Preventing Spammers and Fraudulent Users (for Startups)
We often get asked "What are the best practices for dealing with fraudulent accounts and spammers in our community?" We are lucky to be a part of the Techstars network, so I asked the group for their favorite ideas and got some great answers. It seems that as soon as a new website begins to get even a moderate amount of traffic, they will start to attract scammers who create multiple accounts with different IP addresses.
Scammers use these fake accounts to spam the community, claim free referral credits and use stolen credit cards that often aren't discovered for months. It's an annoying and expensive hassle, and one that many new companies aren't equipped to handle. We are presenting some simple things that you can do manually while your traffic is still building. Eventually you will want to outsource this process, but in the beginning you can do it yourself
Here Are Some Simple Tips:
1. Email Verification
Have an email verification system, coupled with a Captcha, with a real person validating the account. You can allow some access without a verified identity, but to access key functions, the account has to be verified. There are tutorials available online to walk you through creating an email verification system, or you can use a service like LeadSpend.
2. Phone Verification
Add things which create little friction for legitimate users but make it difficult for spammers/fraudsters to scale their attack. For example, verify mobile phone number before freeing up referral credits. Email is easy to spam because it's trivial to sign up for a new account. Everyone has a single mobile phone number and it's annoying and expensive to get more numbers. Twilio is a great resource for this but there are also services who will do it for you.
3. Be Clever
Honeypot field + time to complete logging are great options too. You create a form input in a hidden div and only a bot will fill it out. You can also track how long it takes to fill out the form. Any form submissions where that hidden input has anything in it, and the time to complete the form is lightning fast... well that's not a human. Best of all, real users are not impacted.
4. Ask For Help
Leverage your community to help. Something as simple as a "Flag Member" button can go a long way. If you have a vibrant community, they will be glad to assist in policing. If you can leverage your members, they can cut our bad users before they can do too much damage.
5. Geography Matters
A lot of automated bots originate from the same small set of countries. Services like MaxMind provide inexpensive GeoLocation and can be used to blacklist countries, or only allow users from a particular country. MaxMind even provides their database for free if you want to DIY and save some money.
6. When It's Time, Outsource
Staying on top of the spammers and the fraudsters is a time consuming game of "Whack-a-Mole". Anonymous people/bots can't be held accountable - if you ban them they can come right back. If you force someone into a strong online identity verification, then they can be held accountable but they lose online privacy. BeehiveID can detect bots (trivially), can guarantee uniqueness, and still preserve privacy because we know nothing about the users actual online identity. This way you can get rid of malicious users and they can't come back. But your good users don't have to surrender their privacy.