An IP fraud score is a real-time risk rating that indicates how likely it is that the person behind an IP address is attempting fraud. It works by analysing network-level signals including VPN and proxy usage, TOR node connections, open ports, geolocation consistency and blacklist status, combining them into a single score your fraud system can act on.
What Is an IP Fraud Score?
An IP fraud score helps detect risky or fraudulent users by analyzing how they connect online. Signals like VPN or proxy usage, emulators, and poor IP reputation scores are assigned points. These points combine into a single score that reflects the likelihood of fraud.
For instance, a VPN might add +1, while a suspicious connection from a known TOR node could add more. IPs previously linked to bot activity, abuse, or chargebacks may be automatically blocked based on thresholds set by your fraud prevention system. Businesses often use IP risk scoring at critical moments like signup, login, or checkout—where preventing account takeovers and other threats is vital.
While it’s part of broader fraud detection, an IP fraud score is focused purely on network-level risk—not behavioral data like transactions or spending patterns.
How Is an IP Fraud Score Calculated?
An IP scoring API adds and subtracts points based on detected signals. Once the total score is calculated, the system can flag a user as low, medium, or high risk.
Here’s a simplified example of how an IP risk score is built:
| Signal detected | Points |
|---|---|
| IP from high-risk country | +2 |
| Residential ISP (lower risk) | -1 |
| Suspicious SSH port open | +5 |
| IP on DNSBL spam blacklist | +4 |
| VPN detected | +3 |
| Total score | 13 → high risk |
What happens next depends on the thresholds you set. Most fraud teams auto-approve low scores, send mid-range scores for manual review and auto-decline high scores, with exact cutoffs adjusted per industry and risk appetite.
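The additive scoring and threshold step described above, as an added Python example that is not SEON's code: it applies the table's weights to constructed enrichment records, keeps the signals that fired so the decision can be audited, and declines to score non-public addresses. The record field names, the placeholder country code and the two cutoffs are assumptions.

```python
import ipaddress

# Weights are the ones in the table above. Field names, the country set
# and the two cutoffs are assumptions made for this example.
HIGH_RISK_COUNTRIES = {"XX"}       # placeholder country code
REVIEW_AT, DECLINE_AT = 5, 10      # assumed thresholds
RULES = [
    ("IP from high-risk country", +2, lambda r: r["country"] in HIGH_RISK_COUNTRIES),
    ("Residential ISP (lower risk)", -1, lambda r: r["isp_type"] == "residential"),
    ("Suspicious SSH port open", +5, lambda r: 22 in r["open_ports"]),
    ("IP on DNSBL spam blacklist", +4, lambda r: r["dnsbl_listed"]),
    ("VPN detected", +3, lambda r: r["vpn"]),
]
# Explicit list rather than ip.is_global, so the documentation addresses
# used as samples below are still scored.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]

def score_ip(record):
    """Return score, decision and the signals that produced them."""
    ip = ipaddress.ip_address(record["ip"])
    if any(ip in net for net in NON_PUBLIC):
        # A private or loopback address carries no reputation; seeing one
        # often means the client IP was read from the wrong hop.
        return {"score": None, "decision": "unscorable", "reasons": ["non-public address"]}
    hits = [(name, pts) for name, pts, test in RULES if test(record)]
    score = sum(pts for _, pts in hits)
    if score >= DECLINE_AT:
        decision = "decline"
    elif score >= REVIEW_AT:
        decision = "review"
    else:
        decision = "approve"
    return {"score": score, "decision": decision,
            "reasons": [f"{name} ({pts:+d})" for name, pts in hits]}

# Constructed enrichment records, not real lookup results.
TABLE_CASE = {"ip": "203.0.113.7", "country": "XX", "isp_type": "residential",
              "open_ports": [22, 443], "dnsbl_listed": True, "vpn": True}
MID_CASE = {"ip": "198.51.100.20", "country": "YY", "isp_type": "hosting",
            "open_ports": [], "dnsbl_listed": True, "vpn": True}
INTERNAL = dict(TABLE_CASE, ip="192.168.1.10")

if __name__ == "__main__":
    for rec in (TABLE_CASE, MID_CASE, INTERNAL):
        print(rec["ip"], score_ip(rec))
```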
What Signals Does an IP Fraud Score Analyse?
To calculate an accurate IP fraud score, you need to analyze key IP parameters that reveal how a user connects to the internet—and whether it looks suspicious.
1. Public vs. Private IP Addresses
Think of a public IP as a mailbox at the local post office—it’s how devices connect to the wider Internet. A private IP is like mail routing inside a building. Private doesn’t mean hidden—it just links to a local network.
Public IPs are assigned by ISPs and are essential for online access. Private IPs work within local networks like offices or homes. For fraud detection, public IPs are more valuable because they offer insight into user behavior and risk.
2. IP Geolocation
Geolocation ties IPs to physical locations, often used for targeting ads or restricting content. Accuracy depends on the database: some can pinpoint city-level data, while others only detect the country. Fraud teams use this to see if a user’s location matches expected behavior.
3. Public IP Address Features
- Automatically assigned by ISPs (static or dynamic)
- Globally unique—no two are the same
- Essential for internet access across all connected devices
- Residential IPs are especially valuable to fraudsters and often traded on shady marketplaces
4. Proxy Servers and SOCKS5
Fraudsters often mask their real IPs using:
- HTTP proxies (browser-level rerouting)
- SOCKS proxies (used for apps, gaming, streaming)
- Transparent proxies (set up by organizations to filter traffic)
These tools are cheap and easy to deploy, allowing bad actors to quickly rotate IPs during attacks. SOCKS5 proxies are especially sought after because they mimic legitimate residential users more effectively.
That’s why IP lookup tools are crucial—they help detect when an IP has been spoofed or manipulated.
How Users Hide Their IP Addresses
There are many reasons why someone would want to avoid spoofing detection. Circling back to our examples above, it could simply be to watch a video from a foreign country. It could be to improve their security via added encryption. And of course, it could be for malicious purposes.
Regardless of the why, let’s see how IP addresses are hidden:
- VPNs: Short for Virtual Private Networks. Increasingly popular tools, which tunnel all traffic from a device towards a server in another location. Different VPNs offer different kinds of IP addresses, such as static, dynamic, or shared.
- TOR: a system designed to maintain a user’s anonymity by masking IP addresses. Users download and run a free browser, which passes and encrypts traffic multiple times to hide the original IP address. However, an ISP or fraud detection tool will know if the user connected to TOR’s entry and exit nodes.
- Proxy servers: act as a middleman between a device and a visited website. TOR and VPNs are also considered proxies, even if they redirect all traffic coming from all software and device systems.
Velocity Rules for IP Usage
So what should you do if you find a suspicious user’s IP address connecting to your system? You could simply block it straight away, but adding that address to an IP blacklist doesn’t make sense. This is because IP addresses are mostly dynamic, and multiple users could eventually end up sharing them, so you’d end up blocking valid customers.
This is why you can’t look only at the IP address itself; you also have to look at how it is used, via velocity rules. These algorithms look at the patterns and changes of IP address usage over time, which helps anti-fraud intelligence.
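A sliding-window version of such velocity rules, as an added Python example that is not SEON's code: it counts distinct accounts per IP and distinct IPs per account over a time window, and lets old activity expire so an address that is later reassigned to another user is not penalised. The window length, both limits, the rule names and the sample events are assumptions.

```python
from collections import defaultdict, deque

WINDOW_S = 600            # assumed 10-minute window
MAX_ACCOUNTS_PER_IP = 3   # assumed limit
MAX_IPS_PER_ACCOUNT = 3   # assumed limit

class VelocityTracker:
    def __init__(self, window_s=WINDOW_S):
        self.window_s = window_s
        self.by_ip = defaultdict(deque)       # ip -> (ts, account) pairs
        self.by_account = defaultdict(deque)  # account -> (ts, ip) pairs

    def _distinct(self, queue, ts, value):
        """Add one observation, expire old ones, count distinct values left."""
        queue.append((ts, value))
        while queue and queue[0][0] <= ts - self.window_s:
            queue.popleft()
        return len({v for _, v in queue})

    def observe(self, ts, ip, account):
        """Record one event (timestamps non-decreasing); return rules that fired."""
        alerts = []
        if self._distinct(self.by_ip[ip], ts, account) > MAX_ACCOUNTS_PER_IP:
            alerts.append("many_accounts_from_one_ip")
        if self._distinct(self.by_account[account], ts, ip) > MAX_IPS_PER_ACCOUNT:
            alerts.append("account_rotating_ips")
        return alerts

def replay(events):
    tracker = VelocityTracker()
    return [(ts, ip, acct, tracker.observe(ts, ip, acct)) for ts, ip, acct in events]

# Constructed events: (seconds, ip, account). Documentation addresses only.
EVENTS = [
    (0, "198.51.100.7", "a1"), (60, "198.51.100.7", "a2"),
    (120, "198.51.100.7", "a3"), (180, "198.51.100.7", "a4"),
    (200, "203.0.113.1", "c1"), (260, "203.0.113.2", "c1"),
    (320, "203.0.113.3", "c1"), (380, "203.0.113.4", "c1"),
    (5000, "198.51.100.7", "b1"),  # same IP after the window has expired
]

if __name__ == "__main__":
    for ts, ip, acct, alerts in replay(EVENTS):
        print(ts, ip, acct, alerts or "ok")
```

The last event comes from the address that fired a rule earlier, but raises nothing because the earlier activity has aged out of the window.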
Enhancing IP Score Checks with APIs
As we’ve seen, understanding IP addresses and getting a report is fast, affordable, and easy to perform. But it’s in no way flawless. While it can indicate suspicious behavior, it cannot point to fraud with 100% certainty.
This is, in fact, one of the shortcomings of the tech: it’s only useful as part of a complete set of fraud detection tools. When you search for risk, you need as much data as possible. Combining IP checks with digital footprint signals gives an even clearer view of user risk.

The Benefits of IP Analysis Against Fraud
As we’ve seen, IP addresses contain a multitude of valuable parameters that help us calculate risk. That’s not the only reason to rely on IP analysis against fraud. Here is why you should deploy that type of tool today:
- Lightweight checks: IP analysis is invisible to the end user. All the checks happen behind the scenes, without slowing down the user journey.
- Real-time results: checking most IP parameters is nearly instantaneous, which also helps create a frictionless experience without sacrificing safety.
- Affordable: IP analysis is one of the most cost-effective ways to filter out bad agents.
As for the types of fraud you can detect with IP analysis, they include bot traffic, bonus abuse, multi-accounting, payment fraud, and more.
Prevent IP Fraud Risk with SEON
Breaking down the features of IP addresses for risk scoring is fast, affordable, and delivers results in real time. This is exactly what SEON’s IP lookup module offers in an affordable, easy-to-use package.
However, IP data is only one piece of the puzzle. To strengthen your overall fraud management strategy, covering risks such as bot attacks, bonus abuse, and chargeback fraud, it helps to combine IP fraud scoring with reverse email lookup, device fingerprinting, and other checks available through SEON’s fraud detection & prevention solution.
Frequently Asked Questions
There are two types of IP scores. One of them is called an IP reputation score. Service providers use it to determine if your emails should pass spam filters. In fraud prevention, your IP risk score can determine if a system labels you as fraudulent or not.
Any improper use of the IP address of a server is considered IP abuse. This includes spamming, phishing attempts, DDoS or malware attacks.
An IP score rating helps businesses determine whether an IP address is risky or not. While there is no standard for how the scores are calculated, a higher score tends to point towards a risky IP.
IP analysis can be performed manually by taking certain parameters, such as an IP address, and checking it against public databases. However, most businesses automate the process using IP lookup and IP risk-scoring tools.
