New Account Fraud Prevention

Detect and block users creating multiple accounts to exploit your platform. Learn how to use device fingerprinting to connect fake accounts to the same device.

The Problem

Every business with a signup flow faces the same challenge: fraudsters create multiple fake accounts to abuse your system. Whether it's claiming free trials repeatedly, gaming referral programs, or building networks for spam and scam operations, fake account creation costs businesses billions annually.

Traditional defences fail because:

Email verification is trivial to bypass with disposable email services
Phone verification can be defeated with virtual phone numbers
IP blocking fails against VPNs and rotating proxies
CAPTCHA is easily solved by bot farms and AI services
Rate limiting by IP misses distributed attacks

The result: A single fraudster can create hundreds of accounts, each appearing legitimate in isolation.

Common Attack Vectors

Attack Type

Description

Business Impact

Free Trial Abuse

Creating new accounts to extend free trials indefinitely

Lost revenue, skewed metrics

Promo/Coupon Stacking

Using multiple accounts to claim one-time offers repeatedly

Direct financial loss

Referral Fraud

Self-referring between fake accounts to earn bonuses

Inflated CAC, program abuse

Review Manipulation

Fake accounts posting fraudulent reviews

Damaged trust, legal risk

Bonus Abuse

Exploiting sign-up bonuses across multiple accounts

Direct financial loss

Content Spam

Automated account creation for spam distribution

Platform degradation

The Solution: Device-Based Identity

Guardian Stack links accounts to devices, not just credentials. Even when a fraudster uses a new email, phone number, VPN, and incognito mode, they're still using the same physical device — and Guardian detects it.

How It Works

User visits signup page
Guardian SDK silently collects device signals
User submits registration form
Your backend fetches the Guardian event and checks:
1. Is this device linked to existing accounts?
2. Is this a bot or automated browser?
3. Is the user hiding behind a VPN/proxy?
Allow, challenge, or deny registration

Key insight: The visitorId persists across incognito sessions, cleared cookies, and browser restarts. It's cryptographically tied to the physical device.

Implementation Guide

Step 1: Frontend — Capture Device Signals

Install the Guardian JS SDK:

npm install @guardianstack/guardian-js

Initialize Guardian when your app loads, then call .get() during registration:

import { loadAgent } from "@guardianstack/guardian-js";

// Initialize once when your app starts
const guardian = await loadAgent({
  siteKey: "YOUR_SITE_KEY",
});

async function handleSignup(formData: SignupFormData) {
  // 1. Get Guardian signals before submitting
  const response = await guardian.get();
  const requestId = response?.requestId;

  // 2. Submit registration with Guardian requestId
  const result = await fetch("/api/signup", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({
      ...formData,
      guardianRequestId: requestId,
    }),
  });

  return result.json();
}

Step 2: Backend — Verify & Decide

Install the Guardian Server SDK:

npm install @guardianstack/guardianjs-server

Create your signup endpoint with fraud checks:

import {
  createGuardianClient,
  isBot,
  isVPN,
  isTampering,
  isIncognito,
  isVirtualized,
} from "@guardianstack/guardianjs-server";

const guardianClient = createGuardianClient({
  secret: process.env.GUARDIAN_SECRET_KEY!,
});

app.post("/api/signup", async (req, res) => {
  const { email, password, guardianRequestId } = req.body;

  // 1. Fetch the Guardian event
  const event = await guardianClient.getEvent(guardianRequestId);

  // 2. Extract key identifiers
  const visitorId = event.identification.visitorId;
  const ipAddress = event.identification.ip;

  // 3. Check for automation/bot signals
  if (isBot(event)) {
    return res.status(403).json({
      error: "Registration blocked",
      reason: "Automated access detected",
    });
  }

  // 4. Check for browser tampering (anti-detect browsers)
  if (isTampering(event)) {
    return res.status(403).json({
      error: "Registration blocked",
      reason: "Browser integrity check failed",
    });
  }

  // 5. Check if this device has created accounts before
  const existingAccounts = await db.accounts.findMany({
    where: { visitorId },
  });

  if (existingAccounts.length > 0) {
    return res.status(403).json({
      error: "Registration blocked",
      reason: "You've already created an account",
    });
  }

  // 6. Check velocity (too many attempts from this device)
  const velocity = event.velocity;
  if (velocity["24h"] > 10) {
    return res.status(429).json({
      error: "Too many attempts",
      reason: "Please try again later",
    });
  }

  // 7. All checks passed — create the account
  const newUser = await db.accounts.create({
    data: {
      email,
      password: await hashPassword(password),
      visitorId, // Store for future fraud detection
      signupIp: ipAddress,
      createdAt: new Date(),
    },
  });

  return res.status(201).json({ success: true, userId: newUser.id });
});

Real-World Examples

Free Trial Abuse Prevention

Scenario: Your SaaS offers a 15-day free trial. Fraudsters create new accounts every 15 days to avoid paying.

app.post("/api/start-trial", async (req, res) => {
  const { guardianRequestId, email } = req.body;

  const event = await guardianClient.getEvent(guardianRequestId);
  const visitorId = event.identification.visitorId;

  // Check if this device has EVER started a trial
  const previousTrials = await db.trials.findMany({
    where: { visitorId },
  });

  if (previousTrials.length > 0) {
    const lastTrial = previousTrials[0];
    return res.status(403).json({
      error: "Trial unavailable",
      message: "You've already used a free trial on this device",
      previousEmail: maskEmail(lastTrial.email), // "j***@example.com"
    });
  }

  // Create the trial and link to device
  await db.trials.create({
    data: {
      email,
      visitorId,
      startedAt: new Date(),
      expiresAt: addDays(new Date(), 15),
    },
  });

  return res.json({ success: true, trialDays: 15 });
});

Referral Program Protection

Scenario: You offer $20 for each referred user. Fraudsters refer themselves using multiple accounts.

app.post("/api/apply-referral", async (req, res) => {
  const { referralCode, guardianRequestId } = req.body;

  const event = await guardianClient.getEvent(guardianRequestId);
  const newUserVisitorId = event.identification.visitorId;

  // Find the referrer
  const referrer = await db.users.findUnique({
    where: { referralCode },
  });

  if (!referrer) {
    return res.status(404).json({ error: "Invalid referral code" });
  }

  // Check if referrer and new user share the same device
  if (referrer.visitorId === newUserVisitorId) {
    // Log for fraud review but don't reveal detection
    await logFraudAttempt("self_referral", {
      referrerId: referrer.id,
      visitorId: newUserVisitorId,
    });

    return res.status(400).json({
      error: "Referral not applied",
      message: "This referral code cannot be used",
    });
  }

  // Check if this device has been referred before
  const previousReferrals = await db.referrals.findMany({
    where: { referredVisitorId: newUserVisitorId },
  });

  if (previousReferrals.length > 0) {
    return res.status(400).json({
      error: "Referral not applied",
      message: "This device has already been referred",
    });
  }

  // Valid referral — credit the referrer
  await db.referrals.create({
    data: {
      referrerId: referrer.id,
      referredVisitorId: newUserVisitorId,
      bonusAmount: 20,
      status: "pending",
    },
  });

  return res.json({ success: true, message: "Referral bonus applied!" });
});

Scenario: A one-time 50% discount code is being reused across fake accounts.

app.post("/api/apply-promo", async (req, res) => {
  const { promoCode, guardianRequestId } = req.body;

  const event = await guardianClient.getEvent(guardianRequestId);
  const visitorId = event.identification.visitorId;

  const promo = await db.promoCodes.findUnique({
    where: { code: promoCode },
  });

  if (!promo || !promo.isActive) {
    return res.status(404).json({ error: "Invalid promo code" });
  }

  // Check if promo is one-per-device
  if (promo.onePerDevice) {
    const usedBefore = await db.promoUsage.findFirst({
      where: {
        promoId: promo.id,
        visitorId,
      },
    });

    if (usedBefore) {
      return res.status(400).json({
        error: "Promo code already used",
        message: "This offer is limited to one per device",
      });
    }
  }

  // Record usage and apply discount
  await db.promoUsage.create({
    data: {
      promoId: promo.id,
      visitorId,
      usedAt: new Date(),
    },
  });

  return res.json({
    success: true,
    discount: promo.discountPercent,
  });
});

Database Schema Example

Store Guardian identifiers for long-term fraud detection:

-- Users table with fraud prevention fields
CREATE TABLE users (
  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
  email VARCHAR(255) UNIQUE NOT NULL,
  password_hash VARCHAR(255) NOT NULL,

  -- Guardian fraud prevention
  visitor_id VARCHAR(255),          -- Persistent device ID
  signup_ip INET,                   -- IP at registration
  signup_risk_score INTEGER,        -- Trust score at signup

  -- Metadata
  created_at TIMESTAMP DEFAULT NOW(),
  updated_at TIMESTAMP DEFAULT NOW()
);

-- Index for quick device lookups
CREATE INDEX idx_users_visitor_id ON users(visitor_id);

-- Track all visitor IDs seen for a user (device history)
CREATE TABLE user_devices (
  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
  user_id UUID REFERENCES users(id),
  visitor_id VARCHAR(255) NOT NULL,
  first_seen_at TIMESTAMP DEFAULT NOW(),
  last_seen_at TIMESTAMP DEFAULT NOW(),
  is_trusted BOOLEAN DEFAULT false,

  UNIQUE(user_id, visitor_id)
);

-- Fraud events for review
CREATE TABLE fraud_events (
  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
  event_type VARCHAR(50) NOT NULL,  -- 'duplicate_device', 'bot_detected', etc.
  visitor_id VARCHAR(255),
  ip_address INET,
  request_data JSONB,
  guardian_event JSONB,             -- Store full event for analysis
  created_at TIMESTAMP DEFAULT NOW()
);

Best Practices

Do

Store visitorId with every account for future cross-referencing
Log fraud attempts without revealing detection methods to users
Use risk scoring for graduated responses instead of hard blocks
Combine signals — a VPN alone isn't fraud, but VPN + incognito + high velocity is suspicious
Review edge cases — legitimate users sometimes trigger signals

Don't

Don't block VPN users outright — many legitimate users use VPNs for privacy
Don't reveal detection methods in error messages (avoid "Bot detected")
Don't rely solely on IP — it's easily changed
Don't ignore velocity — rapid signups from one device indicate automation

Testing Your Implementation

Use these scenarios to verify your fraud detection:

Test Case

Expected Behavior

Normal signup

Account created successfully

Same device, new email

Blocked ("Already have an account")

Incognito mode signup

Slight score reduction, still allowed

VPN + incognito + rapid attempts

Challenge or block

Automated browser (Puppeteer)

Blocked (bot detected)

Anti-detect browser

Blocked (tampering detected)

Conclusion

New account fraud is a persistent threat that traditional verification methods can't solve. By linking accounts to physical devices through Guardian Stack's visitorId, you can:

Stop serial abusers who create multiple accounts
Protect promotional offers from exploitation
Preserve referral program integrity
Reduce manual fraud review with automated detection
Maintain good user experience for legitimate customers

The key insight: fraudsters can change emails, phone numbers, and IP addresses easily — but they can't easily change their physical device. Guardian Stack makes device identity the foundation of your fraud prevention strategy.

Get Started: Sign up for Guardian Stack and get your API keys to implement this today.

PreviousRequest ID Security NextPayment Fraud Prevention

Last updated 19 days ago

Was this helpful?

The Problem

Common Attack Vectors

The Solution: Device-Based Identity

How It Works

Implementation Guide

Step 1: Frontend — Capture Device Signals

Step 2: Backend — Verify & Decide

Real-World Examples

Free Trial Abuse Prevention

Referral Program Protection

Coupon/Promo Code Abuse Prevention

Database Schema Example

Best Practices

Do

Don't

Testing Your Implementation

Conclusion