Using Zero Trust to Reduce Fraud and Abuse

"The real threat often lurks in the shadows of what happens next—once a user has seamlessly slipped through the registration process"

The zero-trust security model is widely regarded as a best practice in cybersecurity. Its distinguishing feature is that trust is never granted implicitly: every request is authenticated and authorized, and activity is monitored continuously rather than being cleared by a single check at login. Never trust, always verify.

What does the zero-trust security model look like when it’s applied to online fraud and abuse? In this post, I’ll delve into how concepts from zero-trust can be used to fight fraud and abuse with higher accuracy and less user frustration.

The Frontline Defense: Sign-Up Checks

Think about the common defense against online fraudsters. At the point of sign-up, all sorts of checks are triggered — CAPTCHAs for stopping bots, IP checks for blocking data centers or applying geo-restrictions, device fingerprinting for detecting multi-accounting — together forming a robust shield. Yet this shield doesn't always discriminate between friend and foe: it will occasionally block legitimate users and cause undue frustration.

Now, consider that a clean sign-up doesn't always equate to a legitimate user. The real threat often lurks in the shadows of what happens next—once a user has seamlessly slipped through the registration process. This is where more nefarious abuse typically starts.

A commonly held belief within online security is that CAPTCHA and other registration checks adequately resolve any fraud or abuse problem. This notion, while appealing in its simplicity, falls short when confronted with reality.

Fraudsters may take advantage of an application's features to perpetrate their deceit, perhaps weaponizing your invite function into a spam-producing machine or unleashing a torrent of spam content via your platform. The danger isn't just at the gates–it's also inside the walls.

Borrowing from the Zero-Trust Approach

What if, instead of just trying to stop bad actors at sign-up, and then letting users roam completely free once they pass this initial check, we extend our vigilance to a user's entire journey, applying continuous verification of sensitive actions? These sensitive actions will depend on the nature of your service–spanning activities such as publishing content, sending invitations, or sharing accounts.

By applying the zero-trust model to these moments, every sensitive action is scrutinized to ensure it adheres to expected user behavior, and that scrutiny continues for the entire lifecycle of the account rather than ending at registration.

Identifying the critical event

Below are some concrete examples of problems where this model is applicable, across different platforms:

  • Invitation spam, where attackers misuse an application's invite feature to send unsolicited messages or spam content to many recipients. This not only annoys recipients but also risks damaging the reputation of the host application.
  • Content spam, posting or publishing irrelevant, inappropriate, or repetitive information on digital platforms, often to promote a product or manipulate search engine rankings. This can degrade the user experience, lead to misinformation, and lower the credibility of the platform.
  • Spam messages to other users, often sent in bulk, typically containing advertisements, phishing links, or other unwanted content. These can be irritating for users, contribute to information overload, and pose security risks if they contain malicious links or attachments.
  • Abusing multifactor enrollment to commit SMS-pumping fraud or International Revenue Share Fraud (IRSF). In SMS pumping, the attacker makes the application send a large volume of one-time-password messages to numbers in ranges where they, or a colluding carrier, receive a share of the per-message fee; IRSF works the same way with voice calls to high-cost international numbers. In both cases the victim is the application paying the telecom bill.
  • Exploiting Continuous Integration (CI) services, often provided by software development platforms, to run scripts that mine cryptocurrency. This unauthorized use of computational resources can slow down or disrupt the services for legitimate users and increase costs for service providers.

Hopefully this gives you some ideas and inspiration to start thinking about where to put additional safeguards in place for your own app. If you’d like to learn more about different forms of online fraud and abuse, check out this other article from our blog.

Trust progression

Adopting a "trust progression" approach, where you define the criteria that make an account progressively more trustworthy, can further enhance security. Newly created accounts are subjected to stricter rules and lower limits, while accounts with a longer clean record are given more headroom. As a user's behavior proves trustworthy, their privileges are widened, mirroring zero trust's least-privilege principle: access is granted incrementally as the evidence warrants it, and re-evaluated at each sensitive action rather than fixed at sign-up. Below are some factors that you could incorporate in your user trust model:

  • Account Lifespan: The age of a user's account can provide valuable insights into their behavior. Newly created accounts warrant closer scrutiny, because abusers commonly exploit accounts immediately after creating them. Dormant accounts that suddenly become active might also raise red flags, since aged accounts that have been taken over or bought are commonly used for more sophisticated abuse.
  • Subscription Tier: The user's choice of payment plan can be indicative of their intent. Users who commit to a paid subscription are often more likely to be genuine than those on a free plan, so the rules can be less stringent for paid users. Treat payment as one signal among several, though: a plan purchased with a stolen card is itself a common abuse pattern, so a payment on its own should not override the other factors.
  • Reputation Score: For platforms with user-generated content, ratings or reviews provided by other users can be valuable in assessing trust. A high reputation score generally indicates a trustworthy user.
  • Two-Factor Authentication: Users who opt to set up two-factor authentication demonstrate an added level of commitment to securing their accounts, which could increase trust.
  • Referral Source: How a user arrived at the platform can also be a factor. If a user was referred by another trusted user or comes from a reputable source, they might be considered more trustworthy initially.
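The trust-progression factors above, combined with the continuous verification of sensitive actions described under "Borrowing from the Zero-Trust Approach", can be expressed as a small policy: compute the account's current trust level at the moment of each sensitive action, then apply a rate limit sized for that level. The following is an added example written for this post, not Castle's code or API; the account fields, weights and limits are assumptions chosen for illustration, and the scenario data is constructed.

```python
"""Trust progression applied to sensitive in-app actions (added example)."""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

HOUR, DAY = timedelta(hours=1), timedelta(days=1)
DORMANCY = 90 * DAY
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # start of the constructed scenario


@dataclass
class Account:
    """Hypothetical account record; the field names are assumptions for this example."""
    user_id: str
    created_at: datetime
    last_active_at: datetime
    paid_plan: bool = False
    reputation: float = 0.0          # 0.0-1.0, aggregated from other users' ratings
    mfa_enabled: bool = False
    referred_by_trusted: bool = False


def trust_level(acct: Account, now: datetime) -> str:
    """Map the post's trust factors onto 'new', 'established' or 'trusted'.

    The weights are illustrative; a real deployment tunes them against observed
    abuse and false-positive rates.
    """
    age = now - acct.created_at
    # An aged account that was dormant and suddenly wakes up is re-verified like a fresh one.
    if age > DORMANCY and now - acct.last_active_at > DORMANCY:
        return "new"
    score = 2 if age >= 30 * DAY else 1 if age >= 7 * DAY else 0
    # Payment, reputation, 2FA and referral each add one point, so no single signal
    # (a paid plan bought with a stolen card, say) can lift an account to 'trusted' alone.
    score += sum([acct.paid_plan, acct.reputation >= 0.8,
                  acct.mfa_enabled, acct.referred_by_trusted])
    if score >= 4:
        return "trusted"
    if score >= 2:
        return "established"
    return "new"


# (max events, window) per sensitive action and trust level. Values are illustrative.
# The flat, low budget for phone enrollment is the SMS-pumping control from the list above.
LIMITS = {
    "send_invite":      {"new": (5, DAY),  "established": (50, DAY),  "trusted": (500, DAY)},
    "publish_content":  {"new": (3, HOUR), "established": (20, HOUR), "trusted": (100, HOUR)},
    "send_message":     {"new": (10, DAY), "established": (200, DAY), "trusted": (2000, DAY)},
    "enroll_mfa_phone": {"new": (1, DAY),  "established": (3, DAY),   "trusted": (3, DAY)},
}


class ActionGuard:
    """Sliding-window limiter keyed by (user, action).

    The budget is looked up from the account's trust level at the moment of the
    action, so an account's headroom changes as it ages, adds 2FA, or goes dormant.
    """

    def __init__(self) -> None:
        self._events = {}  # (user_id, action) -> deque of event timestamps

    def check(self, acct: Account, action: str, now: datetime) -> tuple[bool, str]:
        level = trust_level(acct, now)
        limit, window = LIMITS[action][level]
        q = self._events.setdefault((acct.user_id, action), deque())
        while q and now - q[0] >= window:      # drop events that fell out of the window
            q.popleft()
        if len(q) >= limit:
            return False, f"{action} denied: {limit} per {window} exhausted at level '{level}'"
        q.append(now)
        return True, level


def demo() -> dict:
    """Constructed scenario: a fresh account bursts invites, then returns a month later with 2FA."""
    acct = Account("u-1", created_at=T0, last_active_at=T0)
    guard = ActionGuard()
    day_one = [guard.check(acct, "send_invite", T0 + i * timedelta(minutes=1))[0]
               for i in range(6)]
    later = T0 + 31 * DAY
    acct.mfa_enabled, acct.last_active_at = True, later
    allowed, level = guard.check(acct, "send_invite", later)
    return {"day_one": day_one, "month_later": (allowed, level)}


if __name__ == "__main__":
    print(demo())
```

In the scenario, the sixth invite on day one is refused at the "new" level, while the same account a month later, now with 2FA enabled, is evaluated as "established" and gets a much larger budget without any change to the invite code itself. Because `trust_level` is recomputed on every call to `check`, a long-dormant account that wakes up is automatically pushed back to the tightest limits.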


The zero-trust model has revolutionized cybersecurity by refusing to rest on a single point of authentication. We can incorporate this same level of vigilance and ongoing verification in the fight against online fraud and abuse. By focusing not only on the point of registration but also on users' behavior within the application, we can ensure a safer, more secure digital space for all.

Leveraging this continuous verification strategy is straightforward with Castle, which allows the implementation of checks for abusive in-app behavior as well as at the point of registration. Castle recently integrated with Segment to simplify this process even further. Why not employ a more robust strategy with our no-code Segment integration today?