Why promo code abuse fraud is more harmful than you think

Morgan Ackley | Tuesday, January 24th, 2023 | 11 minutes

Businesses depend on promotions and lead-generating campaigns to acquire new customers and keep loyal customers happy. But anytime there is a transfer of value online via coupon, discount, or reward, there is also a fraud risk.

Sometimes what’s at risk isn’t a big-ticket item. Sign-up discounts and promotional offers — that free drink, first free download, or $5 voucher — have just as much value to a bad actor as cash and stolen credentials. Businesses, especially ones using subscription business models, that don’t prevent promo abuse can experience significant financial losses.

What is promo abuse fraud?

In promo abuse or discount fraud, a bad actor abuses a business’s promotional campaigns. Bad actors may attempt to defraud a business by using promo codes and discounts multiple times. Or they may abuse coupons and return policies to obtain goods for free.

Promo abuse is more often a form of intentional friendly fraud — it isn’t always criminal by law. After all, abusers often take advantage of policy loopholes and gaps in digital protections.

E-commerce retailers that use referral programs and sale-saving tactics like cart-abandonment coupons and apology discounts are most at risk for this type of fraud. In particular, promo abuse affects three common promotional campaigns.

  1. Sign-up bonuses: Promo abusers may attempt to open new accounts using multiple email addresses or aliases to take advantage of first-time-use discounts.
  2. Referral bonuses: Promo abusers may send referral codes to fraudulent email addresses for referral discounts. They may also crack referral codes for re-use.
  3. Loyalty discounts: Promo abusers may attempt to crack discount codes or use social engineering tactics to commit loyalty fraud to get more use out of one-time discounts.

“When it comes to promo abuse, we’re seeing new and different vectors of attack,” explained Brady Harrison, senior data analyst for Kount. “These days, it’s less common to see someone creating fraudulent coupons. But that behavior hasn’t gone away. It’s just transferred to a digital space.”

For example, rather than reusing the same coupon code, a bad actor may crack a coupon code by finding every possible coupon code for a single campaign. Previously, discounts and coupons made for a one-time transfer of value with a piece of paper. Today, a single bad actor can abuse a promotion countless times.

“We’ve seen that behavior increase as more traditional retailers undergo a digital transformation, particularly food service and restaurants that offer sign-up bonuses or incentives,” Harrison said. “And that’s frustrating because businesses count on those promotions for user retention. Instead, they have people who will create dozens of accounts to abuse the promotion.”

3 consequences of promo abuse fraud

Any business that isn’t concerned with the consequences of promo abuse might want to think again. One or two people taking advantage of a 10% sign-up promotion may not seem like a significant problem.

But remember that bad actors aren’t defrauding businesses at the rate of one or two promotions. They’re committing fraud at scale, taking advantage of promotions by the thousands or hundreds of thousands.

1. Promo abuse decreases sales and revenue

In 2014, an Uber user manipulated a referral code and shared it in a mass email and on Reddit. It wasn’t long before the user amassed $50,000 in Uber credits — essentially, free rides for life. The manipulated code became one of the top search results for “Uber promotion code.”

Uber discovered the abuse eight weeks later, after the user left a one-star review on a ride that Uber’s system flagged for manual review. By then, the company had lost eight weeks’ worth of rides. And it gave ride credit to the thousands of people who signed up under the user’s fraudulent referral code.

And Uber wasn’t alone in its unintentional allowance of promo abuse. 42% of businesses in a Kount survey said their organizations allow customers to abuse promotions. For example, they permit customers to buy enough merchandise to get free shipping but return items later, an act of free-shipping promo abuse and refund fraud.

2. Promo abuse leads to poor marketing spend

Promo abuse is especially detrimental to quick-service restaurants (QSRs) and franchise businesses, so online fraud detection for food service and restaurants is crucial if they want to continue offering promotions.

Let’s say a business sets up a marketing budget for a promotional campaign. In the first 10 days, that campaign budget maxes out, which looks like a success. But when the business analyzes the results, it finds user retention on the campaign is zero. Essentially, the business used its campaign budget to give promo abusers discounts and free products.

And that’s money that franchise businesses and QSRs can’t afford to lose. Quick-service restaurants were expected to spend $3.9 billion on local advertising in 2019, according to BIA Advisory Services.

By 2023, BIA predicts QSRs will spend an additional $47 million a year in local advertising. Across industries, marketing expenses accounted for 11% of a business’s revenue in 2020. In the B2C space, that percentage was slightly higher — on average, 14%.

3. Promo code abuse leads to poor user retention

When businesses use marketing expenses on promotional campaigns, they’re enticing customers to stay in their ecosystem.

Spend a dollar to give a new customer a free product and make two dollars on their next purchase. Businesses that don’t account for promo abuse are spending money for no return on customer retention.

“If you just have people who are getting a free product every day, or they’re getting $5 off every time they make a purchase in your web store, that’s not leading to customer retention,” Harrison explained.

“There are people who use a lot of promotions because they’re highly engaged with your loyalty program. But then there are people who are abusing programs by circumventing any basic controls your business might have in place.”

How to prevent promo abuse fraud

When it comes to best practices for fraud prevention — including promo abuse — implement a solution that protects the entire customer journey. Promo abuse is as prevalent at the beginning of the journey (i.e., sign-up) as it is at the end (i.e., loyalty redemption and checkout). The right fraud prevention solution can help businesses combat promo abuse at every stage.

“How you prevent promo abuse depends on the kind of promotion you’re running,” Harrison explained. “But the biggest issue is not having behavioral controls or only having basic controls in your campaigns.

“Behavioral controls can account for code cracking and new account sign-ups. You’ll want to make sure you have a way to stop people from abusing either a free trial or the first free item by limiting it based on credit cards, devices, or emails used.”

1. Customize policies around trusted device use at sign-up

Trusted device capabilities can help businesses stop promo abusers from signing up for multiple accounts. If a user is registering several accounts from one device, Kount can flag those accounts for review. Businesses can customize controls to prevent users from registering several accounts from one device.

Essentially, Kount customers can identify the relationship between a device and a user. Let’s say an existing user attempts to create new accounts. Because the business can see that the user is creating accounts from the same device, they can challenge that user’s activity.

2. Customize policies around email use at sign-up and referral

Businesses make it easy for bad actors to abuse referral promos when they don’t have any policies around email use. Kount’s Email Insights can help businesses evaluate each user’s identity and measure risk. For example, let’s say a promo abuser is mass-entering email addresses for referral bonuses.

Businesses can use Email Insights to learn more about an email’s risk and usage trends, date first seen and last used, and associated transaction volumes, refunds, and chargebacks. An influx of new accounts under email addresses with an age of zero or that haven’t seen activity in years may indicate another user committed promo abuse.

3. Customize policies around promo code or discount use

Some of the same tactics that make account takeover possible also make promo abuse possible. When bad actors want to break into user accounts, they may attempt hundreds of email and password combinations in rapid succession.

In a code cracking attack, a promo abuser may attempt thousands of combinations of promo or discount codes quickly until they find the ones that work.

An account takeover solution can help businesses detect when promo abusers are attempting to crack discount codes. The solution evaluates a user’s behavior and device for anomalies that may indicate high-risk activity from bots, credential stuffing, and brute-force attacks. Linking data like trusted device status, IP address, and mobile network and proxy indicators allows Kount to execute a business’s risk- and trust-based user authentication policies.
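
The three policies above, expressed as velocity rules over sign-up and redemption events. This is an added example, not code from the article or from Kount; the event fields, thresholds, flag names, and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Thresholds are illustrative assumptions, not values from the article or a product.
MAX_ACCOUNTS_PER_DEVICE = 2   # sign-ups from one device before review
MAX_FAILED_CODES = 5          # distinct invalid codes per device ...
WINDOW_SECONDS = 60           # ... within this sliding window

def canonical_email(addr):
    """Collapse plus-aliases (assumes the mail provider ignores '+tag')."""
    local, _, domain = addr.strip().lower().partition("@")
    return local.split("+", 1)[0] + "@" + domain

def review_events(events):
    """Return a sorted list of (reason, key) flags for time-ordered events."""
    accounts = defaultdict(set)    # device -> canonical emails registered
    aliases = defaultdict(set)     # canonical email -> raw addresses seen
    failures = defaultdict(deque)  # device -> (ts, code) of rejected codes
    flags = set()
    for ev in events:
        if ev["type"] == "signup":
            canon = canonical_email(ev["email"])
            accounts[ev["device"]].add(canon)
            aliases[canon].add(ev["email"].lower())
            if len(accounts[ev["device"]]) > MAX_ACCOUNTS_PER_DEVICE:
                flags.add(("multi_account_device", ev["device"]))
            if len(aliases[canon]) > 1:
                flags.add(("email_alias_reuse", canon))
        elif ev["type"] == "redeem" and not ev["ok"]:
            window = failures[ev["device"]]
            window.append((ev["ts"], ev["code"]))
            while window[0][0] <= ev["ts"] - WINDOW_SECONDS:
                window.popleft()  # drop failures that fell out of the window
            if len({code for _, code in window}) > MAX_FAILED_CODES:
                flags.add(("code_cracking", ev["device"]))
    return sorted(flags)

# Constructed sample events (not real data); dev-D fails slowly and is not flagged.
SAMPLE_EVENTS = (
    [{"type": "signup", "ts": i, "device": "dev-A", "email": e}
     for i, e in enumerate(["ann@example.com", "bob@example.com", "cy@example.com"])]
    + [{"type": "signup", "ts": 10 + i, "device": f"dev-B{i}", "email": e}
       for i, e in enumerate(["dee@example.com", "Dee+promo@example.com"])]
    + [{"type": "redeem", "ts": 100 + i, "device": "dev-C", "code": f"SAVE{i:03d}", "ok": False}
       for i in range(8)]
    + [{"type": "redeem", "ts": 200 + 90 * i, "device": "dev-D", "code": f"OLD{i}", "ok": False}
       for i in range(8)]
)

if __name__ == "__main__":
    print(*review_events(SAMPLE_EVENTS), sep="\n")
```

Flags here are meant to route an account or device to review or a step-up challenge, matching the article's "flag for review" and "challenge" language, rather than to block outright.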


Morgan Ackley

Content Strategist

Morgan has worked in the tech industry for over 5 years. Her breadth of knowledge and curiosity about technology and all things fraud-related drive her to craft compelling, educational pieces for readers seeking answers.