How to Prevent Fake Signups
on Your Platform

Fake signups are a silent killer for growth-stage platforms. They inflate user metrics, waste server resources, skew product analytics, and—if you're paying for email sends or SMS verification—directly hit your bottom line.

The worst part? Most fake accounts never activate, making them pure cost with zero upside. Here's how to identify and prevent them.

The Real Cost of Fake Signups

Fake accounts aren't just a vanity metric problem. They cause tangible damage:

1. Skewed Metrics

Your signup numbers look great, but conversion rates plummet. This hides the real health of your funnel and misleads product decisions.

• Investors see inflated user counts with terrible engagement
• A/B test results are polluted by bot traffic
• Cohort analysis becomes meaningless

2. Wasted Resources

Every fake signup costs you money:

• Database writes: Storage and indexing for accounts that never activate
• Email sends: Welcome emails, verification emails, drip campaigns to dead addresses
• SMS costs: Phone verification for throwaways (~$0.01-0.05 per message)
• Support load: Fake accounts filing fake support tickets

3. Security Risks

Fake accounts are often the first step in larger attacks:

• Testing stolen credentials (credential stuffing)
• Scraping your platform's data
• Spamming legitimate users
• Exploiting referral programs

4. Reputation Damage

High bounce rates from sending to fake emails hurt your sender reputation with Gmail, Outlook, etc. This reduces deliverability for real users too.

Signals That Indicate Fake Signups

Real users and bots behave differently. Here are the telltale signs:

Email-Based Signals

• Disposable email services: tempmail.com, guerrillamail.com, 10minutemail.net
• No MX records: Domain doesn't actually receive email
• Sequential patterns: user1@domain.com, user2@domain.com, user3@domain.com
• Typosquatting: gmial.com, yaho.com (not real providers)
• Role-based emails: admin@, support@, noreply@ (not personal addresses)

IP-Based Signals

• Datacenter IPs: AWS, Google Cloud, DigitalOcean—legitimate users don't sign up from servers
• VPN/Proxy usage: Attackers hiding their real location
• Tor exit nodes: Anonymous networks often abused by spammers
• High-risk countries: Signups from regions you don't serve (geo-mismatches)
• Impossible travel: Same account signing up from 5 countries in 10 minutes

Behavioral Signals

• Instant form submission: Fields filled in <1 second (autofill scripts)
• No mouse movement: Bot submits form without cursor activity
• Missing referrer: Direct API POST instead of coming from your signup page
• Unusual user agents: Headless browsers or spoofed clients

Prevention Strategy #1: Email Validation

The easiest win is validating emails at signup, not after sending a verification email.

IPASIS includes email validation alongside IP intelligence in a single API call, so you get both signals in <20ms.

Prevention Strategy #2: IP Reputation Checks

Real users sign up from residential ISPs (Comcast, Verizon, BT, Vodafone). Fake signups come from:

• Cloud providers: AWS, Azure, Linode—server IPs, not home broadband
• VPN services: NordVPN, ExpressVPN exit nodes
• Proxy pools: Residential proxies used at scale

Checking IP reputation catches 70-80% of fake signups instantly.

Prevention Strategy #3: Progressive Friction

Don't block aggressively—apply friction based on risk level:

This balances security with user experience—real users rarely see friction.

Implementation Guide: Real-Time Signup Validation

Here's how to validate signups server-side using IPASIS:

// API route: /api/auth/signup
import { NextRequest, NextResponse } from 'next/server';

export async function POST(req: NextRequest) {
  const { email, username } = await req.json();
  const clientIP = req.headers.get('x-forwarded-for') || req.ip || 'unknown';
  
  // Validate both email and IP in one request
  const response = await fetch('https://api.ipasis.com/check', {
    method: 'POST',
    headers: {
      'Authorization': `Bearer ${process.env.IPASIS_API_KEY}`,
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({
      ip: clientIP,
      email: email
    })
  });
  
  const result = await response.json();
  
  // Define risk thresholds
  const riskFactors = {
    lowTrustScore: result.trust_score < 50,
    disposableEmail: result.email?.disposable === true,
    datacenterIP: result.datacenter === true,
    vpnDetected: result.vpn === true || result.proxy === true,
    torNode: result.tor === true,
    knownBot: result.bot === true
  };
  
  // Count total risk factors
  const riskCount = Object.values(riskFactors).filter(Boolean).length;
  
  if (riskCount >= 3) {
    // Critical risk: block
    return NextResponse.json(
      { 
        error: 'Signup blocked due to suspicious activity',
        code: 'SIGNUP_BLOCKED'
      },
      { status: 403 }
    );
  }
  
  if (riskCount === 2) {
    // High risk: require CAPTCHA + email verification
    return NextResponse.json({
      requiresCaptcha: true,
      requiresEmailVerification: true,
      message: 'Additional verification required'
    });
  }
  
  if (riskCount === 1) {
    // Medium risk: email verification only
    return NextResponse.json({
      requiresEmailVerification: true
    });
  }
  
  // Low risk: proceed normally
  // ... create user account
  
  return NextResponse.json({ 
    success: true,
    userId: newUser.id
  });
}

Advanced: Rate Limiting by Risk Level

Apply different rate limits based on IP reputation:

This prevents attackers from cycling through IPs to create thousands of accounts.

Monitoring and Alerting

Set up dashboards to track:

• Signup-to-activation ratio: Should be 40-70% for healthy platforms
• Email bounce rate: Spikes indicate fake email addresses
• Risk score distribution: Track percentage of high-risk signups
• Blocked signups: Monitor for false positives

Alert if:

• Signups spike 10x above normal in 1 hour
• Activation rate drops below 20%
• Same email domain creates 50+ accounts in a day

Handling False Positives

No system is perfect. Some legitimate users will trigger warnings:

• Corporate VPN users: Employees signing up from company networks
• Privacy-conscious users: Legitimate VPN/Tor usage
• Travelers: Signing up from hotel/airport WiFi

Solution: Don't block—add friction (email verification). If they verify, they're real.

Post-Signup Validation

Even after signup, continue monitoring for bot behavior:

• Never logs in: Account created but never used
• Immediate API spam: Starts making requests within seconds
• Scripted actions: Same actions at exact intervals
• No human interaction: API-only usage, never visits dashboard

Flag these accounts for review or apply stricter rate limits.

Case Study: Cleaning Up User Metrics

A marketplace platform had 100,000 "users"—but only 3,000 active. After implementing IP + email validation:

• Blocked 60% of signups (datacenter IPs + disposable emails)
• Activation rate jumped from 3% → 42%
• Email delivery costs dropped 70% (no more bounces)
• Clean metrics enabled better product decisions

The key insight: They weren't losing real users—they were finally seeing real users clearly.

Best Practices Summary

• Validate email + IP together at signup (use IPASIS for both)
• Apply progressive friction based on risk level
• Rate limit by IP reputation (stricter for datacenter IPs)
• Monitor activation rates to catch fake signup campaigns early
• Don't block aggressively—require email verification for medium-risk users
• Track post-signup behavior to catch sophisticated bots
• Log all risk signals to tune thresholds over time

The Bottom Line

Fake signups are a tax on growth. Every dollar spent sending emails to dead addresses or storing inactive accounts is a dollar not spent on real users.

By validating signups in real-time with IP intelligence and email validation, you can cut fake accounts by 80-90% while preserving a smooth experience for legitimate users.