Learn how you can keep cheaters at bay with ReferralHero anti-fraud features.

Making sure people don't cheat is extremely important at ReferralHero. While 100% protection is not possible (in technology some people will always find a way to game the system), our goal is to make sure that we are always a step ahead of cheaters.

In this article, you will learn how ReferralHero Anti-fraud algorithms work and how they protect you.

ReferralHero's Anti-Fraud Algorithm (RAFA) consists of 5 layers of security checkpoints:

  • 1st layer. The first thing we do is to check whether the email address entered is formatted properly and it is not an alias. Why not an alias? Because aliases are the easiest way to create unlimited free email addresses. If we allowed aliases people could just refer themselves forever.

  • 2nd layer. After that, ReferralHero does an MX records check-up to make sure the domain exists. For example, if the email entered is "", our system will make sure that the domain actually exists and is not associated with malicious activity.

  • 3rd layer. If the domain exists, we check if the domain is in our database of over 8,000 known disposable domains. We use a combination of third parties and an internal database, to make sure it's always up to date.

  • 4th layer. If the email looks legit we compare it against subscribers who have signed up before with the same IP address and or device. Whilst having the same IP address is not necessarily a sign of cheating (read more below), it's one of the markers that we use to flag a potential cheater. We also use an internal fingerprinting technology that has a 99% accuracy rate.

  • 5th layer. If the email has been flagged as potentially fraudulent, we then do a behavioural analysis on similar emails. A behavioural analysis aims to seek a specific set of patterns used by cheaters. For example, cheaters tend to sign up with fake emails over a short period of time. Genuine referrals usually take some time to pile up.


Do you block subscribers that use the same IP address? No, we don't. The IP address is only one of the many factors that we analyse. However alone it’s not enough. The simple reason is that a lot of offices or co-working spaces use a single IP address. We will flag subscribers who have used the same IP address as "Medium risk".

Is your algorithm perfect? The system is not perfect and never it will be. New websites and disposable domain services are created every day and sometimes it will happen that a few of them are used before we catch them.

Can I see which subscribers have been flagged? Yes. You can go to "Subscribers > High risk" and see which subscribers have been flagged by our system and the level of risk. If you think our system is wrong (a legit subscriber has been flagged as suspicious), you can decide to remove that subscriber from the High-Risk list by clicking on the "Approve" button.

What can I do if I see many subscribers in the "High risk" page? First of all, don't worry. Our system simply warns that some subscriber MIGHT be fraudulent but it's always up to your common sense to decide what to do. However, if you see a lot of subscribers in the "High risk" section the first thing to do is to check who has referred these people. If you notice that a lot of risky subscribers have been referred by a single person it's likely that this person is trying to cheat. You can always delete the risky subscribers and/or the referral.

Does your algorithm work when I use your APIs? The first 3 layers will work, but not the 4th and 5th.

Last updated