Yes, criminal activity spikes during peak shopping season. But the most damaging fraud often doesn’t happen in November or December. It happens months later — after the holidays have passed and attention has shifted — using accounts that were created, compromised, or harvested during peak volume.
Fraudsters don’t treat the holidays as a sprint. They treat them as account setup season.
In the 62 days of November and December, myNetWatchman observed the following from live data sources:
- 5.7B unique credentials (username and password)
- 45.8M compromised credentials
- 16M compromised email accounts
- 3.7M payment/gift cards being tested
- Millions of new accounts created using compromised or synthetic data
Why the Holidays Are Ideal for Sleeper Account Creation
The holiday season creates perfect cover for identity-based fraud because everything looks noisy: new account registrations surge to access discounts and rewards, logins occur from unfamiliar locations due to travel and gifting, customer service is overwhelmed with legitimate requests, and promotional pressure reduces friction across onboarding and checkout. In that environment, fraudulent behavior blends in.
New account fraud losses now reach billions of dollars annually, driven largely by synthetic identities — fabricated profiles built using a mix of real and fake data. These accounts are designed to appear legitimate long enough to pass early controls, then “activate” later through fraud, abuse, or bust-out behavior. Fraudsters know that account age equals trust. The holidays give them scale and cover to create thousands of accounts that quietly age into high-value assets.
The Second Opportunity: Harvesting Real Customer Accounts
Alongside new account creation, the holidays are prime time for account harvesting. Shipping notifications, delivery issues, gift card emails, and promotion alerts create ideal phishing and credential-stuffing conditions. In many cases, the goal isn’t immediate fraud — criminals test credentials, confirm access, and store accounts for later use.
These “harvested” accounts may sit dormant for weeks or months before being used, often during major sales events, product launches, or moments when the account has accumulated loyalty rewards. From a business perspective, the fraud appears suddenly. In reality, the compromise happened long before.
How Sleeper Accounts Get Monetized
Once activated, these accounts rarely serve just one purpose:
- Fraudulent transactions and chargebacks using trusted accounts and saved payment methods
- Return and refund abuse, especially post-holiday when return volumes are already high
- Loyalty and rewards theft, draining stored value that often receives less scrutiny than payments
- Marketplace abuse, including fake buyers, seller reputation farming, or eventual bust-outs
The common thread is identity trust. These accounts succeed because they don’t look new, risky, or suspicious — until it’s too late.
What to Do Now
Stopping sleeper and synthetic accounts requires shifting from transaction-only defenses to continuous identity risk assessment across the account lifecycle.
Start with stronger identity signals at account creation. Email addresses are one of the earliest and most persistent identifiers — and one of the most data-rich, underutilized fraud signals. Using email authentication and reputation intelligence at account creation helps identify newly created or disposable email domains, emails previously associated with fraud, reuse patterns across identities, and automation-driven account creation behavior.
Re-evaluate trust when accounts evolve. Sleeper accounts rarely stay static. Risk increases when accounts change credentials, add new shipping addresses or payment methods, or attempt high-value purchases, refunds, or redemptions. Re-checking email reputation at these moments helps detect accounts that were once low-risk but have since shifted.
Detect compromised credentials before takeovers turn into losses. Credential intelligence allows organizations to assess risk before approving sensitive account actions — identifying whether login credentials have appeared in known data breaches, whether passwords are actively circulating in criminal ecosystems, and whether credentials are being reused across platforms.
Fraudsters don’t think in transactions. They think in accounts. The holidays are not just a time of increased fraud — they are a setup phase. Organizations that recognize this shift focus less on reacting to fraud spikes and more on exposing risky identities early, monitoring how trust evolves, and intervening before monetization occurs. Because by the time fraud becomes obvious, the most important decisions were already missed.
The mechanics of how email became the digital economy’s most consequential vulnerability, the case studies that should have changed everything, and what a continuous intelligence approach actually looks like — all documented in “The Lying Gatekeeper,” a special report from myNetWatchman.
Read the Full Report →