Detecting Fake Signups: Risk Scoring for Referrals
Every referral program with a payout attached is also a fraud target. The moment a partner earns money for a signup, someone will manufacture signups. The cheap version is one person and a dozen throwaway accounts; the expensive version is a coordinated affiliate running scripts against your registration endpoint. Both end the same way: inflated numbers, a commission tree that pays out on garbage, and a CAC figure you can no longer trust. The fix is not a CAPTCHA wall that punishes real users. It is quiet, server-side risk scoring that runs on every signup, attaches a score to the referral, and lets clean conversions through untouched while flagging the rest. Here is how we score signups at Argus Grape, and which signals actually carry weight.
Disposable and throwaway email domains
The first signal is the cheapest to check and the cheapest to evade, so treat it as a weak prior, not a verdict. Maintain a blocklist of disposable-email domains and refresh it on a schedule, because new domains appear weekly. A signup from mailinator.com or a one-hour-inbox provider should add to the risk score, not auto-reject, since a small fraction of legitimate privacy-conscious users do reach for them. The value of this check is that fraud rings lean on disposable inboxes heavily, so a cluster of them under one referrer is far more telling than any single hit.
Normalized-email deduplication
The most common cheap attack is one inbox wearing many costumes. Gmail ignores dots and everything after a plus sign, so first.last@gmail.com, firstlast@gmail.com, and firstlast+ref1@gmail.com all deliver to the same person. Store a normalized form of every email alongside the raw one and dedup against it: lowercase, strip dots in the local part for providers that ignore them, and drop the plus-tag. When ten normalized addresses collapse to two real inboxes under a single affiliate, you have found a self-referral ring without needing anything fancier.
Device-fingerprint reuse
Email is trivial to vary; the browser environment is not. A device fingerprint built from user-agent, screen and viewport dimensions, timezone, language, and rendering quirks gives you a stable-enough handle to spot the same machine signing up repeatedly. No single attribute identifies a device, but the combination is sticky. The signal you care about is reuse: the same fingerprint behind five signups in an hour, all crediting the same referrer, is worth more than any email heuristic. Hash the fingerprint server-side and never let the client tell you who it is.
IP bursts and velocity
Coordinated fraud has a rhythm. Genuine referral traffic arrives spread across hours and networks; a script arrives in a burst from one IP, one subnet, or one datacenter ASN. Track signup velocity per IP, per subnet, and per referrer, and watch for spikes against each one's own baseline. Traffic from hosting-provider ASNs rather than residential or mobile networks is a strong tell, since real consumers rarely sign up from an AWS IP.
Combining signals into one score
No single check is decisive. Combine them into one weighted score per signup and tune the weights against confirmed fraud rather than intuition. The signals worth carrying weight are these:
- Disposable or freshly registered email domain (weak signal, raises the floor)
- Normalized email collides with an existing account under the same referrer
- Device fingerprint already seen on N signups within a short window
- Signup velocity exceeds the rolling baseline for the IP, subnet, or referrer
- Origin IP belongs to a hosting or VPN ASN rather than a consumer network
- Click-to-signup time near zero, or a referral chain that loops back on itself
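As an added illustration (not Argus Grape's own code), the example below implements the normalized-email dedup from the earlier section and a weighted scorer over a subset of the signals listed above (disposable domain, email collision under the same referrer, fingerprint reuse within a window, hosting ASN, near-zero click-to-signup). The weights, thresholds, disposable list and ASN set are placeholder assumptions; a real deployment tunes them against confirmed fraud as the text describes.

```python
# Added example (not Argus Grape's own code): email normalization and a
# weighted per-signup risk score combining the signals listed above.
# Weights and thresholds are illustrative placeholders, not tuned values.
from collections import defaultdict

DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}      # providers that ignore dots
DISPOSABLE = {"mailinator.com", "guerrillamail.com"}    # refresh from a real blocklist
HOSTING_ASNS = {16509, 14618}                           # assumed: illustrative hosting ASNs

def normalize_email(addr: str) -> str:
    """Collapse dot/plus-tag variants to the address that actually receives mail."""
    local, _, domain = addr.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]                      # drop the +tag suffix
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")
    return f"{local}@{domain}"

class ReferralRiskScorer:
    """Tracks per-referrer state across signups and emits a 0-100 risk score."""
    WEIGHTS = {"disposable": 15, "email_collision": 40,
               "fingerprint_reuse": 30, "hosting_asn": 20, "instant_signup": 25}
    FP_WINDOW_SEC, FP_LIMIT = 3600, 3                   # N signups per fingerprint per hour

    def __init__(self):
        self.seen_emails = defaultdict(set)            # referrer -> normalized emails
        self.fp_times = defaultdict(list)              # fingerprint hash -> signup timestamps

    def score(self, s: dict) -> tuple:
        reasons = []
        norm = normalize_email(s["email"])
        domain = norm.rpartition("@")[2]
        if domain in DISPOSABLE:                        # weak prior, raises the floor
            reasons.append("disposable")
        if norm in self.seen_emails[s["referrer"]]:     # same inbox, same referrer
            reasons.append("email_collision")
        self.seen_emails[s["referrer"]].add(norm)
        recent = [t for t in self.fp_times[s["fp"]] if s["ts"] - t < self.FP_WINDOW_SEC]
        recent.append(s["ts"])
        self.fp_times[s["fp"]] = recent
        if len(recent) >= self.FP_LIMIT:                # same device signing up repeatedly
            reasons.append("fingerprint_reuse")
        if s.get("asn") in HOSTING_ASNS:                # datacenter origin, not consumer
            reasons.append("hosting_asn")
        if s["ts"] - s["click_ts"] < 2:                 # click-to-signup under two seconds
            reasons.append("instant_signup")
        total = min(100, sum(self.WEIGHTS[r] for r in reasons))
        return total, reasons
```

The score is attached to the signup and never surfaced to the form, matching the silent-scoring approach in the next section.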
Score silently, act later
The mistake is acting loudly. If you reject a fraudulent signup at the form, you hand the attacker a free oracle: they tweak one variable, resubmit, and learn exactly which check tripped. A ring that thinks it is winning keeps reusing the same fingerprints and inboxes; a ring that gets a hard error simply adapts. So accept the signup, attach the score, and decide downstream: low-risk conversions clear normally, while high-risk ones get held back from commission accrual and quietly shadow-banned, leaving the affiliate to admire an inflated dashboard while no real money moves. Run the scoring at the edge alongside click tracking so it adds no friction to honest users and no latency to the funnel, then let your signed conversion webhooks carry the score downstream for billing decisions. Review the held bucket weekly, feed confirmed cases back into your weights, and the model sharpens against the specific rings targeting you. See our pricing for which plans include risk scoring and shadow-ban controls.
Last updated May 27, 2026.