Before synthetic identities, before bot traffic at scale—there was email fraud.
Email is the original online scam. And as our industry embraces hashed emails (HEMs) as the deterministic identity signal of choice, the old tricks haven’t gone away. They’ve just found a new home in your bidstream.
The Problem With “Authenticated” Traffic
The shift to authenticated traffic was supposed to clean up programmatic. Instead, it created a new attack surface.
An email address is easy to create, persistent over time, and accepted everywhere. When you hash it and pass it through the bidstream, you’re not anonymizing fraud—you’re laundering it. A HEM tells you that someone created an email address and put it to use somewhere online. It tells you nothing about whether that person is real, actually viewing your ad (or any ad for that matter), or has any intention of becoming a customer.
The Fraudster’s Playbook
Here’s a sample of the many ways bad actors weaponize email identity:
Disposable Email Farms — Services like temp-mail and fake-email make it trivially easy to generate unlimited “real” email addresses on demand. No verification, no phone number, no trace. Fraudsters use these to create accounts at scale, build fake audience segments, and manufacture what looks like authenticated traffic. When hashed, a disposable email is indistinguishable from your best customer. The infrastructure exists specifically to defeat identity verification—and it’s free.
Data Breach Recycling — Over 70 billion data records have been breached in the last decade. That’s billions of real, legitimate email addresses floating around the dark web, available for purchase at pennies per thousand. Fraudsters buy them, hash them with the same SHA-256 everyone uses, and suddenly have “verified” identities that match against first-party data. The email is real. It belongs to a real person. Unfortunately, whatever is clicking your ad isn’t that person.
Synthetic Identity Construction — This is the sophisticated long game. Fraudsters don’t just use fake emails—they build entire personas around them. They create social media profiles, sign up for newsletters, generate browsing history, and nurture these synthetic identities for months before activating them. By the time that HEM appears in a bid request, it has a verifiable digital footprint that looks more legitimate than half your actual customers. These aren’t throwaway identities. They’re investments—designed to pass every verification check the industry has built.
Spam and Abuse Networks — Some emails have histories. They’ve been flagged for spam complaints, used for phishing attempts, or tied to known abuse patterns. But none of that context travels with the hash. When that email gets hashed and enters the bidstream, it arrives clean—no reputation, no history, just another identifier commanding premium CPMs.
Coupon and Promo Fraud Rings — Serial abusers create dozens of email addresses to exploit sign-up bonuses, first-time buyer discounts, and promotional offers. These identities exist solely to game the system. They’re not customers—they’re arbitrageurs. And when those emails show up in your bidstream as “authenticated users,” you’re paying to reach people who have already demonstrated they’ll never pay full price for anything.
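The points above about disposable addresses and lost reputation, shown from the collecting party's side as an added example (not code from the original article): risk has to be assessed while the plaintext address still exists, because the forwarded hash carries none of it. The domain list, function names, record layout, and trim-and-lowercase normalization are assumptions made for illustration.

```python
import hashlib

# Constructed sample list; a real deployment would load a maintained one.
DISPOSABLE_DOMAINS = frozenset({"tempmail.example", "fakeinbox.example"})


def normalize(email: str) -> str:
    """Trim and lowercase before hashing (normalization assumed for this example)."""
    return email.strip().lower()


def hem(email: str) -> str:
    """Hashed email: SHA-256 hex digest of the normalized address."""
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()


def screen_and_hash(email: str, abuse_hems: frozenset = frozenset()) -> dict:
    """Collection side: assess risk while the plaintext exists, then hash."""
    addr = normalize(email)
    local, _, domain = addr.rpartition("@")
    flags = []
    if not local or not domain:
        flags.append("malformed")
    if domain in DISPOSABLE_DOMAINS:
        flags.append("disposable_domain")
    digest = hem(addr)
    # Reputation kept as hashes can still be matched after hashing.
    if digest in abuse_hems:
        flags.append("known_abuse")
    return {"hem": digest, "risk_flags": flags}


def receiver_view(record: dict) -> dict:
    """Downstream view when only the hash is forwarded: no domain, no history."""
    return {"hem": record["hem"]}


if __name__ == "__main__":
    abuse = frozenset({hem("spammer@mail.example")})  # constructed denylist
    for raw in ("alice@shop.example", "bot123@tempmail.example",
                " Spammer@Mail.example "):
        rec = screen_and_hash(raw, abuse)
        print(rec["risk_flags"], receiver_view(rec)["hem"][:16])
```

Every digest has the same 64-character shape regardless of the flags raised at collection, so a receiver that gets only the hash cannot reconstruct them.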
The Bottom Line
Email has been the universal identifier—and a universal fraud vector—since the beginning of the internet. As our industry doubles down on HEMs, we need to be clear-eyed: not every authenticated impression is valuable, and not every “deterministic match” is what it claims to be.
The fraudsters figured this out a long time ago. It’s time the rest of the industry caught up.