Linked Accounts Detection
The Linked Accounts Detection module identifies customers who share fingerprints — shipping address, billing address, phone number, IP address, payment method, or device user-agent — across what would otherwise look like separate accounts. It’s the module that exposes fraud rings: groups of accounts operated by the same person or small team using slight variations on email addresses to multiply discounts, evade blocks, or distribute coordinated refund abuse.
Module ID: linked_accounts. Default: enabled. Free tier (complete).
What It Observes
Every time a checkout completes, the module:
- Reads the billing and shipping address from the order
- Reads the phone number, the IP, the payment method fingerprint (last-4 + brand), and the device user-agent fingerprint
- Computes a keyed HMAC-SHA256 hash for each fingerprint (so raw addresses, IPs, and personal info are never stored in plaintext)
- Looks up the resulting hashes in the `{prefix}trustlens_fingerprints` table
- If a match is found on any fingerprint with a different customer hash, records the link in `{prefix}trustlens_linked_accounts`
- Updates the `linked_accounts` count on both linked customer records
- Fires the `trustlens/linked_accounts_detected` action — other modules (Coupons, automation rules) listen for this
The keyed-hash design is important: raw addresses and IPs never leave the database in cleartext. The hash key is plugin-instance-specific so the same address on two different stores produces different hashes and cannot be cross-referenced externally.
What Counts as a Link
The module checks six fingerprint types, each with its own normalization rules.
| Fingerprint Type | Inputs Normalized Into the Hash | Sensitivity |
|---|---|---|
| Shipping address | address line 1, city, postcode (lowercased, whitespace stripped) | High — most reliable link signal |
| Billing address | address line 1, city, postcode | High |
| Phone number | digits-only normalized form (country code optional) | High |
| IP address | full IPv4 or IPv6 address from the checkout request | Medium — shared NAT, mobile carrier, VPNs can produce false positives |
| Payment method | last-4 digits + brand (e.g. “Visa-4242”) | Medium — different cards from same person link, but family-shared cards can false-positive |
| Device fingerprint | user-agent + accept-language + viewport + canvas hash (computed client-side) | Medium-high |
A link exists if any fingerprint type matches between two customer hashes. The module records which fingerprint produced the link, so on the customer detail page you can see whether two accounts are linked by address (strong) versus IP only (weaker).
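The keyed-hash matching described above, as an added Python sketch (not TrustLens's own code, which ships as a WordPress plugin). The exact normalization, the `kind:` tag in the HMAC input, the key, the customer labels and the sample checkouts are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re
from collections import defaultdict
from itertools import combinations

def normalize(kind, value):
    """Normalize per the table above; the plugin's exact rules are assumed."""
    if kind in ("shipping", "billing"):
        # value = (address line 1, city, postcode): lowercase, strip whitespace
        return "|".join(re.sub(r"\s+", "", part.lower()) for part in value)
    if kind == "phone":
        return re.sub(r"\D", "", value)  # digits only
    return value.strip().lower()  # ip, payment, device

def fingerprint(key, kind, value):
    """Keyed HMAC-SHA256 over the type-tagged, normalized value."""
    msg = f"{kind}:{normalize(kind, value)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def find_links(key, checkouts):
    """Return {(customer_a, customer_b): {fingerprint types that matched}}."""
    seen = defaultdict(set)  # (kind, hash) -> customers seen with that hash
    for customer, fields in checkouts:
        for kind, value in fields.items():
            seen[(kind, fingerprint(key, kind, value))].add(customer)
    links = defaultdict(set)
    for (kind, _), customers in seen.items():
        for a, b in combinations(sorted(customers), 2):
            links[(a, b)].add(kind)  # keep which fingerprint produced the link
    return dict(links)

# Constructed sample data; the key stands in for the per-install secret.
STORE_KEY = b"constructed-store-a-secret"
CHECKOUTS = [
    ("cust1", {"shipping": ("12 Elm Street", "Leeds", "LS1 4AB"), "ip": "203.0.113.7"}),
    ("cust2", {"shipping": ("12 elm street ", "LEEDS", "ls14ab"), "ip": "198.51.100.9"}),
    ("cust3", {"shipping": ("9 Oak Road", "York", "YO1 7HH"), "ip": "203.0.113.7"}),
]

if __name__ == "__main__":
    for pair, kinds in sorted(find_links(STORE_KEY, CHECKOUTS).items()):
        print(pair, sorted(kinds))
```

Here cust1 and cust2 link on the shipping address despite cosmetic differences, while cust1 and cust3 link on IP only, the weaker case the table flags for shared NAT and VPNs.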
What It Signals
| Trigger | Score | Reason Shown on Profile |
|---|---|---|
| Linked to 3+ other accounts | -30 | “Linked to 4 other accounts” |
| Linked to ≥1 risky/critical account | -25 | “Linked to 1 high-risk accounts” |
| Linked to 1–2 normal/trusted accounts | -5 to -10 | “Linked to 2 other accounts” |
| No links | 0 | (no signal) |
The “linked to a risky account” signal is the strongest single fraud-ring indicator. The logic: if the account you’re linked to is already classified as Risk or Critical by other modules, the link itself becomes a stronger negative signal than the link count alone.
The Linked Accounts Panel
The Customer Detail page shows a Linked Accounts panel listing every link with:
- The linked customer’s segment badge
- The linked customer’s email (or hash if no email is known)
- Which fingerprint(s) produced the link — address, IP, phone, payment, device
- The first time the link was detected
- A click-through to the linked customer’s profile
This is the workflow for investigating fraud rings: open one suspected account, click through the linked accounts panel to see the others, and confirm they all share characteristics (similar order patterns, coordinated timing, shared coupons).
Settings
| Setting | Default | Description |
|---|---|---|
| Module enabled | On | Master toggle |
The fingerprint computation rules are fixed — there’s no per-fingerprint enable/disable in Free, because each fingerprint individually has too high a false-positive rate. The module’s strength is in combining them.
Common Patterns
The Email-Variation Ring
Signature: 5 accounts: [email protected], [email protected], [email protected], [email protected], [email protected]. All share the same shipping address. All used new-customer coupons.
Detection: Shipping address hash matches across all 5 accounts. Linked Accounts module records all pairwise links. Each account shows “linked to 4 other accounts” — fires the -30 signal.
Profile: All 5 accounts Critical.
The Family / Household
Signature: 2–3 accounts at the same address with different names and different payment methods, normal order patterns, no abuse signals.
Detection: Address link present, but no abuse signals on any of the accounts.
Profile: Each account shows -5 or -10 from the linked-accounts signal but no other module signals. Likely false positive — allowlist if confirmed legitimate.
The Reseller / Drop-shipper
Signature: 1 account placing many orders to many different shipping addresses.
Detection: Not flagged by Linked Accounts — this is the inverse pattern. Caught by Shipping Anomalies instead.
The Block-Evasion Account
Signature: A previously-blocked customer creates a new account with a slightly different email and tries to place orders.
Detection: The payment method fingerprint or device fingerprint matches the blocked account. Linked Accounts records the link. The new account inherits the “linked to a critical account” signal (-25).
Profile: New account immediately lands in Risk or Critical even with no order history.
False-Positive Watch List
Linked Accounts has the highest false-positive rate of any module. Common sources:
- Family / household sharing. Spouses, roommates, parents and adult children — all legitimately separate customers sharing an address. Frequency: very common.
- Office addresses. Multiple coworkers ordering to the same office address. Frequency: occasional, depends on industry.
- Shared payment methods. Parent paying for adult child’s order, married couples with joint accounts. Frequency: occasional.
- Mobile carrier NAT. Mobile customers can share a public IP with hundreds of unrelated users. The IP fingerprint produces noise here — but it’s only one of six fingerprint types, and a link by IP alone doesn’t produce a strong signal.
- Corporate VPNs. Employees of the same company can all appear to come from the same IP.
The mitigations:
- Link count determines the penalty: a single weak link doesn’t trigger the -30 signal, which requires links to 3+ other accounts
- The “linked to risky account” signal is the strongest, but only fires when one of the linked accounts already has other abuse signals from other modules
- You can allowlist confirmed-legitimate household accounts; the allowlist locks the customer at score 100 and suppresses the linked-accounts signal entirely
Disabling the Module
Disabling Linked Accounts loses one of TrustLens’s strongest fraud-ring detection capabilities. Only consider this if you’re consistently seeing false positives that aren’t being mitigated by allowlisting. When disabled:
- No new links are recorded
- Existing links remain in the database
- The Coupons module’s “linked-account coupon aggregate” signal stops firing (it depends on this module)
- Cross-account fraud-ring detection becomes blind
Reading the Linked Accounts Section of a Profile
- Signal breakdown shows one Linked Accounts signal with the count
- Linked Accounts panel lists each linked customer with the fingerprint type(s) that produced the link
- Event timeline shows `linked_account_detected` events when new links were found
The fingerprint-type column in the linked accounts panel is the most useful piece of evidence. Two accounts linked by “Address + Phone + Payment” is overwhelming evidence of shared identity. Two accounts linked by “IP only” is barely evidence at all — IPs are noisy.
Privacy Considerations
Linked Accounts processes personal data — addresses, phones, IPs, payment fingerprints. TrustLens handles this with several safeguards:
- Keyed HMAC-SHA256 hashing — raw values are never stored. Hashes use a plugin-instance-specific secret, so two different stores cannot cross-correlate hashes.
- GDPR data export includes the customer’s fingerprints and linked-accounts records
- GDPR data erasure removes the customer’s hashes and links from all tables
- No external sharing — fingerprint data never leaves your WordPress install unless you explicitly configure webhooks or alerts
See Privacy & GDPR FAQ for the full data-handling description.