The Six Hidden Costs of Signup Fraud
Signup fraud is not one cost. It is six costs distributed across engineering, finance, operations, and product that nobody owns and nobody tracks. Here is every dollar you are losing, with the math to prove it.
The examples below use a reference SaaS company with the following profile:
- Monthly signups: 10,000
- Fake account rate: 20% (2,000 fake signups/month)
- Pricing: $49/month with a 14-day free trial
- Payment processor: Stripe
- SMS provider: Twilio
A 20% fake account rate is conservative. Companies without VOIP detection typically see 15-30%, with B2C products trending toward the higher end.
Cost 1: Wasted Stripe Processing Fees
Stripe charges $0.30 per failed charge attempt. Fake accounts that enter stolen or random card numbers generate failed charges. Card-testing attacks generate dozens of failed charges per session.
When a fake account attempts to upgrade from a free trial, one of three things happens:
- They enter a stolen card: The charge may succeed initially, but will result in a chargeback within 30-90 days
- They enter a random/invalid card: Stripe processes the attempt, it fails, and you are charged the $0.30 per-attempt fee
- They do not enter a card at all: The trial expires, the account sits dormant, and you absorb the infrastructure cost of hosting it
For card-testing attacks specifically, the numbers are worse. A typical card-testing session involves 50-200 charge attempts in rapid succession. At $0.30 per attempt, a single session costs $15-60 in Stripe fees. If you experience 3-10 card-testing sessions per month (common for SaaS products with free signup), that is $45-600/month in processing fees alone.
The Math
- 2,000 fake accounts × 30% that attempt payment × $0.30 per attempt = $180/month (baseline)
- Add card-testing attacks: 5 sessions × 100 attempts × $0.30 = $150/month
- Combined: $180-600/month
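The burst pattern described above (dozens of failed charges in rapid succession) can be caught with a sliding-window count per source. This is an added example, not code from this article, Stripe, or Auth1; the event tuple layout, the `source` grouping key (account, IP, or device), the 10-minute window, and the threshold of 20 are assumptions to tune against your own traffic.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FEE_PER_FAILED_ATTEMPT = 0.30    # per-attempt fee quoted in this article
WINDOW = timedelta(minutes=10)   # assumed burst window
THRESHOLD = 20                   # assumed: failures inside one window that count as a burst


def detect_card_testing(events, window=WINDOW, threshold=THRESHOLD):
    """events: time-ordered (iso_timestamp, source, outcome) tuples (hypothetical layout).

    Returns {source: {"failed", "fee_usd", "first_flagged"}} for every source whose
    failed attempts reach `threshold` inside any sliding window of length `window`.
    """
    recent = defaultdict(deque)   # source -> failure timestamps still inside the window
    failed = defaultdict(int)     # source -> total failed attempts seen
    flagged = {}                  # source -> timestamp at which the threshold was first hit
    for ts_raw, source, outcome in events:
        if outcome != "failed":
            continue
        ts = datetime.fromisoformat(ts_raw)
        q = recent[source]
        q.append(ts)
        while ts - q[0] > window:          # drop failures older than the window
            q.popleft()
        failed[source] += 1
        if len(q) >= threshold and source not in flagged:
            flagged[source] = ts_raw
    return {s: {"failed": failed[s],
                "fee_usd": round(failed[s] * FEE_PER_FAILED_ATTEMPT, 2),
                "first_flagged": flagged[s]} for s in flagged}


def constructed_sample():
    """Constructed data: one burst source, one ordinary customer, one slow source."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    ev = [((t0 + timedelta(seconds=3 * i)).isoformat(), "acct_burst", "failed")
          for i in range(100)]                                   # 100 failures in 5 minutes
    ev += [((t0 + timedelta(minutes=30 * i)).isoformat(), "acct_customer", o)
           for i, o in enumerate(["failed", "failed", "succeeded"])]  # typo, retry, success
    ev += [((t0 + timedelta(hours=i)).isoformat(), "acct_slow", "failed")
           for i in range(25)]                                   # 25 failures, one per hour
    return sorted(ev)


if __name__ == "__main__":
    for source, info in detect_card_testing(constructed_sample()).items():
        print(source, info)
```

Only the burst source is flagged; the hourly failures stay under the window threshold, so a slower pattern needs a second, longer window or a daily cap.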
Cost 2: Chargebacks
When a fake account uses a stolen card and the charge succeeds, the real cardholder files a chargeback. Stripe charges $15 per dispute. You also lose the charged amount and the product/service provided.
Chargebacks are the most expensive single cost of signup fraud. Each chargeback incurs:
- Stripe dispute fee: $15 per chargeback (non-refundable, regardless of outcome)
- Lost revenue: The full charge amount is reversed (e.g., $49 for a monthly subscription)
- Product/service cost: Whatever resources the fake account consumed during the subscription period
- Time cost: Your team spends 15-30 minutes per chargeback gathering evidence for the dispute response
Even worse, a high chargeback rate (above 0.75% of transactions) triggers Stripe's monitoring program, which can result in:
- Increased processing fees
- Mandatory reserves (Stripe holds back a percentage of your revenue)
- Account review, with potential termination if the rate exceeds 1.5%
The Math
- 2,000 fake accounts × 15% that use stolen cards × 10% chargeback rate = 30 chargebacks/month
- 30 chargebacks × ($15 fee + $49 lost revenue) = $1,920/month
- Conservative range: $450-2,500/month
Cost 3: Wasted SMS Verification Costs
Every SMS OTP sent to a VOIP number is wasted. At $0.0075 per message segment (Twilio US pricing), 2,000 fake verifications cost $15/month. Small individually, but it compounds.
SMS costs are the smallest line item, but they are a useful proxy for measuring your fraud rate. If you are sending 10,000 SMS verifications per month and 20% are going to VOIP numbers, you are wasting $15/month on messages that verify nobody.
The real cost escalates if fake accounts trigger re-verification flows (password resets, MFA challenges, account recovery), which can multiply the SMS cost by 2-3x. And if you use international SMS delivery (for non-US numbers), the per-message cost can be $0.05-0.10, pushing the waste to $100-200/month.
The Math
- 2,000 fake signups × $0.0075/SMS = $15/month (base verification only)
- Add re-verification: $15 × 2x = $30/month
- Range: $15-45/month
Cost 4: Customer Support Overhead
Fake accounts generate support tickets: "My account was hacked" (it was a fraudster's account), disputed charges, account lockouts from suspicious activity detection, and manual review of flagged accounts.
Signup fraud creates support work in non-obvious ways:
- Chargeback investigations: Your support team gathers evidence for Stripe disputes (15-30 min per dispute, 30 disputes/month = 7.5-15 hours)
- "Account compromised" tickets: When a fraudster's account is detected and locked, they sometimes contact support pretending to be a legitimate user (surprisingly common)
- Real user confusion: When a real person's email is used by a fraudster to create an account, the real person contacts you when they try to sign up and find their email is already taken
- Manual account cleanup: Someone on your team periodically reviews and deletes suspicious accounts, which takes 2-5 hours per month depending on volume
The Math
- Chargeback investigations: 15 hours/month × $40/hour = $600
- Fraud-related tickets: 40 tickets × 15 min × $40/hour = $400
- Account cleanup: 4 hours × $40/hour = $160
- Total: $500-2,000/month (varies heavily by team size and fraud volume)
Cost 5: Inflated Metrics Leading to Bad Decisions
When 20% of your signups are fake, every metric downstream is wrong. Conversion rates, activation rates, feature usage, NPS, and cohort analysis are all polluted. Product decisions based on this data are unreliable.
This is the most damaging cost because it is invisible and compounds over time. Consider what 20% fake accounts do to your metrics:
- Trial-to-paid conversion: Your real conversion is 15%, but with fake accounts diluting the denominator, it appears to be 12%. Your board asks why conversion is low. You spend engineering time A/B testing the wrong things.
- Activation rate: Fake accounts never activate. Your activation metric shows 45% when the real number is 56%. You invest in onboarding improvements that only apply to real users.
- Feature adoption: Fake accounts skew usage data. A feature that 80% of real users love looks like it has 64% adoption when fake accounts are included. It gets deprioritized on the roadmap.
- Cohort analysis: Every cohort is polluted. Month-over-month comparisons are unreliable. You cannot tell if a change improved retention or if the fraud rate fluctuated.
- CAC calculation: If you spend $50,000/month on marketing and get 10,000 signups, your CAC appears to be $5. But 2,000 of those signups are fake, so your real CAC is $6.25. At scale, this 25% error compounds into major budget misallocation.
Bad metrics lead to bad decisions. Bad decisions waste engineering time and marketing budget. Over a year, a product team making decisions on 20% polluted data can waste hundreds of thousands of dollars in misdirected effort. This is the single largest cost of signup fraud, but it never appears on a balance sheet.
Cost 6: Infrastructure Costs for Bot Traffic
Every fake account consumes database storage, generates API calls, triggers background jobs (welcome emails, onboarding flows, analytics events), and uses server CPU. At 2,000 fake accounts/month, infrastructure costs add up.
The per-account infrastructure cost varies by product, but a typical breakdown for a SaaS application:
| Resource | Per Account | 2,000 Fake Accounts |
|---|---|---|
| Database rows (user + settings + audit log) | ~2 KB | 4 MB/month |
| Welcome email (SES/SendGrid) | $0.0001 | $0.20/month |
| Onboarding background jobs | ~50ms CPU | 100 seconds/month |
| Analytics events (Segment/Amplitude) | $0.005-0.01 | $10-20/month |
| API calls during trial (bots scraping) | $0.05-0.50 | $100-1,000/month |
| Total infrastructure waste | | $200-800/month |
The API abuse line is the wildcard. If your product has an API (and most SaaS products do), fake accounts on free trials will use it. Competitors scrape your data. Bots consume your compute. Individual costs are small, but at 2,000 accounts/month, they accumulate.
Total Cost Calculator
Adding up all six cost centers for our reference company (10,000 monthly signups, 20% fake):
| Cost Center | Low Estimate | High Estimate |
|---|---|---|
| 1. Wasted Stripe fees | $180 | $600 |
| 2. Chargebacks | $450 | $2,500 |
| 3. Wasted SMS | $15 | $45 |
| 4. Support overhead | $500 | $2,000 |
| 5. Inflated metrics | Incalculable (likely the largest cost) | |
| 6. Infrastructure waste | $200 | $800 |
| Total (quantifiable) | $1,345/month | $5,945/month |
| Annual cost | $16,140/year | $71,340/year |
The $8,000/month figure in the title is the midpoint of the quantifiable range. When you add the decision cost of polluted metrics, the true cost is likely 2-3x higher. For companies with more than 10,000 monthly signups or higher fraud rates, the numbers scale linearly.
ROI of Fraud Prevention
The math is simple. Auth1's Growth plan costs $39/month and prevents approximately 85% of fake signups (based on customer data across 40+ SaaS companies). At a midpoint fraud cost of $3,645/month, the net savings are $3,606/month. That is a 93x ROI.
Even using the conservative low estimate ($1,345/month in fraud costs), Auth1 saves $1,306/month for a 34x ROI. There is no marketing channel, no product feature, and no operational improvement that delivers 34-93x returns at $39/month.
What Changes When You Turn On Fraud Prevention
- Fake account rate drops from 20% to 3% (2,000 fake signups down to 300)
- Trial-to-paid conversion jumps 40-75% because the denominator is now accurate
- Chargebacks drop to near zero because stolen-card users cannot create accounts
- Product metrics become trustworthy for the first time
- Support load decreases 25-40% as fraud-related tickets disappear
- Stripe risk score improves, reducing decline rates for real customers
Stop the Bleeding
The gap in most SaaS authentication flows is the absence of identity verification at signup. Email/password authentication verifies that someone controls an email address. SMS OTP verifies that someone can receive a text message. Neither verifies that the person is real or that the phone number is attached to a real identity.
Auth1 fills this gap with three layers of verification that run in a single API call:
- VOIP detection: Blocks non-fixed VOIP numbers (Google Voice, TextNow, TextFree) before SMS is sent. 94-97% accuracy with sub-carrier mapping for Bandwidth.com numbers.
- Risk scoring: Combines carrier type, port history, area code reputation, IP reputation, device fingerprint, and velocity into a 0-100 score. You set the threshold.
- Bot prevention: Cryptographic proof-of-work (BotShield) runs in the browser. No CAPTCHA, no tracking, no user friction. Stops automated signup scripts.
The free tier includes 1,000 verifications/month with full VOIP detection. The Growth plan ($39/month) includes 10,000 verifications and all fraud prevention features. There is no reason not to start today.
Sign up at auth1.ai/signup, get your API key, add the verification call to your signup flow, and start blocking fake accounts today. Set voipPolicy: "flag" for the first week to measure your fraud rate before enforcing. Most teams are surprised by what they find.