# Specify fraud scenarios with labels

When Mosaic flags an action and you determine its actual fraud status, you may send a label to Mosaic via the [Send label API](/openapi/risk/label.openapi/other/sendlabel) to correct or confirm the recommendation. To give Mosaic richer context about the fraud scenario, you can include the optional fields `use_case`, `sub_category`, `attack_method`, and `source` in the request. This page lists the valid values and combinations for those fields.

Use it to look up valid values before submitting labels via the API, a CSV import, or an automated workflow. For a full explanation of how labels work and how to submit them, see [Provide feedback with labels](/guides/risk/labels).

## About label information taxonomy

The `use_case` identifies the fraud scenario. `sub_category` gives a more specific classification within the scenario, and `attack_method` describes how the fraud was carried out. Rules:

- If a use case has no subcategories, omit `sub_category`.
- If a use case has no attack methods, omit `attack_method`.
Note that:
- For `MONEY_MULE` and `CREDENTIAL_STUFFING`, `attack_method` depends directly on `use_case` (no `sub_category`).
- For `FIRST_PARTY_FRAUD`, `attack_method` is not supported.


### `ACCOUNT_TAKEOVER`

| Subcategory | Attack methods |
|  --- | --- |
| `PHISHING` | `PHISHING_EMAIL`, `PHISHING_SMS`, `PHISHING_VOICE`, `PHISHING_QR`, `OTHER` |
| `MALWARE` | `KEYLOGGER`, `TROJAN`, `SPYWARE`, `BROWSER_MALWARE`, `OTHER` |
| `CREDENTIAL_BREACH` | `COMBO_LIST`, `PASSWORD_SPRAYING`, `AUTOMATED_TESTING`, `OTHER` |
| `DEVICE_TAKEOVER` | `REMOTE_DESKTOP`, `SCREEN_SHARING`, `REMOTE_SHELL`, `ROOTKIT`, `OTHER` |
| `SESSION_HIJACKING` | `MITM`, `TOKEN_THEFT_XSS`, `TOKEN_THEFT_MALWARE`, `SESSION_FIXATION`, `OTHER` |
| `RECOVERY_ABUSE` | `PHISHING_RECOVERY`, `HELPDESK_SOCENG`, `FLOW_EXPLOITATION`, `OTHER` |
| `OTHER` | `OTHER` |


### `SOCIAL_ENGINEERING`

| Subcategory | Attack methods |
|  --- | --- |
| `INVESTMENT_SCAM` | `PHONE`, `SOCIAL_MEDIA`, `FAKE_PLATFORM`, `OTHER` |
| `ROMANCE_SCAM` | `DATING_APP`, `SOCIAL_MEDIA`, `MESSAGING_APP`, `OTHER` |
| `TECH_SUPPORT_SCAM` | `FAKE_POPUP`, `COLD_CALL`, `EMAIL`, `OTHER` |
| `PAYMENT_SCAM` | `FAKE_INVOICE`, `IMPERSONATION`, `URGENT_TRANSFER`, `OTHER` |
| `IMPERSONATION_SCAM` | `BANK`, `GOVERNMENT`, `FAMILY_EMERGENCY`, `OTHER` |
| `COERCION` | `INPERSON`, `LIVE_PHONE`, `OTHER` |
| `OTHER` | `OTHER` |


### `IDENTITY_THEFT`

| Subcategory | Attack methods |
|  --- | --- |
| `PHISHING` | `PHISHING_EMAIL`, `PHISHING_SMS`, `PHISHING_VOICE`, `OTHER` |
| `MALWARE` | `KEYLOGGER`, `TROJAN`, `SPYWARE`, `OTHER` |
| `DATA_BREACH` | `DATA_BREACH`, `OTHER` |
| `PHYSICAL_THEFT` | `PHYSICAL_THEFT`, `OTHER` |
| `SOCIAL_ENGINEERING` | `SOCIAL_ENGINEERING`, `OTHER` |
| `OTHER` | `OTHER` |


### `FIRST_PARTY_FRAUD`

No attack methods. Valid subcategories: `CHARGEBACK_FRIENDLY_FRAUD`, `BUST_OUT_FRAUD`, `ACCOUNT_AGING`, `APPLICATION_KYC_FRAUD`, `REFERRAL_ABUSE`, `SIGNUP_BONUS_ABUSE`, `REWARDS_MANIPULATION`, `OTHER`.

### `MONEY_MULE`

No subcategories. Valid attack methods: `JOB_SCAM`, `ROMANCE_SCAM`, `INVESTMENT_SCAM`, `SELF_RECRUITED`, `COERCED`, `UNKNOWN`, `OTHER`.

### `NEW_ACCOUNT_FRAUD`

| Subcategory | Attack methods |
|  --- | --- |
| `STOLEN_IDENTITY` | `PHISHING`, `DATA_BREACH`, `PHYSICAL_DOC_THEFT`, `OTHER` |
| `SYNTHETIC_IDENTITY` | `DOCUMENT_FABRICATION`, `DATA_COMBINATION`, `AI_GENERATED`, `OTHER` |
| `MULE_ACCOUNT` | `JOB_SCAM_RECRUITMENT`, `ROMANCE_RECRUITMENT`, `NETWORK_RECRUITMENT`, `OTHER` |
| `BONUS_PROMO_ABUSE` | `MULTI_ACCOUNT`, `BOT_AUTOMATION`, `OTHER` |
| `OTHER` | `OTHER` |


### `CREDENTIAL_STUFFING`

No subcategories. Valid attack methods: `COMBO_LIST`, `PASSWORD_SPRAYING`, `AUTOMATED_TESTING`, `OTHER`.

## `source`

The `source` field describes where the label information came from or how the outcome was validated. Unlike `use_case`, `sub_category`, and `attack_method`, it does not classify the fraud scenario itself. Instead, it explains the source of evidence behind the label and can be used with any supported `use_case`.

| Value | Description |
|  --- | --- |
| `MANUAL_REVIEW` | From self manual analysis |
| `CUSTOMER_COMPLAINTS` | From customer complaints or responses |
| `CHARGEBACKS` | From incorrect charges |
| `OTHER_VENDORS` | From information and conclusions from other systems and tools |
| `AUTOMATED_DETECTION` | From automated detection systems or rules engines |
| `LAW_ENFORCEMENT` | From law enforcement agencies or legal proceedings |