Account Farming – What You Need to Know to Protect Your Business
Account farming involves creating multiple accounts on the same online platform. Farmed accounts are used to unfairly take advantage of promotional offers such as sign-up bonuses, for example the free play bonuses that players receive when they sign up for iGaming accounts. Cybercriminals also use farmed accounts to leave negative reviews of competitors, commit identity theft, take over online wallets, and conduct phishing attacks or spam campaigns.
Any type of personal or business online account can be farmed for use in fraud, identity theft, phishing scams, or other malicious activities. Email accounts, social media accounts, and online advertising accounts are all used by cybercriminals to set up fake identities.
The US Federal Trade Commission (FTC) reported that fraudulent activity caused losses of $10.0 billion in 2023.1 On a global scale, online fraud directed at e-commerce companies has been estimated to cause losses of $48 billion.2 Analysts predict that losses from online fraud could rise as high as $343 billion by 2027.3
How does account farming work in practice?
Although cybercriminals all have their own methods, the process of farming accounts usually follows these steps:
- A personal account is set up with an email service provider, for example, Gmail, Outlook, or any other provider.
- The cybercriminal clears their browser cookies to prevent the platform from tracking previous activities or identifying multiple accounts associated with the same user.
- The cybercriminal will connect to a Virtual Private Network (VPN) and create another email account using different details such as a fake name and false phone number.
This process is repeated using a different VPN server address each time to mask the cybercriminal’s location and help them avoid detection by authorities such as cybersecurity firms, law enforcement, or email service providers.
The process of farming accounts can be done manually, but it is extremely time-consuming. To generate large numbers of fake accounts, cybercriminals usually use robots (or bots) to automate tasks.
Bots are programs that can automatically perform repetitive actions online and mimic human behavior. They are used in account farming to automate the creation, management, and operation of multiple accounts. Bots can bypass CAPTCHA challenges, fill out registration forms, and perform activities like liking or following social media accounts. They can also exploit business promotions at scale to fraudulently obtain free products, discounts, or rewards.
Cybercriminals use proxies or VPNs to conceal their identities and locations. This routes the cybercriminals’ internet traffic through intermediary servers that replace the real IP addresses with those of the proxy or VPN servers. In some cases, account farming is done via public Wi-Fi networks to further ensure anonymity.
To set up the accounts, cybercriminals use fake names and disposable virtual phone numbers to provide details to email service providers. Once the fake accounts are active, they can be used to engage in various activities to make them seem legitimate. Cybercriminals use a tool known as an activity generator to mimic human online behavior and trick algorithms. If a criminal is a skilled coder, they may be able to build an activity generator themselves. Activity generators are also available for sale on dark web forums and encrypted messaging platforms such as Telegram or Discord.
Activity generators can send and receive emails, follow and like other accounts, search the web while logged in, and sign up for online services. This helps cybercriminals bypass security checks and avoid triggering red flags that can lead to account suspension or detection.
Farmed accounts can be used individually to conduct small-scale fraud and shut down as they are detected. Account farms can also be deployed at scale to commit mass fraud or overwhelm systems.
For example, a new e-commerce business may find itself the target of farmed accounts being used for small-scale fraud, such as fraudulent purchases or exploiting promotional offers. On a larger scale, account farms could overwhelm the system with fake sign-ups or mass fraudulent transactions, leading to financial losses and a compromised system.
Why are online accounts farmed?
- The motivation may be purely financial. Farmed accounts can be used to take advantage of discount offers or sign-up bonuses. Scammers do this by repeatedly creating new accounts with different details to exploit promotional rewards multiple times, without any intention of becoming a long-term customer. This method is also used to extend access to software that offers a time-limited trial to new users. This is prevalent in the iGaming sector. Online casinos reported an 80% rise in fraud involving multiple accounts from 2022 to 2023.4
- Large-scale spam campaigns and phishing attacks are often conducted using multiple farmed accounts. These attacks can result in data theft or financial scams. Farmed accounts are used to create a network of seemingly legitimate senders that appear trustworthy. Cybercriminals trick recipients into revealing sensitive information, such as login credentials or financial data, or persuade them to click on malicious links. Victims may experience data theft, financial scams, identity theft, or have malware installed on their devices.
- Farmed accounts can be used to manipulate markets by artificially inflating product ratings, reviews, or transaction volumes. This distorts market trends and deceives legitimate consumers. For example, a company selling a new product may use farmed accounts to post fake positive reviews and ratings across multiple e-commerce platforms.
- Fraudsters can use farmed accounts to create fake profiles to spread misinformation, artificially inflate follower counts, or promote certain content. This type of social media manipulation can sway public opinion or influence trends. One recent example was the use of bots to spread misinformation during the height of the Covid-19 pandemic. Analysis of existing bot datasets revealed that up to 66% of bots were discussing COVID-19 and spreading pandemic-related misinformation on social media platforms such as Facebook, Instagram, X (Twitter), and TikTok.5
- Digital advertising fraud is another common use of farmed accounts. Fraudsters can generate fake clicks or impressions on online ads. This results in incorrect performance metrics, which increases advertising costs for businesses. Fraudsters also use farmed accounts to manipulate affiliate marketing programs, earning commissions through misleading affiliate links. Farmed accounts can be used to artificially inflate social media engagement, potentially misleading advertisers into paying for non-genuine exposure.
- Farmed accounts are also used in Distributed Denial of Service (DDoS) attacks. Cybercriminals deploy a large number of fake accounts to flood a target server with traffic. The overwhelming volume of requests can cause the server to crash or become unreachable. This disrupts services for real users and damages a business’s reputation.
Some common examples of account farming
There are some common examples of how account farming is typically used across different sectors.
Farming email accounts
The Google email account service Gmail is one of the most popular targets for cybercriminals. An estimated 91% of fraudulent emails are sent via Gmail accounts.6 Legitimate users typically have one or more Gmail accounts for personal or business use. This makes it harder for a business to detect whether a new account is being set up for a real user or a fake farmed account.
ISPs (Internet Service Providers) use analytics to give each user a reputational score. This score is what email providers like Gmail use to determine whether or not to flag messages as spam. The score is based on metrics including how often the account is used and what it is used for, for example, sending and receiving emails. A high reputation score means that an email is less likely to be flagged as spam.
With multiple email accounts with good reputation scores, cybercriminals can more easily send out spam. A high reputation score also makes it easier for a farmed account to pass a range of authentication protocols such as CAPTCHA prompts or other digital fingerprinting and identity-checking methods.
Farming online advertising accounts
Other popular targets for account farming are online advertising accounts such as Google Ads, LinkedIn, Amazon Ads, and Facebook Ad accounts. Gmail accounts are often farmed with the specific intention of using them to create fake online advertising accounts.
Fake online advertising accounts can be used to generate fake clicks or impressions, inflate ad performance metrics, and exploit advertising budgets without delivering real engagement.
Fraudsters use farmed online advertising accounts to break terms of service, for example, to spam real users with ads containing affiliate links. Some online services provide new accounts with free advertising. Scammers use farmed accounts to get free advertising by taking advantage of these initial sign-up offers multiple times.
For example, a platform may offer free advertising credits for new sign-ups. By exploiting these initial sign-up offers, scammers can repeatedly generate free ads, often including affiliate links. These ads are then spammed to real users, driving traffic to fraudulent websites or generating commissions for the scammers, all while violating the platform’s terms of service and the GDPR.
Farming social media accounts
Creating multiple fake profiles on platforms like Instagram, Twitter, or Facebook allows fraudsters to inflate follower counts, manipulate engagement, or spread spam. Farming accounts on social media is now a commonplace activity for cybercriminals. For example, Facebook reports show that the company removed 691 million fake accounts at the end of 2023.7
A recent example is the numerous fake Facebook and Instagram accounts connected to an Israeli technology firm and used to spread political messages.8
Farming e-commerce accounts
Farming accounts from e-commerce enterprises allows cybercriminals to exploit discount codes, promotional offers, or loyalty rewards multiple times. In some cases, cybercrime gangs use farmed e-commerce accounts to purchase products and then resell them at inflated prices. Implementing strong e-commerce fraud detection can help businesses identify and block suspicious account behavior before promotions or transactions are exploited.
Why is account farming harmful?
Account farming undermines the trust and experience of legitimate users who follow platform rules and engage authentically. Cybercriminals manipulate systems to gain unfair advantages, such as exploiting promotions or inflating engagement metrics. This causes human users to feel frustrated as they may miss out on rewards – such as discounts or promotions – due to fraudulent activity.
For businesses, account farming is a major concern. Companies can incur major financial losses from fraudulent activities, such as misuse of promotions and loyalty programs. Manipulated data can inflate advertising costs by causing companies to mistakenly allocate funds based on false data. Account farming is often the first step in creating fake identities that are then used to fraudulently obtain financial services, sign up for credit cards, or take out loans. By using farmed accounts, cybercriminals can bypass verification systems, providing false information to open accounts or access credit without detection.
For individuals, account farming can lead to identity theft. Scammers may use farmed accounts to steal personal information which can be used to commit fraud.
The broader social impact of account farming is substantial. Account farming leads to the spread of misinformation which encourages the erosion of online trust and damages the digital economy.
How to protect your business against account farming
As technology evolves, cybercriminals are developing new ways of farming accounts. Advances in machine learning and artificial intelligence (AI) are making it harder to identify fraudulent bot activity. These technologies help bots to learn and adapt. Bots can now more convincingly mimic human behavior to bypass detection methods.
To protect their interests and their customers, business owners must take steps to implement robust fraud prevention methods. It’s important to understand that the aim of these protection measures is not to identify cybercriminals but to more accurately detect fake accounts.
Common measures to guard against account farming include:
- Phone number verification: Users must verify accounts with a phone number that is proven to be valid. Social media platforms, e-commerce sites, and financial services often use phone number verification. Users must enter a phone number during account registration which is verified by sending a one-time code via SMS or a call.
- Browser fingerprinting: Unique browser configurations such as plugins and screen resolution are analyzed to identify and flag suspicious patterns. When multiple accounts or activities exhibit similar configurations that deviate from normal behavior, these can be flagged as suspicious.
- Digital footprint analysis: Examining user behavior and historical data across platforms can detect inconsistencies or signs of fake account activity, such as repeated registration attempts. Online marketplaces, social media platforms, and financial institutions use digital footprint analysis. The process involves examining user behavior, including registration patterns, login times, and interaction history across various platforms. Analyzing these data points can identify inconsistencies or repeated registration attempts.
- Velocity checks: Monitoring the speed and frequency of actions like account creation or login attempts can help to identify suspicious activity. For example, if a user rapidly creates multiple accounts within a short time frame or attempts to log in repeatedly in quick succession, this can trigger an alert for suspicious activity.
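The velocity check and browser-fingerprint grouping described above can be combined: because farmed sign-ups rotate VPN addresses, counting per IP can miss a burst that counting per fingerprint catches. This is an added example, not DataDome's code; the event fields, the 5-minute window, the threshold of 3 and the sign-up records are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-up events:
# (ISO timestamp, account id, source IP, browser fingerprint hash)
SIGNUPS = [
    ("2024-05-01T10:00:00", "acct-01", "198.51.100.7", "fp-a1"),
    ("2024-05-01T10:00:40", "acct-02", "198.51.100.7", "fp-a1"),
    ("2024-05-01T10:01:10", "acct-03", "203.0.113.20", "fp-a1"),
    ("2024-05-01T10:01:50", "acct-04", "203.0.113.99", "fp-a1"),
    ("2024-05-01T10:30:00", "acct-05", "192.0.2.14", "fp-b2"),
    ("2024-05-01T13:00:00", "acct-06", "192.0.2.14", "fp-c3"),
]
IP, FINGERPRINT = 2, 3  # column indexes usable as the grouping key


def velocity_alerts(events, key_index, window=timedelta(minutes=5), threshold=3):
    """Return {key: [account ids]} for every key that reaches `threshold`
    sign-ups inside any sliding `window`."""
    recent = defaultdict(deque)  # key -> (time, account) pairs still in the window
    flagged = defaultdict(set)
    for row in sorted(events):   # ISO timestamps sort chronologically
        ts = datetime.fromisoformat(row[0])
        key = row[key_index]
        queue = recent[key]
        queue.append((ts, row[1]))
        # Drop sign-ups that have aged out of the window.
        while ts - queue[0][0] > window:
            queue.popleft()
        if len(queue) >= threshold:
            flagged[key].update(acct for _, acct in queue)
    return {key: sorted(accts) for key, accts in flagged.items()}


if __name__ == "__main__":
    # Per-IP velocity sees at most two sign-ups per address, so nothing fires.
    print("by IP:         ", velocity_alerts(SIGNUPS, IP))
    # Per-fingerprint velocity groups the four accounts created in under two minutes.
    print("by fingerprint:", velocity_alerts(SIGNUPS, FINGERPRINT))
```

A flagged group is a signal for review or step-up verification such as phone number verification, not proof of fraud, since users on shared devices can produce the same fingerprint.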
Proven protection against account farming
Account farming is a serious risk to both businesses and individuals. The practice enables cybercriminals to commit fraud, steal personal information, damage the reputation of companies, and manipulate markets and public opinion.
DataDome offers you a proven solution that can help protect you from account fraud and other types of online fraud. DataDome Account Protect gathers data signals from users and businesses to construct accurate behavioral footprints. Our software can analyze over 5 trillion signals daily to identify and block fake accounts before they can do any damage.
Account farming FAQs
Account farming involves creating multiple accounts on an online platform. Account farming is done to exploit special offers, bypass restrictions, or engage in fraudulent activities. Cybercriminals use automation to create multiple fake accounts.
Account farming distorts metrics, abuses promotions, erodes trust, and enables scams. It can result in financial losses, damage a business’s reputation, and degrade legitimate user experience.
Account farming often violates platform policies without being illegal. The practice becomes illegal if it involves fraud, identity theft, or unauthorized access to systems. Legal consequences depend on the jurisdiction and specific actions taken by the farming accounts.
You can prevent account farming by implementing strict account management and verification processes and monitoring suspicious activity. You can also use advanced fraud detection systems such as an antidetect browser such as Multilogin. DataDome can help you protect your email from being compromised by cybercriminals.
Sources
1 https://www.johnmarshallbank.com/resources/security-center/fraud-facts-and-statistics/
3 https://www.juniperresearch.com/press/online-payment-fraud-losses-to-exceed-343bn/
4 https://onfido.com/blog/online-gambling-fraud/
5 https://redline.digital/fake-news-statistics/
6 https://www.stationx.net/phishing-statistics/
7 https://www.statista.com/statistics/1013474/facebook-fake-account-removal-quarter/