![\"Tolinku](\"https:\/\/tolinku.com\/blog\/wp-content\/uploads\/2026\/03\/screenshot-referrals-1772819416568.png\")
\nThe referrals page with stats cards, referral list, and leaderboard tabs.<\/em><\/p>\n\n\n\nCommon Fraud Patterns<\/h2>\n\n\n\nSelf-Referrals<\/h3>\n\n\n\n
The simplest fraud: a user creates a second account, refers themselves, and collects both sides of a double-sided reward. They get the referrer reward plus the new user reward.<\/p>\n\n\n\n
Self-referrals are common because the barrier is low. All it takes is a second email address, and free email providers have no shortage of those. Self-referrals are usually the first type of fraud to appear when a program launches.<\/p>\n\n\n\n
Fake Account Farms<\/h3>\n\n\n\n
More sophisticated attackers create batches of fake accounts to generate referral credit for a primary account. A single operator might manage dozens or hundreds of fake accounts, each receiving a referral invitation from the primary account.<\/p>\n\n\n\n
Fake account farms are often identified by:<\/p>\n\n\n\n
- \n
- Multiple accounts created from the same IP address in a short window<\/li>\n
- Similar email patterns (user123@, user124@, user125@ on the same domain)<\/li>\n
- Accounts that sign up but never complete any meaningful product actions<\/li>\n
- Referral relationships where one account has referred an unusually high number of others<\/li>\n<\/ul>\n\n\n\n
Referral Link Public Posting<\/h3>\n\n\n\n
This is technically not fraud but it causes real problems. A user posts their referral link to a coupon aggregator site, Reddit, or a large social group. Thousands of people use the same link. The referrer earns substantial rewards, but the new users are low-quality (they came for the discount, not the product) and retention is poor.<\/p>\n\n\n\n
Duplicate Device Signups<\/h3>\n\n\n\n
A user creates multiple accounts on the same device, cycling through email addresses. Without device-level checks, each signup looks legitimate from an IP and email perspective.<\/p>\n\n\n\n
Account Transfer Fraud<\/h3>\n\n\n\n
A user creates a new account, claims the referral reward for the new user side, and then migrates content or activity from their old account to the new one. This is harder to detect because there is a real transition of usage, but the signup was not organic.<\/p>\n\n\n\n
Detection Signals<\/h2>\n\n\n\n
Effective fraud prevention layers multiple signals rather than relying on any single check. A strong defense uses:<\/p>\n\n\n\n
Email Quality and Pattern Checks<\/h3>\n\n\n\n
Not all email addresses are equally trustworthy. Signals to check:<\/p>\n\n\n\n
- \n
- Disposable email domains:<\/strong> Services like Mailinator, Guerrilla Mail, and thousands of others create temporary addresses that receive one email and expire. Maintain a blocklist of known disposable email domains. Resources like disposable-email-domains on GitHub<\/a> maintain community-updated lists.<\/li>\n
- Email age:<\/strong> Most email providers expose account creation date via SMTP headers or through verification services. A 2-minute-old Gmail account is a red flag.<\/li>\n
- Pattern matching:<\/strong> Sequential usernames (user1234, user1235) or emails that clearly follow a generator pattern.<\/li>\n<\/ul>\n\n\n\n
IP Address Analysis<\/h3>\n\n\n\n
- \n
- Multiple signups from the same IP in a short window:<\/strong> One IP creating 10 accounts in an hour is almost certainly a fraud attempt.<\/li>\n
- Datacenter IP addresses:<\/strong> Residential IP addresses are normal. Datacenter IPs (AWS, GCP, DigitalOcean, etc.) are almost never used by real consumers to sign up for consumer apps. A signup from a cloud IP range is a strong fraud signal.<\/li>\n
- Known proxy and VPN IP ranges:<\/strong> Many fraud actors use VPNs to rotate IPs. Services like MaxMind GeoIP<\/a> include VPN and proxy flags.<\/li>\n<\/ul>\n\n\n\n
Device Fingerprinting<\/h3>\n\n\n\n
Device fingerprinting collects signals from the browser or app to create a unique-ish identifier for a device, independent of cookies or accounts. Even if a user creates multiple accounts with different emails, they are likely using the same device.<\/p>\n\n\n\n
Browser fingerprint components:<\/p>\n\n\n\n
- \n
- User agent string<\/li>\n
- Screen resolution and color depth<\/li>\n
- Installed fonts (via Canvas API)<\/li>\n
- WebGL renderer<\/li>\n
- Audio context fingerprint<\/li>\n
- Timezone and language settings<\/li>\n<\/ul>\n\n\n\n
Fingerprints are not perfectly stable (browser updates change them) and not perfectly unique (similar devices produce similar fingerprints). However, a device fingerprint match between two accounts is a strong signal worth investigating.<\/p>\n\n\n\n
Libraries like FingerprintJS<\/a> (open source version available, commercial version adds accuracy) implement this in JavaScript.<\/p>\n\n\n\n
For mobile apps, device identifiers are available through platform APIs:<\/p>\n\n\n\n
- \n
- iOS: DeviceCheck<\/a> provides a persistent device identifier that survives app reinstalls<\/li>\n
- Android: SafetyNet Attestation<\/a> (now Play Integrity API) provides device integrity signals<\/li>\n<\/ul>\n\n\n\n
Velocity Checks<\/h3>\n\n\n\n
Velocity checks flag unusual activity rates. Normal users do not:<\/p>\n\n\n\n
- \n
- Create multiple accounts from the same IP within 24 hours<\/li>\n
- Refer 50 people in the first week<\/li>\n
- Send referral invitations to email addresses that all bounce<\/li>\n<\/ul>\n\n\n\n
Implement rate limits at multiple levels:<\/p>\n\n\n\n
- \n
- Max referrals per user per day (e.g., 10)<\/li>\n
- Max accounts per IP per hour (e.g., 3)<\/li>\n
- Max pending reward amount per account (hold rewards above a threshold for review)<\/li>\n<\/ul>\n\n\n\n
Behavioral Analysis<\/h3>\n\n\n\n
Fraudulent accounts often exhibit behavioral signatures that distinguish them from legitimate users:<\/p>\n\n\n\n
- \n
- Completing signup but never performing any meaningful product action<\/li>\n
- Referring only accounts that also never perform meaningful actions<\/li>\n
- Account activity patterns that occur at unusual hours for the stated location<\/li>\n<\/ul>\n\n\n\n
Defining a "meaningful action" threshold for reward eligibility is one of the most effective simple controls. If a new user must, say, complete their first purchase or create their first project before the referral reward triggers, the economics of fake-account farming become much worse for the attacker.<\/p>\n\n\n\n
Validation Rules<\/h2>\n\n\n\n
Layer these checks in order of cost (cheap checks first, expensive checks only when cheaper checks pass):<\/p>\n\n\n\n
Layer 1: Blocklist checks (fast, zero cost)<\/strong><\/p>\n\n\n\n
- \n
- Disposable email domain<\/li>\n
- Known bad IP ranges (datacenter, known abuse IPs)<\/li>\n
- Country blocklist if applicable<\/li>\n<\/ul>\n\n\n\n
Layer 2: Uniqueness checks (fast, low cost)<\/strong><\/p>\n\n\n\n
- \n
- IP address uniqueness within time window<\/li>\n
- Device fingerprint uniqueness<\/li>\n
- Phone number uniqueness (if you collect it)<\/li>\n<\/ul>\n\n\n\n
Layer 3: Relationship graph checks (moderate cost)<\/strong><\/p>\n\n\n\n
- \n
- Referrer has not previously referred this device fingerprint<\/li>\n
- Referrer's total referral count is within normal parameters<\/li>\n
- Referrer and new user don't share device fingerprints with other accounts<\/li>\n<\/ul>\n\n\n\n
Layer 4: Behavioral qualification (deferred)<\/strong><\/p>\n\n\n\n
- \n
- New user completes qualifying action before reward is issued<\/li>\n
- Hold reward for manual review if any layer 1-3 signals triggered<\/li>\n<\/ul>\n\n\n\n
Reward Holds and Review Queues<\/h2>\n\n\n\n
Not every fraud signal should result in immediate blocking. False positives block legitimate users and generate support tickets. A better pattern is a graduated response:<\/p>\n\n\n\n
- \n
- Low signal:<\/strong> Issue reward normally, log the signals for pattern analysis<\/li>\n
- Medium signal:<\/strong> Issue reward after a hold period (24-48 hours), during which automated checks run<\/li>\n
- High signal:<\/strong> Hold reward and queue for manual review<\/li>\n
- Definitive fraud signal:<\/strong> Block reward, flag account for investigation<\/li>\n<\/ol>\n\n\n\n
The hold period approach is particularly useful for catching farm fraud. If a fake account farm is generating referrals, the pattern becomes obvious within hours. Rewards held for 48 hours can be cancelled before they are paid out.<\/p>\n\n\n\n
Fraud-Resistant Program Design<\/h2>\n\n\n\n
Some program design choices make fraud much harder to execute:<\/p>\n\n\n\n
Require email verification before referral credit.<\/strong> This eliminates disposable email abuse and ensures the referral email address is deliverable.<\/p>\n\n\n\n
Require phone number verification.<\/strong> Phone numbers are hard to acquire in bulk. A referral program that requires verified phone numbers has substantially lower fraud rates. The tradeoff is reduced conversion from legitimate users who do not want to provide a phone number.<\/p>\n\n\n\n
Delay reward issuance.<\/strong> A 14-30 day hold before rewards are paid gives time for account quality signals to develop. Low-quality accounts churn before the hold period ends.<\/p>\n\n\n\n
Set a minimum qualifying action.<\/strong> As noted above, requiring a first purchase, first session of meaningful length, or first core action before rewards trigger dramatically reduces the economics of fake account farming.<\/p>\n\n\n\n
Cap referrals per user.<\/strong> A maximum of, say, 25 referral rewards per account per month limits the maximum exposure from any single fraud actor.<\/p>\n\n\n\n
Make rewards non-transferable.<\/strong> Credits that can only be used on the referring account (not withdrawn or transferred) eliminate one class of fraud where the goal is to extract cash value.<\/p>\n\n\n\n
Monitoring for Fraud<\/h2>\n\n\n\n
Fraud prevention is not a one-time setup. It requires ongoing monitoring. Set up alerts for:<\/p>\n\n\n\n
- \n
- Referral payout rate above 1.05x (more rewards than referrals completed)<\/li>\n
- Single-user referral count above N standard deviations from mean<\/li>\n
- Spike in signups from a specific IP range<\/li>\n
- Unusual geographic distribution of referred signups (all from one country when your product is global, or vice versa)<\/li>\n<\/ul>\n\n\n\n
Review reward payout reports weekly. Sudden spikes in total reward cost are almost always a signal of fraud or a technical bug in reward triggering. The Tolinku analytics dashboard<\/a> surfaces anomalies in referral patterns that can indicate fraud.<\/p>\n\n\n\n
Balancing Fraud Prevention and User Experience<\/h2>\n\n\n\n
Every fraud control adds friction for legitimate users. The goal is not zero fraud (impossible without also blocking legitimate users), but fraud at an economically acceptable level.<\/p>\n\n\n\n
A good target: fraud represents less than 5% of reward payouts. If fraud is 2%, you probably have the controls about right. If it is 25%, you need more controls. If it is 0%, your controls are probably too aggressive.<\/p>\n\n\n\n
Review your false positive rate as carefully as your fraud catch rate. Look at users who had rewards held and investigate a sample. If a significant percentage of held rewards turn out to be legitimate, your thresholds are too aggressive.<\/p>\n\n\n\n
For configuration options and API documentation, see the Tolinku referral setup guide<\/a> and the referral rewards and attribution docs<\/a>.<\/p>\n\n\n\n
Summary<\/h2>\n\n\n\n
Effective referral fraud prevention uses:<\/p>\n\n\n\n
- \n
- Email quality checks (disposable domains, pattern matching)<\/li>\n
- IP analysis (velocity, datacenter ranges, proxy detection)<\/li>\n
- Device fingerprinting (cross-account identity matching)<\/li>\n
- Velocity rate limits at multiple levels<\/li>\n
- Behavioral qualification (meaningful action before reward triggers)<\/li>\n
- Reward hold periods for review<\/li>\n
- Ongoing monitoring and alerting<\/li>\n<\/ul>\n\n\n\n
No single control is sufficient. The combination of multiple lightweight signals, a hold-for-review workflow for ambiguous cases, and continuous monitoring creates a defense that is economically viable without blocking legitimate users.<\/p>\n\n\n\n
Related reading: Referral Program Analytics: Metrics That Matter<\/a>, Referral Tracking: Methods and Best Practices<\/a>, Building Referral Programs That Work<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"
Referral fraud drains program budgets and corrupts attribution data. This guide covers the main fraud patterns, from self-referrals to referral farms, and the technical controls that stop them without blocking legitimate users.<\/p>\n","protected":false},"author":2,"featured_media":686,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"rank_math_title":"Referral Fraud Prevention: Protecting Your Program","rank_math_description":"Protect your referral program from self-referrals, fake accounts, and referral farms. Learn device fingerprinting, velocity checks, and validation rules that work.","rank_math_focus_keyword":"referral fraud prevention","rank_math_canonical_url":"","rank_math_facebook_title":"","rank_math_facebook_description":"","rank_math_facebook_image":"https:\/\/tolinku.com\/blog\/wp-content\/uploads\/2026\/03\/og-referral-fraud-prevention.png","rank_math_facebook_image_id":"","rank_math_twitter_title":"","rank_math_twitter_description":"","rank_math_twitter_image":"https:\/\/tolinku.com\/blog\/wp-content\/uploads\/2026\/03\/og-referral-fraud-prevention.png","footnotes":""},"categories":[13],"tags":[28,145,44,45,93],"class_list":["post-687","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-growth","tag-attribution","tag-fraud","tag-referral-programs","tag-referrals","tag-security"],"_links":{"self":[{"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/posts\/687","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/comments?post=687"}],"version-history":[{"count":2,"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/posts\/687\/revisions"}],"predecessor-version":[{"id":2124,"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/posts\/687\/revisions\/2124"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/media\/686"}],"wp:attachment":[{"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/media?parent=687"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/categories?post=687"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/tags?post=687"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- Medium signal:<\/strong> Issue reward after a hold period (24-48 hours), during which automated checks run<\/li>\n
- Low signal:<\/strong> Issue reward normally, log the signals for pattern analysis<\/li>\n
- Android: SafetyNet Attestation<\/a> (now Play Integrity API) provides device integrity signals<\/li>\n<\/ul>\n\n\n\n
- iOS: DeviceCheck<\/a> provides a persistent device identifier that survives app reinstalls<\/li>\n
- Datacenter IP addresses:<\/strong> Residential IP addresses are normal. Datacenter IPs (AWS, GCP, DigitalOcean, etc.) are almost never used by real consumers to sign up for consumer apps. A signup from a cloud IP range is a strong fraud signal.<\/li>\n
- Email age:<\/strong> Most email providers expose account creation date via SMTP headers or through verification services. A 2-minute-old Gmail account is a red flag.<\/li>\n
- Disposable email domains:<\/strong> Services like Mailinator, Guerrilla Mail, and thousands of others create temporary addresses that receive one email and expire. Maintain a blocklist of known disposable email domains. Resources like disposable-email-domains on GitHub<\/a> maintain community-updated lists.<\/li>\n