A sweepstakes that attracts 50,000 entries sounds like a success — until you discover that 30,000 of those entries came from bots, fake email addresses, and people running scripts to maximize their odds. Fraudulent entries don't just inflate your numbers. They contaminate your data, skew your analytics, waste your email budget, and undermine the fairness that makes a legitimate promotion work.

This guide covers the major fraud threats facing sweepstakes and contests, the specific tools and techniques for preventing each one, and how to build a fraud prevention strategy that protects your promotion without creating so much friction that legitimate entrants give up.

Why Sweepstakes Fraud Matters

Fraud isn't just an annoyance — it has measurable business impact. Every fraudulent entry creates downstream costs and data quality problems.

| Impact Area | What Fraud Does | Business Cost |
|---|---|---|
| Data quality | Fake emails, names, and phone numbers enter your CRM | Inflated list metrics, higher bounce rates, email deliverability damage |
| Email costs | You pay to email fake addresses that bounce | Wasted sends, reduced sender reputation |
| Analytics accuracy | Bot entries skew conversion rates and engagement data | Misleading ROI calculations, bad budget decisions |
| Winner fairness | Fraudulent entries dilute legitimate participants' odds | Legal risk, brand reputation damage, participant complaints |
| Ad spend | Retargeting campaigns target fake profiles | Wasted ad budget on non-existent people |
| Campaign ROI | Inflated entry counts mask actual performance | Overestimated campaign value, continued investment in ineffective formats |

The scale of the problem is significant. In 2024, global losses from digital ad fraud exceeded $140 billion, with bot-driven activity representing a major share. General Invalid Traffic (GIVT) rose 86% year-over-year, according to DoubleVerify. While sweepstakes-specific fraud numbers are harder to isolate, any online form that offers value (a chance to win) will attract automated abuse.

Types of Sweepstakes Fraud

Understanding the specific fraud threats helps you deploy the right countermeasures. Here are the most common types:

| Fraud Type | How It Works | Severity | Detection Difficulty |
|---|---|---|---|
| Bot entries | Automated scripts submit forms thousands of times | High | Medium: patterns are detectable |
| Duplicate accounts | One person enters with multiple email addresses | Medium | Medium: IP and device signals help |
| VPN/proxy abuse | Users mask their location to enter geo-restricted promos | Medium | Medium: VPN detection available |
| Sweepstakes hobbyists | Serial entrants from contest directories with no purchase intent | Low-Medium | Hard: these are real people |
| Organized gaming rings | Groups coordinate to submit mass entries and share winnings | High | Hard: coordinated but legitimate-looking |
| Fake referrals | Self-referrals using multiple accounts to earn bonus entries | Medium | Medium: referral chain analysis helps |
| Disposable email abuse | Temporary email addresses used for one-time entries | Medium | Easy: domain pattern detection |

IP-Based Fraud Prevention

IP filtering is the first line of defense against most automated fraud. By limiting the number of entries allowed from a single IP address, you can prevent scripts and bots from submitting thousands of entries from one machine.

| Security Level | IP Limit | VPN Blocking | CAPTCHA | Best For |
|---|---|---|---|---|
| Strict | 1 entry per IP | Yes | Yes | High-value prizes, fraud-sensitive brands |
| Medium | 3 entries per IP | Optional | Optional | Most standard sweepstakes |
| Low | 5 entries per IP | No | No | Low-value or high-volume campaigns |
| Off | No limit | No | No | Internal promotions, trusted audiences |
| Custom | Your choice | Your choice | Your choice | Specific requirements |

Don't set IP limits too strict for shared networks

Office buildings, universities, and coffee shops share IP addresses among many users. A limit of 1 entry per IP might block legitimate entrants in these environments. For most campaigns, 3 entries per IP strikes the right balance: it stops automated abuse while allowing multiple legitimate users on the same network to enter.

Revup offers five configurable security levels — Strict (1 IP limit, VPN blocking, CAPTCHA), Medium (3 IP), Low (5 IP), Off, and Custom — so you can match your fraud prevention to the specific risk profile of each campaign.

CAPTCHA and Bot Detection

CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) remains one of the most effective tools against automated bot entries. It forces entrants to prove they're human before submitting the form.

| Approach | Friction Level | Bot Prevention | Best For |
|---|---|---|---|
| CAPTCHA on every entry | High | Very effective | High-value promotions |
| CAPTCHA on suspicious activity | Low for most users | Effective | Balanced approach |
| No CAPTCHA | Zero | None | Low-risk, trusted-audience campaigns |
| Honeypot fields (hidden form fields) | Zero (invisible to users) | Moderate | Supplement to other measures |

The trade-off with CAPTCHA is conversion impact. Every friction point in the entry flow reduces the number of legitimate completions. A well-implemented CAPTCHA might reduce conversion by 5-10%, but the entries you lose to CAPTCHA are negligible compared to the thousands of fake entries you prevent.

For campaigns where conversion rate is critical, consider using CAPTCHA selectively — triggering it only when the system detects suspicious behavior (rapid submissions, unusual patterns) rather than requiring it for every entry.
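
A sketch of this selective approach combined with the per-IP limit from the IP-Based Fraud Prevention section, as an added example rather than Revup's implementation. The `EntryGate` name, the 60-second window, and the burst threshold of 2 are assumptions; the sample submissions are constructed.

```python
from collections import defaultdict, deque

IP_LIMIT = 3          # "Medium" level in the security-level table
BURST_WINDOW_S = 60   # assumed: the page does not define "rapid submissions"
BURST_MAX = 2         # assumed: attempts per window before a CAPTCHA is demanded


class EntryGate:
    """Decide, per submission, whether to accept, challenge, or reject."""

    def __init__(self, ip_limit=IP_LIMIT):
        self.ip_limit = ip_limit
        self.accepted = defaultdict(int)    # ip -> entries already accepted
        self.attempts = defaultdict(deque)  # ip -> timestamps inside the window

    def decide(self, ip, ts, honeypot="", captcha_passed=False):
        # Honeypot: a hidden field humans never see, so any value means a script.
        if honeypot:
            return "reject:honeypot"
        if self.accepted[ip] >= self.ip_limit:
            return "reject:ip_limit"
        window = self.attempts[ip]
        while window and ts - window[0] > BURST_WINDOW_S:
            window.popleft()                # drop attempts older than the window
        window.append(ts)
        # Only bursty clients see a CAPTCHA; everyone else gets a frictionless form.
        if len(window) > BURST_MAX and not captcha_passed:
            return "captcha"
        self.accepted[ip] += 1
        return "accept"


# Constructed sample: (ip, seconds since start, honeypot value, captcha_passed)
SAMPLE = [
    ("203.0.113.7", 0, "", False),
    ("203.0.113.7", 5, "", False),
    ("203.0.113.7", 8, "", False),     # third attempt within 60 s: challenge
    ("203.0.113.7", 20, "", True),     # CAPTCHA solved: third entry accepted
    ("203.0.113.7", 500, "", True),    # fourth entry from this IP: over the limit
    ("198.51.100.9", 10, "http://spam.example", False),  # hidden field was filled
    ("198.51.100.20", 30, "", False),
]


def run_sample():
    gate = EntryGate()
    return [gate.decide(*row) for row in SAMPLE]


if __name__ == "__main__":
    for row, verdict in zip(SAMPLE, run_sample()):
        print(row[0], row[1], verdict)
```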

Revup's form builder includes a CAPTCHA field that you can add to any promotion — preventing automated bot entries while keeping the experience smooth for legitimate participants.

Geofencing and Location Restrictions

Many promotions are legally restricted to specific countries or regions. Geofencing enforces these restrictions at the entry level, preventing entries from locations outside your promotion's eligible territory.

This isn't just a compliance tool — it's a data quality tool. Entries from countries outside your market have no business value and dilute your metrics. A promotion targeting U.S. consumers doesn't benefit from 5,000 entries from locations where you can't ship prizes or serve customers.

Geofencing Best Practices

  • Match geofencing to your official rules eligibility — if rules say U.S. only, enforce U.S. only
  • Consider state-level restrictions for high-value prizes — some states have registration requirements
  • Enable VPN blocking alongside geofencing — without it, users can bypass country restrictions
  • Disclose geographic eligibility clearly on the entry page — don't let ineligible people waste time entering
  • Test your geofencing with a VPN before launch — verify it actually blocks restricted locations

Revup supports country-level geofencing that restricts entries to specified countries, combined with VPN blocking that prevents circumvention. This combination ensures that your promotion data comes from eligible participants in your target market.

Preventing Duplicate Entries

Duplicate entries — one person entering multiple times with different email addresses — are harder to detect than bot traffic because each individual entry looks legitimate. The patterns only become visible when you analyze entries in aggregate.

| Detection Method | What It Catches | Limitations |
|---|---|---|
| Email deduplication | Same email used twice | Doesn't catch different email aliases |
| IP address tracking | Multiple entries from same IP | Shared networks create false positives |
| Email domain analysis | Disposable email services | Doesn't catch unique Gmail aliases |
| Entry timing analysis | Rapid sequential submissions | Doesn't catch spaced-out duplicates |
| Name + location matching | Same person, different email | Common names create false positives |

No single detection method catches everything. The most effective approach is layered prevention — combining IP limits, email deduplication, and entry timing analysis to catch the majority of duplicate entries without creating excessive false positives.

Don't be so aggressive that you block real entrants

Fraud prevention is a balance. If your filters are too aggressive, you'll block legitimate entries from shared households, office networks, and mobile carriers (which often share IP addresses among thousands of users). Start with medium security settings and tighten only if you observe specific fraud patterns. Monitor your blocked entry rate — if it exceeds 10-15%, your filters may be too strict.

VPN and Proxy Detection

VPN and proxy services allow users to mask their real IP address and location. Fraudsters use them to bypass IP limits (appear as different users), circumvent geofencing (appear to be in an eligible country), and hide their identity when submitting mass entries.

VPN blocking prevents entries from known VPN and proxy IP ranges. This is particularly important for promotions with geographic restrictions, where a user in an ineligible country could use a VPN to appear as if they're in the United States.

| Scenario | VPN Blocking Recommended? | Reason |
|---|---|---|
| High-value prize ($5,000+) | Yes | Higher incentive for fraud |
| Geographically restricted promotion | Yes | Prevents geo restriction circumvention |
| International promotion (no geo restrictions) | Optional | Lower fraud incentive |
| Internal or employee promotion | No | Trusted audience, may use corporate VPN |
| Low-value or no-prize promotion | No | Low fraud incentive, not worth the friction |

Revup's Strict security level includes VPN blocking by default, and you can enable or disable it independently through the Custom security level. For most consumer-facing promotions with prizes worth $1,000 or more, VPN blocking is recommended.

Referral Fraud Prevention

Referral mechanics — where participants earn bonus entries by inviting friends — are highly effective for campaign growth but create specific fraud opportunities. The most common scheme: self-referral, where one person creates multiple accounts to refer themselves and accumulate bonus entries.

Referral Fraud Prevention Measures

  • Limit bonus entries per referrer — cap at 10-25 referral entries regardless of how many people they invite
  • Require referred entries to be unique — the referred person must be a new email address not already in the system
  • Apply IP limits to referral chains — if the referrer and referred person share an IP, flag it for review
  • Monitor referral patterns — a single person generating 50+ referrals in an hour is likely gaming the system
  • Don't award referral entries until the referred person completes their own entry — prevents credit for fake referrals
  • Use unique referral links that can be tracked and audited
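
The crediting rules from this list expressed as a small ledger, as an added example that is not Revup's code. The `ReferralLedger` class and its method names are hypothetical, the referrer's email stands in for the unique referral link, and the scenario in `demo()` is constructed.

```python
from collections import Counter

BONUS_CAP = 10  # low end of the 10-25 range suggested in the list


class ReferralLedger:
    def __init__(self, cap=BONUS_CAP):
        self.cap = cap
        self.ip_of = {}         # email -> IP recorded when the entry started
        self.pending = {}       # referred email -> referrer, awaiting completion
        self.bonus = Counter()  # referrer -> bonus entries actually awarded
        self.review = []        # (referrer, referred, reason) for a human to check

    def start_entry(self, email, ip, referrer=None):
        """Record a started entry. False means the address is already known."""
        email = email.strip().lower()
        if email in self.ip_of:
            return False        # not a new address: no entry, no referral credit
        self.ip_of[email] = ip
        if referrer in self.ip_of and referrer != email:
            self.pending[email] = referrer
        return True

    def complete_entry(self, email):
        """Credit the referrer only once the referred person has finished."""
        email = email.strip().lower()
        referrer = self.pending.pop(email, None)
        if referrer is None:
            return "no_referral"
        if self.ip_of[email] == self.ip_of[referrer]:
            self.review.append((referrer, email, "shared_ip"))
            return "held_for_review"   # flagged, not silently credited or dropped
        if self.bonus[referrer] >= self.cap:
            return "cap_reached"
        self.bonus[referrer] += 1
        return "credited"


def demo():
    """Constructed scenario with a cap of 2 so the cap is reached quickly."""
    led, out = ReferralLedger(cap=2), []
    led.start_entry("alice@example.com", "203.0.113.5")
    for email, ip in [("bob@example.com", "198.51.100.1"),
                      ("alice.alt@example.com", "203.0.113.5"),  # referrer's IP
                      ("bob@example.com", "198.51.100.9"),       # already entered
                      ("carol@example.com", "198.51.100.2"),
                      ("dave@example.com", "198.51.100.3")]:
        if led.start_entry(email, ip, referrer="alice@example.com"):
            out.append(led.complete_entry(email))
        else:
            out.append("duplicate")
    return out, led.bonus["alice@example.com"], led.review
```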

Building a Fraud Prevention Strategy

Effective fraud prevention isn't about deploying every tool at maximum intensity. It's about matching your security measures to your risk profile — which varies by prize value, audience type, and campaign visibility.

Fraud Prevention Strategy Development

1. Assess your risk profile

High-value prizes ($5,000+), national promotions, and campaigns promoted on sweepstakes directories face higher fraud risk. Low-value prizes, local promotions, and campaigns promoted only to existing customers face lower risk.

2. Choose your security level

Start with Medium security (3 IP limit, optional CAPTCHA) for most campaigns. Escalate to Strict (1 IP, VPN block, CAPTCHA) for high-value prizes. Use Low or Off only for internal promotions with trusted audiences.

3. Add geo restrictions if applicable

If your promotion has geographic eligibility requirements (most do), enable geofencing to match your official rules. Add VPN blocking if the geographic restriction is important.

4. Monitor during the campaign

Watch for sudden entry spikes, unusually high entries from single IP ranges, or clusters of entries using disposable email domains. These patterns indicate fraud in progress.

5. Audit before winner selection

Before drawing winners, review the entry pool for obvious fraud: duplicate names with different emails, entries from blocked countries, or entries that somehow bypassed your security settings. Remove invalid entries before the draw.

Revup's five security levels — Strict, Medium, Low, Off, and Custom — let you configure IP limits, VPN blocking, CAPTCHA, and geofencing independently for each promotion, so your fraud prevention matches your specific risk profile.

Fraud Prevention and User Experience

The tension in fraud prevention is always the same: more security means more friction. Every CAPTCHA, every IP restriction, and every additional verification step reduces the number of legitimate entries alongside the fraudulent ones.

| Security Measure | Fraud Prevented | Conversion Impact | Recommendation |
|---|---|---|---|
| CAPTCHA | Bot entries (90%+) | 5-10% drop | Use for high-value prizes, skip for low-value |
| IP limits (3 per IP) | Duplicate entries | 1-3% drop | Recommended for all campaigns |
| VPN blocking | Geo circumvention, IP masking | 2-5% drop | Use for geo-restricted or high-value |
| Email validation | Fake/disposable emails | 1-2% drop | Recommended for all campaigns |
| Geofencing | Ineligible entries | Minimal for target audience | Use when eligibility is geographic |

The conversion impact of security measures is almost always worth it. A 5% reduction in entries from CAPTCHA might remove 500 legitimate entries from a 10,000-entry campaign — but it might also remove 3,000 bot entries that would have contaminated your data, inflated your metrics, and cost you money in wasted email sends.

Post-Campaign Fraud Auditing

Even with prevention measures in place, some fraudulent entries will get through. A post-campaign audit before winner selection catches entries that slipped past your automated defenses.

Post-Campaign Fraud Audit Checklist

  • Check for email address patterns — sequential addresses (user1@, user2@, user3@) suggest a single person
  • Review entries from disposable email domains — mailinator, tempmail, guerrillamail, etc.
  • Look for clusters of entries with the same IP address that exceeded normal limits
  • Check for entries from countries or regions outside your eligibility zone
  • Review referral chains for self-referral patterns (referrer and referral share IP or name patterns)
  • Verify that the winner pool excludes disqualified entries before the draw
  • Document your audit process — this protects you legally if a winner's eligibility is challenged
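
Several of these checks, together with the alias gap noted in the duplicate-detection table, can be run as one pass over the exported entries. This is an added example, not Revup's audit logic: the tuple layout, the U.S.-only eligibility set, the run threshold of 3, and the treatment of `+tag` as an alias on every domain are assumptions, and the entries are constructed.

```python
import re
from collections import defaultdict

DISPOSABLE = {"mailinator.com", "guerrillamail.com"}  # short illustrative list
ELIGIBLE = {"US"}   # assumed: the official rules say U.S. only
IP_LIMIT = 3        # "Medium" security level

def canonical_email(addr):
    """Collapse aliases: case, +tags, and the dots Gmail ignores."""
    local, _, domain = addr.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]   # assumption: +tag is an alias on any domain
    if domain in ("gmail.com", "googlemail.com"):
        local, domain = local.replace(".", ""), "gmail.com"
    return f"{local}@{domain}"

def audit(entries, eligible=ELIGIBLE, ip_limit=IP_LIMIT):
    """Return {entry id: [reasons]} for entries to review before the draw."""
    flags = defaultdict(list)
    by_email, by_ip, by_stem = defaultdict(list), defaultdict(list), defaultdict(list)
    for eid, email, ip, country in entries:
        local, _, domain = canonical_email(email).rpartition("@")
        by_email[(local, domain)].append(eid)
        by_ip[ip].append(eid)
        m = re.fullmatch(r"(.*\D)\d+", local)      # user1, user2 -> stem "user"
        if m:
            by_stem[(m.group(1), domain)].append(eid)
        if domain in DISPOSABLE:
            flags[eid].append("disposable_domain")
        if country not in eligible:
            flags[eid].append("ineligible_country")
    for ids in by_email.values():
        for i in ids[1:]:                          # keep the first, flag the rest
            flags[i].append("alias_duplicate")
    for ids in by_ip.values():
        for i in ids[ip_limit:]:                   # entries beyond the per-IP limit
            flags[i].append("over_ip_limit")
    for ids in by_stem.values():
        if len(ids) >= 3:                          # assumed threshold for a "run"
            for i in ids:
                flags[i].append("sequential_address")
    return dict(flags)

# Constructed sample: (id, email, ip, country)
ENTRIES = [
    (1, "jane.doe@gmail.com", "203.0.113.10", "US"),
    (2, "JaneDoe+win@gmail.com", "198.51.100.4", "US"),
    (3, "user1@example.org", "192.0.2.50", "US"),
    (4, "user2@example.org", "192.0.2.50", "US"),
    (5, "user3@example.org", "192.0.2.50", "US"),
    (6, "user4@example.org", "192.0.2.50", "US"),
    (7, "x9@mailinator.com", "198.51.100.77", "CA"),
]
```

Flags are reasons for manual review, not automatic disqualifications; shared networks and common address patterns produce false positives, as the tables above note.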

Revup's winner draw system pulls from verified entries only, and the Contacts CRM provides merge suggestions that help identify duplicate contacts across your entry pool. Combined with proper random winner selection, this ensures your promotion remains fair and legally defensible.

Sweepstakes Hobbyists: A Different Kind of Problem

Sweepstakes hobbyists aren't fraudsters — they're real people who enter dozens or hundreds of sweepstakes through directories and deal sites. They're not breaking your rules, but they're also not your target audience.

You can't (and shouldn't try to) block hobbyists. But you can minimize their impact on your campaign quality:

| Strategy | How It Works | Impact on Hobbyists |
|---|---|---|
| Brand-relevant prizes | Give away your products, not cash | Hobbyists skip promotions for products they don't want |
| Don't list on directories | Avoid submitting to sweepstakes aggregator sites | Significantly reduces hobbyist traffic |
| Segment by source | Track where entries come from using UTM parameters | Lets you measure hobbyist impact separately |
| Post-entry qualification | Add a survey or quiz after entry | Identifies entrants with genuine interest |
| Email engagement filtering | Suppress non-engaged contacts after 30 days | Removes hobbyists who never open emails |

The most effective anti-hobbyist strategy is prize selection. A $1,000 Visa gift card will attract every sweepstakes hobbyist on the internet. A $1,000 bundle of your products will attract people who actually want what you sell.

Frequently Asked Questions

How much fraud should I expect in a typical sweepstakes?

Without any prevention measures, 10-40% of entries in a widely promoted sweepstakes could be fraudulent (bots, duplicates, fake emails). With medium security measures (IP limits + CAPTCHA), this drops to 2-5%. The percentage varies based on prize value, promotion visibility, and whether the campaign is listed on sweepstakes directory sites.

Will fraud prevention tools reduce my entry count?

Yes, slightly. CAPTCHA typically reduces entries by 5-10%, and IP limits add another 1-3% reduction. But the entries you lose are either bots or duplicates — not the kind of entries you want. A campaign with 8,000 legitimate entries and 2,000 blocked fraudulent entries gives you cleaner data and better ROI than 10,000 entries with 30% fraud contamination.

Should I use Strict security for every campaign?

No. Strict security (1 IP limit, VPN blocking, CAPTCHA) is appropriate for high-value prizes and nationally promoted campaigns. For lower-risk campaigns — local promotions, internal campaigns, or campaigns promoted only to your existing audience — Medium or Low security is sufficient and creates less entry friction.

What should I do if I discover fraud during a live campaign?

First, tighten your security settings immediately — increase IP restrictions or enable CAPTCHA if they're not already active. Second, document the fraudulent entries (save IP data, timestamps, email patterns). Third, audit and remove confirmed fraudulent entries before the winner draw. Fourth, note the patterns for future campaigns so you can set stronger initial prevention.

Can I be held legally liable if a fraudulent entrant wins?

Your official rules should include a fraud disqualification clause that gives you the right to disqualify any entrant suspected of fraud. Include language stating that the sponsor reserves the right to void entries obtained through fraudulent means. This protects you legally if you need to disqualify a winner and select an alternate. Consult with a promotion attorney to ensure your rules are comprehensive.

For a complete overview of running legally compliant, fraud-protected promotions, explore our sweepstakes marketing strategy guide or start with the fundamentals in how to run a sweepstakes legally.