Residential proxies, VPNs, and Tor all change how a request appears to a destination service. They can support privacy, testing, security research, corporate access, and personal safety. They can also be used to hide automation, account abuse, scraping, fraud, or policy violations.
For defenders, the useful question is not "which one is bad?" It is: what does the signal mean for this request, this account, this route, and this business decision?
For a broader taxonomy, start with types of proxies.
A residential proxy routes traffic through an IP address associated with a consumer ISP, household, small office, or mobile network. The destination sees a residential or mobile-looking source rather than the original operator.
Residential proxies are difficult to handle because the same IP space can carry ordinary users and proxy traffic. A reputation database may not know that a fresh residential exit is active. A mobile carrier IP may be shared by many legitimate users through CGNAT.
That makes residential proxy detection a false-positive problem as much as a detection problem.
A VPN routes user traffic through a VPN provider or managed network. VPNs are common for privacy, travel, remote work, security, and network access control. Many legitimate users rely on them.
VPN exits are often easier to catalogue than residential proxy exits because many providers operate known infrastructure. IP intelligence can often identify VPN ranges, hosting networks, and historical reputation.
That does not mean every VPN request should be blocked. A VPN signal may be normal on a content page, suspicious on a payment recovery flow, and expected for an enterprise user. The policy should depend on route sensitivity and supporting evidence.
Tor is an anonymity network that routes traffic through relays and public exit nodes. Tor has legitimate privacy and safety uses, especially for users facing censorship, surveillance, or personal risk.
From a website security perspective, Tor exits are usually more visible than residential proxies because exit nodes are public. That visibility makes classification easier, but the decision still requires context. A Tor signal may justify extra friction on account changes or payments, but it does not prove fraud on its own.
| Signal | Residential proxy | VPN | Tor |
|---|---|---|---|
| Typical source | Consumer ISP, mobile carrier, household, small office | VPN provider or managed network | Public Tor exit node |
| Visibility | Often dynamic and hard to catalogue | Often known through provider ranges | Public exits are easier to list |
| False-positive risk | High on shared residential and mobile networks | Medium; many legitimate privacy and work uses | Medium; legitimate safety uses, but high-risk for some workflows |
| Best use in policy | Per-request evidence plus behaviour and account context | Risk context by route and account sensitivity | Strong context signal, not a standalone fraud verdict |
| Common abuse overlap | Credential stuffing, ad fraud, scraping, fake accounts, anti-detect browsers | Account abuse, scraping, payment risk, policy evasion | Anonymous abuse, spam, account attacks, sensitive workflow risk |
The main distinction is how stable and explainable the infrastructure is. VPN and Tor infrastructure is often more visible. Residential and mobile proxies borrow trust from ordinary user networks, so IP-only controls are less reliable.
A proxy label should feed a decision, not replace one.
Useful decision inputs include:
The same VPN or residential proxy signal can be harmless on a public article view and high risk on repeated login attempts. Bot management should combine the signals before choosing allow, log, challenge, rate limit, or block.
Residential proxy traffic usually needs the most careful false-positive handling because the source IP may be shared with real users who are not part of the proxy activity.
VPN traffic often calls for route-specific policy. A VPN may be fine for browsing but may require step-up verification for password reset, payment changes, or high-value account actions.
Tor traffic often receives stronger scrutiny on abuse-sensitive workflows because anonymity is the point of the network. Even then, teams should separate public content access from account, payment, signup, and administrative actions.
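The route-specific handling described above can be sketched as a small policy function. This is an added example, not Peakhour's implementation: the field names, route names, weights, and thresholds are assumptions, and the IP data is constructed from RFC 5737 documentation addresses.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample intelligence using RFC 5737 documentation addresses.
TOR_EXITS = {ipaddress.ip_address("192.0.2.10")}
VPN_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
# Assumed route sensitivity: 0 = public content, 3 = recovery and payment flows.
ROUTE_SENSITIVITY = {"article": 0, "login": 2, "password_reset": 3, "payment_change": 3}
LABEL_WEIGHT = {"none": 0, "vpn": 1, "residential_proxy": 1, "tor": 2}

@dataclass
class Request:
    ip: str
    route: str
    failed_logins_10m: int = 0         # behavioural evidence
    known_device: bool = False         # account context
    enterprise_vpn_user: bool = False  # VPN is expected for this account
    resi_proxy_evidence: bool = False  # per-request evidence, not an IP list

def classify(req):
    addr = ipaddress.ip_address(req.ip)
    if addr in TOR_EXITS:
        return "tor"
    if any(addr in net for net in VPN_RANGES):
        return "vpn"
    return "residential_proxy" if req.resi_proxy_evidence else "none"

def decide(req):
    """Return (label, action); action is allow, log, challenge, rate_limit or block."""
    label = classify(req)
    sensitivity = ROUTE_SENSITIVITY.get(req.route, 1)
    if sensitivity == 0:
        # Public content: record the label, add no friction.
        return label, ("allow" if label == "none" else "log")
    weight = 0 if (label == "vpn" and req.enterprise_vpn_user) else LABEL_WEIGHT[label]
    score = weight + sensitivity
    score += 2 if req.failed_logins_10m >= 5 else 0
    score -= 1 if req.known_device else 0
    if score <= 2:
        return label, "allow"
    if score == 3:
        return label, "log"
    if score <= 5:
        return label, "challenge"
    # Strong combined evidence. A residential exit may be shared with ordinary
    # users, so throttle instead of blocking the address outright.
    return label, ("rate_limit" if label == "residential_proxy" else "block")
```

The same VPN label yields `log` on an article view and `challenge` on a password reset, while a residential proxy label with repeated login failures is throttled instead of blocked.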
When deciding how to treat residential proxy, VPN, and Tor signals, ask:
This keeps the policy focused on risk. The goal is not to punish privacy tools or blindly trust residential-looking traffic. The goal is to match enforcement to evidence and user impact.
For consumer-network comparisons, see datacenter proxies vs residential proxies. For detection depth, see what is residential proxy detection.
© PEAKHOUR.IO PTY LTD 2025 ABN 76 619 930 826 All rights reserved.