If you run an online business, you know just how important it is to get your account creation process right.
After all, the moment a potential user decides to open an account is usually one of the first interactions they’ll have with your business — and we all know how lasting a first impression can be.
With this in mind, many online businesses decide to make the process as easy and frictionless as possible. They collect only the information that is absolutely necessary (whether from a business or regulatory perspective) to get someone into their ecosystem — sometimes, as little as an email address.
And it’s true: a streamlined, frictionless signup process often does result in an uptick in conversions and new account creations. Unfortunately, not all of these newly-created accounts will be from real customers. Statistically speaking, a certain portion of these new accounts will belong to bad actors looking to engage in account creation fraud.
Below, we define account creation fraud, take a look at the different forms that it might take, and explore how it typically works. We also outline steps and advice that you can use to detect and mitigate it to protect your business and legitimate users.
What is account creation fraud?
While account creation fraud can take many different forms, it always revolves around fraudulently opening an account with an online business or service. It’s also sometimes called fake account creation, duplicate account creation, mass account creation, and new account fraud.
Why do bad actors engage in account creation fraud? There are countless potential reasons, ranging from the mostly innocent to the somewhat annoying to the downright nefarious. Some of the most common scenarios involving account creation fraud include:
- A legitimate new customer opening an account with a fake email address to reduce the amount of spam that they receive
- An existing customer opening a second account to take advantage of various promotions (for example, coupon codes or discounts offered to new users)
- An existing customer opening a second account using the referral code or referral link of their primary account to earn referral rewards
- A bad actor opening a second account to spam or harass other users
- A bad actor opening a second account to leave fake reviews (whether good or bad) on a product, service, or business page, either to mislead other users or to harm the reputation of a product or business
- A bad actor opening an account to engage in fraudulent transactions (for example, making a purchase with stolen credit card information)
- A bad actor opening multiple accounts to launder money by moving small amounts of money between many accounts
- A bad actor opening fake accounts to spoof deliveries and earn payouts
- A bad actor opening multiple accounts on a crypto/NFT platform to increase their chances of obtaining rare packs when NFT drops occur
Account creation fraud can affect virtually any business that operates online and requires its users to open an account. Social media platforms, online dating sites, ecommerce platforms and online marketplaces, e-learning platforms, iGaming services, and financial institutions are just some examples of businesses that contend with fake profiles.
What does account creation fraud look like?
Account creation fraud can take many forms. That said, most of these variations will fall into one of three broad buckets, which we explore below.
1. A legitimate user opening duplicate accounts
One common form of account creation fraud is when a legitimate user opens multiple accounts on the same platform. This is sometimes specifically called duplicate account fraud.
Sometimes, a user might attempt to open a duplicate account using information that is completely true. They provide their real name, address, date of birth, etc. But then they provide an old or little-used email address instead of the email address linked to their primary account, or perhaps a home phone number instead of a cellular number.
Other times, a user might attempt to create an account using information that is very close to being legitimate, but adjusted slightly. For example, they might provide a phone number that is off by one digit, an email address that is off by one character, etc.
Or, a user might attempt to open an account using information that is completely made up — there isn’t a shred of truth to anything they provide. They might, for example, come up with a fake name and email address on the spot that passes as being real (but isn’t); or, they might simply provide a random string of text.
Duplicate account fraud is used for a variety of purposes. Most commonly, users open duplicate accounts to take advantage of referral programs or new customer promotions and discounts — often believing they are doing nothing wrong. Of course, this isn’t true, as it directly harms the bottom line of the business offering those discounts or referral rewards as a way of enticing new customers. (Other reasons a user might create duplicate accounts include a desire to leave fake reviews on products or profiles or even harassing other users, amongst other motivations.)
2. A bad actor leveraging bots
Another common form of account creation fraud involves leveraging bots, botnets, or pieces of code to create a large number of fake profiles very quickly. These accounts can be opened using fake information, stolen information, or a mix of the two, depending on the needs and motivations of the bad actor.
This is sometimes called automatic account creation fraud due to the fact that accounts can be created rapidly — much faster than would typically be possible for a human to do.
Bad actors interested in deploying bots this way will sometimes design and code their own software. Increasingly, however, bad actors simply turn to bot marketplaces to purchase the bot or service that they need. This has led to an explosion in the volume of bot attacks in recent years.
Fake accounts created via botnets can be leveraged for a wide variety of purposes where volume is the name of the game. Some examples include:
- Cyberattacks: Botnets are commonly used to conduct distributed denial-of-service (DDoS) attacks, where a server or network is overwhelmed by a flood of traffic from many compromised machines. Fake accounts, meanwhile, give bots an authenticated foothold on a platform and are often used to send phishing messages to legitimate users.
- Spamming: Accounts created by bots can be leveraged to spam a website with fake comments, reviews, links, and more.
- Content scraping: Content scraping occurs when someone copies content from the original creator and republishes it on their own website in hopes of attracting visitors. Accounts created via bots can be used to access and scrape content that is behind a paywall — for example, on websites that allow readers a certain number of free articles per month.
- Manipulating algorithms: Social media algorithms consider many different factors when deciding what content to promote and distribute to their users, but amongst the most important of these considerations are engagement metrics (likes, comments, shares, etc.). Fake accounts can be used to inflate engagement metrics on content in an attempt to manipulate the algorithm.
- Fraudulent transactions: Especially in cases where the fake accounts were generated using stolen information, they may be used to place fraudulent transactions, for example purchases made with stolen card details.
- Money laundering: When a bad actor creates a large number of accounts using bots, they can use those accounts to launder money, typically by having each new account send a small amount to a central account under their control. Because each transfer is small, it is more likely to stay below the thresholds at which transaction monitoring would flag it, a pattern known as structuring.
3. Online impersonation using stolen information
A far more insidious form of account creation fraud than the two discussed above involves a bad actor manually opening an account using information stolen from a real person — commonly known as identity theft. This information could have been stolen directly from the individual (for example, through a phishing attempt) or purchased on the dark web.
Once they create the first account, it’s possible the bad actor will stop there and begin taking advantage of the stolen identity. But highly skilled bad actors often use that first stolen account as a stepping stone to opening additional accounts on different platforms (under the same identity) to slowly build an online presence that appears to be legitimate.
The firmly established stolen identity can then be used to conduct any variety of fraudulent activity, from making fraudulent transactions to laundering money, leaving fake reviews on products, harassing other users, catfishing, and more. Alternatively, the bad actor may sell the established identity on to another criminal.
Why is this form of account creation fraud so dangerous? For three reasons.
First, because the bad actor is opening the account manually — as opposed to doing so via a bot network — it is much more difficult to identify. Bots tend to operate in easily recognizable patterns. This means that with the right tools and software, bot activity can often be identified and mitigated before it becomes a serious concern. It’s typically much harder to identify fraudulent activity being carried out by a living person.
Second, provided the bad actor has enough information about their victim to be truly “in control” of the identity, they may find it easy to pass basic verification checks. This is especially true when the bad actor also holds documents typically used in identity verification, such as a scan of a government-issued ID.
And third, this kind of attack involves multiple victims. On the one hand, your business may be a victim, depending on how the bad actor leverages your platform. If the fraudster engages with other users via your platform, those users may also be victimized. But in addition to this, there is a real person out there potentially dealing with the repercussions of identity theft — in the form of a harmed credit score, rejected loan applications, stolen funds, damaged reputation, and more.
How to prevent account creation fraud
One of the most challenging aspects of combatting account creation fraud lies in the fact that it can be incredibly difficult to identify — especially when bots aren’t involved. If you can’t differentiate accounts created by legitimate users from those created by bad actors, then enforcement of anti-fraud measures becomes all but impossible.
Fortunately, there are a few ways to prevent account creation fraud.
Prevent fake accounts through identity verification
Verifying user identity as a built-in piece of your account creation process can significantly cut down on the number of fake accounts that your business has to deal with in the first place.
Of course, there is no one right way to perform identity verification. How you decide to verify the identity of your users will naturally depend on a variety of factors. The industry you operate within, the type of business you run, the regulations you are subject to, your risk tolerance, and the expectations of your users should all inform your verification process.
For some businesses, it might be enough to simply require new users to verify their email address or phone number by clicking a verification link or entering a verification code that you send. Keep in mind that this only proves control of that address or number at that moment, not who the person is; disposable email domains and virtual (VoIP) numbers are cheap, so these checks raise the cost of mass account creation rather than stopping a determined fraudster. Businesses that want more stringent controls might implement document verification and require new users to submit a photo of a driver’s license or ID. Other businesses still might deploy database verification, selfie verification, or manual review.
Identify fake accounts through linkage analysis and reverification
If fake accounts already exist on your platform (which is very likely) the battle shifts to identifying these accounts so that you can remove or deactivate them and ban the bad actors from creating new accounts in the future. This can be done in a number of different ways.
One option you might consider is implementing a tool that analyzes your database of existing accounts and looks for signals that they are related. A large number of accounts sharing the same IP address, for example, may indicate that they were created by a single bad actor, perhaps via a botnet. A shared IP on its own is a weak signal, though, because office networks, mobile carriers (carrier-grade NAT), and VPNs put many legitimate users behind one address. Stronger signals come from combining properties: many accounts created from one IP within the same minute, the same mailbox or phone number hidden behind formatting differences, selfies captured during verification that look alike, and so on.
Once identified, you can investigate these suspicious accounts further and take action as necessary, whether that’s asking the owner of the account to reverify their identity or putting them on a blocklist to ban them from your system completely.
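Two of the patterns described above lend themselves to a small piece of code: the duplicate-account trick of supplying an email or phone number that is only cosmetically different from the one on the primary account, and the linkage analysis that joins accounts sharing properties. The block below is an added example written for this page, not Persona's code or its Graph product. It normalizes emails (lowercasing, dropping `+tag` sub-addressing, and removing dots for Gmail addresses) and phone numbers (digits only, with bare 10-digit numbers assumed to be North American), links accounts that share a normalized identifier, and links accounts that share an IP only when several of them signed up within the same minute, so that an ordinary shared NAT address does not produce a cluster. The account table is constructed for the example, and all names are hypothetical.

```python
"""Added example: linkage analysis over a small constructed account table.

Not Persona's code. Accounts are joined on strong keys (normalized email or
phone) unconditionally, and on the weak key (source IP) only when the IP
shows a signup burst, i.e. `burst_size` or more accounts in one minute.
"""
import re
from collections import defaultdict

# Constructed sample data, not real accounts. ISO-8601 timestamps.
ACCOUNTS = [
    {"id": "a1", "email": "Jane.Doe@gmail.com",    "phone": "+1 (415) 555-0101", "ip": "203.0.113.7",  "created": "2024-05-01T10:02:11"},
    {"id": "a2", "email": "janedoe+promo@gmail.com", "phone": "415-555-0102",    "ip": "198.51.100.4", "created": "2024-05-01T10:02:40"},
    {"id": "a3", "email": "bob@example.org",        "phone": "4155550102",        "ip": "198.51.100.9", "created": "2024-05-02T08:00:00"},
    {"id": "a4", "email": "u1@mail.test",           "phone": "",                  "ip": "203.0.113.7",  "created": "2024-05-03T12:00:00"},
    {"id": "a5", "email": "u2@mail.test",           "phone": "",                  "ip": "203.0.113.7",  "created": "2024-05-03T12:00:15"},
    {"id": "a6", "email": "u3@mail.test",           "phone": "",                  "ip": "203.0.113.7",  "created": "2024-05-03T12:00:50"},
    {"id": "a7", "email": "carol@example.com",      "phone": "+44 20 7946 0000",  "ip": "192.0.2.55",   "created": "2024-05-04T09:30:00"},
]


def normalize_email(addr: str) -> str:
    """Canonical mailbox: lowercase, strip +tag, and collapse Gmail dots."""
    local, _, domain = addr.strip().lower().partition("@")
    local = local.split("+", 1)[0]                 # assumption: provider honours +tag sub-addressing
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")             # Gmail ignores dots in the local part
        domain = "gmail.com"
    return f"{local}@{domain}"


def normalize_phone(raw: str, default_cc: str = "1") -> str:
    """Digits only; a bare 10-digit number is assumed to be NANP (country code 1)."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:
        digits = default_cc + digits
    return digits


def _find(parent: dict, x: str) -> str:
    while parent[x] != x:                          # union-find with path halving
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def find_clusters(accounts: list, min_size: int = 2, burst_size: int = 3) -> list:
    """Return clusters of linked accounts with the kinds of evidence joining them."""
    parent = {a["id"]: a["id"] for a in accounts}
    reasons = defaultdict(set)                     # account id -> {"email", "phone", "ip_burst"}

    def link(ids: list, kind: str) -> None:
        for other in ids[1:]:
            ra, rb = _find(parent, ids[0]), _find(parent, other)
            if ra != rb:
                parent[rb] = ra
        for i in ids:
            reasons[i].add(kind)

    strong = defaultdict(list)                     # (kind, normalized value) -> ids
    weak = defaultdict(list)                       # (ip, minute) -> ids
    for a in accounts:
        strong[("email", normalize_email(a["email"]))].append(a["id"])
        phone = normalize_phone(a["phone"]) if a["phone"] else ""
        if phone:
            strong[("phone", phone)].append(a["id"])
        weak[(a["ip"], a["created"][:16])].append(a["id"])   # timestamp truncated to the minute

    for (kind, _), ids in strong.items():
        if len(ids) > 1:
            link(ids, kind)
    for _, ids in weak.items():
        if len(ids) >= burst_size:                 # shared IP alone is not evidence; a burst is
            link(ids, "ip_burst")

    members = defaultdict(list)
    for a in accounts:
        members[_find(parent, a["id"])].append(a["id"])
    clusters = [
        {"members": sorted(ids), "links": sorted(set().union(*(reasons[i] for i in ids)))}
        for ids in members.values() if len(ids) >= min_size
    ]
    return sorted(clusters, key=lambda c: c["members"])


if __name__ == "__main__":
    for cluster in find_clusters(ACCOUNTS):
        print(cluster)
```

On the sample data this yields two clusters: a1, a2 and a3 (a1 and a2 are the same Gmail mailbox once dots and the `+promo` tag are removed; a2 and a3 share a phone number written two ways), and a4, a5 and a6 (three signups from one IP inside a single minute). a1 shares that same IP but signed up two days earlier, so it is correctly left out of the burst. In practice you would feed these clusters into a review queue rather than auto-ban on them, since the email and phone links still have benign explanations such as a family sharing a number.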
Combatting account creation fraud in your business
Here at Persona, we understand how challenging it can be to spot and fight account creation fraud. That’s why we created our Graph solution to help you uncover sophisticated fraud rings by allowing you to easily find, visualize, and act on groups of accounts connected by common properties. With Graph, you can:
- Bring together data sources from both inside and outside of Persona to get a full view of your customer network
- Proactively fight fraud by reviewing the suspicious clusters we surface or manually scrutinizing your customer network via Graph Explorer and specific queries
- Take any follow-up actions — e.g. blocking bad actors, running additional screenings, or updating your detection rules with new insights