When Mosaic flags an action and you determine its actual fraud status, you may send a label to Mosaic via the Send label API to correct or confirm the recommendation. To give Mosaic richer context about the fraud scenario, you can include the optional fields use_case, sub_category, attack_method, and source in the request. This page lists the valid values and combinations for those fields.
Use it to look up valid values before submitting labels via the API, a CSV import, or an automated workflow. For a full explanation of how labels work and how to submit them, see Provide feedback with labels.
The use_case identifies the fraud scenario. sub_category gives a more specific classification within the scenario, and attack_method describes how the fraud was carried out. Rules:
- If a use case has no subcategories, omit
sub_category. - If a use case has no attack methods, omit
attack_method. Note that: - For
MONEY_MULEandCREDENTIAL_STUFFING,attack_methoddepends directly onuse_case(nosub_category). - For
FIRST_PARTY_FRAUD,attack_methodis not supported.
| Subcategory | Attack methods |
|---|---|
PHISHING | PHISHING_EMAIL, PHISHING_SMS, PHISHING_VOICE, PHISHING_QR, OTHER |
MALWARE | KEYLOGGER, TROJAN, SPYWARE, BROWSER_MALWARE, OTHER |
CREDENTIAL_BREACH | COMBO_LIST, PASSWORD_SPRAYING, AUTOMATED_TESTING, OTHER |
DEVICE_TAKEOVER | REMOTE_DESKTOP, SCREEN_SHARING, REMOTE_SHELL, ROOTKIT, OTHER |
SESSION_HIJACKING | MITM, TOKEN_THEFT_XSS, TOKEN_THEFT_MALWARE, SESSION_FIXATION, OTHER |
RECOVERY_ABUSE | PHISHING_RECOVERY, HELPDESK_SOCENG, FLOW_EXPLOITATION, OTHER |
OTHER | OTHER |
| Subcategory | Attack methods |
|---|---|
INVESTMENT_SCAM | PHONE, SOCIAL_MEDIA, FAKE_PLATFORM, OTHER |
ROMANCE_SCAM | DATING_APP, SOCIAL_MEDIA, MESSAGING_APP, OTHER |
TECH_SUPPORT_SCAM | FAKE_POPUP, COLD_CALL, EMAIL, OTHER |
PAYMENT_SCAM | FAKE_INVOICE, IMPERSONATION, URGENT_TRANSFER, OTHER |
IMPERSONATION_SCAM | BANK, GOVERNMENT, FAMILY_EMERGENCY, OTHER |
COERCION | INPERSON, LIVE_PHONE, OTHER |
OTHER | OTHER |
| Subcategory | Attack methods |
|---|---|
PHISHING | PHISHING_EMAIL, PHISHING_SMS, PHISHING_VOICE, OTHER |
MALWARE | KEYLOGGER, TROJAN, SPYWARE, OTHER |
DATA_BREACH | DATA_BREACH, OTHER |
PHYSICAL_THEFT | PHYSICAL_THEFT, OTHER |
SOCIAL_ENGINEERING | SOCIAL_ENGINEERING, OTHER |
OTHER | OTHER |
No attack methods. Valid subcategories: CHARGEBACK_FRIENDLY_FRAUD, BUST_OUT_FRAUD, ACCOUNT_AGING, APPLICATION_KYC_FRAUD, REFERRAL_ABUSE, SIGNUP_BONUS_ABUSE, REWARDS_MANIPULATION, OTHER.
No subcategories. Valid attack methods: JOB_SCAM, ROMANCE_SCAM, INVESTMENT_SCAM, SELF_RECRUITED, COERCED, UNKNOWN, OTHER.
| Subcategory | Attack methods |
|---|---|
STOLEN_IDENTITY | PHISHING, DATA_BREACH, PHYSICAL_DOC_THEFT, OTHER |
SYNTHETIC_IDENTITY | DOCUMENT_FABRICATION, DATA_COMBINATION, AI_GENERATED, OTHER |
MULE_ACCOUNT | JOB_SCAM_RECRUITMENT, ROMANCE_RECRUITMENT, NETWORK_RECRUITMENT, OTHER |
BONUS_PROMO_ABUSE | MULTI_ACCOUNT, BOT_AUTOMATION, OTHER |
OTHER | OTHER |
No subcategories. Valid attack methods: COMBO_LIST, PASSWORD_SPRAYING, AUTOMATED_TESTING, OTHER.
The source field describes where the label information came from or how the outcome was validated. Unlike use_case, sub_category, and attack_method, it does not classify the fraud scenario itself. Instead, it explains the source of evidence behind the label and can be used with any supported use_case.
| Value | Description |
|---|---|
MANUAL_REVIEW | From self manual analysis |
CUSTOMER_COMPLAINTS | From customer complaints or responses |
CHARGEBACKS | From incorrect charges |
OTHER_VENDORS | From information and conclusions from other systems and tools |
AUTOMATED_DETECTION | From automated detection systems or rules engines |
LAW_ENFORCEMENT | From law enforcement agencies or legal proceedings |
SOCIAL_ENGINEERING