New account fraud is one of the hardest types of fraud to catch because it doesn’t always look like fraud at first. It targets your onboarding flow using stolen or synthetic identities and automated sign-up campaigns that probe your verification stack until a gap is found. Below, we’ll discuss how new account fraud works, how it differs from related threats such as account takeover and promo abuse, and how to build preventive measures without impeding legitimate users.

Highlights

• New account fraud uses stolen, synthetic, or fabricated identity signals to create accounts that appear legitimate long enough to extract value from your platform.

• Effective detection depends on layering signals across device intelligence, behavioral analysis, identity enrichment, and anomaly detection.

• Prevention works best when it’s applied progressively at onboarding, friction is proportional to risk, and accounts are monitored continuously after sign-up.

What is new account fraud?

New account fraud is when someone creates an account using stolen, synthetic, or fabricated identity signals to access something valuable and then disappears. These tactics can sometimes bypass customer identity verification systems, which opens businesses up to attack. The target might be a welcome bonus, a credit line, a free trial with a payment method attached, or the ability to move money through your platform.

How does new account fraud work?

New account fraud can follow one of a few recognizable patterns. Each is designed to establish a seemingly legitimate presence on your platform before the fraudulent actor extracts value.

Here are the common types of new account fraud:

• Synthetic identity fraud: A fraudulent actor assembles a profile using a real tax identification number, paired with a fabricated name and date of birth, then builds credibility slowly before they extract value.

• Stolen identity fraud: A real person’s credentials are obtained from a data breach or credential market. An account is opened without their knowledge, value is extracted, and the victim finds out only when a collection notice arrives or their credit score drops.

• Money mule accounts: Real people are sometimes recruited under false pretenses to open accounts that receive and forward illicit funds. This hides the flow of money for fraudulent actors.

• Bot-driven sign-ups: Automated campaigns can test thousands of credentials against your onboarding flow, probing for combinations that let fraudulent accounts through. A sudden rise in failed sign-ups often precedes a wave of successful ones.

How does new account fraud relate to account takeover and other threats?

New account fraud is distinct from account takeovers and other threats, with each type of fraud requiring a unique defense. Here’s a look at the additional account-related fraud risks you need to be aware of:

• Account takeover: This method targets existing accounts by obtaining credentials through phishing, credential stuffing, or fraud markets.

• Credential stuffing: Credential stuffing is the automated testing of username and password pairs, which are harvested from unrelated data breaches, against your login page. Compromised accounts can be used as templates for synthetic identity construction.

• Free trial and promo abuse: This refers to the creation of multiple accounts to claim a welcome bonus repeatedly. The fraudulent actor might use real, distinct identities.

• Chargeback fraud: Chargeback fraud is when a legitimate customer disputes a charge they actually authorized.

These fraud threats often work together with new account fraud to maximize financial gain.

What are the warning signs of new account fraud?

To identify new account fraud, you need to look for a cluster of signals. The warning signs below are organized by where in your stack you’d detect them.

At the device and network layer

• IP address mismatch: The stated location doesn’t match the Internet Protocol (IP) address or the connection routes through a virtual private network (VPN), proxy, or data center.

• Device fingerprint reuse: The same fingerprint appears across multiple recent account creations.

• Automation indicators: Browser or device settings suggest scripting—inconsistent screen resolution, missing expected browser application programming interfaces (APIs), or mismatched time zone.

• Sign-up speed: High volumes of new accounts originate from the same device or IP range in a short window.

At the identity layer

• Disposable email: The address was created hours before sign-up or belongs to a known throwaway domain.

• Identity inconsistencies: Name, address, and date of birth don’t consistently match external data sources.

• Address anomalies: The submitted address is a mail forwarding service, vacant lot, or location associated with past fraud.

At the behavioral layer

• Nearly instant form completion: Fields are filled faster than any human can type, with no hesitation or correction behavior.

• No organic session: The sign-up came from an unusual referral path with no browsing pattern that preceded it.

• Immediate high-value action: The account tries to add a payment method or initiate a transfer before any normal warm-up behavior.

At the aggregate level

• Speed of creation: There’s a sudden increase in new accounts created from a specific geography or device cohort.

• Elevated failure-then-success pattern: A high rate of identity verification failures is followed by slight variations and retries.

How can you detect new account fraud?

Detecting new account fraud works best when you layer signals. These techniques can improve detection:

• Device intelligence: A device fingerprint captures the combination of browser, hardware, operating system, and network attributes that make a device distinct. Most automated attacks are detectable.

• Behavioral analysis: Real users interact with forms differently from bots. Signals such as keystroke timing, mouse movement patterns, and whether a user copied and pasted into a field are hard to fake at scale.

• Identity enrichment: Validating submitted identity details against external signals helps assess whether a combination of signals looks like a real person.

• Anomaly detection: A sign-up that appears borderline legitimate might be clearly fraudulent in the context of a wave of similar sign-ups. Real-time monitoring for volume peaks, geographic clusters, and device cohort anomalies can catch abuse campaigns.

• Risk scoring: Rather than make a binary pass-or-fail decision at sign-up, a risk score lets you route accounts into different flows.

How do you prevent new account fraud without stopping legitimate sign-ups?

The goal is to make fraud expensive enough that attackers go elsewhere. Here’s how to prevent new account fraud without punishing real users:

• Rate limiting and bot defenses: Completely Automated Public Turing tests to tell Computers and Humans Apart (CAPTCHAs), invisible bot detection, and sign-up rate limits by IP address and device can stop automated attacks before they generate useful data about your verification stack.

• Progressive friction: Calibrate verification depth to risk score. A low-risk sign-up from a known device and a consistent identity profile might go straight through, while a high-risk sign-up gets routed to phone verification or document upload.

• Step-up verification: Early account behavior needs to trigger additional identity checks. An account that passes initial onboarding but immediately tries to add three payment methods and initiate a withdrawal should probably get a verification request.

• Postcreation monitoring: Fraud doesn’t always manifest immediately. Monitor new accounts for behavioral patterns that correlate with later fraud such as specific action sequences, unusual session timing, and immediate profile changes.

How Stripe Radar can help

Stripe Radar uses AI models to detect and prevent fraud, trained on data from Stripe’s global network. It continuously updates these models based on the latest fraud trends, protecting your business as fraud evolves.

Stripe also offers Radar for Fraud Teams, which allows users to add custom rules addressing fraud scenarios specific to their businesses and access advanced fraud insight.

Radar can help your business:

• Prevent fraud losses: Stripe processes over $1 trillion in payments annually. This scale uniquely enables Radar to accurately detect and prevent fraud, saving you money.

• Increase revenue: Radar’s AI models are trained on actual dispute data, customer information, browsing data, and more. This enables Radar to identify risky transactions and reduce false positives, boosting your revenue.

• Save time: Radar is built into Stripe and requires zero lines of code to set up. You can also monitor your fraud performance, write rules, and more in a single platform, increasing efficiency.

Learn more about Stripe Radar, or get started today.