
Fake Accounts Begone! Stopping spam signups and boosting your conversion to paid.

· 5 min read

When building a signup page for your website or app, you are usually thinking about how to get people in. But it’s just as important to keep malicious users out, which can greatly improve your conversion to paid accounts.

A login page waiting for fake accounts to sign up

The odd malicious user might not seem bad at first. But if all of your emails go to spam, you get kicked off your billing platform, or your free tier usage costs spiral, it can have a severe impact on your business.

In this post we’ll talk about commonly overlooked attacks and practical tips to keep malicious users out and get happy paying users in while improving your conversion rate. We will focus on email address & password signup because it's the most common. Social logins and key based authentication mitigate some of these issues but others still apply.

Some of the methods and defences we will look at are

Robot users signing up

A signup page basically takes an email address and a password (hashed and salted) and saves them to a database. But if that's all it does, a bot or script kiddie can simply submit the form repeatedly and generate hundreds or thousands of accounts.

If you're sending welcome emails, they will be sent out very quickly, look like spam, and then bounce. Your email platform will likely stop sending them, and then stop sending all of your other emails too.

The activity of all of these signups can have a noticeable impact on the load time of your app, slowing it down. In severe cases people might not even be able to use it at all. This is typically called a Denial of Service (DoS) attack.

Chart of daily signups showing a spike in usage

To mitigate this we can use browser fingerprinting or a spam prevention tool like reCAPTCHA or Cloudflare, which can analyse the device and tell whether it's a script or a normal browser. If it's not sure, it might fall back to asking the user to do something that humans do well, like spotting traffic lights in blurry photos. To implement reCAPTCHA, you install a JavaScript library on the page, which gives you a token to be submitted to the server; the server checks that token with the provider before creating the account.

You should also use rate limiting to cap the number of times per minute a device or IP address can hit your server. Set strict limits on account creation, so that if someone trying to create lots of accounts does get past your other defences, it will still take them a long time. If you are using nginx you would use the limit_req module.

Signing up with a fake email address

It might not be a sophisticated attack, but users simply using a fake email address can become a real issue. Users might lose access to their data, or you won't be able to contact them about billing issues, potentially leaving you out of pocket and with little choice but to cut them off without warning. It's good to detect this early and fix any issues while the user is setting up their account.

Some of these cases could be accidental, and can easily be fixed if the user is made aware of them.

It could also be that they have mistyped the email address. You can detect this and show hints while they are filling in the form to catch common misspellings.

Signup page catching typo

Verification emails

A foolproof way to check whether they can receive email is to send one! You send a verification email containing a link with a secret token in it. When they click the link, you know they have received the email.
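As an added example (not code from the original post or from Upollo), here is how the secret token in such a link can be generated and checked in Python: the token is HMAC-signed over the email address, an expiry time and a random nonce, so it can be neither guessed nor altered, and it is rejected once used or after it expires. The server key, the 24-hour lifetime and the in-memory set of used nonces are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Assumed server-side secret for this example; load it from a secrets store in production.
SERVER_KEY = b"constructed-example-key-not-for-real-use"
TOKEN_TTL_SECONDS = 24 * 60 * 60          # assumed 24-hour link lifetime
_used_nonces = set()                      # single-use bookkeeping; a DB table in practice


def _sign(payload: bytes) -> bytes:
    """HMAC-SHA256 over the payload so nobody can forge or edit a token."""
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_verification_token(email: str, now=None) -> str:
    """Build the secret token that goes into the verification link."""
    expires = int((time.time() if now is None else now) + TOKEN_TTL_SECONDS)
    nonce = secrets.token_urlsafe(16)     # unguessable, fresh for every email sent
    payload = f"{email}|{expires}|{nonce}".encode()
    return _b64encode(payload) + "." + _b64encode(_sign(payload))


def verify_token(token: str, now=None):
    """Return the verified email address, or None if the token is malformed,
    tampered with, expired or already used."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _b64decode(payload_b64), _b64decode(sig_b64)
        # Constant-time comparison; compare before trusting anything in the payload.
        if not hmac.compare_digest(sig, _sign(payload)):
            return None
        email, expires, nonce = payload.decode().rsplit("|", 2)
        expires = int(expires)
    except ValueError:                    # covers bad base64, bad UTF-8 and bad fields
        return None
    if (time.time() if now is None else now) > expires or nonce in _used_nonces:
        return None
    _used_nonces.add(nonce)               # burn the token so the link works only once
    return email
```

The token is stateless apart from the used-nonce set, so the server does not need to store it before the email is sent.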

A verification email

Disposable email addresses

If the user is deliberately trying to hide their email they might use a disposable email service. Some people use these continually to repeat your free trial and never pay. You should detect these at signup and ask the user to provide their real email address.

Users who use a disposable address never convert, so by getting them to give you their real address up front, you immediately improve your conversion rate.

See turning repeat trials into growth for more about other ways people repeat trials.

Signup page detecting disposable emails

Conclusion

Now that your signup page has extra protections you can sleep easy, knowing that your email reputation can't drop through the floor, you won't suddenly get lots of chargebacks, and you can contact your users when you need to.

If you're interested in this space and would like to hear more, please sign up and follow us on LinkedIn or Twitter.

Upollo
Copyright 2022