Fraud prevention is a consideration for every company with a referral program. Inevitably, someone will test the system. Although you can’t change the intentions of bad actors, you can design your program to minimize fraudulent behavior. Combining our standard Advocate security features with good program design minimizes the risks posed by fraudulent activity.
We automatically compare referred friends’ email addresses against an extensive list of known disposable and temporary email domains. Our system also lets you manually block domains from the Settings → Security page in the Admin Portal. Learn more by viewing our Blocked Email Domains article.
Blocking participants can be done in a few ways:
You can invalidate a participant’s referral code to prevent them from making successful referrals. When the participant tries to use their code, they’ll receive a 404 Not Found message, or the referral they made won’t be attributed to them.
Individual IP addresses or a range of IP addresses can be blocked from the Settings → Security page in the Admin Portal.
Participants from specific countries can also be blocked if you have configured your data sharing settings to include sending us participant locale information.
We always recommend requiring authentication for API and UTT calls related to your referral program. You can adjust your settings in the Admin Portal to require a signed request to make authentication mandatory.
A signed request is a request whose data is accompanied by a JWT or your API key. We use signed requests to verify that data sent to us comes from a trusted source. If signed requests aren’t required and we receive data that includes only your tenant alias, that data could make unauthorized or unintended changes to your program.
JWTs provide an extra layer of security when using UTT for referral programs because they are signed with your private API key, which only you hold. You can use signed requests when creating or updating participants, events, and referrals. Learn more from our Signed Requests for Referral Programs article.
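The following is an added illustration, not Advocate’s own code or API format: it shows the mechanism a signed request relies on. A payload is wrapped in an HS256 JWT keyed with the private API key, and the receiving side accepts it only if the signature verifies and the token is unexpired; a request carrying just a tenant alias is rejected whenever signing is mandatory. The key, tenant alias, claim names and the `handle_upsert` policy are all constructed assumptions for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample values. A real deployment uses the tenant's private API key
# and never embeds it in client-side code.
PRIVATE_API_KEY = b"constructed-demo-key-not-a-real-secret"
TENANT_ALIAS = "placeholder_tenant_alias"  # placeholder, not a real tenant


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_request(payload: dict, key: bytes, ttl_seconds: int = 300,
                 now: Optional[int] = None) -> str:
    """Wrap the request payload in an HS256 JWT signed with the private API key."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = dict(payload, iat=now, exp=now + ttl_seconds)
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = f"{_b64url(compact(header))}.{_b64url(compact(claims))}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_request(token: str, key: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        if header.get("alg") != "HS256":  # refuse "none" and algorithm substitution
            return None
        expected = hmac.new(key, f"{h_b64}.{c_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
            return None  # payload or signature was altered, or a different key was used
        claims = json.loads(_b64url_decode(c_b64))
        if int(claims.get("exp", 0)) <= now:
            return None  # replaying an old capture is not accepted
        return claims
    except (ValueError, TypeError):
        return None


def handle_upsert(request: dict, key: bytes, require_signed: bool,
                  now: Optional[int] = None) -> str:
    """Constructed server-side policy: with signing required, unsigned data is rejected
    even when it names the correct tenant alias."""
    token = request.get("jwt")
    if token is None:
        return "rejected: signature required" if require_signed else "accepted-unsigned"
    if verify_request(token, key, now) is None:
        return "rejected: bad signature or expired"
    return "accepted"


if __name__ == "__main__":
    payload = {"tenantAlias": TENANT_ALIAS, "user": {"id": "u1", "accountId": "a1"}}
    tok = sign_request(payload, PRIVATE_API_KEY)
    print(handle_upsert({"jwt": tok}, PRIVATE_API_KEY, require_signed=True))
    print(handle_upsert(payload, PRIVATE_API_KEY, require_signed=True))
```

Requiring the signature moves the trust decision from "does this request name our tenant alias" to "was this request produced by someone holding our private key", which is the property the Admin Portal setting enforces.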
A common form of referral program fraud is someone trying to refer themselves multiple times to get rewarded. Programs that offer double-sided rewards for both the advocate and the referred friend are especially appealing for this type of fraud. Fortunately, with thoughtful design, you can minimize the impact of these attempts to game the system. Our top tips:
Require the referred friend to make a purchase or sign up for a plan before they’re rewarded. Revenue-centric goals are useful, and so is encouraging your participants to fully experience a product by setting up a website, verifying a phone number, or making their first post. This makes exploiting the program harder while still achieving your business goals.
The best type of incentive to offer depends on your business model. Legitimate B2C participants benefit from rewards like discounts, free time or limited-time access to an upgraded version of your product or service. B2B participants are typically better served by rewards outside of your service model, with gift cards being a popular selection. Using these reward types reduces the financial risk of any potential fraud, and in some cases can ensure a positive ROI from every possible referral.
Existing users who are looking to game the referral system can often be deterred by the threat of losing access to their account. This is particularly effective for SaaS, games, or marketplace companies because users often have a vested interest in keeping their accounts active, and fear losing access to a service they regularly use.
Capping rewards at a certain value or quantity discourages participants from trying to disproportionately profit from your reward structure. Caveat: Your program may have some super advocates or micro-influencers that drive a lot of traffic to your program. Consider adding them to a segment that allows higher rewards so they remain motivated to refer.
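To tie the controls on this page together, here is an added example that is not Advocate’s code: a small referral-evaluation policy that applies the disposable-domain and manual domain blocks, the IP and IP-range blocks, a self-referral heuristic for the double-sided-reward case, the requirement that the friend complete a qualifying event before anyone is rewarded, and a per-advocate reward cap that a segment can raise for super advocates. The domains, networks, cap values, segment name and event names are constructed assumptions for the example; the “+tag” email normalisation is a heuristic, not a statement about how the product matches participants.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed settings. In a real program these come from your admin configuration.
DISPOSABLE_DOMAINS = {"throwaway.example", "tempmail.example"}  # automatic list
TENANT_BLOCKED_DOMAINS = {"competitor.example"}                  # manually blocked
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),      # a blocked range
                    ipaddress.ip_network("198.51.100.7/32")]     # a single blocked IP
QUALIFYING_EVENTS = {"purchase", "plan_signup"}
REWARD_CAP_DEFAULT = 5
SEGMENT_CAPS = {"super_advocate": 50}  # higher cap so heavy referrers stay motivated


@dataclass
class Participant:
    id: str
    email: str
    ip: str
    segment: Optional[str] = None
    rewards_earned: int = 0


@dataclass
class Referral:
    advocate: Participant
    friend: Participant
    qualifying_event: Optional[str] = None  # None until the friend completes one


@dataclass
class Decision:
    reward_advocate: bool
    reward_friend: bool
    reasons: List[str] = field(default_factory=list)


def normalise_email(email: str) -> str:
    """Lower-case and drop a '+tag' so alice+1@ and alice+2@ compare equal (heuristic)."""
    local, _, domain = email.lower().rpartition("@")
    return f"{local.split('+', 1)[0]}@{domain}"


def is_blocked_domain(email: str) -> bool:
    domain = email.lower().rpartition("@")[2]
    return domain in DISPOSABLE_DOMAINS or domain in TENANT_BLOCKED_DOMAINS


def is_blocked_ip(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparseable address is treated as blocked
    return any(addr in net for net in BLOCKED_NETWORKS)


def looks_like_self_referral(advocate: Participant, friend: Participant) -> bool:
    return (normalise_email(advocate.email) == normalise_email(friend.email)
            or advocate.ip == friend.ip)


def reward_cap(advocate: Participant) -> int:
    return SEGMENT_CAPS.get(advocate.segment, REWARD_CAP_DEFAULT)


def evaluate_referral(r: Referral) -> Decision:
    """Decide whether the advocate and/or friend earn a reward for this referral."""
    reasons = []
    if is_blocked_domain(r.friend.email):
        reasons.append("friend email domain is disposable or blocked")
    if is_blocked_ip(r.friend.ip):
        reasons.append("friend IP is blocked")
    if looks_like_self_referral(r.advocate, r.friend):
        reasons.append("self-referral signal: shared email or IP with advocate")
    if reasons:
        return Decision(False, False, reasons)
    if r.qualifying_event not in QUALIFYING_EVENTS:
        return Decision(False, False, ["waiting for a qualifying event"])
    # Friend always earns once they qualify; advocate is subject to the cap.
    can_pay_advocate = r.advocate.rewards_earned < reward_cap(r.advocate)
    if not can_pay_advocate:
        reasons.append("advocate reward cap reached")
    return Decision(can_pay_advocate, True, reasons)


if __name__ == "__main__":
    alice = Participant("u1", "alice@example.com", "192.0.2.10")
    bob = Participant("u2", "bob@example.com", "192.0.2.20")
    print(evaluate_referral(Referral(alice, bob, "purchase")))
    print(evaluate_referral(Referral(alice, Participant("u3", "alice+2@example.com", "192.0.2.10"))))
```

The order of checks matters for the program’s economics: identity and blocklist signals short-circuit before any reward is considered, the qualifying event gates both sides of a double-sided reward, and the cap is applied only to the advocate so a legitimate friend is never penalised for the advocate’s history.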