Research

How bots and fraudsters exploit free tiers in AI SaaS

The latest wave of artificial intelligence (AI) progress has significantly improved the quality of models for image and text generation. Several companies, such as OpenAI (ChatGPT) and Anthropic (Claude), provide these models as services, often in the form of software as a service (SaaS), that make it easy for users to interact with them.

SaaS companies, in particular AI-based SaaS, are in a highly competitive market. End users have access to a variety of products and often want to try them before committing to a paid subscription. That's why most AI SaaS companies offer a free tier or a free trial with a limited volume of usage. For example, users on the free plan may only be able to generate 10 images per day or send 1000 chat messages per day (cf. screenshot below, taken from the Claude.ai website).

Some users find free plans too restrictive but are not willing to pay for more features or a higher limit. That's where multi-accounting, fake accounts, and bots come into play.

Abusing SaaS free tiers and free trials 101

It didn't take long before people realized they could bypass the free tier limits of such products by creating several accounts.

In response, most AI SaaS companies started to add more verification steps when creating accounts, such as:

  • ensuring the user has a valid email address (by sending a confirmation link);
  • sending a verification code by SMS.

However, as is often the case in fraud prevention, users limited by these new restrictions searched for ways to bypass them.

People can create several email accounts manually. While this approach works at a low scale (a few accounts), it quickly becomes cumbersome: trusted email providers like Gmail and Microsoft deliberately make it difficult to create a massive volume of accounts, precisely to prevent abuse.

That's where disposable email providers come in: throwaway mailboxes that require no verification at all and help bypass these limits. These services make it easy to create thousands of different email addresses without any identity or phone verification. Moreover, some of them provide an API to create addresses and read incoming mail (including confirmation links) automatically.

But it's not only about disposable emails. Several online services provide free temporary phone numbers that can receive the verification SMS sent during registration. Note that when free numbers are not enough, e.g. because they are already linked to an existing account, it's often possible to rent phone numbers by the day, just for the duration of the account creation process.

We analyzed the SMS messages received on these temporary numbers and noticed several verification messages from popular AI SaaS products, such as Mistral AI, Poe, Claude, and OpenAI, as shown in the screenshots below.

One could argue that people manually creating 2 or 3 accounts is acceptable and has probably been factored into the product price. It becomes a real problem, however, when attackers create thousands of accounts using bots, either to resell them or to abuse the service themselves.

AI SaaS free tier abuse in the wild

Some of Castle's customers are facing the challenges described in this article. For example, one of our customers offers an AI-based image generator among its suite of products, with a free plan to test it. When we look at the registration attempts linked to this application, we notice a constant stream of abusive traffic, in particular from bots and from users signing up with disposable emails.

The graph below shows the number of malicious registration attempts per day over two weeks. In total, there were more than 3.5K malicious registration attempts.

What are the consequences of free trial/tier abuse?

  1. Cost: Without proper verification in place, these malicious accounts can generate high costs over time. In the case of AI-based SaaS, these costs are mostly tied to the infrastructure (servers, GPUs) required to serve each request.
  2. Sub-optimal product decisions: Without a way to measure them, these fake accounts give a false impression of growth and bias user interaction data, which may lead to sub-optimal product decisions.
  3. More restrictive free tiers: Abuse tends to force companies to make their free tiers more restrictive, which degrades the experience of genuine users.

Striking the right balance in preventing free trial abuse

Preventing free trial abuse isn't just about tightening security; it's about finding the right balance between security, user experience, and cost. While free trials are meant to give users a taste of the product, excessive verification steps frustrate genuine users and lower conversion rates. At the same time, verification mechanisms are a cost center in their own right, particularly when companies end up paying to verify junk accounts.

For instance, SMS-based verification, often used to confirm new accounts, is vulnerable to SMS pumping: attackers trigger large volumes of one-time-code messages to numbers in ranges where they earn a share of the termination fee, so every verification SMS the company sends is revenue for the attacker and cost for the company. Similarly, email verification services and bot detection tools have their own costs, which, when applied indiscriminately to every signup, eat into margins. A more effective approach is adaptive verification: tighten checks only when risk signals indicate suspicious behavior. Companies can optimize their defenses by:

  • Using bot detection intelligently, focusing verification efforts on high-risk users rather than applying friction to every signup, and not paying to verify traffic that is clearly automated.
  • Validating phone numbers before sending an SMS, e.g. checking the line type so that VoIP and temporary numbers are rejected up front, which avoids both abuse and unnecessary SMS costs.
  • Filtering disposable email domains selectively, rather than blocking free email providers entirely, which would turn away legitimate users.
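As an added illustration of the adaptive approach described above (this is example code written for this article, not Castle's product or any customer's implementation), the block below takes a few cheap signals for a signup (a bot score from a detection layer, how many registrations the client IP already made, the email domain, and the phone line type) and decides how much friction to apply. Clear bots are blocked without spending anything on verification, disposable email domains are rejected at no cost, SMS is only sent for elevated-risk signups, and VoIP numbers never receive one. The disposable-domain list, the prefix-to-line-type table standing in for a carrier lookup API, the thresholds and the per-prefix SMS cap are all constructed assumptions for the example.

```python
"""Adaptive signup verification (added example, not the original article's code).

Applies friction proportional to risk so that paid checks (SMS) are spent
only on elevated-risk signups and never on traffic that is clearly junk.
"""
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"                # low risk: no extra friction
    VERIFY_EMAIL = "verify_email"  # cheap baseline check
    REJECT_EMAIL = "reject_email"  # disposable domain: ask for another address, costs nothing
    VERIFY_SMS = "verify_sms"      # paid check, reserved for elevated risk
    REJECT_PHONE = "reject_phone"  # VoIP/temporary number: ask for another, don't pay for SMS
    BLOCK = "block"                # confident bot: don't pay to verify it


# Constructed denylist for this example; in production it comes from a maintained feed.
DISPOSABLE_DOMAINS = {"mailinator.com", "guerrillamail.com", "tempmail.example"}

# Constructed prefix -> line type table, standing in for a carrier-lookup API.
PHONE_LINE_TYPE = {"+1555": "voip", "+4477": "mobile", "+1212": "landline"}


@dataclass
class Signup:
    email: str
    phone: Optional[str]
    bot_score: float          # 0.0 (human) .. 1.0 (automated), from a bot-detection layer
    signups_from_ip_24h: int  # registrations already made from this IP in the last day


def email_domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].strip().lower()


def is_disposable(email: str) -> bool:
    # Only the denylisted throwaway domains are rejected; free providers (gmail.com, ...) pass.
    return email_domain(email) in DISPOSABLE_DOMAINS


def phone_line_type(phone: Optional[str]) -> Optional[str]:
    if not phone:
        return None
    for prefix, line_type in PHONE_LINE_TYPE.items():
        if phone.startswith(prefix):
            return line_type
    return "unknown"


def risk_score(s: Signup) -> int:
    """Additive score from signals that cost nothing to compute before any SMS is sent."""
    score = 0
    if s.bot_score >= 0.5:
        score += 30
    if s.signups_from_ip_24h >= 10:
        score += 30
    elif s.signups_from_ip_24h >= 3:
        score += 15
    return score


def decide(s: Signup) -> Decision:
    """Map signals to the cheapest check that is proportional to the risk (thresholds assumed)."""
    if s.bot_score >= 0.9:
        return Decision.BLOCK
    if is_disposable(s.email):
        return Decision.REJECT_EMAIL
    score = risk_score(s)
    if score >= 30:
        # Elevated risk: worth an SMS, but never to a VoIP/temporary number.
        if phone_line_type(s.phone) == "voip":
            return Decision.REJECT_PHONE
        return Decision.VERIFY_SMS
    if score >= 15:
        return Decision.VERIFY_EMAIL
    return Decision.ALLOW


class SmsGate:
    """Caps SMS sends per destination prefix, bounding the loss from SMS pumping
    (attackers typically push many verifications into one number range)."""

    def __init__(self, max_per_prefix: int = 5, prefix_len: int = 5):
        self.max_per_prefix = max_per_prefix
        self.prefix_len = prefix_len
        self.sent = defaultdict(int)

    def allow_send(self, phone: str) -> bool:
        prefix = phone[: self.prefix_len]
        if self.sent[prefix] >= self.max_per_prefix:
            return False
        self.sent[prefix] += 1
        return True


if __name__ == "__main__":
    for signup in (
        Signup("alice@gmail.com", None, 0.1, 0),
        Signup("bob@mailinator.com", "+447700900123", 0.2, 0),
        Signup("carol@example.org", "+15551234567", 0.6, 1),
        Signup("mallory@example.org", None, 0.95, 50),
    ):
        print(signup.email, "->", decide(signup).value)
```

In a real deployment the `SmsGate` counters would live in a shared store with a time window, and the prefix-to-line-type table would be replaced by a carrier lookup; the point of the ordering in `decide` is that every free check (bot score, email domain, line type) runs before anything that costs money.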

Ultimately, the goal isn't to eliminate abuse entirely; it's to make it economically unviable for the attacker while keeping the experience smooth for real users.