Common Types of Identity Fraud

According to the Federal Trade Commission’s (FTC) 2024 report, US consumers lost more than $12.5 billion to fraud, much of it tied to identity information that attackers can easily steal, fake, or reuse.

Although the FTC report focuses on consumers, the underlying fraud mechanisms affect businesses just as much. Every day, organizations deal with identity-related risks during routine operations like account registration, payouts, refunds, dispute handling, and account recovery. For attackers, these everyday processes often present opportunities.

In this guide, we’ll walk through five common types of identity fraud that frequently appear in online systems. For each type, we’ll look at a real-world example and share practical identity verification strategies that can help organizations reduce the risk of repeated losses.

Account takeover

Account takeover (ATO) happens when someone gains unauthorized access to a legitimate user account and uses it for fraud or abuse.

A common technique behind these attacks is credential stuffing. Fraudsters obtain large lists of stolen usernames and passwords—often from previous data breaches—and automatically test them against login pages. Because many people reuse passwords across multiple services, some of those credentials inevitably work.

Automation makes this process extremely efficient, while password reuse keeps it profitable.

A real-world example

In 2023, 23andMe disclosed that attackers had used credential stuffing to access a portion of customer accounts. After logging in, they were able to obtain additional data through the platform’s DNA Relatives feature, which connects users with genetic relatives.

According to TechCrunch, the incident ultimately exposed information connected to 6.9 million users through this secondary access path.

The consequences extended beyond reputational damage. In June 2025, the UK Information Commissioner’s Office fined 23andMe £2.31 million for failing to implement adequate security measures to protect UK users’ personal data.

Why account takeover is such a challenge

One reason account takeover is difficult to detect is that the login often appears legitimate. If the correct password is used, systems that rely only on credentials may struggle to distinguish a real user from an attacker.

Fraudsters also tend to act strategically. They may wait quietly until the right moment to carry out actions such as:

• Changing payout or withdrawal details
• Exporting sensitive data
• Draining stored balances

In business environments, the consequences can escalate quickly. A compromised account might expose billing records, internal contacts, or financial information, which attackers can then use for further scams such as payment redirection or targeted phishing.

What can help prevent account takeover

Organizations can reduce the risk of account takeover by strengthening authentication and monitoring sensitive actions.

Effective measures include:

• Implementing multi-factor authentication (MFA)
• Offering phishing-resistant login methods such as passkeys or security keys
• Treating account changes—like email, phone number, or payout updates—as high-risk events
• Strengthening account recovery processes
• Adding temporary transaction holds after password resets, device changes, or payout updates

These steps make it significantly harder for attackers to move from a stolen password to full control of an account.

SIM swap fraud

SIM swap fraud occurs when a criminal convinces a mobile carrier to transfer a victim’s phone number to a SIM card controlled by the attacker. Once the number is transferred—or “ported”—the attacker can intercept SMS verification codes and phone-based account recovery messages.

Because many services still rely on phone numbers for authentication, gaining control of a number can effectively unlock access to email, financial accounts, and social platforms.

A real-world example

A high-profile example occurred in 2024, when attackers compromised the SEC’s @SECGov account on X (formerly Twitter).

According to a US Justice Department statement, conspirators carried out a SIM swap on the phone number linked to the SEC’s social media account. After gaining control of the number, they were able to intercept verification codes and access the account.

Once inside, they published a fraudulent post about Bitcoin ETFs, which immediately caused confusion across the cryptocurrency market.

Prosecutors said the attacker obtained a replacement SIM by presenting false information at an AT&T store, then purchased a phone nearby to receive the verification code and provide access to co-conspirators.

Why SIM swap fraud is dangerous

SIM swap fraud can quickly undermine phone-based security systems.

If a platform relies on SMS codes for login or account recovery, gaining control of a phone number may allow an attacker to bypass security checks entirely.

The problem is compounded by the fact that the initial breach often happens outside the organization’s control, at a mobile carrier’s store or support center.

SIM swap attacks also frequently appear alongside other tactics, such as phishing or stolen personal data.

What can help reduce the risk

Organizations can mitigate SIM swap risks by reducing their reliance on phone numbers as the primary authentication factor.

Some effective measures include:

• Requiring stronger authentication for high-risk actions such as account recovery or payout changes
• Treating phone number changes or new SIM signals as potential risk events
• Offering phishing-resistant sign-in methods like passkeys or authenticator apps
• Requiring identity verification for sensitive recovery requests

Bonus abuse

Bonus abuse occurs when someone repeatedly claims sign-up rewards, referral bonuses, free trials, or promotional credits despite not being a legitimate new customer.

A typical method behind these schemes is multi-accounting. A single individual creates numerous accounts using different identity details and redeems the same promotion multiple times.

A real-world example

In February 2026, the US Attorney’s Office for the District of Connecticut announced a 45-count indictment against two individuals accused of running a large bonus abuse scheme.

According to prosecutors, the defendants used personal data from roughly 3,000 identity theft victims to open accounts on platforms such as FanDuel and other online gambling services. They then exploited promotional bonuses and credits while routing profits through stored-value cards and financial accounts they controlled.

Authorities estimate the scheme generated around $3 million in profits.

Why bonus abuse is difficult to detect

Unlike large fraud incidents, bonus abuse often happens through many small transactions that blend into normal platform activity.

Fraudsters also take advantage of referral systems. When referral bonuses carry monetary value, attackers may recruit others or rotate identities to claim rewards repeatedly.

In regulated sectors such as gaming, betting, and fintech, the problem can also become a compliance issue, since many regulations require one account per user.

What can help prevent bonus abuse

Several safeguards can reduce the risk of promotion abuse:

• Linking promotional rewards to identity verification before withdrawal
• Enforcing “one user, one account” policies using document and biometric verification
• Requiring identity checks before referral rewards become withdrawable
• Treating payout destination changes as high-risk events that trigger additional verification

Refund fraud

Refund fraud involves manipulating return or refund processes to obtain money while keeping the product or service.

In e-commerce, this may involve claims such as:

• “Item not received” despite confirmed delivery
• Returning an empty box
• Reporting false product damage

In digital services, refund fraud often appears as unauthorized transaction claims filed after the service has already been used.

A real-world example

In December 2025, the Minnesota Star Tribune reported that major retailers were losing millions to organized refund fraud rings.

One such operation, known as “Noir Luxury Refunds,” allegedly operated from Egypt with participants in the United States. A Minnesota man connected to the scheme was expected to plead guilty.

According to a US Department of Justice release, customers paid a fee to the group, which then used social engineering tactics to convince retailers’ customer support teams to issue refunds.

The group also manipulated shipping labels so retailers believed returned products had been received—even when they had not.

Why refund fraud is difficult to stop

Refund fraud often targets customer service teams, which are typically trained to prioritize speed and customer satisfaction.

Once a fraud ring develops a successful tactic for one retailer, it can easily adapt the approach to other companies and even sell it as a service.

At the same time, organizations must balance fraud prevention with maintaining a positive customer experience.

What can help reduce refund fraud

Effective strategies include:

• Re-verifying identity for high-value refunds or repeat claims
• Requiring stronger verification for exceptions such as refunds without returns
• Monitoring customer support interactions for suspicious patterns
• Validating shipping events and detecting tracking anomalies

Chargeback fraud

Chargeback fraud, sometimes called friendly fraud, occurs when a customer disputes a legitimate transaction in order to reverse the payment.

In some cases, the buyer acts intentionally. In others, confusion over subscription renewals or billing descriptors may trigger the dispute.

Regardless of the intent, the result is often the same: the merchant loses the sale, the product, and additional dispute fees.

A real-world example

In late 2025, Australian broadcaster ABC News reported that small business owners were losing thousands of dollars to chargebacks.

One entrepreneur described selling two baby bags online. Although she had proof of delivery, the buyer disputed the transaction and the chargeback was approved. Later, she discovered the same bags listed for resale on Facebook by the buyer.

What began as a routine order ultimately resulted in lost merchandise, lost revenue, and additional dispute fees.

Why chargeback fraud is challenging

Card dispute systems often favor the cardholder, even when merchants provide evidence.

Each dispute also requires time and resources to manage, and high dispute ratios can trigger penalties from payment providers, including increased monitoring or higher processing risk.

What can help prevent chargebacks

Businesses can reduce chargeback risks by focusing on prevention:

• Using clear billing descriptors so customers recognize transactions
• Sending subscription renewal reminders and trial-ending notices
• Applying step-up verification to high-risk orders
• Keeping detailed evidence linking the buyer to the purchase
• Using early dispute alerts to resolve issues before they become formal chargebacks

How to prevent identity fraud

Despite their differences, many types of identity fraud follow the same pattern: attackers look for moments where identity is accepted with minimal verification and then repeat the exploit at scale.

The countermeasures often overlap as well. Strong verification during onboarding, step-up checks for risky actions, and better identity signals throughout the customer lifecycle can significantly reduce fraud risks.

By strengthening identity verification at critical moments, businesses can significantly reduce the opportunities attackers rely on—and better protect both their users and their platforms.