
February 10, 2025

How to Prevent Free Trial Abuse (Without Blocking Legit Users)

Last month, an AI startup discovered a user who used $220 in GPU credits in just one hour, using disposable email addresses. They're not alone. We found that more than 70% of AI companies deal with trial abuse daily.

Free trials are a great way to get people to try your product, but some users take advantage, creating multiple accounts and squeezing every bit of value with no intention of ever paying.

So, how do you stop free trial abuse without frustrating legitimate users? Let’s break it down into actionable steps.

Understanding Free Trial Abuse

Free trial abuse occurs when someone repeatedly signs up for free trials of your product to avoid paying. Many SaaS companies limit free trials to one per user (often verified by a unique email address or phone number). Abusers bypass these restrictions with tricks like disposable emails or multiple aliases to create several accounts. For example, if a product allows only one trial per email, fraudsters simply generate new email accounts (disposable emails, or email aliases like [email protected]). This is especially damaging to businesses because it inflates user numbers without producing legitimate conversions.

Block Users from Signing Up

Your first line of defense is to prevent suspicious users from signing up. Blocking them at the signup stage is key because it stops abuse before it even starts.

Verify Email Addresses

Before anything else, check that users sign up with a valid email address they actually own. Send a quick confirmation email immediately after signup. This will:

  • Make sure the email address is valid
  • Confirm the user owns the email
  • Give you a point of contact

Block Disposable Emails

Once email verification is in place, some users will attempt to bypass it using temporary email services.

There are multiple ways to block temporary emails, but the most efficient method is using an API like UserCheck.

Example API request:

curl -X GET "https://api.usercheck.com/email/[email protected]" \
     -H "Authorization: Bearer <api_key>"

Response example:

{
    "status": 200,
    "email": "[email protected]",
    "domain": "example.com",
    "mx": false,
    "disposable": false,
    "public_domain": false,
    "relay_domain": false,
    "alias": false,
    "role_account": true,
    "did_you_mean": null
}

Block any email where disposable: true.

Block Email Forwarding Services

Some users exploit email forwarding services (like Apple’s Hide My Email, SimpleLogin, Firefox Relay...) to generate unique email addresses that all route to the same inbox, also known as privacy email addresses.

How to detect this: the UserCheck response shown above includes a relay_domain field that flags exactly these forwarding domains, so block or flag signups where relay_domain: true, just as you do for disposable: true.

Normalize & Block Email Aliases

Some email providers allow aliases, making it easy to sign up several times with the same email address.

Plus Addressing (subaddressing)

Adding a +alias to an email address is a common way to create email aliases.

  • Format: [email protected]
  • Solution: Strip out +alias before checking for duplicate accounts.

Dots in Gmail

Gmail ignores dots (.), meaning [email protected], [email protected], and [email protected] all belong to the same account.

  • Solution: Normalize Gmail addresses by removing dots before checking for duplicates.
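Putting the two normalization rules above into code, as an added example that is not part of the original post: the canonical form strips the +alias on every domain and removes dots only for Gmail, then groups signups by that form to surface one mailbox behind several accounts. The list of dot-insensitive domains and the sample addresses are assumptions/constructed.

```javascript
// Assumption: only gmail.com and googlemail.com are treated as dot-insensitive
const DOT_INSENSITIVE_DOMAINS = new Set(['gmail.com', 'googlemail.com'])

// Canonical form of an address for duplicate-account checks
function normalizeEmail(email) {
  // Lowercasing the local part is a dedup choice: providers treat it case-insensitively in practice
  const trimmed = String(email).trim().toLowerCase()
  const at = trimmed.lastIndexOf('@')
  if (at <= 0 || at === trimmed.length - 1) throw new Error(`not an email address: ${email}`)
  let local = trimmed.slice(0, at)
  let domain = trimmed.slice(at + 1)
  // Plus addressing: the provider ignores everything from the first "+" when delivering
  const plus = local.indexOf('+')
  if (plus !== -1) local = local.slice(0, plus)
  // Gmail ignores dots in the local part; googlemail.com is the same mailbox as gmail.com
  if (DOT_INSENSITIVE_DOMAINS.has(domain)) {
    local = local.replace(/\./g, '')
    domain = 'gmail.com'
  }
  return `${local}@${domain}`
}

// Group signups by canonical address; a group with more than one entry is one
// mailbox behind several accounts. Returns [canonical, [raw addresses]] pairs.
function findDuplicateSignups(emails) {
  const groups = new Map()
  for (const e of emails) {
    const key = normalizeEmail(e)
    if (!groups.has(key)) groups.set(key, [])
    groups.get(key).push(e)
  }
  return [...groups].filter(([, list]) => list.length > 1)
}

// Constructed sample input, not real signups
const SAMPLE_SIGNUPS = [
  'jane.doe@gmail.com',
  'janedoe+trial2@gmail.com',
  'Jane.Doe+trial3@googlemail.com',
  'bob@example.com',
  'bob+other@example.com',
  'alice@example.com',
]
```

Run the duplicate check against the canonical form at signup time, and store the canonical form alongside the raw address so later lookups stay consistent.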

Block VPNs & Proxy Users

Many abusers use VPNs to hide their real IP addresses, spoof their location, or to frequently change their IP address.
While some users might use VPNs for privacy, it's wise to block them or at least flag them as suspicious.

To detect VPN users, use a proxy detection API like ProxyCheck:

curl -X GET "https://proxycheck.io/v2/1.2.3.4?vpn=3&key={API_KEY}"

Flag or block users with vpn: true or proxy: true.

Use social login

You can avoid many of the steps above by using only social login options like Google, GitHub, or Apple. This shifts the responsibility of verification to the OAuth provider, making it much harder for users to create multiple accounts. Managing multiple Gmail accounts and logging into each one is far more difficult than using disposable email addresses.

Social login is also widely preferred by younger users and can improve your signup conversion rate. It’s a good idea to implement it, even alongside traditional email/password signups.

Monitor Activity & Detect Abusers

Even with preventive measures, some abusers will slip through. Monitor user behavior to detect patterns of abuse.

Identify Multiple Accounts

Check IP Addresses

One of the simplest ways to detect multiple accounts is by monitoring IP addresses. Look for repeated signups from the same IP or a small range of IPs. While some overlap can happen naturally (e.g., shared office networks), patterns like a high number of signups from a single IP in a short period could indicate abuse.

Track Device Fingerprints

IP-based tracking alone isn’t foolproof. Abusers can switch networks, use VPNs, or rotate IPs. That’s where device fingerprinting comes in.

Device fingerprinting assigns a unique identifier to each device by analyzing things like browser, operating system, plugins, and more.

This technique makes it slightly harder for users to create multiple accounts, as their device characteristics remain consistent even if they change their email or IP address.

Example using FingerprintJS:

import FingerprintJS from '@fingerprintjs/fingerprintjs'

// Load the agent once, at application startup
const fpPromise = FingerprintJS.load()

;(async () => {
  const fp = await fpPromise
  // Compute the fingerprint; visitorId is the stable identifier to store with the signup
  const result = await fp.get()
  console.log(result.visitorId)
})()

Compare visitorId across signups to detect users who are trying to create multiple accounts.
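An added example (not from the original post or from FingerprintJS) that scans a signup log for both signals this section describes: a burst of signups from one small IP range, and one visitorId reused across several accounts. The /24 grouping, the one-hour window, the threshold of three and the sample log are assumptions.

```javascript
const WINDOW_MS = 60 * 60 * 1000   // one hour
const MAX_PER_RANGE = 3            // illustrative threshold per /24 per window (assumption)
// Assumption: IPv4 only; "a small range of IPs" is modelled as the /24
function ipRange(ip) {
  const parts = ip.split('.')
  if (parts.length !== 4) throw new Error(`expected IPv4: ${ip}`)
  return parts.slice(0, 3).join('.') + '.0/24'
}

// /24 ranges with more than MAX_PER_RANGE signups inside any WINDOW_MS window
function rangesWithBurst(signups) {
  const byRange = new Map()
  for (const s of signups) {
    const r = ipRange(s.ip)
    if (!byRange.has(r)) byRange.set(r, [])
    byRange.get(r).push(s.ts)
  }
  const flagged = []
  for (const [range, times] of byRange) {
    times.sort((a, b) => a - b)
    let start = 0
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > WINDOW_MS) start++  // slide the window forward
      if (end - start + 1 > MAX_PER_RANGE) { flagged.push(range); break }
    }
  }
  return flagged
}

// visitorIds (FingerprintJS output) seen on more than one distinct account
function reusedFingerprints(signups) {
  const accounts = new Map()
  for (const s of signups) {
    if (!accounts.has(s.visitorId)) accounts.set(s.visitorId, new Set())
    accounts.get(s.visitorId).add(s.email)
  }
  return [...accounts].filter(([, emails]) => emails.size > 1).map(([id]) => id)
}

// Constructed sample signup log (ts = epoch ms); not real data
const T0 = Date.UTC(2025, 1, 10, 9, 0, 0)
const SAMPLE_LOG = [
  { email: 'a1@example.com', ip: '203.0.113.10', ts: T0,              visitorId: 'fp-A' },
  { email: 'a2@example.com', ip: '203.0.113.11', ts: T0 + 5 * 60e3,   visitorId: 'fp-A' },
  { email: 'a3@example.com', ip: '203.0.113.12', ts: T0 + 9 * 60e3,   visitorId: 'fp-A' },
  { email: 'a4@example.com', ip: '203.0.113.13', ts: T0 + 20 * 60e3,  visitorId: 'fp-B' },
  { email: 'b1@example.com', ip: '198.51.100.7', ts: T0 + 3 * 3600e3, visitorId: 'fp-C' },
  { email: 'b2@example.com', ip: '198.51.100.8', ts: T0 + 7 * 3600e3, visitorId: 'fp-D' },
]
```

Treat a hit from either function as a flag for review rather than an automatic block, since shared office networks and shared family devices produce the same pattern legitimately.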

Monitor behavioral patterns

Even if users can successfully hide who they are, they can't hide what they do. By tracking how users interact with your product, you can identify suspicious activity and take action.

What to look for:

  • Rapid account creation – Users registering multiple accounts within minutes or seconds.
  • Usage spikes – High resource consumption compared to typical users.
  • Unusual data – Auto-generated or weird looking names or emails like "asdfgh qwerty" or "John Doe1234".

What to do:

  • Automatically flag suspicious users for review, set lower rate limits, or require additional verification like a phone number or a credit card.

Use Honeypots & CAPTCHA to Block Bots

If you are dealing with automated abuse, there are a few things you can do to block bots:

  • Cloudflare Turnstile – A CAPTCHA alternative that doesn't require users to solve a captcha. Works well and requires close to no action from users.
  • CAPTCHA – Google reCAPTCHA or hCaptcha can slow down automated signups, but bots can still bypass them and most humans hate them, so keep that in mind.
  • Honeypot fields – Adding hidden form fields can help if you're dealing with comment spam or related issues, but for product signups this is pretty much useless.

Adjust Your Free Trial

Limit Features During Trial

Free trials don't have to offer the full product. You can restrict which features are available to free trial users, especially if some features are more costly than others.

If your product offers an API, you can disable it for free trial users. This will prevent them from using your product in an automated way.

If your product offers downloadable assets, you can watermark them or prevent users from downloading them completely.

Require a Payment Method

Asking for a credit card upfront (even with a $0 charge) filters out non-qualified users. This will add some friction to your signup process, so you have to take that into consideration, but this will also make it easier to convert users later on, since their credit card will already be on file.
Moz.com is an example that offers a 30-day free trial but requires a credit card to sign up.

Drip-feed the value

If your product can be drip-fed, for example if it's credit based, you can release credits over time, or after users perform specific actions. This will discourage users from signing up and using everything all at once.

Alternatives to free trials

In some cases, getting rid of free trials altogether can be a better solution. Here are a few suggestions that you can implement instead.

Offer a money-back guarantee

Offer a money-back guarantee and clearly state it in your onboarding process. Users will feel more confident about paying knowing they can get their money back if they're not fully satisfied.
Surfshark is a great example of a company that offers a 30-day money-back guarantee and makes it prominent during the checkout flow.

Similar to asking for a credit card upfront, you can require users to pay a small upfront fee. This will filter out most non-serious users. Ahrefs previously offered a 7-day trial for $7 to let users test their $99/month plan. They later removed it after introducing a cheaper $29/month option.

Invite-only trials

For early-stage products, an invite-only model can be a great alternative. It stops abuse while creating exclusivity. You can ask current users to invite new users through a referral link, or create a waitlist and slowly approve real users as they sign up.

Freemium

  • A freemium plan is close to a limited free trial.
  • Freemium plans usually have stricter limits than free trials, so they may look less attractive to abusers.

Final Thoughts

Free trial abuse is annoying, especially for AI companies with high operational costs. But with a bit of work you can significantly reduce it. Some steps take less than an hour to implement and can make a big difference.

Remember, the goal isn’t to get it to zero, it's to make it difficult enough for abusers to not bother.

If you’re ready to take the first step, try UserCheck’s API for real-time disposable email detection. It’s free for up to 1,000 checks per month and takes less than 5 minutes to implement.

PS: We've compiled a checklist you can pass on to your dev team to prevent free trial abuse.

Prevent Free Trial Abuse Checklist

Set up Email & Identity Verification
- Send confirmation emails to verify ownership.
- Block disposable and forwarding emails (use the UserCheck API).
- Normalize email aliases (remove Gmail dots, plus-addressing).
- Implement social login (Google, GitHub, Apple) to reduce fake signups.

Prevent Automated & Fake Signups
- Add CAPTCHA (Cloudflare Turnstile) to block bots.

Detect VPNs, Proxies & IP Abuse
- Use a proxy/VPN detection service (e.g., ProxyCheck) to flag suspicious IPs.
- Track and flag multiple signups from the same IP range.

Monitor Device & User Behavior
- Implement device fingerprinting (FingerprintJS) to detect duplicate accounts.
- Track behavioral red flags:
  - Rapid signups from the same IP/device.
  - High resource usage or API abuse.
  - Auto-generated names/emails or unusual patterns.
- Flag suspicious users for manual review or additional verification.

Article by

Thomas Petracco

Thomas is the founder of UserCheck with 10 years of experience building APIs. After founding several companies and consistently needing a reliable way to block fake users, he founded UserCheck in 2016 to help other founders protect their businesses from abuse.
