Skip to content

Specify fraud scenarios with labels

When Mosaic flags an action and you determine its actual fraud status, you may send a label to Mosaic via the Send label API to correct or confirm the recommendation. To give Mosaic richer context about the fraud scenario, you can include the optional fields use_case, sub_category, attack_method, and source in the request. This page lists the valid values and combinations for those fields.

Use it to look up valid values before submitting labels via the API, a CSV import, or an automated workflow. For a full explanation of how labels work and how to submit them, see Provide feedback with labels.

About label information taxonomy

The use_case identifies the fraud scenario. sub_category gives a more specific classification within the scenario, and attack_method describes how the fraud was carried out. Rules:

  • If a use case has no subcategories, omit sub_category.
  • If a use case has no attack methods, omit attack_method. Note that:
  • For MONEY_MULE and CREDENTIAL_STUFFING, attack_method depends directly on use_case (no sub_category).
  • For FIRST_PARTY_FRAUD, attack_method is not supported.

ACCOUNT_TAKEOVER

SubcategoryAttack methods
PHISHINGPHISHING_EMAIL, PHISHING_SMS, PHISHING_VOICE, PHISHING_QR, OTHER
MALWAREKEYLOGGER, TROJAN, SPYWARE, BROWSER_MALWARE, OTHER
CREDENTIAL_BREACHCOMBO_LIST, PASSWORD_SPRAYING, AUTOMATED_TESTING, OTHER
DEVICE_TAKEOVERREMOTE_DESKTOP, SCREEN_SHARING, REMOTE_SHELL, ROOTKIT, OTHER
SESSION_HIJACKINGMITM, TOKEN_THEFT_XSS, TOKEN_THEFT_MALWARE, SESSION_FIXATION, OTHER
RECOVERY_ABUSEPHISHING_RECOVERY, HELPDESK_SOCENG, FLOW_EXPLOITATION, OTHER
OTHEROTHER

SOCIAL_ENGINEERING

SubcategoryAttack methods
INVESTMENT_SCAMPHONE, SOCIAL_MEDIA, FAKE_PLATFORM, OTHER
ROMANCE_SCAMDATING_APP, SOCIAL_MEDIA, MESSAGING_APP, OTHER
TECH_SUPPORT_SCAMFAKE_POPUP, COLD_CALL, EMAIL, OTHER
PAYMENT_SCAMFAKE_INVOICE, IMPERSONATION, URGENT_TRANSFER, OTHER
IMPERSONATION_SCAMBANK, GOVERNMENT, FAMILY_EMERGENCY, OTHER
COERCIONINPERSON, LIVE_PHONE, OTHER
OTHEROTHER

IDENTITY_THEFT

SubcategoryAttack methods
PHISHINGPHISHING_EMAIL, PHISHING_SMS, PHISHING_VOICE, OTHER
MALWAREKEYLOGGER, TROJAN, SPYWARE, OTHER
DATA_BREACHDATA_BREACH, OTHER
PHYSICAL_THEFTPHYSICAL_THEFT, OTHER
SOCIAL_ENGINEERINGSOCIAL_ENGINEERING, OTHER
OTHEROTHER

FIRST_PARTY_FRAUD

No attack methods. Valid subcategories: CHARGEBACK_FRIENDLY_FRAUD, BUST_OUT_FRAUD, ACCOUNT_AGING, APPLICATION_KYC_FRAUD, REFERRAL_ABUSE, SIGNUP_BONUS_ABUSE, REWARDS_MANIPULATION, OTHER.

MONEY_MULE

No subcategories. Valid attack methods: JOB_SCAM, ROMANCE_SCAM, INVESTMENT_SCAM, SELF_RECRUITED, COERCED, UNKNOWN, OTHER.

NEW_ACCOUNT_FRAUD

SubcategoryAttack methods
STOLEN_IDENTITYPHISHING, DATA_BREACH, PHYSICAL_DOC_THEFT, OTHER
SYNTHETIC_IDENTITYDOCUMENT_FABRICATION, DATA_COMBINATION, AI_GENERATED, OTHER
MULE_ACCOUNTJOB_SCAM_RECRUITMENT, ROMANCE_RECRUITMENT, NETWORK_RECRUITMENT, OTHER
BONUS_PROMO_ABUSEMULTI_ACCOUNT, BOT_AUTOMATION, OTHER
OTHEROTHER

CREDENTIAL_STUFFING

No subcategories. Valid attack methods: COMBO_LIST, PASSWORD_SPRAYING, AUTOMATED_TESTING, OTHER.


source

The source field describes where the label information came from or how the outcome was validated. Unlike use_case, sub_category, and attack_method, it does not classify the fraud scenario itself. Instead, it explains the source of evidence behind the label and can be used with any supported use_case.

ValueDescription
MANUAL_REVIEWFrom self manual analysis
CUSTOMER_COMPLAINTSFrom customer complaints or responses
CHARGEBACKSFrom incorrect charges
OTHER_VENDORSFrom information and conclusions from other systems and tools
AUTOMATED_DETECTIONFrom automated detection systems or rules engines
LAW_ENFORCEMENTFrom law enforcement agencies or legal proceedings