Security Tips
Oct 1, 2024
How to detect and prevent fake account creation?
Effective strategies to identify fraudulent accounts and protect your business from bots and scammers.
One in five account openings online are fake. Companies in the finance, e-commerce, travel, gaming or social media industries are victims of massive fake account creation, driven by bots and fraudsters.
The scale can be enormous. In 2019 alone, Facebook removed over 2 billion fake accounts, and LinkedIn blocked or removed 21.6 million fake accounts in just six months. On e-commerce platforms like Amazon and Walmart, it's estimated that one-third of product reviews are fake, many coming from fraudulent accounts.
Why do these fake accounts exist? And how can businesses detect them and prevent them from being created in the first place?
How does fake account creation work?
As companies focus on user growth, they tend to make their registration process lighter and lighter, with simple forms requiring just the name and email, and sometimes a phone number. This increases their conversion rate, but also their likelihood of attracting fake accounts.
Account registration fraud happens when fraudsters leverage the vulnerabilities of a website or app registration form. It’s mainly bot-driven, with automatic scripts using fake or stolen information to look like genuine users.
The automation of fake account creation has reached a fairly advanced stage, with bots incorporating wait times to mimic human behavior and the marketing of ‘bots as a service’ that can be hired to create hundreds of fake accounts for you.
The creation of fake accounts can also be man-made, whether it's someone trying to get a second free trial or fraud farms, with low-paid workers creating fake accounts all day long.
Why would someone create a fake account?
There are surprisingly many ways to monetize a fake account (especially if you have thousands of them). Here are just a few examples:
Free trial and subscription abuse: Many subscription-based services, like streaming platforms, fitness apps, and gaming companies, offer free trials to attract users. Fraudsters take advantage of this by creating or reselling fake accounts, allowing them to repeatedly exploit these offers.
Fake product reviews: A prevalent issue for marketplaces and e-commerce platforms, fake accounts are often used to post exaggerated positive or negative reviews to manipulate product rankings. A quick Google search for "buy product reviews" reveals just how widespread and thriving this fraudulent market is.
Click and engagement fraud: Fraudsters can be paid to generate fake clicks or fake engagement, whether it's for a company looking to squeeze its competitors' advertising budgets by clicking on all their ads, or for an aspiring influencer buying likes and comments on their posts.
Money laundering: From gig economy platforms and cryptocurrency exchanges to gaming rewards, fraudsters require a large number of fake accounts to launder money through various online channels.
Selling fake products: Fake accounts on e-commerce platforms can be used to sell non-existing, stolen or poor quality products (like dropshipped products labelled as handmade or AI-generated books).
Phishing and scamming: Up to 10% of profiles on dating apps are fake, mainly used for phishing attempts. These fake profiles aim to trick users into sharing personal information or falling for other fraudulent schemes.
Some industries are more targeted than others, like:
Banking and finance: to facilitate money laundering, fraudulent transactions, and identity theft.
Social media and dating platforms: used for scams, phishing, and artificially boosting engagement.
E-commerce: to manipulate reviews, exploit promotions, and sell counterfeit goods.
Education: to access online content or commit financial aid fraud.
Gaming: to cheat, farm rewards, and engage in credit card fraud.
We could list many other ways these accounts can be monetized, like manipulating public opinion on social media or cheating in online games. And sometimes people create fake accounts just for the pleasure of trolling online users.
What is the impact of fake accounts?
Financial losses
Fake account creation can have a profound financial impact on businesses, primarily through direct losses. Fraudsters exploit free trials and promotional offers using fake accounts, leading to significant operational expenses for services that never reach genuine customers.
But companies also lose money on resources like server capacity, bandwidth, and staff time needed to support these fake users.
Faked analytics
Fake accounts also compromise the accuracy of key business metrics that are crucial for decision-making. With inflated user numbers, businesses are often misled into believing they are growing faster than they truly are. This can prompt premature scaling of infrastructure, which leads to unnecessary investments in areas like technology and staffing.
Beyond this, fake accounts can distort engagement data by producing inflated clicks, views, or interactions, making it difficult to assess how real customers interact with the business.
Analytics and A/B testing, used to fine-tune customer experiences and optimize marketing strategies, also become unreliable when fake accounts skew results.
Wasted marketing budget
Fake accounts can get included in audience targeting algorithms, which means marketing campaigns are directed at non-existent users. This dilutes the effectiveness of ads and results in poor return on investment.
Reputational damage
If a platform is known for being overrun with fake profiles, customers may begin to question the legitimacy of its service or user base. No one wants to chat with a bot or a catfish.
For e-commerce companies, fake accounts leaving fraudulent product reviews can undermine trust in the marketplace, eroding consumer confidence in both the business and its vendors.
Customer support costs
Support staff must deal with increased inquiries related to fraudulent activities, whether it’s addressing complaints about scams, processing refunds for fraudulent transactions, or managing issues stemming from fake reviews.
The time spent on these tasks diverts attention from supporting legitimate customers, which not only strains resources but can also diminish the quality of service for real users. Over time, this increased workload can contribute to a decline in overall customer satisfaction, further damaging the business’s reputation.
How to spot fake accounts?
Detecting fake accounts is delicate, as there is no one-size-fits-all approach. It requires monitoring for unusual patterns and behaviors that distinguish fraudulent users from legitimate ones.
You can usually look for these red flags:
Unusual activity patterns: Fake accounts often show irregular engagement, such as a high volume of actions in a short time that would be impossible to perform manually.
Incomplete or generic profiles: Generic profile pictures, usernames, or email addresses that seem automated or random, like "paul1234" (sorry if that’s really your username).
IP address anomalies: A large number of accounts created from the same IP address or region within a short timeframe (especially if you don’t usually operate in that region) can be a red flag.
Surge in sign-ups: Fake accounts are often generated en masse. So before you pop the champagne to celebrate all those new users, double-check that they look like legitimate users.
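The red flags above can be checked mechanically over a sign-up log. The following is an added example, not code from the original article or from Prelude; the thresholds, the username pattern, and the sample records are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for illustration; tune them on your own traffic.
IP_BURST_MAX = 3                          # more than this many sign-ups per IP...
IP_BURST_WINDOW = timedelta(minutes=10)   # ...inside this window is flagged
SURGE_FACTOR = 3.0                        # hourly volume vs. the usual baseline
GENERIC_NAME = re.compile(r"^[a-z]+\d{3,}$")  # letters + digit run, e.g. paul1234

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed sample records: (timestamp, source IP, username).
# The IPs come from the RFC 5737 documentation ranges.
SIGNUPS = [
    (_ts("2024-10-01 09:02:11"), "198.51.100.7", "marie.durand"),
    (_ts("2024-10-01 09:40:03"), "198.51.100.23", "paul1234"),
    (_ts("2024-10-01 14:00:01"), "203.0.113.50", "user48213"),
    (_ts("2024-10-01 14:00:04"), "203.0.113.50", "user48214"),
    (_ts("2024-10-01 14:00:09"), "203.0.113.50", "user48215"),
    (_ts("2024-10-01 14:00:15"), "203.0.113.50", "user48216"),
    (_ts("2024-10-01 14:31:40"), "198.51.100.90", "k.tanaka"),
]

def bursty_ips(records):
    """IPs with more than IP_BURST_MAX sign-ups inside any IP_BURST_WINDOW."""
    by_ip = defaultdict(list)
    for ts, ip, _ in records:
        by_ip[ip].append(ts)
    flagged = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it spans at most the window.
            while ts - stamps[start] > IP_BURST_WINDOW:
                start += 1
            if end - start + 1 > IP_BURST_MAX:
                flagged.add(ip)
                break
    return flagged

def surge_hours(records, baseline_per_hour):
    """Hours whose sign-up count exceeds SURGE_FACTOR times the usual rate."""
    per_hour = Counter(ts.replace(minute=0, second=0) for ts, _, _ in records)
    return {h for h, n in per_hour.items() if n > SURGE_FACTOR * baseline_per_hour}

def score_signups(records, baseline_per_hour=1.0):
    """Return {username: [red flags]} for every record that trips a flag."""
    ips, hours = bursty_ips(records), surge_hours(records, baseline_per_hour)
    report = {}
    for ts, ip, name in records:
        flags = []
        if ip in ips:
            flags.append("ip_burst")
        if GENERIC_NAME.match(name):
            flags.append("generic_username")
        if ts.replace(minute=0, second=0) in hours:
            flags.append("signup_surge")
        if flags:
            report[name] = flags
    return report

if __name__ == "__main__":
    for user, flags in score_signups(SIGNUPS).items():
        print(f"{user}: {', '.join(flags)}")
```

In the sample data, k.tanaka is flagged only for signing up during the surge hour, which is why a single signal should feed review or step-up verification rather than an automatic block.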
How to prevent fake account creation in the first place?
Spotting fake accounts is all very well, but you know what's even better? Stopping them before they're even created! Here are a few tips to help you do just that:
Implement CAPTCHA
CAPTCHAs can be a handy first layer to block bots during the sign-up process, but they're not foolproof. Bots are increasingly capable of bypassing CAPTCHAs using techniques like optical character recognition (OCR) to solve the challenges automatically.
In fact, CAPTCHA-solving services are readily available online at surprisingly low costs, making them less effective as a standalone defense. Plus let’s be honest, I’ve never met another human who liked a CAPTCHA field.
Honeypot fields
These are invisible form fields that legitimate users won't see or interact with, but bots often will. When an automated system fills in these hidden fields, it triggers an alert, allowing you to identify and block the bot before it completes the sign-up process. This technique is seamless for real users and highly effective at catching automated attempts.
Limit Account Creation
Set a limit on how frequently users can create accounts from the same device, email domain, or phone number. This prevents scammers from mass-producing accounts with minor tweaks to data. You could also restrict the number of accounts that can be created from a single IP address within a given timeframe. But be careful, as this might result in false positives depending on your business.
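A server-side sketch of the honeypot check and the per-identifier limits described in the two sections above. This is an added example, not code from the original article or from Prelude; the field name `website`, the form keys, the limit values, and the exempted mail domains are assumptions, and the sample attempts are constructed.

```python
import time
from collections import defaultdict, deque

# Hypothetical honeypot field name. In the form, hide it with CSS and set
# autocomplete="off" so browsers and password managers do not fill it in.
HONEYPOT_FIELD = "website"
# Assumed limits: (max accepted sign-ups, window in seconds) per identifier.
LIMITS = {"ip": (3, 3600), "device": (2, 86400),
          "email_domain": (20, 3600), "phone": (1, 86400)}
# Shared consumer mail domains would hit a per-domain cap with normal traffic
# (a false positive), so this sketch exempts them.
PUBLIC_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}

class SignupGate:
    def __init__(self, limits=LIMITS, clock=time.time):
        self.limits, self.clock = limits, clock
        self.seen = defaultdict(deque)  # (kind, value) -> accepted timestamps

    def _keys(self, form, ip):
        """Normalize identifiers so minor tweaks map to the same key."""
        keys = [("ip", ip)]
        if form.get("device_id"):
            keys.append(("device", form["device_id"]))
        domain = form.get("email", "").rpartition("@")[2].strip().lower()
        if domain and domain not in PUBLIC_DOMAINS:
            keys.append(("email_domain", domain))
        phone = "".join(c for c in form.get("phone", "") if c.isdigit())
        if phone:
            keys.append(("phone", phone))
        return keys

    def check(self, form, ip):
        """Return (allowed, reason); only accepted sign-ups are counted."""
        if form.get(HONEYPOT_FIELD, "").strip():
            return False, "honeypot_filled"
        now = self.clock()
        keys = self._keys(form, ip)
        for kind, value in keys:
            limit, window = self.limits[kind]
            q = self.seen[(kind, value)]
            while q and now - q[0] >= window:   # drop entries outside window
                q.popleft()
            if len(q) >= limit:
                return False, f"limit_{kind}"
        for key in keys:
            self.seen[key].append(now)
        return True, "ok"

def demo():
    """Run constructed sign-up attempts through the gate with a fake clock."""
    t = [0.0]
    gate = SignupGate(clock=lambda: t[0])
    attempts = [
        ({"email": "a@example.org", "phone": "+1 202-555-0143"}, "198.51.100.7"),
        # Same phone number, reformatted, from another IP.
        ({"email": "b@example.org", "phone": "+1 (202) 555 0143"}, "198.51.100.8"),
        # Hidden field filled in, as an automated form filler would do.
        ({"email": "c@example.net", "website": "http://spam.example"}, "203.0.113.9"),
    ]
    results = []
    for form, ip in attempts:
        results.append(gate.check(form, ip)[1])
        t[0] += 5
    return results

if __name__ == "__main__":
    print(demo())
```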
Phone number verification
Phone verification is probably the easiest way to implement fake account prevention, as it can be implemented with an API in less than a day. Users usually have only one phone number, scammers don't like revealing theirs, and it's a great way to also prevent users from creating multiple accounts.
Phone number verification works by sending a one-time password (OTP) by SMS or an online messaging channel like WhatsApp. By using a solution designed to limit fraud, such as Prelude, you are guaranteed to have a secure and authentic user base.
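The server-side logic behind an OTP check, including the one-account-per-number rule that makes it useful against fake accounts, looks roughly like this. It is an added example, not Prelude's API or code from the original article; the class, the `send_sms` callback, the TTL and the attempt cap are assumptions, and phone numbers are assumed to arrive already normalized.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL = 300      # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 3   # wrong guesses allowed before the code is burned (assumed)

class PhoneVerifier:
    def __init__(self, send_sms, clock=time.time):
        # send_sms(phone, text) stands in for your SMS/WhatsApp provider call.
        self.send_sms, self.clock = send_sms, clock
        self.key = secrets.token_bytes(32)  # key for hashing codes at rest
        self.pending = {}    # phone -> [code_mac, expires_at, attempts_left]
        self.verified = {}   # phone -> account id (one account per number)

    def _mac(self, phone, code):
        msg = f"{phone}:{code}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def start(self, phone):
        """Issue a fresh code unless the number already backs an account."""
        if phone in self.verified:
            return "phone_already_used"
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, six digits
        self.pending[phone] = [self._mac(phone, code),
                               self.clock() + OTP_TTL, MAX_ATTEMPTS]
        self.send_sms(phone, f"Your verification code is {code}")
        return "sent"

    def confirm(self, phone, code, account_id):
        """Check a submitted code: expiry, attempt cap, constant-time compare."""
        entry = self.pending.get(phone)
        if entry is None:
            return "no_pending_code"
        mac, expires_at, attempts_left = entry
        if self.clock() > expires_at:
            del self.pending[phone]
            return "expired"
        if not hmac.compare_digest(mac, self._mac(phone, code)):
            entry[2] = attempts_left - 1
            if entry[2] <= 0:
                del self.pending[phone]   # stop brute force of the 10^6 space
                return "too_many_attempts"
            return "wrong_code"
        del self.pending[phone]           # codes are single use
        self.verified[phone] = account_id
        return "verified"

if __name__ == "__main__":
    outbox = []  # constructed stand-in for the SMS channel
    v = PhoneVerifier(lambda phone, text: outbox.append((phone, text)))
    print(v.start("+12025550143"))
    code = outbox[-1][1][-6:]
    print(v.confirm("+12025550143", code, "acct-1"))
    print(v.start("+12025550143"))   # second account on the same number
```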
Multi-Factor Authentication (MFA)
To go one step further, you can introduce MFA during the account creation process to authenticate users through multiple steps, such as a password and a one-time code sent to a verified device, making it harder for bots to create accounts.
Case Study: How Prelude helped Cubzh prevent fake accounts on its gaming platform
Cubzh is a gaming platform that blends the creative freedom of Minecraft with the community-driven spirit of Roblox. Unlike its competitors, Cubzh prioritizes the quality of its user base over its quantity.
A standout feature of the platform is the Makers’ Marketplace, where users can earn in-game currency by creating successful games and get rewarded for their contributions. Players can also earn it through consistent engagement, with daily logins and new creations being rewarded.
However, Cubzh faced challenges with cheaters and malicious users creating fake accounts and bots, threatening its community-first approach. Some users exploited the freemium model by creating multiple accounts to maximize their in-game earnings.
Handling these issues internally drained time and resources that could have been better spent enhancing the platform. To tackle this, Cubzh implemented Prelude’s advanced verification tools, which became crucial in their fight against fake accounts.
Now, all new users must verify their identity by providing a phone number (or a parent's number for users under 13). Prelude’s SMS verification API ensures that each account is legitimate, allowing Cubzh to:
Protect younger players and reassure parents
Maintain a high-quality, authentic community
Prevent abuse of the freemium system by stopping users from creating multiple accounts
“The Prelude API is really easy to use, we were able to implement the solution in less than a day. Since then, we've seen a real improvement in the quality of our user base and in our user’s churn rate”, Adrien Duermael, CEO of Cubzh
How to prevent fake account creation with phone verification?
Getting started is straightforward. With Prelude’s API, you can be up and running in just three steps, all outlined in our Quickstart guide. The entire process can be completed in under a day, making it quick and hassle-free.
Get the SDK: We provide SDKs for many popular languages to make your life easier, such as Node, Go, Python, Ruby, Java, PHP or C#.
Initialize the SDK by pasting the snippet available in our quickstart guide.
Send and verify a code: call the authentication endpoint with your phone number to receive a code by SMS and verify it.
And that’s it—you’ve successfully implemented SMS verification! From here, you can run tests to ensure the integration works smoothly, add fraud signals for enhanced protection, and connect your webhook to receive real-time notifications when an OTP is sent or billed.
So if you want to mitigate fake accounts on your platform, you can start for free with Prelude or talk to our sales team!