Established-Account Fraud: When Bad Guys Get Sneaky

written by

Tonya Boyer

November 6, 2023

Most bad actors don’t like to wait around when committing fraud. They create an account and immediately make a fraudulent transaction. Time is money, even for bad guys. This type of fraud (new-account fraud) is prevalent in the ecommerce industry, and that’s because it’s the easiest type of fraud for bad actors to commit.

Merchants want new customers, so they usually make the account sign-up process easy, and bad actors take advantage of that to create hundreds or thousands of new accounts on a merchant’s platform to facilitate their fraud attacks. But there’s a catch for the bad actors: new-account fraud is so well known that most merchants aim the bulk of their fraud prevention strategy at preventing it.

Established-Account Fraud

That’s where established-account fraud comes in. Once an account has gone past being new and is considered established (say, a few months after account creation), the security aimed at the account starts to diminish. After all, there’s less fraud on established accounts, so it seems like a good financial decision to put fewer resources into monitoring for it after a certain point. But this approach can easily backfire, because bad actors have a strong incentive to find the weakest point in the fraud prevention strategy. The most experienced and most enterprising bad actors know that one way to get around the system is to commit established-account fraud.

Below are five types of established-account fraud that you should be on the lookout for.

Sleeper Accounts

Sleeper accounts are one of the most straightforward types of established-account fraud. A bad actor simply creates a new account and lets it sit unused until they consider it established enough to potentially avoid fraud prevention measures. This may be several months or several years. The older an account is, the more likely it is to bypass normal security checks.

But this can be a risky play. The general rule of committing fraud is to get as much of it done as you can before your account is discovered and blocked. That’s why so many bad actors use new accounts and don’t wait. But if they have the patience and the daring, a sleeper account can pay dividends by evading notice long enough to steal significant amounts from a merchant.

What to do about it:

Analyze your customer spend patterns (a human intelligence team can help with this). Identify two key factors: an age by which you consider an account established, and a minimum dollar amount customers should have spent by that account age. If accounts pass the age threshold but are below the dollar amount threshold, the account should be flagged for review by a fraud analyst. You can set up an anomaly alert (either automated or manual) to flag these accounts.

During review, the fraud analyst should look at account setup patterns to determine if the account was created by a bad actor. These patterns will be similar to patterns associated with new-account fraud. You may also want to put policies in place to delete accounts that remain inactive over an extended period of time (which is what Google is doing).

Account Takeover

Another way bad actors may attempt to gain access to established accounts is by compromising and taking over legitimate accounts created by actual customers. This can be done in a variety of ways: social engineering, phishing, purchasing credentials from the dark web, and launching credential stuffing attacks – just to name a few. Many customers use weak passwords or reuse the same passwords across accounts, which makes them easy targets for account takeovers (ATOs).

Once the bad actor has access to a customer’s account, they’ll frequently change the password to keep the legitimate customer out of the account, then use the customer’s PI to make purchases. This may include purchasing physical or digital goods and having them delivered to a shipping or email address within the bad actor’s control. These products will generally be resold by the bad actor for profit. For subscription services, the bad actor will use the subscription for their own benefit on the customer’s dime.

Because these accounts are not only established but also frequently have good spend (from the customer’s legitimate activities), they will often be given privileges by merchants such as an increased billing threshold or access to exclusive deals and products, which the bad actor will take advantage of.

What to do about it:

Set up an anomaly alert for sudden changes to shipping address or email address. If you’re able to track IP geolocation associated with account logins, your team should look for several failed login attempts followed by a successful login from a high-risk country or region. This is especially conspicuous if accompanied by a recent change in password or other account information that may indicate the account has been taken over by a bad actor. Develop an account recovery plan and ensure your human intelligence and customer service teams are trained in it. You can learn more about ATOs and how to prevent them in our previous blog post.
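The login-sequence alert described above, sketched in Python as an added example (not code from the article or from IP Services). The event schema, the placeholder region codes, the time windows and the failure count of three are all assumptions, and this version only looks at account changes made after the suspicious login.

```python
from datetime import datetime, timedelta

# Assumed for this example: event schema, region codes and all thresholds.
HIGH_RISK_REGIONS = {"XX", "YY"}        # placeholder region codes
MIN_FAILURES = 3                        # "several" failed attempts
FAILURE_WINDOW = timedelta(minutes=30)  # failures must fall this close to the success
CHANGE_WINDOW = timedelta(hours=24)     # account changes this soon after the login
SENSITIVE_CHANGES = {"password_change", "email_change", "shipping_change"}

def detect_ato(events):
    """Alert on MIN_FAILURES+ failed logins followed by a successful login
    from a high-risk region; raise severity if account details then change."""
    alerts, failures = [], {}  # failures: account -> failed-login timestamps
    for ev in sorted(events, key=lambda e: e["ts"]):
        acct, kind, ts = ev["account"], ev["type"], ev["ts"]
        if kind == "login_failed":
            failures.setdefault(acct, []).append(ts)
        elif kind == "login_ok":
            # A success resets the failure streak whether or not it alerts.
            recent = [t for t in failures.pop(acct, []) if ts - t <= FAILURE_WINDOW]
            if len(recent) >= MIN_FAILURES and ev["region"] in HIGH_RISK_REGIONS:
                alerts.append({"account": acct, "login_ts": ts,
                               "severity": "medium", "changes": []})
        elif kind in SENSITIVE_CHANGES:
            for alert in alerts:
                if alert["account"] == acct and ts - alert["login_ts"] <= CHANGE_WINDOW:
                    alert["severity"] = "high"
                    alert["changes"].append(kind)
    return alerts

def make_event(minute, account, kind, region):
    ts = datetime(2023, 11, 6, 12, 0) + timedelta(minutes=minute)
    return {"ts": ts, "account": account, "type": kind, "region": region}

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    make_event(0, "acct-1", "login_failed", "XX"),
    make_event(1, "acct-1", "login_failed", "XX"),
    make_event(2, "acct-1", "login_failed", "XX"),
    make_event(3, "acct-1", "login_ok", "XX"),
    make_event(5, "acct-1", "password_change", "XX"),
    make_event(6, "acct-1", "shipping_change", "XX"),
    make_event(0, "acct-2", "login_failed", "US"),  # one typo, then a normal login
    make_event(1, "acct-2", "login_ok", "US"),
]

if __name__ == "__main__":
    for alert in detect_ato(SAMPLE_EVENTS):
        print(alert["account"], alert["severity"], alert["changes"])
```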

Fake Job Scams

Sometimes bad actors may take a more complex approach to established-account fraud, such as by running a fake job scam. Fake job scams are a growing issue in the job market today, as bad actors attempt to steal identities and other information from would-be employees.

A huge amount of sensitive and personal data can be at risk when someone falls for a fake job scam. In the realm of established-account fraud, we frequently see bad actors list job openings for freelance positions such as mystery shopper, software developer, graphic designer, or other work-from-home gigs. The bad actor, acting as an employer, instructs the employee to create an account on a relevant platform (e.g. a developer may create an AWS account) with their own PI. The bad actor requests the employee’s credentials, then takes over the account and ghosts the employee.

As with traditional account takeover, this type of established-account fraud can be very difficult to spot upfront. That’s because all the information associated with the account is legitimate. If you reverse search the email address, it’s likely to lead you to the owner of the PI, which is usually a green flag for a fraud analyst. On the other hand, after the account has been compromised, there are ways to detect that this change has taken place. Bad actors in possession of this type of account will usually change some or all of the information associated with the account in order to put distance between them and the person they scammed.

What to do about it:

Fraud analysts can detect this type of established-account fraud by identifying discrepancies in current versus previous account information. If you’re able to track account information change history, this move will be obvious. If not, the changes made by the bad actors are often clumsy enough to be an obvious red flag even on their own. The important thing is to ensure that even accounts that were previously verified go back through your verification systems for subsequent purchases or are monitored by anomaly alerts that can send accounts to a human intelligence team for review.

Card Testing

In some ways, card testing operates on a scheme similar to sleeper accounts. While sleeper accounts are created and then left to sit completely unused, card testing accounts are used – but not for the type of purchases usually associated with new-account fraud (i.e. high-dollar purchases for products that can be easily resold or monetized).

Instead, card testing accounts are used to make a series of low-dollar purchases, each with different stolen PIs, with the aim of verifying whether the stolen payment information is valid. This type of activity doesn’t usually raise red flags with machine learning (ML) models or other first-line purchase monitoring. That’s why fraud of this kind can start when an account is new and last well into “established account” territory simply by flying under the radar for so long.

This prolonged attack may have a limited impact on your cost of goods losses since the products are low dollar, but the chargeback costs on this type of fraud can easily add up as each of the many legitimate cardholders files with their bank. There’s also a high probability that these accounts will be repurposed down the line to purchase higher-dollar products for resale.

What to do about it:

Track add-PI events and set up an anomaly alert to flag any account that has added three or more PIs. You may also impose a limit on the number of PIs (we suggest 4 to 6), beyond which customers will be physically unable to add more. However, there are legitimate reasons a customer may want to add more PIs (e.g. a shared family or business account), so your customer service team or human intelligence team should be able to bypass this block after an account has been verified as legitimate. We also recommend investing in new authentication solutions such as 3DS2 to help reduce this type of fraud.
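The add-PI alert and cap described above, as an added Python example (not the article's or IP Services' code). It reads "PI" as a payment instrument; the event format, the token names, the cap of 5 and the choice to suppress alerts for already-verified accounts are assumptions.

```python
from collections import defaultdict

ALERT_AT = 3    # article: flag any account that has added three or more PIs
HARD_LIMIT = 5  # article suggests a cap of 4 to 6; 5 is this example's choice

def replay_add_pi(events, verified=frozenset()):
    """Replay (account, pi_token) add-PI events in order.

    Returns (decisions, alerts): decisions holds one (account, pi_token,
    'allow' | 'block') tuple per event; alerts lists each unverified account
    once, at the moment it reaches ALERT_AT distinct PIs. Accounts in
    `verified` were cleared by an analyst and bypass the hard limit.
    """
    pis = defaultdict(set)  # account -> distinct PI tokens on file
    decisions, alerts = [], []
    for account, token in events:
        on_file = pis[account]
        if token in on_file:
            verdict = "allow"  # re-adding a PI already on file changes nothing
        elif len(on_file) >= HARD_LIMIT and account not in verified:
            verdict = "block"
        else:
            on_file.add(token)
            verdict = "allow"
            if len(on_file) == ALERT_AT and account not in verified:
                alerts.append(account)
        decisions.append((account, token, verdict))
    return decisions, alerts

# Constructed sample: tokens are opaque placeholders, never raw card numbers.
SAMPLE_ADDS = (
    [("acct-A", f"tok-a{i}") for i in range(1, 8)]    # 7 PIs, unverified
    + [("acct-B", f"tok-b{i}") for i in range(1, 8)]  # 7 PIs, verified family account
    + [("acct-C", "tok-c1"), ("acct-C", "tok-c1"), ("acct-C", "tok-c2")]
)

def verdicts_for(decisions, account):
    """Verdicts for one account, in event order."""
    return [v for a, _, v in decisions if a == account]

if __name__ == "__main__":
    decisions, alerts = replay_add_pi(SAMPLE_ADDS, verified={"acct-B"})
    print("alerts:", alerts)
    print("acct-A:", verdicts_for(decisions, "acct-A"))
```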

Multi-Account Fraud

Multi-account fraud (MAF) is a different type of established-account fraud, one that may be classified as an abuse rather than outright fraud. There are reasons for legitimate customers to have more than one account (e.g. one account for work purchases, one account for personal purchases), but it crosses the line into abuse or fraud when the accounts are used to gain an unfair advantage over other customers using the platform.

MAF can often be found on gaming, gambling, or rewards platforms. A user with several accounts can gain higher odds of winning a contest or sweepstakes by entering with each account. They can also gain an unfair amount of benefit from promos or bonus points if those things are awarded at an account level. Multiple accounts might also be used to stockpile in-game currency or other platform perks, which could be sold to other users for real-world currency. And that’s not even getting into the numerous ways users can commit collusion using multiple accounts on a platform.

Your brand can take a significant hit thanks to MAF because other rule-abiding users often view this type of cheating as something that degrades the entire platform – and may even give them incentive to move to a competitor.

What to do about it:

Set a threshold for the number of allowable accounts per IP address or device fingerprint (or both). Set up an anomaly alert to detect when this threshold is crossed. We recommend using a threshold between three and six, though your business model may call for a threshold outside those parameters. Keep in mind that family members will often use the same device and IP address, so your human intelligence team should be cautious of blocking accounts for MAF unless they’ve been clearly created by a single user.
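The per-IP and per-device threshold described above, as an added Python example (not the article's or IP Services' code). The record layout, one IP and one fingerprint per account, and the threshold of 3 are assumptions; the second function shows why an account flagged only by a shared IP deserves the caution the paragraph asks for.

```python
from collections import defaultdict

MAX_ACCOUNTS = 3  # article recommends a threshold between three and six

def flag_shared_origins(accounts, max_accounts=MAX_ACCOUNTS):
    """Return {(signal, key): sorted account ids} for every IP, device
    fingerprint, or IP+device pair used by more than max_accounts accounts."""
    groups = defaultdict(set)
    for acct in accounts:
        ip, device = acct["ip"], acct["device"]
        groups[("ip", ip)].add(acct["id"])
        groups[("device", device)].add(acct["id"])
        groups[("both", f"{ip}|{device}")].add(acct["id"])
    return {k: sorted(ids) for k, ids in groups.items() if len(ids) > max_accounts}

def review_queue(flagged):
    """Map each flagged account to the set of signals that implicated it.
    An account hit only by 'ip' (shared household or office network) is a
    weaker lead than one hit by 'both'."""
    signals = defaultdict(set)
    for (signal, _key), ids in flagged.items():
        for account_id in ids:
            signals[account_id].add(signal)
    return dict(signals)

# Constructed sample; IPs come from the RFC 5737 documentation ranges.
SAMPLE_ACCOUNTS = [
    {"id": "u1", "ip": "203.0.113.10", "device": "fp-aaa"},
    {"id": "u2", "ip": "203.0.113.10", "device": "fp-aaa"},
    {"id": "u3", "ip": "203.0.113.10", "device": "fp-aaa"},
    {"id": "u4", "ip": "203.0.113.10", "device": "fp-aaa"},
    {"id": "u5", "ip": "203.0.113.10", "device": "fp-bbb"},  # same network, own device
    {"id": "u6", "ip": "198.51.100.7", "device": "fp-ccc"},
    {"id": "u7", "ip": "198.51.100.7", "device": "fp-ddd"},
]

if __name__ == "__main__":
    flagged = flag_shared_origins(SAMPLE_ACCOUNTS)
    for account_id, signals in sorted(review_queue(flagged).items()):
        print(account_id, sorted(signals))
```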

Fighting Back Against Established-Account Fraud

Committing established-account fraud takes more time, skill, and effort than using a new account. But for the bad actors who make a living committing ecommerce fraud, it can be worth the work. Established-account fraud is performed by the most experienced bad actors, so it won’t be easy to spot. Even with an ML model monitoring accounts on your platform, AI will not be able to detect this type of fraud with high accuracy.

Anomaly alerts are your most reliable tool to flag established-account fraud. If your business is small, alerting can be done manually by having a fraud analyst from a human intelligence team review customer accounts for the types of anomalous behavior mentioned above. If your business is larger, these alerts can be automated – whether as a daily sweep for analysts to comb through, or as a self-serve dashboard where analysts can develop their own monitoring and alerts. There are many ways to attack established-account fraud, and which options you choose depends on your business needs.


If your business has an established-account fraud problem and you’re not sure how to start fighting back, you can schedule a consultation with our experienced fraud prevention team here.

Tonya Boyer

Tonya has been with IP Services since 2014. After several years serving as a Subject Matter Expert in the cloud computing space, she began managing the Fraud Protection team in 2017. She believes in creating a happy, casual but professional workspace where everyone can live their best lives while doing good work. She is dedicated to community outreach and helps coordinate the IPS Connects volunteer and donation committee.