Sleeper Accounts Are Waking Up, Right on Cue for iPhone 17 Pre-Orders & Holidays
- Don Bush
- Sep 17
Apple just opened iPhone 17 pre-orders (stores launch September 19), and history has shown that fraudsters treat new-phone hype and holiday volume as their favorite cover.
Sleeper Accounts Are Set for Attack
One common tactic used by fraud groups is to set up accounts well in advance of an attack. These accounts, sometimes called "sleeper" or "dormant" accounts, are used to hit companies at scale and avoid the scrutiny of guest checkouts. Experian describes this as new or hijacked accounts that behave normally until a rapid cash-out. Fraudsters typically create new accounts using synthetic identities or compromise existing accounts.
In some cases, fraudsters have pre-positioned tens of thousands of accounts for the holidays alone. When you add in the hype of a new iPhone, the stage is set for a season of attacks. After weeks or months of lying low, these accounts are then activated by criminals to purchase upgrades, device financing, add-a-line promotions, or execute SIM swaps and port-outs.
Why this matters for mobile carriers: the new-account step is already the riskiest stage in digital onboarding. The Communications Fraud Control Association (CFCA) reports that 1 in 9 telecom applications are believed to be fraudulent and that subscription/application fraud dominates telco fraud cases. Once a sleeper slips through, detection gets harder because the identity has “aged” and looks trustworthy.
What the numbers say (and don’t)
The telecom industry’s fraud pain is well documented even if “sleeper accounts” aren’t broken out as a standalone line item. The CFCA estimates $38.95B in telecom fraud losses in 2023 (about 2.5% of global telecom revenue). Subscription/application and handset-related schemes are repeatedly cited among the top drivers, exactly the channels sleepers exploit when high-demand devices land.
Bottom line: sleeper accounts deserve carrier attention, especially during iPhone launches and the seasonal spike in orders.
How sleepers behave
Age the account: Clear KYC/IDV, low-risk behavior, on-time micro-payments to build trust/limits.
Change-then-spike: Recent contact or address changes, then a sudden upgrade/financing basket, add-a-line, or number port.
Cross-linking tells: Shared delivery addresses, devices, IPs/subnets, or emails across “unrelated” accounts, hallmarks of organized crime rings.
All of these patterns are consistent with dormant/ATO and subscription-fraud lifecycles.
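The change-then-spike and cross-linking patterns above can be expressed as simple rules over account events. The following is an added example, not myNetWatchman's method or code from this post; the event names, field names, thresholds and sample records are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta
RISKY = {"upgrade", "device_financing", "add_a_line", "port_out"}
CHANGES = {"address_change", "contact_change"}
LINK_KEYS = {"ship_to", "device", "ip"}  # attributes compared across accounts

# Constructed sample events: (account, ISO date, event type, attributes).
EVENTS = [
    ("A", "2025-03-02", "signup", {"ip": "198.51.100.7"}),
    ("A", "2025-09-10", "address_change", {"ship_to": "12 Elm St"}),
    ("A", "2025-09-12", "device_financing", {"ship_to": "12 Elm St", "device": "d1"}),
    ("B", "2025-04-11", "signup", {"ip": "198.51.100.7"}),
    ("B", "2025-09-11", "contact_change", {}),
    ("B", "2025-09-13", "add_a_line", {"ship_to": "12 Elm St", "device": "d1"}),
    ("C", "2025-01-20", "signup", {"ip": "203.0.113.9"}),
    ("C", "2025-09-12", "upgrade", {"ship_to": "40 Oak Ave", "device": "d7"}),
    ("D", "2025-09-01", "signup", {"ip": "192.0.2.44"}),
    ("D", "2025-09-02", "address_change", {"ship_to": "9 Pine Rd"}),
    ("D", "2025-09-03", "upgrade", {"ship_to": "9 Pine Rd", "device": "d9"}),
]

def change_then_spike(events, min_age_days=90, window_days=7):
    """Aged accounts whose risky order follows a profile change within window_days."""
    signup, last_change, hits = {}, {}, set()
    for acct, day, kind, _ in sorted(events, key=lambda e: e[1]):
        d = date.fromisoformat(day)
        if kind == "signup":
            signup[acct] = d
        elif kind in CHANGES:
            last_change[acct] = d
        elif kind in RISKY and acct in last_change and acct in signup:
            aged = d - signup[acct] >= timedelta(days=min_age_days)
            if aged and d - last_change[acct] <= timedelta(days=window_days):
                hits.add(acct)
    return hits

def cross_links(events, min_accounts=2):
    """Map (attribute, value) -> accounts sharing it, kept when shared widely enough."""
    seen = defaultdict(set)
    for acct, _, _, attrs in events:
        for key in attrs.keys() & LINK_KEYS:
            seen[(key, attrs[key])].add(acct)
    return {k: v for k, v in seen.items() if len(v) >= min_accounts}

def sleeper_candidates(events):
    """Accounts that show change-then-spike and are also linked to another account."""
    linked = set().union(*cross_links(events).values())
    return sorted(change_then_spike(events) & linked)
```

Account C (risky order with no preceding change) and account D (change-then-order on a two-day-old account) are not flagged by the aging rule, which shows how each threshold shapes what gets reviewed.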
myNetWatchman spots synthetic and compromised accounts before they can monetize
How quickly can you spot a compromised or synthetic/fake account? At myNetWatchman, we identify "sleeper" accounts in real time, giving you the earliest possible heads-up on fraud. We're constantly sifting through attack traffic and monitoring criminal activity as it happens. This means you get the best detection and remediation for hijacked accounts, right when it matters most.
Here's how we do it:
Our Email Reputation service is a low-cost, easy-to-use API that companies use to determine whether an email address really works, was created for fraud (it's fake), or belongs to an email account that criminals have compromised and are actively using.
Stop Fraud Before it Starts: Check the validity of an email account, anytime. Companies use Email Reputation to enhance user experience and optimize costs to authenticate and verify users as part of KYC, security, and fraud prevention.
At account opening
At login with 2FA/MFA
During password reset
User verification before large transaction
Not Just Customer Accounts: Since fraud can come at you from several directions, Email Reputation is applicable to all users with emails: customers, employees, vendors, partners, suppliers, consultants and contractors.
We're always gathering data, from live sources to the darknet. Then, our own intelligence and analysis kick in, pulling out the most relevant details—raw data, comparisons, velocities, and key features. All this incredibly accurate and actionable data is deployed in real-time, ensuring a smooth and secure experience for you. Want to learn more? Check us out at myNetWatchman.com.



