Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Account creation fraud: what IAM and fraud teams need to change


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11936
Topic starter  

TL;DR: Account creation fraud now costs victims $5.3 billion a year and added 10-hour average resolution times in 2023, according to Javelin Strategy’s 2024 Identity Fraud Study, while fraudsters use bots, synthetic identities, and rotating infrastructure to create “born bad accounts.” Registration controls alone do not close the lifecycle gap that follows signup.

NHIMG editorial — based on content published by Sift: How to Detect and Prevent Account Creation Fraud

By the numbers:

Questions worth separating out

Q: What breaks when account creation controls only look at signup-time signals?

A: Fraudsters can pass the front door with synthetic identities, temporary infrastructure, or automated form completion, then activate the account later for abuse.

Q: Why do account creation fraud programs need lifecycle monitoring?

A: Because the real loss often happens after the account is created.

Q: How do security teams know whether account creation fraud is outpacing controls?

A: Look for rising volume of new accounts with no organic activity, elevated chargebacks or disputes tied to recent registrations, and clusters of accounts sharing device or network traits.

Practitioner guidance

  • Move controls beyond the registration form Correlate device, network, behavioural, and identity signals across the full account journey so high-risk accounts can be challenged after signup, not only at the door.
  • Flag post-activation abuse patterns early Watch for new accounts that immediately hit referral programs, register payment methods, or create content at abnormal volume, then route those accounts to review before they compound loss.
  • Link clusters instead of isolated accounts Use shared email patterns, IP infrastructure, and device identifiers to identify coordinated fraud rings that would look benign if each account were evaluated alone.

What's in the full article

Sift's full article covers the operational detail this post intentionally leaves for the source:

  • A practical breakdown of registration-time signals such as device, network, email, and behavioural indicators.
  • Examples of how fraud teams layer real-time blocking, review queues, and post-registration monitoring.
  • Guidance on identifying synthetic identity patterns and coordinated multi-account activity.
  • A lifecycle approach to reducing abuse after onboarding rather than stopping at initial verification.

👉 Read Sift's analysis of account creation fraud detection and prevention →

Account creation fraud: what IAM and fraud teams need to change?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11491
 

Account creation fraud is a lifecycle failure, not a signup failure. The article shows that once a fraudulent account survives registration, it can be reused for promotion abuse, payment fraud, and marketplace manipulation. That means the control boundary cannot stop at proofing or CAPTCHA. The relevant governance question is how identity teams monitor the account after activation, because that is where the monetisation happens.

A few things that frame the scale:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which shows how often identity governance breaks down after creation rather than at creation.

A question worth separating out:

Q: Who is accountable when fraudulent accounts are allowed to persist after signup?

A: Accountability should sit with the teams that own the full lifecycle, not only the registration flow. Fraud, IAM, and platform operations all have a role because the failure is shared. If creation is treated as the end of governance, the organisation will keep absorbing avoidable loss.

👉 Read our full editorial: Account creation fraud exposes the limits of registration-time controls



   
ReplyQuote
Share: