ipasis
Blog/Fraud Prevention

How Fraudsters Create Fake Accounts (And How to Stop Them)

March 9, 20268 min read

Fake account creation is a billion-dollar fraud industry. From credential stuffing to referral abuse to account takeovers, fraudsters have industrialized the process of creating thousands of fake identities.

Understanding how they operate is the first step to stopping them. In this post, we'll reverse-engineer the fake account creation pipeline and show you how to defend against it.

The Scale of the Problem

Fake accounts aren't created manually. They're generated at industrial scale:

  • Credential stuffing: Billions of stolen username/password combos tested across sites
  • Referral fraud: Fake accounts claiming bonuses (Uber, Airbnb, crypto airdrops)
  • Review manipulation: Fake Amazon/Yelp accounts posting fake reviews
  • Social media bots: Inflating follower counts or spreading misinformation
  • SaaS trial abuse: Repeatedly claiming free tier benefits

A single fraudster can create 10,000+ accounts per day using automation tools.

Anatomy of Fake Account Creation: The Fraudster's Toolkit

Creating fake accounts at scale requires three components:

1. Disposable Email Services

Email verification is the most common anti-fraud check—so fraudsters bypass it with:

  • Temporary inboxes: tempmail.com, guerrillamail.com, 10minutemail.net (free, no signup required)
  • Email aliasing: Gmail's "+" trick (user+123@gmail.com) or catch-all domains
  • Burner email APIs: Services that generate thousands of emails programmatically
  • Hacked email accounts: Compromised accounts used to verify signups

These services receive verification emails automatically, allowing bots to confirm accounts without human intervention.

2. Residential Proxies and VPNs

Most platforms detect datacenter IPs (AWS, Google Cloud) as suspicious. Fraudsters counter with:

  • Residential proxy networks: Rent real home IP addresses (Bright Data, Smartproxy) to appear as legitimate users
  • Mobile proxies: 4G/5G IPs that rotate frequently
  • VPN services: NordVPN, ExpressVPN exit nodes spread across countries
  • SOCKS5 proxies: Cheap, disposable IPs bought in bulk

Residential proxies are particularly dangerous—they look exactly like real users to basic IP checks.

3. Automation Frameworks

Fraudsters use headless browsers and automation tools to mimic human behavior:

  • Puppeteer/Playwright: Headless Chrome controlled by scripts
  • Selenium: Browser automation framework
  • Anti-detect browsers: Tools that spoof fingerprints (FingerprintJS, Multilogin)
  • CAPTCHA solving services: 2Captcha, AntiCaptcha (human workers solve CAPTCHAs for $1-3 per 1000)

These tools can fill forms, click buttons, and navigate pages—making bot traffic nearly indistinguishable from humans.

Step-by-Step: How Fraudsters Create 1,000 Fake Accounts

Step 1: Acquire Resources

  • Buy 1,000 residential proxy IPs ($50-100)
  • Subscribe to a disposable email API ($20/month for unlimited addresses)
  • Set up Puppeteer script with anti-detection plugins

Step 2: Automate Signup Flow

// Simplified fraudster script (Puppeteer + residential proxies)
import puppeteer from 'puppeteer-extra';
import StealthPlugin from 'puppeteer-extra-plugin-stealth';
import { getDisposableEmail, checkInbox } from 'temp-email-api';
import { getProxy } from 'residential-proxy-service';

puppeteer.use(StealthPlugin()); // Evade bot detection

async function createFakeAccount() {
  const proxy = await getProxy(); // Get residential IP
  const email = await getDisposableEmail(); // Generate temp email
  
  const browser = await puppeteer.launch({
    args: [`--proxy-server=${proxy}`],
    headless: true
  });
  
  const page = await browser.newPage();
  await page.goto('https://target-platform.com/signup');
  
  // Fill signup form with randomized data
  await page.type('#email', email);
  await page.type('#username', generateRandomUsername());
  await page.type('#password', generateStrongPassword());
  
  // Mimic human behavior (random delays, mouse movements)
  await page.mouse.move(100, 200);
  await page.waitForTimeout(Math.random() * 2000 + 1000);
  
  await page.click('#submit-button');
  
  // Wait for verification email
  await page.waitForTimeout(5000);
  const verificationLink = await checkInbox(email);
  
  // Verify account
  await page.goto(verificationLink);
  
  await browser.close();
  console.log(`Account created: ${email}`);
}

// Run 1,000 times in parallel
for (let i = 0; i < 1000; i++) {
  createFakeAccount();
}

Step 3: Verify Accounts

The script monitors disposable inboxes for verification emails and clicks confirmation links automatically.

Step 4: Exploit the Platform

Once accounts are verified, fraudsters use them for:

  • Claiming referral bonuses (cash out or resell accounts)
  • Scraping data (product prices, user profiles)
  • Spamming (posting fake reviews, sending phishing messages)
  • Credential stuffing (testing stolen passwords on other sites)

Why Traditional Defenses Fail

Fraudsters have adapted to bypass most common protections:

DefenseHow Fraudsters Bypass It
Email verificationDisposable email APIs auto-fetch verification links
CAPTCHASolving services (2Captcha) for $1-3 per 1,000
IP blockingResidential proxies appear as real users
Browser fingerprintingAnti-detect browsers spoof fingerprints
Rate limitingRotate IPs and distribute requests over time

The key insight: No single signal is enough. You need layered detection.

How to Detect Fake Accounts: Multi-Signal Approach

Signal #1: Email Intelligence

Go beyond syntax validation. Check:

  • Disposable domain lists: Maintain updated blocklists (or use an API like IPASIS)
  • Email age: New domains are often throwaway
  • Sender reputation: Domains with high bounce rates
  • Pattern matching: Sequential emails (user1@, user2@, user3@)

Signal #2: Advanced IP Analysis

Residential proxies are hard to detect, but not impossible:

  • Proxy/VPN detection: Use specialized databases (IPASIS, IP2Proxy)
  • Connection type: Datacenter vs. residential vs. mobile
  • Geo-mismatch: IP location doesn't match claimed location
  • Behavioral velocity: Same IP creating multiple accounts in minutes

Signal #3: Behavioral Analysis

Even sophisticated bots leave traces:

  • Typing speed: Bots fill forms instantly or at perfect intervals
  • Mouse movements: Straight lines or no cursor activity
  • Session depth: Real users browse; bots go straight to signup
  • Time on page: Spending <2 seconds on signup form is suspicious

Signal #4: Device Fingerprinting

Track unique device signatures:

  • Canvas/WebGL fingerprints: Unique rendering patterns
  • Installed fonts: Unusual font lists = automation tools
  • Browser inconsistencies: Claimed browser doesn't match capabilities
  • Hardware specs: Headless browsers report unusual CPU/GPU

Implementation: Multi-Layered Fraud Detection

Here's how to combine signals for maximum accuracy:

// Server-side fraud detection
async function evaluateSignupRisk(email, ip, fingerprint, behaviorData) {
  // Check email + IP with IPASIS
  const ipasisResponse = await fetch('https://api.ipasis.com/check', {
    method: 'POST',
    headers: {
      'Authorization': `Bearer ${process.env.IPASIS_API_KEY}`,
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({ email, ip })
  });
  
  const ipasis = await ipasisResponse.json();
  
  // Calculate risk score (0-100, lower = riskier)
  let riskScore = ipasis.trust_score;
  
  // Deduct points for red flags
  if (ipasis.email?.disposable) riskScore -= 30;
  if (ipasis.datacenter) riskScore -= 20;
  if (ipasis.vpn || ipasis.proxy) riskScore -= 15;
  if (ipasis.tor) riskScore -= 25;
  
  // Behavioral signals
  if (behaviorData.formFillTime < 2000) riskScore -= 20; // Too fast
  if (behaviorData.mouseMovements < 5) riskScore -= 15; // No human movement
  if (!behaviorData.referrer) riskScore -= 10; // Direct POST
  
  // Device fingerprint signals
  if (fingerprint.headlessBrowser) riskScore -= 25;
  if (fingerprint.duplicateFingerprint) riskScore -= 20; // Seen before
  
  // Velocity check: same IP creating multiple accounts
  const recentSignups = await countRecentSignups(ip, '1 hour');
  if (recentSignups > 3) riskScore -= 20;
  
  return {
    riskScore: Math.max(0, riskScore),
    signals: {
      disposableEmail: ipasis.email?.disposable,
      datacenterIP: ipasis.datacenter,
      vpnDetected: ipasis.vpn || ipasis.proxy,
      suspiciousBehavior: behaviorData.formFillTime < 2000,
      headlessBrowser: fingerprint.headlessBrowser,
      highVelocity: recentSignups > 3
    },
    action: riskScore < 40 ? 'BLOCK' : riskScore < 70 ? 'CHALLENGE' : 'ALLOW'
  };
}

Responding to Different Risk Levels

  • Low risk (70-100): Allow instantly
  • Medium risk (40-69): Require email verification + CAPTCHA
  • High risk (<40): Block or manual review queue

Post-Signup Monitoring

Even if an account gets through, continue monitoring:

  • Activation rate: Does the user actually use the account?
  • API abuse: Immediate high-volume requests
  • Referral patterns: Referring other suspicious accounts
  • Session anomalies: Logging in from 10 countries in 1 hour

Flagged accounts can be rate-limited, required to re-verify, or suspended.

The Arms Race: Staying Ahead

Fraudsters constantly evolve their techniques. To stay ahead:

  • Update detection rules monthly: New proxy services emerge, disposable email domains change
  • Monitor false positive rate: If >5%, you're blocking real users
  • Analyze blocked accounts: What patterns do they share?
  • Share threat intel: Coordinate with other platforms to identify fraud rings

Case Study: Stopping a Referral Fraud Attack

A fintech app offered $10 for each referral. Fraudsters created 5,000 fake accounts in 24 hours to claim $50,000.

How they did it:

  • Residential proxies to appear legitimate
  • Disposable email APIs for verification
  • Anti-detect browsers to evade fingerprinting

How the platform stopped it:

  • Implemented IPASIS email + IP validation
  • Flagged accounts created within minutes of each other from similar IPs
  • Required ID verification for referral payouts >$50
  • Recovered $47,000 before fraudsters cashed out

Best Practices for Fraud Prevention

  • Layer multiple signals: Email + IP + behavior + device fingerprint
  • Use specialized APIs: IPASIS detects disposable emails and proxy IPs in <20ms
  • Apply progressive friction: Don't block aggressively—challenge medium-risk users
  • Monitor post-signup behavior: Catch accounts that slip through initial checks
  • Update blocklists regularly: Fraudsters rotate infrastructure constantly
  • Require verification for high-value actions: Payouts, purchases, data exports

The Future of Fake Account Detection

As AI-powered automation improves, fake accounts will become harder to detect. The future of fraud prevention includes:

  • Behavioral biometrics: Unique typing rhythms and mouse patterns
  • Graph analysis: Detecting fraud rings by account relationships
  • Device reputation: Tracking devices across platforms
  • Real-time ML models: Learning from fraud patterns as they emerge

But the fundamentals remain: validate identity signals early, apply friction intelligently, and monitor continuously.

Detect fake accounts before they cause damage.

IPASIS provides real-time email + IP intelligence. Stop fraud in <20ms.

View PricingAPI Documentation