The 2026 State of SaaS Signup Fraud Report
A directional, evidence-based look at what's actually attacking SaaS signup forms in 2026 — disposable emails, VPN traffic, AI-bot signups, Gmail alias abuse, and free-tier infrastructure mining. Drawn from Vouchley verification telemetry plus the broader industry data.
SaaS signup fraud in 2026 is not a single problem — it's five overlapping ones. Disposable emails inflate top-of-funnel volume. VPN and datacenter IPs hide automated farming. Gmail alias tricks fragment one human into many trial accounts. AI-driven agentic bots increasingly mimic human signup behavior. And free-tier infrastructure mining quietly destroys unit economics on products with expensive variable costs. This report aggregates what we see across Vouchley's verification telemetry, combined with publicly available industry data, into the most actionable picture possible of where signup fraud actually sits at the start of summer 2026.
This is a directional report, not a peer-reviewed dataset. Where we cite specific percentages from Vouchley traffic, they're aggregated across customers and represent typical ranges — your specific product, country mix, and acquisition channels will move these numbers around. Where we cite industry-wide figures, the source is linked at the bottom.
TL;DR — the five things changing in 2026
- AI-bot signups are growing ~10× year-over-year and routinely defeat legacy CAPTCHA + time-on-page checks
- Disposable email domains are spawning at 20–50 new domains/week — static blocklists go stale fast
- Gmail alias abuse (
+tagand dots) is now present on ~1 in 7 Gmail signups- Datacenter-IP signups concentrate on AWS, GCP, Hetzner, and DigitalOcean ASNs — under 1% of legitimate B2B traffic, 5%+ on attacked products
- VPN signups themselves are not block signals; VPN plus rapid feature consumption is the actual fraud fingerprint
1. The shape of signup fraud in 2026
Five distinct attack patterns drive virtually all signup fraud. Each has different fingerprints, costs, and mitigations. A team that names them separately ships better defenses than a team that lumps them under "fake signups."
Disposable email abuse
The most volumetric category. Across typical day-to-day Vouchley traffic, 2–5% of signups arrive on a known disposable email domain (Mailinator, 10MinuteMail, Guerrilla Mail, YOPmail, Temp Mail, and roughly 5,000 others). On launch days — Product Hunt, Hacker News front-page, viral X posts — that ratio spikes to 15–30% for a 24–48 hour window before returning to baseline.
The cost: low per signup (the user is mostly just curious, not actively trying to drain you), but high in aggregate because disposable email is the dominant cause of email deliverability damage. Gmail and Outlook punish senders with high bounce rates and high spam-fold rates — and bouncing transactional mail to abandoned Mailinator inboxes is exactly that pattern.
Automated / scripted signups
Smaller in raw volume — under 1% of legitimate B2B SaaS signups originate from datacenter-IP ASNs (AWS, GCP, Hetzner, DigitalOcean, Linode, Vultr, OVH). On products actively under automated attack, that ratio jumps to 5%+ and sometimes 15–25% for a few hours during the attack window.
The cost: much higher per signup. Scripts are most often pointed at products with expensive variable resources — LLM credits, video rendering, large storage allocations, API call quotas. A single weekend of unchecked automated abuse can produce a five-figure cloud bill.
Gmail alias abuse
Roughly 1 in 7 Gmail signups attempts at least one variant of +tag or dot abuse. Most are innocent — people who use rohit+netflix@gmail.com or r.o.h.it@gmail.com to organize their inbox, not to defraud. But the same normalized Gmail address signing up three or more times across a short window is a near-certain abuse signal.
The cost: distorts your conversion analytics (one human looks like four accounts), gates legitimate free-trial economics, and trains your sales team to email the same person four times.
AI-driven agentic signups
The newest pattern, growing roughly 10× year-over-year through 2026. The fingerprint is different from classic scripted abuse:
- Real browser fingerprints (headless Chrome with stealth patches)
- Realistic timing (typing pauses, scroll events, mouse movement)
- Residential proxy IPs that look like home internet connections
- Coherent name + company + job-title combinations the model invented
Legacy CAPTCHA and time-on-page checks miss most of it. The signal that does catch it is combination: residential-but-suspicious IP + brand-new email-domain + behavioral micro-anomalies + rapid feature consumption. No single layer fires; the score adds up.
Free-tier infrastructure mining
The most damaging pattern even when it's small in volume. Someone signs up specifically to exploit free compute, storage, or API credits at scale. Common targets in 2026:
- LLM-credit resale (sign up to OpenAI / Anthropic wrappers, pull out as many tokens as possible, resell access on grey markets)
- Free-tier GPU/render minutes
- Free-tier outbound email or SMS
- Free-tier cloud storage for piracy or CSAM staging
The cost is concentrated and brutal. A single mining attack on a SaaS without rate limiting can produce a $50,000 cloud bill before anyone notices. The mitigation is layered: rate-limit aggressively, cap free-tier resource consumption per user per day, and score signups so the obvious miners never get past the door.
2. What's growing the fastest
The single fastest-growing fraud category in 2026 is AI-driven agentic signups. Behind that, residential-proxy traffic (which masks automated abuse as legitimate consumer traffic) and Gmail alias abuse (driven by the broader anti-spam alias trend). Disposable email volume is roughly flat year-over-year — the same domains, slightly more users.
AI-bot signups — ~10× year-over-year
Two things drove the surge: cheap agentic browsing infrastructure (Browserbase, Browserless, Playwright-cloud), and the rise of CAPTCHA-solving-as-a-service (~$0.001–0.003 per solve). A motivated attacker can now create 10,000 plausible signups for under $50.
What this means in practice: any defense that depends on "humans behave differently than bots" is degrading fast. The new working defenses depend on combination signals — IP plus domain age plus behavioral micro-anomalies — rather than any single check.
Residential proxy traffic — ~3–5× year-over-year
Residential proxies (Bright Data, Oxylabs, IPRoyal, NetNut and dozens of smaller services) sell access to IPs that route through real consumer ISPs and look indistinguishable from legitimate home traffic. Used in fraud to defeat IP-reputation checks that focus on datacenter ASNs.
The mitigation is not "block residential proxies" — that's impossible without massive false positives. The mitigation is scoring. Residential proxy IPs combined with brand-new account creation, immediately followed by expensive feature use, is a high-confidence abuse fingerprint.
Gmail alias abuse — modest growth, but compound damage
The growth here is driven by a legitimate trend — people increasingly use email aliases to manage spam and privacy. Apple's "Hide My Email," SimpleLogin, AnonAddy, DuckDuckGo Email Protection, and Firefox Relay are all normalized in 2026. Most users on those services are real and high-intent.
The compound damage: when a legitimate alias service indistinguishable from disposable email becomes mainstream, naïve blocklists start eating real customers. The right answer is risk-tiering alias services rather than hard-blocking them.
3. The detection signals that actually work
No single signal stops modern signup fraud. Five combined signals — email domain, IP reputation, domain age, behavioral patterns, and device fingerprint — catch 90%+ of abuse when scored together. The single highest-leverage improvement most SaaS teams can make is moving from any single-signal defense to a layered score.
Email-layer signals
- Disposable domain match (against a daily-updated list)
- Role-based prefix (
info@,admin@,sales@,support@) - MX-record existence and freshness
- Free-provider classification (Gmail, Proton, Outlook, Yahoo, etc.)
- Gmail / Outlook alias normalization
Coverage alone: roughly 40–50% of fraud caught.
IP-layer signals
- VPN / commercial proxy detection
- Tor exit-node lists
- Datacenter / hosting ASN classification
- Geolocation vs declared country / language preference
- IP reputation score from a continuously-updated feed
Coverage alone: roughly 30–40% of fraud caught. Strong overlap with email-layer signals — together with email, you're at ~75–80%.
Domain-layer signals (for B2B)
- Domain age in days (anything under 30 is highly suspicious for B2B)
- Domain has a live HTTPS website (yes/no)
- MX records present and reachable
- Domain registered with a privacy / proxy registrar (small negative signal alone, larger when combined)
Coverage alone: lower (10–20%) but catches a specific pattern other layers miss — the "shell company" signup where the email passes deliverability but the domain is brand-new and has no online presence.
Behavioral signals
- Time-on-page before submit (under 3 seconds = high suspicion)
- Field-fill ordering (top-to-bottom vs all-at-once)
- Mouse movement / touch events present before click
- Honeypot field interaction (any interaction = bot)
- Scroll events before submit (real users scroll; many bots don't)
Coverage alone: 30–40% and dropping (AI-driven bots are increasingly humanlike). Still cheap to implement and worth keeping as a marginal contributor to the combined score.
Device-fingerprint signals
- Canvas fingerprint
- User agent + screen size + timezone + language
- Browser plugin list
- Same fingerprint creating multiple accounts over a short window
Coverage alone: variable, but this is the signal that catches motivated humans who swap emails and IPs but reuse the same device. The other four signals catch scripts and casual abusers; fingerprinting catches the long tail of human abusers.
The combined-score advantage
Each signal on its own has both false positives and false negatives. The math advantage of combining them is large: if every signal is 70% accurate independently, combining five via a thresholded score moves you to ~95% combined accuracy with proper weighting. That's the entire pitch for risk-tiered scoring rather than any single-layer block.
4. Industry benchmarks for 2026
Across published data and Vouchley's own traffic, the rough benchmarks for a "healthy" SaaS signup profile in 2026 are: under 3% disposable email rate, under 12% VPN signup rate, under 1% datacenter-IP rate, and a trial-to-paid conversion rate that doesn't differ by more than 3× between Gmail and corporate email signups. SaaS teams seeing significantly worse numbers than this on any axis have abuse to fix.
| Metric | Healthy benchmark | Under-attack range |
|---|---|---|
| Disposable email signups | < 3% | 8–30% |
| VPN signup rate | < 12% | 18–35% |
| Tor exit signups | < 0.5% | 1–5% |
| Datacenter-IP signups | < 1% | 5–25% |
| Same-IP signups (per 90 days) | < 5% of IPs | 30–40% |
| Conversion gap (Gmail vs corp) | < 3× | 8–20× |
| Free-tier limit hit < 24h | < 5% | 20–40% |
Note on benchmarks: these are typical ranges across Vouchley customers and broader industry reports. Your specific profile will shift based on country mix, acquisition channels (LinkedIn ads vs Product Hunt vs SEO), product category (developer tools see more datacenter signups; consumer apps see more disposable), and freemium offer (the more generous the trial, the more abuse).
5. The cost of inaction
Free trial abuse costs SaaS companies in three categories — direct infrastructure spend on fake users (20–50% of variable cost on attacked freemium products), email deliverability damage that hurts transactional mail to real users for weeks after, and polluted analytics that cause teams to over-invest in fixes for the wrong problems. Total cost is rarely tracked properly because most of it sits in the analytics gap.
Direct infrastructure cost
For products with expensive variable costs (LLM tokens, GPU compute, video rendering, large file storage), unchecked free-tier abuse can quickly account for 20–50% of total variable spend. For products with cheap variable costs (most SaaS dashboards, project management tools, basic CRMs), the direct cost is more like 2–8%.
Email deliverability damage
Underrated. Every signup with an unreachable email address that bounces a welcome email hurts your sender reputation. Across enough volume, Gmail and Outlook start flagging your domain as a low-quality sender — and the user-facing impact is legitimate transactional mail starts landing in spam. Password resets, receipts, security notices, deal notifications. The recovery period is 4–8 weeks after you've cleaned up your signups.
This is the cost most SaaS teams discover too late. By the time the deliverability dashboard turns red, the cause has been compounding for months.
Polluted analytics
The most insidious cost. If 30% of your trial signups are abuse, your trial-to-paid conversion rate looks artificially low. Your team tries to fix this by tweaking pricing pages, onboarding flows, and email sequences — none of which moves the needle because the problem isn't the funnel, it's the input.
Many SaaS teams spend a quarter "fixing conversion" before realizing the issue was clean-up, not optimization.
6. What's working in 2026 — the new defense playbook
The 2026 working defense is layered, scored, tiered, and silent. Layered means five signal types stacked. Scored means a single 0–100 number that combines them. Tiered means different actions at different score bands rather than binary block / allow. Silent means never telling the suspected abuser why they failed — that information helps them iterate.
Layered
Don't depend on any single signal. Combine email-layer, IP-layer, domain-layer, behavioral-layer, and device-layer checks. Each layer alone is bypassable; the combination is much harder.
Scored
Reduce all signals to a single 0–100 trust score that downstream code can branch on. This makes the threshold tunable — you can move the dial against false positives or false negatives in production without rewriting branching logic.
Tiered
Score ≥ 75: fast-track. Score 40–74: require email verification before activation. Score 15–39: verify email + delay high-cost features 24 hours. Score < 15: silent block.
The middle tiers matter more than the extremes. Most signups land in the 40–74 range — and "verify email before activation" catches enormous amounts of low-effort abuse without inconveniencing real users.
Silent
When you block, never explain. "We'll email you when your account is ready" and never email them. Tell a fraudster their email domain is blocked, and they switch to a different disposable provider next attempt. Tell them their IP is flagged, and they swap to a different residential proxy. Each piece of information you leak helps them iterate.
The instinct to be transparent with users is correct in 99% of product situations. Signup fraud is the 1%.
7. How to audit your own SaaS — a four-step exercise
A practical exercise any SaaS team can run in a single afternoon to size their signup-fraud exposure before investing in mitigations.
Step 1 — Segment trial-to-paid conversion by signup source
Run a SQL query against your users table. Group by email-domain category (corporate / Gmail / Outlook / Yahoo / disposable / other) and country. If any segment converts below 0.5% and represents more than 5% of signups, you have a fraud cluster worth investigating.
Step 2 — Measure account age at first revenue event
How long after signup does a typical paying customer convert? Compare that distribution against the cohort of accounts that hit free-tier limits within 24 hours. If 30%+ of feature-limit-hitting accounts are under 24 hours old, you have automated abuse — those are not engaged prospects.
Step 3 — Group trial accounts by IP and browser fingerprint
Count distinct accounts per unique IP and per unique device fingerprint over the last 90 days. Healthy SaaS: under 5% of IPs create more than one trial. Abused SaaS: 30–40%. The fingerprint signal catches motivated humans that swap emails and IPs but reuse the same device.
Step 4 — Sample 50 free-tier signups manually
Pull 50 random free-tier accounts from the last 30 days and look at each one — does the email look real, the IP look like consumer traffic, the company name plausible? A quick manual gut-check is the single fastest way to know whether to ship mitigations now or wait another month.
8. Methodology and data caveats
This report blends:
- Vouchley verification telemetry — aggregated, anonymized signal-firing rates across thousands of customer signups in 2026. Specific percentages reflect typical ranges across customers; any one product's numbers will vary by industry, country mix, and acquisition channel.
- Public industry research — citation-grade reports from Stripe, Clearout, Sensfrx, and others (linked below).
- Vendor pricing pages — verified against each public source on 2026-04-28.
What this report is not: a peer-reviewed academic dataset. Numbers are directional and meant to inform engineering decisions, not regulatory or financial models.
Where the report cites specific percentages from Vouchley traffic, they represent the rough range we observe — not a precise measurement of a single point in time. The signup-fraud landscape moves faster than annual reports can track, which is why combined-signal scoring (rather than fixed thresholds) is the recommended defense in 2026.
What to do next
If you got this far, you're probably a SaaS founder or engineer staring at a signup form that's getting attacked. Three concrete things to ship this week:
- Run the four-step audit above. You'll know in an afternoon whether you have a real problem or are optimizing prematurely.
- Implement Layer 1 + Layer 2 — disposable email blocking and Gmail alias normalization. Both ship in a single afternoon and catch the bulk of casual abuse.
- Score every signup with a combined model — either build it yourself or use an API. The combined score is what catches the hard cases the single layers miss.
Quick starts
- Start free with 100 Vouchley credits → — no card, ship in 30 minutes
- Download the disposable email domain list (JSON) → — free, no email required
- Read the full free-trial abuse playbook →
- Compare Vouchley to Kickbox, ZeroBounce, Sift →
Sources and further reading
Frequently asked questions
What is the most common form of SaaS signup fraud in 2026?
Disposable email signups remain the most volumetric category, accounting for roughly 2–5% of typical day-to-day traffic and spiking to 15–30% during product-hunt launches and viral moments. Datacenter-IP automated signups are smaller in volume (under 1% of legitimate traffic, 5%+ on attacked products) but cost far more per incident because they tend to abuse high-cost resources like LLM credits and storage.
How fast is AI-bot signup fraud growing?
Roughly 10× year-over-year through 2026, based on the rise of agentic browsing tools and signup-automation services. The fingerprint of AI-driven fraud differs from traditional scripted abuse: more human-like timing, real browser fingerprints from headless Chrome with stealth patches, residential proxy IPs. Legacy CAPTCHA and time-on-page checks miss most of it; combined IP-domain-behavioral scoring catches it.
What does free trial abuse cost a SaaS company?
Three categories of cost: direct infrastructure (20–50% of variable cost on freemium products with expensive resources), email deliverability damage (bounce and spam rates from unreachable addresses tank sender reputation at Gmail and Outlook, hurting transactional mail for real users), and polluted analytics (trial-to-paid conversion looks artificially low, leading teams to over-invest in pricing and onboarding fixes that won't solve the underlying problem).
Are Gmail signups more or less likely to be fraudulent than corporate email signups?
More likely, materially. Across typical B2B SaaS traffic, Gmail signups convert at roughly 1–3× lower rates than corporate-domain signups. Around 1 in 7 Gmail signups attempts at least one variant of + or dot alias abuse — most innocent, some not. The right move is not to block Gmail (you'll lose enormous legitimate volume) but to normalize Gmail addresses for uniqueness and apply slightly tighter scoring thresholds to free-provider signups.
Should I require credit cards to start a free trial?
It eliminates 95%+ of automated abuse but reduces trial starts by 30–60%. The remaining users are 2–3× more qualified, so paid conversion rate often rises. The right tool for high-cost trials (significant LLM, video, or storage consumption per user). The wrong tool for product-led growth motions where top-of-funnel volume matters more than per-user qualification — those should use risk-tiered verification instead.
How quickly should new disposable email domains be added to a blocklist?
Daily. New disposable services spawn at a rate of roughly 20–50 new domains per week as of 2026, with launches concentrated in Asia-Pacific timezones. A static blocklist built six months ago will miss ~25–40% of currently-active disposable services. Either subscribe to a daily-updated feed or use a verification API that maintains the list as a service.
Rohit Kashyap
Built Vouchley, a real-time signup verification API that scores email + IP + domain + bot signals in one call. Previously shipped MailValid (email validation) and Skill Arena (real-time esports platform handling thousands of concurrent users). Writes about SaaS fraud, signup infrastructure, and indie engineering.
Further reading
AI Bot Signups in 2026: Why Your Existing Defenses Are About to Fail
AI agents now mimic human signup behavior — typing cadence, mouse jitter, even dwell time — at a cost of cents per account. Here's why traditional bot defenses break against agentic signup fraud, and the new layered approach SaaS teams need.
How Fake Signups Quietly Destroy Your Email Deliverability
Fake signups don't just waste compute — they wreck your sender reputation. Here's how Gmail and Outlook decide whether your transactional email lands in the inbox or the spam folder, and how fake accounts move that needle in the wrong direction.
What Is a Signup Verification API? A Practical Guide for Product Teams
Signup verification APIs sit between your signup form and your database, scoring every new account in real time. Here's what they actually do, what they don't do, and how to evaluate one for your SaaS.