ShieldLabs
Back to blog

How to prevent coupon abuse (and tell it from coupon fraud)

A green photocopier duplicating a single green coupon into a stack of many identical copies, showing one coupon redeemed over and over across many accounts

Last updated on July 16, 2026 · 9 min read

Coupon abuse is one shopper redeeming a coupon more times than its rules allow, by posing as many separate new customers. Preventing it starts with a distinction most guides skip: coupon abuse is not coupon fraud, which is forged or stolen codes, and it is not everyday couponing, which is using valid public codes within the rules. It is the quiet middle case, one person running many look-alike accounts to claim a one-per-customer coupon again and again, and you stop it by reading the device and network behind each redemption rather than trusting the code or the email.

For online stores, the gap between how often a "first-order" coupon is meant to reach a first-order customer and how often it actually does is the whole problem. This guide draws the line between the three cases, then shows how merchants catch the multi-account version without forcing a login on everyone.

Key takeaways

  • Coupon abuse, coupon fraud, and everyday couponing are three different problems. Only the middle one, one shopper on many accounts, is what device-level detection is built to catch.
  • Coupon fraud is forged, stolen, or counterfeit codes, which is closer to payment fraud and a different control set. Couponing is a shopper using valid offers within the rules, which is not a problem at all.
  • The merchant's real coupon-abuse question is almost always the same one: how do you stop one person from using a one-per-customer coupon on a dozen accounts from the same device or address.
  • A coupon code and an email are both trivial to swap per redemption. The device and network behind the checkout are what stay consistent, so detection anchors there.
  • Detection produces evidence, not a verdict. Your own checkout rules decide what a risky redemption gets.

What is coupon abuse, and what is it not?

Most of the confusion around "coupon abuse" comes from one word covering three different things. Separating them is the first step to stopping the one that actually costs a merchant money, because each has a different owner and a different fix.

Coupon abuse (this guide)Coupon fraudEveryday couponing
What it isOne shopper redeeming a coupon they should not, by posing as many new customersForged, stolen, or counterfeit codes that were never validly issuedA shopper using valid public codes and offers inside the rules
Who does itA customer or reseller running many look-alike accountsOften organized, sometimes criminalOrdinary deal-seekers
Is it a crime?Usually a terms-of-service matter, not a crimeCan be criminal: counterfeiting and theftNo
What stops itReading the device and network behind each redemptionCode validation and anti-counterfeitingNothing, it is allowed
Where it showsMany "separate" accounts tracing to one device or addressCodes accepted that were never issuedNormal redemptions

It is not coupon fraud

Coupon fraud is the use of codes that were never valid: counterfeit coupons generated or printed to look real, stolen single-use codes, or codes altered to change their value. It also covers brute-forcing, scripting attempts at predictable code patterns until valid ones land, which is the offer-design reason to make codes random and single-use.

The defining cases are criminal. The counterfeit-coupon ring behind the "Queenpins" story moved an estimated $40 million in fake coupons before an FBI investigation ended it with guilty pleas and prison time. All of that is a counterfeiting and theft problem, closer to payment fraud, handled by validating the codes at issue and redemption rather than by reading who is behind the checkout.

It is worth naming only so you do not point identity detection at it and wonder why the numbers do not move. When people search for "coupon fraud," most of what surfaces is this criminal sense, not the merchant's quiet multi-account problem.

It is not everyday couponing

A shopper stacking valid public codes, hunting deal forums, or using a first-order discount once as a genuine first-time buyer is couponing, not abuse. It can be aggressive, and you can write your promo terms to limit it, but it is one real person acting within the rules, so it is an offer-design question rather than a detection one. The line, exactly as with promo abuse, is identity count: one person acting as one person is couponing, and one person acting as many is abuse. Consumer terms that look adjacent, like "coupon stacking" or the social-media "coupon glittering" trend, sit on the couponing side of that line and are not what a merchant's detection is built for.

A diagram contrasting three cases: coupon abuse (many accounts on one device), coupon fraud (a forged code with a warning), and ordinary couponing (one shopper with one valid coupon)

How coupon abuse actually works

The merchant-side case is narrow and consistent: a one-per-customer coupon, a first-order discount, or a referral credit is worth claiming more than once, so one person produces a stream of accounts that each look like a new customer and redeems it again from each. It is the same one-user-many-accounts pattern behind multi-accounting, where a fresh email and a rotated IP fail to stop it for the same reasons.

Two shapes do most of the damage. A reseller or a small operation runs a discount across many accounts to buy stock cheaply and resell it, turning the promo budget into their margin. A single shopper, meanwhile, re-runs a one-time code under new accounts to keep a "new customer" price forever.

The scale of the surrounding problem is large: Juniper Research projects global ecommerce fraud losses rising from $56 billion in 2025 to 131 billion dollars by 2030, and offer abuse like this is one of the quieter channels feeding that total.

Both leave the same trace: many redemptions that look unrelated on the surface, by code and email, but cluster on the device, the network, or the shipping address underneath. Clustering weak signals this way is one practical answer to a problem academic fake-account detection presented at USENIX NSDI also studied, from the angle of the social graph. Coupon abuse is the coupon-shaped case of the same ecommerce mechanic, so the same redemption-time signals and layered playbook that work against promo abuse apply here.

One adjacent problem is worth separating out, because retailer forums ask about it constantly: a private code leaking to a public deal site or a coupon browser extension, then redeemed at scale by shoppers who were never targeted. That is a code-distribution and code-leak issue, watched with code-monitoring tools and tighter distribution rather than with identity detection, and it is distinct from the question of one person on many accounts. The two can stack, a leaked code redeemed by a farm of look-alike accounts, but they are fixed at different layers.

How merchants catch multi-account coupon abuse

The question a merchant actually asks, the one that fills retailer forums, is narrow: how do you stop one person from redeeming a one-per-customer coupon on many accounts from the same device or address, without making every honest shopper log in or verify themselves. The answer is to stop trusting the parts of an account a shopper rewrites for free and start reading the parts they cannot.

A disposable email, a cleared browser, and a fresh coupon code all change the surface of an account. The device making the checkout, the connection it arrives on, and a reused shipping address or card do not. So when several "separate" accounts redeeming the same coupon resolve to one device or one household footprint, that link is the detection, and it holds even when nothing on the order form matches. It is the same persistent-identification layer described for multi-accounting prevention, pointed at the coupon redemption.

We measured which parts of a checkout a shopper can rewrite for free, and it was everything on the surface: the email, the browser cookie, and the coupon code all reset on demand, while the device making the order and the connection behind it held steady and traced back to one machine. The address layer is disposable by design, which is what makes it a weak thing to trust. That weakened further in 2020, when Safari began blocking third-party cookies by default, leaving even less on the order form worth anchoring to than the device beneath it.

Detect at the redemption, not after the refund

The cheapest place to act is the redemption itself. Reading the device at the moment the code is applied lets you catch the duplicate-account pattern silently, from signals the browser already exposes, and reserve any heavier verification step for the few redemptions that actually look risky, rather than taxing every shopper with a login or an identity check. That order, detect quietly and decide explicitly, is what keeps a genuine first-time buyer checking out untouched while a reseller running fifty accounts gets held. The score and the named signals are evidence; the rule that acts on them stays in your checkout code.

Preventing coupon abuse with ShieldLabs

ShieldLabs runs on your checkout or signup page through one JavaScript snippet, and it risk-scores every visitor on the first visit, so you have a read on the shopper behind a coupon redemption before the discount applies. At the center is persistent identification that ties a "fresh" account back to a device already seen, even after the shopper switches email, clears cookies, and rotates IP. It works in the background, with no friction for a real customer and no login required.

Each visit returns a risk score from 0 to 100 with the anonymity signals behind it, and across redemptions the pre-built patterns surface which accounts trace back to one device or one local network, so a coupon farm reads as a trend in the dashboard rather than a stack of separate orders. You read the risk score and named anonymity signals through the API and webhooks and decide, by your own rules, what a risky redemption gets: let a clean shopper check out, hold a suspect discount for review, or step it up to a check. It surfaces the evidence and applies nothing on its own, so you set the threshold and can always say why a redemption was held. The same layer covers the broader promo abuse case and feeds promo abuse prevention as a managed solution.

Sources

  1. Wikipedia: Coupon
  2. Wikipedia: Disposable email address
  3. Cao, Sirivianos, Yang, Pregueiro: Aiding the Detection of Fake Accounts in Large Scale Social Online Services (USENIX NSDI, 2012)
  4. ABC News: 3 Women Arrested in Massive Counterfeit Coupon Ring (2012)
  5. Juniper Research: Fraudulent eCommerce Transactions to Surpass 131 Billion Dollars by 2030 (2025)

Frequently asked questions

What is the difference between coupon abuse and coupon fraud?
Coupon abuse is exploiting a legitimate coupon beyond its intended limits, usually by redeeming it many times under fresh-looking accounts, while coupon fraud is the use of fake, stolen, or counterfeit codes that were never validly issued. Abuse uses real codes the wrong number of times; fraud uses codes that should never have worked at all. They need different controls: abuse is read at the identity layer, by linking the accounts behind the redemptions, while counterfeit-code fraud is closer to payment fraud and is handled by validating the codes themselves.
Is coupon abuse illegal?
For the everyday case, coupon abuse is a terms-of-service problem, not a crime. A coupon comes with rules you accept when you redeem it, and opening extra accounts to reuse a one-per-customer code breaks that agreement rather than a statute, so the realistic consequences are account-level: a store can void the discount, cancel the orders, close the accounts, and bar future signups. It becomes criminal when the codes themselves are counterfeit or stolen, when stolen cards fund the orders, or when the scale and intent amount to organized theft. So a shopper bending a coupon's rules is something a retailer polices through its terms, while counterfeiting codes is what brings in the law.
Is coupon stacking the same as coupon abuse?
Not on its own. Coupon stacking is combining more than one valid offer on a single order, and whether it is allowed is an offer-design choice you make in your promo rules. It only becomes abuse when it depends on fabricated identity, for example re-running a single-use code by opening a new account each time. Stacking valid public codes as one real customer is couponing; using many accounts to stack or re-use a code that was meant once is the multi-account problem this guide is about.
What is coupon glittering?
Coupon glittering is the trick of pairing a high-value coupon with a low-value item so a scanner applies more discount than the offer intended. Done deliberately it is a form of coupon fraud and can be illegal, but it plays out at the point of sale rather than in online multi-account redemption, so it is handled by coupon terms and scanner or cashier controls rather than the identity layer this guide is about. It shares the word coupon but sits closer to the in-store and consumer namespace than to the merchant's multi-account problem.
How do you stop one person from using a coupon on multiple accounts?
You read the device and network behind each redemption instead of trusting the email and the coupon code, then link the accounts that share a device, a connection, or a shipping address. A new inbox and a cleared browser make each account look new, but a stable device identifier ties them back together, so a one-per-customer coupon redeemed from a dozen accounts on one device stands out. From there your own checkout rules decide: let a genuine first-time buyer through, hold a suspect redemption for review, or step it up to a verification check, without forcing every shopper to log in.
How does ShieldLabs help prevent coupon abuse?
ShieldLabs adds one JavaScript snippet to your checkout or signup page and, on the first visit, returns a risk score from 0 to 100 with the named anonymity signals and persistent identification behind it. That identifier ties a fresh redemption back to a device already seen even after a new email and a rotated IP, and the score weighs the signals so you can act on the risky redemptions. It surfaces the evidence; your checkout rules decide. The free tier covers your first 5,000 identifications, enough to watch real risk scores on your own redemptions before you wire up a single rule.

Related articles