Referral programs can easily become a magnet for abuse. This article breaks down predictable abuse patterns and practical tips to help your team stay ahead of referral fraudsters.
Common referral abuse tactics
| Tactic | How It Works | Example |
|---|---|---|
| Self-referrals | User creates multiple fake accounts to refer themselves | User signs up as both referrer and referee using different emails |
| Code farming | Referral codes shared on public forums, social media, or Reddit threads | User posts their referral link in a large group, earning rewards from strangers |
| Fake identities | Fraudster uses bots, stolen identities, or temporary emails to create fake users | User buys disposable email addresses to generate fake sign-ups |
| Return abuse | Referrals generate a purchase that is returned post-reward | Referee buys an item, gets a reward, then requests a refund or chargeback |
| Location spoofing | User manipulates location data to bypass geo-restrictions on referral rewards | VPN used to simulate being in a targeted country for higher payout |
An approach to designing smarter referral programs
We recommend starting on the conservative side and slowly loosening your fraud and abuse rules as you get a better sense of your audience's behaviour.
You need to tailor these rules for your audience, but here's an example of what it could look like:
Start conservative:
- Cap rewards per user: no more than 10 total referrals per month, or a lifetime cap of 20 per user.
- Limit reward velocity: no more than 5 rewards per day per user.
- Delay payouts: wait at least 7 days (or the length of your return window) before releasing a referral reward.
- Verify every referrer and referee: use email, phone, or payment method validation to ensure they're real users.
- Geo-fence your program: only accept referrals from countries you can service profitably.
Monitor closely:
- Set up alerts for unusual patterns:
  - A single user earning multiple rewards from the same IP or device.
  - High concentrations of referrals from a single country or region.
  - A sudden spike in signups or reward claims at odd hours.
- Review fraud cases regularly: manually investigate suspicious activity and adjust rules accordingly.
- Monitor refund and churn rates: high rates may signal fraud.
Open up:
- Increase reward caps only after 30–60 days of stable data.
- Gradually relax velocity rules: for example, move from 5 rewards per day to 10.
- Expand geo-targeting one region at a time, with close monitoring.
- Introduce higher-value rewards only after building confidence in program integrity.
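As an added example (not code from the original article or from Flock's product), here is a Python eligibility check that encodes the "start conservative" rules above as one policy evaluation: monthly and lifetime caps per referrer, daily reward velocity, the 7-day payout hold, geo-fencing, referee verification, and a same-device self-referral check. The policy values, country list, `Referral` fields and the sample referrals in `demo()` are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Constructed policy mirroring the "start conservative" rules above; tune it for your audience.
POLICY = {
    "monthly_cap": 10, "lifetime_cap": 20, "daily_velocity": 5,
    "payout_delay": timedelta(days=7),        # hold until the return window closes
    "allowed_countries": {"US", "CA", "GB"},  # hypothetical serviceable countries
}
@dataclass
class Referral:
    referrer: str
    referee: str
    country: str            # referee country from verified IP/device data
    device_id: str          # referee device fingerprint
    referee_verified: bool  # email, phone or payment-method check passed
    created: datetime
    returned: bool = False  # purchase refunded or charged back during the hold

def evaluate(ref, history, now, referrer_devices):
    """Decide 'reject', 'hold' or 'pay' and list the rules hit. history: referrals already
    credited to this referrer; referrer_devices: fingerprints seen on the referrer's own account."""
    def within(days):  # credited referrals inside a trailing window
        return sum(h.created >= ref.created - timedelta(days=days) for h in history)
    checks = [
        ("geo-fence", ref.country not in POLICY["allowed_countries"]),
        ("unverified-referee", not ref.referee_verified),
        ("self-referral-device", ref.device_id in referrer_devices),
        ("monthly-cap", within(30) >= POLICY["monthly_cap"]),
        ("lifetime-cap", len(history) >= POLICY["lifetime_cap"]),
        ("velocity", within(1) >= POLICY["daily_velocity"]),
        ("return-abuse", ref.returned),
    ]
    reasons = [name for name, hit in checks if hit]
    if reasons:
        return "reject", reasons
    if now - ref.created < POLICY["payout_delay"]:
        return "hold", ["payout-delay"]  # earned, but not released until the window closes
    return "pay", []

def demo():
    """Constructed sample referrals that exercise each rule; returns decisions by case."""
    t0 = datetime(2024, 1, 1, 12, 0)
    now = t0 + timedelta(days=8)
    burst = [Referral("alice", f"u{i}", "US", f"d{i}", True, t0 - timedelta(hours=i)) for i in range(5)]
    return {
        "clean": evaluate(Referral("alice", "bob", "US", "dev-b", True, t0), [], now, {"dev-a"}),
        "early": evaluate(Referral("alice", "bob", "US", "dev-b", True, t0), [], t0 + timedelta(days=2), set()),
        "self": evaluate(Referral("alice", "bob", "US", "dev-a", True, t0), [], now, {"dev-a"}),
        "burst": evaluate(Referral("alice", "bob", "US", "dev-b", True, t0), burst, now, set()),
        "refund": evaluate(Referral("alice", "bob", "XX", "dev-b", True, t0, returned=True), [], now, set()),
    }
```

Loosening the program later is a matter of raising the `POLICY` values one at a time, which keeps each relaxation reviewable against the alerts described above.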
Mitigating specific abuse patterns
| Fraud Tactic | How to Mitigate |
|---|---|
| Self-referrals | Cap rewards per user, verify identity, limit velocity |
| Code farming | Prohibit public sharing, scan forums, cap total rewards per user |
| Fake identities | Use device fingerprinting, pattern analysis, email/phone verification |
| Return abuse | Delay rewards until after return window or retention period |
| Location spoofing | Geo-fence referrals, verify IP and device data |
How Flock can help
Flock has a powerful and flexible fraud model that makes it easier to run your referral program with confidence. Want to see how it works? Book a demo.