
Account sign-up abuse: what fraud teams need to harden now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: Account sign-up remains the most abused entry point, with Storm-1152 creating 750 million fake Microsoft accounts and attackers also concentrating on sign-in and password reset flows, according to Arkose Labs' analysis of 12 months of fraud data. The pattern matters because identity and fraud controls fail first where onboarding, recovery, and scale collide.

NHIMG editorial — based on content published by Arkose Labs: Bot Detection Inside the Scammer’s Mind: Attack Data Revealed by Frank Teruel

By the numbers:

Questions worth separating out

Q: How should security teams stop fake account creation at sign-up?

A: They should add layered friction that raises the cost of bulk registration without breaking legitimate users.

Q: Why do password reset flows attract fraud and account takeover attempts?

A: Password reset flows restore access when identity is weakest, so attackers target them to convert a fresh foothold into durable control.

Q: How do organisations know if sign-up fraud controls are actually working?

A: They should measure more than blocked attempts.

Practitioner guidance

  • Harden account creation with layered abuse checks: Add device reputation, behavioural risk scoring, email and phone validation, and adaptive friction to registration flows so that bulk sign-up cannot proceed at human speed.
  • Separate recovery from routine authentication risk: Apply stronger step-up checks to password reset and account recovery than to ordinary sign-in, especially where email-only recovery can be abused.
  • Track fraud by time window and campaign pattern: Monitor attacks by time of day, day of week, season, and event-driven demand spikes so that clustering becomes visible before losses escalate.

What's in the full article

Arkose Labs' full research covers the operational detail this post intentionally leaves for the source:

  • The article breaks down the three highest-risk customer touchpoints, including sign-up, sign-in, and password reset.
  • It includes the year-long attack timing analysis that shows seasonal and business-hour fraud patterns by industry and region.
  • It expands on the Storm-1152 account creation abuse case and how fake accounts were monetised.
  • It points to the practical defence priorities the vendor recommends for hardening high-value workflows.

👉 Read Arkose Labs' analysis of scammer behaviour and account sign-up abuse →

Account sign-up abuse: what fraud teams need to harden now?




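As an added example (not code from the NHIMG post or from Arkose Labs), the Python below sketches how the three practitioner guidance points in the post above fit together in one defensive flow: a sign-up risk score built from email, device, behaviour and per-IP velocity signals that drives adaptive friction (allow, challenge, or block), a step-up floor that is lower for password reset than for routine sign-in, and a weekday/hour bucket count that makes an off-hours registration burst visible. The reputation tables, weights, thresholds and sample attempts are all constructed for illustration; a real deployment would replace the tables with a device-reputation and email-validation provider.

```python
"""Added example (not from the NHIMG post or from Arkose Labs): a toy sign-up
risk scorer with adaptive friction, a recovery-vs-sign-in step-up floor, and a
weekday/hour bucket count for spotting off-hours bursts. Every reputation
table, weight, threshold and sample attempt below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed stand-ins for a device-reputation feed and an email-validation
# service (hypothetical values; a real deployment would query a provider).
KNOWN_BAD_DEVICES = {"dev-bad-01"}
DISPOSABLE_EMAIL_DOMAINS = {"tempmail.example", "mailinator.example"}
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


@dataclass
class SignupAttempt:
    ts: datetime
    ip: str
    device_id: str
    email: str
    form_fill_seconds: float  # page load -> submit; bots fill forms too fast
    phone_verified: bool


def score_signup(attempt, history, window=timedelta(minutes=10), burst=3):
    """Return (score, reasons). Higher means more likely bulk/automated.
    `history` holds earlier attempts so per-IP velocity can be computed."""
    domain = attempt.email.rsplit("@", 1)[-1].lower()
    same_ip = sum(1 for h in history
                  if h.ip == attempt.ip and attempt.ts - h.ts <= window)
    checks = [  # (signal fired?, weight, reason label); weights are constructed
        (domain in DISPOSABLE_EMAIL_DOMAINS, 30, "disposable_email_domain"),
        (attempt.device_id in KNOWN_BAD_DEVICES, 40, "device_reputation_bad"),
        (attempt.form_fill_seconds < 2.0, 25, "form_filled_faster_than_human"),
        (not attempt.phone_verified, 10, "phone_unverified"),
        (same_ip >= burst, 30, f"ip_velocity:{same_ip}_prior_in_window"),
    ]
    score = sum(weight for hit, weight, _ in checks if hit)
    reasons = [label for hit, _, label in checks if hit]
    return score, reasons


def decide(score):
    """Adaptive friction: cheap for low risk, expensive for bulk patterns."""
    if score >= 70:
        return "block"
    if score >= 30:
        return "challenge"  # step-up such as OTP or a proof-of-work puzzle
    return "allow"


def step_up_required(flow, score):
    """Recovery flows get a lower step-up floor than routine sign-in, so the
    same risk score forces verification on password reset but not sign-in."""
    floors = {"signin": 50, "signup": 30, "password_reset": 20}
    return score >= floors[flow]


def evaluate_stream(attempts):
    """Score attempts in arrival order; each sees only what came before it."""
    results, history = [], []
    for a in sorted(attempts, key=lambda x: x.ts):
        score, reasons = score_signup(a, history)
        results.append((a.email, score, decide(score), reasons))
        history.append(a)
    return results


def attempts_per_bucket(attempts):
    """Count attempts per (weekday, hour) so campaign timing stands out."""
    buckets = defaultdict(int)
    for a in attempts:
        buckets[(DAYS[a.ts.weekday()], a.ts.hour)] += 1
    return dict(buckets)


# Constructed sample: a 03:00 Sunday burst of six registrations from one IP,
# then two daytime sign-ups, one of them from a device on the bad list.
BURST_START = datetime(2024, 3, 10, 3, 0)
SAMPLE_ATTEMPTS = [
    SignupAttempt(BURST_START + timedelta(seconds=20 * i), "203.0.113.7",
                  f"dev-{i}", f"user{i}@tempmail.example", 0.8, False)
    for i in range(6)
] + [
    SignupAttempt(datetime(2024, 3, 11, 10, 15), "198.51.100.4", "dev-good-1",
                  "alice@example.com", 42.0, True),
    SignupAttempt(datetime(2024, 3, 11, 11, 40), "198.51.100.9", "dev-bad-01",
                  "bob@example.com", 35.0, True),
]

if __name__ == "__main__":
    for email, score, action, reasons in evaluate_stream(SAMPLE_ATTEMPTS):
        print(f"{email:28} {score:3d} {action:9} {reasons}")
    print(attempts_per_bucket(SAMPLE_ATTEMPTS))
```

Run as a script, the burst shows the intended escalation: the first three registrations from the shared IP are only challenged (disposable domain, sub-second form fill, no phone), and once three prior attempts sit inside the ten-minute window the velocity signal pushes the rest to a block. The daytime sign-up from a device on the bad list lands at a score of 40, which is enough to force step-up on a password reset but not on an ordinary sign-in, which is the asymmetry the second guidance bullet asks for. The bucket count surfaces the Sunday 03:00 cluster as a single key, which is the kind of time-window view the third bullet describes.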
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

Fraud starts where identity becomes cheap to manufacture. The article confirms that account sign-up remains the most valuable first touchpoint for abuse because it lets attackers create scale before defenders have behavioural history or trust signals. That is a governance problem, not just a bot problem, because onboarding controls often optimise for conversion instead of adversarial verification. Practitioners should treat registration as the first control plane for trust.

A few things that frame the scale:

  • Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.

A question worth separating out:

Q: Who is accountable when identity workflows are abused for fraud?

A: Accountability should sit jointly with identity, fraud, and product owners because the abuse occurs at shared workflow boundaries. Governance should define who owns sign-up risk, who owns recovery risk, and who can force changes when abuse trends shift. Without clear ownership, attackers simply move to the least defended identity touchpoint.

👉 Read our full editorial: Fraudsters still abuse account sign-up as the highest-value entry point


