New Account Fraud: How Fraudsters Scam Banks & Merchants Using Fake Credit Profiles

Roger Alexander | April 17, 2025 | 11 min read

This featured video was created using artificial intelligence. The article, however, was written and edited by actual payment experts.

In a Nutshell

Gaining new customers is always a win – as long as they’re real customers, and not fraudsters hiding behind phony account profiles. New account fraud is a growing threat on this front, but is there any way for banks and merchants to protect themselves?

Merchants & Banks Are Being Threatened by New Account Fraud. Here’s How They Can Fight Back.

New customers are great… unless they’re not really customers at all, that is.

A new buyer purchasing hundreds of dollars worth of merchandise seems like a good thing. But, if the buyer is using a newly-created online account, there’s a chance you’re dealing with a scammer.

This could be an example of a fast-growing threat called new account fraud. It happens when scammers combine stolen personally identifiable information with new data to create synthetic identities, then open new accounts in the fake persona’s name.

Step 1

Fraudsters steal personally identifying information (PII) from one or more victims

Step 2

Fraudsters manufacture new identities using a mix of stolen and synthetic information

Step 3

Fraudsters open accounts with financial institutions using synthetic identities

Identifying new account fraud before the fact is challenging, but it’s not impossible. In this post, we look at how fake information is used to con merchants and financial institutions. We’ll explain how new account fraud works, and list a few red flags that may help with scam prevention.

What is New Account Fraud?

New Account Fraud

[noun]/no͞o ● ə ● kount ● frôd/

New account fraud occurs when a fraudster adopts a false identity to create a new payment card account. This can occur at either the banking or the merchant level, with fraudsters using stolen or synthetic identities to secure new credit or debit cards.

New account fraud is a third-party fraud tactic. In a new account attack, the scammer will use stolen information to create a new user profile and try to get a bank account. The fraudster then uses that account to make purchases. Once the fraud is eventually discovered, the merchant will be left holding the bag.

A new account scheme starts with a fake payment account that, for all intents and purposes, looks like the genuine article. The data used to create the account may be stolen, obtained through devious techniques such as phishing, or purchased off the dark web for pennies. The fraudster may attempt to impersonate an existing cardholder, or create a synthetic “Frankenstein” identity with bits swiped from multiple individuals. 

Once a new identity profile exists, it can be used to secure a payment card with either an issuing bank or a merchant. In some cases, the fraudster will open multiple accounts at different banks simultaneously. Using the newly acquired cards, the crook starts shopping (usually online, where customer validation tends to be more lax).

Fraudsters who engage in new account fraud know that the scam will eventually be detected. So, their goal is to max out the credit accounts and disappear before getting caught. Not surprisingly, new account creation fraud generally occurs within 90 days of securing a new card.

Did You Know?

New account fraud incidents have been growing at an alarming rate recently. According to the Federal Trade Commission, fraud losses increased more than $5.8 billion from 2020 to 2021, representing a year-over-year jump of more than 70%.

How Common is New Account Fraud?

Very common. Recent data shows that new account fraud makes up 89% of all credit card fraud.

So, why are we seeing so many new account attacks? The simple answer is “the internet.” I get that that’s a little reductive, though. If we want to dig a little deeper, we see that there are four primary factors contributing to the problem:

Easy Access to Consumer Data

According to one source, there are over 1,073,741,824 gigabytes of data stored in the cloud. A good chunk of that is the personal data of people who’ve signed up for subscriptions, loyalty programs, free offers, and so on. Naturally, most of that data is highly secured, but that doesn’t stop professional hackers from doing everything they can to get at it.

Even if secured information is never accessed, there’s plenty of data to be had. For example, most people don’t think about the personal information they post on social media. Names, birthdays, addresses, phone numbers, photos – any personal information can be scraped and used to try and create bogus accounts.

Easy Access to Credit

Applying for a loan used to require a huge amount of paperwork. And, it was almost all filled out by hand. Nowadays, applications can be submitted — and in some cases, even approved — online within seconds.

Lines of credit can be available to the applicant almost immediately. This is especially true of store-sponsored credit cards, where qualifications are less rigorous than those required by traditional lenders. One store card may not be worth much on its own, but it’s a good starting point to build credit for opening other new accounts.

Easy to Scale

A single incident will have limited ROI. That’s why scammers have found ways to scale their operations.

Most fraudulent account creation can be automated using easy-to-acquire bots. These can run thousands of potential ID combinations in a fraction of the time it would take a human to do so. Specifics from any viable identities can then be used to automatically apply for credit cards.

As with most other facets of AI-enabled technologies, microwork can fill the gaps when bots can’t conduct every facet of the process. Teams of human workers may be sitting in click farms in other countries or regions, getting paid a few cents for each application form they complete and submit on a scammer’s behalf.

Easy to Get Away With

The anonymity of the web means fraudsters can wreak havoc, then disappear without leaving a trail. There are a number of ways to hide or disguise identifying information, such as hidden proxy servers that conceal IP addresses. One of these can make the scammer appear to be in one location while committing fraud from a different country altogether. 

Plus, remember that the fraudsters will be hiding behind a false profile or pseudonym. That can make it almost impossible to find the criminal, let alone bring a case to trial. As long as computers and people are vulnerable to hacking (and they always will be), cybercriminals will be leveraging internet anonymity to ply their trade.

Did You Know?

Some fraudsters use a variation of new account fraud known as “bust out” fraud. Instead of immediately maxing out cards, the criminal uses the faux account to build a credit rating, apply for additional credit cards, and increase their credit limits. They may wait months or years before “busting out” by spending all their available buying power and absconding.

Who Pays for New Account Fraud?

Obviously, if a fraudster is making money, that money has to come from somewhere. In cases where an account was set up in a real person’s name, any purchases would go against that person’s credit history… At least until the valid user reports the scam.

That leaves either banks or merchants to foot the bill. Traditionally, fraud costs have been absorbed by financial institutions. But, with the increase in fraudulent activity – especially friendly fraud – bank liability is not a given. Certain circumstances may allow the bank to shift responsibility to the merchant.

Bank at Fault

In many cases, the fault will lie with the bank that issued the line of credit. Using the example we outlined above, if a fraudster creates a fake profile to secure a new account and line of credit, the bank would be held liable. They were unable to perform due diligence and detect the impersonator; as such, they bear responsibility for the losses.

Merchant at Fault

If a fraudster uses stolen cardholder credentials to create a fake profile on a merchant’s site, the retailer in question can be held liable. This depends on whether the bank can make a compelling case that the merchant should’ve been able to detect the new account scam. For instance, if the merchant fails to adhere to proper validation protocols, or makes transaction errors, the bank may initiate a chargeback to recover funds.


Red Flags & Warning Signs

So, new account scammers might be draining your revenue without your knowledge. If it’s any consolation, though, fake signups come with reliable red flags that banks and merchants can be on the lookout for. These include:

Red Flag

Multiple Accounts Created From the Same IP/Device

Legitimate users will typically sign up for one account. After all, what’s the point of having two or more accounts?

Fraudsters, however, are playing a different game. For them, the more accounts they’re able to open, the more chances they’ll have to fly under the radar, bypass restrictions, and engage in illicit activities. That’s why scammers will often use one device or IP address to create several fake accounts at once. Doing so gives them more opportunities to participate in foul play and do harm to your business.

Red Flag

Geolocation Mismatches

Most legitimate account openings should occur in close proximity to the individual’s listed billing address.

By contrast, one telling indicator of a fraudulent signup is when an account is created in a region different from the address provided during account creation. Other times, fraudsters may use VPNs or proxy servers to mask their real location so as to appear legitimate and bypass fraud detection tools that flag access attempts from high-risk geographies.

Red Flag

Incomplete or Inconsistent Customer Data

Fraudsters rely on stolen or manufactured identities to open fraudulent accounts, so they may often have incomplete information about their victim. Other times, scammers may intentionally omit details so that they can cover their tracks. For example, when filling in account details, they may intentionally leave out their stolen identity’s full last name or zip code.

Red Flag

Unusual Purchasing Behavior From New Accounts

Fraudulent activities often differ dramatically from non-fraudulent ones in terms of both quantity and quality. That’s because scammers are trying to evade detection, while carrying out as much criminal activity as possible before they are caught.

As a result, scammers may make a large quantity of high-value purchases in a short amount of time, buy easily flippable items, or make identical purchases but have them shipped to different locations.

Red Flag

Use of Temporary or Disposable Emails and Phone Numbers

Email addresses and phone numbers make fraudsters more traceable, so scammers who create fake accounts may do so using fake, “burner” details instead.

Burner emails, for example, expire shortly after creation. This ensures that the bad actor’s primary email address remains unconnected from the fraudulent account activity, and thus makes it less likely that they’ll be caught.

Red Flag

SSN Mismatches

This one applies more specifically to banks, since merchants wouldn’t have access to an individual’s Social Security number.

Be suspicious of Social Security numbers that don’t match the identity on file with the bank or the three major credit bureaus. The same goes for Social Security profiles with odd aspects, such as references to two different applicants with no credit history.

How to Respond to New Account Fraud Attacks

You need to take a multilayered approach to new account fraud. If you suspect that a transaction might be a scam, take the following actions:

  1. Freeze Suspicious Accounts: Temporarily disable accounts exhibiting signs of fraud to prevent further transactions while investigating.
  2. Review & Reverse High-Risk Transactions: Audit transactions made by flagged accounts. Initiate reversals, refunds, or cancellations where appropriate to limit loss.
  3. Notify Your Processor: Inform your payment processor about the incident. They may offer additional tools or freeze settlements for high-risk accounts.
  4. Block Fraud Infrastructure: Blacklist IP addresses, email domains, and devices used in the attack. Consider velocity limits or CAPTCHA for high-risk regions or devices.
  5. Monitor for Repeat Attacks: Keep a close eye on new accounts and transactions in the aftermath. Fraudsters often return with variations on the same tactics.
  6. Analyze the Attack Pattern: Identify commonalities in fraudulent accounts. Use this data to strengthen fraud filters and block similar attempts.
  7. Update Fraud Detection Rules: Tighten account creation rules based on what you learned, and adjust thresholds as needed for behavior-based alerts.
  8. Audit & Patch Vulnerabilities: Review your sign-up and checkout processes for weaknesses. Ensure rate limiting, bot protection, and API security are in place and up to date.

The financial services industry is a tightly-regulated space. Being in compliance with laws and regulations designed to protect both yourself and your customers is mandatory, not optional.

For example, EU merchants and financial institutions must comply with the General Data Protection Regulation (GDPR), while merchants that store or accept credit or debit cards, no matter where they’re located, must follow PCI-DSS requirements. Both regulations instruct businesses to protect customers’ data through tokenization or encryption measures, which can minimize the risk of sensitive data falling into the hands of fraudsters.

In addition, during the onboarding process, merchants — particularly banks — must carry out Know Your Customer (KYC) procedures to verify and prove that users opening new accounts are who they say they are. Doing so can help lower the prevalence of identity theft and prevent financial institutions from inadvertently enabling crimes such as money laundering or terrorist financing.

Other Strategies to Prevent New Account Fraud

Of course, preventing fraudsters from creating new accounts is more effective than waiting to respond until some damage has been done. In practice, new account fraud prevention means:

Having Strong Identity Verification Measures

You should implement multi-factor authentication (MFA) at signup and checkout. In addition to a standard username and password combination, this security measure requires users to provide additional information, such as biometric authentication or a one-time SMS code, before an action can be taken.

Businesses can also use Address Verification Services to determine if the billing address provided by the customer at checkout matches the address on file with the issuer. Device fingerprinting technologies, which identify a user’s device based on features such as browser type or IP address, can also enable you to flag fraudulent signups or transactions made using new devices.

Use Behavioral Analysis and AI-Driven Detection

Legitimate customers create a sort of digital footprint when making purchases. Behavioral analytics, which use AI and machine learning techniques to detect typical and atypical account activity, can help you flag behavior that deviates from historically normal activity.

For example, a large number of account creation attempts using similar or identical demographic information in a short period of time can signal that a fraudster, rather than a legitimate user, is attempting to sign up for a service. Similarly, multiple declined transactions may signal that a scammer is using stolen payment information at checkout.

Data Enrichment & Risk Scoring

To minimize the risk of synthetic identity fraud, you should cross-reference data provided at account opening with information from other sources, including public records and social media sites. Businesses can use these external data sources to see if the information submitted is accurate and legitimate.

Data points, such as a user’s location, age, gender, stated income and assets, billing address, IP address, and social security number, can also be used to assign risk scores to signup and transaction attempts. This can help risk teams quantify the likelihood of fraud and make data-informed decisions.
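
The red flags listed earlier and the risk-scoring idea above can be combined into a rule-based check. The Python below is an added example, not part of the original article; the field names, weights, one-hour window, three-signup limit and disposable-domain list are all assumptions, and the signups are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# All weights, limits and domains below are illustrative assumptions.
WEIGHTS = {"shared_ip_or_device": 40, "geo_mismatch": 25,
           "incomplete_data": 15, "disposable_email": 20}
VELOCITY_WINDOW = timedelta(hours=1)
VELOCITY_LIMIT = 3                      # signups per IP/device inside the window
DISPOSABLE_DOMAINS = {"tempmail.example"}
REQUIRED_FIELDS = ("last_name", "zip", "email")

def burst_members(signups, field):
    """Ids of every signup in a burst of >= VELOCITY_LIMIT sharing `field`."""
    groups = defaultdict(list)
    for s in signups:
        groups[s[field]].append(s)
    flagged = set()
    for members in groups.values():
        members.sort(key=lambda s: s["ts"])
        start = 0
        for end in range(len(members)):
            # Shrink the window until it spans at most VELOCITY_WINDOW.
            while members[end]["ts"] - members[start]["ts"] > VELOCITY_WINDOW:
                start += 1
            if end - start + 1 >= VELOCITY_LIMIT:
                flagged.update(m["id"] for m in members[start:end + 1])
    return flagged

def score_signups(signups):
    """Map account id -> (risk score, list of red flags raised)."""
    bursty = burst_members(signups, "ip") | burst_members(signups, "device")
    results = {}
    for s in signups:
        flags = []
        if s["id"] in bursty:
            flags.append("shared_ip_or_device")
        # ip_country is assumed to come from a GeoIP lookup done upstream.
        if s["ip_country"] != s["billing_country"]:
            flags.append("geo_mismatch")
        if any(not s.get(f) for f in REQUIRED_FIELDS):
            flags.append("incomplete_data")
        if (s.get("email") or "").rsplit("@", 1)[-1].lower() in DISPOSABLE_DOMAINS:
            flags.append("disposable_email")
        results[s["id"]] = (sum(WEIGHTS[f] for f in flags), flags)
    return results

def review_queue(results):
    """Any single flag earns a second look; highest score first."""
    hits = [(score, acct) for acct, (score, flags) in results.items() if flags]
    return [acct for score, acct in sorted(hits, key=lambda h: (-h[0], h[1]))]

# Constructed sample signups (documentation IP ranges, .example domains).
T0 = datetime(2025, 1, 1, 12, 0)
def _signup(acct, minutes, ip, device, ip_cc, bill_cc, last_name, zip_code, email):
    return {"id": acct, "ts": T0 + timedelta(minutes=minutes), "ip": ip,
            "device": device, "ip_country": ip_cc, "billing_country": bill_cc,
            "last_name": last_name, "zip": zip_code, "email": email}

SAMPLE = [
    _signup("a1", 0, "203.0.113.7", "dev-9", "NL", "US", "Reyes", "33101", "r1@tempmail.example"),
    _signup("a2", 5, "203.0.113.7", "dev-9", "NL", "US", "", "10001", "r2@tempmail.example"),
    _signup("a3", 9, "203.0.113.7", "dev-9", "NL", "US", "Lee", "94105", "lee@mail.example"),
    _signup("a4", 200, "198.51.100.4", "dev-2", "US", "US", "Okafor", "60601", "ada@mail.example"),
    _signup("a5", 300, "203.0.113.7", "dev-5", "NL", "NL", "Visser", "1012", "jv@mail.example"),
]

if __name__ == "__main__":
    scores = score_signups(SAMPLE)
    for acct in review_queue(scores):
        print(acct, *scores[acct])
```

The burst check flags every account in a cluster, including the first two that arrived before the limit was reached, while a later signup from the same IP outside the window (a5) is left alone.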

CAPTCHA & Bot Detection Tools

You can include CAPTCHA tests at the bottom of account signup and login forms to thwart bot-enabled activity. A CAPTCHA distinguishes humans from bots by asking users to identify images, relay complex patterns, decode scrambled text, or decipher audio clips. While simple, these tools are effective at stopping automated signups and preventing bad actors from creating multiple fraudulent accounts in a short amount of time.

None of these items, on their own, are enough to prove that a new account is bogus. That said, any one of these should be enough to make banks or merchants take a second look at the account and potentially ask for additional identification.

New account creation fraud can be a profitable enterprise, but fighting it alone can be a time-intensive endeavor that often offers a limited ROI. That’s why many merchants find it more profitable to partner with a full-service fraud and chargeback provider. To learn more, contact Chargebacks911® today.

FAQs

How does new account fraud work?

Cybercriminals use phishing or social engineering attacks to steal personal data, such as names, birthdays, and Social Security numbers, then open new bank, loan, or credit accounts using stolen or synthetic identities. The new accounts are then used to make fraudulent purchases.

How do you avoid new account fraud?

New account creation fraud can be hard to prevent, but more stringent customer verification using IP address checking, comparing information against profiles from other authorities, and using biometric identification can all help reveal potentially bogus accounts.

Can someone create a fake bank account?

Sort of. It’s more accurate to say that hackers create code that either goes through, or works around, bank security to grab personal information. This could be used by the cybercriminal to open an account, but is more often sold on the dark web.

In the US, federal identity validation mandates make it harder to create fake accounts. That said, there are actually apps that will allow users to create realistic fake accounts. Although these are marketed as pranks, thieves use them to steal from real bank accounts.

Why do fraudsters open bank accounts?

The accounts can be used to make illegitimate purchases or be used to build credit for a larger scam.

What are some red flags for fraudulent new accounts?

Spotting phony accounts isn’t an exact science, but banks or merchants can look for red flags like newly issued identification documentation (address, driver’s license, etc.). Other signs of suspicious activity include a lack of credit history, small initial purchases or cash deposits, or using mail drops instead of street addresses.

What is an example of new account fraud?

New account fraud occurs when a fraudster opens a bank account using a stolen or synthetic identity. An example is when a fraudster uses a fake name, along with a real cardholder’s social security number obtained through phishing or data breaches, to open a new bank account and apply for credit.

Is new account fraud illegal?

Yes, new account fraud is a federal offense punishable by restitution, plus prison time and/or fines.

How common is new account fraud?

New account fraud is very common: the Association of Certified Fraud Examiners (ACFE) revealed that, in 2024, new account fraud was the second most common fraud type after pig butchering, a scam that combines tactics used in romance scams with those present in investment frauds.
