Risk Signals

This reference documents all fraud risk signals detected by TrustGate, their severity, and recommended actions.

Signal Categories

Document Signals

Signals from document verification:

Signal	Severity	Description
document_tampered	Critical	Signs of physical or digital tampering
document_forged	Critical	Document appears to be fake
mrz_mismatch	High	MRZ data doesn't match visual zone
security_features_missing	High	Expected security features not found
document_expired	Medium	Document past expiration date
document_quality_poor	Low	Low image quality affects verification
document_type_mismatch	Medium	Document doesn't match claimed type
data_inconsistency	Medium	Data fields are inconsistent

Biometric Signals

Signals from biometric verification:

Signal	Severity	Description
face_mismatch	Critical	Face doesn't match document photo
liveness_failed	Critical	Failed liveness detection
deepfake_detected	Critical	AI-generated face detected
photo_of_photo	High	Selfie is a photo of a photo
screen_capture	High	Selfie taken from a screen
mask_detected	High	Face mask or covering detected
multiple_faces	Medium	Multiple faces in frame
face_partially_visible	Low	Face not fully visible

Device Signals

Signals from device intelligence:

Signal	Severity	Description
device_fraud_confirmed	Critical	Device linked to confirmed fraud
device_emulator	High	Virtual machine/emulator detected
device_rooted	Medium	Rooted Android device
device_jailbroken	Medium	Jailbroken iOS device
automation_detected	High	Browser automation tools
headless_browser	High	Headless browser detected
vpn_detected	Medium	VPN connection detected
tor_detected	High	Tor network detected
proxy_detected	Medium	Proxy server detected
datacenter_ip	Medium	IP from hosting provider

Email Signals

Signals from email verification:

Signal	Severity	Description
email_disposable	High	Disposable email service
email_fraud_domain	Critical	Domain associated with fraud
email_spam_trap	Critical	Known spam trap address
email_new_domain	Medium	Domain < 30 days old
email_invalid	High	Email doesn't exist
email_free_provider	Low	Free email (Gmail, etc.)
email_catch_all	Low	Domain accepts all addresses
email_role_account	Low	Generic address (info@, admin@)

Phone Signals

Signals from phone verification:

Signal	Severity	Description
phone_fraud_history	Critical	Phone linked to fraud
phone_voip	Medium	VoIP number detected
phone_virtual	High	Virtual phone service
phone_prepaid	Low	Prepaid SIM card
phone_ported_recently	Medium	Number ported in last 30 days
phone_sim_swap	High	Recent SIM swap detected
phone_invalid	High	Invalid phone number
phone_country_mismatch	Medium	Phone country differs from claimed

Velocity Signals

Signals from velocity checks:

Signal	Severity	Description
multiple_apps_same_device	High	3+ apps from same device
multiple_apps_same_ip	High	5+ apps from same IP
multiple_apps_same_email	High	Email used in multiple apps
multiple_apps_same_phone	High	Phone used in multiple apps
rapid_resubmission	Medium	Resubmitted within 24 hours
document_reused	High	Same document in multiple apps

Geographic Signals

Signals from location analysis:

Signal	Severity	Description
sanctioned_country	Critical	Sanctioned jurisdiction
high_risk_country	High	High-risk jurisdiction
ip_country_mismatch	Medium	IP location differs from claimed
timezone_mismatch	Low	Browser timezone mismatch
impossible_travel	High	Location change too fast

Behavioral Signals

Signals from behavior analysis:

Signal	Severity	Description
copy_paste_data	Low	Data was copy-pasted
rapid_form_fill	Medium	Form filled suspiciously fast
session_anomaly	Medium	Unusual session behavior
multiple_sessions	Low	Multiple concurrent sessions

Signal Response

Get All Signals for Applicant

curl -X GET "https://api.bytrustgate.com/v1/applicants/{applicant_id}/risk-signals" \
  -H "Authorization: Bearer YOUR_API_KEY"

Response

{
  "applicant_id": "550e8400-e29b-41d4-a716-446655440000",
  "signals": [
    {
      "signal": "vpn_detected",
      "category": "device",
      "severity": "medium",
      "detected_at": "2025-01-20T14:30:00Z",
      "details": {
        "vpn_provider": "NordVPN",
        "exit_country": "US"
      },
      "risk_contribution": 15
    },
    {
      "signal": "email_free_provider",
      "category": "email",
      "severity": "low",
      "detected_at": "2025-01-20T14:30:00Z",
      "details": {
        "provider": "gmail.com"
      },
      "risk_contribution": 5
    }
  ],
  "summary": {
    "total_signals": 2,
    "critical": 0,
    "high": 0,
    "medium": 1,
    "low": 1
  },
  "overall_risk_score": 35,
  "overall_risk_level": "medium"
}

Signal Weights Configuration

View Current Weights

curl -X GET "https://api.bytrustgate.com/v1/settings/risk-signals" \
  -H "Authorization: Bearer YOUR_API_KEY"

Update Signal Weights

curl -X PUT https://api.bytrustgate.com/v1/settings/risk-signals \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "signals": [
      {
        "signal": "vpn_detected",
        "enabled": true,
        "weight": 10,
        "severity": "low"
      },
      {
        "signal": "email_disposable",
        "enabled": true,
        "weight": 35,
        "severity": "high"
      }
    ]
  }'

Signal-Based Rules

Auto-Reject Critical Signals

curl -X POST https://api.bytrustgate.com/v1/workflows/rules \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "rule_id": "reject_critical_fraud",
    "trigger": "verification_complete",
    "conditions": {
      "any": [
        {"field": "signals.deepfake_detected", "operator": "eq", "value": true},
        {"field": "signals.document_forged", "operator": "eq", "value": true},
        {"field": "signals.device_fraud_confirmed", "operator": "eq", "value": true}
      ]
    },
    "actions": [
      {
        "type": "update_status",
        "status": "rejected",
        "reason": "Critical fraud signal detected"
      },
      {
        "type": "create_case",
        "case_type": "fraud",
        "priority": "critical"
      }
    ]
  }'

Escalate High-Severity Signals

curl -X POST https://api.bytrustgate.com/v1/workflows/rules \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "rule_id": "escalate_high_risk_signals",
    "trigger": "verification_complete",
    "conditions": {
      "all": [
        {"field": "signals.high_severity_count", "operator": "gte", "value": 2}
      ]
    },
    "actions": [
      {
        "type": "create_case",
        "case_type": "fraud",
        "priority": "high"
      },
      {
        "type": "assign_to",
        "team": "fraud_investigation"
      }
    ]
  }'

Signal Analytics

View Signal Distribution

curl -X GET "https://api.bytrustgate.com/v1/analytics/risk-signals?period=30d" \
  -H "Authorization: Bearer YOUR_API_KEY"

Response

{
  "period": "30d",
  "total_applicants": 10000,
  "applicants_with_signals": 3500,
  "signal_frequency": {
    "email_free_provider": 2800,
    "vpn_detected": 450,
    "phone_voip": 320,
    "document_quality_poor": 280,
    "email_disposable": 150,
    "deepfake_detected": 12
  },
  "top_signal_combinations": [
    {
      "signals": ["vpn_detected", "email_disposable"],
      "count": 45,
      "fraud_rate": 0.82
    },
    {
      "signals": ["device_emulator", "rapid_form_fill"],
      "count": 28,
      "fraud_rate": 0.89
    }
  ]
}

Signal Correlation

High-Risk Combinations

These signal combinations indicate high fraud probability:

Combination	Fraud Probability
deepfake_detected + any	95%+
document_tampered + face_mismatch	90%+
device_emulator + vpn_detected	85%+
email_disposable + phone_virtual	75%+
multiple_apps_same_device + rapid_resubmission	70%+

---

Next Steps

• About Fraud Prevention - Overview
• Device Intelligence - Device signals detail
• Workflow Rules - Automate responses