Signup forms are targets. Every exposed registration form attracts automated bots, fraudsters creating fake accounts, competitors scraping behind login walls, and users abusing free trials with throwaway credentials.
The challenge is distinguishing fake signups from real users without creating friction that drives legitimate customers away. Overly strict validation loses real users. Insufficient validation lets abuse through.
Effective signup protection uses layered validation—multiple signals that together identify fake signups while keeping the door open for legitimate users.
Understanding Fake Signup Patterns
Fake signups come from different sources with different characteristics:
Automated bots submit registration forms programmatically. They're typically fast (submitting in milliseconds), don't execute JavaScript, don't move a mouse, and often have outdated or unusual user agents. Bots create accounts for spam, credential stuffing, or scraping.
Disposable email users sign up with temporary email addresses that expire within minutes or hours. Some have legitimate reasons (privacy concerns), but many are abusing free trials, evading bans, or creating multiple accounts for fraud.
Fraudulent accounts are created manually or semi-automatically with intent to abuse the system. Credit card testing, referral fraud, fake reviews, and similar schemes require accounts that look real enough to avoid immediate detection.
Invalid or mistyped addresses come from real users who accidentally enter wrong information. These aren't malicious, but they create accounts that can never receive email—activation links, password resets, or important notifications fail silently.
Each category requires different detection approaches.
Layer 1: Email Validation
Email validation is the foundation of signup protection. A thorough email check catches multiple problem categories:
Format validation catches obviously malformed addresses—missing @ symbols, invalid characters, incomplete domains. This is the minimum any form should do.
Domain validation verifies the domain exists and has DNS records. Typos like gmial.com pass format validation but fail domain checks because the domain doesn't exist.
MX record verification confirms the domain is configured to receive email. A domain might exist but have no mail servers configured.
Mailbox verification (where possible) checks whether the mail server accepts messages for the specific address. Some servers confirm this; others refuse to answer.
Deliverability assessment considers factors like domain reputation, known bounce patterns, and historical deliverability data.
Each layer catches problems the previous layers miss. A phased approach validates progressively deeper:
- Check format instantly (client-side, free)
- Check domain and MX on blur or submit (fast API call)
- Full deliverability check for high-value signups (deeper API call)
Layer 2: Disposable Email Detection
Disposable email services provide temporary addresses for users who want to sign up without providing permanent contact information. Services like Guerrilla Mail, 10 Minute Mail, Temp Mail, Mailinator, and hundreds of others offer these throwaway addresses.
Disposable email detection maintains databases of known disposable domains, pattern-based detection for newly created services, and heuristics for identifying throwaway behavior.
When a disposable email is detected, applications can:
Block registration - Simplest approach. Require a permanent email address.
Allow with restrictions - Let users sign up but limit functionality until they provide a permanent address.
Flag for monitoring - Allow registration but mark the account for closer scrutiny of behavior.
Require phone verification - Add a second verification channel for users with disposable emails.
The right approach depends on what you're protecting. A free trial with significant value justifies stricter controls than a newsletter signup.
A disposable email check returns clear signals for decision-making:
const response = await fetch(
'https://api.apiverve.com/v1/disposableemailchecker?email=user@tempmail.com',
{ headers: { 'x-api-key': 'YOUR_API_KEY' } }
);
const { data } = await response.json();
if (data.isDisposable) {
// Block signup or require phone verification
return { error: 'Please use a permanent email address' };
}
When isDisposable is true, your application can block, restrict, or flag the signup accordingly.
Layer 3: Bot Detection
Automated bots exhibit behavioral patterns that differ from human users:
Speed - Humans take seconds to fill forms. Bots submit instantly or with mechanical regularity. A form submitted 200 milliseconds after page load isn't a human.
Interaction patterns - Humans move the mouse, scroll, make mistakes and correct them. Bots often interact minimally or not at all.
JavaScript execution - Many bots don't fully render pages or execute JavaScript. Requiring client-side computation can identify basic bots.
Honeypot fields - Hidden form fields that humans never see. Bots programmatically fill all fields, triggering the trap.
Browser fingerprinting - Automated tools have identifiable characteristics—missing browser APIs, inconsistent reported capabilities, known bot browser signatures.
User agent analysis - Bot frameworks have identifiable user agents. Outdated browsers are suspicious. Missing user agents are suspicious.
IP reputation - IPs from known bot networks, data centers without legitimate traffic, or with high abuse history indicate automated traffic.
Bot detection typically combines multiple signals into a risk score rather than relying on any single indicator. A single bot signal might be a false positive; multiple signals together indicate high confidence.
Layer 4: Phone Validation
For high-value signups—paid plans, financial services, enterprise accounts—phone validation adds another verification layer:
Format validation confirms the phone number structure is valid for its country. This catches typos and made-up numbers.
Type detection identifies whether a number is mobile, landline, or VoIP. Mobile numbers are harder to generate in bulk than VoIP numbers.
Carrier identification shows which network the number belongs to. Known VoIP carriers may indicate higher risk for certain use cases.
SMS verification sends a code the user must enter, confirming they control the phone number.
Phone validation adds friction, so it's typically reserved for contexts where account value justifies it. A free blog doesn't need phone verification; a financial services platform does.
VoIP numbers deserve consideration. Many legitimate users have Google Voice, Skype, or similar numbers. Blocking all VoIP numbers creates false positives. But VoIP numbers are also easier to generate for fraud. The right approach depends on your fraud risk profile.
Layer 5: Pattern Detection
Individual signals have limited value. Patterns combining multiple signals are more powerful:
Velocity patterns - Multiple signups from the same IP address, same device fingerprint, or same behavioral patterns in short time periods indicate bulk account creation.
Sequential data - Email addresses like test1@example.com, test2@example.com, test3@example.com suggest automated generation.
Cross-signal combinations - A new domain, plus disposable email, plus instant form submission, plus known bot user agent creates high confidence of fraud even if each signal alone wouldn't trigger blocking.
Deviation from baselines - Understanding normal signup patterns helps identify abnormal ones. A sudden spike in signups from a particular country or with particular characteristics warrants investigation.
Pattern detection typically operates on aggregated data—looking at signup volume over time, geographic distribution, email domain distribution, and other aggregate metrics that reveal coordinated activity.
Balancing Security and Conversion
Every validation check creates potential friction. A signup flow that rejects too many people—including legitimate users caught by false positives—has poor conversion.
Principles for balancing security with conversion:
Validate progressively - Start with light validation. Apply heavier validation only when earlier signals indicate risk. Most legitimate users see minimal friction.
Provide helpful feedback - When validation fails, help users fix the problem. "Did you mean gmail.com?" is better than "Invalid email."
Allow override with verification - If validation is uncertain, let users proceed with additional verification rather than blocking outright.
Measure false positives - Track when legitimate users are blocked. If the same validation rule causes repeated support tickets, the rule may be too aggressive.
Segment by value - Apply stricter validation to higher-value actions. Creating an account might have light validation; starting a trial might have more; completing a purchase might have the most.
Fail gracefully - If validation services are unavailable, have fallbacks. Rejecting all signups because the validation API is down is worse than allowing some risky signups through temporarily.
User Experience Considerations
How validation feels matters as much as what it catches:
Speed - Validation shouldn't noticeably slow down the signup process. Async validation that completes before users finish typing feels instant.
Clarity - Error messages should explain what's wrong and how to fix it. "Please use a permanent email address" not "Error 403."
Positioning - Show validation feedback near the relevant field. Don't make users hunt for error messages.
Timing - Validate on blur (when users leave a field) rather than on every keystroke. Let users finish typing before showing errors.
Persistence - Remember that validation passed. Don't re-validate on every page load or make users re-enter verified information.
Post-Signup Monitoring
Validation at signup is one checkpoint. Ongoing monitoring catches accounts that passed initial validation but exhibit suspicious behavior later:
Activation monitoring - Accounts that sign up but never activate may indicate fake signups that couldn't pass email verification.
Behavior analysis - Normal users have varied behavior. Accounts that immediately scrape data, spam other users, or perform single-purpose actions warrant investigation.
Velocity monitoring - Unusual activity levels—creating hundreds of items, sending hundreds of messages—indicate automation even if signup looked legitimate.
Payment fraud signals - For accounts with payment, watch for card testing patterns, chargeback rates, and suspicious purchase behavior.
Post-signup monitoring catches sophisticated fraud that initial validation misses. The best fake accounts look legitimate at signup and reveal themselves through behavior.
Measuring Effectiveness
Track metrics to understand whether your validation is working:
Fake signup rate - What percentage of signups turn out to be fake (never activate, exhibit bot behavior, get caught in post-signup monitoring)?
Activation rate - What percentage of signups complete activation? Low rates may indicate invalid emails getting through.
Conversion rate - What percentage of signups become paying customers or engaged users? If conversion drops after adding validation, false positives may be the cause.
Support ticket volume - Are users complaining about being unable to sign up? These represent potential false positives.
Fraud losses - If accounts are used for fraud, what are the actual losses? This is the cost you're trying to minimize.
Track these metrics before and after changes to understand impact. A validation change that reduces fake signups 50% but also reduces legitimate signups 10% may not be worthwhile.
Implementation Approaches
Progressive implementation - Start with basic validation (format checking, obvious bot detection). Add layers as you understand your fraud patterns. Don't over-engineer initially.
API-based validation - Build vs. buy decisions favor APIs for most validation tasks. Email deliverability databases, disposable email lists, and bot detection signatures require ongoing maintenance. APIs handle this.
Risk scoring - Rather than binary accept/reject, assign risk scores. Low risk proceeds normally. Medium risk triggers additional verification. High risk blocks.
Fallback handling - External validation services will occasionally be unavailable. Decide in advance whether to fail open (allow signups, validate later) or fail closed (block signups during outages).
Compliance and Privacy
User validation intersects with privacy and data protection:
Data minimization - Only collect information you need. Phone validation might be overkill for low-risk applications.
Transparency - If you're checking users against databases, privacy policies should disclose this.
Data retention - Validation data (IP addresses, device fingerprints, etc.) may be personal data with retention requirements.
Regional variations - Validation approaches that work in one jurisdiction may face restrictions in others. Phone verification, IP geolocation, and device fingerprinting all have varying privacy implications.
Review validation approaches with privacy and legal requirements in mind.
Starting Simple
For most applications, a reasonable starting point:
- Format validation - Client-side, instant
- Email deliverability check - Server-side, on submit
- Disposable email detection - Server-side, on submit
- Basic bot detection - Honeypot fields, submission timing
- Rate limiting - Limit signups per IP per time period
This combination catches the majority of fake signups with minimal friction for legitimate users. Add more sophisticated measures as you understand your specific fraud patterns.
The goal isn't to eliminate all fake signups—that's impossible without also eliminating many real users. The goal is reducing fake signups to manageable levels while maintaining healthy conversion rates for legitimate traffic.
Validate emails thoroughly with the Email Validator API. Detect disposable addresses with the Disposable Email Checker API. Verify phone numbers with the Phone Number Validator API. Identify bots with the Bot Detector API. Build signup forms that keep the fakes out.
Originally published at APIVerve Blog
Top comments (0)