Key takeaways:
- Compromised passwords, frequently harvested via infostealer malware or third-party breaches, pose a critical threat by allowing criminals to bypass traditional fraud controls using legitimate user data.
- If left unchecked, these stolen credentials lead to severe business impacts, including fraudulent account creations, drained customer funds, costly chargebacks, and increased manual review overhead.
- Security teams should immediately integrate underground data intelligence APIs at high-risk touchpoints—such as account enrollment and checkout—to flag suspicious anomalies and trigger step-up authentication.
- To prevent future compromises and account takeovers, organizations must proactively monitor for password reuse and malware exposures to force credential resets before automated attacks occur.
pandemic shutdowns, businesses need confidence that the users interacting with their websites are legitimate. Given the constantly-shifting nature of criminal activity, even the most sophisticated fraud prevention programs struggle to separate good users from bad actors, particularly when criminals use stolen data to sidestep traditional fraud prevention measures.
Today, we’re expanding SpyCloud’s offerings with a new solution to help enterprises prevent criminals from using stolen data to create false identities and get away with fraud. SpyCloud Identity Risk Engine is a fraud prevention tool that draws on data from the criminal underground to assess user risk – something no other solution on the market can offer. It can be layered into an existing control framework to help fraud teams make more accurate decisions, enabling them to prevent more fraud and let more good business through uninterrupted.
Identity Risk Engine delivers actionable analytics that help organizations:
- Predict fraud tied to malware – Detect when consumers have had their personal data stolen by malware, putting them at elevated risk of fraud
- Detect synthetic identities – Spot irregularities in a user’s information suggesting that the identity has been stolen or created using persona data available to criminals
- Anticipate account takeover – Identify warning signs that consumers are at high risk of account takeover, such as high rates of password reuse across their accounts
Check out our video to learn more about how Identity Risk Engine helps enterprises stop hard-to-detect fraud.
How SpyCloud Identity Risk Engine can strengthen your fraud control framework
SpyCloud Identity Risk Engine can help enterprises make more confident fraud decisions for a variety of different scenarios. Here are just a few examples.
Scenario #1: A surge of new account enrollments come in. How can you tell which ones are legitimate?
A common challenge we’ve heard from customers since the onset of the pandemic is understanding how to handle an influx of new account signups. While many of the new enrollments come from real users expanding the services they use online, many also come from cybercriminals. The problem is significant: new account creation continues to be a primary attack vector, representing the highest-risk digital touchpoint for businesses, according to LexisNexis.
Fraudulent account creations are often difficult to detect because criminals enroll using legitimate data stolen from real users, typically combined into synthetic identities. The firehose of new registrations exacerbates the challenge of weeding out bad actors without slowing down the enrollment process for legitimate new users.
Identity Risk Engine helps enterprises detect risky account creations by flagging when a new user’s information includes anomalies that suggest the identity has been stolen or constructed. Enterprises can call the API during the account creation process to support other identity verification processes such as Know Your Consumer (KYC). In addition to a score indicating the user’s risk level, Identity Risk Engine also returns reason codes that explain why the account has been flagged as suspicious.
Scenario #2: A customer transacts via guest checkout. Should you let the purchase go through?
Guest checkout reduces friction for casual shoppers, but can provide limited information to support fraud decisions. Without an account to provide historical information, it can be difficult to determine how to proceed with the transaction. Fraud prevention controls can help, but typically offer limited protection if a bad actor has recycled stolen data that belongs to real users.
Identity Risk Engine takes some of the guesswork out of evaluating guest checkout transactions by enriching the data available to your fraud team with insights drawn from recaptured underground data. With the risk score and reason codes SpyCloud delivers, you can make a confident decision about whether to let the order go through, prompt the user for additional identity verification, or reject the transaction.
Using recaptured underground data to assess fraud risk can help you not only reduce fraud, but also reduce manual review rates.
Scenario #3: Some of your customers unknowingly use devices infected with malware. How can you prevent criminals from using their data for fraud?
It’s a silent threat: a user logs in with their usual browser, location, and credentials, or perhaps even a stored cookie. No alarms are raised and nothing seems amiss – until weeks later, when the real account holder issues a chargeback or reports other fraudulent activity. After the fact, the fraud team may or may not discover that the reason the fraudulent transaction slipped past their defenses was because the original user’s data had been siphoned by malware and was used to steal their accounts and identity.
Data collected by credential-stealing malware makes it easier for criminals to bypass anti-fraud measures. Each consumer whose data has been collected by malware is at significant risk of account takeover, identity theft, and other forms of online fraud.
Unlike any product on the market, Identity Risk Engine can identify high-risk users ahead of time, helping to prevent fraud losses tied to malware infections. By identifying that criminals have access to customers’ browser fingerprints, exact credentials, and sensitive information, you can proactively flag their account or take action before ATO and fraud can occur.
Scenario #4: An existing account holder logs in and changes their address. Did they move, or was their account taken over?
Account takeover represents a huge problem for enterprises, and a lucrative opportunity for criminals. In 2024, SpyCloud recaptured 548 million credentials exfiltrated via infostealer malware, according to SpyCloud’s 2025 Identity Exposure Report. Criminals test these passwords against online accounts, which they use to drain funds, steal loyalty points, make fraudulent purchases, resell, and monetize in any other way they can think of.
For years, SpyCloud has been a leader in account takeover prevention because we enable enterprises to detect and reset compromised credentials – but with the addition of Identity Risk Engine, fraud teams can enrich their risk models with enough new information to tailor the customer journey based on individual user risk. Understanding users’ exposure on the criminal underground can not only help enterprises take action to protect vulnerable accounts, but also avoid unnecessary friction for customers who are at exceptionally low risk.
Exposure type, severity, and timing can all influence the user’s risk. For example, if a user’s password has appeared in a combolist, it means their credentials are circulating widely in a format that’s easy for unsophisticated criminals to use in automated attacks. Their account is likely to be hit with credential stuffing attacks. In contrast, a user whose credentials have recently appeared in a fresh third-party breach is at higher risk of targeted account takeover attacks, which can include creative, manual efforts by an attacker.
In either case, the user’s own password history is a critical factor. If the user has a high rate of password reuse across their other exposed logins (including passwords associated with their other email addresses), there’s a good chance those attacks will be successful at some point. It may be valuable to take an additional step to verify that the user is legitimate and not a threat actor, such as triggering multi-factor authentication or making them re-enter their stored credit card number. On the other hand, strong password hygiene across other accounts means that criminals most likely don’t have the tools to steal this user’s account. In this case, you can let the user proceed with their account update without disrupting the customer journey.
How it works
It can serve as a complement to your existing solutions, with the flexibility to be layered into a customer journey at high risk points of your choice (account creation, transaction, etc.).
Learn how SpyCloud Identity Risk Engine can help limit fraud and customer friction
FAQs
Bypass fraud occurs when criminals use stolen legitimate user data—such as credentials, browser fingerprints, or personal information—to circumvent traditional fraud prevention controls and appear as authentic users during account creation or transactions.
The four P’s of fraud are Pretend, Problem, Pressure, and Pay—a framework that describes how scammers impersonate trusted entities, create urgent problems, apply pressure to act quickly, and demand payment or sensitive information.
Organizations can reduce friction by using underground data intelligence to assess individual user risk levels, allowing low-risk customers to proceed without additional verification while triggering step-up authentication only for high-risk accounts flagged by malware exposure or credential compromise.
High password reuse rates across multiple exposed accounts combined with credential appearances in combolists or recent data breaches indicate elevated risk, as criminals can easily leverage these credentials in automated credential stuffing or targeted account takeover attacks.