Follow Us! ThumbsUp 20 3997 6090
IP Fraud Score: How IP Analysis Works for Fraud Detection

IP address analysis is one of the oldest and most common methods used to detect fraudsters. Let’s see how an IP fraud score can help.

If you’re reading the words on this page, it’s thanks in part to an IP address. But unlike your home address, you probably have no reason to know it by heart.


Check your IP fraud score here:


And yet, this strange jumble of letters and numbers is, in fact, the key to automatic connection between any device and the Internet. This is true whether you visit a website, send or receive emails, use a chat room, and whether it’s from your phone, laptop or smart fridge.

And as we’ll see in this guide, you can get a lot of info thanks to an IP fraud score (also useful for transaction risk scoring).

Let’s see how it can help businesses make an educated guess about who their users are, where in the world they are based, and more importantly, what their intentions are. 

But first, some useful definitions:

What Is an IP Fraud Score?

An IP risk score can be used to help minimize the risk of bad actors entering your site. You can look at various settings and assign them points depending on a risk factor.

For instance, a VPN adds +1. An emulator adds +2, and so on. When all the points have been calculated, you get an overall IP fraud score.

IP reputation is another factor that impacts the overall score: IP addresses that have been historically connected to bots or fraudsters will have a higher risk score or might be blacklisted automatically by your provider.

Typically organizations use this solution at registration, login, or the buying stage, to stop potential malicious behavior (such as an account takeover).

While an IP fraud score is a type of fraud score, the two should not be confused with another: The former is specific to internet protocols whereas the latter is a more general overview of the fraud risk level of a user’s activities such as their transactions and purchasing behavior.

Public and Private IP Addresses

A public IP address is assigned to any device connecting to the Internet by an ISP (Internet Service Provider). It can be a phone or laptop, but also a web server or email server. It is impossible for a device to access a WAN (wide area network) like the Internet without one.

A private address is assigned to a device on a local network (LAN). Multiple devices can communicate with each other, usually within the same building.

IP addresses public versus private

You’ll find many different analogies used to explain what an IP address is. Some compare it to an Internet passport. Others to a building’s physical address, which allows you to receive information through a postbox. 

With that analogy, the public IP lets you receive mail at your place of business. But then, the mail still needs to be sent to the right people in the building, via Private addresses (like floor or desk number).

One point that often leads to confusion is that the term “private” doesn’t mean hidden. It simply refers to the fact that it links to a local network, and it’s possible for anyone to find it. 

Understanding Public IP Addresses

For our purpose, which is to detect fraudsters, public addresses offer a lot more information than private ones. So let’s dive into more detail about how they are created exactly:

  • Public IP addresses are generated automatically: They are assigned by your ISP (Internet Service Provider), and you cannot control them. However, you may have the option to use a static address (which always remains the same), versus a dynamic public address, which is randomly selected with every new connection. The most valuable ones for fraudsters are residential IP addresses, which can be sold or rented on specific marketplaces and brokerage services.
  • Every public IP address must be unique: There can never be two exact same public addresses.
  • Every device needs an IP address to connect to the Internet: That includes your phone, tablet, PC, laptop, watch or even smart fridge if it’s part of the IoT (the Internet of Things).

The last two points are particularly interesting because it means we could potentially run out of IP addresses. In fact, it’s happened once before when the explosive growth in mobile devices depleted the supply of IP addresses in the old IPv4 format. 

This is why a new format had to be created, IPv6. In theory, IPv6 supports a maximum 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses, which should hopefully last us a long time. 

IP Addresses and Geolocation

Many users first realize that their IP addresses contain useful information after their first encounters with the concept of geolocation. This usually happens because of:

  • Targeted ads: Digital marketers try to catch your attention by mentioning your local area in their adverts.
  • Blocked content: Most commonly found on media streaming platforms, where copyrights aren’t universal.

So this is the first key part of a user’s digital footprint that can be gleaned from IP addresses. They can, in theory, reveal where the user is based in the world. 

But a few important caveats: first, IP geolocation is a complex process that is outsourced to specialists. The accuracy of the geolocation can vary depending on which database they use. IP2Country, as it’s often called, tends to yield a 95% accuracy. IP2Region (which can be as granular as city and area code), decreases to around 50 – 75% accuracy. 

Secondly, you can’t always trust geolocation information. And this brings us to the most important part of IP lookup tools: understanding when the address has been manipulated.

How Users Hide Their IP Addresses

There are many reasons why someone would want to avoid spoofing detection. Circling back to our examples above, it could simply be to watch a video from a foreign country. It could be to improve their security via added encryption. And of course, it could be for malicious purposes.

Regardless of the why, let’s see how IP addresses are hidden:

  • VPNs: Short for Virtual Private Networks. Increasingly popular tools, which tunnel all traffic from a device towards a server in another location. Different VPNs offer different kinds of IP addresses, such as static, dynamic, or shared. 
  • TOR: a system designed to maintain a user’s anonymity by masking IP addresses. Users download and run a free browser, which passes and encrypts traffic multiple times to hide the original IP address. However, an ISP or fraud detection tool will know if the user connected to TOR’s entry and exit nodes.
  • Proxy servers: act as a middle man between a device and a visited website. TOR and VPNs are also considered proxies, even if they redirect all traffic coming from all software and device systems.
Learn How Proxy Detection Helps to Flag Fraudulent IPs

Proxies help fraudsters hide their IP addresses and stay anonymous. See how bad agents use them, and how our API flags them

Find out more

Proxy Servers and SOCKS5

Let’s dive deeper into the world of proxy servers. There are three main types: 

  • HTTP (which only reroute browser traffic) 
  • SOCKS proxies (which can be set up for other applications like games or streaming apps)
  • Transparent proxies (usually set up by employers, parents or public companies that want to restrict and monitor traffic. 

Proxy servers are easy, cheap and fast to set up, which is why fraudsters rely on them to quickly change IP addresses during multiple attacks. This is called IP spoofing, and anyone can do it in seconds with free services like 

proxy solutions used to fool an IP fraud score
A third party reseller of proxy addresses found on

Note that fraudsters favor SOCKS5 proxies, which are more complex to use, but can improve their chances of passing off as innocent residential users. 

Finally, it also helps to be familiar with the concept of proxy ports. These are numbers that refer to specific virtual locations on the connected device. As we’ll see below, it can be useful to understand which ports are available in the context of fraud detection.

The Key Features of IP Analytics 

Now that we understand how IPs work and a basic strategy of how people hide their addresses, let’s see what we can gather by analyzing them.

  • Geolocation: As we’ve previously seen, a legitimate IP address should reveal where the user is based in the world. It is a basic feature, but still useful to see if it matches the card country or if the customer is travelling too fast.
  • Internet Service Provider: Finding out who the ISP is can help us know if the IP is residential, from a normal residential connection, public library or web server/data center. The latter is particularly useful to know as they are often used by bots, VPN providers and TOR exit nodes.
  • Open port scan: All proxies tend to have at least one open port, and so do computers functioning as servers. By performing a scan, we can measure how risky the situation appears to be. For instance, some proxy providers resell hacked SSH connections, where port 22 is usually open. A proxy detection service or proxy detection API can help.
  • Spam checklist scan: There are two useful lists called DNSBL (Domain Name System Blackhole List) and RBL (Real-time Blackhole List), which catalogue IP addresses used for email spamming. If these IP addresses appear in the results of our search, we can suspect the user is fraudulent.

So with these few features, we can already tell a lot about a user based on their IP address. Where they are based, what kind of network setup they use to connect online, and whether they appear suspicious or not.

Velocity Rules for IP Usage 

So what should you do if you find a suspicious user’s IP address connecting to your system? You could simply block it straight away, but adding that address to a blacklist doesn’t make sense. This is because IP addresses are mostly dynamic, and multiple users could eventually end up sharing them, so you’d end up blocking valid customers.

This is why you can’t just look at the IP address itself, but also their usage via velocity rules. These algorithms look at the patterns and changes of IP address usage over time, which helps anti-fraud intelligence.

Enhancing IP Score Checks with APIs

As we’ve seen, understanding IP addresses and getting a report is fast, affordable, and easy to perform. But it’s in no way flawless. While it can indicate suspicious behavior, it cannot point to fraud with 100% certainty. 

This is, in fact, one of the shortcomings of the tech: it’s only useful as part of a complete fraud detection solution. When you search for risk, you need as much data as possible. And here, you’ll need:

two ways to get IP fraud scores using SEON

Prevent IP Fraud Risk with SEON

We can see how an IP fraud score check provides a great baseline for fraud intelligence and transaction fraud detection. It’s easy to implement, frictionless and delivers results in real-time. 

This is why when you use our full end-to-end fraud detection tool, we recommend you use it at every stage of the user journey, from login to checkout. 

It can help you catch suspicious connection changes, highlight the use of spoofing devices, and detect potential bot attacks. But there simply isn’t data available with IP addresses to create precise risk scores or a full digital footprint report.

Build a Fraud Scoring Model with SEON

SEON is a powerful end-to-end solution that gives you complete control over the rules that affect your users’ fraud scores, with granular reporting.

Book a Demo

Frequently Asked Questions

What is an IP score?

There are two types of IP scores. One of them is called an IP reputation score. Service providers use it to determine if your emails should pass spam filters. In fraud prevention, your IP risk score can determine if a system labels you as fraudulent or not,

How do I find my IP reputation score?

Tools such as Google Postmaster Domain and IP Reputation Dashboard can give you an overview of your IP score for email deliverability. Note that for fraud prevention, IP scores are usually hidden from users.

What is IP abuse?

Any improper use of the IP address of a server is considered IP abuse. This includes spamming, phishing attempts, DDoS or malware attacks.

Share article

See a live demo of our product

Click here

Author avatar
Tamas Kadar

Tamás Kádár is the Chief Executive Officer and co-founder of SEON. His mission to create a fraud-free world began after he founded the CEE’s first crypto exchange in 2017 and found it under constant attack. The solution he built now reduces fraud for 5,000+ companies worldwide, including global leaders such as KLM, Avis, and Patreon. In his spare time, he’s devouring data visualizations and injuring himself while doing basic DIY around his London pad.

Sign up for our newsletter

The top stories of the month delivered straight to your inbox