See how it works
July 8, 2026·8 min read
investigate a fake signupfake account investigationsignup fraud investigationfraudulent account detectionfraud triage investigation

How to Investigate a Fake Signup

Every fraud team has the same moment: a new account trips a rule, and now someone has to decide — real customer or problem? The signup form gave you a handful of signals: an email, a name, maybe a phone, an IP, a device. The question is whether they describe one coherent real person or an identity assembled to get through your gate. This guide walks the manual investigation, then the automated one.

Fake signups fail in a specific way: under investigation, a real identity gets deeper — more history, more corroboration — while a constructed one gets thinner or contradictory. Your whole job is to apply enough pressure to tell which is happening.


Step 1 — Inventory what the signup gave you

List every identifier the account submitted or that your systems captured:

  • Email address — the anchor for most pivots.
  • Phone number — carrier and line type matter (a VoIP number on a "personal mobile" field is a signal).
  • IP address — geolocation, and whether it's a residential IP, a datacenter, a VPN, or a known proxy.
  • Name / claimed persona — the story the account is telling about itself.
  • Device / timing — signup at 3am local, or a device seen on ten prior accounts.

The goal now is not to judge each in isolation but to see whether they agree with each other.

Step 2 — Test internal consistency

Fake identities are assembled from parts that don't quite fit:

  • Email domain from one country, phone country code from another, IP from a third — with a persona claiming to be local to none of them.
  • A "40-year-old business owner" whose email was created last week and appears in zero breaches (a real 40-year-old has a decade of digital residue).
  • A residential-looking claim behind a datacenter IP or a commercial VPN.

Each mismatch is a crack. One crack is noise; three cracks pointing the same way is a pattern.

Step 3 — Investigate the email

Run the email through the full treatment (see how to investigate a suspicious email address): domain age and mail infrastructure, account enumeration across platforms, breach exposure, and the alternate identifiers those breaches surface. A real customer's email lights up with history and consistent registrations. A fake one is dark, or lights up in ways that contradict the persona.

Step 4 — Investigate the phone and IP

  • Phone: carrier, line type, and whether the number appears in fraud or spam reporting. Freshly issued VoIP numbers used once are a classic disposable pattern.
  • IP: proxy/VPN/datacenter classification, and whether the same IP or subnet sits behind other recent signups — the signature of a fraud ring or a single actor running many accounts.

Step 5 — Pivot for the ring

The most valuable finding in a fake-signup investigation is rarely about the one account — it's discovering that this account is one of many. A reused device fingerprint, a shared IP subnet, an alternate email that surfaces the same phone, a username that connects to other accounts: these turn a single fake signup into a mapped cluster of coordinated ones. Fake signups are seldom solo.

Step 6 — Resolve, decide, document

Assemble the identifiers into one picture, weight each link by how well it's corroborated, and reach a decision the account's behavior justifies: approve, step up verification, or decline. Then write it so it holds — because a wrongful decline is a lost customer and a challenged one, and a missed fraud is a loss. Every claim sourced, every link scored.

Done thoroughly this is thirty minutes to an hour per account. A growing platform generates far more flagged signups than an hour each allows, so in practice most get a rule score and a coin-flip, and the investigation that would have caught the ring never happens.


The same investigation, run by an agent

DefenceCore runs this entire sequence automatically. Drop in the signals the signup gave you — email, phone, IP, wallet, whatever you have — and the agent pivots across open sources the way a fraud analyst would: infrastructure and history on the email, carrier and reputation on the phone, proxy classification and co-registration on the IP, and the cross-identifier pivots that expose a ring.

What comes back in minutes, not an hour:

  • a resolved identity graph showing whether the submitted identifiers cohere into one real person or fracture into a constructed identity — with a confidence score on every link;
  • the connections to other accounts that reveal coordinated signups, when they exist;
  • deterministic risk signals (disposable email, VoIP number, proxy IP, no-history identity, persona mismatch) fired from a versioned ruleset;
  • a recommended action derived from signal severity, and a citation on every claim.

The payoff isn't just speed — it's coverage. When investigating a flagged signup costs minutes instead of an hour, every flagged signup gets investigated, and the fake ones stop clearing on a hunch. See a sample report.


Fake-signup red flags

SignalWhat it suggests
Email created days ago, zero breach historyPurpose-built identity
Country mismatch across email / phone / IPAssembled from parts
VoIP or freshly issued phone on a "personal" fieldDisposable identifier
Datacenter / VPN / known-proxy IPConcealed origin
IP subnet or device shared with recent signupsCoordinated ring
Persona claims history the identifiers don't showConstructed persona

Frequently asked questions

How do you tell a fake signup from a cautious real customer? By depth and consistency, not by any single flag. A privacy-conscious real customer still has coherent identifiers and some history; a fake identity contradicts itself or has no history at all. Investigation applies enough pivots to tell thin-and-contradictory from private-but-real.

Can this be done at the speed of a signup queue? Manually, no — thorough investigation is thirty-plus minutes per account, which doesn't scale to a busy queue. That's the exact gap autonomous investigation closes: minutes per case makes investigating every flagged signup viable.

What single signal matters most? None alone — coherence across signals is the signal. That said, the discovery that a signup shares infrastructure with other recent accounts is often the highest-value finding, because it converts one decision into a mapped cluster.

Is investigating a signup's identifiers legal? Researching open and commercially available data on submitted identifiers for fraud prevention is lawful in most jurisdictions. Usage is regulated: DefenceCore is built for verified security teams, and its reports may not be used for credit, employment, housing, or insurance decisions.


Investigate the next flagged signup

Take an account sitting in your review queue right now and run the full investigation on it.

Run an investigation

← All posts

SEE IT IN THE PRODUCT

See the carrier data, exposure score, and OSINT breakdown a single lookup returns.

See a sample report →