
Fake Accounts Begone! Stopping Spam Signups and Boosting your Conversion to Paid.

Are fake accounts and spam signups ruining your online business? Check out our ultimate guide to stopping them and boosting your conversion rate!

Stephen Nancekivell
Senior Software Engineer

When building a signup page for your website or app, you are usually thinking about how to get people in. But it’s just as important to keep malicious users out, which can greatly improve your conversion to paid accounts.

The odd malicious user might not seem bad at first. But if all of your emails go to spam, you get kicked off your billing platform, or your free tier usage costs go crazy, it can have a severe impact on your business.

In this post we’ll talk about commonly overlooked attacks and practical tips to keep malicious users out and get happy paying users in while improving your conversion rate. We will focus on email address & password signup because it's the most common. Social logins and key-based authentication mitigate some of these issues, but others still apply.

Some of the methods and defences we will look at are:

  • Bots repeatedly signing up
  • Users with fake email addresses who can’t receive the email
  • Users who use disposable email addresses
  • Repeat signups to get a free tier or free trial twice

Robot users signing up

A signup page basically takes an email address and a password (hashed & salted) and saves them to a database. But if that's all we do, a bot or script kiddie can simply submit the page repeatedly and generate hundreds or thousands of accounts.

If you're sending welcome emails, they will be sent out very quickly and look like spam, then bounce. Your email platform will likely stop sending them, and stop sending all of your other emails.

The activity of all of these signups can have a noticeable impact on the load time of your app, slowing it down. In severe cases people might not even be able to use it. This is typically called a Denial of Service (DoS) attack.

Chart of daily signups showing a spike in usage

To mitigate this, we can use browser fingerprinting or a spam prevention tool like reCAPTCHA or Cloudflare, which can analyse the device and see if it's a script or a normal browser. If it's not sure, it might fall back and ask the user to do something that humans do well, like detecting traffic lights in blurry photos. To implement reCAPTCHA, you would install a JavaScript library, which gives you a token to submit to the server. The server checks that token before creating the account.
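The server-side half of that check, as an added example that is not code from the original post: it sends the token to reCAPTCHA's siteverify endpoint and refuses the signup unless the response passes. The action name, score threshold, hostname and fail-closed policy are assumptions of this sketch, and the sample response is constructed.

```python
import json
import urllib.parse
import urllib.request

# Google's documented server-side verification endpoint for reCAPTCHA.
VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

def post_form(url, fields, timeout=5):
    """POST form fields and return the decoded JSON body."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=timeout) as resp:
        return json.load(resp)

def signup_token_ok(token, secret, *, expected_hostname,
                    expected_action="signup", min_score=0.5, post=post_form):
    """Return (ok, reason). Call this before the account row is written."""
    if not token:
        return False, "missing-token"
    try:
        result = post(VERIFY_URL, {"secret": secret, "response": token})
    except (OSError, ValueError):
        # Assumed policy: fail closed when the verifier cannot be reached.
        return False, "verifier-unreachable"
    if not result.get("success"):
        return False, "rejected:" + ",".join(result.get("error-codes", []))
    if result.get("hostname") != expected_hostname:
        return False, "wrong-hostname"      # token was solved on another site
    if "score" in result:                   # score/action exist only in v3 responses
        if result.get("action") != expected_action:
            return False, "wrong-action"
        if result["score"] < min_score:
            return False, "low-score"
    return True, "ok"

if __name__ == "__main__":
    # Constructed response standing in for the network call, so this runs offline.
    sample = {"success": True, "hostname": "app.example", "action": "signup", "score": 0.9}
    print(signup_token_ok("constructed-token", "constructed-secret",
                          expected_hostname="app.example", post=lambda u, f: sample))
```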

You should also use rate limiting to cap the number of times per minute a device or IP address can hit your server. Set strict limits on account creation, so that if someone is trying to create lots of accounts and gets past other defences, it will still take a long time. If you are using nginx, you would use the limit_req module.
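An application-level version of a strict per-minute limit on account creation, as an added example that is not from the original post and is not an nginx configuration. The class name, the limit of 3 per 60 seconds and the choice to group IPv6 clients by /64 are assumptions of this sketch.

```python
import ipaddress
import time
from collections import defaultdict, deque

class SignupRateLimiter:
    """Sliding-window cap on account creations per client network.

    State lives in this process only; several app servers would need a
    shared store with expiry instead of this dict.
    """

    def __init__(self, max_signups=3, window_seconds=60.0, clock=time.monotonic):
        self.max_signups = max_signups
        self.window = window_seconds
        self.clock = clock
        self.hits = defaultdict(deque)   # client key -> times of recent signups

    @staticmethod
    def client_key(ip):
        """IPv4: the address. IPv6: its /64, since one client usually holds the whole prefix."""
        addr = ipaddress.ip_address(ip)
        if addr.version == 6:
            return str(ipaddress.ip_network(f"{addr}/64", strict=False))
        return str(addr)

    def allow(self, ip):
        """Return (allowed, retry_after_seconds) for one signup attempt."""
        now = self.clock()
        hits = self.hits[self.client_key(ip)]
        while hits and now - hits[0] >= self.window:
            hits.popleft()               # forget signups that left the window
        if len(hits) >= self.max_signups:
            return False, self.window - (now - hits[0])
        hits.append(now)
        return True, 0.0

if __name__ == "__main__":
    limiter = SignupRateLimiter()
    # Constructed client address from a documentation range.
    for attempt in range(5):
        print(attempt, limiter.allow("203.0.113.7"))
```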

Signing up with fake email address

It might not be a sophisticated attack, but users simply using a fake email address can become a real issue. Users might lose access to data, or you won’t be able to contact them about any billing issues, potentially leaving you out of pocket and with little choice but to cut them off without warning. It’s good to detect this early and fix any issues while the user is setting up their account.

Some of these cases could be accidental, and can easily be fixed if the user is made aware of them.

It could also be that they have mistyped the email address. You could detect this and provide hints while they are filling in the form to catch common misspellings.

Signup page catching typo

Verification emails

A foolproof way to check whether they can receive email is to send one! You would send a verification email containing a link with a secret token in it. When they click the link, you know they have received the email.

A verification email
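One way to issue and check the secret token in that link, as an added example that is not code from the original post. The class name, the 24-hour lifetime and the in-memory dict standing in for a database table are assumptions of this sketch.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600   # assumed lifetime of a verification link

class EmailVerifier:
    """Issues single-use verification tokens and stores only their SHA-256 digest."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}   # token digest -> (email, expiry); stands in for a DB table

    @staticmethod
    def digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email):
        """Create a token for the emailed link; the raw token is never stored."""
        token = secrets.token_urlsafe(32)     # 256 bits from the OS CSPRNG
        self.pending[self.digest(token)] = (email, self.clock() + TOKEN_TTL_SECONDS)
        return token

    def confirm(self, token):
        """Return the verified email, or None if the token is unknown, used or expired."""
        record = self.pending.pop(self.digest(token), None)   # pop: single use
        if record is None:
            return None
        email, expiry = record
        if self.clock() > expiry:
            return None
        return email

if __name__ == "__main__":
    verifier = EmailVerifier()
    token = verifier.issue("alice@example.com")   # constructed address
    print("first click:", verifier.confirm(token))
    print("second click:", verifier.confirm(token))
```

Storing the digest rather than the token means a leaked table does not hand out working verification links.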

Disposable Email Addresses

If the user is deliberately trying to hide their email, they might use a disposable email service. Some people use these continually to repeat your free trial and never pay. You should detect these at signup and ask the user to provide their real email address.

Users who use a disposable address never convert, so by getting them to give you their real address up front, you immediately improve your conversion rate.

See turning repeat trials into growth for more about other ways people repeat trials.

Signup page detecting disposable emails
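A signup-form check covering both the typo hints and the disposable-address detection described above, as an added example that is not code from the original post. The function name and the 0.85 similarity cutoff are assumptions, and both domain lists are short constructed samples.

```python
import difflib

# Constructed sample lists; a real deployment needs maintained, much longer ones.
COMMON_DOMAINS = ["gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "icloud.com"]
DISPOSABLE_DOMAINS = {"tempmail.example", "throwaway.example"}

def screen_signup_email(address):
    """Return (verdict, suggestion).

    verdict is 'ok', 'invalid', 'disposable', or 'typo' with a suggested address.
    """
    local, sep, domain = address.strip().rpartition("@")
    domain = domain.lower().rstrip(".")
    if not sep or not local or "." not in domain:
        return "invalid", None
    # Check the domain and each parent domain, so subdomains of a
    # disposable service are caught as well.
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in DISPOSABLE_DOMAINS:
            return "disposable", None
    if domain not in COMMON_DOMAINS:
        # A near miss against a well-known provider is shown as a hint only:
        # legitimate look-alike domains exist, so never rewrite or reject on it.
        close = difflib.get_close_matches(domain, COMMON_DOMAINS, n=1, cutoff=0.85)
        if close:
            return "typo", f"{local}@{close[0]}"
    return "ok", None

if __name__ == "__main__":
    # Constructed sample addresses.
    for addr in ["sam@gmial.com", "sam@gmail.com", "x@mail.tempmail.example", "nope"]:
        print(addr, "->", screen_signup_email(addr))
```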

Conclusion

Now that your signup page has extra protections you can sleep easy, knowing that your email reputation can't drop through the floor, you can't suddenly get lots of chargebacks and you can contact your users when you need to.

If you're interested in this space and would like to hear more, please sign up and follow us on LinkedIn or Twitter.
