Risk data
Along with a Trust/Allow/Challenge/Deny recommendation and risk score, a complete recommendation record includes extended data explaining why a specific recommendation was issued in response to the action and what was taken into account during risk assessment.
Context
The context identifies the environment and the setup in which the action occurred, for example, the browser name and version, application name, IP address and country, and other characteristics. The full name of the context entry includes the prefix `context`, for example, `context.browser_name`.
Context | Type | Description |
---|---|---|
action_id | Text (ID) | A unique string identifier for the action, generated when the action was initially reported. |
action_performed_at | Number (Time) | The Unix epoch timestamp (in milliseconds) indicating when the action was performed. |
action_result | Object (Categorical) | The outcome of the performed action, reported by the application after the recommendation is given. This result aids in future detection and analysis of user behavior. |
action_type | Categorical | The name of the action. If no custom action is defined, this will be the predefined category name; otherwise, it will be the custom action name. |
app_version | Text | The version number of the application in which the action occurred. |
application_id | Text (ID) | A unique identifier for the application associated with the action. |
application_name | Text | The name of the application where the action took place. |
browser_name | Text | The name of the browser used during the action. |
browser_version | Text | The version number of the browser used for the action. |
campaign_id | Text (ID) | A unique identifier for a fraud campaign, which is a series of actions occurring within a specific period, sharing common characteristics and associated with fraudulent or suspicious activity. |
claimed_user_id | Text | An opaque identifier of the claimed (unconfirmed) user within your system. |
client_id | Text (ID) | A unique identifier of the application client that reported this action. |
correlation_id | Text (ID) | A unique identifier used to link related events or actions across different systems or processes, ensuring traceability and consistency. |
device_fingerprint | Text | A unique identifier generated from various device attributes, used to recognize and track a specific device across sessions and interactions. |
device_id | Text (ID) | A unique identifier assigned to the device, used to distinguish it from other devices. |
device_languages | Array (Text) | The list of languages installed on the device. |
device_platform | Categorical | The platform type of the device, such as web or mobile. |
device_public_key | Text (ID) | The unique identifier derived from cryptographic binding of this device. |
device_timestamp | Number (Time) | The Unix epoch timestamp (in milliseconds) on the device when the action occurred. |
device_timezone | Text | A public cryptographic key associated with the device, used for reliable identification. |
fraud_ring_id | Text (ID) | Identifier associated with a group of fraudulent activities or entities that are linked together, helping to detect and prevent coordinated fraud efforts. |
ip | Text | The IP address from which the action was performed, used to identify the geographical location and network of the client device. |
ip_asn_id | Text | The unique identifier for the Autonomous System Number (ASN) associated with the IP address, representing the network's routing prefix. |
ip_asn_name | Text | The name of the organization or network provider that owns the ASN associated with the IP address. |
ip_country | Text | The country associated with the IP address, indicating the geographic location of the network. |
ip_domain | Text | The domain name associated with the IP address of the network connection. This domain name can provide additional context about the origin or hosting service of the IP address. |
ip_location_latitude | Number (Float) | The latitude coordinate of the geographic location associated with the IP address. |
ip_location_longitude | Number (Float) | The longitude coordinate of the geographic location associated with the IP address. |
ip_location_timezone | Text | The timezone of the geographic location associated with the IP address, reflecting the local time. |
ip_location_zip | Text | The ZIP or postal code of the geographic location associated with the IP address. |
ip_organization_name | Text | The name of the organization that owns or is associated with the IP address. |
ip_organization_type | Categorical | The type of organization associated with the IP address, such as an ISP, business, or educational institution. |
ip_region | Text | The region or state associated with the IP address, indicating the broader geographic area within the country. |
location | Text | The full URL of the webpage where the action occurred, or in the case of a native mobile app, the identifier for the specific screen or view where the action took place. |
os_name | Text | The name of the operating system running on the device at the time of the action. |
os_version | Text | The specific version of the operating system running on the device at the time of the action. |
sdk_version | Text | The version of the SDK (Software Development Kit) that is integrated into the application at the time of the action. |
user_agent | Text | Information about the device's browser and operating system, as provided by the user agent string from the browser’s navigator. |
user_id | Text (ID) | An opaque identifier of the user within your system. |
private_user_identifier | Text | An identifier of the user within your system, used internally to maintain user privacy. It is stored encrypted at rest; you can send this identifier as plain text. |
Risk signals
Risk signals provide insights on specific indicators that have been verified during the risk assessment. Below are some examples of risk signals that may be provided (which may change over time). The full name of the signal includes the prefix `risk_signals` and category, for example, `risk_signals.device.emulated` or `risk_signals.behavior.typing_velocity`. Since not every signal is applicable to each action and use case, risk signals can be set to `null`.
Behavior
Signal | Type | Description |
---|---|---|
input_method | Boolean | Identifies the method used for input in the context of the user action. Inconsistent or unexpected input methods for the context may indicate unusual behavior. |
minor_angles_ratio | Number (Float) | The percentage of minor-angle movements out of all movements in the context of the user action. High ratios might suggest careful, precise movements often seen in automation. |
movement_latency | Number (Float) | Measures the median delay of mouse or touchscreen movements, calculated as the time between each captured location change in milliseconds within the context of the user action. High latency might indicate the device is being controlled remotely. |
movement_velocity | Number (Float) | Measures the median speed of mouse or touchscreen movements in the context of the user action, calculated in pixels per millisecond. Extremely high or low speeds may indicate automated interactions or atypical user behavior. |
no_user_interaction | Boolean | A boolean flag indicating periods where there was no user interaction, such as no mouse movement before clicking. True value could indicate pre-scripted actions or lack of natural interaction. |
right_angles_ratio | Number (Float) | The ratio of right-angle movements out of all movements in the context of the user action. Unusually high ratios may indicate non-human interactions. |
straight_line_ratio | Number (Float) | The ratio of straight-line movements out of all movements in the context of the user action. High ratios could suggest automated or scripted behavior. |
typing_velocity | Number (Float) | Measures the user's typing speed in the context of the user action, calculated in characters per second. Extremely high speeds may suggest automated input or non-human typing patterns. |
corner_click | Boolean | Indicates whether there were multiple clicks on the corner of a button in the context of the user action. Corner clicks could indicate repetitive, automated clicking patterns. |
Device
Signal | Type | Description |
---|---|---|
accept_languages | Text | The Accept-Language header value sent by the device, which lists the preferred languages for content. This information supports and provides insights across behavior, device, and localization domains. |
available_storage | Number (Integer) | The amount of storage space currently available on the device, measured in bytes. This metric provides information on the device's storage capacity and supports insights into device usage and resource availability. |
battery_level | Number (Float) | The current battery level of the device, represented as a percentage. This signal provides information on the device's power status and can offer context related to device usage and behavior. |
core_number | Number (Integer) | The number of CPU cores available on the device. This information helps understand the device's processing capability and supports insights into device characteristics and authenticity. |
cpu_arch | Text | The architecture of the device's CPU. This information helps understand the device's processing capability and supports insights into device characteristics and authenticity. |
device_esim_usage | Boolean | Indicates whether the device is using an embedded SIM (eSIM) for connectivity. This signal provides information about the device's connectivity setup and supports insights into device configuration and network behavior. |
device_navigator_useragent | Text | The user-agent string reported by the Navigator object in JavaScript, detailing the browser and operating system information. |
device_timezone_offset | Number (Float) | The difference in minutes between the device's local time and Coordinated Universal Time (UTC). |
emulated | Boolean | Indicates whether the device is emulated. This signal helps identify if the device is a virtual or simulated environment, providing context on potential discrepancies in device behavior or authenticity. |
font_count | Number (Integer) | Represents the number of fonts used in the website where the action occurred. |
graphic_card | Text | Provides the name of the device's graphic card as reported by the web or mobile platform. |
incognito | Boolean | Indicates whether the action was performed using incognito browsing. |
mobile_network_code | Number | Represents the Mobile Network Code (MNC) of the device's carrier. |
model | Text | Specifies the model of the device being used. |
ram | Number (Float) | The amount of memory available on the device, expressed as a floating-point number. |
screen_avail_height | Number (Integer) | Represents the available height of the screen in pixels when performing the action. |
screen_avail_width | Number (Integer) | Represents the available width of the screen in pixels when performing the action. |
screen_height | Number (Integer) | Specifies the total height of the screen in pixels when performing the action. |
screen_width | Number (Integer) | Specifies the total width of the screen in pixels when performing the action. |
spoofed | Boolean | Indicates whether the device's attributes or identity have been altered or falsified. This signal helps determine if the device's characteristics are being manipulated. |
tampered | Boolean | Indicates if the device has been tampered with, such as through rooting or jailbreaking. This signal helps assess the device's integrity and potential security risks. |
total_storage | Number (Integer) | The total storage capacity of the device, as reported by the mobile platform. |
tz_mismatch | Boolean | Indicates if the device's timezone differs from the expected timezone. |
History
Signal | Type | Description |
---|---|---|
device_action_rate_60_sec | Number (Float) | The number of actions performed from the device within the past 60 seconds. This metric helps identify unusual activity patterns or potential automation. |
ip_action_rate_60_sec | Number (Float) | The number of actions originating from the IP address within the past 60 seconds. High rates may indicate rapid or automated actions from a single IP. |
ip_device_count_last_hour | Number (Integer) | The number of unique devices associated with the same IP address within the past hour. This signal helps assess the diversity of devices using a specific IP. |
ip_user_count_last_hour | Number (Integer) | The number of unique user IDs associated with the same IP address within the past hour. This metric helps identify potential shared or compromised IPs. |
linking_device_to_users_count | Number (Integer) | The total number of unique user IDs associated with a specific device. This metric helps understand how many different users have been linked to a single device. |
linking_user_to_device_count | Number (Integer) | The total number of unique devices associated with a specific user ID. This metric helps understand how many different devices a single user has been linked to. |
user_action_rate_60_sec | Number (Float) | The number of actions performed by the user ID within 60 seconds prior to the current action. This metric helps assess the frequency of user activity and can indicate unusual behavior patterns. |
user_login_count | Number (Integer) | The total number of login attempts or sessions associated with a specific user ID over time. This signal helps track user activity levels and identify patterns of repeated or suspicious logins. |
Network
Signal | Type | Description |
---|---|---|
anonymizer | Boolean | Indicates whether the network connection is through an anonymizer service, which hides the user's true IP address and identity. This signal helps identify potential attempts to obscure or mask user activity. |
ip_x_forwarded_for | Text | A set of IP addresses showing the sequence of proxy servers used to route the request, revealing the original client IP. |
proxy | Boolean | Indicates whether the network connection is through a proxy server. Proxy connections can mask the user's IP address and may be used to bypass restrictions or hide the user's true location. |
tor | Boolean | Indicates whether the network connection is routed through the Tor network. Tor is used to anonymize user activity by routing connections through multiple nodes, which can obscure the user's IP address and location. |
vpn | Boolean | Indicates whether the network connection is through a Virtual Private Network (VPN). VPNs encrypt user traffic and mask the IP address, which can be used to mask geographical location. |
hosting | Boolean | Indicates whether the network connection is associated with a hosting provider. Hosting connections can be used for various services, including websites and applications, and may be used to obscure the user's true location or identity. |
device_true_useragent | Text | A user agent string that is derived from client hints to provide more accurate browser and device information during user actions. It offers improved visibility into the actual user environment, helping to identify discrepancies or potential spoofing attempts. |
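
The following is an added example, not code from the Mosaic documentation or SDK. It flattens a recommendation record into the dotted `context.*` and `risk_signals.<category>.*` names described above and reads boolean signals as tri-state, so that `null` (not evaluated) is never treated as `false`. The JSON nesting, the sample values and all function names are assumptions constructed for illustration.

```python
import json

# Constructed sample record. The nesting (context / risk_signals.<category>)
# is an assumption inferred from the dotted names used on this page.
SAMPLE_RECORD = json.loads("""
{
  "context": {
    "action_id": "example-action-0001",
    "action_type": "login",
    "browser_name": "Chrome",
    "ip_country": "US",
    "action_performed_at": 1700000000000,
    "device_timestamp": 1700000004500
  },
  "risk_signals": {
    "device": {"emulated": false, "tampered": null, "tz_mismatch": true},
    "behavior": {"typing_velocity": 4.2, "no_user_interaction": null},
    "network": {"anonymizer": null, "proxy": false, "tor": null, "vpn": true}
  }
}
""")

# Boolean network signals from the Network table that indicate IP masking.
MASKING_SIGNALS = ("anonymizer", "proxy", "tor", "vpn")


def flatten(record):
    """Return {dotted_name: value} for context.* and risk_signals.<category>.*"""
    flat = {}
    for key, value in (record.get("context") or {}).items():
        flat[f"context.{key}"] = value
    for category, signals in (record.get("risk_signals") or {}).items():
        for name, value in (signals or {}).items():
            flat[f"risk_signals.{category}.{name}"] = value
    return flat


def signal_state(flat, name):
    """Tri-state read of a boolean signal: 'set', 'clear' or 'not_evaluated'.

    A signal that is null or absent was not evaluated for this action; it
    must not be reported as 'clear'.
    """
    value = flat.get(name)
    if value is None:
        return "not_evaluated"
    if not isinstance(value, bool):
        raise TypeError(f"{name} is not a boolean signal: {value!r}")
    return "set" if value else "clear"


def network_masking(flat):
    """Summarise the masking signals without collapsing null into false."""
    states = {
        s: signal_state(flat, f"risk_signals.network.{s}") for s in MASKING_SIGNALS
    }
    hits = sorted(s for s, st in states.items() if st == "set")
    unknown = sorted(s for s, st in states.items() if st == "not_evaluated")
    if hits:
        verdict = "masked"
    elif unknown:
        verdict = "inconclusive"  # nothing set, but not everything was checked
    else:
        verdict = "clear"
    return {"verdict": verdict, "hits": hits, "not_evaluated": unknown}


def clock_skew_ms(flat):
    """device_timestamp minus action_performed_at; both are epoch milliseconds."""
    device = flat.get("context.device_timestamp")
    performed = flat.get("context.action_performed_at")
    if device is None or performed is None:
        return None
    return device - performed


if __name__ == "__main__":
    flat = flatten(SAMPLE_RECORD)
    for name in sorted(flat):
        print(f"{name} = {flat[name]!r}")
    print(network_masking(flat))
    print("clock skew (ms):", clock_skew_ms(flat))
```
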
Transaction data
The transaction data object contains additional details related to the transaction involved in the action, including details such as the amount, currency, and participants. This information helps in analyzing the context and impact of the transaction. The `transaction_data` is returned as an object (categorical).
Threats
`Threats` is an array of categorical values representing identified potential risks or malicious activities associated with a user action.
Reasons
The calculation of the risk score also relies on the combination of reasons that contribute to the risk assessment. You can fine-tune the weight allocated to each reason in this calculation (see Fine-tune detection sensitivity).
Below are some examples of reasons that may be provided (which may change over time). The prefix of the reason indicates the category of reason, and not every reason is applicable to each action and use case. The reasons are relevant for all platforms (Web, Android, iOS) unless stated otherwise.
As fraud analysts review actions and entities, labeling them as legitimate or fraudulent, Mosaic incorporates these labels into future risk assessments. Historical labeling decisions are explicitly reflected through dedicated label-driven reason codes. To learn more, see Label-driven reasons.
Activity
Reason | Description |
---|---|
ACTION_IS_LEGIT | The user's action appears legitimate. |
ACTION_IS_SUSPECTED_FRAUD | This action is assumed to be fraudulent with high confidence, most commonly in new account fraud (NAF) or account takeover (ATO). |
DEVICE_INCOGNITO_BROWSER | Indicates usage of an incognito browsing session. |
DEVICE_PRIVATE_BROWSER | Indicates usage of a private browser. |
DEVICE_FAILED_LOGIN_VELOCITY | Indicates a high rate of failed login attempts on the same device in a short period of time (may be across multiple user accounts). |
PROFILE_DEVICE_HIGH_VELOCITY | Indicates an abnormally high number of events occurring from multiple devices connecting to a single, likely breached, user profile in a short period of time. |
DEVICE_BROWSER_DOWNGRADE | Indicates a security risk where the browser was intentionally downgraded, potentially to exploit vulnerabilities or as a result of cookie hijacking. |
DEVICE_OS_DOWNGRADE | Indicates a security risk where the OS was intentionally downgraded, potentially to exploit vulnerabilities or as a result of cookie hijacking. |
DEVICE_SCREEN_OVERLAY_DETECTED | Indicates the presence of a screen overlay, which could be used by malicious applications to intercept or alter screen content. |
DEVICE_ACTIVE_CALL_DETECTED | Indicates that an active call is detected on the device while the user is interacting with the app. |
PROFILE_DEVICE_VELOCITY | Indicates an abnormal rate of events coming from multiple devices connecting to a single, likely breached, user profile in a short period of time. |
PROFILE_TRUSTED | The user's action appears legitimate considering historical user profile and activity. |
USER_TRUSTED | The user profile has previously been listed with a high reputation by Mosaic. |
PROFILE_RISKY_REPUTATION | Indicates that this user profile has been previously associated with fraudulent activity. |
DEVICE_TRUSTED | The device appears legitimate considering its historical activity and reputation. |
Behavior
Reason | Description |
---|---|
BEHAVIOR_SUSPICIOUS_INPUT | Indicates suspicious user input before action is taken, such as no input at all or pasting only on account registration. |
BEHAVIOR_SUSPICIOUS_INPUT_PASTING | Indicates suspicious pasting of input by the user before taking action, on account registration or login. |
BEHAVIOR_SUSPICIOUS_NO_INPUT | Indicates no input before action is taken. |
BEHAVIOR_SUSPICIOUS_NO_MOVEMENT | Before clicking the mouse, there is no movement of the mouse. |
BEHAVIOR_SUSPICIOUS_LOW_MOVEMENT | Before clicking the mouse, there is a short movement of the mouse. |
DEVICE_ACTION_HIGH_VELOCITY | The number of events occurring from the same device within a short period of time is unusually high. |
DEVICE_ACTION_VELOCITY | Indicates an abnormal rate of events coming from the same device within a short period of time; these can be from multiple action types. |
DEVICE_ORIGIN_ANOMALY | Indicates browsing to an unknown, hence high risk, URL address. Commonly associated with phishing website activity. |
DEVICE_PAYEE_HIGH_VELOCITY | In a short period of time, this device processed payments to an unusually high number of different payees. |
DEVICE_PAYER_HIGH_VELOCITY | An unusually high number of users used this device to make payments in a short period of time. |
DEVICE_PROFILE_VELOCITY | Indicates an abnormal rate of events coming from the same device; these could be across multiple user accounts. |
DEVICE_PROFILE_HIGH_VELOCITY | Indicates an abnormally high rate of events occurring on the same device in a short period of time (may be across multiple user accounts). |
IP_PROFILE_VELOCITY | Indicates an abnormal rate of events coming from the same user and IP in a short period of time. |
PROFILE_ACTION_HIGH_VELOCITY | Indicates an abnormally high number of events occurring within a short period of time in the same user profile. |
PROFILE_ACTIVITY_ANOMALY | The user activity is considered anomalous for the user’s profile. |
PROFILE_FAMILIAR | A previously established user profile aligns with the observed behavior of the user. |
USER_PROFILE_ANOMALY | Indicates there has been anomalous behavior compared to the user's historical profile. |
Bot
Reason | Description |
---|---|
BEHAVIOR_BOT_BY_TYPING | Indicates the user's typing matches known bot and automated tool typing patterns. |
BEHAVIOR_BOT_BY_MOVEMENT | Indicates a straight line mouse movement pattern that is commonly associated with bots and automated tools. |
BEHAVIOR_INHUMAN_FAST_CLICK | A fast clicking speed between mouse up and down actions indicates a non-human interaction. |
BEHAVIOR_INHUMAN_FAST_INPUT | A fast typing speed between typing actions indicates a non-human interaction. |
BEHAVIOR_INHUMAN_INPUT | Indicates a non-human interaction has been detected due to very low variance between typing actions. |
DEVICE_BOT | Indicates bot activity, such as use of a headless web browser or automated interactions. |
DEVICE_PLATFORM_AUTOMATION | Indicates an automation framework was detected on the device, such as Appium. |
DEVICE_SUSPECTED_BOT | The activity is assumed, with high probability, to originate from a bot or an automated tool. |
DEVICE_SUSPICIOUS_BROWSER_FINGERPRINT | Indicates a suspicious device fingerprint that has previously been associated with automated tools. |
DEVICE_SUSPICIOUS_USERAGENT | Indicates that a user agent is associated with an automated tool that is likely to be utilized by a bot. |
GOOD_BOT | Indicates legitimate traffic originating from good bots. |
Device
Reason | Description |
---|---|
DEVICE_COOKIE_REUSED | Indicates cookie hijacking as an identical device ID was sent from more than one device. |
DEVICE_DEBUG_MODE | Indicates the use of debug mode on the device. |
DEVICE_EMULATED_GPU | Indicates suspicious graphical card attributes have been detected by either emulation or generation. |
DEVICE_EMULATOR_BY_BATTERY | The battery attribute indicates that a device emulator is being used. |
DEVICE_EMULATOR_BY_METADATA | Based on the metadata attribute, indicates that a device emulator is being used. |
DEVICE_EMULATOR | Indicates that a device emulator is being used, such as unexpected mobile attributes or the browser attributes do not match the device's OS. |
DEVICE_HISTORY_SUSPICIOUS_FINGERPRINT | Indicates use of a device fingerprint that was associated with a fraudulent activity in the past. |
DEVICE_MALWARE_DETECTED | (Android only) Indicates that dangerous apps are installed on the device. |
DEVICE_NEW | A new device that our system detected for the first time. |
DEVICE_OLD_VERSION | An old (between 365 and 730 days), less secure browser version is being used. |
DEVICE_VERY_OLD_VERSION | A very old (version is older than 730 days), insecure browser version is being used. |
DEVICE_PLATFORM_ANOMALY | Unexpected platform attributes were reported by the device, which may indicate possible fraudulent activity. |
DEVICE_FONTS_PLATFORM_ANOMALY | The device reported unexpected fonts, which may indicate spoofing. |
DEVICE_AUDIO_PLATFORM_ANOMALY | The device reported an unexpected audio fingerprint attribute, which may indicate fraud. |
DEVICE_RISKY_REPUTATION | Indicates a device that has previously been associated with fraud. |
DEVICE_ROOTED | (iOS and Android only) Indicates an unlocked and jailbroken device. This introduces risk as it allows access to sensitive configuration. |
DEVICE_SPOOFED | The device is being spoofed (trying to hide its real identity), as indicated by the use of several models. |
DEVICE_SPOOFED_BY_USERAGENT | A modified user agent indicates that the device is being spoofed. |
DEVICE_SPOOFED_BY_CPU | A modified CPU indicates that the device is being spoofed. |
DEVICE_SUSPICIOUS_CPU_CORE | Indicates suspicious CPU attributes, such as an odd number of CPU cores while a power of 2 is expected. |
DEVICE_SUSPICIOUS_DISPLAY | Indicates suspicious device display settings related to resolution, color depth, or other attributes. |
DEVICE_SUSPICIOUS_FONT | This indicates suspicious fonts on the device. |
DEVICE_SUSPICIOUS_PLUGIN | This indicates that there are one or more suspicious plugins on the device. |
DEVICE_INVALID_SIM | Indicates the presence of an invalid SIM card installed on the device. |
DEVICE_SUSPICIOUS_PLATFORM_OS | Indicates that a suspicious device or operating system configuration has been detected, for example, if the operating system does not match the device's platform. |
DEVICE_SUSPICIOUS_PLATFORM_WEBGL | Indicates that a suspicious device or operating system configuration has been detected by WebGL. |
DEVICE_SUSPICIOUS_PLATFORM | Indicates a suspicious device or operating system configuration was detected, for example, uncommon device platform. |
DEVICE_TAKEOVER_BY_RDC | Indicates a device has been taken over and is being controlled remotely. |
DEVICE_TAMPERED | (iOS and Android only) Indicates a device's software or hardware has been modified, for example, cloning apps are deployed or a device has been rooted. |
DEVICE_VM | Indicates use of a VM based on the screen resolution. |
DEVICE_VM_BY_GPU | Indicates use of a VM, such as when an emulated GPU is detected or there is an odd number of device cores. |
DEVICE_VM_BY_FONTS | Based on fonts, indicates the use of a VM. |
PROFILE_DEVICE_ANOMALY | The device attributes are considered anomalous for the user’s profile. |
PROFILE_DEVICE_FAMILIAR | The device is considered to be familiar for this user profile. |
PROFILE_DEVICE_FAMILIAR_MODEL | The device model (for example, iPhone 13) is considered to be familiar, such as a new device that is the same model as a known previous device for this user. |
PROFILE_DEVICE_NEW | The device is considered to be new for this user profile. |
PROFILE_NEW_DEVICE_CRYPTO_KEY | The device is considered to be new for this user profile, based on cryptographic key data. |
PROFILE_DEVICE_FAMILIAR_CRYPTO_KEY | The device is considered to be familiar for this user profile, based on cryptographic key data. |
DEVICE_LIBRARY_INJECTION_DETECTED | Indicates that unauthorized libraries were injected into the app, potentially modifying its behavior or stealing data. |
DEVICE_UNTRUSTED_INSTALL_SOURCE_APK | Indicates that the app was installed from an untrusted source, increasing the risk of tampering or malware. |
DEVICE_UNTRUSTED_INSTALL_SOURCE_APPS | Indicates that other apps on the device were installed from untrusted sources, which may pose security risks. |
DEVICE_ACTIVE_CALL_DETECTED | Indicates that an active phone call is in progress, which could be used for social engineering or fraud. |
DEVICE_HISTORICAL_SCREEN_OVERLAY_DETECTED | Indicates that screen overlay was previously detected, which may have been used for phishing or fraud attempts. |
DEVICE_ACTIVE_SCREEN_OVERLAY_DETECTED | Indicates that a screen overlay is currently active, which could be masking the app for fraudulent activity. |
DEVICE_KEYBOARD_NOT_DEFAULT | Indicates that a non-default keyboard is being used, which may capture sensitive user input. |
DEVICE_DEVELOPER_TOOLS_ENABLED | Indicates that developer tools, such as debugging, are enabled, which may allow unauthorized app modifications. |
DEVICE_RAT_APP_DETECTED | Indicates that a remote access tool (RAT) or similar app is installed, which could be used for unauthorized control. |
DEVICE_SMS_SERVICE_APP_INSTALLED | Indicates that an app with SMS permissions is installed, which could intercept or manipulate messages. |
DEVICE_SCREEN_MIRROR_APP_INSTALLED | Indicates that a screen mirroring app is installed, which could be used to capture sensitive on-screen data. |
DEVICE_SCREEN_READER_APP_INSTALLED | Indicates that a screen reader app is installed, which could be used to extract app content. |
DEVICE_SCREENSHOT_DETECTED | Indicates that a screenshot was taken while the app was in use, potentially exposing sensitive information. |
Geolocation
Reason | Description |
---|---|
DEVICE_IMPOSSIBLE_TRAVEL | The device's location changed faster than possible, for example, a device is located in the UK 15 minutes after it was located in the US. |
DEVICE_SUSPICIOUS_IP_LANGUAGE | This indicates the device uses a language that doesn't match the primary device location (based on IP address). |
DEVICE_SUSPICIOUS_LANGUAGE | Indicates a device that uses an anomalous language, e.g., an uncommon language or one that was never seen before. |
DEVICE_SUSPICIOUS_TIMEZONE | Indicates a suspicious timezone since it doesn't match the application history. |
DEVICE_IP_TIMEZONE_MISMATCH | Indicates that the timezone of the device doesn't match the IP location. |
PROFILE_IMPOSSIBLE_TRAVEL | The user's location changed faster than possible, for example, a device is located in the UK 15 minutes after it was located in the US. |
PROFILE_LOCATION_ANOMALY | The user location is considered anomalous for the user’s profile. |
PROFILE_LOCATION_FAMILIAR | The user location is the same for more than 30 days. |
PROFILE_LOCATION_NEW | The device's location (determined by IP) is considered to be new. |
PROFILE_NEW_LANGUAGE | The user's language is considered to be new. |
Network
Reason | Description |
---|---|
DEVICE_SUSPICIOUS_NETWORK | Indicates suspicious network configuration on the browser or application, such as disabled WebRTC on browsers. |
IP_ACTION_HIGH_VELOCITY | The number of events occurring from the same IP address in a short time period is abnormally high. |
IP_ACTION_MEDIUM_VELOCITY | Indicates an abnormal rate of events occurring from the same IP address in a short period of time. |
IP_ACTION_VELOCITY | Indicates an abnormal rate of events coming from the same IP in a short period of time. |
IP_DEVICE_HIGH_VELOCITY | Indicates a high number of events occurring from the same IP address and device in a short period of time. |
IP_IS_BIZ | The originating IP is registered to a corporate organization. |
IP_IS_CORP | The originating IP is registered to a corporate organization. |
IP_IS_EDU | The originating IP is registered to an education organization. |
IP_IS_GOV | The originating IP is owned by a government organization. |
IP_IS_HOTEL | The originating IP is registered to a hotel. |
IP_IS_MIL | The originating IP is owned by a military organization. |
IP_IS_MUNI | The originating IP is registered to a municipal organization. |
IP_IS_PUBLIC | The originating IP is registered to a public organization. |
IP_IS_VPN | The originating IP is masked by a VPN. |
IP_PAYER_VELOCITY | The originating IP was used by an unusually high number of different users to make payments within a short period of time. |
IP_RISKY_ANONYMIZE | The originating IP is associated with a high risk network, such as proxy, VPN, TOR, anonymous networks, etc. |
IP_RISKY_REPUTATION | The originating IP is suspicious, such as use of the Tor network or IPs regarded as unsafe. |
IP_SUSPICIOUS_INFORMATION_BY_TENANT | Indicates suspicious IPs associated with a specific tenant. |
IP_TRUSTED | The originating IP has previously been listed with a high reputation by Mosaic. |
IP_HISTORICAL_BAD_REPUTATION | Indicates use of an IP address that was associated with suspicious activity in the past. |
IP_HISTORICAL_GOOD_REPUTATION | Indicates use of an IP address that was associated with trusted activity in the past. |
NETWORK_GOOD_REPUTATION | Indicates a high rate of TRUST per IP. |
PROFILE_IP_FAMILIAR | The originating IP is considered to be familiar for the user profile. |
PROFILE_NETWORK_ANOMALY | The user network is considered anomalous for the user’s profile. |
Transactions
Reason | Description |
---|---|
TRANSACTION_RISKY_BRANCH_PAYEE | The payee's bank branch is considered risky. |
TRANSACTION_RISKY_CRYPTO_PAYEE | The payee is associated with cryptocurrency transactions, which may carry increased risk. |
TRANSACTION_RISKY_FOREIGN_PAYEE | The payee is based in a foreign jurisdiction that is flagged for potential risks, such as fraud or regulatory non-compliance. |
TRANSACTION_RISKY_PAYEE | The payee's account is flagged due to patterns commonly associated with high-risk or fraudulent activity. |
Label-driven reasons
When a fraud analyst labels an action as legitimate or fraudulent, Mosaic immediately updates the reputation of the entities involved in that action—such as the device, IP address, or user.
If a new action involves one of those entities within the defined impact window, Mosaic may include a label-driven reason code in the recommendation. These reasons indicate that the entity was recently associated with a previously labeled action. They reflect customer-provided labels, not system-detected fraud patterns.
Reason codes follow the structure <ENTITY_TYPE>_<LABEL_TYPE>_LABEL_<TIMESPAN>, clearly identifying the type of entity, the label assigned, and how recent the label is.
For more about how labels work and affect recommendations, see our dedicated page.
Note
Analysts label actions—not specific entities. Mosaic automatically determines which entities are affected and for how long, and applies the appropriate reason code if one of those entities appears in a new action within the defined window.
Suspected fraud
Reason | Description |
---|---|
IP_SUSPECTED_FRAUD_ACTIVITY_LAST_HOUR | The originating IP has been involved in activities labeled as suspected fraud within the last hour, suggesting a recent association with potentially fraudulent activity. |
IP_SUSPECTED_FRAUD_ACTIVITY_LAST_WEEK | The originating IP has been involved in activities labeled as suspected fraud within the last week, indicating a continued or recent association with potentially fraudulent activity. |
DEVICE_SUSPECTED_FRAUD_ACTIVITY_LAST_DAY | The device has been involved in activities labeled as suspected fraud within the last 24 hours, suggesting recent association with potentially fraudulent behavior. |
DEVICE_SUSPECTED_FRAUD_ACTIVITY_LAST_WEEK | The device has been involved in activities labeled as suspected fraud within the last week, indicating ongoing or recent association with potentially fraudulent behavior. |
Confirmed fraud
Reason | Description |
---|---|
IP_CONFIRMED_FRAUD_ACTIVITY_LAST_HOUR | The originating IP has been involved in activities labeled as confirmed fraud within the last hour, indicating a recent association with fraudulent activity. |
IP_CONFIRMED_FRAUD_ACTIVITY_LAST_WEEK | The originating IP has been involved in activities labeled as confirmed fraud within the last week, suggesting a continued or recent association with fraudulent activity. |
DEVICE_CONFIRMED_FRAUD_ACTIVITY_LAST_DAY | The device has been involved in activities labeled as confirmed fraud within the last 24 hours, indicating a recent association with fraudulent behavior. |
DEVICE_CONFIRMED_FRAUD_ACTIVITY_LAST_WEEK | The device has been involved in activities labeled as confirmed fraud within the last week, suggesting ongoing or recent association with fraudulent behavior. |
DEVICE_CONFIRMED_FRAUD_ACTIVITY | The device has been involved in activities labeled as confirmed fraud in the past (more than a week ago), suggesting ongoing or recent association with fraudulent behavior. |
Confirmed legit
Reason | Description |
---|---|
IP_CONFIRMED_LEGIT_ACTIVITY_LAST_HOUR | The originating IP has been involved in activities labeled as confirmed legitimate within the last hour, indicating a recent association with legitimate activity. |
IP_CONFIRMED_LEGIT_ACTIVITY_LAST_WEEK | The originating IP has been involved in activities labeled as confirmed legitimate within the last week, suggesting an ongoing or recent association with legitimate activity. |
DEVICE_CONFIRMED_LEGIT_ACTIVITY_LAST_DAY | The device has been involved in activities labeled as confirmed legitimate within the last 24 hours, indicating a recent association with legitimate behavior. |
DEVICE_CONFIRMED_LEGIT_ACTIVITY_LAST_WEEK | The device has been involved in activities labeled as confirmed legitimate within the last week, suggesting ongoing or recent association with legitimate behavior. |
DEVICE_CONFIRMED_LEGIT_ACTIVITY | The device has been involved in activities labeled as confirmed legitimate in the past (more than a week ago), suggesting ongoing or recent association with legitimate behavior. |
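The following is an added example, not Mosaic code: it parses the label-driven reason codes as they are listed in the tables above, keeps the most recent window per entity and label, and flags entities that carry both a fraud and a legitimate label so an analyst can review them. The function names, the conflict check, and the sample list are assumptions made for illustration.

```python
import re

# Label-driven codes as listed in the tables above, e.g.
# IP_CONFIRMED_FRAUD_ACTIVITY_LAST_HOUR or DEVICE_CONFIRMED_LEGIT_ACTIVITY.
# The pattern accepts any entity/window combination of that form.
LABEL_REASON = re.compile(
    r"(?P<entity>IP|DEVICE)_"
    r"(?P<label>SUSPECTED_FRAUD|CONFIRMED_FRAUD|CONFIRMED_LEGIT)_ACTIVITY"
    r"(?:_LAST_(?P<window>HOUR|DAY|WEEK))?"
)
# Smaller rank = more recent; no suffix (None) means more than a week ago.
WINDOW_RANK = {"HOUR": 0, "DAY": 1, "WEEK": 2, None: 3}

def parse_label_reason(code):
    """Return (entity, label, window) for a label-driven code, else None."""
    m = LABEL_REASON.fullmatch(code)
    return (m["entity"], m["label"], m["window"]) if m else None

def summarize_label_reasons(reasons):
    """Map (entity, label) to the most recent window seen in `reasons`."""
    summary = {}
    for code in reasons:
        parsed = parse_label_reason(code)
        if parsed is None:
            continue  # not label-driven (IP_IS_VPN, TRANSACTION_RISKY_PAYEE, ...)
        entity, label, window = parsed
        key = (entity, label)
        if key not in summary or WINDOW_RANK[window] < WINDOW_RANK[summary[key]]:
            summary[key] = window
    return summary

def conflicting_entities(summary):
    """Entities that carry both a fraud label and a CONFIRMED_LEGIT label."""
    fraud = {entity for (entity, label) in summary if label.endswith("FRAUD")}
    legit = {entity for (entity, label) in summary if label == "CONFIRMED_LEGIT"}
    return sorted(fraud & legit)

# Constructed sample: reason codes as they might accompany one recommendation.
SAMPLE_REASONS = [
    "IP_IS_VPN",
    "IP_CONFIRMED_FRAUD_ACTIVITY_LAST_WEEK",
    "IP_CONFIRMED_FRAUD_ACTIVITY_LAST_HOUR",
    "DEVICE_CONFIRMED_LEGIT_ACTIVITY",
    "DEVICE_SUSPECTED_FRAUD_ACTIVITY_LAST_DAY",
    "TRANSACTION_RISKY_PAYEE",
]

if __name__ == "__main__":
    summary = summarize_label_reasons(SAMPLE_REASONS)
    print(summary, conflicting_entities(summary))
```

Because these codes reflect customer-provided labels rather than system-detected patterns, keeping them separate from the other reason codes makes it easier to audit how analyst labels influence later recommendations.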
Preview rule
A rule configured in preview mode that would have influenced the outcome of this recommendation if it had been active in production. This provides insight into the potential impact of preview rules without affecting the actual recommendation result. The preview_rule is returned as an object (Categorical), displaying a simulated result of the rule applied to user actions. This allows you to assess the rule's potential impact before activating it in production.