In a recent tutorial, we showed you how to build an IP-based threat detection system using IPStack’s security module (You can watch the step-by-step youtube video here)
In this article, we’ll build on that lesson by incorporating real-time alerts that let you know when a suspicious IP address attempts to access your site.
Fraud detection is critical for securing your user-facing services. Whether it’s detecting bots on your signup page or securing online transactions through a payment system, you need to know that the users accessing your endpoints are acting in good faith.
Table of Contents
✅ You Will Learn
- How to monitor IP threats using IPStack’s Security Module
- How to build a real-time fraud scoring system in Node.js
- How to configure Novu to send email alerts
- How to trigger alerts only for high-risk traffic
- How to secure your frontend against malicious IPs
- How to integrate APIs like IPStack + Novu in production
Build a Real-Time Fraud Detection System with IPstack
We covered the implementation of the malicious IP address detection system itself in a previous article. If you haven’t read that yet, check it out here to brush up or give it a go before you move on. In the previous article, you’ll learn how to get started with IPstack, how to enable their advanced security module, how to send and receive requests from the API to perform IP lookup, and how to create a fraud-scoring algorithm that assesses the risk of a given IP.
This article will focus primarily on the notification side of the implementation.
This real-time IP monitoring tutorial assumes familiarity with React and APIs. If you need to brush up on React before starting, check the docs. If you’re unfamiliar with what an API is, have a look at APILayer’s overview.
Recap
To quickly recap, here are the steps we outlined in that article on how to build real-time fraud monitoring with the IPstack threat-detection API.
Step One: Set Up IPstack with Security Features
IPstack is an IP geolocation API with security features that provides accurate and reliable geolocation data for any IP address, in JSON format, via secure HTTPS network calls. We enabled their advanced security module by signing up for the Professional Plus Plan.
Step Two: Decide on an IP Risk Scoring Algorithm
Using data from the API, we figured out a scoring system to determine whether the IP address was high risk, medium, or low risk. The thresholds we set depended on the level of risk we were comfortable with for our business.
Feature | Risk Indicator | Risk Score |
is_proxy | true | +15 |
proxy_level | elite | +15 |
proxy_level | anonymous/distorting | +10 |
proxy_level | transparent | +5 |
proxy_type | Tor | +20 |
proxy_type | SOCKS, Web, Privacy Proxy | +10 |
is_tor | true | +20 |
is_crawler | true | +15 (unless known benign crawler) |
crawler_type | malicious or unknown | +10 |
threat_level | high | +25 |
threat_level | medium | +15 |
threat_level | low | +5 |
threat_types | includes attack, malware, fraud | +20 |
anonymizer_status | Active | +15 |
anonymizer_status | Suspect | +10 |
anonymizer_status | Inactive | +5 |
anonymizer_status | Private | +10 |
proxy_last_detected | within last 30 days | +10 |
vpn_service | known VPN provider | +10 |
hosting_facility | true | +10 |
Step Three:
Implement Real-Time Detection
We built a route in our back end to grab the IP address from each incoming request. In the article, we walked through a basic implementation of this on a Node.js back end.
Step Four: Set Up a Reverse Proxy with Nginx (Development Only)
The IP address we got from our local browser in development mode was ::1, the IPv6 address for the localhost, which we can’t send to IPstack because it isn’t a public IP address. We simulated a production environment by setting up a reverse proxy with Nginx.
Step Five: Send the IP Address to IPstack
Once we had the IP address from the incoming request, we forwarded it to IPstack, appending the IP address and the &security=1 flag to the parameters, so IPstack could perform IP lookup on the address and send us back data about the IP.
Step Six: Write a Risk Assessment Algorithm
We created a risk assessment algorithm in a module on our backend using the weights we determined earlier in step two and used this algorithm to evaluate the data returned to us by the IPstack security API. Based on the result of this algorithm, we were able to block suspicious IP addresses from progressing further in our signup flow.
Picking Up Where we Left Off
From here, we’re going to use Novu to trigger an email alert whenever our system detects a suspicious IP address. With just a few lines of code and some configuration, we can easily set up alerts to go to ourselves, or any other member of our team.
Step One: Set Up Novu for Real-Time IP Alerts
Novu is an open-source notification framework that allows you to create workflows to send messages in different formats, triggered by a single event. In this article, we’ll focus on an email alert, but you can also use it to trigger SMS messages, push notifications, in-app notifications, or messages to chat apps like Slack.
1. Create an Account
Sign up for a free 14-day trial that allows you unlimited access to all Novu’s features. Once your trial ends, you can move to the free tier, which allows you up to 30K events per month.
When you land on your dashboard, you’ll see links to workflows, subscribers, topics, API keys and documentation. Pretty much everything we need to do with Novu for our real-time IP monitoring system can be done through the user interface here.
2. Update your Subscriber
Subscribers are users who will receive your email, SMS, etc. By default, Novu creates one for you when you sign up. Click on “Subscribers” and then edit the subscriber to add your name and email address.
If you need to add more team members to your alert system, you can create subscribers manually or via the API. Check the Novu docs for more.
3. Create a Workflow
Next, click on the “Workflows” tab to create your first workflow. A workflow is the series of messages that will be sent once the “workflow trigger” kicks everything off. The workflow is triggered by code in your app, using the Novu SDK (see next section.)
To create a workflow, just click to add which types of messages you’d like to be sent. We’re focusing on email for now, but here you could add a step to send an SMS, Slack notification, push notification, or in-app notification using Novu’s Inbox component.
We’ll use Novu’s built-in demo email provider, but you can also choose to hook up Mailgun, Sendgrid, Postmark, or your preferred email provider. If you choose to hook up SMS, you’ll need to select a provider such as Twilio, Plivo, or Telnyx. Likewise, hooking up “Chat” will require you to enter credentials for your Slack channel, Discord group, etc.
4. Edit the Email Template
Once you’ve added an “Email” step to your workflow, you’ll be prompted to customize the template. A simple editor allows you to enter whatever message you’d like your end user (in this case you) to receive.
By default, this email will be sent to the default subscriber we set up in the last step (you.) To change which subscribers receive this event, click “Step Conditions” and configure which subscribers should receive it.
5. Test the Workflow
We can test this workflow directly from the Novu UI, using the “Test Workflow” button on the Trigger tab. Clicking this should trigger an email to be sent to the email address you added to your subscriber in step 1.2. Novu outputs a log of the test into the UI.
Step Two: Connect Novu Alerts to Your Fraud Detection System
Once you’re set up with Novu, you can import their Node SDK into your IP geolocation backend using NPM or Yarn, and add the code snippet that triggers this workflow to run. Novu provides the code snippet under the “Trigger” tab of the “Workflows” screen, where you can also test the workflow once you get the code added to your app.
1. Install the Novu NodeJS SDK
Run the following command in the /server folder of your existing IPstack fraud detection app to install the dependency:
$ npm install @novu/api
You should now see the dependency in your package.json file.
2. Paste the Configuration Code
Open the project in your desired editor and navigate to the index.js file. Add the code to import and configure the app at the top
The code in your file will look like this:
const {Novu} = require('@novu/api')
...
const novu = new Novu({
secretKey: process.env['NOVU_SECRET_KEY']
});
3. Trigger the Workflow
We only want to send an email if a threat is detected, based on the data we receive from the IPstack threat detection API about the IP address of the incoming request to our frontend. We already wrote the algorithm that intakes the IPstack data and returns a fraud score, which tells us how risky we think the IP address is.
Based on this fraud score, we will decide whether or not we think it’s necessary to send an email alert. The code for that is simple and can be added right into the /api/fraud-score route we created in the previous tutorial:
app.get('/api/fraud-score', async (req, res) => {
const ip = req.ip;
const response = await fetch(BASE_URL + `/${ip}?access_key=${ACCESS_KEY}&security=1`);
const json = await response.json();
const fraudScore = calculateFraudScore(json);
// new code
if (fraudScore === 'High' || fraudScore === 'Moderate') {
novu.trigger({
workflowId: 'security-alert',
to: {
subscriberId: 'your Novu subscriber ID',
email: 'your email',
phone: '{{phone}}'
},
payload: {}
});
}
res.send(fraudScore);
})
The threshold you set to determine if you should trigger the Novu workflow will be something you need to decide with your own team.
Deploying Your Real-Time IP Alerting System
You now have a fully-functioning alert system that does IP lookup on the IP address of every incoming request to your front end, determines the threat-level of that IP address, based on data from the IPstack, API, and triggers an email alert to be sent to you if that threat-level meets a certain threshold.
Combined with proper email validation, and front-end security best practices, this is a great first step in protecting your user’s data and securing your web app against spam, bots, and malicious actors.
IPstack: A Powerful API for Fraud Detection
This article, in tandem with Building an IP-Based Fraud Detection System with IPstack’s Security Module should have given the basics on how to implement an IP fraud detection system using IP geolocation. Take your project to the next level by combining this back end with one of our simple front end tutorials!
FAQs
How do I detect fraud using an IP address?
By using services like IPstack’s Security Module, you can check for proxy use, VPNs, Tor activity, threat level, and anonymizers. These signals help determine if an incoming request may be fraudulent.
How does an IP address indicate fraud?
IPs can reveal use of proxies, VPNs, Tor networks, or hosting services—often used to mask identity or location. They can also originate from countries with known high levels of fraud, or indicate past incidents of fraud or abuse. Combined with threat intelligence, they help flag risky behavior.
How accurate is IP fraud detection?
It depends on the provider. Good IP intelligence sources update frequently and can spot threats within hours. But fraudsters rotate IPs fast, so detection has limits. IP-based fraud detection is a strong signal, but not the full picture. It works best when combined with device, behavioral, and transactional data. It’s important not to block solely based on an IP address without further context.
Can I receive real-time alerts for suspicious IP addresses?
Yes — this tutorial shows how to set up Novu to send email alerts whenever a high-risk IP is detected by your backend fraud scoring system.
How do I secure my API key when using IPstack?
Always call the IPstack API from your backend to keep your API key hidden. Never expose it in frontend code or static environments.
Can I block traffic based on IPstack data?
Yes — many developers use IPStack’s threat_level, is_proxy, and anonymizer_status fields to build risk thresholds that automatically deny access or flag a user for review.
