Fraudsters can hide behind changed cookies, masked Internet Protocol (IP) addresses or stolen login credentials. Browser fingerprinting adds another layer by checking the browser signals shared during a website visit, such as version, language, screen settings and WebGL output.
Browser fingerprinting signals help recognize returning devices and flag suspicious activity without relying on cookies alone. For fraud teams, they become more useful when combined with device, network and behavioral context before a decision is made.
Key Takeaways
- Browser fingerprinting creates a profile from signals like screen settings, language, plugins and WebGL output.
- These profiles can recognize repeat visitors when cookies, Internet Protocol (IP) addresses or login details change.
- Fraud teams use this data to uncover spoofing, account takeover, multi-accounting and unusual browser setups.
- Fingerprints are strongest when assessed alongside device, network and behavioral context.
What Is Browser Fingerprinting?
Browser fingerprinting identifies a browser based on the combination of settings and signals it exposes during a session. The profile is not the same as a cookie because it can persist even when a user clears stored site data. In fraud prevention, the purpose is to recognize risk patterns, not to personalize content across the web.
Examples of Browser Fingerprinting
Browser fingerprinting runs quietly in the background, collecting browser data and combining it into a unique identifier known as a hash. This hash can be built from dozens, or even hundreds, of data points.
Because the goal is to create a unique browser profile, no single attribute proves fraud on its own. However, some signals are more closely associated with suspicious behavior, such as browsers designed to bypass fraud prevention systems.
Common browser fingerprinting signals linked to higher risk include:
- Installed plugins, especially anti-fingerprinting extensions like AdBlocker Ultimate or Canvas Blocker.
- Outdated browser versions, which may suggest attempts to exploit unpatched security loopholes.
- Unusual screen resolutions, which can indicate device emulation, multi-accounting or activity from a virtual machine.
- Highly unusual configurations, especially when several suspicious signals appear together.
Some users may simply have uncommon preferences or setups. But when unusual browser signals appear in repeated or inconsistent patterns, fraud teams can assign a higher risk score and trigger further review.
How Does Browser Fingerprinting Work?
Browser fingerprinting usually works through a small JavaScript snippet that runs when a visitor lands on a website. During the connection process, it collects browser and environment signals that are already available during normal browsing, such as the browser type, operating system, screen settings, language, time zone and installed plugins.
These data points are then combined into a unique hash or profile, which can be compared against previous sessions. A single signal rarely proves fraud, but repeated, unusual or inconsistent combinations can raise risk.
Browser Hash
This type of hash creates an ID using browser data points like the user agent, operating system, screen, and font settings.
- Pros: The hash doesn’t change even if the user clears their cache and cookies or uses incognito mode.
- Cons: Multiple browsers (e.g. Edge, Chrome, and Firefox) on the same computer will generate different hashes. Even a browser update will force the creation of a new hash.
Cookie Hash
A new ID is created with each browser session.
- Pros: Easy to prove multiple users are the same person if they share the same cookie hash.
- Cons: Clearing the browser cookies and cache generates a new cache.
Device Hash
The ID is created based on hardware data such as the device type, HTML5 canvas, whether it allows touch support, and more.
- Pros: Unique ID based on the sum of the data points that relate to the device. Fraudster tools such as AntiDetect or FraudFox will generate the same hash, which can prove the use of a virtual machine, emulator or remote desktop connection. Plugins used to spoof a device will also generate a unique ID, which increases suspicion.
- Cons: There are far fewer unique IDs, as anyone with the same phone or laptop and browser version will generate the same hashes.
As you can see, it’s always better to combine all three hashes in order to get a better picture of who your users are. Legacy fraud detection methods only looked at the cookie hash or user agent, but fraudsters are now too savvy to be caught that way.
See how SEON connects device, browser, network and behavioral signals to help fraud teams detect suspicious activity in real time.
See more
What Is Cross-Browser Fingerprinting?
While the standard browser fingerprinting is dependent on which browser the person uses, a method called cross-browser fingerprinting has allowed researchers to ID people based on hardware alone.
This development could have drastic consequences both for privacy-focused users and fraud prevention companies. Bear in mind, however, that several of the methods and innovations introduced by researchers in cross-browser fingerprinting have already been integrated into fingerprinting solutions. This includes some of SEON’s fingerprinting data points, which we continue to update.
How Fraud Teams Use Browser Fingerprints
Browser fingerprints can help identify returning fraudsters even when they change emails, clear cookies or rotate IP addresses. The same signal set can also support account takeover checks when a familiar account suddenly appears with an unfamiliar browser setup.
For bonus abuse, bots and multi-accounting, repeated configurations across multiple accounts can reveal connections that are not obvious from identity data alone.
Identifying Users
Each user’s software and hardware setup is unique. In fraud prevention, this configuration acts like a digital ID that helps verify returning users.
Once you have identified the user, you can track their movements across your site. It’s also helpful to know when they are returning visitors.
Delivering Tailored Content
One of the key benefits of having a de facto user ID is that you can offer your users specific content. This could be geolocalized web pages, or redirecting them towards appropriate resources.
The same applies to targeted marketing. Once you know you are dealing with a loyal customer, you can send them unique offers such as bonuses, loyalty points, or special discounts.
Blocking Account Takeover (ATO) Attempts
ATO attacks happen when someone logs into an account that isn’t theirs. But if you’ve managed to create an ID for the original account holder, it becomes much easier to spot suspicious logins.
For instance, a new login from a previously unseen device and IP geolocation could increase your suspicions.
It’s worth noting that an efficient anti-fraud tool will not block all new device logins because sometimes, it will simply be someone logging from a new mobile device or computer. The key is that you should know when to ask for extra authentication, based on a combination of data points and what each means.
Spotting Connections Between Users
When the configurations for multiple users are similar, you can make an educated guess that you are dealing with the same person attempting a multi-accounting attack.
In the context of fraud prevention, this will allow you to prevent problems such as bonus abuse. iGaming companies and online casinos have an extra incentive to block collusive play between groups of players (or one person pretending to be multiple players).
Flag Suspicious Connections
Another important use of browser fingerprinting is detecting suspicious setups. These can include emulators, spoofing tools, or traffic routed through VPNs, proxies, and Tor networks.
- Emulators and spoofing tools: software designed to mask the real data and to replicate configurations from another setup.
- VPN, proxy, and Tor usage: software designed to hide the real IP address and to route the user’s traffic through another network.
Not every unusual setup indicates fraud, but they deserve closer attention. Continuous monitoring helps you spot high-risk users without blocking legitimate ones.
Limitations and Privacy Considerations
Browser fingerprints can change over time as users update browsers, change devices or install privacy tools. That means they should support risk decisions rather than act as a standalone reason to block a user. Businesses should also review disclosure, consent and data-use requirements with legal counsel because expectations vary by jurisdiction and use case.
8 Browser Fingerprinting Techniques for Fraud Prevention
Browser fingerprinting is a process, which means that several different tools can offer similar results. Let’s take a look at the standard features and see how they work.
Hashing
All the data returned from online fingerprinting is processed through a hash function. This is a long string of letters and numbers which processes data of arbitrary sizes into fixed-sized values. This makes it easier to log the information, encrypt, analyze and compare it.
For instance, SEON works with hundreds of parameters, but only three kinds of hashes: cookie hash, browser hash, and device hash.
Canvas Fingerprinting
Websites written in HTML5 contain a code element called the canvas. This element is used to draw graphics on a web page. It also generates data such as the font size or active background color setting, which come into play when creating a unique user ID for tracking. It is the most powerful feature of browser fingerprinting.
- HTML5 canvas fingerprinting detects: installed client fonts, browser font size, active background color, graphics card, operating system, and more…
The HTML5 fingerprint is used as a fraud prevention technique based on the fact that the same canvas image may be rendered differently on different computers.
WebGL Fingerprinting
Like the canvas element, WebGL is a JavaScript API that renders on-screen images and graphics. An image is rendered with a fixed size and, because different GPUs use different algorithms to display it, you can estimate the kind of graphics card your user has installed.
- A WebGL fingerprint detects: graphics card model, screen resolution…
User Agent Detection
A user agent, or UA, is part of the software designed to identify a browser with the website. It is a string which, when detected by a site, can display tailored content for specific browsers.
There are a few caveats to user agent detection, all related to how this data point is used in the real world. Firstly, web developers often rely on user-agent switching tools to visualize how a site will look on a variety of devices. Fraudsters use the same type of tool to spoof a browser. Default Android web browsers use the same user agents as Safari to make compatibility easier. Google is also depreciating user agents in its Chrome browser.
Still, user agent detection is an integral part of browser fingerprinting and remains useful when considered in tandem with other elements.
- User agent detection reveals: browser name, version or version number
Audio Fingerprinting
Producing sound from a mobile browser and device audio stack is surprisingly complex. In audio fingerprinting, a website uses the AudioContext API to send a low-frequency sound through the browser to the device, and measures how the device processes that data. This helps inform how to process audio – but no audio is recorded, collected, or played, so you don’t need microphone and speaker access. And yet, this technique can inform fingerprinting with multiple parameters and values.
- Audio fingerprinting detects: AudioBuffer value, DynamicsCompressor value…
Device Fingerprinting
Companies who create mobile apps specifically for smartphone OS can use a specific SDK (software development kit) to get extra information about devices, whether they are built by Apple, Samsung or other vendors.
- Such mobile device fingerprinting products detect: MAC address, serial number (Android only), device time zone, battery health, CPU details…
Tor Detection
By default, Tor makes each user have the exact same fingerprint. This ensures companies lack Tor fingerprinting information, ultimately providing fraudsters anonymity from basic anti-fraud solutions.
However, Tor detection works by running a test to see if the user’s IP matches a known Tor exit node, thus determining whether a user is running Tor. While a Tor user might not have any malicious intent, Tor users should be flagged as high risk by default due to the statistically higher likelihood of fraudulent activity.
Selenium Detection
Selenium is an open-source tool that automates browsers, which was originally intended to help with web application testing. Selenium is very easy to set up and allows users to run scripted actions in a distributed manner.
Though it is a useful tool for developers, it’s also the tool of choice for malicious actors who would want to scrape your website – e.g. ticket scalpers. Unfortunately, these people are incentivized to hide what they’re doing, and you need to be proactive in catching them.
While Selenium itself is difficult to detect, you can use JavaScript to check for evidence of WebDriver, the technology behind it. In fact, our upcoming rule update will automatically flag browsers that are automated as risky, allowing you to block bot traffic and service abuse.
How SEON Does Browser Fingerprinting
At SEON, we were very lucky to develop our browser fingerprint module with Gábor Gulyás, a pioneer of device fingerprinting. His expertise helped us create browser fingerprinting based on hundreds of parameters. However, we also recommend combining our module with other fraud detection features, such as:
- Social media lookup, which gathers data from social networks to enrich your understanding of the people on your site
- Reverse phone/email lookup to enrich data and create a better online digital footprint analysis
- IP analysis and proxy detection to ensure you understand more about connections between visitors
- Machine learning, the only engine powerful enough to look at all the data at scale and suggest risk rules tailored to your business model
All these modules are available as part of SEON’s fraud prevention solution, built to help businesses strengthen risk assessment and decision-making across the customer journey.
Frequently Asked Questions
Some modern fraud prevention solutions combine browser fingerprinting with AML screening to create stronger risk profiles. This approach links device and browser data, like operating system, plugins, and hardware signals, with AML checks such as sanctions and watchlist screening.
Browser fingerprinting services with VPN detection capabilities identify risky users by analyzing IP data, browser settings, and device attributes. They can spot connections routed through VPNs, proxies, or emulators by checking inconsistencies in IP location, time zone, and hardware signals. When combined with device fingerprinting and risk scoring, these tools help detect obfuscation, prevent fraud, and maintain compliance without blocking legitimate privacy-conscious users.
Yes, browser fingerprinting is legal as all the information collected is considered public and does not include any personal data. However, one should note that the fraud solution that collects the data should be compliant with all applicable legislation. For instance, SEON is fully GDPR compliant and ISO-27001 certified.
Browser fingerprinting focuses on signals exposed through the browser. Device fingerprinting can use a broader set of hardware, software and app-level attributes. Device Intelligence combines those identifiers with additional context to support risk decisions.
You might also be interested in reading about…
- SEON: Best Fraud Detection Software and Tools: Reviews in 2025
- SEON: Reverse Email Lookup: How It Works & How to Perform It
Learn more about:
Device Fingerprinting | Device Intelligence | Digital Footprinting | Fraud Scoring
External Sources
- Cover Your Tracks: About Us
- Pew Research Center: Americans and Privacy: Concerned, Confused and Feeling Lack of Control Over Their Personal Information
- Tor Project: Changes to the Tor Exit List Service
