A duplicate account is an account for a service controlled by a person in addition to their primary account. Some are for legitimate purposes, like replacing inaccessible accounts or separating a person’s private and public lives. Others are used for spam, scams, phishing, and other abuses.

‍

Duplicate accounts can create issues for a marketplace’sTrust and Safety operations for a number of reasons. One is that they make malicious behavior more difficult to trace back to its original perpetrator, especially if they’re using a duplicate account to impersonate someone else. Another is that they allow for the amplification of abuses, like artificially “ganging up” to harass certain users, or manipulating feedback or reward systems quicker and on larger scales. Perhaps most concerningly, they can allow abusive users to avoid consequences for their actions by simply switching to a different account.

‍

‍

Why Do Duplicate Accounts Occur? 

Sometimes, people will make duplicate accounts for non-malicious reasons. For example, a person may simply forget the login credentials for an account and create a new one to replace it. Or an employee of a business may accidentally create a duplicate account for that business, not realizing that another employee had already done so. People may also have duplicate accounts to separate their personal and professional personas.

‍

Other times, duplicate accounts are deliberately created for nefarious purposes. Some people may make duplicate accounts to distribute spam, harass others, or otherwise artificially influence a platform’s discussions or dynamics. Others may use duplicate accounts as backups in case their main account is restricted because of abusive behavior. This is commonly known as ban evasion.

‍

A person may also sometimes use duplicate accounts to fraudulently take advantage of perks or rewards on a platform more times than they are normally allowed. And in some cases, a person may use a duplicate account to impersonate another user. This is usually done as part of scams, spam, or phishing targeting that user and their contacts.

People who maliciously use duplicate accounts are becoming smarter in how they disguise fake accounts to look like real ones. However, there still tend to be some telltale signs that an account is a duplicate and doesn’t reflect a genuine individual person or organization. Here are 8 common ones.

‍

• Strange account name: A username that uses strange symbols or numbers, or misspells words, could be a duplicate account. This is especially because some platforms will propose alternative usernames with numbers if a base username is already taken.
• Ambiguous pictures: An account that uses a default profile picture, one that doesn’t match the activity on their account, or one that appears to be fabricated from another picture is cause for suspicion. Another red flag can be the account not consistently having pictures of the same people, or using stock photography too often. 
• Fake biography: Some platforms allow users space to provide information about themselves. If a profile has an incomplete biography, one that’s inconsistent with the rest of the account’s content, or one that just includes a bunch of suspicious-looking content (like links, emojis, and hashtags), it’s worth treating with skepticism.
• Lack of verification: Some services have badges that signify an account has been proven, with documents, to be the main account of a person or organization. Accounts that claim to be this person or organization but don’t have this badge are usually duplicates.
• Suspicious (lack of) followers: Generally, platform users will follow the accounts of people or groups that interest them. If an account has posted lots of content and is following many other accounts, but doesn’t have many followers itself, it may be a duplicate account. Or if an account has followers, but the followers don’t interact with the account often or have suspicious characteristics, it may also be a duplicate account.
• Lack of account history: Some platforms allow users to see how long an account has been active and how frequently it has been used. Newer accounts deserve greater caution, as do older accounts that don’t have a lot of overall activity on them.
• Repetitive account activity: Real users of online platforms tend to vary how they interact with the platform and other users. An account that simply reposts the content of others, or repeatedly posts similar messages (especially if they’re too-good-to-be-true product or service offers) should raise some red flags.‍
• Lack of congruency with other platforms: Check to see if an account’s user has accounts on other platforms. If they don’t, or if they do but their details and engagement metrics don’t match up across their accounts, it could be a sign that the account is a duplicate.

As we’ve touched on, another reason that duplicate accounts are problematic for Trust and Safety is that they aren’t always used by bad actors (though many of them are).

‍

So how does a platform separate honest users of duplicate accounts from ones who are simply there to cause trouble? Here are a few suggested techniques.

‍

‍

Identity verification

A quintessential way to cut down on malicious duplicate accounts is to require users to verify their identities when creating accounts. Sometimes, it may suffice to ask for an e-mail address or phone number, and then require the user to click a link in an email or text message. Other times, platforms may ask users for selfies or pictures of ID documents. They may also manually review user sign-ups, or use database-searching software to attempt to match credentials with known troublemakers.

‍

‍

Link analysis and re-verification

Another method for rooting out duplicate accounts made by bad actors is to employ link analysis tools. This allows for scanning a database of accounts to look for suspicious similarities between them. 

‍

For example, a group of accounts created at the same IP address, at the exact same date & time, or with similar ID credentials may indicate a user (or group of users) abusively signing up for duplicate accounts. Then the account owners can be asked to re-verify their identities. If they don’t, or the credentials they provide aren’t consistent, then a platform can take disciplinary action against them.

‍

‍

Behavioral cues

The actions a user takes when signing up for an account, or shortly after creating an account, can provide clues as to whether the account is a duplicate. For example, a person may use a VPN to make it seem like they’re operating from somewhere other than where they actually are. Or if they sign up for an account and then immediately change the credentials associated with it, that’s another red flag for a duplicate account.

‍

Some platforms use tools that look for behavioral oddities associated with duplicate accounts. For instance, some use invisible “honeypot” fields during registration that robots aiming to make duplicate accounts will attempt to fill in, but legitimate users won’t. Others will watch for hesitation in filling in basic information that could be indicative of a robot, instead of an actual person, trying to create an account.

‍

‍

Other security tools

There are other security solutions out there that can help a platform detect and block duplicate account fraud. For example, adding multi-factor authentication to a login process can help to slow down or stop abusive behaviors perpetrated by duplicate accounts. A program that identifies and prevents robot activity on a platform can also be useful.

‍

Other handy tools revolve around analyzing a user’s hardware and software signatures to check if multiple accounts are originating from the same location or device. For example:

‍

• Device fingerprinting: Device ID, browser ID, cookies, local file storage
• IP address: Geolocation, known VPN addresses
• E-mail address: Domain validity, date created, links to social media accounts‍
• Phone number: Geolocation, carrier, links to social media accounts

‍

‍