How to Prevent Fake Account Creation on Your Websites & Apps

Fake account creation is a type of automated account fraud in which cybercriminals use bots to create fake accounts for committing fraudulent acts, such as influencing product reviews, distributing false information, or spreading malware.

Protecting your platform against fake account fraud can be tricky because adding too much friction to the account creation process might drive real users away and result in loss of revenue. On the other hand, not taking action against fake accounts could lead to loss of reputation and other negative consequences.

In this article, we’ll uncover why bad actors use automated fake profile creation attacks, how these fake account creation attacks work, how to prevent bots from registering, and how the DataDome bot protection solution protects against 100% of automated bot threats, including fake account creation bots.

1. What is fake account creation?
2. Who uses fake account creation attacks, and why?
3. How fake accounts are created
4. Common defense strategies against fake account creation.
5. How DataDome protects e-commerce sites against fake account creation.

What is fake account creation?

Fake account creation is uses bots to automate the creation of fraudulent user accounts. The fake accounts are then used to commit account fraud, such as to generate spam, spread misinformation or malware, abuse signup bonuses, influence the results of reviews, voting, and more. Fake account creation is classified as an automated attack by OWASP, identified as OAT-019.

Fake accounts are becoming more and more of an issue across the internet:

• One in five account registrations are fraudulent.
• Over 2 billion fake Facebook accounts were taken down in 2019 alone.
• 21.6 million fake LinkedIn accounts were either removed or blocked in the first half of 2019.
• FakeSpot, Inc. estimates that 1/3 reviews on major websites—including Amazon, Walmart, and Steam—are fake.

Why do criminals create fake accounts?

Fake account creation may have started manually as a method for individuals to remain anonymous and avoid spam. After some time, it became a way to abuse bonus offers, or pretend to be someone else when communicating with others online, such as in romance scams (aka “catfishing”).

Today, fake accounts are often associated with social media (such as Twitter bots trying to influence elections), but there are many other use cases. The use of fake accounts to influence product reviews, for example, is now so widespread that it has become a flourishing industry of its own.

In the gaming and gambling industry, fake accounts are often used to benefit from signup bonuses, coupons, or other benefits that can subsequently be monetized.

Other examples include the manipulation of survey results, money laundering, or misusing free services (e.g. exploiting a free cloud computing account offer to mine cryptocurrency).

Finally, attackers can use fake accounts to camouflage credential stuffing attacks, by logging in with large numbers of “legitimate” accounts (with known usernames and passwords) that will lower the login fail rate of the attack.

How fake accounts are created

1. Gather Identity Source Data: Before running the user registration processes, bad actors will obtain identity source data—either stolen data, fabricated data, or a combination of the two—and use the bulk data as inputs for the next attack phase.
2. Complete Registration/User Enrollment Processes: Threat actors use APIs to sidestep new account registration forms and generate them behind the scenes in large quantities.
3. Use Created Accounts: Once the fake accounts are created, cybercriminals can use them for the various purposes listed above.

Figure 1 – OAT-019 Account Creation Attack Process