Check your IP fraud score here:
If looking up a phone number, please include its country code without plus signs, spaces or hyphens. By trying this tool, you’re agreeing to our Privacy Policy, General Terms of Service and Data Processing Agreement.
IP address analysis is one of the most established methods for spotting online fraud. If you’re reading this, you’re already using an IP address, whether from your phone, laptop, or even smart fridge. It’s the invisible string connecting your device to the Internet, enabling everything from web browsing to emails and video calls.
But IPs aren’t just about connectivity—they can also reveal suspicious activity. That’s where IP fraud scores come into play.
Want to understand your IP fraud score results? Scroll down to learn how the score is calculated and how it helps prevent fraud.
What Is an IP Fraud Score?
An IP fraud score helps detect risky or fraudulent users by analyzing how they connect online. Signals like VPN or proxy usage, emulators, and poor IP reputation scores are assigned points. These points combine into a single score that reflects the likelihood of fraud.
For instance, a VPN might add +1, while a suspicious connection from a known TOR node could add more. IPs previously linked to bot activity, abuse, or chargebacks may be automatically blocked based on thresholds set by your fraud prevention system. Businesses often use IP risk scoring at critical moments like signup, login, or checkout—where preventing account takeovers and other threats is vital.
While it’s part of broader fraud detection, an IP fraud score is focused purely on network-level risk—not behavioral data like transactions or spending patterns.
Watch the video below for a quick breakdown of how fraud scores work:
How do IP Fraud Scores Work?
An IP scoring API adds and subtracts points based on detected signals. Once the total score is calculated, the system can flag a user as low, medium, or high risk.
Here’s a simplified example of how fraudulent IP detection works:
- IP is from Russia → adds +2
- ISP is residential → subtracts -1
- Suspicious SSH port is open → adds +5
- Total IP risk score = 6 → potentially flagged as high risk
The goal is to evaluate as many signals as possible to create an accurate IP risk lookup and improve fraud prevention outcomes in real time.
What IP Data Is Important for an IP Fraud Score?
To calculate an accurate IP fraud score, you need to analyze key IP parameters that reveal how a user connects to the internet—and whether it looks suspicious.
Public vs. Private IP Addresses
Think of a public IP as a mailbox at the local post office—it’s how devices connect to the wider Internet. A private IP is like mail routing inside a building. Private doesn’t mean hidden—it just links to a local network.
Public IPs are assigned by ISPs and are essential for online access. Private IPs work within local networks like offices or homes. For fraud detection, public IPs are more valuable because they offer insight into user behavior and risk.
IP Geolocation
Geolocation ties IPs to physical locations, often used for targeting ads or restricting content. Accuracy depends on the database: some can pinpoint city-level data, while others only detect the country. Fraud teams use this to see if a user’s location matches expected behavior.
Public IP Address Features
- Automatically assigned by ISPs (static or dynamic)
- Globally unique—no two are the same
- Essential for internet access across all connected devices
- Residential IPs are especially valuable to fraudsters and often traded on shady marketplaces
Proxy Servers and SOCKS5
Fraudsters often mask their real IPs using:
- HTTP proxies (browser-level rerouting)
- SOCKS proxies (used for apps, gaming, streaming)
- Transparent proxies (set up by organizations to filter traffic)
These tools are cheap and easy to deploy, allowing bad actors to quickly rotate IPs during attacks. SOCKS5 proxies are especially sought after because they mimic legitimate residential users more effectively.
That’s why IP lookup tools are crucial—they help detect when an IP has been spoofed or manipulated.
How Users Hide Their IP Addresses
There are many reasons why someone would want to avoid spoofing detection. Circling back to our examples above, it could simply be to watch a video from a foreign country. It could be to improve their security via added encryption. And of course, it could be for malicious purposes.
Regardless of the why, let’s see how IP addresses are hidden:
- VPNs: Short for Virtual Private Networks. Increasingly popular tools, which tunnel all traffic from a device towards a server in another location. Different VPNs offer different kinds of IP addresses, such as static, dynamic, or shared.
- TOR: a system designed to maintain a user’s anonymity by masking IP addresses. Users download and run a free browser, which passes and encrypts traffic multiple times to hide the original IP address. However, an ISP or fraud detection tool will know if the user connected to TOR’s entry and exit nodes.
- Proxy servers: act as a middle man between a device and a visited website. TOR and VPNs are also considered proxies, even if they redirect all traffic coming from all software and device systems.
Proxies help fraudsters hide their IP addresses and stay anonymous. See how bad agents use them, and how our API flags them
Find out more
The Key Features of IP Analytics
Now that we understand how IPs work and a basic strategy of how people hide their addresses, let’s see what we can gather by analyzing them.
- Geolocation: As we’ve previously seen, a legitimate IP address should reveal where the user is based in the world. It is a basic feature, but still useful to see if it matches the card country or if the customer is travelling too fast.
- Internet Service Provider: Finding out who the ISP is can help us know if the IP is residential, from a normal residential connection, public library or web server/data center. The latter is particularly useful to know as they are often used by bots, VPN providers and TOR exit nodes.
- Open port scan: All proxies tend to have at least one open port, and so do computers functioning as servers. By performing a scan, we can measure how risky the situation appears to be. For instance, some proxy providers resell hacked SSH connections, where port 22 is usually open. A proxy detection service or proxy detection API can help.
- Spam checklist scan: There are two useful lists called DNSBL (Domain Name System Blackhole List) and RBL (Real-time Blackhole List), which catalogue IP addresses used for email spamming. If these IP addresses appear in the results of our search, we can suspect the user is fraudulent.
So with these few features, we can already tell a lot about a user based on their IP address. Where they are based, what kind of network setup they use to connect online, and whether they appear suspicious or not.
Velocity Rules for IP Usage
So what should you do if you find a suspicious user’s IP address connecting to your system? You could simply block it straight away, but adding that address to an IP blacklist doesn’t make sense. This is because IP addresses are mostly dynamic, and multiple users could eventually end up sharing them, so you’d end up blocking valid customers.
This is why you can’t just look at the IP address itself, but also their usage via velocity rules. These algorithms look at the patterns and changes of IP address usage over time, which helps anti-fraud intelligence.
Enhancing IP Score Checks with APIs
As we’ve seen, understanding IP addresses and getting a report is fast, affordable, and easy to perform. But it’s in no way flawless. While it can indicate suspicious behavior, it cannot point to fraud with 100% certainty.
This is, in fact, one of the shortcomings of the tech: it’s only useful as part of a complete fraud detection tool. When you search for risk, you need as much data as possible. And here, you’ll need:

Discover how VPN provider Buffered used SEON’s IP fraud scoring to block high-risk traffic and cut chargebacks almost instantly.
Find out more
The Benefits of IP Analysis Against Fraud
As we’ve seen, IP addresses contain a multitude of valuable parameters that help us calculate risk. It’s not the only reason to rely on IP analysis against fraud. Here is why you should deploy that type of tool today:
- Lightweight checks: IP analysis is invisible to the end user. All the checks happen behind the scenes, without slowing down the user journey.
- Real-time results: checking most IP parameters is nearly instantaneous, which also helps create a frictionless experience without sacrificing safety.
- Affordable: IP analysis is one of the most cost-effective ways to filter out bad agents.
As for the types of fraud you can detect with IP analyis, they include bot traffic, bonus abuse, multi-accounting, payment fraud, and more.
Prevent IP Fraud Risk with SEON
Breaking down the features of IP addresses for risk scoring is fast, affordable, and delivers results in real time. This is exactly what SEON’s IP lookup module offers in an affordable, easy-to-use package.
However, IP data is only one piece of the puzzle. For a complete solution against all kinds of fraud, from bot attacks to bonus abuse and chargeback fraud, we recommend combining IP fraud scoring with reverse email lookup, user and device fingerprinting, and more.
To learn more about how SEON can protect your online business, ask an expert by clicking the link below.
SEON is a powerful end-to-end solution that gives you complete control over the rules that affect your users’ fraud scores, with granular reporting.
Ask an Expert
Frequently Asked Questions
There are two types of IP scores. One of them is called an IP reputation score. Service providers use it to determine if your emails should pass spam filters. In fraud prevention, your IP risk score can determine if a system labels you as fraudulent or not,
Any improper use of the IP address of a server is considered IP abuse. This includes spamming, phishing attempts, DDoS or malware attacks.
An IP score rating helps businesses determine whether an IP address is risky or not. While there is no standard for how the scores are calculated, a higher score tends to point towards a risky IP.
IP analysis can be performed manually by taking certain parameters, such as an IP address, and checking it against public databases. However, most businesses automate the process using IP lookup and IP risk-scoring tools