---
title: "How to Investigate a Fake Signup"
description: "A step-by-step method for deciding whether a flagged signup is a real customer or a constructed identity — inventory the signals, test their consistency, pivot for the ring, and resolve with a defensible decision."
canonical: https://defencecore.com/blog/how-to-investigate-a-fake-signup
published: 2026-07-08
modified: 2026-07-08
---

# How to Investigate a Fake Signup

Every fraud team has the same moment: a new account trips a rule, and now someone has to decide — real customer or problem? The signup form gave you a handful of signals: an email, a name, maybe a phone, an IP, a device. The question is whether they describe **one coherent real person** or **an identity assembled to get through your gate.** This guide walks the manual investigation, then the automated one.

Fake signups fail in a specific way: under investigation, a real identity gets *deeper* — more history, more corroboration — while a constructed one gets *thinner* or *contradictory*. Your whole job is to apply enough pressure to tell which is happening.

---

## Step 1 — Inventory what the signup gave you

List every identifier the account submitted or that your systems captured:

- **Email address** — the anchor for most pivots.
- **Phone number** — carrier and line type matter (a VoIP number on a "personal mobile" field is a signal).
- **IP address** — geolocation, and whether it's a residential IP, a datacenter, a VPN, or a known proxy.
- **Name / claimed persona** — the story the account is telling about itself.
- **Device / timing** — signup at 3am local, or a device seen on ten prior accounts.

The goal now is not to judge each in isolation but to see whether they *agree with each other.*

## Step 2 — Test internal consistency

Fake identities are assembled from parts that don't quite fit:

- Email domain from one country, phone country code from another, IP from a third — with a persona claiming to be local to none of them.
- A "40-year-old business owner" whose email was created last week and appears in zero breaches (a real 40-year-old has a decade of digital residue).
- A residential-looking claim behind a datacenter IP or a commercial VPN.

Each mismatch is a crack. One crack is noise; three cracks pointing the same way is a pattern.

## Step 3 — Investigate the email

Run the email through the full treatment (see [how to investigate a suspicious email address](/blog/how-to-investigate-a-suspicious-email-address)): domain age and mail infrastructure, account enumeration across platforms, breach exposure, and the alternate identifiers those breaches surface. A real customer's email lights up with history and consistent registrations. A fake one is dark, or lights up in ways that contradict the persona.

## Step 4 — Investigate the phone and IP

- **Phone**: carrier, line type, and whether the number appears in fraud or spam reporting. Freshly issued VoIP numbers used once are a classic disposable pattern.
- **IP**: proxy/VPN/datacenter classification, and whether the same IP or subnet sits behind other recent signups — the signature of a fraud ring or a single actor running many accounts.

## Step 5 — Pivot for the ring

The most valuable finding in a fake-signup investigation is rarely about the one account — it's discovering that this account is **one of many.** A reused device fingerprint, a shared IP subnet, an alternate email that surfaces the same phone, a username that connects to other accounts: these turn a single fake signup into a mapped cluster of coordinated ones. Fake signups are seldom solo.

## Step 6 — Resolve, decide, document

Assemble the identifiers into one picture, weight each link by how well it's corroborated, and reach a decision the account's behavior justifies: approve, step up verification, or decline. Then write it so it holds — because a wrongful decline is a lost customer and a challenged one, and a missed fraud is a loss. Every claim sourced, every link scored.

Done thoroughly this is thirty minutes to an hour per account. A growing platform generates far more flagged signups than an hour each allows, so in practice most get a rule score and a coin-flip, and the investigation that would have caught the ring never happens.

---

## The same investigation, run by an agent

[DefenceCore](/) runs this entire sequence automatically. Drop in the signals the signup gave you — email, phone, IP, wallet, whatever you have — and the agent pivots across open sources the way a fraud analyst would: infrastructure and history on the email, carrier and reputation on the phone, proxy classification and co-registration on the IP, and the cross-identifier pivots that expose a ring.

What comes back in minutes, not an hour:

- a **resolved identity graph** showing whether the submitted identifiers cohere into one real person or fracture into a constructed identity — with a confidence score on every link;
- the **connections to other accounts** that reveal coordinated signups, when they exist;
- **deterministic risk signals** (disposable email, VoIP number, proxy IP, no-history identity, persona mismatch) fired from a versioned ruleset;
- a **recommended action** derived from signal severity, and a **citation on every claim.**

The payoff isn't just speed — it's coverage. When investigating a flagged signup costs minutes instead of an hour, *every* flagged signup gets investigated, and the fake ones stop clearing on a hunch. [See a sample report](/sample-report).

---

## Fake-signup red flags

| Signal | What it suggests |
|---|---|
| Email created days ago, zero breach history | Purpose-built identity |
| Country mismatch across email / phone / IP | Assembled from parts |
| VoIP or freshly issued phone on a "personal" field | Disposable identifier |
| Datacenter / VPN / known-proxy IP | Concealed origin |
| IP subnet or device shared with recent signups | Coordinated ring |
| Persona claims history the identifiers don't show | Constructed persona |

---

## Frequently asked questions

**How do you tell a fake signup from a cautious real customer?**
By depth and consistency, not by any single flag. A privacy-conscious real customer still has coherent identifiers and some history; a fake identity contradicts itself or has no history at all. Investigation applies enough pivots to tell thin-and-contradictory from private-but-real.

**Can this be done at the speed of a signup queue?**
Manually, no — thorough investigation is thirty-plus minutes per account, which doesn't scale to a busy queue. That's the exact gap autonomous investigation closes: minutes per case makes investigating every flagged signup viable.

**What single signal matters most?**
None alone — coherence across signals is the signal. That said, the discovery that a signup shares infrastructure with other recent accounts is often the highest-value finding, because it converts one decision into a mapped cluster.

**Is investigating a signup's identifiers legal?**
Researching open and commercially available data on submitted identifiers for fraud prevention is lawful in most jurisdictions. Usage is regulated: DefenceCore is built for verified security teams, and its reports may not be used for credit, employment, housing, or insurance decisions.

---

## Investigate the next flagged signup

Take an account sitting in your review queue right now and run the full investigation on it.

→ **[Run an investigation](/)**
