Using an IP Fraud Score to Detect High-Risk Users

Using an IP Fraud Score to Detect High-Risk Users

Author avatar

by Tamas Kadar

IP address analysis is one of the oldest and most common methods used to detect fraudsters. Let’s see how an IP fraud score can help.

If you’re reading the words on this page, it’s thanks in part to an IP address. But unlike your home address, you probably have no reason to know it by heart.


And yet, this strange jumble of letters and numbers is, in fact, the key to automatic connection between any device and the Internet. This is true whether you visit a website, send or receive emails, use a chat room, and whether it’s from your phone, laptop or smart fridge.

And as we’ll see in this guide, you can get a lot of info thanks to an IP fraud score (also useful for Transaction Risk Scoring)

Let’s see how it can help businesses make an educated guess about who their users are, where in the world they are based, and more importantly, what their intentions are. 

But first, some useful definitions:

Public and Private IP Addresses

A public IP address is assigned to any device connecting to the Internet by an ISP (Internet Service Provider). It can be a phone or laptop, but also a web server or email server. It is impossible for a device to access a WAN (wide area network) like the Internet without one.

A private address is assigned to a device on a local network (LAN). Multiple devices can communicate with each other, usually within the same building.

IP addresses public versus private

You’ll find many different analogies used to explain what an IP address is. Some compare it to an Internet passport. Others to a building’s physical address, which allows you to receive information through a postbox. 

With that analogy, the public IP lets you receive mail at your place of business. But then, the mail still needs to be sent to the right people in the building, via Private addresses (like floor or desk number).

One point that often leads to confusion is that the term “private” doesn’t mean hidden. It simply refers to the fact that it links to a local network, and it’s possible for anyone to find it. 

Understanding Public IP Addresses

For our purpose, which is to detect fraudsters, public addresses offer a lot more information than private ones. So let’s dive into more detail about how they are created exactly:

  • Public IP addresses are generated automatically: they are assigned by your ISP (Internet Service Provider), and you cannot control them. However, you may have the option to use a static address (which always remains the same), versus a dynamic public address, which is randomly selected with every new connection. The most valuable ones for fraudsters are residential IP addresses, which can be sold or rented on specific marketplaces and brokerage services.
  • Every public IP address must be unique: there can never be two exact same public addresses.
  • Every device needs an IP address to connect to the Internet: that includes your phone, tablet, PC, laptop, watch or even smart fridge if it’s part of the IoT (the Internet of Things).

The last two points are particularly interesting because it means we could potentially run out of IP addresses. In fact, it’s happened once before when the explosive growth in mobile devices depleted the supply of IP addresses in the old IPv4 format. 

This is why a new format had to be created, IPv6. In theory, IPv6 supports a maximum 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses, which should hopefully last us a long time. 

IP Addresses and Geolocation

Many users first realize that their IP addresses contain useful information after their first encounters with the concept of geolocation. This usually happens because of:

  • Targeted ads: digital marketers try to catch your attention by mentioning your local area in their adverts.
  • Blocked content: Most commonly found on media streaming platforms, where copyrights aren’t universal.
geoblocked content, which pushes users to use IP address fraud

So this is the first key part of a user’s digital footprint that can be gleaned from IP addresses. They can, in theory, reveal where the user is based in the world. 

But a few important caveats: first, IP geolocation is a complex process that is outsourced to specialists. The accuracy of the geolocation can vary depending on which database they use. IP2Country, as it’s often called, tends to yield a 95% accuracy. IP2Region (which can be as granular as city and area code), decreases to around 50 – 75% accuracy. 

Secondly, you can’t always trust geolocation information. And this brings us to the most important part of IP research: understanding when the address has been manipulated.

How Users Hide Their IP Addresses

There are many reasons why someone would want to avoid spoofing detection. Circling back to our examples above, it could simply be to watch a video from a foreign country. It could be to improve their security via added encryption. And of course, it could be for malicious purposes.

Regardless of the why, let’s see how IP addresses are hidden:

  • VPNs: or Virtual Private Networks. Increasingly popular tools, which tunnel all traffic from a device towards a server in another location. Different VPNs offer different kinds of IP addresses, such as static, dynamic, or shared. 
  • TOR: a system designed to maintain a user’s anonymity by masking IP addresses. Users download and run a free browser, which passes and encrypts traffic multiple times to hide the original IP address. However, an ISP or fraud detection tool will know if the user connected to TOR’s entry and exit nodes.
  • Proxy servers: act as a middle man between a device and a visited website. TOR and VPNs are also considered proxies, even if they redirect all traffic coming from all software and device systems.

Proxy Servers and Socks5

Let’s dive deeper into the world of proxy servers. There are three main types: 

  • HTTP (which only reroute browser traffic); 
  • Socks proxies (which can be set up for other applications like games or streaming apps)
  • Transparent proxies (usually set up by employers, parents or public companies that want to restrict and monitor traffic. 

Proxy servers are easy, cheap and fast to set up, which is why fraudsters rely on them to quickly change IP addresses during multiple attacks. This is called IP spoofing, and anyone can do it in seconds with free services like 

proxy solutions used to fool an IP fraud score
A third party reseller of proxy addresses found on

Note that fraudsters favour Socks5 proxies, which are more complex to use, but can improve their chances of passing off as innocent residential users. 

Finally, it also helps to be familiar with the concept of proxy ports. These are numbers that refer to specific virtual locations on the connected device. As we’ll see below, it can be useful to understand which ports are available in the context of fraud detection.

The Key Features of IP Analytics 

Now that we understand how IPs work and a basic strategy of how people hide their addresses, let’s see what we can gather by analyzing them.

  • Geolocation: as we’ve previously seen, a legitimate IP address should reveal where the user is based in the world. It is a basic feature, but still useful to see if it matches the card country or if the customer is travelling too fast.
  • Internet Service Provider: finding out who the ISP is can help us know if the IP is residential, from a normal residential connection, public library or web server/datacenter. The latter is particularly useful to know as they are often used by bots, VPN providers and TOR exit nodes.
  • Open port scan: all proxies tend to have at least one open port, and so do computers functioning as servers. By performing a scan, we can measure how risky the situation appears to be. For instance, some proxy providers resell hacked SSH connections, where port 22 is usually open. A proxy detection service or proxy detection API can help.
  • Spam checklist scan: there are two useful lists called DNSBL (Domain Name System Blackhole List) and RBL (Real-time Blackhole List), which catalogue IP addresses used for email spamming. If these IP addresses appear in the results of our search, we can suspect the user is fraudulent.

So with these few features, we can already tell a lot about a user based on their IP address. Where they are based, what kind of network setup they use to connect online, and whether they appear suspicious or not.

Velocity Rules for IP Usage 

So what should you do if you find a suspicious user’s IP address connecting to your system? You could simply block it straight away, but adding that address to a blacklist doesn’t make sense. This is because IP addresses are mostly dynamic, and multiple users could eventually end up sharing them, so you’d end up blocking valid customers.

This is why you can’t just look at the IP address itself, but also their usage via velocity rules. These algorithms look at the patterns and changes of IP address usage over time, which helps ant fraud intelligence.

What Is an IP Fraud Score?

You can look at various settings and assign them points depending on a risk factor. For instance, a VPN adds +1. An emulator adds +2 etc… When all the points have been calculated, you get an IP fraud score.

Enhancing IP Checks With Other Fraud Fighting Tools 

As we’ve seen, understanding IP addresses and getting a report is fast, affordable, and easy to perform. But it’s in no way flawless. While it can indicate suspicious behavior, it cannot point to fraud with 100% certainty. 

This is, in fact, one of the shortcomings of the tech: it’s only useful as part of a complete fraud detection solution. When you search for risk, you need as much data as possible. And here, you’ll need:

two ways to get IP fraud scores using SEOn

Always Useful, But Not Always Enough

We can see how an IP fraud score check provides a great baseline for fraud intelligence and transaction fraud detection. It’s easy to implement, frictionless and delivers results in real-time. 

This is why when you use our full end-to-end fraud detection tool, we recommend you use it at every stage of the user journey, from login to checkout. 

It can help you catch suspicious connection changes, highlight the use of spoofing devices, and detect potential bot attacks. But there simply isn’t data available with IP addresses to create precise risk scores or a full digital footprint report.

Share article

See a live demo of our product

Click here

Author avatar
Tamas Kadar

Tamas is the founder and CEO of SEON and an expert in all the technological aspects of fraud prevention.

Sign up to our newsletter