New Account Takeover

New account takeover sits at the intersection of identity theft and platform fraud. The attacker creates a duplicate account on a service you already use — an airline loyalty programme, a retailer, a subscription service, or a financial platform — using your name and enough personal details to pass the platform's verification process. Because many platforms lack robust duplicate-identity detection, the fraudster's new account can coexist with yours temporarily, or in some cases the platform's system merges the two or replaces the genuine one.

Once the fraudulent account is established, the criminal can request password resets to your email address (which they may also control), transfer loyalty points or store credit to themselves, change the delivery address for pending orders, or use saved payment methods if the platform allows account-level billing.

This type of fraud is particularly damaging on platforms where rewards or credits hold significant monetary value — frequent-flyer programmes, hotel points, gaming platforms, and retail wallets have all been targeted. The harm is not always immediately visible on a credit report, making discovery slower.

The attacker begins with personal data obtained from a breach or phishing campaign: full name, email address, phone number, and date of birth are usually sufficient. They register a new account on the target platform using this data, sometimes using a slightly modified email (for example, adding a dot or number) to avoid a duplicate-email block.

Next they contact the platform's customer support, claiming the 'real' account (yours) was compromised and requesting a merge or transfer. Alternatively, they use the new account to trigger 'I forgot my email' flows, feeding in enough of your personal details to convince a customer service agent to hand over account access or transfer balances.

Some attackers do not bother with customer service at all. If the platform allows social sign-in, they create the fraudulent account via a different auth provider and then link it to your email, effectively inserting themselves into your login chain. By the time you notice, rewards may be redeemed and payment details changed.

Platforms invest heavily in protecting existing accounts from password-based takeover, but many have weaker controls around account creation because they do not want to create friction for genuine new users. Customer service agents, trained to help frustrated customers, may be socially engineered into merging accounts or transferring value before verifying identity thoroughly. Loyalty programmes in particular have historically treated fraud as a low-priority customer experience issue rather than a security one.

Welcome to [Platform], [Your Name]! Your account has been created. If this was not you, contact [Support Email].

Your [Airline] Frequent Flyer account email has been updated to [New Email]. If you did not make this change, call [Fraud Line] immediately.

You have redeemed [Points] from your [Hotel Programme] account for a stay at [Property]. Enjoy your stay!

Hi [Your Name], a new sign-in method has been added to your [Retailer] account. If this was not you, secure your account now.

[Gaming Platform]: your in-game wallet balance has been transferred to account [ID]. Contact support if you did not authorise this.

Log in to all platforms where you hold an account and check your profile settings for unrecognised email addresses, phone numbers, or social sign-in connections. Enable all available security notifications so you are alerted to any changes. If a platform allows you to view active sessions or linked devices, review these periodically. Use a unique email address for high-value loyalty accounts so that a breach of your primary email does not expose all registrations.