Have you ever signed up to a service with different accounts? You might have, without noticing, broken their terms and conditions by performing what is known as multi accounting.
Of course, it doesn’t make you a fraudster. But those who purposefully create multiple accounts to abuse a system are crossing a fine line between customer benefits and company damage.
How Multi Accounting Works
At its core, multi accounting simply means opening more than one account per person. But there are sophisticated methods and simple ones.
- Basic multi accounting: users create an account with an email address and password. They log out, and create another one. Usually from the same device, and maybe using the same IP, or through a VPN.
- Sophisticated multi accounting: organized fraudsters use emulators, virtual machines, and even residential-like IPs, such as SOCKS5 proxies or mobile networks, to obtain fresh IP addresses. This is also referred to as gnoming.
- Stolen IDs or synthetic IDs: the most elaborate multi accounting fraudsters will even create accounts through stolen data or synthetic identities, or IDs constructed based on a real original document.
Why It’s a Problem for Everyone
Multi accounting creates different problems depending on the site, platform or service it is targeted at. However, the most common reasons it’s used are:
- Promo and coupon abuse: Companies often try to onboard new users through promotions, free demos and coupons. This is true everywhere, from the gambling world to ecommerce. Multi accounting takes advantage of these promos and bonuses.
- Fake reviews / feedback: It’s so easy to create an email address or social media profile that many people do it to boost targeted products, services, or even their own reputation. It can be innocent enough (making it look like you have more friends), or a full organized crime operation, like click farms with tens of thousands of phones.
- Reset bans / bad history: Users who have been blacklisted from a site can simply create a new account under a different name. The same applies to someone with a bad credit history or crash record with rented cars.
But there’s more: below, we’ll look at some examples of multi accounting that are specific to different verticals.
In the eCommerce industry, companies have to deal with multi account payment fraud as well as promo abuse.
Online loan providers have to battle fraudsters who use multi accounting to default on the loan and run away with the money. Similarly, financial institutions have to stop fraudsters from gaining access to promos or payment methods for fraudulent purposes.
In the social media and online dating world, users will create multiple accounts to reach more people – often to scam or spam users.
The travel industry is also increasingly targeted and now must battle the problem of fake bookings and reviews from scammers – and even from malicious competitors who can try to damage other businesses’ reputation.
The Gaming or iGaming industry has its own term for multi accounting: smurfing. The method is the same, and the goal allegedly more innocent. It is simply for gamers to improve their tactics without damaging the statistics of their main account.
Finally, the Online Gambling Vertical is one that’s hit particularly hard as it’s susceptible to a number of attack vectors such as:
- Affiliate fraud: whereby fraudsters create fake accounts to boost their numbers of CPAs (cost per acquisition) and CPLs (cost per lead).
- Arbitrage: even World Poker Series winners have been caught creating multiple accounts to gain an advantage over other players.
- Matched betting: another situation where controlling multiple accounts can help change the odds in your favour.
How Can Organizations Tackle Multi Accounting
In our last webinar for the gambling industry, a poll revealed that finding connections between different accounts was the number one challenge for fraud managers. Our solution includes combining the following tools to create a four-pronged line of defence:
- Device fingerprinting: by creating browser and device hashes or IDs, it’s easy to see when multiple users rely on the same device to log into your platform. While not necessarily indicative of fraud (family PCs), it’s an important point to check.
- IP analysis: this is more than checking whether users connect through the same IP address. It’s also about flagging known VPN IPs, suspicious open ports and ISPs. Use of the Tor network is also considered a red flag.
- Email analysis: data enrichment can turn single data points into full user pictures. This is particularly true with email address parameters such as domain validity, creation date, and link to social media accounts.
Finally, it’s important to combine all the analyzed data and process it through intelligent rules. While fraud managers can spot connections manually, they can’t do it at scale.
This is why AI-powered rules, velocity rules and behavior profiling are the only effective solutions to filter out the noise and reveal accurate insights to determine if multiple accounts do indeed belong to the same person.
In short, it’s about using a system that leverages AI and human intelligence to process incredibly large amounts of data, and validate the recommendations thanks to human wisdom and insight.
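To make the combination of device fingerprinting, IP analysis and velocity rules concrete, here is an added example (not the vendor's code) that links accounts sharing a device hash or IP and then applies a signup-velocity rule to each linked group. The field names, the one-hour window, the threshold of three and the sample records are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample signups: (account_id, device_hash, ip, created_at).
SIGNUPS = [
    ("acc1", "dev-A", "198.51.100.7", "2024-01-05T10:00:00"),
    ("acc2", "dev-A", "198.51.100.7", "2024-01-05T10:04:00"),
    ("acc3", "dev-A", "203.0.113.20", "2024-01-05T10:09:00"),
    ("acc4", "dev-B", "203.0.113.20", "2024-01-05T18:30:00"),
    ("acc5", "dev-C", "192.0.2.44", "2024-01-02T09:00:00"),
    ("acc6", "dev-C", "192.0.2.44", "2024-03-11T20:15:00"),  # e.g. a family PC
    ("acc7", "dev-D", "192.0.2.99", "2024-01-07T12:00:00"),
]

def link_accounts(signups):
    """Group accounts that share a device hash or an IP (union-find)."""
    parent = {}
    def find(x):
        while parent.setdefault(x, x) != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    for acc, dev, ip, _ in signups:
        for key in (("dev", dev), ("ip", ip)):
            parent[find(("acc", acc))] = find(key)
    clusters = defaultdict(set)
    for acc, *_ in signups:
        clusters[find(("acc", acc))].add(acc)
    return sorted(sorted(c) for c in clusters.values())

def max_velocity(times, window):
    """Largest number of signups falling inside any sliding window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def assess(signups, window=timedelta(hours=1), threshold=3):
    """Verdict per linked group: 'flag', 'review' (linked but slow) or 'ok'."""
    created = {a: datetime.fromisoformat(ts) for a, _, _, ts in signups}
    report = {}
    for cluster in link_accounts(signups):
        v = max_velocity([created[a] for a in cluster], window)
        linked = len(cluster) > 1
        report[tuple(cluster)] = "flag" if linked and v >= threshold else "review" if linked else "ok"
    return report
```

Linked groups that stay under the velocity threshold are marked for review rather than flagged, which reflects the shared-device caveat above: a family PC produces the same link as a fraudster, and only the signup pattern tells them apart.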
Multi accounting is a growing problem for almost any kind of business operating online. It can be simple or complex, and innocent or done on a scale only an organized crime ring can reach.
However, tools such as IP and device fingerprinting, email analysis and AI-driven algorithms are strong weapons to have in your arsenal against fraud.
And while not all multi accounting should necessarily be seen as fraudulent, you can still implement the right tools to let your team decide if it must be stopped or not.
More importantly, if a customer seems suspicious based on the digital footprint, you should have enough flexibility to add or remove dynamic verification steps. All so you can reduce conversion churn, friction, and simplify the user journey for delivering the best experience possible.