TL;DR: Account sign-up remains the most abused entry point, with Storm-1152 creating 750 million fake Microsoft accounts and attackers also concentrating on sign-in and password reset flows, according to Arkose Labs' analysis of 12 months of fraud data. The pattern matters because identity and fraud controls fail first where onboarding, recovery, and scale collide.
NHIMG editorial — based on content published by Arkose Labs: Bot Detection Inside the Scammer’s Mind: Attack Data Revealed by Frank Teruel
By the numbers:
- Storm-1152 created 750 million fake Microsoft accounts and made millions of dollars selling them on the dark web.
- In El Salvador, fraudsters might earn 20x more by attacking gaming companies than by working as a software developer.
Questions worth separating out
Q: How should security teams stop fake account creation at sign-up?
A: They should add layered friction that raises the cost of bulk registration without breaking legitimate users.
Q: Why do password reset flows attract fraud and account takeover attempts?
A: Password reset flows restore access when identity is weakest, so attackers target them to convert a fresh foothold into durable control.
Q: How do organisations know if sign-up fraud controls are actually working?
A: They should measure more than blocked attempts.
Practitioner guidance
- Harden account creation with layered abuse checks: add device reputation, behavioural risk scoring, email and phone validation, and adaptive friction to registration flows so that bulk sign-up cannot proceed at human speed.
- Separate recovery from routine authentication risk: apply stronger step-up checks to password reset and account recovery than to ordinary sign-in, especially where email-only recovery can be abused.
- Track fraud by time window and campaign pattern: monitor attacks by time of day, day of week, season, and event-driven demand spikes so that clustering becomes visible before losses escalate.
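An added illustration of the first and third guidance items (written for this post, not code from Arkose Labs or NHIMG): a registration risk scorer that applies adaptive friction when one device fingerprint registers faster than human pace or uses a disposable e-mail domain, plus a per-hour bucket count that makes campaign bursts visible. The thresholds, the disposable-domain list and the sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (timestamp, device fingerprint, e-mail domain). Hypothetical events.
SIGNUPS = [
    ("2024-03-04T09:00:05", "dev-human", "example.com"),
    ("2024-03-04T09:07:40", "dev-other", "example.org"),
    ("2024-03-04T14:00:00", "dev-bot", "throwaway.test"),
    ("2024-03-04T14:00:02", "dev-bot", "throwaway.test"),
    ("2024-03-04T14:00:04", "dev-bot", "throwaway.test"),
    ("2024-03-04T14:00:06", "dev-bot", "throwaway.test"),
    ("2024-03-04T14:00:08", "dev-bot", "throwaway.test"),
]
DISPOSABLE_DOMAINS = {"throwaway.test"}  # constructed deny-list, hypothetical
HUMAN_WINDOW = timedelta(seconds=60)
HUMAN_MAX_PER_WINDOW = 2  # assumed threshold: 2+ earlier attempts in 60s is not human-paced

def risk_score(ts, device, domain, history):
    """Score one attempt; history maps device fingerprint -> earlier attempt timestamps."""
    recent = [t for t in history[device] if ts - t <= HUMAN_WINDOW]
    score = 0
    if len(recent) >= HUMAN_MAX_PER_WINDOW:
        score += 60  # bulk pacing on a single fingerprint
    if domain in DISPOSABLE_DOMAINS:
        score += 30  # weak e-mail validation signal
    return score

def decide(score):
    """Adaptive friction: low risk passes, mid risk gets a challenge, high risk is blocked."""
    if score >= 80: return "block"
    if score >= 30: return "challenge"
    return "allow"

def evaluate(signups):
    history = defaultdict(list)
    decisions = []
    for raw_ts, device, domain in signups:
        ts = datetime.fromisoformat(raw_ts)
        decisions.append(decide(risk_score(ts, device, domain, history)))
        history[device].append(ts)
    return decisions

def hourly_clusters(signups):
    """Count attempts per hour bucket so campaign bursts stand out by time window."""
    buckets = defaultdict(int)
    for raw_ts, _, _ in signups:
        buckets[datetime.fromisoformat(raw_ts).strftime("%Y-%m-%d %H:00")] += 1
    return dict(buckets)
```

Running `evaluate(SIGNUPS)` lets the two human-paced registrations through, challenges the first two disposable-domain attempts, and blocks the rest of the burst once the fingerprint exceeds human pace.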
What's in the full article
Arkose Labs' full research covers the operational detail this post intentionally leaves for the source:
- The article breaks down the three highest-risk customer touchpoints, including sign-up, sign-in, and password reset.
- It includes the year-long attack timing analysis that shows seasonal and business-hour fraud patterns by industry and region.
- It expands on the Storm-1152 account creation abuse case and how fake accounts were monetised.
- It points to the practical defence priorities the vendor recommends for hardening high-value workflows.
👉 Read Arkose Labs' analysis of scammer behaviour and account sign-up abuse →
Account sign-up abuse: what fraud teams need to harden now?