| We are a small startup operating a service where people make real appointments at various venues around the city. To request an appointment, all you have to provide is name, email, phone number & some other basic details. You also have to select the details of the appointment prior to this. It takes a normal person about 2 minutes to get from entry point to appointment confirmed. We have been experiencing periodic fake appointments, which is really disrupting our business and damaging our relationship with our venues. They're obviously created by humans, only a few a week, but we'd like better protection against these people. We deal with them reactively using our admin tools and contacting people, but it's wasting our time and the relationship damage is already done. The only measure we have in place to proactively prevent this right now is strict rate limiting. We're considering: - Recording IP/UA info for every appointment (then blacklisting). But thats easy for someone to get round, and they might just do it from different places, agents, etc. - Email verification for your first appointment, but thats an experience trade-off. We're small and every conversion counts - so we want to avoid adding new barriers if we can. Plus, some of the requests have working emails. - Moderating our appointments before they get passed onto our venues. This adds a barrier to the process, and there are times where requests happen when the whole team is not working or asleep. A compromise would be a delay where the team can intervene before an appointment is allowed to continue, but that makes for a worse experience for our users (+ some appointments need to be sorted out quickly). - SMS verification, however, we called a couple of the trolls, and they are real numbers (no response, of course). Does anybody have any experience of this, or any advice? |
As with AirBnB registration, you would strongly encourage users to register using a social media auth but allow them to use an email + nothing else if they desire.
You can then apply a simple risk scoring model that says (I'm simplifying here):
* Facebook + 200 friends + > 3 year account age = auto-approve
* Email only = red flag; manual verification
Critically, you don't reveal to red-flagged users that they've been placed in a sandbox.