Apple just opened iPhone 17 pre-orders, and history has shown that fraudsters treat new-phone hype and holiday volume as their favorite cover.
Sleeper Accounts: Set for Attack
One common tactic used by fraud groups is to set up accounts well in advance of an attack. These accounts — sometimes called “sleeper” or “dormant” accounts — are used to hit companies at scale and avoid the scrutiny of guest checkouts. Fraudsters typically create new accounts using synthetic identities or compromise existing accounts.
In some cases, fraudsters have pre-positioned tens of thousands of accounts for the holidays alone. When you add in the hype of a new iPhone, the stage is set for a season of attacks. After weeks or months of lying low, these accounts are then activated by criminals to purchase upgrades, device financing, add-a-line promotions, or execute SIM swaps and port-outs.
Why this matters for mobile carriers: the Communications Fraud Control Association (CFCA) reports 1 in 9 telecom applications are believed to be fraudulent, and subscription/application fraud dominates telco fraud cases. Once a sleeper slips through, detection gets harder because the identity has “aged” and looks trustworthy.
What the Numbers Say
The telecom industry’s fraud pain is well documented. The CFCA estimates $38.95B in telecom fraud losses in 2023 (about 2.5% of global telecom revenue). Subscription/application and handset-related schemes are repeatedly cited among the top drivers — exactly the channels sleepers exploit when high-demand devices land.
How Sleepers Behave
Age the account: Clear KYC/IDV, low-risk behavior, on-time micro-payments to build trust and credit limits.
Change-then-spike: Recent contact or address changes, then a sudden upgrade/financing basket, add-a-line, or number port.
Cross-linking tells: Shared delivery addresses, devices, IPs/subnets, or emails across “unrelated” accounts — hallmarks of organized crime rings.
How to Spot Them
How quickly can you spot a compromised or synthetic account? Real-time credential intelligence identifies “sleeper” accounts as they activate, giving you the earliest possible heads-up to fraud. This means detection and remediation for hijacked accounts, right when it matters most:
- At account opening — validate the email is real, not synthetic or compromised
- At login with 2FA/MFA — reassess risk before granting access
- During password reset — prevent attackers from resetting credentials on hijacked accounts
- Before large transactions — verify the actual account owner is in control
And it’s not just customer accounts. Fraud can come from several directions — Email Reputation is applicable for customers, employees, vendors, partners, suppliers, consultants, and contractors.
The mechanics of how email became the digital economy’s most consequential vulnerability, the case studies that should have changed everything, and what a continuous intelligence approach actually looks like — all documented in “The Lying Gatekeeper,” a special report from myNetWatchman.
Read the Full Report →