Fake Accounts Begone! Stopping Spam Signups and Boosting your Conversion to Paid.
Are fake accounts and spam signups ruining your online business? Check out our ultimate guide to stopping them and boosting your conversion rate!
When building a signup page for your website or app, you are usually thinking about how to get people in. But it’s just as important to keep malicious users out, which can greatly improve your conversion to paid accounts.
The odd malicious user might not seem like a problem at first. But if all of your emails start landing in spam, you get kicked off your billing platform, or your free-tier usage costs go through the roof, it can have a severe impact on your business.
In this post we'll talk about commonly overlooked attacks and practical tips to keep malicious users out and get happy, paying users in, while improving your conversion rate. We will focus on email address and password signup because it's the most common. Social logins and key-based authentication mitigate some of these issues, but others still apply.
Some of the attacks and defences we will look at are:
- Bots repeatedly signing up
- Users with fake email addresses who can’t receive the email
- Users who use disposable email addresses
- Repeat signups to get a free tier or free trial twice
Robot users signing up
A signup page basically takes an email address and a password (stored hashed and salted) and saves them to a database. But if that's all we do, a bot or script kiddie can simply submit the page repeatedly and generate hundreds or thousands of accounts.
If you're sending welcome emails, they will go out in a burst to addresses that don't exist, look like spam, and bounce. Your email platform will likely stop sending them, and then stop sending all of your other emails too.
The load from all of these signups can have a noticeable impact on the response time of your app, slowing it down. In severe cases people might not be able to use it at all. This is a Denial of Service (DoS) attack.
To mitigate this we can use browser fingerprinting or a bot-detection tool like reCAPTCHA or Cloudflare, which analyses the device and works out whether it's a script or a normal browser. If it's not sure, it may fall back to asking the user to do something humans do well, like spotting traffic lights in blurry photos. To implement reCAPTCHA you install a JavaScript library on the signup page; it gives you a token that the form submits to your server, and your server must verify that token with the reCAPTCHA API (using your secret key) before creating the account. Never rely on a client-side "passed" flag: only the server-side check counts, and each token is short-lived and can only be verified once.
You should also use rate limiting to cap the number of requests per minute a device or IP address can make to your server. Set strict limits on account creation specifically, so that even if someone gets past the other defences, creating lots of accounts still takes a long time. If you are using nginx, the limit_req module does this. Keep in mind that many legitimate users can share one IP address (an office, or a mobile carrier's NAT), so allow a small burst rather than blocking the first repeat outright.
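As an added example (not the post's own code), here is a Python signup gate that applies both defences in the order a practitioner would: a cheap per-IP sliding-window rate limit first, then server-side verification of the reCAPTCHA token against Google's siteverify endpoint. The HTTP call is injected as a `post` callable so the block runs offline; `SIGNUP_LIMIT`, `WINDOW_SECONDS`, `create_account` and the `signup` action name are assumptions for illustration, not part of the reCAPTCHA API.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Dict, Optional

SIGNUP_LIMIT = 5          # assumed policy: account creations per IP per window
WINDOW_SECONDS = 60 * 60  # assumed policy: one hour
SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


class SlidingWindowLimiter:
    """Allow at most `limit` hits per `window` seconds for each key (e.g. client IP)."""

    def __init__(self, limit: int, window: float,
                 clock: Callable[[], float] = time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._hits: Dict[str, deque] = defaultdict(deque)

    def allow(self, key: str) -> bool:
        now = self.clock()
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:  # forget hits older than the window
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def verify_recaptcha(token: Optional[str], secret: str,
                     post: Callable[[str, dict], dict],
                     expected_action: str = "signup") -> bool:
    """Verify a reCAPTCHA response token server-side.

    `post(url, form)` sends the form and returns the decoded JSON reply; it is
    injected so this can be tested without network access. The real call is a
    POST to SITEVERIFY_URL with fields `secret` (your secret key) and `response`
    (the token from the page). Only this check counts: a "passed" flag set by
    client-side JavaScript is under the attacker's control.
    """
    if not token:
        return False
    reply = post(SITEVERIFY_URL, {"secret": secret, "response": token})
    if not reply.get("success"):
        return False  # malformed, expired or already-verified token
    # reCAPTCHA v3 replies also carry the action named on the page and a 0.0-1.0
    # humanness score; 0.5 is the documented default threshold. v2 has neither.
    if "action" in reply and reply["action"] != expected_action:
        return False
    return reply.get("score", 1.0) >= 0.5


def create_account(email: str, password: str, token: Optional[str], client_ip: str,
                   limiter: SlidingWindowLimiter,
                   captcha_check: Callable[[Optional[str]], bool]) -> dict:
    """Gate for the signup handler: rate limit first (cheap), CAPTCHA second (network call)."""
    if not limiter.allow(client_ip):
        return {"ok": False, "reason": "rate_limited"}
    if not captcha_check(token):
        return {"ok": False, "reason": "captcha_failed"}
    # Here you would hash the password (argon2/bcrypt) and insert the account.
    return {"ok": True, "email": email}
```

If nginx fronts the app, the equivalent per-IP limit on the signup URL is `limit_req_zone $binary_remote_addr zone=signup:10m rate=5r/m;` in the http block and `limit_req zone=signup burst=3 nodelay;` in the location for the signup endpoint. Keeping a limiter in the app as well is still worthwhile, because it also covers API clients that never load the form.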
Signing up with fake email address
It might not be a sophisticated attack, but users simply entering a fake email address can become a real issue. They might lose access to their data, or you won't be able to contact them about billing problems, potentially leaving you out of pocket and with little choice but to cut them off without warning. It's good to detect this early and fix any issues while the user is setting up their account.
Some of these cases are accidental, and are easily fixed if the user is made aware of them.
It could also be that they have typo'd the email address. You can detect this as they type and show a hint that catches common misspellings of popular domains.
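One way to build that hint, as an added example rather than the post's own code: compare the typed domain against a list of common providers and suggest the closest one when it is a near miss. `COMMON_DOMAINS` is a constructed sample, the 0.8 similarity cutoff is an assumed tuning value, and the function names are illustrative.

```python
import difflib
from typing import Optional

# Constructed sample of common providers; in production build this list from
# the domains you actually see at signup.
COMMON_DOMAINS = ["gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "icloud.com"]


def domain_of(email: str) -> Optional[str]:
    """Lower-cased domain part of user@domain, or None if the shape is wrong."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or "." not in domain:
        return None
    return domain.lower()


def suggest_domain(email: str, cutoff: float = 0.8) -> Optional[str]:
    """Closest common domain when the typed one is a near miss, else None.

    An exact match needs no suggestion. `cutoff` is difflib's similarity ratio
    (0.0-1.0); 0.8 catches one-character slips such as "gmai.com" or "gmial.com"
    while leaving unusual but legitimate domains like example.com alone.
    """
    domain = domain_of(email)
    if domain is None or domain in COMMON_DOMAINS:
        return None
    matches = difflib.get_close_matches(domain, COMMON_DOMAINS, n=1, cutoff=cutoff)
    return matches[0] if matches else None


def hint_for(email: str) -> Optional[str]:
    """Text to show under the field, e.g. 'Did you mean alice@gmail.com?', or None."""
    suggestion = suggest_domain(email)
    if suggestion is None:
        return None
    local = email.strip().rpartition("@")[0]
    return f"Did you mean {local}@{suggestion}?"
```

Show the suggestion as a hint the user can accept, never as a silent auto-correction: someone really may own the unusual domain, and rewriting their address behind their back creates exactly the unreachable account you were trying to avoid.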
Verification emails
A foolproof way to check whether they can receive email is to send one! Send a verification email containing a link with a secret token in it. When they click the link you know they received the email. The token should be long and random (from a cryptographic random source), tied to that address, expire after a day or so, and work only once; store a hash of it rather than the token itself, so a leaked database can't be used to verify accounts.
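The issue-and-redeem side of that flow, as an added Python example that is not the post's own code. An in-memory dict stands in for the database table, `send` is whatever mail sender you use (a stub in tests), and the `/verify?token=` path and the 24-hour `TOKEN_TTL_SECONDS` are assumptions.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 24 * 60 * 60  # assumed policy: links expire after a day


class EmailVerifier:
    """Issue and redeem email-verification links.

    Only a SHA-256 hash of each token is kept, so a leaked copy of the pending
    table cannot be turned into working links. `send(email, link)` is the mail
    sender and `clock` is injectable so expiry can be tested.
    """

    def __init__(self, base_url: str, send: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time):
        self.base_url, self.send, self.clock = base_url, send, clock
        self._pending: Dict[str, Tuple[str, float]] = {}  # token hash -> (email, expires_at)

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str) -> str:
        """Create a 256-bit random token, store its hash, email the link; returns the link."""
        token = secrets.token_urlsafe(32)  # CSPRNG; never random.random() or a counter
        self._pending[self._hash(token)] = (email, self.clock() + TOKEN_TTL_SECONDS)
        link = f"{self.base_url}/verify?token={token}"  # /verify path is assumed
        self.send(email, link)
        return link

    def confirm(self, token: str) -> Optional[str]:
        """Redeem a token exactly once.

        Returns the verified email, or None if the token is unknown, expired or
        already used. Looking up by hash means the raw token is never compared
        against, or stored in, the database.
        """
        record = self._pending.pop(self._hash(token), None)  # pop: single use
        if record is None:
            return None
        email, expires_at = record
        if self.clock() > expires_at:
            return None  # expired links are discarded, not honoured late
        return email
```

Because the token is the only thing that proves ownership of the address, treat the link like a password reset link: send it only to the address being verified, and don't log the full URL.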
Disposable Email Addresses
If the user is deliberately trying to hide their email, they might use a disposable email service. Some people use these over and over to repeat your free trial and never pay. Detect these at signup and ask the user for their real email address.
Users who sign up with a disposable address almost never convert, so getting them to give you their real address up front immediately improves your conversion rate.
See our post on turning repeat trials into growth for more on the other ways people repeat trials.
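A signup-time check for this, as an added example that is not the post's own code. It goes a little beyond the paragraph: besides matching the domain (and any parent domain) against a disposable-domain blocklist, it canonicalises the address so that aliases of one mailbox are recognised as a repeat signup. `DISPOSABLE_DOMAINS` is a constructed sample, the duplicate-mailbox rejection is an assumed policy, and treating `+tag` as an alias outside Gmail is a heuristic labelled as such in the code.

```python
from typing import Optional, Set

# Constructed sample blocklist; real lists run to thousands of domains and
# change constantly, so load one from a maintained source and refresh it.
DISPOSABLE_DOMAINS: Set[str] = {"mailinator.com", "guerrillamail.com", "10minutemail.com"}


def domain_of(email: str) -> Optional[str]:
    """Lower-cased domain part of user@domain, or None if the shape is wrong."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or "." not in domain:
        return None
    return domain.lower().rstrip(".")


def is_disposable(email: str, blocklist: Set[str] = DISPOSABLE_DOMAINS) -> bool:
    """True when the domain, or any parent domain, is on the blocklist.

    Some throwaway services accept mail for arbitrary subdomains, so
    x@abc.mailinator.com must be caught by the mailinator.com entry.
    """
    domain = domain_of(email)
    if domain is None:
        return False
    labels = domain.split(".")
    for i in range(len(labels) - 1):  # never match on the bare TLD
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


def canonical_email(email: str) -> Optional[str]:
    """Normalise aliases of one mailbox to a single key for repeat-signup checks.

    Gmail ignores dots in the local part and anything from '+' onwards. Treating
    '+tag' as an alias at other providers is an assumed heuristic: widespread but
    not universal, so use the result as a duplicate signal, not proof of identity.
    """
    domain = domain_of(email)
    if domain is None:
        return None
    local = email.strip().rpartition("@")[0].lower().split("+", 1)[0]
    if domain == "googlemail.com":
        domain = "gmail.com"
    if domain == "gmail.com":
        local = local.replace(".", "")
    return f"{local}@{domain}"


def signup_email_check(email: str, seen_keys: Set[str]) -> dict:
    """Decision for the signup form (assumed policy): reject disposable domains
    and addresses whose canonical form has already registered."""
    if domain_of(email) is None:
        return {"accept": False, "reason": "invalid"}
    if is_disposable(email):
        return {"accept": False, "reason": "disposable"}
    key = canonical_email(email)
    if key in seen_keys:
        return {"accept": False, "reason": "duplicate_mailbox"}
    seen_keys.add(key)
    return {"accept": True, "reason": ""}
```

When a disposable domain is rejected, say so in the form and ask for a real address straight away; that is the moment the user is most willing to give it.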
Conclusion
Now that your signup page has extra protections you can sleep easy, knowing that your email reputation won't drop through the floor, you won't suddenly get lots of chargebacks, and you can contact your users when you need to.
If you're interested in this space and would like to hear more, please sign up and follow us on LinkedIn or Twitter.