TL;DR: Identity remains the control point for account takeover and new account fraud because attackers keep adapting their methods to monetise stored payment methods or move funds, according to Ping. The taxonomy matters because it helps practitioners map threat sequences and prioritise protections across identity journeys, not just individual controls.
At a glance
What this is: This is an identity threat taxonomy that maps how fraudsters chain tactics across account takeover and new account fraud.
Why it matters: It matters because IAM and NHI teams need to defend identity paths as sequences, not as isolated events or point-in-time checks.
Context
Identity fraud is a sequence problem, not a single-control problem. When attackers can switch tactics after one path is blocked, IAM teams need to understand how identity checks, session controls, and recovery workflows fit together across the full access journey.
The article frames this through account takeover and new account fraud, where identity becomes the entry point to online services and financial abuse. For practitioners, the useful takeaway is that threat taxonomy work helps separate common fraud patterns from isolated anomalies, and that is typical of mature identity-risk analysis.
Key questions
Q: How should security teams use an identity threat taxonomy?
A: Security teams should use an identity threat taxonomy to group related fraud behaviours into a lifecycle view, then map each stage to a specific control owner and detection method. That makes it easier to spot where attackers can pivot, where assurance is weak, and where policy changes will reduce repeated abuse.
Q: What is the difference between account takeover and new account fraud?
A: Account takeover abuses an existing account by compromising someone already trusted by the system, while new account fraud creates or hijacks the enrolment process to establish a fraudulent identity. Both are identity abuse problems, but they require different controls because one targets established trust and the other targets initial trust.
Q: Why do fraudsters keep shifting identity attack methods?
A: Fraudsters shift methods because identity controls are often uneven across the customer journey. If passwords, device checks, or recovery steps block one path, attackers can move to enrolment abuse, social engineering, or session manipulation. A layered identity model forces them to work harder at every stage.
Q: How can organisations reduce account takeover risk without hurting user experience?
A: Organisations should focus on risk-based controls that step up only when behaviour, device, or transaction context changes materially. Stronger authentication at the right moment is less disruptive than blanket friction, and it is more effective when paired with monitoring of recovery and post-login abuse.
Technical breakdown
How identity threat taxonomies map fraud sequences
An identity threat taxonomy groups related fraud behaviours into a logical sequence so defenders can see how an attacker moves from initial identity compromise to monetisation. In practice, that means linking reconnaissance, credential abuse, session abuse, and fraudulent transactions into one model rather than treating each event as separate noise. The value is not just classification. It is prioritisation, because a taxonomy shows where a control failure is likely to cascade into the next stage of abuse.
Practical implication: Use the taxonomy to map where your current controls interrupt the fraud chain and where gaps still allow progression.
Account takeover and new account fraud as identity-control failures
Account takeover (ATO) and new account fraud (NAF) sit at different points in the identity lifecycle, but they often exploit the same weak spots: weak assurance during sign-in, poor detection of behavioural change, and inadequate recovery or enrolment checks. ATO usually abuses an existing account, while NAF creates a fraudulent identity or synthetic persona to gain trust. Both can be enabled by overreliance on static signals such as passwords or first-touch verification.
Practical implication: Review sign-in, recovery, and enrolment paths separately, then test whether the same attacker could pivot between them.
Why holistic threat prevention beats single-point detection
Holistic threat prevention means using multiple signals across identity, device, transaction, and session layers to stop abuse before it completes. Fraudsters adapt quickly, so a control that catches one tactic can simply push the attacker into another. A taxonomy helps by turning this adaptive behaviour into a defender-friendly map. That is especially useful where identity is the gate to money movement, stored value, or privileged access, because the impact of one missed step is amplified.
Practical implication: Correlate identity signals with downstream transaction risk so one detection does not become the attacker’s cue to switch tactics.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity taxonomies are becoming a governance tool, not just a fraud model. When organisations can describe how identity abuse unfolds across enrolment, authentication, recovery, and monetisation, they can set control ownership more clearly. That is useful for IAM teams because it moves the conversation from isolated fraud alerts to lifecycle accountability.
Account takeover and new account fraud should be treated as adjacent risks. They often share the same sources of weakness, including weak assurance, poor behavioural context, and inconsistent step-up logic. A mature identity programme should expect attackers to pivot between them, so defensive design must cover both abuse of existing identities and creation of fraudulent ones.
The real value of a taxonomy is decision support. It helps security leaders decide which control failures matter most, where to invest in detection, and which workflows need stronger assurance. For practitioners, the goal is not perfect classification. The goal is faster intervention before identity abuse becomes financial loss or account compromise at scale.
Holistic prevention is now the baseline for identity risk management. Static controls do not keep up with adaptive fraud actors who can change methods quickly. Teams that align taxonomy with monitoring, risk scoring, and recovery policy will have a better chance of closing the gaps attackers exploit next.
Identity lifecycle governance should absorb fraud insights. If threat taxonomy findings never reach access policy, enrolment policy, and incident response, the organisation stays reactive. Practitioners should use taxonomy outputs to tighten assurance where the identity journey is weakest.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- The next control question is not whether identity abuse exists, but which lifecycle stage gives you the best chance to stop it, which is why Top 10 NHI Issues is the natural follow-on resource.
What this signals
Identity threat taxonomies will increasingly shape programme prioritisation. Security teams that can map fraud patterns to enrolment, authentication, recovery, and monetisation will have a clearer basis for investment decisions. That is especially true in environments where identity controls are fragmented across business and security teams.
With 97% of NHIs carrying excessive privileges, the broader lesson is that identity abuse often succeeds because defenders tolerate too much standing access and too little lifecycle discipline. The same governance weakness that affects human-facing fraud also affects service accounts and automated workflows, so teams should stop treating these as separate problems.
Ephemeral trust debt: every time a team adds a new identity flow without tightening verification, it creates a deferred fraud risk that will later surface in detection or incident response. Practitioners should treat identity design changes as risk-bearing decisions, not just product work.
For practitioners
- Map fraud tactics to identity lifecycle stages: Classify account takeover and new account fraud across enrolment, authentication, recovery, session use, and monetisation so control ownership is clear and gaps are visible.
- Review step-up logic across high-risk journeys: Test whether the same assurance rules apply in sign-in, password reset, device change, and account creation flows, then harden the weakest path first.
- Correlate identity and transaction signals: Join login anomalies with payment, transfer, and beneficiary-change events so fraud detection can stop abuse before the attacker completes a monetisation step.
- Use taxonomy output to drive policy updates: Feed recurring fraud patterns into access policy, recovery rules, and alert triage so the organisation improves the controls attackers actually bypass.
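The sequence view from the technical breakdown and the identity-to-transaction correlation in the list above, as an added example that is not Ping's or NHIMG's code: a small Python detector classifies constructed events into the taxonomy's lifecycle stages and flags only accounts where a recovery-stage event and a beneficiary change precede a transfer within a time window, so an isolated login anomaly or a transfer to an existing payee does not fire on its own. The event type names, stage labels, window and log format are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Taxonomy: each raw event type maps to one identity-lifecycle stage (names assumed).
STAGE = {"login_failed": "authentication", "login_success": "authentication",
         "password_reset": "recovery", "new_device_session": "session",
         "beneficiary_added": "monetisation", "transfer": "monetisation"}

# Constructed sample log, not real data: "<timestamp> <account> <event type>".
SAMPLE_LOG = """\
2024-06-01T09:00:00 acc-1 login_failed
2024-06-01T09:05:00 acc-1 password_reset
2024-06-01T09:06:00 acc-1 login_success
2024-06-01T09:07:00 acc-1 new_device_session
2024-06-01T09:20:00 acc-1 beneficiary_added
2024-06-01T09:25:00 acc-1 transfer
2024-06-01T10:00:00 acc-2 login_success
2024-06-01T10:30:00 acc-2 transfer
2024-06-02T08:00:00 acc-3 password_reset
2024-06-03T12:00:00 acc-3 transfer
"""

def parse(line):
    ts, account, kind = line.split()
    return datetime.fromisoformat(ts), account, kind

def fraud_chains(events, window=timedelta(hours=6)):
    # Flag a transfer preceded, within `window` on the same account, by a
    # recovery-stage event and a new beneficiary: the recovery -> monetisation chain.
    by_account = defaultdict(list)
    for ts, account, kind in events:
        by_account[account].append((ts, kind))
    findings = []
    for account, evs in by_account.items():
        evs.sort()
        for i, (ts, kind) in enumerate(evs):
            if kind != "transfer":
                continue
            recent = [(t, k) for t, k in evs[:i] if ts - t <= window]
            if "recovery" not in {STAGE[k] for _, k in recent}:
                continue  # no recovery abuse shortly before the money movement
            if "beneficiary_added" not in {k for _, k in recent}:
                continue  # payment to an existing payee: a different risk profile
            path = []  # ordered, de-duplicated stages the attacker walked through
            for _, k in recent + [(ts, kind)]:
                if not path or path[-1] != STAGE[k]:
                    path.append(STAGE[k])
            findings.append({"account": account, "path": path,
                             "first_seen": recent[0][0], "transfer_at": ts})
    return findings

def analyse(lines):
    return fraud_chains([parse(l) for l in lines if l.strip()])
```

Only acc-1 is reported: acc-2 moves money without any recovery-stage event, and acc-3's password reset falls outside the six-hour window before its transfer.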
Key takeaways
- Identity fraud should be managed as a sequence of related tactics, not as isolated login failures.
- Account takeover and new account fraud are different attack paths, but they often share the same governance weaknesses.
- The practical value of an identity threat taxonomy is clearer control ownership, faster prioritisation, and stronger lifecycle policy.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Identity assurance and access control are central to stopping fraud-driven account abuse. |
| NIST CSF 2.0 | DE.AE-1 | Taxonomies help teams detect fraud patterns as repeatable anomalies, not one-off alerts. |
| NIST AI RMF | Govern function | Fraud taxonomy work supports governance over adaptive automated decisioning. |
Apply AI RMF governance practices to document how automated fraud decisions are reviewed and tuned.
Key terms
- Identity Threat Taxonomy: A structured way to group identity-related attack behaviours into related stages and patterns. It helps defenders understand how fraud unfolds across enrolment, authentication, recovery, and monetisation, so controls can be assigned to the right part of the identity lifecycle.
- Account Takeover: Account takeover is the compromise of an already established account so an attacker can use existing trust to act as the legitimate user. In identity programmes, it usually signals weaknesses in authentication, recovery, device trust, or session handling rather than a failure at enrolment.
- New Account Fraud: New account fraud is the creation or takeover of a fresh identity during enrolment so an attacker can establish trust and later abuse it. It often exploits weak identity proofing, poor anti-abuse controls, or gaps between registration, verification, and first use.
Deepen your knowledge
Identity threat taxonomy and lifecycle-based fraud prevention are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a governance programme from a similar starting point, it is worth exploring.
This post draws on content published by Ping: an identity threat taxonomy for fraud prevention and account takeover. Read the original.
Published by the NHIMG editorial team on 2024-06-07.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org