Skip to content

Why am I here? Nethone is now part of Mangopay. Learn more about our award-winning Fraud Prevention solution  arrow-right-thin-inline

How to get precise fraud detection with a proxies and VPN detection tool

Learn how to detect the shadiest VPNs and proxies used for fraudulent activities such as account takeover, account opening fraud, payment fraud, and more.

get-precise-fraud-detection-with-a-proxies-and-vpn-detection-tool-1 Thumbnail - get-precise-fraud-detection-with-a-proxies-and-vpn-detection-tool

Experienced fraudsters use lesser-known illegal VPN services and proxies that are hard to detect, thus bypassing fraud prevention measures and pulling off account takeovers, account opening fraud, and payment fraud at a large scale.

Here's where our proxies and VPN detection tool steps in to address this loophole. Unlike conventional methods reliant on lists of known VPNs and proxies, this one assesses connections based on behavior, adding AI technology for real-time detection. The outcome is a significant uptick in precision, with the ability to uncover the subtle footprints of fraudulent activities and achieve a low false positives rate.


How fraudsters use VPNs and proxies to defraud your business and users

With shady VPNs and proxies, fraudsters can hide who the IP address belongs, their true geographic location, and repeated attempts, allowing them to commit fraud without being caught. Residential proxies, which are particularly popular in this context, refer to compromised devices owned by 'clean' internet users who are unaware their device is used for malicious activities. Fraudsters mask their identities and true locations behind the victim’s device - a practice facilitated by professional services offering a vast range of proxies and VPNs for sale.

Differences between various proxy services

There are four key types of proxy services commonly used in fraud as well. 

Datacenter proxies are the most basic type. They are commercially assigned to servers and are not affiliated with any Internet Service Provider (ISP). Because they are often flagged due to high bot likelihood and are typically shared among multiple users, they are at high risk of being blocked.

Residential proxies are assigned by ISPs. They are useful for fraudsters as they mimic human IPs, hence have a lower risk of being flagged.

Static Residential Proxies are a hybrid between datacenter and residential proxies. These proxies are recommended for tasks that require maintaining long sessions and circumventing captcha or anti-bot systems.

Mobile proxies are provided by mobile service providers. They have a low risk of being blocked because they’re not tied to a single user, as they are dynamically assigned to those within a cell tower's range. 


Fraud use cases involving VPNs and proxies

Fraudsters commonly exploit VPNs and proxies to hide their geo-location to commit various types of fraud. From here, more large-scale fraud types develop, such as account takeovers, account opening fraud, payment fraud, and even specialized, such as web scraping, account farming, price or inventory manipulation, and compliance breaches. Let's take a look at the most prominent ones.

Account takeover

Fraudsters need to mimic the real account holder's behavior close to perfection to avoid being flagged by risk detection software. By keeping the real users' attributes close to match, such as the IP address, fraudsters have enough time to explore the newly grabbed account. Why a shady VPN is useful for the fraudsters here? Because it can get an IP from the victim’s general area, and it can also hide their tracks.  

Account opening fraud

Fraudsters use synthetic IDs, so they need IP addresses to spoof their real ones. For creating one or multiple accounts that act independently of each other, fraudsters mask their actual IP address to make every account appear as if it is set up by a different individual from a different location. Also, most platforms restrict the number of accounts that can be created per IP address to prevent spamming, so fraudsters need to bypass this limitation by using a different IP address for each account. A hard-to-detect VPN or proxy will do the job.

Payment fraud

This fraudulent step marks the point where the fraudster gains control and is poised to spend the legitimate user's money. To avoid being detected, fraudsters are using a VPN connection to 'warm up the shop'. They try to impersonate the victim's behavior as much as possible, not only by keeping consistent shopping patterns but also by using an IP address from the victim's area and a spoofed browser so they can easily blend in.

Online platforms often offer bonuses, promotional offers, and discounts to attract new customers or to keep existing ones engaged. Fraudsters use VPNs and proxies to exploit these offers, a practice often referred to as bonus hunting or promo abuse. By hiding their real identity and location, fraudsters can sign up for the same promotional offers multiple times, breaking the typical 'one-per-customer' rule.

Web scraping 

While there are legitimate reasons for web scraping, such as data analysis and data-driven decision-making, it can also be used with malicious intent. Websites can detect and ban IP addresses that show bot-like behavior, such as rapid, repeated requests. By using a VPN or proxy, a fraudster can easily switch to a different IP address and continue scraping even after a ban. To scrape large amounts of data without being detected, fraudsters distribute their requests across many different IP addresses. This reduces the load on each IP and makes the scraping activity appear more like typical, human-led browsing.

Bot attacks 

To counter bot attacks, websites or apps block suspicious IP addresses, so fraudsters are looking to replace blocked IP addresses with new ones, continuing the attack uninterrupted and orchestrating distributed bot attacks from many locations at once. Certain VPNs and proxies, especially residential IP addresses, can make bot traffic appear as human users. This helps the bots bypass security measures implemented to stop them, allowing the attack to proceed undetected. 

Bots are also used in credential stuffing attacks, where cybercriminals use stolen or leaked credentials from one site to access accounts on others. With many users reusing passwords across platforms, providing stolen credentials often grants fraudsters full account access.

Sneaky VPNs and proxies: an anti-fraud struggle

VPNs, residential proxies, or TOR are network anonymization tools that enable dishonest users to simulate connections from diverse network locations and contexts. The constant changes in service addresses make it difficult to use lists of approved or blocked connections alone to fight against fraud. Proactive detection methods, like identifying these network anonymization techniques based on behavioral patterns, enable accurate detection of such cases in real time, even those using the latest and unknown anonymization methods.

Fraud prevention companies can detect proxy and VPN connections from well-known VPN providers, such as NordVpn and ExpressVpn, but they often rely on lists of VPN and proxy servers that quickly become outdated as new devices join the network. These companies struggle to recognize when new users with new devices with unknown VPNs or proxies show up, because they're not familiar with them. Fraud prevention systems are not up-to-date with the latest VPNs and proxies fraudsters use, allowing these lesser-known services to slip through undetected.

VPN and proxy detection done right

To detect shady VPN or proxy connections, we rely on behavioral analysis rather than static data, and instead of depending solely on outdated lists, we focus on real-time behavior. What does it mean to you? Even if a compromised device was recently added to the proxy server, we can recognize it and stop fraudulent activities occurring on your website and app with the highest precision in a matter of seconds. In essence, you can stay ahead of evolving threats and ensure your platform has a high level of protection against emerging risks, even if they arise from the most recent, previously undetected sources.


VPN and proxy detection is part of a large suite of risks we detect. 

If you'd like to learn more about how we can detect and block fraud on your website and app with the Behavioral VPN tool, contact us, and we'll show you exactly how.