How to prevent New Account Fraud?

Share this post

Posted by Asaf Jacobi · 4 min read

New account fraud, also known as Account Opening Fraud or Online Account Origination Fraud, is when fraudsters use stolen or synthetic identities to open new bank accounts, with a view to maxing out their credit limits before disappearing into thin air, usually within 90 days.

The digital revolution occurring in financial services – with more and more people using cashless (EMV) payments and online banking – has created a situation where new account fraud is emerging as one of the biggest concerns for retail banks.

This is because fraudsters are constantly adjusting their operations in order to exploit new weaknesses and boost their profits.

For example, while they used to specialize in illegal activities such as counterfeit credit card fraud, they are now committing new account fraud in order to obtain authentic physical cards, making it easier for them to extract cash.  Indeed, the FTC estimates that in the US, credit card new account fraud was up 24% year-on-year in 2018; an illustration of cybercriminals’ ability to adapt.

Fraudsters will always seek out and exploit the weaknesses in a bank’s processes and security defenses. Existing anti-fraud prevention methods that are available to banks at the new customer onboarding stage create friction, negatively affecting the user experience to the point where legitimate prospects may quit the application process because it’s too cumbersome.

Banks would therefore rather take the risk of fraud rather than lose potential customers.

Unfortunately for them, the criminal underworld knows this. With the rising threat of new account fraud, banks urgently need to find a way to keep the onboarding process as slick and easy as possible, while also identifying and stopping any fraudsters.

Why is new account fraud so hard to spot?

Just because an applicant’s credit report looks fine, doesn’t mean their personal information hasn’t been stolen. On the dark web, entire legitimate identities can be bought for as little as $20. A lot of people don’t even know their details have been either stolen or used inappropriately, and neither do the banks which are processing these applications.

What’s more, the ‘identities’ attached to fraudulent applications are mostly synthetic, where the personal details provided are not all from the same person.

This means consumers may never know that their information has been exploited. In addition, since all the details included on the application are individually valid, banks find it challenging to spot any fraudulent activity.

Recent research from Aite Group reveals that 65% of fraud and anti-money laundering (AML) pros believe that synthetic identities are now a bigger issue for banks than regular identity theft.


How successful are banks at counteracting new account fraud?

Banks often rely on their customer service agents as their first line of defense. The Association of Certified Fraud Examiners (ACFE) reported 15 red flags that banks can watch out for when a new customer is opening an account, such as mismatched names and addresses, and even if the applicant is being overly friendly. This manual, human-driven identification process is not 100% reliable and is much less scalable.

New account fraud usually refers to theft from accounts that are less than 90 days.

A great deal of damage can happen in three months, especially when you are dealing with an organized identity fraud ring. Plus, the use of real (or a blend of real) details means that fraudulent applications are usually only being detected weeks after the account has been opened.

So, even if the account is detected as fraudulent, criminals will have had plenty of time to cause the bank big losses.

Identity fraud rings exacerbate the problem

Individual fraudsters are likely to open an account, immediately withdraw cash up to the initial credit limit, and then disappear. However, more often it’s the case that the account has been opened as part of the operations of an organized ring of fraudsters.

These can even be seemingly legitimate firms with a fully functional management structure. This makes it extremely difficult for banks who attempt to follow up on an individual who is suspected of committing new account fraud.

These criminals open several accounts with varying synthetic identities simultaneously. They have complete control over the accounts from day one (as opposed to when a fraudster performs an account takeover, which is easier for banks to detect) and can then work to build the account’s credit score, increasing their credit lines.

As these threat actors are all part of the same organization, a process referred to as ‘cash-cycling’ occurs, where money is circulated between the fraudulent accounts to imitate legitimate financial activity. As a result, traditional security measures will likely consider these accounts to be completely genuine.

Indeed, some accounts are only ever used as ‘mules’; they exist purely so that money can be transferred in and out again to help conceal the true purpose of other fraudulent accounts. It is likely that many of these mule accounts go completely undetected.

In this way, the crime ring manages multiple accounts, increases their credit lines, and after a short period of time they ‘bust-out’; withdrawing as much money as they can up to their new-and-improved credit limits before vanishing with the money.

To give an idea of the sheer scale of some of these illegal operations, a New Jersey crime ring, when finally arrested by the FBI and prosecuted, were found to be running 7000 synthetic identities, 25,000 credit cards, and to have stolen over $200 million.


Reducing the impact of new account fraud

Banks advertising frictionless onboarding processes will be attracting new customers and new fraudsters alike. They now need new strategies which prevent these attacks without compromising their attractiveness to legitimate users. Stopping fraud at this point will save these organizations billions down the line.

Simply relying on customer service agents to detect whether a new applicant has fraudulent intentions is clearly not the answer, as new account fraud continues to increase year-on-year.

The only way in which to combat new account fraud is with a holistic, multi-layered approach to security. By recognizing your standard user’s normal online interactions compared to both known legitimate customer behavior and known fraudster behavior, it is possible to weed out the criminals in real time through continuous profiling.

Employing behavioral biometrics is an unobtrusive solution which can stop criminals from opening an account and stops them committing fraud before it has happened.

More To Explore


Are you a member of The Payments Association?

Member benefits include free tickets, discounts to more tickets, elevated brand visibility and more. Sign in to book tickets and find out more.


Log in to access complimentary passes or discounts and access exclusive content as part of your membership. An auto-login link will be sent directly to your email.

Having trouble signing?

We use an auto-login link to ensure optimum security for your members hub. Simply enter your professional work e-mail address into the input area and you’ll receive a link to directly access your account.

First things first

Have you set up your Member account yet? If not, click here to do so.

Still not receiving your auto-login link?

Instead of using passwords, we e-mail you a link to log in to the site. This allows us to automatically verify you and apply member benefits based on your e-mail domain name.

Please click the button below which relates to the issue you’re having.

I didn't receive an e-mail

Tip: Check your spam

Sometimes our e-mails end up in spam. Make sure to check your spam folder for e-mails from The Payments Association

Tip: Check “other” tabs

Most modern e-mail clients now separate e-mails into different tabs. For example, Outlook has an “Other” tab, and Gmail has tabs for different types of e-mails, such as promotional.

Tip: Click the link within 60 minutes

For security reasons the link will expire after 60 minutes. Try submitting the login form again and wait a few seconds for the e-mail to arrive.

Tip: Only click once

The link will only work one time – once it’s been clicked, the link won’t log you in again. Instead, you’ll need to go back to the login screen and generate a new link.

Tip: Delete old login e-mails

Make sure you’re clicking the link on the most recent e-mail that’s been sent to you. We recommend deleting the e-mail once you’ve clicked the link.

Tip: Check your security policies

Some security systems will automatically click on links in e-mails to check for phishing, malware, viruses and other malicious threats. If these have been clicked, it won’t work when you try to click on the link.

Need to change your e-mail address?

For security reasons, e-mail address changes can only be complete by your Member Engagement Manager. Please contact the team directly for further help.

Still got a question?