Authors

  • Nadia Judge
  • Brooks Flanders, Marketing Content Manager

    In 2004, the same year the U.S. launched the National Cyber Alert System, Brooks launched her writing career with one the largest cybersecurity companies in the world. There she wrote about enterprise security and the highly-deceptive threats designed to circumvent standard defenses. Nineteen years later her interest in helping companies solve complex security challenges still runs deep.


In today’s hyper-connected world, the dark reality of account opening (AO) fraud looms large. Armed with sophisticated tactics, cybercriminals exploit vulnerabilities in account creation, wreaking havoc for companies and their customers. Industry reports show that consumers lost $7 billion to AO fraud in 2021. As the frequency and complexity of these attacks rise, implementing robust prevention measures is no longer optional –– it’s critical. 

In this blog, we’ll reveal the five best practices for preventing account opening fraud. But first, we’ll cover tactics bad actors use and the challenges in AO fraud prevention.  

How fraudsters conduct account opening fraud 

Bad actors open fraudulent accounts by using their own identity, a stolen identity or a synthetic identity, which is a combination of the two. They commonly register with their own (untraceable) device and phone number or email to appear legitimate. But in reality, the account has been created for the sole purpose of committing fraud, such as applying for a loan or credit card — with no intention of paying off the debt. 

They do this by pretending to be someone they’re not, using a variety of tricks:

  • Stolen Identities: Fraudsters use the victim’s name, address, and in some cases, Social Security number (SSN) to open an account. This is common when fraudsters target financial services, applying for a loan or making unauthorized purchases using the victim’s identity. They can easily purchase stolen identities on the dark web where sellers often list the victim’s credit rating.
  • Fake identities: In this case, a fraudster creates a fictitious identity and may create an email account specifically for fraud purposes. With this approach, they don’t have an established credit rating, but it still offers numerous avenues for exploitation such as layering in money laundering or various scam operations.
  • Synthetic identities: By combining stolen identity data with their own phone number and/or email address, fraudsters are able to trick data validation methods and authenticate with one-time passcodes (OTPs). With this tactic, it’s estimated that fraudsters are able to enroll 95% of the time. A 2023 Deloitte report shows it’s the fastest growing financial crime in the US.
  • High quality fake IDs: They’re sold online in plain sight, not just on the dark web! Plus, new fake ID services offer image editing tools, enabling users to cut and paste their own photos into ID design templates. Generative AI can also be used to create or edit images that look like genuine IDs.

The challenges in AO fraud prevention

Preventing AO fraud is difficult in the face of constantly evolving fraud tactics. Simultaneously, companies must keep up with ever-changing compliance mandates, like Know Your Customer (KYC) and General Data Protection Regulation (GDPR). Efforts to meet compliance and patch security often add too much friction to the account opening flow.


When opening an account, customers may be asked to fill out lengthy forms, present a photo ID, set up authentication, answer security questions and enter an OTP to prove they possess the email or phone number they’ve provided. These painstaking processes lead 51% of customers to drop off before completing AO and don’t do enough to prevent fraud.


In a world flooded with synthetic, fake and stolen identities paired with deceptive fake IDs, companies face additional challenges that further complicate AO fraud prevention: 

  1. Ever-changing compliance mandates add complexity & friction
    • AML, PEP & KYC: Banks must comply with Anti-Money Laundering (AML), Politically Exposed Persons (PEP) and KYC regulations, which mandate identity verification with a photo ID, background checks and much more.
    • Privacy requirements: Data privacy mandates, like GDPR, specify how personally identifiable information (PII) is handled, stored and secured.
  1. Friction-filled user experiences (UX) lead customers to drop off before completing enrollment. Strong anti-fraud and compliance measures, like ID proofing and multi-factor authentication (MFA) with OTPs or security questions, negatively impact UX if the steps feel complicated and time consuming.
  2. Combining multi-vendor solutions for authentication, anti-fraud, background checks, identity proofing and other tools requires difficult integrations and lengthy development cycles. The results: complexity, silos and disjointed UX.
  3. DIY integrations of data validation sources are difficult to set up and maintain. But without it, customers lack the global and regional coverage that’s needed. Plus, if results from different sources conflict, the discrepancies will have to be reconciled. 


5 best practices for preventing AO fraud

In the face of account opening fraud, implementing strong and user-friendly defense is imperative to safeguard customer identities, protect sensitive data, and maintain customer trust. To achieve this, follow these 5 best practices: 

  1. Leverage AI: In the battle against online fraud, AI’s ability to analyze vast amounts of data, detect subtle patterns and adapt to evolving tactics makes it an invaluable tool. Here are specific ways AI can be used to secure account opening:
    • Behavioral analytics: AI analyzes user behavior during account opening, comparing it to typical user behaviors. Deviations, such as rapid data input, which might indicate a bad bot, can be weighed in an overall risk score.
    • Biometric authentication: AI-driven facial recognition supports phishing-resistant biometric authentication.
    • Biometric matching: Verifies the identity of the person by comparing their ID photo with their selfie photo.
    • Device fingerprinting: AI can analyze the metadata from a user’s device to detect suspicious signals. If new accounts are being opened from the same device but with different personal identity data, it’s flagged as a risk.
    • Conversational AI: With generative AI, IT administrators can perform natural language queries about customers, their activities and security events, for instance. Natural language processing can also be used to flag text anomalies, like scripted or automated text entry typical of bad bots.
    • Data validation: AI can cross-reference identity data (address, name, SSN, etc.) with trusted databases to check for inconsistencies.
    • Continuous learning: By training AI on new data, it can adapt to emerging fraudulent techniques, staying a step ahead of fraudsters.
    • Real-time monitoring: AI’s ability to process large data sets in real time means it can instantly detect anomalies, assigning a risk score to each account opening attempt and triggering mitigation steps if needed.
  1. Implement layered identity proofing: To detect synthetic identities and fake IDs, companies need a layered approach that includes identity verification and data validation. Together, they verify identities during the onboarding process while ensuring the best user experience (UX) possible. Here’s what they do:
    • Data validation: As a first line of defense, a data validation solution that aggregates dozens of sources runs in the background to instantly verify:
      • The personal data users provide is accurate and authentic
      • The data is strongly associated and linked to the claimed identity
      • The user’s device and location are associated with the identity
      • The individual is not on a global sanctions watch list
    • Identity verification: Analyzes the user’s photo ID and selfie to verify:
      • The real-world identity exists
      • The selfie of the individual is a legitimate, live person
      • The user is the same person associated with the verified ID
      • The user’s government-issued ID is authentic and valid 
      • The ID is unaltered, matching dates with templates, fonts, holograms and dozens of other security features
    • Better together: Data validation and identity verification complement each other and work seamlessly together if natively built within the same platform along with orchestration and real-time fraud protection.
      • Strongest security: Identity verification determines if an individual and their ID are legitimate with the highest level of confidence 
      • Best UX: Data validation runs in the background and returns results in less than a second, adding zero friction to the user experience

Unless your organization is bound to KYC compliance, data validation alone may satisfy your risk tolerance with the majority of legitimate customers. In the event data validation returns mixed or negative results, you can invoke identity verification, giving the user a second chance to prove their identity.  

  1. Utilize real-time fraud prevention: End-to-end AO fraud protection should run in the background to assess all that’s happening throughout the enrollment process. Holistic anti-fraud solutions include:
    • Multiple detection methods: To ensure accurate detection, one solution should be able to examine hundreds of signals. Broad protection requires behavioral biometrics, device fingerprinting, bot detection, application and network evaluation, authentication analysis, transaction signing and more.
    • Continuous risk analysis: ML and AI can assess the full context of all activity in real time — across the AO process. Anomalies, even subtle deviations, should be weighed as part of a holistic, contextual analysis.
    • Immediate threat response: Proactively detect new, zero-day attack patterns with ML and AI that’s continually updated and tuned. 
  1. Orchestrate to consolidate: Orchestration pulls all capabilities together to unify protection against AO fraud and create seamless enrollment flows, providing:
    • Accurate risk scores: An orchestration engine aggregates and correlates data across AO capabilities, apps and channels to assess the full context of all risk signals and pinpoint suspicious activity.
       
    • Automated decisioning: When anomalies are detected, you need to respond instantly, adapting the AO journey in real time. In response to a high risk score, it can deny a user or challenge them with MFA or identity verification, for example. 
    • No-code journey builder: Drag-and-drop tools give you the flexibility and control to create secure and user-friendly AO journeys, making it easy to define when you need identity verification, data validation, MFA and more.
  1. Ensure smooth and easy enrollment: An inviting, seamless UX is essential to improving AO completion rates. Identity verification, in particular, benefits from simple graphic illustrations that optimize the step-by-step process. Be sure to also implement form auto-fill and phishing-resistant authentication. These and other low-friction tools augment layers of passive security, like data validation and real-time fraud prevention, to minimize the customer’s burden of proof. 



Account Opening with Transmit Security 

Transmit Security solves the full range of account opening challenges and delivers all 5 best practices in a single, unified AO platform. Made for enterprises with the most complex infrastructures in the world, our solution delivers the UX and IT simplicity and detection accuracy to stop AO fraud, ensure compliance and optimize enrollment rates.

In addition to the best practices outlined above, our end-to-end account opening solution offers a complete set of authentication methods, giving you the option to enroll users with passkeys, passwordless MFA, SMS OTPs, email magic links, social logins and passwords.

Our all-in-one solution ensures a seamless UX and a coordinated fraud defense while minimizing IT complexity and costs. Central identity management and a unified user store optimizes visibility and control across the entire account opening journey. We’ve even integrated conversational analytics, so much like ChatGPT that you can ask questions and get instant insights about your fraud detection data, end users and their security posture. 

Transmit Security makes it easy to simplify and secure every step of account opening. Explore our full AO platform or request a meeting so we can help you solve your toughest identity and fraud challenges. 

Transmit Security is the only vendor to provide a unified AO platform with a full set of native capabilities — designed to address the complete use case out of the box.

Learn More About Transmit Security