Holiday Fraud Is Just the Beginning: How Criminals Use Peak Season to Build Sleeper Accounts for Year-Round Abuse

Yes, criminal activity spikes during peak shopping season. But the most damaging fraud often doesn’t happen in November or December. It happens months later, after the holidays have passed and attention has shifted, using accounts that were created, compromised, or harvested during peak volume.

Fraudsters use the holidays to set up sleeper accounts and synthetic identities, and to harvest real customer accounts, then monetize them throughout the year. By the time most companies detect the fraud, those accounts have already matured, gained trust, and done real damage.

How active are criminals during the holidays? In the 62 days of November and December, myNetWatchman observed the following from live data sources:

• 5.7B unique credentials (username and password)

• 45.8M compromised credentials

• 16M compromised email accounts

• 3.7M payment/gift cards being tested

• Millions of new accounts created using compromised or synthetic data

Holidays are ideal for sleeper and synthetic account creation

The holiday season creates perfect cover for identity-based fraud because everything looks noisy:

• New account registrations surge to access discounts, shipping perks, and rewards

• Logins occur from unfamiliar locations and devices due to travel and gifting

• Customer service is overwhelmed with legitimate requests

• Promotional pressure reduces friction across onboarding and checkout

In that environment, fraudulent behavior blends in.

This matters because new account fraud is no longer a marginal issue. Losses tied to new account fraud now reach billions of dollars annually, driven largely by synthetic identities, fabricated profiles built using a mix of real and fake data. These accounts are designed to appear legitimate long enough to pass early controls, then “activate” later through fraud, abuse, or bust-out behavior.

Fraudsters know that account age equals trust. The holidays give them the scale and cover to create thousands of accounts that can quietly age into high-value assets.

The second holiday opportunity: harvesting real customer accounts

Alongside new account creation, the holidays are also prime time for account harvesting.

Shipping notifications, delivery issues, gift card emails, and promotion alerts create ideal phishing and credential-stuffing conditions. In many cases, the goal isn’t immediate fraud. Instead, criminals test credentials, confirm access, and store that account for later use.

These “harvested” accounts may sit dormant for weeks or months before being used, often during:

• Major sales events

• Product launches

• Or moments when the account has accumulated value or loyalty rewards

From a business’ perspective, the fraud appears suddenly. In reality, the compromise happened long before.

How sleeper and harvested accounts get monetized

Once activated, these accounts rarely serve just one purpose. They are reused across multiple fraud and abuse vectors:

• Fraudulent transactions and chargebacks using trusted accounts and saved payment methods

• Return and refund abuse, especially post-holiday when return volumes are already high

• Loyalty and rewards theft, draining stored value that often receives less scrutiny than payments

• Marketplace abuse, including fake buyers, seller reputation farming, or eventual bust-outs

The common thread is identity trust. These accounts succeed because they don’t look new, risky, or suspicious, until it’s too late.

Most organizations don’t see sleeper accounts until damage occurs

Fraud programs are optimized to detect loud events: chargeback spikes, refund abuse waves, bot attacks.

Sleeper accounts are different. They:

• Behave normally during early life stages

• Spread activity across time and channels

• Exploit organizational silos between identity, payments, loyalty, and marketplace teams

• Trigger controls only after trust has already been established

By the time action is taken, the account has often already been monetized across multiple surfaces.

What should your organization being doing now

Stopping sleeper and synthetic accounts requires shifting from transaction-only defenses to continuous identity risk assessment across the account lifecycle.

Start with stronger identity signals at account creation

Email addresses are one of the earliest and most persistent identifiers tied to an account and one of the most data rich, underutilized fraud signals.

Using email authentication and reputation intelligence at account creation helps identify:

• Newly created or disposable email domains

• Emails previously associated with fraud or abuse

• Reuse patterns across identities, devices, or transactions

• Automation-driven account creation behavior

This doesn’t mean blocking more customers. It means understanding risk earlier and applying friction only when signals justify it, preventing fraudulent identities from quietly aging into trusted accounts.

Re-evaluate trust when accounts evolve

Sleeper accounts rarely stay static. Risk increases when accounts:

• Change credentials or contact details

• Add new shipping addresses or payment methods

• Attempt high-value purchases, refunds, or redemptions

Re-checking email reputation and identity signals at these moments helps detect accounts that were once low risk but have since shifted, before abuse escalates.

In effective fraud programs, trust is not permanent. It is continuously re-earned.

Detect compromised credentials before takeovers turn into losses

Account takeovers are a common trigger for downstream fraud, but many defenses activate only after fraud occurs.

Credential intelligence solutions allow organizations to assess risk before approving sensitive account actions by identifying whether:

• Login credentials have appeared in known data breaches

• Passwords are actively circulating in criminal ecosystems

• Credentials are being reused across platforms

By evaluating credential exposure during logins, password changes, or account modifications, businesses can interrupt fraud at the takeover stage—rather than absorbing losses later through transactions, refunds, or loyalty theft.

The bigger picture: accounts are long-term fraud assets

Fraudsters don’t think in transactions. They think in accounts.

The holidays are not just a time of increased fraud, they are a setup phase. Accounts created or compromised during peak season often fuel fraud and abuse for the rest of the year.

Organizations that recognize this shift focus less on reacting to fraud spikes and more on exposing risky identities early, monitoring how trust evolves, and intervening before monetization occurs.

Because by the time fraud becomes obvious, the most important decisions were already missed.

myNetWatchman can help stop fraud before it ages

While fraudsters use the holiday chaos to plant seeds for year-round abuse, myNetWatchman’s Email Reputation service allows retailers to reclaim the advantage of time. By leveraging real-time criminal data, our solution exposes the "DNA" of an email address at the moment of entry. Whether it’s flagging a high-risk sleeper account during registration, identifying harvested credentials before they are stored, or preventing a high-value account takeover during a login shift, myNetWatchman provides the intelligence to act before monetization occurs. We offer a friction-free, zero-false-positive environment that doesn't just block bad actors, it ensures that trust is earned, verified, and maintained. Don’t let today’s peak season volume become tomorrow’s liability.

Want to learn more, let’s talk.