How to Investigate a Fake Signup
Every fraud team has the same moment: a new account trips a rule, and now someone has to decide — real customer or problem? The signup form gave you a handful of signals: an email, a name, maybe a phone, an IP, a device. The question is whether they describe one coherent real person or an identity assembled to get through your gate. This guide walks the manual investigation, then the automated one.
Fake signups fail in a specific way: under investigation, a real identity gets deeper — more history, more corroboration — while a constructed one gets thinner or contradictory. Your whole job is to apply enough pressure to tell which is happening.
Step 1 — Inventory what the signup gave you
List every identifier the account submitted or that your systems captured:
- Email address — the anchor for most pivots.
- Phone number — carrier and line type matter (a VoIP number on a "personal mobile" field is a signal).
- IP address — geolocation, and whether it's a residential IP, a datacenter, a VPN, or a known proxy.
- Name / claimed persona — the story the account is telling about itself.
- Device / timing — signup at 3am local, or a device seen on ten prior accounts.
The goal now is not to judge each in isolation but to see whether they agree with each other.
Step 2 — Test internal consistency
Fake identities are assembled from parts that don't quite fit:
- Email domain from one country, phone country code from another, IP from a third — with a persona claiming to be local to none of them.
- A "40-year-old business owner" whose email was created last week and appears in zero breaches (a real 40-year-old has a decade of digital residue).
- A residential-looking claim behind a datacenter IP or a commercial VPN.
Each mismatch is a crack. One crack is noise; three cracks pointing the same way is a pattern.
Step 3 — Investigate the email
Run the email through the full treatment (see how to investigate a suspicious email address): domain age and mail infrastructure, account enumeration across platforms, breach exposure, and the alternate identifiers those breaches surface. A real customer's email lights up with history and consistent registrations. A fake one is dark, or lights up in ways that contradict the persona.
Step 4 — Investigate the phone and IP
- Phone: carrier, line type, and whether the number appears in fraud or spam reporting. Freshly issued VoIP numbers used once are a classic disposable pattern.
- IP: proxy/VPN/datacenter classification, and whether the same IP or subnet sits behind other recent signups — the signature of a fraud ring or a single actor running many accounts.
Step 5 — Pivot for the ring
The most valuable finding in a fake-signup investigation is rarely about the one account — it's discovering that this account is one of many. A reused device fingerprint, a shared IP subnet, an alternate email that surfaces the same phone, a username that connects to other accounts: these turn a single fake signup into a mapped cluster of coordinated ones. Fake signups are seldom solo.
Step 6 — Resolve, decide, document
Assemble the identifiers into one picture, weight each link by how well it's corroborated, and reach a decision the account's behavior justifies: approve, step up verification, or decline. Then write it so it holds — because a wrongful decline is a lost customer and a challenged one, and a missed fraud is a loss. Every claim sourced, every link scored.
Done thoroughly this is thirty minutes to an hour per account. A growing platform generates far more flagged signups than an hour each allows, so in practice most get a rule score and a coin-flip, and the investigation that would have caught the ring never happens.
The same investigation, run by an agent
DefenceCore runs this entire sequence automatically. Drop in the signals the signup gave you — email, phone, IP, wallet, whatever you have — and the agent pivots across open sources the way a fraud analyst would: infrastructure and history on the email, carrier and reputation on the phone, proxy classification and co-registration on the IP, and the cross-identifier pivots that expose a ring.
What comes back in minutes, not an hour:
- a resolved identity graph showing whether the submitted identifiers cohere into one real person or fracture into a constructed identity — with a confidence score on every link;
- the connections to other accounts that reveal coordinated signups, when they exist;
- deterministic risk signals (disposable email, VoIP number, proxy IP, no-history identity, persona mismatch) fired from a versioned ruleset;
- a recommended action derived from signal severity, and a citation on every claim.
The payoff isn't just speed — it's coverage. When investigating a flagged signup costs minutes instead of an hour, every flagged signup gets investigated, and the fake ones stop clearing on a hunch. See a sample report.
Fake-signup red flags
| Signal | What it suggests |
|---|---|
| Email created days ago, zero breach history | Purpose-built identity |
| Country mismatch across email / phone / IP | Assembled from parts |
| VoIP or freshly issued phone on a "personal" field | Disposable identifier |
| Datacenter / VPN / known-proxy IP | Concealed origin |
| IP subnet or device shared with recent signups | Coordinated ring |
| Persona claims history the identifiers don't show | Constructed persona |
Frequently asked questions
How do you tell a fake signup from a cautious real customer? By depth and consistency, not by any single flag. A privacy-conscious real customer still has coherent identifiers and some history; a fake identity contradicts itself or has no history at all. Investigation applies enough pivots to tell thin-and-contradictory from private-but-real.
Can this be done at the speed of a signup queue? Manually, no — thorough investigation is thirty-plus minutes per account, which doesn't scale to a busy queue. That's the exact gap autonomous investigation closes: minutes per case makes investigating every flagged signup viable.
What single signal matters most? None alone — coherence across signals is the signal. That said, the discovery that a signup shares infrastructure with other recent accounts is often the highest-value finding, because it converts one decision into a mapped cluster.
Is investigating a signup's identifiers legal? Researching open and commercially available data on submitted identifiers for fraud prevention is lawful in most jurisdictions. Usage is regulated: DefenceCore is built for verified security teams, and its reports may not be used for credit, employment, housing, or insurance decisions.
Investigate the next flagged signup
Take an account sitting in your review queue right now and run the full investigation on it.