DEV Community: Andrew

Your Promo Budget Is Funding Fraud — 6 Ways Fraudsters Drain Your Campaigns

Andrew — Thu, 21 May 2026 14:07:50 +0000

You launch a referral program. Marketing rolls out a welcome discount. Day one looks great: signups are up, promo codes are getting redeemed, and the funnel looks healthy.

A few days later, the numbers stop making sense. CAC spikes. A large chunk of the “new users” never come back. Referral payouts grow faster than actual customer growth.

That's usually a sign of promo abuse.

And in practice, it's often much more automated and coordinated than teams expect.

What promo abuse really looks like

When teams think about promo abuse, they usually imagine someone posting a discount code on Reddit or sharing a referral link with friends.

In reality, a lot of abuse is automated and runs at scale. Fraudsters create large numbers of fake accounts using proxies, automated browsers, and synthetic identities to repeatedly claim signup bonuses, referral rewards, and discounts.

If a fake account costs $0.50 to create and your signup bonus is worth $10, the math works in the attacker's favor very quickly.

6 ways fraudsters abuse promo campaigns

1. Fake account farms

The simplest form of promo abuse is creating large numbers of accounts to repeatedly claim new-user offers.

But modern fake accounts are harder to spot than they used to be.
Fraudsters use residential proxies so each account appears to come from a different IP. Virtual phone numbers pass SMS verification. Synthetic identities mix real and fake information to get through basic checks.

2. Self-referral rings

Referral programs often say: “Invite a friend, you both get $15.” For attackers, that becomes: create two accounts and earn $30.

But real abuse doesn't stop at one loop. Fraudsters build referral rings — networks of accounts referring each other across different IPs, devices, and time windows to avoid detection rules.

In more advanced cases, these networks even involve real users, who are paid or incentivized to act as referral nodes. This creates a gray area that's difficult to separate from legitimate growth.

3. Coupon code guessing and abuse

If your promo codes follow predictable patterns, they can be discovered and tested at scale.

Fraudsters use automation to try large numbers of combinations until they find valid or unreleased codes.

A “15% off + free shipping + new user discount” stack can quickly turn profit into loss.

4. Endless trial loops

Free trials are an easy target for abuse.

If a trial requires a credit card, fraudsters often use virtual cards that pass initial checks but fail later charges. If no card is required, it's even simpler: new email, new account, new trial — repeated endlessly.

This can be manual or automated, but the pattern is the same.

5. Loyalty point farming

Points-based reward systems are a common target for abuse.

Fraudsters create transactions purely to generate points, then convert those points into gift cards or resell them through secondary markets.

In practice, loyalty points often behave like cash. Once that happens, abuse becomes easy to scale and worth running as an ongoing operation.

6. Bot-powered blitzes

When a high-value promotion goes live, bot networks usually hit it within minutes. Automated scripts handle the entire flow: account creation, verification, and promo redemption much faster than any human user.

By the time it becomes visible to your team, most of the budget is already gone.

Modern bots are also more sophisticated than simple scripts. They mimic human behavior with random delays, realistic input patterns, and other techniques that help them blend in with normal traffic.

The real impact of promo abuse

The obvious cost is stolen promotional value, but the secondary effects are often worse.

Your data becomes unreliable. Fake accounts distort analytics, making metrics like LTV, segmentation, and A/B tests less accurate.
Your CAC is misleading. If a significant share of “customers” is fraudulent, your real acquisition cost is higher than what dashboards show.
Legitimate users are affected too. Promotions run out faster, more friction gets added, and verification steps appear because of abuse.
Teams also feel the impact. Support deals with more complaints, fraud teams investigate manually, and engineering spends time fixing issues reactively instead of building.

What actually works for promo abuse detection

No single signal reliably catches promo abuse. What matters is combining multiple weak signals into a consistent picture.

*Behavioral signals *— Real users browse, hesitate, read reviews, and often come back later. Fraudulent accounts usually go straight to the promo, redeem it, and disappear. The navigation patterns are very different.

Account clustering — Fake accounts created in batches often share subtle similarities: registration timing, email patterns, or overlapping device and network traits.

Velocity anomalies — Legitimate redemption follows a gradual curve. Fraud creates spikes, with many redemptions happening in a short time from similar accounts.

Device and network intelligence — Automation tools and proxy networks leave traces. TLS fingerprints, WebGL inconsistencies, and timezone mismatches become meaningful when correlated together.

Any serious guide to promo abuse will tell you the same thing: no single signal catches fraud reliably, it's the combination that matters.

Building your defense

A few practical approaches that help reduce promo abuse:

Design promos to be harder to abuse. Require account aging before eligibility. Tie rewards to real engagement instead of just signups. Use unique, time-limited codes. Add progressive verification so higher-value rewards require stronger checks.
Layer your verification. No single check is enough. Combine signals like email reputation, phone validation, payment verification, and behavioral patterns. Each layer increases the cost of abuse.
Detect bots before they redeem. This is where dedicated bot protection platforms earn their keep. Real-time analysis of device fingerprints, behavioral biometrics, and network signals can catch automated abuse before the promo is consumed — without adding friction for real users.

Monitor and adapt. Fraud patterns change over time. Static rules degrade quickly. Track anomalies, review redemption patterns, and continuously update your detection logic.

It's not going away

Promo abuse will continue because it’s profitable and easy to scale. If you’ve seen promo abuse in your own product, share your experience or thoughts in the comments.

Stop Guessing — 7 Signals That Prove Your Users Are Being Hacked

Andrew — Thu, 14 May 2026 16:08:57 +0000

You wake up to a support ticket: "I didn't make this purchase." Then another. Then five more.

By the time you start investigating, the attacker has already changed the email, drained the balance, and disappeared. Account Takeover is fast, quiet, and increasingly automated.
I've spent a lot of time dealing with these cases, and the pattern is usually the same: the warning signs were there, but nobody was paying attention to them.

Here are the signals that matter most, along with practical ways to catch them.

1. Login patterns that don't make sense

Most users are predictable. They log in from the same city, the same devices, and usually around the same time each day.

So when an account suddenly shows up from another continent at 3 AM, it's probably not because the user is traveling.

What to look for in your logs:

This check isn't perfect. VPNs, mobile networks, and corporate proxies can all create false positives.

Still, impossible travel detection catches more real attacks than you'd expect, especially when combined with other signals. It's one of the simplest high-value checks you can add.

2. Failed logins that look automated

People forget their passwords all the time. But there's a big difference between someone mistyping a password a few times and a bot trying thousands of leaked credentials.

In your auth logs, automated attacks usually look like this:

Humans don't behave like this.

These patterns are a strong signal of credential stuffing: fast attempts, consistent timing, and multiple accounts targeted from the same source.

The catch is that real attackers rarely stay this simple. They rotate IPs and spread attempts across proxy networks, so per-IP rate limiting quickly loses effectiveness.

To catch this reliably, you need to look at behavior across time and traffic patterns, not just individual IPs.

3. The account suddenly changes behavior

This one is subtle, but surprisingly reliable.

A user spends months casually browsing products, then one day logs in and immediately goes to:

Settings
Change Email
Change Password

All within 90 seconds.

That's usually not normal user behavior. It's often someone who just gained access and is trying to lock the real owner out before they're noticed.

4. The device fingerprint doesn't add up

Automated tools and fake browsers usually leave small inconsistencies behind.

Maybe the browser claims to run on macOS, but the WebGL data looks like Linux. Or the session has no plugins, a suspiciously generic screen resolution, and other unusually “clean” signals.

Common red flags:

Timezone doesn't match IP location
WebGL data doesn't match the claimed OS
No browser plugins at all
Unrealistic screen resolution or color depth

None of these mean much by themselves.

But when multiple anomalies show up in the same session, it's usually a sign that something isn't right.

5. Someone is phishing your users first

Account Takeover doesn't always start with a technical exploit. Sometimes it starts with a convincing email.

A user gets a message that looks like it came from your platform:

"Suspicious login detected. Verify your account."

They click the link, enter their credentials on a fake page, and the attacker logs in normally.

Things worth watching for:

Password reset spikes you didn't expect
Support tickets about emails your team never sent
Users reporting suspicious calls or messages claiming to be from your company
Security setting changes immediately after a password reset or suspicious login

You probably won't stop phishing completely.

But you can detect what happens next. If an account resets its password, changes the email, and disables 2FA within minutes, that's usually not normal recovery behavior.

6. Transactions suddenly look different

Once attackers get access, they usually move quickly.

A user who normally makes one small purchase a month suddenly places several expensive orders within minutes. Or a new payment method gets added and all available credits are used immediately.

Patterns worth flagging:

1. Payment method changes followed by immediate purchases
2. Transaction amounts far outside the user's normal range
3. Rapid use of credits, loyalty points, or gift balances
4. Shipping address changes right before high-value orders

Legitimate user behavior is usually gradual and predictable.

Takeover activity tends to happen in short, aggressive bursts.

7. The traffic doesn't look human

Large-scale Account Takeover attacks usually run on infrastructure, not real user devices.

That often leaves patterns behind: cloud provider IPs, rotating proxy networks, automated browsers, or request timing that looks too consistent to be human.

Common signals:

Logins from data center or cloud provider IPs
IPs rotating unusually fast
Browser headers that don't look like normal user traffic
TLS fingerprints linked to automation tools
Extremely consistent request timing

None of these signals prove an attack on their own.

But together, they often point to automated traffic rather than real users.

How do you actually detect account takeover in real time?

None of these signals work well on their own. A VPN login isn't suspicious by itself. Neither is a password reset. But combine a VPN login, an immediate password change, and a new payment method within 60 seconds, and you start seeing a clear pattern.

The hard part is correlating everything in real time: login anomalies, device fingerprints, behavioral signals of account takeover, and bot patterns, across every request, without adding latency or friction for real users.

These kinds of problems are often handled well by dedicated bot protection platforms.

What's been your experience with Account Takeover? Any war stories? Drop them in the comments.