Account Fraud
TL;DR
- Account fraud = Fake or malicious accounts created on your platform
- Types: Bot signups, referral abuse, multi-accounting, fake reviews
- Creates infrastructure for future fraud and policy abuse
- Detect via: Device fingerprinting, email analysis, behavioral patterns
- Prevent with: CAPTCHA, email verification, phone verification, rate limiting
Fraudulent accounts created on your platform for abuse.
Definition
Account fraud occurs when someone creates fake or abusive accounts on your website or app. These accounts become infrastructure for other fraud types: promo abuse, refund fraud, fake reviews, and organized attacks.
Why Fake Accounts Matter
| They Enable | How |
|---|---|
| Promo abuse | New account = new discount |
| Referral fraud | Self-refer across accounts |
| Velocity evasion | Spread activity across accounts |
| Card testing | Disposable accounts for testing |
| Fake reviews | Boost or attack products |
| Resale fraud | Bulk buying limited items |
Common Patterns
Bot Signups
Automated account creation at scale:
- Hundreds of accounts in hours
- Similar registration patterns
- Disposable email domains
- Generic or random usernames
Referral Fraud
Gaming referral programs:
- Self-referral across accounts
- "Referral farms" with fake accounts
- Quick signup → claim reward → abandon
Multi-Accounting
One person, multiple identities:
- Evade account-level limits
- Stack promotions
- Bypass bans or restrictions
- Separate fraud activity from "real" account
Fake Review Fraud
Manufactured social proof:
- Paid review rings
- Competitor sabotage
- Boosting new products artificially
Detection Signals
Registration Red Flags
| Signal | Risk Level |
|---|---|
| Disposable email domain | High |
| Email pattern matches prior fraud | High |
| Device seen on multiple accounts | Critical |
| Registration form completed unusually fast (time to complete) | Medium |
| Phone number from VoIP provider | Medium |
| Similar usernames/passwords | High |
Email Analysis
| Pattern | What It Suggests |
|---|---|
| john+1@gmail.com, john+2@gmail.com | Multi-accounting (plus-addressing aliases of one inbox) |
| Random string @domain.com | Bot-generated |
| Domain age < 30 days | Recently created for fraud |
| Known disposable domain | Temporary account |
| Email has no history elsewhere (no prior online footprint) | Fabricated for this account |
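The patterns in the table above can be turned into a small signal pipeline: normalize each address so plus-addressing and dot variants collapse to one canonical inbox, then check the domain against a disposable list and the local part for machine-generated strings. The following is an added example, not code from the original page; the disposable-domain list, the dot-insensitive provider list and the randomness heuristic are constructed assumptions for illustration.

```python
import re

# Constructed sample lists for this example; production systems use maintained
# disposable-domain feeds and provider-specific normalization rules.
DISPOSABLE_DOMAINS = {"mailinator.com", "10minutemail.com", "tempmail.example"}

# Providers known to ignore dots in the local part. Assumption: "+tag"
# sub-addressing is stripped for every domain, since most providers honor it.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}

_DIGITS = re.compile(r"\d")
_VOWELS = set("aeiou")


def normalize_email(address: str) -> str:
    """Return the canonical inbox address so aliases collapse to one identity.

    john.doe+shop1@gmail.com and johndoe+shop2@gmail.com both become
    johndoe@gmail.com, which is what multi-accounting detection keys on.
    """
    local, _, domain = address.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]          # drop "+tag" sub-addressing
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")      # dots are ignored by these providers
    return f"{local}@{domain}"


def looks_random(local: str) -> bool:
    """Heuristic for machine-generated local parts such as x7q9zk2p.

    Flags strings of 8+ characters that contain three or more digits or have
    almost no vowels; real names and handles rarely do either.
    """
    if len(local) < 8:
        return False
    letters = [c for c in local if c.isalpha()]
    digit_count = len(_DIGITS.findall(local))
    vowel_ratio = (sum(c in _VOWELS for c in letters) / len(letters)) if letters else 0.0
    return digit_count >= 3 or vowel_ratio < 0.2


def email_signals(address: str, seen_canonical: set[str]) -> tuple[str, list[str]]:
    """Evaluate one registration email against the signals in the table.

    Returns (canonical_address, flags). seen_canonical holds the canonical
    addresses of accounts already on file.
    """
    canonical = normalize_email(address)
    local, _, domain = address.strip().lower().rpartition("@")
    flags = []
    if domain in DISPOSABLE_DOMAINS:
        flags.append("disposable_domain")
    if "+" in local:
        flags.append("plus_alias")
    if canonical in seen_canonical:
        flags.append("alias_of_existing_account")
    if looks_random(local.split("+", 1)[0]):
        flags.append("random_local_part")
    return canonical, flags


def scan_registrations(addresses: list[str]) -> list[tuple[str, list[str]]]:
    """Process signups in order, flagging later aliases of earlier inboxes."""
    seen: set[str] = set()
    results = []
    for addr in addresses:
        canonical, flags = email_signals(addr, seen)
        results.append((addr, flags))
        seen.add(canonical)
    return results


if __name__ == "__main__":
    # Constructed signup stream
    sample = ["john.doe@gmail.com", "johndoe+promo2@gmail.com",
              "x7q9zk2p@mailinator.com", "maria.lopez@example.org"]
    for addr, flags in scan_registrations(sample):
        print(f"{addr:30} {flags or 'clean'}")
```

The canonical address, not the raw one, is what should be stored and compared; otherwise every plus-alias looks like a new customer and the "new account = new discount" loop from the table above stays open.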
Device Signals
Device fingerprinting reveals:
- Same device across multiple accounts
- Emulator or automation tools
- VPN/proxy usage
- Device recently associated with fraud
Behavioral Indicators
| Behavior | Risk |
|---|---|
| No browsing before checkout | Scripted behavior |
| Immediate promo redemption | Promo farming |
| Referral link used instantly | Self-referral |
| Never returns after signup | Throwaway account |
| Review posted without purchase | Fake review ring |
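Each row of the behavior table is a question about an account's event timeline relative to its signup time. The example below, added here and not part of the original page, evaluates all five rows over a constructed set of per-account events; the thresholds (60 seconds for "immediate", one day for a return visit, one week before judging dormancy) are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    account: str
    kind: str    # signup, page_view, promo_redeem, referral_claim, checkout, review, login
    ts: float    # seconds; the constructed data below uses 0 = signup time


# Assumed thresholds for this example
INSTANT_S = 60                     # reward claimed within 60 s of signup = "instantly"
SESSION_S = 24 * 3600              # activity later than this after signup counts as a return
DORMANT_AFTER_S = 7 * 24 * 3600    # only judge "never returns" once the account is a week old

DAY = 24 * 3600
NOW = 30 * DAY

# Constructed event stream covering a normal shopper, a scripted promo farmer,
# a self-referrer and a review-ring account.
SAMPLE_EVENTS = [
    Event("good", "signup", 0), Event("good", "page_view", 120),
    Event("good", "page_view", 300), Event("good", "checkout", 900),
    Event("good", "login", 3 * DAY), Event("good", "login", 10 * DAY),
    Event("bot", "signup", 0), Event("bot", "promo_redeem", 20), Event("bot", "checkout", 45),
    Event("referral", "signup", 0), Event("referral", "referral_claim", 10),
    Event("referral", "page_view", 30),
    Event("reviewer", "signup", 0), Event("reviewer", "page_view", 100),
    Event("reviewer", "review", 200), Event("reviewer", "login", 5 * DAY),
]


def behavioral_flags(events, now):
    """Map each account to the behavior-table flags its timeline triggers."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e.account].append(e)

    flags = {}
    for acct, evs in by_account.items():
        evs.sort(key=lambda e: e.ts)
        kinds = [e.kind for e in evs]
        first_ts = {}
        for e in evs:
            first_ts.setdefault(e.kind, e.ts)   # earliest occurrence of each kind
        if "signup" not in first_ts:
            continue
        signup = first_ts["signup"]
        out = []

        # No browsing before checkout -> scripted behavior
        if "checkout" in first_ts and "page_view" not in kinds[:kinds.index("checkout")]:
            out.append("no_browsing_before_checkout")
        # Immediate promo redemption -> promo farming
        if "promo_redeem" in first_ts and first_ts["promo_redeem"] - signup <= INSTANT_S:
            out.append("immediate_promo_redemption")
        # Referral link used instantly -> self-referral
        if "referral_claim" in first_ts and first_ts["referral_claim"] - signup <= INSTANT_S:
            out.append("instant_referral_claim")
        # Review posted without purchase -> fake review ring
        if "review" in first_ts and "checkout" not in first_ts:
            out.append("review_without_purchase")
        # Never returns after signup -> throwaway account (judged only once old enough)
        last_activity = evs[-1].ts
        if now - signup >= DORMANT_AFTER_S and last_activity - signup <= SESSION_S:
            out.append("never_returned")

        flags[acct] = out
    return flags


if __name__ == "__main__":
    for acct, out in behavioral_flags(SAMPLE_EVENTS, NOW).items():
        print(f"{acct:10} {out or 'clean'}")
```

The dormancy check is deliberately gated on account age: a signup from an hour ago that has not "returned" yet is not evidence of anything, and scoring it would inflate false positives on every new customer.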
Prevention Strategies
At Registration
| Control | What It Stops |
|---|---|
| CAPTCHA | Bot signups |
| Email verification | Disposable emails |
| Phone verification | Multi-accounting |
| Rate limiting | Mass registration |
| Device fingerprinting | Repeat registrations |
Email Verification Best Practices
| Level | Method | Stops |
|---|---|---|
| Basic | Send confirmation link | Fake emails |
| Medium | Check domain reputation | Disposable domains |
| Strong | Email risk scoring | Fraud-associated emails |
Phone Verification
| Check | Why |
|---|---|
| SMS verification | Ties to real phone |
| VoIP detection | Block virtual numbers |
| Phone line type | Mobile vs. landline vs. VoIP |
| Phone velocity | Same number, many accounts |
Device Controls
| Control | What It Catches |
|---|---|
| Device fingerprinting | Same device, different accounts |
| Emulator detection | Automated fraud tools |
| VPN detection | Hidden location |
| Device reputation | Known fraud devices |
Account Linking
Connect related accounts using:
| Attribute | What It Links |
|---|---|
| Device fingerprint | Same device = same person |
| IP address | Same network (less reliable) |
| Payment method | Same card across accounts |
| Shipping address | Same destination |
| Behavioral patterns | Similar navigation, timing |
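Linking accounts by shared attributes is a connected-components problem: every account is a node, every shared device, card or shipping address is an edge, and the clusters that fall out are the networks the response playbook tells you to look for. The example below is added here and is not the page's own code; it uses a disjoint-set (union-find) over constructed sample accounts and, as the table notes that IP addresses are less reliable, reports IP matches only as hints rather than merging on them. That weak-attribute policy is an assumption for this example.

```python
from collections import defaultdict

# Attributes that reliably identify one person versus attributes that only
# suggest a link. Assumption for this example: a weak attribute alone never
# merges two accounts; it is reported as a hint for an analyst.
STRONG_ATTRIBUTES = ("device", "card", "ship_addr")
WEAK_ATTRIBUTES = ("ip",)

# Constructed sample accounts (documentation IP ranges, made-up identifiers)
ACCOUNTS = [
    {"id": "A1", "device": "dev-1", "card": "card-1", "ship_addr": "addr-1", "ip": "203.0.113.5"},
    {"id": "A2", "device": "dev-1", "card": "card-2", "ship_addr": "addr-2", "ip": "203.0.113.6"},
    {"id": "A3", "device": "dev-3", "card": "card-2", "ship_addr": "addr-3", "ip": "198.51.100.7"},
    {"id": "A4", "device": "dev-4", "card": "card-4", "ship_addr": "addr-4", "ip": "203.0.113.5"},
    {"id": "A5", "device": "dev-5", "card": None, "ship_addr": "addr-5", "ip": "198.51.100.9"},
]


class DisjointSet:
    """Union-find with path halving; enough for millions of accounts."""

    def __init__(self, items):
        self.parent = {i: i for i in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def _index(accounts, attr):
    """Group account ids by the value of one attribute, skipping missing values."""
    by_value = defaultdict(list)
    for acct in accounts:
        value = acct.get(attr)
        if value:
            by_value[value].append(acct["id"])
    return by_value


def link_accounts(accounts):
    """Return (clusters, strong_links, weak_hints).

    clusters: list of sorted account-id lists, one per connected component.
    strong_links: (a, b, attribute) edges that caused merges.
    weak_hints: (a, b, attribute) matches on weak attributes across clusters.
    """
    ds = DisjointSet(a["id"] for a in accounts)
    strong_links, weak_hints = [], []

    for attr in STRONG_ATTRIBUTES:
        for ids in _index(accounts, attr).values():
            for other in ids[1:]:
                ds.union(ids[0], other)
                strong_links.append((ids[0], other, attr))

    for attr in WEAK_ATTRIBUTES:
        for ids in _index(accounts, attr).values():
            for other in ids[1:]:
                if ds.find(ids[0]) != ds.find(other):
                    weak_hints.append((ids[0], other, attr))

    clusters = defaultdict(set)
    for acct in accounts:
        clusters[ds.find(acct["id"])].add(acct["id"])
    return [sorted(c) for c in clusters.values()], strong_links, weak_hints


def cluster_of(clusters, account_id):
    """Find the network a given account belongs to (singleton if unlinked)."""
    for c in clusters:
        if account_id in c:
            return c
    return [account_id]


if __name__ == "__main__":
    clusters, links, hints = link_accounts(ACCOUNTS)
    print("clusters:", clusters)
    print("strong links:", links)
    print("weak hints:", hints)
```

In the sample data A1 and A2 share a device and A2 and A3 share a card, so all three land in one cluster even though A1 and A3 have nothing directly in common; A4 shares only an IP with A1 and is surfaced as a hint, not merged. Blocking one account in a cluster without revoking benefits on the rest leaves the network intact.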
Response Playbook
Confirmed Fake Account
- Block the account – Prevent further activity
- Revoke benefits – Cancel promos, referral rewards
- Blacklist identifiers – Device, email, phone
- Check for linked accounts – Find the network
- Update rules – Close the registration gap
Mass Signup Attack
- Enable rate limiting – Slow the attack
- Add friction – CAPTCHA, phone verification
- Review recent signups – Find and remove fakes
- Block infrastructure – IPs, devices, email patterns
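The first two playbook steps, rate limiting and added friction, fit naturally into one control: a sliding-window counter on the signup endpoint that allows a few attempts, demands a CAPTCHA past a soft threshold, and rejects past a hard one. The example below is an added illustration, not the page's own code; the thresholds, the choice to key on both IP and device fingerprint, and the "stricter decision wins" rule are assumptions made for this example.

```python
import time
from collections import defaultdict, deque

SEVERITY = {"allow": 0, "captcha": 1, "block": 2}


class SignupRateLimiter:
    """Sliding-window attempt counter per key with two escalation thresholds.

    Assumed policy: more than captcha_after attempts in the window requires
    a CAPTCHA (friction); more than block_after attempts is rejected outright.
    Timestamps are injectable so the behavior can be tested deterministically.
    """

    def __init__(self, window_s=3600, captcha_after=3, block_after=10):
        self.window_s = window_s
        self.captcha_after = captcha_after
        self.block_after = block_after
        self._events = defaultdict(deque)

    def record_and_decide(self, key, now=None):
        now = time.time() if now is None else now
        q = self._events[key]
        while q and now - q[0] >= self.window_s:   # expire attempts outside the window
            q.popleft()
        q.append(now)
        n = len(q)
        if n > self.block_after:
            return "block"
        if n > self.captcha_after:
            return "captcha"
        return "allow"


def decide_signup(limiter, ip, device_id, now=None):
    """Combine per-IP and per-device decisions; the stricter one wins.

    Keying on both catches a single device rotating IPs through proxies as
    well as many devices behind one shared address.
    """
    decisions = [
        limiter.record_and_decide(f"ip:{ip}", now),
        limiter.record_and_decide(f"device:{device_id}", now),
    ]
    return max(decisions, key=SEVERITY.__getitem__)


def simulate_rotating_ip_attack():
    """Constructed scenario: one device fingerprint, a fresh IP per attempt.

    Returns the sequence of decisions for eight back-to-back attempts and a
    ninth attempt after the window has expired.
    """
    limiter = SignupRateLimiter(window_s=60, captcha_after=3, block_after=6)
    decisions = [
        decide_signup(limiter, f"198.51.100.{i}", "dev-abc", now=float(i))
        for i in range(8)
    ]
    decisions.append(decide_signup(limiter, "198.51.100.99", "dev-abc", now=100.0))
    return decisions


if __name__ == "__main__":
    print(simulate_rotating_ip_attack())
```

Because every attempt in the simulation comes from a new IP, a limiter keyed on IP alone would never fire; the device key is what escalates the burst from allow to captcha to block, and the final attempt is allowed again only because the whole window has elapsed. In production the device key should be the fingerprint the page's Device Controls section describes, and the in-memory deque would be replaced by shared storage so all signup workers see the same counts.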
Prevention Checklist
- CAPTCHA on registration
- Email verification required
- Disposable email domains blocked
- Device fingerprinting enabled
- Rate limiting on signup endpoints
- Phone verification for high-value actions
- VoIP/virtual number detection
- Account linking across devices
- Promo redemption limits per device
Next Steps
Preventing fake accounts?
- Add device fingerprinting – Catch repeat registrations
- Implement email verification – Block disposables
- Set up rate limiting – Stop mass signups
Detecting fake accounts?
- Check registration signals – Score risk at signup
- Analyze email patterns – Catch multi-accounting
- Link accounts – Find networks
Responding to fake accounts?
- Follow response playbook – Block and revoke
- Find linked accounts – Catch the full network
- Update prevention – Close gaps
Related Topics
- Promo Abuse – What fake accounts enable
- Fraud Rings – Organized multi-accounting
- Device Fingerprinting – Linking accounts by device
- Velocity Rules – Detecting signup patterns
- Card Testing – Often uses fake accounts
- Refund Fraud – Another fake account use case
- Account Takeover – When real accounts are hijacked
- Risk Scoring – Scoring at registration