Free Tier Abuse Is Costing AI Startups Thousands. Here Is the Fix
A detailed cost breakdown of what fake signups really cost AI SaaS companies: wasted tokens, inflated ESP bills, Stripe overhead, and engineering hours. The math says prevention is 50-100x cheaper than the fraud itself.
The Math Nobody Does Until It Is Too Late
I talk to AI startup founders every week. Almost all of them know they have a fake signup problem. Almost none of them have done the actual math on what it costs. They wave their hand and say "yeah, we probably lose a few hundred bucks a month to abuse" and move on to the next feature sprint.
They are off by an order of magnitude. When you sit down and add up the wasted inference tokens, the bloated email campaigns, the Stripe billing noise, the server compute, and the engineering hours burned on cleanup, the real number for a mid-stage AI SaaS is $5,000 to $15,000 per month. For some companies, it is more.
This article is the spreadsheet your CFO has been asking for. Let us build it line by line.
Start With a Realistic Scenario
Take a hypothetical AI SaaS product. Maybe it is a writing assistant, a code generator, or an image tool. It has a free tier that gives users a taste of the product. Here are the baseline numbers:
- 10,000 monthly signups
- 25-35% are fake accounts (this range is consistent with data from our survey of 38 AI SaaS founders)
- Free tier allows 50 AI requests per account
That gives us 2,500 to 3,500 fake accounts every month. Let us use 3,000 as our working number and trace the costs through every system those fake accounts touch.
Cost 1: Wasted Inference Tokens
This is the big one. AI products have a cost structure that is fundamentally different from traditional SaaS. Every user interaction burns real money in inference costs, and fake accounts exploit that ruthlessly.
The per-request cost depends on your model and usage pattern:
- GPT-4o / Claude Sonnet: $0.01-$0.03 per request (typical prompt + completion)
- GPT-4 / Claude Opus: $0.03-$0.10 per request
- Image generation (DALL-E, Stable Diffusion): $0.02-$0.08 per image
With 3,000 fake accounts each burning through 50 free requests at an average cost of $0.02 per request, you are looking at:
3,000 accounts x 50 requests x $0.02 = $3,000/month in wasted tokens
That is the conservative estimate. Bot operators are not casual users. They tend to maximize extraction, running complex prompts that consume more tokens than a typical real user. Some operators create scripts that systematically exhaust every free credit before the account is abandoned. If average cost per request climbs to $0.03 (which is common for longer completions), the waste hits $4,500/month.
Cost 2: Email Campaigns Sent to Nobody
Every fake signup enters your onboarding funnel. Your welcome email fires. Your drip sequence kicks in. Your re-engagement campaign triggers when the "user" goes inactive after three days. None of it reaches a real person, but you pay for all of it.
Here is the lifecycle cost per fake subscriber across major ESPs:
- Welcome email: $0.0005 per send (Mailchimp/SendGrid average)
- 5-email onboarding drip: $0.0025 total
- Weekly product updates (4 sends before churn): $0.002
- Re-engagement campaign (3 sends): $0.0015
- ESP subscriber cost: $0.50-$1.00/month per contact on your list
The send costs look tiny in isolation. But the subscriber overhead is what kills you. Mailchimp charges by total contacts. SendGrid charges by total contacts. Every ESP on the market charges by total contacts. Three thousand fake addresses sitting in your list push you into higher billing tiers.
Conservatively, each fake subscriber costs $0.50-$1.50 over its lifecycle before you clean it out (assuming you even do). Across 3,000 fake signups per month, with churn and accumulation:
$1,500-$4,500/month in wasted ESP spend
And that does not account for the deliverability damage. Sending to dead addresses tanks your sender score, which means your real users start missing emails too. The downstream effects of list pollution are hard to quantify, but they are real.
Cost 3: Stripe Billing Overhead and Payment Noise
Even free-tier accounts generate Stripe activity if you use Stripe for account management, trial tracking, or metered billing. Stripe creates customer objects, subscription records, and invoice events for free-tier users. None of this costs much individually, but at scale it adds up:
- Stripe customer object creation and webhook events: free, but they clutter your billing dashboard and reporting
- Failed charge attempts when bots enter garbage payment info on upgrade prompts: $0.00 charge but the dispute/fraud signal degrades your Stripe Radar score
- Engineering time debugging billing anomalies caused by bot accounts: 2-4 hours/month
Direct Stripe costs from fake accounts are modest. Call it $200-$500/month in indirect overhead and cleanup time. The real damage is analytical: 3,000 fake customer records per month pollute your MRR forecasts, trial-to-paid conversion rates, and cohort analyses.
Cost 4: Server Compute Beyond Inference
Inference tokens are the headline cost, but fake accounts also consume server resources that you pay for separately:
- Database storage: user records, session data, activity logs. 3,000 fake accounts with associated data: roughly 50-100 MB/month accumulating.
- Background jobs: onboarding workflows, analytics events, usage tracking. Each fake account triggers the same post-signup jobs as a real one.
- API gateway and CDN traffic: bots hit your endpoints, consume bandwidth, and eat into rate limits that could serve real users.
- Auth infrastructure: session tokens, JWT creation, password hashing. CPU cycles that scale linearly with signups.
This category is harder to isolate, but infrastructure teams at mid-stage startups consistently estimate $300-$800/month in compute waste from fraudulent accounts. If you are on usage-based cloud pricing (and most startups are), every fake request moves the meter.
Cost 5: Engineering Time
This is the cost that founders underestimate the most. Fake accounts do not just sit there quietly. They generate work.
- Investigating abuse reports: 2-3 hours/week
- Manual account cleanup and banning: 1-2 hours/week
- Building and maintaining ad-hoc blocklists: 1-2 hours/week
- Debugging metrics anomalies caused by fake data: 2-3 hours/week
- Responding to support tickets from rate-limited real users affected by bot traffic: 1 hour/week
That is 7-11 hours per week. At a loaded engineering cost of $150/hour (salary + benefits + overhead for a mid-level engineer), you are spending:
$4,200-$6,600/month in engineering time on fraud-related work
This is time your engineers are not spending on product features, performance improvements, or customer requests. The opportunity cost is enormous.
The Total: $5,000-$15,000 per Month
Add it all up for our hypothetical AI SaaS with 10,000 monthly signups and 30% fake accounts:
| Cost Category | Low Estimate | High Estimate |
|---|---|---|
| Wasted inference tokens | $3,000 | $4,500 |
| ESP / email campaign waste | $1,500 | $4,500 |
| Stripe and billing overhead | $200 | $500 |
| Server compute (non-inference) | $300 | $800 |
| Engineering time | $4,200 | $6,600 |
| Monthly total | $9,200 | $16,900 |
| Annual total | $110,400 | $202,800 |
Read that last row again. A mid-stage AI startup with a free tier is losing $110K-$200K per year to fake signups. And that is with only 10,000 monthly signups. Scale to 50,000 or 100,000 signups and the numbers get genuinely scary.
Why CAPTCHAs Make This Worse, Not Better
The first instinct most teams have is to slap a CAPTCHA on the signup form. This is a mistake. CAPTCHAs are a tax on your real users, and they barely slow down the bots.
Here is the uncomfortable reality of CAPTCHAs in 2026:
- reCAPTCHA Enterprise costs $1 per 1,000 assessments. At 10,000 monthly signups plus all the page loads that trigger assessments, you are paying $50-$150/month for the privilege of annoying your users.
- CAPTCHAs reduce conversion by 8-12%. Research from Stanford and Baymard Institute consistently shows that adding friction to signup forms drives away real users. On mobile, the drop is even steeper.
- Bot farms use CAPTCHA solving services at $2-$3 per 1,000 solves. Services like 2Captcha and CapSolver have made CAPTCHA solving a commodity. For a bot operator creating 3,000 accounts per month, the total CAPTCHA-solving cost is about $6-$9. That is not a deterrent. That is a rounding error.
So what do you actually get from a CAPTCHA? You pay $50-$150/month. You lose 8-12% of your real signups (at 10,000 signups, that is 800-1,200 legitimate users who bounce). The bots spend $9 to bypass it entirely. And you still eat every dollar of the fraud costs listed above.
If your fraud prevention costs more than your fraud, you are doing it wrong. And if your fraud prevention drives away more legitimate revenue than it saves, you are actively harming your business. We wrote a detailed breakdown of why CAPTCHAs are dead if you want the full picture.
The Email Validation Approach
Email validation works differently. Instead of challenging the user with a puzzle, it examines the email address and surrounding signals server-side, silently, in under 100ms. No friction. No conversion drop. No client-side scripts.
What does it catch? Disposable email domains, algorithmically generated addresses, invalid mailboxes, datacenter IPs, velocity anomalies, and a dozen other signals that correlate strongly with fake signups. Across the companies we work with, multi-signal email validation catches 85-95% of fake signups before they ever create an account.
And the cost? Pennies per validation. Literally.
BigShield's Starter plan runs $29/month for 5,000 validations. If you are processing 10,000 signups per month, the Pro plan at $99/month covers 50,000 validations with headroom to spare. Compare that to the $9,200-$16,900 you are losing each month to fraud.
Before vs. After: The Full Picture
Let us run the numbers for our hypothetical AI SaaS, comparing the current state (no validation) against adding BigShield at the Pro tier. We will assume BigShield catches 90% of fake signups, which is the midpoint of the 85-95% range we see in practice.
| Metric | Before BigShield | After BigShield |
|---|---|---|
| Monthly signups | 10,000 | 10,000 |
| Fake accounts created | 3,000 | 300 |
| Wasted inference tokens | $3,000-$4,500 | $300-$450 |
| Wasted ESP spend | $1,500-$4,500 | $150-$450 |
| Billing and compute overhead | $500-$1,300 | $50-$130 |
| Engineering time on fraud | $4,200-$6,600 | $600-$1,000 |
| BigShield cost | $0 | $99 |
| Total fraud-related cost | $9,200-$16,900 | $1,199-$2,129 |
| Monthly savings | | $8,001-$14,771 |
The ROI is somewhere between 80x and 149x. Spend $99 to save $8,000-$15,000. You do not need an MBA to approve that purchase order.
Engineering time drops the most dramatically. When 90% fewer fake accounts are created, there are 90% fewer abuse reports to investigate, 90% fewer accounts to clean up, and 90% less noise in your metrics. Your engineers get 6-9 hours per week back. That is almost a full engineering day, every week, recovered.
Why This Hits AI Companies Harder Than Everyone Else
Traditional SaaS has relatively low marginal costs per user. A fake account on a project management tool consumes some database storage and maybe triggers a few background jobs. The cost per fake account might be $0.05-$0.10. Annoying at scale, but not existential.
AI products are different. Every user interaction involves inference, and inference is expensive. Here is a comparison of marginal cost per fake account across product types:
- Social media app: $0.001-$0.01 per fake account (storage and bandwidth only)
- Traditional SaaS: $0.05-$0.10 per fake account (compute, storage, email)
- AI writing tool: $1.00-$5.00 per fake account (50 requests at $0.02-$0.10 each)
- AI code generator: $2.00-$10.00 per fake account (longer context windows, more tokens)
- AI image generator: $1.00-$4.00 per fake account (GPU inference per generation)
A fake account on an AI product costs 100x to 1,000x more than a fake account on traditional SaaS. That is why free-tier abuse is an existential problem for AI startups in a way it simply is not for other categories. The economics of free trial abuse are brutal when your marginal cost per user is measured in dollars, not fractions of a cent.
And bot operators know this. They specifically target AI products because the free tier gives them access to expensive compute. A bot farm that creates 500 free accounts on an AI coding tool gets access to what might be $2,500-$5,000 worth of inference. They resell that access, use it for bulk content generation, or strip-mine the free credits and move on. Your free tier is their business model.
The Scenario Nobody Wants to Think About
Here is what keeps me up at night when I talk to AI founders. You raise a seed round. You launch a free tier to drive adoption. Growth looks incredible: 10,000 signups in the first month, 25,000 by month three. Your investors are thrilled. You start planning your Series A around these numbers.
Six months later, someone finally audits the user base. Thirty percent of accounts never activated. Twenty percent used disposable email domains. The "growth" that justified your fundraising story was inflated by thousands of fake accounts. Your real user base is 40% smaller than you reported. Your unit economics are worse than you modeled. And you have burned $60,000-$100,000 in inference costs on accounts that never had any chance of converting.
This is not hypothetical. We have heard this exact story from multiple founders. One told us they discovered the problem only after their cloud bill tripled in a single quarter and their CFO started asking questions.
What to Do Right Now
If you have not audited your signup base for fraud, do it today. Export your last 90 days of signups and look for the red flags: disposable email domains, accounts that never activated, clusters of signups from the same IP range, usernames that look algorithmically generated. You will almost certainly find that 20-35% of your signups are junk.
Then do the math. Take the number of fake accounts, multiply by your average inference cost per user, add your ESP overhead, and estimate the engineering hours your team spends on cleanup. The total will be larger than you expect.
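A sketch of that audit and the inference part of the math, added here as an example (it is not BigShield's code and not part of the original article). The CSV column names, the three-entry disposable list, the /24 cluster threshold, the username heuristic, and the rule that an account needs two flags to count as suspect are all assumptions; the $0.02 per request is the article's working figure.

```python
import csv, io, ipaddress
from collections import Counter
# Constructed sample export; the column names are assumptions, not a real schema.
SAMPLE_CSV = """email,signup_ip,activated,requests_used
alice.martin@example.com,198.51.100.7,1,12
xk29fj3q8z@mailinator.com,203.0.113.10,0,50
q7w3r9t2y5@mailinator.com,203.0.113.44,0,50
bob@example.org,192.0.2.15,0,0
zzp4k8m1v6@example.net,203.0.113.91,1,50
carol.diaz@example.com,203.0.113.200,1,3
"""

# Illustrative entries only; a real audit needs a maintained disposable-domain list.
DISPOSABLE = {"mailinator.com", "guerrillamail.com", "10minutemail.com"}
CLUSTER_MIN = 3  # signups sharing one range before it counts as a cluster

def subnet(ip):
    # Group IPv4 by /24 and IPv6 by /64 so neighbouring addresses cluster together.
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 64
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def looks_generated(local):
    # Crude heuristic: long local part that is digit-heavy or nearly vowel-free.
    if len(local) < 8:
        return False
    digits = sum(c.isdigit() for c in local) / len(local)
    vowels = sum(c in "aeiou" for c in local.lower()) / len(local)
    return digits >= 0.3 or vowels < 0.15

def audit(csv_text, cost_per_request=0.02, min_flags=2):
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    per_subnet = Counter(subnet(r["signup_ip"]) for r in rows)
    suspects, wasted = {}, 0.0
    for r in rows:
        local, _, domain = r["email"].rpartition("@")
        checks = {
            "disposable_domain": domain.lower() in DISPOSABLE,
            "never_activated": r["activated"] == "0",
            "ip_cluster": per_subnet[subnet(r["signup_ip"])] >= CLUSTER_MIN,
            "generated_username": looks_generated(local),
        }
        flags = [name for name, hit in checks.items() if hit]
        if len(flags) >= min_flags:  # one flag alone is too noisy to act on
            suspects[r["email"]] = flags
            wasted += int(r["requests_used"]) * cost_per_request
    return suspects, round(wasted, 2)

if __name__ == "__main__":
    print(audit(SAMPLE_CSV))
```

Requiring two flags keeps the unactivated but otherwise ordinary account and the real user who shares an IP range with the bots out of the suspect list; tune `min_flags` and `CLUSTER_MIN` against accounts you have already confirmed as fake.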
BigShield's free tier gives you 1,500 validations per month. That is enough to validate two months of signups for a smaller app, or run a meaningful test on a portion of your traffic. If the results show what we typically see, the $29/month Starter plan will pay for itself within the first week.
The math on this is not close. Spending pennies per validation to save dollars per fake account is one of the highest-ROI investments an AI startup can make. Every month you wait is another $5,000-$15,000 in preventable losses. Your free tier should be acquiring real users, not funding bot operators.