Most online platforms allow a person or organization to only have a single account. From a Trust and Safety perspective, this helps ensure each account’s user can be held responsible for the activities originating from their account. However, there are some instances where users can have duplicate accounts on a platform.
Sometimes, there are justifiable reasons for a user having duplicate accounts. They may not be able to get into their original account because they’ve forgotten or lost access to the username, email address, phone number, or password associated with it. Or they may want to have one account to represent them professionally, and another for more personal uses.
Generally, though, duplicate accounts are problematic because they make abusive behaviors on digital marketplaces possible, or at least easier. These include spam, scams, phishing, harassment, engagement manipulation, impersonation, ban evasion, and even fraud. This article will discuss what duplicate accounts are, why they happen, how to identify malicious ones, and how to prevent the types of abuses they enable.
A duplicate account is an account for a service controlled by a person in addition to their primary account. Some are for legitimate purposes, like replacing inaccessible accounts or separating a person’s private and public lives. Others are used for spam, scams, phishing, and other abuses.
Duplicate accounts can create issues for a marketplace’s Trust and Safety operations for a number of reasons. One is that they make malicious behavior more difficult to trace back to its original perpetrator, especially if they’re using a duplicate account to impersonate someone else. Another is that they allow for the amplification of abuses, like artificially “ganging up” to harass certain users, or manipulating feedback or reward systems quicker and on larger scales. Perhaps most concerningly, they can allow abusive users to avoid consequences for their actions by simply switching to a different account.
Sometimes, people will make duplicate accounts for non-malicious reasons. For example, a person may simply forget the login credentials for an account and create a new one to replace it. Or an employee of a business may accidentally create a duplicate account for that business, not realizing that another employee had already done so. People may also have duplicate accounts to separate their personal and professional personas.
Other times, duplicate accounts are deliberately created for nefarious purposes. Some people may make duplicate accounts to distribute spam, harass others, or otherwise artificially influence a platform’s discussions or dynamics. Others may use duplicate accounts as backups in case their main account is restricted because of abusive behavior. This is commonly known as ban evasion.
A person may also sometimes use duplicate accounts to fraudulently take advantage of perks or rewards on a platform more times than they are normally allowed. And in some cases, a person may use a duplicate account to impersonate another user. This is usually done as part of scams, spam, or phishing targeting that user and their contacts.
People who maliciously use duplicate accounts are becoming smarter in how they disguise fake accounts to look like real ones. However, there still tend to be some telltale signs that an account is a duplicate and doesn’t reflect a genuine individual person or organization. Here are 8 common ones.
As we’ve touched on, another reason that duplicate accounts are problematic for Trust and Safety is that they aren’t always used by bad actors (though many of them are).
So how does a platform separate honest users of duplicate accounts from ones who are simply there to cause trouble? Here are a few suggested techniques.
A quintessential way to cut down on malicious duplicate accounts is to require users to verify their identities when creating accounts. Sometimes, it may suffice to ask for an email address or phone number, and then require the user to click a link in an email or text message. Other times, platforms may ask users for selfies or pictures of ID documents. They may also manually review user sign-ups, or use database-searching software to attempt to match credentials with known troublemakers.
Another method for rooting out duplicate accounts made by bad actors is to employ link analysis tools. This allows for scanning a database of accounts to look for suspicious similarities between them.
For example, a group of accounts created at the same IP address, at the exact same date & time, or with similar ID credentials may indicate a user (or group of users) abusively signing up for duplicate accounts. Then the account owners can be asked to re-verify their identities. If they don’t, or the credentials they provide aren’t consistent, then a platform can take disciplinary action against them.
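As an added example, not from the original article, here is a small link-analysis pass over constructed sign-up records: it groups accounts that share an IP address and were created within minutes of each other, or that share an IP address and carry near-identical display names. The record layout, the five-minute window and the similarity threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from difflib import SequenceMatcher

# Constructed sample sign-up records (not real data); addresses are documentation ranges.
SIGNUPS = [
    {"id": 1, "ip": "203.0.113.7", "created": "2024-03-01T10:00:02", "name": "Acme Supplies"},
    {"id": 2, "ip": "203.0.113.7", "created": "2024-03-01T10:00:41", "name": "Acme Supplies Ltd"},
    {"id": 3, "ip": "203.0.113.7", "created": "2024-03-01T10:01:15", "name": "ACME-Supplies"},
    {"id": 4, "ip": "198.51.100.23", "created": "2024-03-01T10:00:30", "name": "Bob's Bikes"},
    {"id": 5, "ip": "198.51.100.23", "created": "2024-03-03T09:12:00", "name": "Carol Crafts"},
]

WINDOW = timedelta(minutes=5)   # assumed: sign-ups closer than this from one IP are linked
NAME_SIMILARITY = 0.8           # assumed: names at least this similar are treated as one identity


def name_similarity(a, b):
    """Case- and punctuation-insensitive similarity ratio in [0, 1]."""
    def norm(s):
        return "".join(ch for ch in s.lower() if ch.isalnum())
    return SequenceMatcher(None, norm(a), norm(b)).ratio()


def find_linked_groups(signups, window=WINDOW, threshold=NAME_SIMILARITY):
    """Return lists of account ids that look like one actor signing up repeatedly.

    Accounts are bucketed by IP and sorted by creation time; consecutive accounts
    are chained into a group when they were created within `window` of each other
    or when their display names are near-identical."""
    by_ip = defaultdict(list)
    for s in signups:
        by_ip[s["ip"]].append(s)

    groups = []
    for accounts in by_ip.values():
        accounts.sort(key=lambda s: datetime.fromisoformat(s["created"]))
        group = [accounts[0]]
        for prev, cur in zip(accounts, accounts[1:]):
            gap = datetime.fromisoformat(cur["created"]) - datetime.fromisoformat(prev["created"])
            if gap <= window or name_similarity(prev["name"], cur["name"]) >= threshold:
                group.append(cur)
            else:
                if len(group) > 1:
                    groups.append([a["id"] for a in group])
                group = [cur]
        if len(group) > 1:
            groups.append([a["id"] for a in group])
    return groups
```

The ids in each returned group are the accounts whose owners would be asked to re-verify their identities.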
The actions a user takes when signing up for an account, or shortly after creating an account, can provide clues as to whether the account is a duplicate. For example, a person may use a VPN to make it seem like they’re operating from somewhere other than where they actually are. Or if they sign up for an account and then immediately change the credentials associated with it, that’s another red flag for a duplicate account.
Some platforms use tools that look for behavioral oddities associated with duplicate accounts. For instance, some use invisible “honeypot” fields during registration that robots aiming to make duplicate accounts will attempt to fill in, but legitimate users won’t. Others will watch for hesitation in filling in basic information that could be indicative of a robot, instead of an actual person, trying to create an account.
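A registration-signal check, added here as an illustration and not part of the original article, combining the signals from the previous two paragraphs: a hidden honeypot field, the time taken to fill in the form, a sign-up from a known VPN range, and a credential change shortly after account creation. The field names, thresholds, VPN range and sample data are all constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumed/constructed: a VPN or proxy egress range a platform might maintain (documentation range).
KNOWN_VPN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
MIN_FILL_SECONDS, MAX_FILL_SECONDS = 3, 30 * 60     # assumed plausible range for a person
EARLY_CHANGE_WINDOW = timedelta(hours=1)             # assumed: changes this soon are a red flag
CREDENTIAL_EVENTS = {"email_change", "phone_change", "password_change"}


def registration_signals(reg, events):
    """Return the red flags raised by one sign-up.

    reg: submitted form fields plus 'ip', 'rendered_at' and 'submitted_at' (datetimes).
    events: post-signup account events, each a dict with 'type' and 'at'."""
    flags = []
    # Honeypot: the field is invisible to people, so any value means a form-filling bot.
    if reg.get("hp_website"):
        flags.append("honeypot_filled")
    # Fill time far outside the range a person needs is a behavioral oddity.
    fill = (reg["submitted_at"] - reg["rendered_at"]).total_seconds()
    if not MIN_FILL_SECONDS <= fill <= MAX_FILL_SECONDS:
        flags.append("atypical_fill_time")
    # Sign-up from a known VPN/proxy range hides the user's real location.
    addr = ipaddress.ip_address(reg["ip"])
    if any(addr in net for net in KNOWN_VPN_RANGES):
        flags.append("vpn_or_proxy_ip")
    # Credentials changed right after creation, as the article describes.
    for ev in events:
        if ev["type"] in CREDENTIAL_EVENTS and ev["at"] - reg["submitted_at"] <= EARLY_CHANGE_WINDOW:
            flags.append("early_" + ev["type"])
    return flags


def needs_manual_review(flags, threshold=2):
    """Route the sign-up to a human reviewer once independent signals stack up."""
    return len(flags) >= threshold


# Constructed samples: one sign-up that trips every signal, one that trips none.
T0 = datetime(2024, 3, 1, 10, 0, 0)
SUSPICIOUS = {"ip": "203.0.113.9", "hp_website": "http://example.invalid",
              "rendered_at": T0, "submitted_at": T0 + timedelta(seconds=1)}
SUSPICIOUS_EVENTS = [{"type": "email_change", "at": T0 + timedelta(minutes=5)}]
BENIGN = {"ip": "198.51.100.4", "hp_website": "",
          "rendered_at": T0, "submitted_at": T0 + timedelta(seconds=45)}
```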
There are other security solutions out there that can help a platform detect and block duplicate account fraud. For example, adding multi-factor authentication to a login process can help to slow down or stop abusive behaviors perpetrated by duplicate accounts. A program that identifies and prevents robot activity on a platform can also be useful.
Other handy tools revolve around analyzing a user’s hardware and software signatures to check if multiple accounts are originating from the same location or device. For example: