A Closer Look at How IPQS IP Fraud Scores Work

An IP address is one of the first things you learn about a visitor, often before they have typed an email, entered a card, or chosen a password. That makes IP intelligence one of the earliest and most valuable signals in fraud prevention. The challenge is that a raw IP address on its own does not tell you much. The IPQS IP fraud score solves that by turning reputation, behavior, and network data into a single, practical number you can act on in real time.

This guide breaks down what that number actually means, what goes into it, how to read it, and how to tune it for your own risk tolerance. It is written to be useful whether you are a small business setting up your first fraud checks or an enterprise team fine-tuning scoring across millions of events.

What Is an IP Fraud Score?

An IP fraud score is a rating from 0 to 100 that reflects how likely an IP address is to be tied to abusive or malicious activity. A low score points to a clean, ordinary connection. A high score signals an IP associated with things like automated bots, proxies and VPNs, credential stuffing, or payment fraud.

New to IP fraud scoring? Start with our explainer on what an IP fraud score is for a plain-English overview, then read on for how those scores are calculated and tuned.

The point of the score is to compress a large amount of network intelligence into one decision-ready value, while still keeping all the supporting detail available for any case that needs a closer look. You get a fast answer for automated rules, plus the underlying fields for manual review and analytics.

Why the IP Address Is Your Earliest Signal

Every registration, login, and checkout starts with a connection, and that connection carries a surprising amount of context. An IPQS IP lookup can return geolocation, ISP, hostname, ASN (the network operator the IP belongs to), time zone, and connection type, along with checks for whether the address is a proxy, VPN, or Tor connection.

Evaluating the IP early gives your fraud models context before the user does anything risky. If the connection already looks like masked or high-risk infrastructure, you can decide to add friction, request another verification step, or watch the session more closely, all before a fraudulent action takes place.

What Goes Into an IPQS IP Score

The score is not a single lookup against a list. It blends several independent categories of signal so that no one factor decides the outcome on its own.

IP reputation and abuse history

IPQS weighs the history tied to an address against its recent activity. Reputation data reflects whether an IP has been seen participating in attacks, fake account creation, spam, or other abuse, and how recently. An address with a long, clean record is treated very differently from one that was relaying attacks an hour ago.

Network context: hosting, residential, and mobile

Where an IP lives on the internet matters. Traffic from a data center or hosting provider is inherently more suspicious for consumer-facing actions, because real customers rarely browse or buy from a server farm. Residential and mobile connections carry different baseline expectations. IPQS factors this network context in, so the score reflects more than a single isolated event.

Anonymizer detection: proxy, VPN, Tor, and residential proxies

Masked traffic is not automatically fraud, but it changes the risk picture depending on your use case. IPQS distinguishes between different kinds of anonymization, including standard proxies, commercial VPNs, Tor, and the trickier category of residential proxies, where attackers route traffic through hijacked consumer devices to look like ordinary households. It also separates connections with confirmed recent anonymizer use from those with only older associations, which helps you tell an active threat from stale history.

Behavioral and session signals

Scoring can also take in the user agent, language, and other optional inputs you pass with the request. Combined with abuse history and geolocation integrity, these help flag mismatches and automation that a static reputation check would miss.

Two Scores, Two Jobs: Fraud Score vs. Risk Score

One of the most useful and least understood parts of the IPQS response is that you get more than one number.

The overall fraud score leans on the full picture, including longer-term reputation and abuse history. Alongside it, IPQS returns a risk score that intentionally places less weight on historical reputation and more on the current session and recent behavior.

Why does that matter? Because the two answer different questions. The fraud score is great for "has this address been a problem in general?" The risk score is better for "is this specific session behaving suspiciously right now?" Comparing the two lets you separate an IP with a bad past that is currently behaving normally from a previously clean IP that just started acting maliciously. That nuance is exactly what helps reduce false positives while still catching new threats.

What the API Returns

The number is only the headline. The IPQS Proxy Detection API response includes the supporting fields that explain why an address scored the way it did, including signals such as:

• fraud_score and the session risk score

• recent_abuse, indicating confirmed abusive activity in the recent past

• abuse_velocity, describing how frequently the address has been linked to abuse

• bot_status and other automation indicators

• proxy, vpn, and tor flags, including active versus historical use

• connection_type (residential, mobile, data center, and so on)

• Geolocation and network details: country, region, city, ISP, ASN, organization, hostname, and time zone

Always read the score together with these fields. They turn a single rating into an explanation, which is what makes confident, defensible decisions possible. The API documentation lists the complete, authoritative field set.

How to Read an IP Score: Risk Bands and Tuning

The default risk bands

As a general guide, IPQS scores can be read in bands:

• 75 and above: treat with caution and consider added verification.

• 85 and above: likely suspicious behavior worth a stronger response.

• 90 and above: strongly associated with abusive or malicious activity.

These are starting points, not hard rules. The right cutoff depends entirely on what is at stake in the action you are protecting.

Choosing the right strictness for your use case

IPQS lets you tune how aggressive the scoring is through adjustable strictness levels, so you can dial sensitivity up or down rather than accepting one fixed setting. The logic is straightforward:

• High-risk actions like new account creation, password resets, and payments justify stricter settings and lower thresholds, because the cost of letting fraud through is high.

• Low-risk actions like browsing or newsletter signups can use looser settings, so you do not add friction where it is not needed.

For payment flows specifically, IPQS also offers transaction-focused scoring through the transaction risk scoring parameters. The documentation covers the exact strictness options and penalties you can configure.

Putting IP Scores to Work Across the User Journey

IP scoring earns its value at every vulnerable step:

• Sign-up: block fake and bot-created registrations before they pollute your user base.

• Login: catch account takeover and credential stuffing coming from known-bad infrastructure.

• Checkout: add scrutiny to payments from high-risk or masked connections to cut chargebacks.

• Ad and affiliate traffic: filter invalid traffic so your spend reaches real people.

Best Practices: Avoiding False Positives

A high score is a reason to look closer, not always a reason to hard-block. A few principles keep accuracy high:

1. Match the response to the risk. Reserve outright blocks for the highest scores and clearest cases. For middling scores, step-up verification is often the smarter move.

2. Never rely on IP alone. The strongest programs combine IP scoring with email, phone, and device fingerprinting signals, so a single noisy data point cannot drive a decision by itself.

3. Use the supporting fields. Two IPs with the same score can tell very different stories once you read recent abuse, connection type, and anonymizer status.

4. Tune per use case. A score that should block a payment might be perfectly acceptable for a low-stakes action.

Why Freshness Makes IPQS Scores More Accurate

IP intelligence is only as good as it is current. Attack infrastructure churns constantly, so an address that is dangerous today may be a normal household tomorrow, and vice versa. Scores built on stale data both miss new threats and punish reformed addresses.

IPQS scoring is backed by billions of events and a global network of honeypots and deception traps across more than 150 countries. That honeypot network observes fake accounts, automated attacks, stolen-credential use, brute force, spam, and phishing as they happen, then feeds those firsthand signals back into scoring. Because the data is refreshed continuously rather than on a slow external cycle, scores reflect what is actually happening on the network right now, which is what keeps both detection rates high and false positives low.

Frequently Asked Questions

What is a good IP fraud score? Lower is better. Scores under the mid-70s generally represent ordinary traffic, while scores of 75 and above warrant increasing caution. The right threshold for action depends on your use case and risk tolerance.

Does a high score always mean fraud? No. A high score means elevated risk, not a confirmed bad actor. It is best used to trigger a proportionate response, such as added verification, rather than an automatic block in every case.

What is the difference between the fraud score and the risk score? The fraud score reflects the full picture including longer-term reputation. The risk score de-emphasizes history to focus on current session behavior. Reading them together helps separate a bad past from present-moment activity.

Will a VPN or proxy user automatically get flagged? Not automatically. IPQS identifies anonymized traffic and lets you decide how much it matters for a given action, since legitimate users sometimes use VPNs and the appropriate response varies by use case.

How often is the IP data updated? Continuously. The underlying threat data is refreshed on a fast cycle and informed by live honeypot activity, so scoring stays current as infrastructure changes.

Get Started

The fastest way to understand IPQS IP scoring is to run your own traffic through it and read the results. Start a free trial with 1,000 free lookups per month, or schedule a demo to see how IP, email, phone, and device signals work together across your entire user journey.