January 28, 2025

Tutorial: How to protect your business from referral fraud


What is referral fraud?

Referral programs are used by hundreds of brands, including T-Mobile, Grubhub, and American Express, to drive more sales by rewarding people or businesses that promote their products.

Referral fraud is the abuse of these programs by fraudsters to make money and obtain unfair discounts. 

Fraudulent referrals are costly, both in terms of money paid to people who don’t deserve it and time spent investigating the fraud. In some cases, credit card fraud accompanies referral fraud, causing additional costs due to refunds and chargebacks.

A 2023 study revealed that 25% of merchants experienced referral fraud, and 34% experienced coupon and discount abuse, which is often related to referral fraud.

How do referral programs work?

A referral program rewards promoters according to a result that is beneficial to the business. Here are some examples:

  • Ride-sharing company Easyride offers customers $20 credit if they get a friend to sign up and spend $20. 
  • A weightlifting blogger advertises Apex Strength gym on each of their posts. The gym pays the promoter $10 for every person who uses their referral code for a free day pass.
  • Level Up Books is a service that sends out curated book recommendations to managers. They sign up with Amazon to receive a percentage of all books sold as a result of links clicked in their emails.

There are various ways of tracking the performance of referrers, such as the number of clicks, sign-ups, or percentage of sales. This leads to numerous types of referral fraud, each designed to exploit specific weaknesses of the referral program. For example, if you pay a referrer when an account is created with only an email address, they could make a lot of money creating dozens of fake accounts.

Types of referral fraud

Let’s look at the main categories of referral fraud. While some of these are outright criminal, others, such as breaking the terms of service of a site or exploiting a loophole, are in a gray area.

Fake new customers

As I mentioned earlier, when a referral program pays per sign-up, fraudsters can exploit this by creating fake accounts.

To create enough fake accounts to make this enterprise worthwhile, the fraudsters use bots to create the accounts automatically. These bots can spoof different devices and rotate IP addresses through a VPN to evade simple bot or device detection that relies only on IP addresses. Device intelligence, which we will cover later, can help detect these bots.

If the referral program requires the referred customer to make a successful purchase, the fraudster can use a stolen credit card to make purchases. They will send the item to the cardholder’s billing address if known, or a random address, and profit from the payouts from the referral program. 

When the business finds out it was a fraudulent transaction, they may have already paid the fraudulent referrer, will have incurred a loss due to the cost of the sent goods, and may have to pay chargeback fees to their payment processor.

Referral farming

Unique discount codes can be used to track who referred someone to a product. For example, let’s say a YouTube channel called “Shirley’s Health” advertises that a vitamin supplement is 30% off. They tell viewers to use the discount code SHIRLEY. A share of revenue from sales that use the discount code goes to the channel.

Referral farming is a scheme where the fraudster uploads their unique discount code to promo-code sharing sites. Customers who use these sites typically have decided to buy something, have the order page open, and are now hunting for a discount code. If the fraudster’s discount code is used, they get paid for sales they didn’t help generate — which is a waste of money for the referral program.

Return abuse

Return abuse involves referring someone but arranging with them to return the product for a full refund once the referral payout has been made. It takes advantage of both generous return policies and the timing of payouts.

Return abuse requires coordination with the person returning the goods and cutting them in on the deal — or a fraudster can just set up another fake account to be that “other person,” which requires much less coordination and allows them to keep the full payout amount. Customers who constantly return items get banned by retailers. Therefore, it doesn’t scale as well as other methods of referral fraud.

Account cycling

Some referral programs pay based on new account sign-ups. These may pay as soon as an account is verified or only when the new account makes a purchase.

In either case, account cycling can be used as a referral fraud technique. The idea is to refer a friend to open an account and collect the referral fee. Then, the friend closes the account and uses the referral link or code again to reopen the account with the same details.

Some referral programs require a transaction after sign-up, which reduces the risk of account cycling but doesn’t eliminate it. It can still be attractive for friends to cycle accounts for each other for products they intend to buy frequently, such as food deliveries.

Impact of referral fraud

Referral fraud has financial repercussions for your referral program and should be taken seriously.

Here are the ways this can happen:

  • Fraudsters get paid: If the fraudster gets their referral payment before they are caught, your money is lost.
  • You get hit with chargebacks: When a stolen credit card is used, you will need to refund the charge, in addition to paying chargeback fees.
  • Customers get unintended discounts: Account cycling and referral farming can result in your giving additional discounts that are not budgeted for.
  • Your team wastes time: Dealing with refunds, chargebacks, blocking accounts, and investigations wastes your team’s time on fraud mitigation when they could be focusing on something else to help drive more revenue.
  • Marketing is negatively impacted: Your marketing campaigns are less effective because money is diverted from genuine referrers to fraudsters. Tracking campaigns also becomes more challenging because fraudulent referrals skew marketing data.

Detecting and preventing referral fraud

Verify referrer details

Asking for more information from referrers will discourage fraudsters because it will force them to reveal their identity or spend money to create fake personas. Asking for email verification, a valid phone number, or government-issued ID documents will reduce referral fraud. However, there is a balance between obtaining just enough verification to prevent fraud and too much verification since you don’t want to deter genuine referrers from signing up and promoting your company.

Verify referral actions

Consider how you calculate a referrer's payment and the timing of that payment. If it is too easy to get paid — e.g., a sign-up with no sale counts as a referral — then it is easier for the fraudster to meet the payment conditions without generating any real business.

To verify the referral action, you can require that the referred customer has spent above a certain amount and hasn’t made a return within the return period. If you reward referrers for leads, only pay out the referrer once the lead is marked in your database as genuine; e.g., after you have spoken to them. This requires more time and effort but it is worth it to avoid losing money to fraudsters. 

Monitor referral activity

Your marketing team is likely tracking referral activity to see which campaigns are successful, and finance may be tracking them for profitability. Using the same data, you can also look for unusual patterns that indicate fraud might be happening. For example:

  • A new or dormant account suddenly generates a high volume of referrals in a short amount of time. 
  • The number of new accounts created on a particular day is much higher than usual, and you do not know why.
  • Customers signing up from countries or states that are out of the ordinary for your business.

Set referral limits

Referral limits let you automate decisions about suspicious activity in a simple way: you can set a monthly limit on how much a referrer can earn. These limits can then be raised for trusted referrers whom you know, have interviewed, or who have generated a lot of legitimate business.
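
The monitoring patterns from the previous section and the monthly limit described here can run over the same referral data. The following is an added example, not code from the article or from Fingerprint; the event and referrer record shapes, the thresholds in `CONFIG` and the sample data are all assumptions. It flags the three patterns listed above (a burst from a new or dormant referrer, a day with far more sign-ups than usual, and sign-ups from an unexpected country) and holds any payout that would push a referrer past its monthly cap, with a higher cap for trusted referrers.

```javascript
// Added example (not from the article): review referral events for the warning
// patterns in the text and apply a monthly earnings cap. Shapes and thresholds
// are assumptions; sample data is constructed.
const DAY_MS = 24 * 60 * 60 * 1000;
const daysBetween = (earlier, later) => (later - earlier) / DAY_MS;

// Constructed referrer profiles. lastActiveAt is the last activity before the
// period under review, so a long gap marks a dormant account.
const SAMPLE_REFERRERS = {
  "ref-veteran": { createdAt: "2023-01-01T00:00:00Z", lastActiveAt: "2025-02-20T00:00:00Z", trusted: true },
  "ref-fresh":   { createdAt: "2025-02-25T00:00:00Z", lastActiveAt: "2025-02-25T00:00:00Z", trusted: false },
  "ref-sleepy":  { createdAt: "2022-05-01T00:00:00Z", lastActiveAt: "2024-06-01T00:00:00Z", trusted: false },
};

const ev = (referrerId, referredAt, country = "US", payout = 20) => ({ referrerId, referredAt, country, payout });
const SAMPLE_EVENTS = [
  ev("ref-fresh", "2025-02-27T09:00:00Z"), ev("ref-fresh", "2025-02-27T09:05:00Z"), ev("ref-fresh", "2025-02-27T09:09:00Z"),
  ev("ref-fresh", "2025-02-28T10:00:00Z"), ev("ref-fresh", "2025-02-28T10:03:00Z"), ev("ref-fresh", "2025-02-28T10:07:00Z"),
  ev("ref-sleepy", "2025-02-28T11:00:00Z"), ev("ref-sleepy", "2025-02-28T11:10:00Z"), ev("ref-sleepy", "2025-02-28T11:20:00Z"),
  ev("ref-sleepy", "2025-02-28T11:30:00Z"), ev("ref-sleepy", "2025-02-28T11:40:00Z"),
  ev("ref-veteran", "2025-02-28T12:00:00Z"), ev("ref-veteran", "2025-02-28T12:30:00Z", "DE"),
];

const CONFIG = {
  burstWindowDays: 7, burstCount: 5, newAccountDays: 14, dormantDays: 90,
  expectedCountries: ["US", "CA"],
  dailySignupBaseline: 3, spikeFactor: 3, // alert when a day exceeds 3x the usual volume
  monthlyCap: 100, trustedMonthlyCap: 500,
};
const NOW = new Date("2025-03-01T00:00:00Z");

// Returns a list of alerts: { type, referrerId | day, detail }.
function reviewReferrals(events, referrers, config, now) {
  const alerts = [];
  const byReferrer = new Map();
  const byDay = new Map();
  for (const e of events) {
    byReferrer.set(e.referrerId, [...(byReferrer.get(e.referrerId) || []), e]);
    const day = e.referredAt.slice(0, 10);
    byDay.set(day, (byDay.get(day) || 0) + 1);
    if (!config.expectedCountries.includes(e.country)) {
      alerts.push({ type: "unusual-country", referrerId: e.referrerId, detail: e.country });
    }
  }
  // Sign-up volume on a single day far above the baseline.
  for (const [day, count] of byDay) {
    if (count > config.dailySignupBaseline * config.spikeFactor) {
      alerts.push({ type: "signup-spike", day, detail: count });
    }
  }
  // A new or dormant referrer suddenly producing many referrals.
  for (const [id, list] of byReferrer) {
    const profile = referrers[id] || {};
    const recent = list.filter((e) => daysBetween(new Date(e.referredAt), now) <= config.burstWindowDays);
    const isNew = profile.createdAt && daysBetween(new Date(profile.createdAt), now) <= config.newAccountDays;
    const isDormant = profile.lastActiveAt && daysBetween(new Date(profile.lastActiveAt), now) >= config.dormantDays;
    if (recent.length >= config.burstCount && (isNew || isDormant)) {
      alerts.push({ type: "burst", referrerId: id, detail: recent.length });
    }
  }
  return alerts;
}

// Monthly cap: payouts beyond the cap are held for review instead of being paid.
function applyMonthlyCap(events, referrers, config) {
  const earned = new Map(); // key: "<referrerId>|<YYYY-MM>"
  const decisions = [];
  const ordered = [...events].sort((a, b) => a.referredAt.localeCompare(b.referredAt));
  for (const e of ordered) {
    const key = `${e.referrerId}|${e.referredAt.slice(0, 7)}`;
    const cap = referrers[e.referrerId]?.trusted ? config.trustedMonthlyCap : config.monthlyCap;
    const soFar = earned.get(key) || 0;
    const action = soFar + e.payout <= cap ? "pay" : "hold";
    earned.set(key, soFar + e.payout);
    decisions.push({ referrerId: e.referrerId, referredAt: e.referredAt, payout: e.payout, action });
  }
  return decisions;
}
```

On the sample data the review raises two burst alerts (the four-day-old account and the dormant one), one spike alert for 28 February, and one unusual-country alert; the cap holds the sixth payout of the new account while paying the trusted referrer in full.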

Analyze traffic sources

You can keep track of the IP addresses of users creating accounts and check if those IPs are on known blocklists. You can also check if the same IP addresses are involved with multiple accounts since such activity can be considered a red flag and worth investigating further.

Block automated abuse

Referral fraudsters use bots to create accounts in bulk automatically. Bots are software that imitates a genuine user and a browser, and takes commands from the fraudster. They are often run from different IP addresses in an attempt to evade detection.

Bot usage can be detected by analyzing traffic sources, checking for device reuse, and monitoring referral activity. You can also determine how long it takes for someone to sign up or perform specific actions — if they are too fast, they might be a bot. 

Check for device reuse

The standard techniques to detect device reuse across new accounts are to set a cookie or check IP addresses. Reusing the same device to create multiple accounts is almost certainly a sign of referral fraud or foul play. You can put automatic payment holds on those referrers while they are investigated. 

However, it’s also important to remember that IP addresses are sometimes shared between different people using the same internet service provider (such as students on college campuses). This makes IP reuse a red flag, but on its own it is insufficient evidence to ban a customer account. Additionally, cookie-based checks are not foolproof since cookies can be cleared in the browser.
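
The signals from the last three sections (blocklisted or reused IP addresses, a sign-up completed too fast to be human, and a device already tied to other accounts) can be combined into one score per sign-up that respects the caveat above: IP reuse carries little weight and is ignored entirely on networks you know are shared, while device reuse is strong enough to put the account on hold by itself. The following is an added example, not code from the article or from Fingerprint; the weights, thresholds, `ctx` fields and sample records are assumptions, and the IP addresses are documentation ranges.

```javascript
// Added example (not from the article): score a sign-up from the per-request
// signals described in the text. Weights and thresholds are assumptions.
const WEIGHTS = { blocklistedIp: 40, sharedDevice: 50, sharedIp: 10, tooFast: 30 };
const THRESHOLDS = { hold: 30, block: 60 }; // score >= hold -> payout hold, >= block -> reject

// signup:  { ip, deviceId, formLoadedAt, submittedAt }  (timestamps in ms)
// history: previous sign-ups as [{ ip, deviceId }]
// ctx:     { ipBlocklist: Set, sharedNetworks: Set, maxAccountsPerDevice,
//            maxAccountsPerIp, minFormFillMs }
function assessSignup(signup, history, ctx) {
  const reasons = [];
  let score = 0;

  if (ctx.ipBlocklist.has(signup.ip)) {
    score += WEIGHTS.blocklistedIp;
    reasons.push("ip on blocklist");
  }

  // Device reuse: the same device id already linked to several accounts.
  const sameDevice = history.filter((h) => h.deviceId && h.deviceId === signup.deviceId).length;
  if (sameDevice >= ctx.maxAccountsPerDevice) {
    score += WEIGHTS.sharedDevice;
    reasons.push(`device already used for ${sameDevice} accounts`);
  }

  // IP reuse alone is weak evidence (campus or ISP addresses are shared), so it
  // gets a low weight and is skipped for networks known to be shared.
  const sameIp = history.filter((h) => h.ip === signup.ip).length;
  if (sameIp >= ctx.maxAccountsPerIp && !ctx.sharedNetworks.has(signup.ip)) {
    score += WEIGHTS.sharedIp;
    reasons.push(`ip already used for ${sameIp} accounts`);
  }

  // A form submitted faster than a person could fill it in suggests a bot.
  const fillMs = signup.submittedAt - signup.formLoadedAt;
  if (fillMs < ctx.minFormFillMs) {
    score += WEIGHTS.tooFast;
    reasons.push(`form completed in ${fillMs} ms`);
  }

  const decision = score >= THRESHOLDS.block ? "block" : score >= THRESHOLDS.hold ? "hold" : "allow";
  return { score, decision, reasons };
}

// Constructed history and context: 203.0.113.5 is a shared campus address,
// 198.51.100.7 is on the blocklist, device dev-A is already tied to two accounts.
const HISTORY = [
  { ip: "203.0.113.5", deviceId: "dev-A" },
  { ip: "203.0.113.5", deviceId: "dev-B" },
  { ip: "203.0.113.5", deviceId: "dev-C" },
  { ip: "192.0.2.9", deviceId: "dev-A" },
  { ip: "192.0.2.9", deviceId: "dev-D" },
];
const CTX = {
  ipBlocklist: new Set(["198.51.100.7"]),
  sharedNetworks: new Set(["203.0.113.5"]),
  maxAccountsPerDevice: 2,
  maxAccountsPerIp: 2,
  minFormFillMs: 3000,
};
const T0 = 1_700_000_000_000; // arbitrary base timestamp for the samples
const SAMPLES = {
  campusNewDevice: { ip: "203.0.113.5", deviceId: "dev-new", formLoadedAt: T0, submittedAt: T0 + 45_000 },
  reusedDevice:    { ip: "203.0.113.5", deviceId: "dev-A", formLoadedAt: T0, submittedAt: T0 + 30_000 },
  reusedHomeIp:    { ip: "192.0.2.9", deviceId: "dev-new2", formLoadedAt: T0, submittedAt: T0 + 20_000 },
  blocklistedBot:  { ip: "198.51.100.7", deviceId: "dev-A", formLoadedAt: T0, submittedAt: T0 + 800 },
};
```

With these samples a new device on the campus address is allowed, a reused device is put on hold even from the shared address, a reused home IP only adds 10 points and stays allowed, and a blocklisted IP plus reused device plus sub-second form fill is blocked.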

Fingerprint device intelligence and Smart Signals

Determined referral fraudsters will use various methods to hide their activity and evade simple detection systems, such as those checking IP addresses. They can launch fraud campaigns using bot networks, VPNs, Tor, compromised cloud accounts, and more.

To defend against these sophisticated techniques for avoiding detection, Fingerprint device intelligence creates a unique digital fingerprint, a visitor identifier, for online browsers and devices accessing your website or application. This visitor ID can detect suspicious devices or behavioral patterns in real time. 

Fingerprint analyzes over 100 device attributes like browser configurations, operating system details, and hardware settings to accurately recognize returning visitors. 

Additionally, Fingerprint’s Smart Signals provide information about your visitors that is useful for detecting suspicious activity, such as whether they are using a VPN or are a bot. Fingerprint’s API provides a “Suspect Score” for each device that you can use to assess the risk of dealing with that visitor.

Tutorial: Use Fingerprint to prevent fraud against your referral program

In this tutorial, we will use tools from Fingerprint to protect a site against referral fraud. This could be any site with referrals, such as an e-commerce site, a survey site that pays per survey completed, or a business with an offline component completed in person, such as a law firm.

We will use Node.js for our examples. If you use another technology stack, Fingerprint has libraries for all the popular frameworks and languages.

Getting started

First, create a Fingerprint account and open your API keys page. Create a public key now. Keep this page open to copy keys into your code when needed.

Note: If you’re using an ad blocker, your implementation may not work. Simply turn it off while testing, and learn more about how to protect your production Fingerprint implementation from ad blockers in our documentation.

Linking accounts to the device

The Fingerprint visitor ID uniquely identifies a browser or native mobile device. It enables you to detect when a device has been used before on your site, and then link that device to other information you have such as the email address they used, if they have provided one.

In the first part of the tutorial, we will link new accounts with their visitor ID (which represents the unique device) to spot whether someone is creating many new accounts from the same device. We will then automatically block new accounts made from the same device.

First, add the Fingerprint script to the sign-up page you want to protect, replacing PUBLIC_API_KEY with the public key from your API keys page.

<script>
  const fpPromise = import('https://fpjscdn.net/v3/PUBLIC_API_KEY')
    .then(FingerprintJS => FingerprintJS.load());
</script>

In this scenario, we have a sign-up page that requires an email and password. When the user clicks Sign Up, we can resolve the promise shown above and use fp.get() to instruct Fingerprint to store information about the visitor, their device, and the time of the visit.

<script>
  document.querySelector('#signup-form').addEventListener('submit', async (evt) => {
    evt.preventDefault();
   
    const fp = await fpPromise;
    const result = await fp.get();
    const requestId = result.requestId;

    const email = document.querySelector('#email').value;
    const password = document.querySelector('#password').value;

    // Send the requestId along with the request you want to protect from suspicious behavior
    fetch('/signup', {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
      },
      body: JSON.stringify({ requestId: requestId, email: email, password: password }),
    });
  });
</script>

It is possible for a fraudster to change or remove the requestId variable, but that won’t help them bypass the check. Fingerprint can detect this behavior when we verify requestId on the server.

We will now add the Node.js server code to verify the request ID and get the associated Fingerprint visitor ID used to identify the device. We can then check if the same device has recently performed a sign-up. Create a private key in API keys, replace <<Private Api Key>> with that key, and change the region to match yours.

const express = require("express");
const app = express();
app.use(express.json());

const {
  FingerprintJsServerApiClient,
  Region,
} = require("@fingerprintjs/fingerprintjs-pro-server-api");

const client = new FingerprintJsServerApiClient({
  apiKey: "<<Private Api Key>>",
  region: Region.Global,
});

// sqlClient (e.g. a pg Pool) and createUser() are your own database helpers;
// they are assumed here and not shown.

app.get("/", (req, res) => {
  res.sendFile(__dirname + "/index.html");
});

app.post("/signup", async (req, res, next) => {
  try {
    const { requestId, email, password } = req.body;

    // A missing or removed requestId can never be verified, so reject it outright.
    if (!requestId) {
      res.sendStatus(400);
      return;
    }

    // Fetch the verified event from the Fingerprint Server API and read the
    // visitor ID, which identifies the device.
    const event = await client.getEvent(requestId);
    const visitorId = event.products.identification.data.visitorId;

    // Check how many times this visitor has created an account in the last 30 days.
    // "user" is quoted because it is a reserved word in PostgreSQL.
    const queryResult = await sqlClient.query(
      `select count(*) as count from "user" where created > NOW() - INTERVAL '30 DAY' and visitorid = $1`,
      [visitorId]
    );

    // Device has been used to create an account more than twice in the last 30 days, disallow this.
    if (Number(queryResult.rows[0].count) > 2) {
      res.sendStatus(403);
      return;
    }

    const userId = await createUser(email, password);

    // Link visitorId (i.e. the device) to the user
    await sqlClient.query(`update "user" set visitorid = $1 where userid = $2`, [
      visitorId,
      userId,
    ]);

    res.sendStatus(200);
  } catch (err) {
    next(err);
  }
});

app.listen(3000, () => {
  console.log("Listening on port 3000");
});

Using Fingerprint bot detection to detect automated tools

We now want to add bot detection to protect against the mass creation of accounts. This will protect the site from referral fraud and other unwanted activity that uses bots.

Fingerprint’s Smart Signals includes a bot detection tool that can tell you if the visitor is likely a bot and, if so, whether it is a “good bot” like a web crawler or a “bad bot” — e.g., someone trying to defraud your site in some way.

We will check the event data object to see if the visitor is likely a bot. In this case, we will reject signups from any kind of bot (good or bad) since we only want human sign-ups:

  // Inside the /signup handler, right after client.getEvent(requestId):
  const botDetection = event.products.botd.data.bot.result;
  if (botDetection !== "notDetected") {
    res.sendStatus(403);
    return;
  }

  // Check how many times this visitor has created an account
  // ...

Key takeaways

Referral fraud wastes time and money while detracting from the marketing goals of the referral program. You should protect against referral fraud using various methods, including monitoring and limits, as well as device intelligence solutions like Fingerprint.

To try Fingerprint now, check out our Getting Started Guide or contact our team to learn more.
