Anyone can create a new email address in minutes. They generally don’t have to verify their identity or use their real personal information, and they can go on to use the email address to try to open other accounts. In a sense, an email address can be rather impersonal.
Except, legitimate email addresses tend to actually be deeply personal. There’s a good chance you’ve had an email address for years — maybe decades — and it’s a foundational connection that ties you to different platforms, services, and purchases you’ve used or made over time.
The dichotomy is a good thing. It means you can use positive and negative signals associated with email addresses, along with several types of email verification, to detect bad actors during account opening, before confirming a transaction, and at other points throughout the customer lifecycle.
The three types of email verification
An email address can be an indirect piece of personally identifiable information (PII) and play a role in identity verification (IDV) and fraud prevention. For these purposes, there are three types of email verification you can use on their own or in combination:
- Access to the email: Can the person access the email address?
- The email’s reputation: Is the email address reputable?
- Email ownership: Does the email address belong to the person?
1. Access to the email
- You can confirm this by sending a one-time password (OTP) to the email.
Access to an email account doesn’t prove identity on its own. A bad actor may have access to someone else’s email account. Multiple members of an organization, family, or friend group might share a single email address. However, access can still be important.
For example, you might use an OTP to have someone prove that they can access an email address when they’re creating a new account. The check can help you detect bad actors who have other information associated with an email — such as a first and last name — but don’t know the account password.
You can also trigger an OTP request when you notice unusual activity such as an attempt to place a high-value order or change an account’s contact information. The OTP might act as a low-friction safety check that prevents some fraudulent transactions and account takeovers.
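One way to implement the email OTP check described above, as an added example that is not from the original article or any vendor's product. The class name, the 10-minute validity window, and the five-attempt cap are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 600  # assumed validity window
MAX_ATTEMPTS = 5       # assumed cap on wrong guesses per issued code


class EmailOtpStore:
    """In-memory store (hypothetical); a real service would use a shared datastore."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # (email, purpose) -> [salt, digest, expires_at, attempts]

    @staticmethod
    def _digest(salt, code):
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, email, purpose):
        """Create a 6-digit code bound to one address and one action."""
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.randint
        salt = secrets.token_bytes(16)
        key = (email.strip().lower(), purpose)
        # Issuing again replaces any earlier code for the same address and action.
        self._pending[key] = [salt, self._digest(salt, code),
                              self._clock() + OTP_TTL_SECONDS, 0]
        return code  # pass to the mail sender only, never back in the web response

    def verify(self, email, purpose, submitted):
        key = (email.strip().lower(), purpose)
        entry = self._pending.get(key)
        if entry is None:
            return "no_pending_code"
        salt, digest, expires_at, attempts = entry
        if self._clock() > expires_at:
            del self._pending[key]
            return "expired"
        if attempts >= MAX_ATTEMPTS:
            del self._pending[key]  # too many guesses: force a fresh code
            return "locked"
        entry[3] += 1
        if hmac.compare_digest(digest, self._digest(salt, submitted)):
            del self._pending[key]  # single use
            return "ok"
        return "wrong_code"
```

Binding the code to a purpose means a code issued for account creation cannot be replayed to approve a contact-information change.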
2. The email’s reputation
- Check an email’s reputation using an email risk report.
Different signals can help you determine the risk associated with an email address, and vendors may offer email risk reports or scores that you can integrate into your processes. Some signals are firmly positive or negative, such as whether the email address is on a fraud list. Others fall on a range, and how much risk they indicate depends on the result.
Commonly used data points are:
- First seen: The date that the email address was first seen, which might correspond with an account opening, social media post, data breach, or other incident. Generally, a brand-new email address is riskier than an old one.
- Last seen: When the email address was most recently seen. Bad actors might create or buy aged email addresses, and if the address hasn't been seen since the “first seen” date, that could be a red flag.
- Velocity: How frequently the email address is used, generally with a focus on recent activity.
- Blocklists: Whether the email address or domain is part of any blocklists, such as denylists, scam lists, or fraud lists.
- Free or disposable: Whether the address is from a free or temporary email service.
- Spam: Whether the email exhibited spammy behavior.
- Deliverability: Whether the address is valid and can receive emails.
- Valid MX: Whether the email's domain has a valid mail exchange (MX) record, which tells you which mail server handles email for that domain.
- Domain age: When the domain (the part after the @) was created.
You might also be able to determine riskiness by analyzing the elements of the email address, such as its length, the letters and numbers in the address, and whether it’s a variation of a blocklisted email.
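The sketch below turns several of the data points above into explicit risk flags, including the check for a variation of a blocklisted email. It is an added example, not code from the original article or from any vendor: the report keys, the thresholds, and the sample data are assumptions, and the alias rules (plus-tags, dots ignored by gmail.com) are a simplification.

```python
from datetime import date

DOT_INSENSITIVE = {"gmail.com"}  # assumption: domains that ignore dots in the local part
NEW_ADDRESS_DAYS = 30            # assumed threshold for a brand-new address
DORMANT_DAYS = 180               # assumed threshold for an aged, unused address


def canonical(email):
    """Fold common aliasing tricks so variants of one mailbox compare equal."""
    local, _, domain = email.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]  # drop +tag sub-addressing (assumed for all domains)
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")
    return f"{local}@{domain}"


def risk_flags(email, report, blocklist, today):
    """Return the risk signals raised for one address.

    `report` is a hypothetical vendor response with the keys used below.
    """
    flags = []
    exact = email.strip().lower()
    if exact in blocklist:
        flags.append("blocklisted")
    elif canonical(email) in {canonical(b) for b in blocklist}:
        flags.append("blocklist_variant")
    first, last = report["first_seen"], report["last_seen"]
    if (today - first).days <= NEW_ADDRESS_DAYS:
        flags.append("new_address")
    elif last == first and (today - first).days >= DORMANT_DAYS:
        flags.append("aged_but_never_seen_again")
    if report["disposable"]:
        flags.append("disposable")
    if not report["valid_mx"]:
        flags.append("no_valid_mx")
    local = exact.rpartition("@")[0]
    if local and sum(c.isdigit() for c in local) / len(local) > 0.5:
        flags.append("digit_heavy_local_part")
    return flags


# Constructed sample data, not real addresses or a real vendor response.
BLOCKLIST = {"promo.abuser@gmail.com"}
SAMPLE = {"first_seen": date(2021, 3, 1), "last_seen": date(2021, 3, 1),
          "disposable": False, "valid_mx": True}

if __name__ == "__main__":
    print(risk_flags("p.romoabuser+7@gmail.com", SAMPLE, BLOCKLIST, date(2024, 1, 15)))
```

Returning named flags rather than a single number keeps each decision explainable when a reviewer asks why an address was held.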
Different services may also include other information or data points. For example, Persona’s email risk report gives you a value for email address and domain reputation (e.g., high or low reputation), and suggests whether you should treat it as suspicious or risky.
3. Email ownership
- Verify email ownership using external databases.
Perhaps you’ve confirmed that someone has access to an email account and the email address doesn’t appear risky. You still may want to take an additional step to confirm that the person you’re interacting with is the email’s owner.
To do this, you can try to connect other PII that you’ve collected, such as their name or phone number, to the email using external databases. These could be authoritative databases, such as credit bureaus and financial institutions, along with commercial and marketing databases.
Benefits of email verification for identity and fraud
Email checks and verifications offer several key benefits:
- Low friction: The reputational and ownership checks are passive signals. Legitimate users will also likely be on a mobile device or computer that they can use to quickly verify that they have access to their email.
- Enhances fraud prevention: The email and domain risk assessments can help give you a more complete picture of your users. You can run new checks if someone tries to change their account’s email address and automate periodic account reviews to try to identify bad actors based on updated email reputation verifications and link analysis.
- Improves trust: While asking users to confirm via an OTP adds a small amount of friction, people are increasingly familiar with these types of requests. Legitimate users might even see an OTP as a sign of safety and trust, especially when it’s triggered by a large transaction or account change.
Common drawbacks of email verification
Email verification isn’t a catch-all, and there are some drawbacks to be aware of:
- Email coverage is low: Authoritative databases that you can use to verify other types of PII don’t necessarily contain or share consumer email addresses.
- Marketing data isn’t always verified: Marketing agencies often aggregate email data, but they don’t necessarily verify the owner’s identity.
Email addresses for uncovering fraud
From detecting bad actors at onboarding to authenticating existing users, verifying an email address and its owner can be helpful throughout the customer lifecycle. But you can also use an email address as an identifying element within a fraud-discovery tool, such as Persona’s Graph.
You can use link analysis to find and understand how data points are connected, including names, emails, and IP addresses. One bad actor could be the key to uncovering a fraud ring focused on promo abuse or account takeovers. You can block accounts right from Graph and automate detection of similar suspicious patterns. One of our customers, nWay, found that about 50% of fraudulent accounts are linked to at least one other risky account.
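The link analysis described above can be illustrated with a small union-find over shared attributes. This is an added example, not part of the original article and not how Persona's Graph is implemented; the account fields and sample records are constructed for illustration.

```python
from collections import defaultdict


def linked_clusters(accounts):
    """Group accounts that share an email or IP, directly or transitively."""
    parent = {a["id"]: a["id"] for a in accounts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x

    first_owner = {}  # (attribute kind, value) -> first account seen with it
    for acct in accounts:
        for kind in ("email", "ip"):
            key = (kind, acct[kind])
            if key in first_owner:
                parent[find(acct["id"])] = find(first_owner[key])
            else:
                first_owner[key] = acct["id"]

    clusters = defaultdict(set)
    for acct in accounts:
        clusters[find(acct["id"])].add(acct["id"])
    return list(clusters.values())


def exposed_by(accounts, known_bad):
    """Accounts not yet flagged that share a cluster with a known-bad account."""
    exposed = set()
    for cluster in linked_clusters(accounts):
        if cluster & known_bad:
            exposed |= cluster - known_bad
    return exposed


# Constructed sample accounts (example.com addresses, documentation IP ranges).
ACCOUNTS = [
    {"id": "a1", "email": "x@example.com", "ip": "203.0.113.5"},
    {"id": "a2", "email": "y@example.com", "ip": "203.0.113.5"},
    {"id": "a3", "email": "y@example.com", "ip": "198.51.100.9"},
    {"id": "a4", "email": "z@example.com", "ip": "192.0.2.44"},
]

if __name__ == "__main__":
    print(sorted(exposed_by(ACCOUNTS, {"a1"})))
```

Account a3 never shares an attribute with a1 directly; it surfaces only through a2, which is the transitive link a per-account check would miss.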
Schedule a demo to learn more about how email risk reports and fraud-discovery tools can benefit your identity verification process and help you stop fraud.