Stop fake referrals
without blocking real ones

Enable fraud detection in Settings → Referral → Fraud protection. The 'Balanced' level (default) catches most fraud: device fingerprinting blocks same-device signups across browsers and incognito tabs, email normalization catches Gmail dot tricks and plus-addressing, and the disposable email blacklist blocks 140+ temp email services. The key: fraud detection is silent. Fake signups still go through (so the fraudster doesn't know they've been caught), but the referral credit is withheld. The referrer doesn't get points.

First, set fraud protection to 'Strict' to stop new fake referrals immediately. Then review your subscriber list — signups from known disposable domains and those with withheld referral credits are visible in your dashboard. For existing damage: you can manually adjust points via the API, or remove fraudulent subscribers entirely. Going forward, the multi-signal detection (fingerprinting + IP + email normalization + velocity) makes it very difficult for a single person to accumulate fake referrals without being caught.

On 'Balanced' (default), unlikely. Same-IP referrals score 40 points against a 50-point threshold, so they'll only be flagged if combined with another signal (like a fingerprint match or suspicious email pattern). People on the same WiFi network but using different devices with different emails will almost always pass. On 'Strict', same-IP alone is enough to trigger. Use Strict only for high-stakes campaigns where fraud risk outweighs the risk of blocking a few legitimate shared-network referrals.

Yes — that's why it's effective. FingerprintJS generates a visitor ID from browser properties (canvas rendering, WebGL, installed fonts, screen dimensions) that remain consistent across normal and incognito sessions on the same device. If someone opens an incognito tab to fake a referral, the fingerprint still matches their regular session. It's not perfect — some browsers with aggressive anti-fingerprinting (Tor, Brave with strict settings) can evade it. But combined with IP analysis and email normalization, even those cases are usually caught by another signal.

Yes. In your fraud detection settings, you can add up to 5 whitelisted emails that bypass all fraud checks. This is useful when testing your referral flow with your own email addresses — you won't accidentally flag yourself as a fraudster. Alternatively, set the protection level to 'Off' temporarily during testing, then switch back to 'Balanced' before your waitlist goes live.

Very few. Most waitlist tools (LaunchList, Prefinery) have no fraud detection at all. Waitlist.com has basic checks. Viral Loops flags high-risk participants but users report that bots still get through. Waitlister is the only waitlist tool with device-fingerprint-based fraud detection, email normalization (Gmail dot tricks, plus-addressing), velocity scoring, disposable email blocking, and configurable protection levels — all included from the Launch plan at $15/mo. GrowSurf has comprehensive fraud detection, but it's referral software for established products ($125+/mo), not a waitlist tool.

No. Fraud detection is included on the Launch plan ($15/mo) and above — the same plan that includes referrals. There's no separate add-on or per-check pricing.

Yes. This is a complementary strategy. In your thank-you page editor, turn off 'Show position' while keeping the leaderboard and referral section visible. Subscribers see the leaderboard ranked by points but never see their exact position number — removing the incentive to game from #47 to #12. Combine this with fraud detection for a belt-and-suspenders approach. Read more about hiding positions in the position inflation docs.