The Ban Evasion Toolkit: Techniques Fraudsters Use to Evade Bans

It’s a tale as old as time: your platform has policies to keep users safe and protect your profits, someone violates those policies, and they’re banned or suspended from using the platform. Happily ever after? Unfortunately, not always.

Fraudsters are a stubborn bunch. They’re not likely to be deterred by a simple ban, and the more organized they are, the less likely it is that the first ban will get rid of them—it might not even really slow them down. When ban evasion runs rampant, your fraud prevention expenditure has to increase just to tread water. So, how do we cut fraudsters out closer to the root?

Multi-accounting

First thing’s first: it’s important to acknowledge that virtually all ban evasion involves some form of multi-accounting.

Short of somehow scheming to get the original account reinstated (in which case, no ban is technically being evaded), there’s no way to rejoin a platform after being banned without creating a new account. For many platforms, having multiple accounts at all is a violation of the app’s policies. But even on platforms that allow multiple accounts, one thing is certain–using another account to continue using the app after the first account is banned is against the rules.

If you have multiple accounts with a platform, getting one or two banned isn’t such a big deal—especially if you’re a career fraudster who treats these burned accounts as the cost of doing business. If you can stand to make thousands by operating a hundred or more accounts, a few bans here and there are little more than a slap on the wrist.

Buying accounts from other people

If, for whatever reason, you can’t make another account yourself, you can buy them from other people. Between individuals, this might look like an interpersonal agreement—maybe you know a friend who doesn’t use their account anymore, so you offer them cash for the login credentials.

Among fraudsters, however, it’s much more business-like. Fraudsters who are already in the multi-accounting business sometimes find themselves with more accounts than even they care to have. When this happens, they can go to hacker forums or Telegram groups to sell their excess, often in discounted bundles of dozens or more at a time.

With Fraud-as-a-Service on the table, even the least committed or technically-savvy fraudsters can get access to the accounts they need to evade as many permanent bans as a platform can dole out.

Automated email account creation and online phone services

Today, most larger platforms require some sort of email or phone number verification to help weed out at least a little malicious traffic. But getting another email address or phone number is no big deal to a fraudster.

Email account creation can be automated, and fraudsters can even create accounts strategically much earlier before they need them to thwart email age analysis. Phone numbers can be acquired from cheap prepaid SIM cards or even from free online phone services like Google Voice.

More advanced user verification methods like requiring photo ID, address, or full name are harder to bypass, but still not impossible. Today, many people’s personally identifiable information can be found in data breaches or for sale on darknet marketplaces. Synthetic identities or a combination of synthetic and stolen identity information are also good options for committed fraudsters. With generative AI hitting the world stage, even fabricating photo ID pictures is becoming easier than ever for fraudsters.

The stricter the user verification, the harder it is for a fraudster to create multiple accounts, but it’s important not to underestimate their resources. If they want to ban evade badly enough, there are methods for bypassing new user verification available to them.

Device ID obfuscation

One of the ways that platforms enforce bans is by recording the device or browser fingerprint information of users they ban, so if someone tries to rejoin on the same device, the platform recognizes them as someone who’s been banned before.

Device fingerprinting has been the standard for years now, meaning that fraudsters have caught on to how it works—and how to outfox it.

Iremar Brayner, Senior Fraud Manager at Farfetch, recalled the old state of ban evasion detection in Incognia's webinar Ban Evasion: The Great Fraud Enabler.

“I remember like 10 years ago, 12 years ago, we would identify and tackle ban evasion by looking at data points. We've seen that a hundred accounts were created from a specific IP address, from a specific device by using a specific VIN number, and now it has evolved that fraudsters are able to manipulate this data. They are able to easily manipulate IP address and device information. So today, I think it's more about the behavior itself than a specific data point.”

André Ferraz, Incognia CEO and co-founder, echoes how easy it is for today’s fraudsters to shirk device and browser fingerprinting measures.

“There are many device fingerprinting techniques that don't even stand after the user, let's say, reinstalls the app. That generates a whole new device. Well, if that's the case, the fraudster only needs to remove your app, go to the app store, download it again, and do the same thing.”

Even more sophisticated device fingerprinting using parameters like OS version, model, screen resolution, and so on, can be thwarted using app tampering tools or by manipulating the device parameters to change its fingerprint. Emulating a mobile phone from a computer is also a popular option for more technically knowledgeable fraudsters.

How to stop ban evasion and make sure the first ban sticks

If multi-accounting is the great ban evasion enabler, then it follows that stopping multi-accounting is one of the best ways to stop ban evasion. So, how do you stop multi-accounting?

The answer lies in your ability to re-identify the same users across different accounts and devices, even when they’re trying to hide from view. Like we mentioned above, fraudsters know a lot of the popular industry ways of finding them, and they’ll try to obfuscate around those methods.

Taking device ID obfuscation as an example, the solution has to be two-pronged: checking devices for risk signs, and having other signals in place that can tell us who a user is even if they’re masking or manipulating their device fingerprinting. A device integrity check can reveal emulation, app tampering tools, GPS spoofing apps, and other device features that are more common with fraudsters’ devices than regular users.

As for additional signals, location behavior has proven to be an incredibly powerful way to re-identify users across accounts and devices. Regardless of any factory resets, device swaps, or fingerprint spoofing maneuvers, if you know your fraudster’s location down to the apartment level, you can identify and block them permanently.

As Andre explains it, “By leveraging location signals, you're able to see, ‘Well, I'm seeing multiple accounts being created from different devices, different device IDs. But there's one thing in common, which is they're all located in Apartment 11B in this apartment complex,’ for example. They're all connected to the same Wi-Fi network, for example. If you're able to dive deeper into these signals and find the connections between different devices, you can also identify ban evasion more effectively.”

If you can’t re-identify your users, then the first time you ban a fraudster might be only the beginning of a long uphill battle. When you get to the root of the problem—making sure you know who people are when they try to make multiple accounts—it’s much easier to make that first ban the last one as well.