When selling products or services globally, businesses often adjust pricing to match local markets, accounting for things like price sensitivity and purchasing power. It’s a win-win: businesses capture a larger market share, and customers in lower-income regions get access to goods and services they otherwise couldn’t afford. But, of course, some people just have to ruin it for everyone. Why should someone in your region pay half the price just because they flipped on a VPN and pretended to be somewhere else?

Detecting a user’s true location is key to protecting your regional pricing strategy and shutting down this kind of abuse. That way, you can block fraud and keep things fair for your real customers. In this article, we’ll dive into how regional pricing fraud works, the headaches of dealing with masked locations, and how Fingerprint can help you outsmart these cheaters and keep your business protected.

What is regional pricing?

Regional pricing is the practice of charging different prices for the same goods or services based on where the customer lives. Depending on the business, “region” could mean a country, a continent, or even a shared currency. Before setting these different prices, businesses need to dive into data like currency value, average income, demand, and competition in each region.

The aim is to strike a balance between affordability for customers and profitability for the business. When done right, regional pricing offers:

• Increased accessibility: Making goods and services affordable for customers in lower-income regions.
• Expanded market share: Attracting a wider audience by tailoring prices to local conditions.
• Maximized revenue: Charging higher prices in affluent regions to capture greater profits.
• Competitive edge: Staying aligned with local pricing expectations to compete effectively.

While regional pricing can be applied in almost any industry, it’s particularly common in subscription-based software, streaming services, gaming, travel, and e-commerce. An easy way to see this in action is on the Steam gaming platform, which allows developers to set prices by currency (e.g., Chilean Peso) and region (e.g., South Asia).

For instance, as of this writing, the price of Baldur’s Gate 3 on Steam ranges from $19.50 in Russia (1999 ₽) to $76.51 in Switzerland (CHF 69.99). Steam even does some of the heavy lifting, offering pricing guidance that can be especially handy for smaller shops or indie devs who don’t have the time or resources for extensive market research. This pricing makes games more accessible for lower-income regions while staying profitable for developers. However, it also attracts fraudsters looking to exploit the system.

How fraudsters hide their real location

Fraudsters are nothing if not resourceful when it comes to dodging regional pricing rules. They leverage various tools and tricks to mask their true location and access lower regional prices. Here are some of the most common methods:

Employing proxies and anonymizing networks

Proxies act as intermediaries that reroute internet traffic through a different location. Fraudsters can use them to fake their IP address and appear to be in another region. For extra anonymity, some use Tor (the onion router), which encrypts traffic within its network and routes their traffic through multiple relays, making location detection even harder.

Using a VPN

Virtual Private Networks (VPNs) work similarly to proxies by routing traffic through remote servers. Unlike proxies, VPNs encrypt all traffic and operate at the system level, affecting all internet activity on a device. This adds some additional security in addition to masking their location in order to bypass restrictions.

Falsifying account information

In cases where pricing is tied to user profiles, fraudsters may simply lie about their location. They might enter fake addresses or billing details during sign-up to mimic a cheaper region. For example, someone might claim to live in India while actually residing in France.

Exploiting cross-border payment methods

Some fraudsters bypass location restrictions by using payment methods associated with cheaper regions. Setting up accounts tied to international banks can allow them to appear as though they’re making purchases locally.

Sharing accounts across regions

Shared or resold accounts are another common tactic to access cheaper regional pricing. A fraudster might buy a subscription at a lower price in a cheaper region and then sell access to users in higher-priced regions. Streaming services, in particular, tend to be vulnerable to this type of abuse.

Modifying browser settings

Some fraudsters manipulate their browser settings to align with the region they want to target. This includes changing the browser’s language, time zone, or geolocation data. For example, a browser set to display Spanish and use the Argentina Time (ART) time zone might trick basic detection systems into thinking the user is in Argentina.

Detecting users’ true location with Fingerprint

Without accurate location detection, fraudsters can slip through the cracks, undermining your carefully designed pricing model. While basic methods like simple IP-based geolocation provide some insight, they can be easily spoofed, leading to inaccurate location data. You need more advanced techniques to see through tools like VPNs, proxies, and spoofed data.

That’s where Fingerprint can help. Fingerprint’s Smart Signals give you everything you need to detect user locations and enforce a regional pricing strategy that fraudsters can’t bypass. Fingerprint provides a simple client agent that runs on key pages, like login or checkout, and analyzes over 100 attributes from a user’s browser and device. This data is used to create a unique visitor identifier to recognize trusted devices, but more importantly, it is also used to detect key signals and attributes to help you gauge user risk and intent.

For region-based policies, the most relevant signals are IP Geolocation, VPN Detection, and Geolocation Spoofing Detection for mobile devices.

• IP Geolocation: Pinpoints the physical location of the true originating IP address. We use multiple techniques to detect the client’s true IP, even when anonymizing tools are in use, ensuring accurate visitor location.
• VPN Detection: Identifies VPN usage by analyzing factors like mismatched time zones, operating system settings, and connections from known VPN providers. This signal returns a simple boolean indicating if a VPN is in use, along with a confidence level for the detection. It also returns which methods were flagged, as well as the originating time zone and country. Check out our article on how VPN detection works for a detailed breakdown of the techniques involved.
• Geolocation Spoofing Detection: Specifically for mobile devices, this signal flags when geolocation data appears to have been tampered with, returning a boolean for easy implementation.
• IP Blocklist Matching: Available for Enterprise customers, this signal identifies whether a user’s IP address originates from a known Tor exit node or a public proxy provider, giving you additional insights into potential bypassing tactics.

How to enforce regional pricing

With Fingerprint Smart Signals, you can pinpoint users’ true locations and catch anyone trying to bypass your regional pricing strategy. Here’s how you can leverage the IP Geolocation and VPN Detection signals to make it happen.

First, you’ll need a Fingerprint account (sign up for a free trial if you don’t already have one) and your API keys from the Fingerprint dashboard. This tutorial will use the Fingerprint CDN and Node SDK, but we have a variety of SDKs for your favorite framework or language.

While testing, it’s a good idea to disable any ad blockers because they might interfere with loading Fingerprint scripts from the CDN. For production, you can bypass this issue with a proxy integration, but that’s beyond the scope of this tutorial.

1. Add the client agent to your checkout

To access the geolocation and VPN signals from Fingerprint, you’ll first need to make an identification request on the pages where accurate location data is required. This example is for a checkout page where a user can activate regional pricing. Load the Fingerprint client agent as early as possible, and then call the get() method to make an identification request exactly when you need it.

// Initialize the agent as soon as possible
const fpPromise = import("https://fpjscdn.net/v3/YOUR_PUBLIC_API_KEY").then(
  (FingerprintJS) => FingerprintJS.load()
);

async function getRegionalPricing(orderDetails) {
  // Request identification data when you need it.
  const fp = await fpPromise;
  const result = await fp.get();
  const { requestId, sealedResult } = result;

  // Include the requestId and/or sealedResult with the order details
  const orderPayload = {
    ...orderDetails,
    requestId,
    sealedResult
  };

  const requestOptions = {
    method: "POST",
    body: JSON.stringify(orderPayload),
    headers: {
      "Content-Type": "application/json",
      Accept: "application/json",
    },
  };

  // Send the order payload to your server
  const response = await fetch("/api/regional-pricing", requestOptions);

  // ... additional order logic
}

2. Retrieve the signals server-side

There are several ways to retrieve the generated Smart Signals on your server. After making an identification request on the client side, you can pass the returned requestId to your server and use the Fingerprint Server API to fetch the full identification event results.

Alternatively, you can set up webhooks to send identification event results directly to an endpoint on your server, linking them using the requestId from the client side. Another option is to receive the full identification event results directly on the client side in encrypted form as a sealedResult, then pass them to your server for decryption.

In this tutorial, we’ll use the encrypted client-side approach, known as Sealed Client Results. We recommend this method because it reduces latency by eliminating the need for an additional request to retrieve the identification event details on your server. Import one of our server SDKs and use the unsealEventsResponse method along with the sealedResult sent from the client side and your encryption key to unseal the data.

  const {
    unsealEventsResponse,
  } = require("@fingerprintjs/fingerprintjs-pro-server-api");

  const { sealedResult } = request.body;
  const decryptionKey = "YOUR_ENCRYPTION_KEY"

  const unsealedData = await unsealEventsResponse(
    Buffer.from(sealedResult, "base64"),
    [
      {
        key: Buffer.from(decryptionKey, "base64"),
        algorithm: "aes-256-gcm",
      },
    ]
  );

3. Extract geolocation and VPN use details

Now that we have the full identification event data decrypted, pull out the specific information we need: the actual geolocation and whether or not VPN has been detected.

  const location = unsealedData?.products?.ipInfo?.data?.v4?.geolocation;
  const vpnDetection = unsealedData?.products?.vpn?.data;

You can see more details on the result data in the Server API reference but here is an example of the geolocation object:

{
  "accuracyRadius": 20, // in km
  "latitude": 50.05,
  "longitude": 14.4,
  "postalCode": "150 00",
  "timezone": "Europe/Prague",
  "city": {
    "name": "Prague"
  },
  "country": {
    "code": "CZ",
    "name": "Czechia"
  },
  "continent": {
    "code": "EU",
    "name": "Europe"
  },
  "subdivisions": [
    {
      "isoCode": "10",
      "name": "Hlavni mesto Praha"
    }
  ]
}

While the VPN detection output looks like this:

{
  "result": true,
  "confidence": "high",
  "originTimezone": "Europe/Prague",
  "originCountry": "unknown" // Not yet supported for browsers
  "methods": {
    "timezoneMismatch": true,
    "publicVPN": true,
    "auxiliaryMobile": false, // Irrelevant for browsers, mobile SDKs only
    "osMismatch": true,
    "relay": true
  }
}

4. Block VPN and enforce regional pricing based on true location

Next, we’ll use this data to determine the appropriate price based on the user’s actual location and block regional pricing if VPN use is detected. Start by using the true geolocation to determine the correct pricing.

In this example, pricing is based on the user’s country, and we’ll use a pseudo-function to look up the corresponding price.

const countryPrice = getCountryPrice(location?.country?.code);

You’re now using the user’s true location information instead of the location they’re pretending to be in. Before sending the price back to the client, you can also check for VPN usage and block transactions over VPNs for added protection against regional pricing fraud.

One thing to note is that anonymizing services like Apple’s iCloud Private Relay can trigger a VPN detection, even if the user has not changed their presenting location using the service. In those cases, you can choose to still return a successful response.

if (
  vpnDetection?.methods?.relay === true &&
  vpnDetection?.methods?.timezoneMismatch === false
) {
  return {
    success: true,
    price: countryPrice,
  };
}

In all other cases where VPNs are detected, you can choose to block the regional pricing.

  if (vpnDetection?.result === true) {
    return {
      success: false,
      message:
        "It looks like you are using a VPN. Please turn it off and use a regular local internet connection before activating regional pricing.",
    };
  }

Stay ahead of fraudsters with smarter data

Regional pricing only works if you can enforce it, and fraudsters using VPNs and proxies are ready to bypass your rules. If you want to keep your pricing strategy intact, you need reliable tools that can cut through their tricks and reveal users’ true locations. With Fingerprint’s Smart Signals you can accurately identify users’ real locations, enforce fair pricing, and block regional pricing fraud with ease.

Ready to see it in action? Try it out in our demo or contact our team to learn how Fingerprint can help secure your regional pricing strategy.