IP Geolocation for Fraud Detection

Use IP intelligence to detect fraudulent transactions, fake accounts, and suspicious activity in real time.

Last updated: April 26, 2026

IP geolocation adds a network-level fraud signal that is independent of user-provided data and one of the hardest signals for fraudsters to fake. A stolen credit card from Texas used from a datacenter IP in Eastern Europe creates a geographic mismatch no credential quality can disguise. This page explains how IP intelligence catches fraud through geographic mismatch detection, VPN and proxy flagging, datacenter identification, and velocity checks — enriching risk scoring models alongside traditional signals like billing address and device fingerprints. It covers practical implementation for e-commerce, financial services, and account registration flows.

Online fraud costs businesses billions every year, and the attack surface keeps expanding. Account takeovers, payment fraud, fake registrations, and promotional abuse all share a common thread — the fraudster’s IP address reveals patterns that their stolen credentials cannot hide. IP geolocation and threat intelligence add a network-level fraud signal that is independent of user-provided data, making it one of the hardest signals for fraudsters to fake.

The Problem

Traditional fraud detection relies heavily on user-provided data — billing address, card details, device fingerprints — but sophisticated fraudsters have learned to defeat these signals. Stolen credentials come packaged with matching personal information. Device fingerprints can be spoofed with anti-detect browsers. Even multi-factor authentication can be bypassed through SIM swapping or phishing. According to the FTC’s Consumer Sentinel report, fraud losses exceed $10 billion annually in the US alone.

What fraudsters cannot easily fake is the network layer. A stolen credit card from Texas being used from a datacenter IP in Eastern Europe creates a geographic mismatch that no amount of credential quality can disguise. A login from a known VPN service minutes after a login from the user’s home ISP signals account compromise. IP intelligence catches these patterns in real time, before the fraudulent transaction completes.

How IP Intelligence Helps

IP geolocation adds network-level context to every transaction and authentication event. When a user logs in or makes a purchase, the fraud engine queries their IP address and receives geographic location, connection type, anonymization status, and threat reputation — all within milliseconds. This data feeds into risk scoring models alongside traditional signals to produce more accurate fraud decisions.

  • Geographic mismatch detection — compare the IP’s location against the billing address, shipping address, or the user’s historical login locations. A transaction from Lagos on a card with a billing address in Ohio is a strong fraud signal.
  • Anonymization detection — VPNs, proxies, and Tor are disproportionately used in fraud. While many legitimate users also use VPNs, a VPN connection combined with other risk signals (new account, high-value transaction, mismatched billing) significantly elevates the fraud probability.
  • Impossible travel detection — if an account authenticates from New York at 2:00 PM and from London at 2:15 PM, the account is compromised. IP geolocation provides the location data needed to calculate whether consecutive logins are physically possible.
  • Datacenter and hosting detection — legitimate customers rarely transact from cloud server IPs. The is_datacenter flag identifies connections originating from AWS, Google Cloud, DigitalOcean, and similar providers, which are commonly used by automated fraud tools and bot networks.
  • Velocity checks by network — track how many distinct accounts or transactions originate from the same IP, ASN, or /24 subnet within a time window. High velocity from a single network segment indicates coordinated fraud activity.

Key API Fields for Fraud Detection

| API Field | Fraud Signal | Plan |
| --- | --- | --- |
| country_code | Geographic mismatch with billing/shipping | Free |
| city / region | Granular location verification | Free |
| is_vpn | Anonymized connection (elevated risk) | Pro |
| is_proxy | Proxy-based identity masking | Pro |
| is_tor | Tor network (high risk for fraud) | Pro |
| is_datacenter | Hosting infrastructure (bot/automation) | Pro |
| threat_score | Composite IP reputation (0-100) | Business |
| connection_type | Residential vs hosting vs mobile | Business |
| asn / org | Network operator identification | Free |
| timezone | Timezone vs stated location consistency | Free |

Implementation Example

A typical fraud scoring integration evaluates IP signals alongside transaction data to produce a risk score. Here is a simplified example:

// ipLookup, getLastLogin and isImpossibleTravel are supplied by the application.
async function assessFraudRisk(transaction) {
  const geo = await ipLookup(transaction.ip);
  let riskScore = 0;

  // Geographic mismatch
  const billingMismatch = geo.country_code !== transaction.billing_country;
  const shippingMismatch = geo.country_code !== transaction.shipping_country;
  if (billingMismatch) riskScore += 30;
  if (shippingMismatch) riskScore += 20;

  // Anonymization signals
  if (geo.is_vpn) riskScore += 15;
  if (geo.is_tor) riskScore += 35;
  if (geo.is_proxy) riskScore += 20;
  if (geo.is_datacenter) riskScore += 25;

  // Threat reputation. Skip the term when the field is absent (it is a
  // Business-plan field) so the score never becomes NaN and falls through to 'allow'.
  if (Number.isFinite(geo.threat_score)) riskScore += Math.floor(geo.threat_score * 0.3);

  // Impossible travel (compare to last login)
  const lastLogin = await getLastLogin(transaction.user_id);
  if (lastLogin && isImpossibleTravel(lastLogin, geo)) riskScore += 40;

  return {
    score: Math.min(riskScore, 100),
    action: riskScore > 70 ? 'block' : riskScore > 40 ? 'review' : 'allow',
    signals: {
      geo_mismatch: billingMismatch || shippingMismatch,
      vpn: geo.is_vpn,
      datacenter: geo.is_datacenter
    }
  };
}
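
The example above calls isImpossibleTravel without defining it. One way to implement it is sketched below as an added example, not code from the original page or from the API vendor. It assumes both records carry latitude, longitude and a millisecond timestamp (field names are assumptions), and the speed ceiling and distance floor are assumed values to calibrate.

```javascript
// Added example. Field names (latitude, longitude, timestamp) and both
// thresholds are assumptions, not values documented on this page.
const EARTH_RADIUS_KM = 6371;
const MAX_SPEED_KMH = 900;   // assumed ceiling, about airliner cruise speed
const MIN_DISTANCE_KM = 100; // assumed floor; city-level geolocation error dominates below it

const toRad = (deg) => (deg * Math.PI) / 180;

// Great-circle (haversine) distance between two { latitude, longitude } points.
function haversineKm(a, b) {
  const dLat = toRad(b.latitude - a.latitude);
  const dLon = toRad(b.longitude - a.longitude);
  const h =
    Math.sin(dLat / 2) ** 2 +
    Math.cos(toRad(a.latitude)) * Math.cos(toRad(b.latitude)) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_KM * Math.asin(Math.min(1, Math.sqrt(h)));
}

// prev, curr: { latitude, longitude, timestamp } with timestamp in epoch milliseconds.
function isImpossibleTravel(prev, curr) {
  const needed = [prev.latitude, prev.longitude, prev.timestamp,
                  curr.latitude, curr.longitude, curr.timestamp];
  if (!needed.every(Number.isFinite)) return false; // incomplete data: no signal
  const distanceKm = haversineKm(prev, curr);
  if (distanceKm < MIN_DISTANCE_KM) return false;   // within geolocation error
  const hours = Math.abs(curr.timestamp - prev.timestamp) / 3_600_000;
  return hours === 0 || distanceKm / hours > MAX_SPEED_KMH;
}

// Constructed sample events mirroring the page's New York -> London case.
const newYork = { latitude: 40.7128, longitude: -74.006, timestamp: Date.UTC(2026, 0, 5, 14, 0) };
const london15m = { latitude: 51.5074, longitude: -0.1278, timestamp: Date.UTC(2026, 0, 5, 14, 15) };
const london8h = { ...london15m, timestamp: Date.UTC(2026, 0, 5, 22, 0) };
```

The lookup result has no timestamp of its own, so the caller must attach the event time to the current record before comparing. A login through a VPN exit node reports the exit's location, so pair this check with the is_vpn flag before treating a hit as compromise.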

Real-World Fraud Patterns

IP intelligence reveals distinct patterns for different fraud types:

  • Card-not-present fraud — the IP location does not match the cardholder’s billing address or known location. Often originates from a different country entirely. VPN usage is common as fraudsters attempt to make their location match the card’s country. According to Visa’s security resources, geographic verification is a key component of CNP fraud prevention.
  • Account takeover (ATO) — a sudden change in login location, especially combined with immediate high-value transactions or account changes (new shipping address, new email). The IP often comes from a datacenter, VPN, or a country inconsistent with the account’s history.
  • Synthetic identity fraud — fake accounts created using combinations of real and fabricated personal data. These accounts often register from datacenter IPs, have no login history to compare against, and may exhibit velocity patterns (multiple accounts from the same IP range).
  • Promotion abuse — users creating multiple accounts to exploit sign-up bonuses, referral rewards, or limited offers. IP intelligence reveals when many accounts originate from the same IP, subnet, or ASN, indicating a single person operating multiple identities.
  • Credential stuffing — automated login attempts using lists of stolen credentials. These attacks typically originate from datacenter IPs, rotate through proxies, and show high velocity from individual ASNs. The is_datacenter and is_proxy flags are the primary detection signals.

Why My IP Help

  • Real-time fraud decisioning — API responses in under 50ms fit within payment processing and authentication workflows where latency directly impacts user experience and conversion rates.
  • Comprehensive risk signals — geolocation, anonymization detection, connection type, and threat scoring in a single API call. No need to integrate and maintain multiple vendor feeds for different fraud signals.
  • High-frequency detection updates — VPN, proxy, and Tor databases are updated multiple times daily. Fraudsters frequently rotate infrastructure, and stale detection databases create gaps that they exploit.
  • Flexible integration — REST API integrates with any fraud platform, payment gateway, or custom scoring engine. Use real-time lookups for transaction scoring and bulk lookups for retroactive analysis of historical fraud patterns.

Frequently Asked Questions

How does IP geolocation help detect payment fraud?

IP geolocation reveals the buyer’s physical location at the network level. By comparing this against the billing address and shipping address, fraud systems detect geographic mismatches that indicate stolen card usage. A purchase from a different country than the cardholder’s address is a strong fraud signal that triggers additional verification.

Can fraudsters bypass IP-based detection with a VPN?

VPNs can mask a fraudster’s true location, but the API’s is_vpn flag detects this. While VPN usage alone is not conclusive (many legitimate users use VPNs), a VPN combined with other risk signals — geographic mismatch, new device, high-value transaction — significantly increases the fraud probability. The VPN detection itself becomes a risk signal.

What is impossible travel detection?

Impossible travel detection compares consecutive login locations for the same account. If a user logs in from Chicago at 1:00 PM and from Tokyo at 1:30 PM, the physical distance makes it impossible for the same person to have traveled between the two locations. This indicates the account credentials are being used by someone else, likely from a compromised account.

How accurate is IP geolocation for fraud detection?

Country-level accuracy exceeds 99%, which is sufficient for most cross-border fraud detection. City-level accuracy ranges from 70-85%. For fraud purposes, country and region-level matching is the most valuable signal, as most card fraud involves different countries. Even city-level inaccuracies rarely cross country or state boundaries.

Should I block all transactions from VPNs or datacenters?

No. Blanket blocking creates too many false positives and frustrates legitimate customers. Instead, use VPN and datacenter flags as inputs to a risk scoring model that considers multiple signals. A VPN user purchasing a low-value item from a trusted account with consistent history is low risk. A VPN user on a new account making a high-value purchase with an address mismatch is high risk.

What is a threat score and how should I use it?

A threat score is a composite risk rating (0-100) aggregating multiple signals: VPN/proxy/Tor status, historical abuse reports, datacenter classification, and network reputation. Use it as one input to your fraud model alongside transaction-specific signals. A threshold of 40-50 for elevated review and 70+ for blocking is a common starting point, but calibrate based on your fraud rates.

How do I detect promotion abuse with IP data?

Track the number of new account registrations per IP address, /24 subnet, and ASN within a time window. Multiple accounts from the same network segment — especially from datacenter or proxy IPs — strongly indicate a single person creating fake accounts. The is_datacenter flag and ASN data are the primary signals for this pattern.
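
The per-IP, per-/24 and per-ASN counting described here and under velocity checks can be done with a sliding window over registration events. The following is an added example, not code from the original page; the class name, window length and limits are assumptions, and the sample addresses are constructed from documentation ranges.

```javascript
// Added example. Class name, window length and limits are assumptions to calibrate.
const WINDOW_MS = 60 * 60 * 1000;                 // assumed one-hour sliding window
const LIMITS = { ip: 3, subnet24: 10, asn: 50 };  // assumed max distinct accounts per scope

// Collapse an IPv4 address to its /24 network; returns null for anything else.
function subnet24(ip) {
  const parts = String(ip).split('.');
  const valid = parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  return valid ? `${parts.slice(0, 3).join('.')}.0/24` : null;
}

class NetworkVelocity {
  constructor() {
    this.events = new Map(); // scope key -> [{ account, ts }]
  }

  // Record one registration; return the scopes whose distinct-account count exceeds its limit.
  record({ ip, asn, account, ts }) {
    const net = subnet24(ip);
    const keys = { ip: `ip:${ip}`, subnet24: net && `net:${net}`, asn: asn && `asn:${asn}` };
    const exceeded = [];
    for (const [scope, key] of Object.entries(keys)) {
      if (!key) continue; // e.g. IPv6 address or missing ASN
      const recent = (this.events.get(key) || []).filter((e) => ts - e.ts < WINDOW_MS);
      recent.push({ account, ts });
      this.events.set(key, recent);
      const distinct = new Set(recent.map((e) => e.account)).size;
      if (distinct > LIMITS[scope]) exceeded.push({ scope, key, distinct });
    }
    return exceeded;
  }
}

// Constructed sample: 11 sign-ups, one per minute, from rotating hosts in one /24.
function demoSubnetBurst() {
  const tracker = new NetworkVelocity();
  let last = [];
  for (let i = 1; i <= 11; i++) {
    last = tracker.record({ ip: `198.51.100.${i}`, asn: 'AS64500', account: `user${i}`, ts: i * 60_000 });
  }
  return last; // [{ scope: 'subnet24', key: 'net:198.51.100.0/24', distinct: 11 }]
}
```

No single IP repeats in the sample, so only the /24 scope trips, which is the case a per-IP counter alone would miss. State here lives in process memory; a multi-node deployment needs the same counters in a shared store.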

Can IP intelligence detect credential stuffing attacks?

Yes. Credential stuffing attacks generate high volumes of login attempts from datacenter IPs, often rotating through proxies. The is_datacenter, is_proxy, and ASN fields reveal the attack infrastructure. Rate limiting by ASN and blocking datacenter IPs from authentication endpoints are effective countermeasures.

How does IP fraud detection work with mobile users?

Mobile users connect through their carrier’s network, and IP geolocation identifies the carrier and approximate location. Mobile carrier IPs may be less precise at the city level due to NAT, but country and region accuracy remains high. The connection_type field distinguishes mobile connections from residential and datacenter traffic.

What latency does fraud scoring add to the checkout process?

The My IP Help API responds in under 50 milliseconds. Combined with a local risk scoring calculation, the entire fraud check adds less than 100ms to the transaction flow — imperceptible to the user. Responses can be cached per IP to eliminate API calls for repeat transactions during the same session.
