Every time tickets for a major cricket match go on sale—especially one involving India—millions of eager fans rush to secure their spot. Unfortunately, many find tickets already snatched up by fraudsters, only to resell them on black markets at inflated prices. As ticket supply remains limited while demand skyrockets, sophisticated bots and automated tools have made it increasingly difficult to block these malicious actors.
These bots aren’t just a nuisance; they’re a direct attack on your system’s fairness and availability. In this blog, we’ll explore traditional methods deployed to tackle fraud, the challenges these methods face, and practical solutions to help protect your system from abuse.
A common tactic employed by fraudsters is new account fraud—the act of creating large numbers of fake or deceptive accounts to game account-level restrictions, snap up limited inventory, or abuse promotional offers.
Block Disposable Email Domains
Prevent account creation using temporary email services like Mailinator, 10MinuteMail, or GuerrillaMail. Blocking temporary emails is a great first-line defense against low-effort abuse. However, since determined fraudsters can programmatically create accounts with legitimate providers like Gmail, this tactic should be seen as a filter, not a foolproof barrier.
Normalize Email Inputs
Stop multiple registrations using minor email variations by:
• Removing dots in the local part (e.g., john.doe@gmail.com → johndoe@gmail.com)
• Disallowing “+” aliases (e.g., user+alias@gmail.com treated as user@gmail.com).
This is highly effective for services like Gmail, but be aware that many other email providers don’t support these aliases, so its impact is targeted.
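The two email checks above, disposable-domain blocking and provider-aware normalization, in working form. This is an added example, not code from the post or from Ipsator; the disposable-domain list is a constructed three-entry sample standing in for a maintained blocklist, and the assumption that only Gmail (and its googlemail.com alias) ignores dots and “+” tags is deliberate so that addresses at other providers are left untouched, as the caveat above recommends.

```python
# Added example: disposable-domain screening plus email normalization used
# as the uniqueness key for a new account. Not the post's own code.
import re

# Constructed sample; a real deployment would load a maintained blocklist.
DISPOSABLE_DOMAINS = {"mailinator.com", "10minutemail.com", "guerrillamail.com"}

# Assumption: only Gmail is treated as dot-insensitive and "+tag"-aliased.
# Other providers may treat john.doe and johndoe as different mailboxes, so
# their local parts are left as-is (only case-folded).
ALIAS_PROVIDERS = {"gmail.com", "googlemail.com"}

_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def normalize_email(address: str) -> str:
    """Return a canonical key so alias variants of one mailbox collide."""
    address = address.strip().lower()
    if not _EMAIL_RE.match(address):
        raise ValueError(f"not a valid email address: {address!r}")
    local, domain = address.rsplit("@", 1)
    if domain == "googlemail.com":       # alternate domain for the same mailbox
        domain = "gmail.com"
    if domain in ALIAS_PROVIDERS:
        local = local.split("+", 1)[0]   # drop "+tag"
        local = local.replace(".", "")   # dots are ignored by the provider
    return f"{local}@{domain}"


def is_disposable(address: str) -> bool:
    """True when the domain is on the temporary-mail blocklist."""
    domain = address.strip().lower().rsplit("@", 1)[-1]
    return domain in DISPOSABLE_DOMAINS


def screen_registration(address: str, existing_keys: set) -> tuple:
    """Decide whether a sign-up email is accepted.

    existing_keys holds canonical keys of accounts already registered.
    Returns (decision, canonical_key); key is None when rejected early.
    """
    if is_disposable(address):
        return ("reject_disposable", None)
    key = normalize_email(address)
    if key in existing_keys:
        return ("reject_duplicate", key)
    return ("allow", key)


if __name__ == "__main__":
    registered = {"johndoe@gmail.com"}
    for candidate in ("John.Doe+sale@Gmail.com", "j.doe@example.org", "x@mailinator.com"):
        print(candidate, "->", screen_registration(candidate, registered))
```

Store the canonical key alongside the raw address the user typed: the key is for uniqueness checks, the raw address is what you actually send mail to.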
Limit Payment Instrument or Shipping Address Reuse
This is a form of velocity checking. The core principle is to detect and flag when a single entity is attempting to masquerade as many different users. If the same credit card, payment instrument or shipping address appears across multiple accounts, block the transaction to prevent coordinated fraud.
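A velocity check of the kind described, as an added example (not the post's or Ipsator's code). It counts how many distinct accounts have presented the same payment instrument or the same shipping address and flags the transaction once a threshold is crossed. The thresholds are constructed, the card numbers are well-known test PANs, and the HMAC secret is a placeholder; the fingerprinting of the PAN is an assumption standing in for the token your payment gateway would normally return.

```python
# Added example: velocity check on payment-instrument and shipping-address
# reuse across accounts. Not the post's own code.
import hashlib
import hmac
import re
from collections import defaultdict

MAX_ACCOUNTS_PER_INSTRUMENT = 2   # constructed threshold
MAX_ACCOUNTS_PER_ADDRESS = 3      # constructed threshold

# Placeholder secret; in production load it from a secrets manager.
FINGERPRINT_KEY = b"REPLACE-WITH-SECRET-KEY"


def card_fingerprint(pan: str) -> str:
    """Keyed hash of the card number so the velocity store never holds raw
    PANs and cannot be brute-forced offline. Assumption: a real system would
    prefer the gateway's own card token over hashing the PAN itself."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(FINGERPRINT_KEY, digits.encode(), hashlib.sha256).hexdigest()


def normalize_address(addr: str) -> str:
    """Collapse case, punctuation and whitespace so trivial variations of one
    address ("Flat 4, MG Road" vs "flat 4 mg road") produce the same key."""
    addr = re.sub(r"[^a-z0-9]+", " ", addr.lower())
    return " ".join(addr.split())


class VelocityChecker:
    def __init__(self):
        self.accounts_by_instrument = defaultdict(set)
        self.accounts_by_address = defaultdict(set)

    def check(self, account_id: str, pan: str, shipping_address: str) -> list:
        """Record the attempt and return the flags it triggered (empty = ok).

        Blocked attempts are recorded too, so a fraudster who keeps cycling
        accounts through one card stays flagged.
        """
        flags = []
        fp = card_fingerprint(pan)
        self.accounts_by_instrument[fp].add(account_id)
        if len(self.accounts_by_instrument[fp]) > MAX_ACCOUNTS_PER_INSTRUMENT:
            flags.append("instrument_reuse")
        key = normalize_address(shipping_address)
        self.accounts_by_address[key].add(account_id)
        if len(self.accounts_by_address[key]) > MAX_ACCOUNTS_PER_ADDRESS:
            flags.append("address_reuse")
        return flags


if __name__ == "__main__":
    checker = VelocityChecker()
    # Constructed attempts: several "new" accounts sharing one card and address.
    for acct in ("acct1", "acct2", "acct3", "acct4"):
        print(acct, checker.check(acct, "4111 1111 1111 1111", "Flat 4, MG Road, Bengaluru"))
```

In a real deployment the sets would live in a shared store with a time window (a card seen on two accounts a year apart is less suspicious than on two accounts in ten minutes), and a flag would usually route the booking to review or step-up verification rather than a hard block.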
Verify Mobile Numbers with OTP
Enforce OTP verification during login or at booking time. An account registered with a disposable mobile number cannot pass the check once that number is gone, so this prevents such accounts from being misused.
Even with account-level limits in place, fraudsters often create multiple accounts and use botnets or proxies to overwhelm the system.
Think of rate limiting as a bouncer at a popular club. The bouncer doesn’t care who you are individually (that’s what the account-level checks are for). Their job is to control the flow, ensuring the club doesn’t get dangerously overcrowded. If one group tries to rush the door all at once, the bouncer steps in and tells them to slow down. That’s exactly what rate limiting does for your server.
IP Address Tracking
Monitor the number of requests from each IP. This is the most common strategy, but it’s easily bypassed. Fraudsters use botnets and proxy networks (both datacenter and residential) to distribute their requests across thousands of unique IP addresses, making each one look like a legitimate user. This is why IP-based limiting alone is not enough.
Username Monitoring
Prevent excessive login or booking attempts per username, limiting brute-force or automated attacks carried out through botnets, VPNs, or proxies.
Device Fingerprinting (DeviceId)
This powerful technique moves beyond easily changed IPs. A device fingerprint creates a unique ID from a combination of signals from a user’s browser or device—like screen resolution, installed fonts, and operating system. This allows you to detect multiple accounts operating from the same physical machine, even if they use VPNs or proxies. It becomes much harder for a fraudster to run a massive attack, as they would need to constantly spoof thousands of unique and consistent device profiles.
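The three rate-limiting dimensions above (IP, username, device fingerprint) in one sliding-window limiter, as an added example that is not the post's or Ipsator's code. The point it demonstrates is the one the section makes: a request is checked against every dimension at once, so rotating IPs across a proxy network does not help an attacker who keeps hitting the same username or presents the same device ID. The limits are constructed, and how the device_id is computed is out of scope here (it is assumed to arrive as an opaque string from your fingerprinting library).

```python
# Added example: sliding-window rate limiter keyed by several dimensions.
# Not the post's own code.
import time
from collections import defaultdict, deque

# Constructed limits: dimension -> (max requests, window in seconds).
LIMITS = {
    "ip": (100, 60),
    "username": (10, 60),
    "device_id": (20, 60),
}


class MultiKeyRateLimiter:
    def __init__(self, limits=LIMITS, clock=time.monotonic):
        self.limits = limits
        self.clock = clock                  # injectable for tests
        self.events = defaultdict(deque)    # (dimension, key) -> timestamps

    def allow(self, **signals):
        """signals: ip="...", username="...", device_id="..." (any may be None).

        Returns (allowed, [dimensions whose limit was exceeded]). Every attempt
        is recorded, allowed or not, so a client that keeps hammering stays
        limited until it actually backs off.
        """
        now = self.clock()
        exceeded = []
        for dim, key in signals.items():
            if key is None or dim not in self.limits:
                continue
            max_req, window = self.limits[dim]
            q = self.events[(dim, key)]
            while q and q[0] <= now - window:   # drop events outside the window
                q.popleft()
            if len(q) >= max_req:
                exceeded.append(dim)
            q.append(now)
        return (not exceeded), exceeded


if __name__ == "__main__":
    limiter = MultiKeyRateLimiter()
    # Constructed traffic: one username hit from a different IP each time.
    for i in range(12):
        ok, why = limiter.allow(ip=f"10.0.0.{i}", username="bob", device_id="dev-1")
        print(i + 1, "allowed" if ok else f"blocked on {why}")
```

Because the decision names the dimension that tripped, the response can differ per dimension: an IP limit can answer with a plain 429, while a username or device limit is a stronger abuse signal and can route to CAPTCHA or OTP instead.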
Log out users and redirect to CAPTCHA or OTP verification when key parameters (IP, DeviceId) change mid-session.
Shadow ban or lock accounts that make too many login attempts within a short time.
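The two session-level controls above (forcing re-verification when IP or device ID changes mid-session, and locking accounts after a burst of failed logins) as an added example, not the post's or Ipsator's code. It binds a session to the IP and device it was issued for, revokes it on drift so the caller can redirect to CAPTCHA or OTP, and keeps a per-username window of failed logins. The thresholds and the sample IPs are constructed.

```python
# Added example: session binding with step-up on drift, plus failed-login
# lockout. Not the post's own code.
import time
from collections import defaultdict, deque

BOUND_SIGNALS = ("ip", "device_id")
MAX_FAILED_LOGINS = 5       # constructed threshold
FAILED_LOGIN_WINDOW = 300   # seconds, constructed
LOCKOUT_SECONDS = 900       # constructed


class SessionGuard:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.sessions = {}                  # session_id -> bound signals
        self.failed = defaultdict(deque)    # username -> failure timestamps
        self.locked_until = {}              # username -> unlock time

    def issue(self, session_id, user, ip, device_id):
        """Bind a freshly authenticated session to the signals seen at login."""
        self.sessions[session_id] = {"user": user, "ip": ip, "device_id": device_id}

    def check_request(self, session_id, ip, device_id):
        """Return 'ok', 'step_up' (session revoked, send to CAPTCHA/OTP)
        or 'no_session'."""
        s = self.sessions.get(session_id)
        if s is None:
            return "no_session"
        seen = {"ip": ip, "device_id": device_id}
        if any(s[k] != seen[k] for k in BOUND_SIGNALS):
            del self.sessions[session_id]   # log the user out
            return "step_up"
        return "ok"

    def record_login_failure(self, username):
        """Record a failed login; return True if this one triggered a lockout."""
        now = self.clock()
        q = self.failed[username]
        q.append(now)
        while q and q[0] <= now - FAILED_LOGIN_WINDOW:
            q.popleft()
        if len(q) >= MAX_FAILED_LOGINS:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            return True
        return False

    def is_locked(self, username):
        until = self.locked_until.get(username)
        return until is not None and self.clock() < until


if __name__ == "__main__":
    guard = SessionGuard()
    guard.issue("s1", "alice", "203.0.113.5", "dev-A")
    print(guard.check_request("s1", "203.0.113.5", "dev-A"))   # ok
    print(guard.check_request("s1", "198.51.100.7", "dev-A"))  # step_up
    for _ in range(5):
        locked = guard.record_login_failure("bob")
    print("bob locked:", guard.is_locked("bob"))
```

A shadow ban is the same lockout state with a different response: instead of an explicit error, the account is served as if nothing were available, which gives an automated attacker no signal to adapt to. Mobile users change IP legitimately as they move between networks, so in practice the IP check is often softened to a change of network or country rather than any change at all, while the device ID stays a hard bind.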
While the strategies above will block a significant amount of crude, automated fraud, the most sophisticated attackers focus on mimicking human behavior. In our next post, we’ll explore the world of behavioral analytics and biometrics, where we’ll learn to spot the invisible tells of a bot, such as:
None of these strategies work in isolation. A sophisticated fraudster might use a real Gmail account to bypass your email checks, but their plan will fall apart when your system detects that the same credit card is being used across ten different “new” accounts.
Think of your security like a medieval castle’s defenses:
A single defense can be bypassed, but forcing an attacker to defeat multiple, interlocking layers makes your system a much harder—and less profitable—target.
The goal of a modern anti-fraud system is not to be impenetrable, but to make attacking your platform unprofitable. Each layer you add—from email validation to intelligent rate limiting—increases the cost, time, and complexity for a fraudster to succeed. By building a layered defense, you force them to abandon their efforts in search of an easier target. This ensures your real fans and customers get the fair access they deserve.
Stay tuned as we explore more sophisticated behavioral analytics and machine learning solutions in upcoming posts.
Want to read more about how we think and build at Ipsator?