
Automated New Account Fraud: The Bot Battleground


It seems like a day doesn’t go by without interacting with a bot, be it a customer support chatbot or a personal digital assistant; they seem to be everywhere. Unfortunately, fraudsters are increasingly proficient at using bots for their own nefarious purposes, including account origination fraud, also known as new account fraud. For instance, there are specialized bots designed to automate online applications for credit cards, bank deposit accounts, insurance quotes and other products and services, often completing hundreds of applications in an instant.

What's the cost of new account fraud?

New account fraud resulted in $6.2 billion in losses in 2024, impacting millions of consumers, according to the Javelin Strategy & Research, 2025 Identity Fraud Study. Besides the direct financial risk of fraudulent new accounts, organizations also incur indirect costs, such as wasted marketing spend, resources for account underwriting and provisioning, hours spent investigating suspect accounts, and lost profits from account write-downs and closures.  

What’s a bot?

Bots are automated computer programs that make digital functions easier, faster and cheaper. These programs are designed to execute otherwise tedious, repetitive, computer-based tasks. It’s estimated that 42% of all internet activity is bot activity, with 65% of that traffic coming from malicious bots. The goals of bad bots range from financial gain to creating mischief, for instance stealing information to gain a competitive advantage. Stopping botnets or bot attacks isn’t necessarily a fraud problem; most organizations have cybersecurity teams that help protect their organizations’ systems. However, for bot attack protection, a layered approach is best, and fraud solutions can be key to guarding against fraudulent account activity.

How are bots used to automate fraud?

In the realm of fraud, bots are used to carry out a variety of illicit activities. Two of the most important types based on total negative impact for organizations are new account fraud, as already mentioned, and account takeover (ATO) fraud. For ATO, bots are used to gain unauthorized access to user accounts via stolen credentials (e.g., credential stuffing) or by exploiting weak authentication mechanisms. Once inside, the bots can steal funds, perform transactions, steal personal data (personally identifiable information or PII) or manipulate account details.

For new account fraud, bots automate human behavior in opening new accounts en masse. They use stolen and fabricated identities (synthetic identities) to provide enough information to successfully open accounts fraudsters will control. They also work to get far enough in the application process to have a credit check occur — starting a credit history for the fabricated identity — critical to the utility of a synthetic identity.

Bots can also be used to collect data without accessing existing accounts. They can perform reconnaissance: testing fraud prevention controls to gather information for use in future attacks (i.e., PII harvesting). In instances where consumers must fill out forms to get online quotes, organizations often use prefill applications to speed up transactions. Bots can be trained to discover prefill usage, collect PII and use it later in other fraud attacks.

Why are organizations vulnerable to bot attacks?

Bot attacks occur when fraudsters find ways to circumvent organizations’ first-level cybersecurity defenses. Fraud solutions can be used after the fact to distinguish real identities from fake identities, but these fraud solutions vary in their abilities to understand a real human with a verified identity vs. a non-human bot.

Organizations that suffer from bot attacks often share one or more of the following weaknesses in their fraud prevention strategies and capabilities:

  • Inability to detect fake identities: Recognizing fabricated identities, either based on some stolen elements or completely synthetic, is critical to stopping bot attacks since they often rely on false identities in new account opening fraud attempts.
  • Lack of sufficient and diverse signals: Understanding the true linkages between devices and personal identity is key to detecting bots and reducing fraud risk. Device reputation data, such as the email and device ID related to the device phone number, is important for detecting a compromised device. Real humans typically have longstanding behavior with these reputational attributes, which match well with other identity attributes (e.g., all are associated with the same household address).
  • Insufficient device history: It’s typical for companies to only store device history for six months. Knowing this practice, fraudsters direct bot networks to recycle device IDs six months after they were previously used. Without information from a device consortium with broad visibility to risky devices with years of history, organizations might be at greater risk once their device histories are purged.
  • Inability to recognize virtual environments: Bots use advanced evasion techniques like virtual environments and devices to launch high-scale attacks that leave no trace.
  • Lack of insights early in consumer journey: Often, companies make the mistake of believing because money has not yet changed hands, their risk is low. Consequently, they don’t focus on detecting risk early in the consumer journey when bots can be used to harvest data or complete reconnaissance.

How can organizations better defend against fraud bot attacks?

Implementing a layered fraud solution that combines identity, device and behavioral insights to help defend against automated new account fraud enables a better understanding of the risk associated with the consumer device used during an interaction or application. A fraud solution like TransUnion TruValidate™ Device Risk supports organizations in using better signals for smarter risk decisions during new account applications. In essence, it:

  • More fully understands the relationship between device and accounts: Device Risk leverages device history and confirmed fraud risk from the longest standing device consortium network of over 10 billion devices.
  • Leverages robust device history: TransUnion stores data about a device with negative reputation for up to five years and a device with a positive reputation for up to two years, enabling greater fraud coverage and capture compared to competitors.
  • Detects volume spikes: Provides a critical early warning indicator of unusual activity within an application to alert on potential bot activity.
  • Detects virtual environments and bots: Identifies virtual environments through browser data analysis, IP Reputation signals and advanced anomaly and evasion detection techniques. Most automated attacks originate from virtual devices, allowing fraudsters to perform malicious activities at scale and erase traces.
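
To make the device history point concrete, the following added example (not TransUnion code and not part of the original post) compares a six-month device store with one that keeps negative reputation for five years and positive reputation for two years, as described above. The class, the verdict labels and the sample device IDs and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Sighting:
    device_id: str
    seen_on: date
    confirmed_fraud: bool  # True = negative reputation, False = positive

class DeviceHistory:
    """Hypothetical device-reputation store with per-reputation retention windows."""

    def __init__(self, negative_days: int, positive_days: int):
        self.negative = timedelta(days=negative_days)
        self.positive = timedelta(days=positive_days)
        self.sightings: list[Sighting] = []

    def _retained(self, s: Sighting, today: date) -> bool:
        # A sighting is only visible while it is inside its retention window.
        window = self.negative if s.confirmed_fraud else self.positive
        return today - s.seen_on <= window

    def assess(self, device_id: str, today: date) -> str:
        hits = [s for s in self.sightings
                if s.device_id == device_id and self._retained(s, today)]
        if any(s.confirmed_fraud for s in hits):
            return "known_bad"
        return "known_good" if hits else "unknown"

# Constructed sample history (not real data).
SAMPLE = [
    Sighting("dev-A1", date(2024, 1, 10), True),   # fraud, ID reused just over six months later
    Sighting("dev-B2", date(2023, 3, 1), False),   # long-standing legitimate device
    Sighting("dev-C3", date(2021, 6, 1), True),    # fraud about three years ago
]

def compare(today: date) -> dict:
    """Assess each sample device under a six-month store and a 5y/2y store."""
    stores = {"six_month": DeviceHistory(183, 183),
              "five_two_year": DeviceHistory(5 * 365, 2 * 365)}
    for store in stores.values():
        store.sightings.extend(SAMPLE)
    return {name: {d: store.assess(d, today) for d in ("dev-A1", "dev-B2", "dev-C3")}
            for name, store in stores.items()}

if __name__ == "__main__":
    for name, verdicts in compare(date(2024, 7, 20)).items():
        print(name, verdicts)
```

With the six-month store, every device looks new on the assessment date, including the one with confirmed fraud; the longer windows keep both the fraud history and the legitimate device's standing.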

 

Better risk signals are key to stopping automated new account fraud

Suspected digital fraud represented 5.4% of all transactions in 2024, according to the TransUnion 2025 Omnichannel Fraud Report. Identity scams and data breaches continue to occur, and identity data is often weaponized by fraudsters to perpetrate new account and account takeover fraud. To combat this dangerous, damaging and costly trend, organizations need diverse signals early in the consumer onboarding process to effectively reduce fraud risk and protect consumers. 

 

Learn more about TruValidate Device Risk to help combat automated bot attacks.
