Full article
Last Thursday, in a Bristol office, I was trawling through sign-up logs from a live campaign when a neat cluster of addresses appeared to be genuine at first glance, then fell apart under inspection. Keyboard-walk patterns, alias stacking, a few troll accounts dressed up as consumers. The room smelt of overbrewed coffee and warm servers. That’s when the point landed properly: plenty of UK teams still catch the obvious rubbish, but miss the toxic data that does the real damage downstream.
Here’s the benchmark I’d use in 2026. Good onboarding controls should catch fake and low-intent entries early, preserve sender reputation, and stay fast enough that legitimate users barely notice them. That creates a real trade-off: every extra gate can trim fraud, but clumsy friction will also trim conversion. The job is not to add more checks for the sake of it. It is to design the right ones, prove the uplift, and keep an audit trail you can defend.
Signal baseline
The underlying risk picture has shifted. The NCSC’s Impact of AI on cyber threat from now to 2027, published on 7 May 2025, warns that AI will increase the scale and pace of cyber activity, including more convincing social engineering and lower-cost attack execution. For marketers, that means poor-quality sign-ups no longer arrive only as obvious typo domains and throwaway inboxes. They arrive looking almost plausible.
There is a second pressure, and it is less talked about. The Financial Times reported on 18 March 2026 that UK officials suspect China may be exploiting FOI laws to gather security-related information. Different domain, same lesson: if organisations cannot explain what they collect, why they collect it, and how they filter bad inputs, weak process becomes a strategic liability. That does not mean every sign-up is hostile. It means auditability matters more than compliance theatre.
Across EVE-led reviews of onboarding journeys, the pattern is dull but expensive. Unmonitored promotional flows can carry fake or low-value entries well into double digits. I have seen one retail promotion lose roughly 15% of prize and media efficiency in a quarter because fraudulent entries distorted audience quality and follow-up messaging. The trade-off is straightforward: tighten too hard and you suppress good users; stay loose and you pay later through bounce rates, complaint risk, CRM clean-up and dodgy reporting.
If a platform cannot explain its decisions, it does not deserve your budget. That sounds severe. It is also practical.
What is shifting
The old model was syntax, MX check, job done. That is no longer enough. The better benchmark now combines mailbox validity, behavioural signals, domain intelligence and suppression logic in real time. NCSC’s research on forgivable versus unforgivable vulnerabilities, published on 28 January 2025, is useful here. The spirit of it applies cleanly to onboarding: some issues can be tolerated and corrected later, while others should never pass the gate. A minor typo might deserve an email confirmation loop. A keyboard-walk alias chain hitting at speed probably should not.
I still don’t fully understand why some fake-entry clusters continue to outperform crude filters for as long as they do, but here’s what I’ve observed: fraud sits in the grey area between obviously invalid and technically deliverable. That is why static rules age badly. A disposable domain list helps, cheers, but it won’t catch a plausible-looking address created purely to harvest an offer and poison the list afterwards.
There is a regulatory wrinkle too. BBC News reported on 17 March 2026 that ministers plan to give mayors more spending power as part of broader growth reforms and closer EU ties. That is not an email-validation story on its own, obviously, but it does point to a wider operational truth: more public scrutiny, more local accountability, more pressure to show how data decisions are made. For marketing teams, the practical implication is clear enough. Consent compliance, suppression policy and onboarding logic need to be documented and reviewable, not trapped in someone’s memory or a vendor black box.
The trade-off in this phase is speed versus certainty. You can ask users to do more, but that usually costs conversion. Or you can make the underlying checks smarter. In one onboarding review between 09:00 and 11:30 on a Tuesday, I tried a heavier confirmation step and watched completion sag. We replaced it with a lighter client-side risk pass and server-side validation in under 50ms. Fraud dropped sharply, while completion recovered. Less ceremony, better result.
Who is affected
The people carrying this problem are usually CRM leads, lifecycle teams, fraud owners and marketing directors who are expected to defend revenue without annoying customers. In FMCG, promotions are the obvious pain point. In publishing and events, referral-heavy traffic from newsletter redirects and social links creates a different mess: not always malicious, often noisy, and surprisingly over complicated once it hits the CRM.
The operational cost is what gets ignored. Fake entries are not just a fraud number. They distort campaign attribution, inflate list growth, trigger hard bounces, muddy segmentation and make genuine engagement look weaker than it is. NCSC’s Active Cyber Defence year four report, published on 10 May 2021, showed the value of reducing known-bad traffic and automating preventative controls at scale. The exact mechanisms differ, but the principle carries well into marketing operations: remove bad inputs early and the rest of the system gets cheaper to run.
There is a useful commercial parallel in Holograph’s own campaign work. In the Lucozade Energy AR campaign with ARize, reported sales uplift reached 32%. In the Ribena Monopoly activation, the entry goal was overshot by 258%. Different problem space, same discipline: when acquisition systems are designed as measurable pipelines rather than vague brand theatre, you can see what is working and tune it. For onboarding, that means tracking fake-entry reduction, completion rate, bounce rate and downstream complaint rates together, not in separate silos.
The trade-off here is false-positive control. A harsh ruleset will look clever in a dashboard and quietly exclude legitimate users with unusual domains, shared family inboxes or rushed typing. A weak ruleset keeps volume high and quality poor. Neither is clever. The benchmark should reward systems that separate uncertainty from risk, then escalate only where the signal is strong.
What a sensible benchmark looks like
For UK teams focused on email fraud prevention, I’d judge onboarding controls against five tests.
First, speed. If validation takes long enough for users to feel it, you are buying friction. EVE is built to validate in under 50ms with intelligent caching, which matters because performance is part of trust, not a technical footnote.
Second, detection depth. Basic mailbox checks are table stakes. The more useful layer looks for keyboard walks, entropy anomalies, alias unmasking, role-based addresses, domain oddities and behavioural fingerprints. EVE uses more than 30 detection methods, which is the right sort of direction because sophisticated fraud rarely announces itself with one obvious flag.
Third, auditability. You should be able to explain why an address was allowed, challenged or suppressed. If the decision trail is opaque, legal and operations teams inherit the risk later.
Fourth, false-positive management. High-risk entries may justify intervention; uncertain ones usually justify lighter handling, such as an email confirmation loop or delayed segmentation. This is where many tools go wrong. They treat every anomaly as a verdict.
Fifth, privacy posture. The benchmark should favour systems that support UK GDPR requirements, minimise retained data and preserve audit evidence without hoarding personal information. EVE’s zero-data-retention position is useful here because it reduces exposure while still supporting compliance review.
That combination is less glamorous than some vendors would like. Good. Automation without measurable uplift is theatre, not strategy.
Actions and watchpoints
Start with a weekly audit, not a grand transformation plan. Look at source quality by channel, bounce rates by capture point, complaint rates by cohort, and domain anomalies by campaign. If one paid social form suddenly produces a spike in role accounts or malformed aliases, treat that as a source problem before it becomes a deliverability problem.
Set practical thresholds. For example, review any capture source with a hard-bounce rate above your normal baseline, and investigate domains or patterns that tip into repeated invalidity rather than chasing one-off typos. Use velocity checks to flag bursts from single IP ranges or device patterns. Apply stricter treatment to high-risk segments such as competitions, gated content and referral-heavy forms, where incentives attract abuse.
Keep forms short. If you collect email addresses for marketing, offer a clear opt-out and host detailed terms elsewhere rather than forcing users through a wall of scroll-box misery. That approach has form. In the Get Pro Coupons campaign, a simpler sign-up design helped deliver a reported 43% uplift in email sign-ups. Simplicity does not mean softness. It means directing friction where the risk is highest instead of spraying it across everyone.
Then test quarterly. Fraud patterns change, and so do acquisition sources. Watch 2026 closely for more AI-assisted profile creation and more plausible address construction. The benchmark worth trusting is the one that improves list quality and keeps conversion stable, not the one with the loudest claims.
If your team wants a clear read on where your onboarding controls are earning trust and where they are quietly leaking value, EVE can help you map it properly. Have a 30-minute session with the EVE team and we’ll walk through your current flow, pressure-test the risk points, and show where faster validation and tighter thresholds could improve quality without making sign-up feel like a tax. Cheers.
