Providing feedback with labels

Improve detection accuracy by providing feedback on risk recommendations you received from Mosaic. labeling helps enhance our machine learning (ML) models and improve our fraud detection algorithms. Labels categorize entities based on their fraud status, allowing the ML model to adapt and learn from both confirmed and suspected fraud cases, as well as legitimate activities. This dynamic feedback loop ensures Mosaic stays up-to-date with evolving fraud patterns.

Note

Unlike rules that completely override risk recommendations, labels are meant to adapt risk detection and response strategies in real-time.

How labels work

This describes the building blocks of labels and how they work.

Label types

The label type helps distinguish recommendations. To improve detection accuracy, you can assign one of the following labels:

  • Known Malicious : For entities confirmed to be involved in fraudulent activities.
  • Suspected Malicious : For entities suspected of fraudulent behavior that has not yet been confirmed.
  • Known Legit : For entities confirmed to be legitimate and not involved in fraud.
  • Unknown : For entities for which the fraud status is undetermined.

Label subjects

Labels are assigned to subjects—attributes, indicators, or entities that make an action fraudulent or legit. Below are available label subjects:

  • Action ID : Unique identifier for a specific action or transaction within your system.
  • Correlation ID : Unique identifier that links related actions or transactions, helping to track sequences of events. Correlation IDs remain the same throughout user interactions.
  • Security insights : Fraud ring ID / Fraud campaign ID; represents an interaction pattern rather than specific actions.
  • User ID : Unique identifier for individual users in your system. When labeling a User ID subject, you are classifying the user account as fraudulent or legitimate. This can be particularly useful for "New Account Fraud" or "First-Party Fraud" use cases . For other scenarios, such as compromised accounts, it's better to use a subject that relates directly to the fraud events rather than the user accounts involved.
  • IP address : (via API only) The IP address from which the action was performed. Consider labeling an action ID instead in order to take into account other network-related parameters, such as ASN, domain, the IP address's history, and other enrichment data.
Tip

With the multifaceted fraud landscape, it is best to provide labels without being too discrete, especially when reviewing risks manually. Tagging a fraudulent action or pattern rather than a specific entity (such as an IP address) helps build a more thorough risk profile and account for multiple signals and parameters. However, when leveraging external security tools, you usually have indicators of fraudulent interactions (e.g., from chargebacks), problematic user accounts, or suspicious IP addresses. See Mosaic's recommendations on setting label subjects depending on your risk assessment workflow:

  • Manual risk review : Security Insights, Action ID, User ID
  • Leveraging external data : Correlation ID, User ID, IP Address

Use cases

Labels are used in various fraud scenarios, including the use cases listed below. While optional, you can specify the fraud scenario used, if known.

  • Account Takeover : Identifying and preventing unauthorized access to user accounts.
  • First Party Fraud : Detecting fraudulent activities initiated by the account owner.
  • Identity Theft : Protecting against cases where a fraudster uses someone else's identity.
  • Money Mule : Identifying users involved in transferring stolen funds.
  • Bot Attack : Detecting and preventing automated fraudulent activities.
  • Synthetic Identity : Identifying fake identities created by combining real and fake information.
  • Social Engineering : Recognizing and preventing fraud resulting from manipulative tactics used to deceive individuals into divulging confidential information.

Sources

Labels can be derived from multiple sources, including but not limited to:

  • Manual review : Analyst-driven investigations that identify fraud or confirm legitimacy.
  • Customer complaints : Feedback from customers reporting unauthorized activities or fraud.
  • Chargebacks : Financial disputes indicating fraudulent transactions.
  • Other vendors : Labels provided by third-party fraud detection tools or external data providers integrated into your system.

Set labels

Tip

Collaborate with analytics tools or internal systems to extract relevant Correlation IDs or User IDs. This will ensure accurate labeling and improve the effectiveness of Detection and Response services. Integrating these tools can streamline the process and ensure consistent data quality across your operations.

Assign to actions

From the Recommendations page, click the Set label button; for individual actions or in bulk.

Import labels using CSV file

Import labels in bulk from the Recommendations page by uploading a CSV file with the following structure:

  • Columns must be named as follows: label_type , subject_type , subject_value , source , user_case
  • The first 3 columns are mandatory, while the last two ( source and use_case ) are optional
  • Within columns, the values must comply with API reference (enum values)

Some file examples:

Copy
Copied
  subject_type,label_type,subject_value
  ACTION_ID,KNOWN_MALICIOUS,a05f8ae1-718f-4c33-a20c-682df281af7c
Copy
Copied
  label_type,subject_type,subject_value,source,use_case
  KNOWN_MALICIOUS,ACTION_ID,a05f8ae1-718f-4c33-a20c-682df281af7c,MANUAL_REVIEW,IDENTITY_THEFT

Via API

Assign labels via Send label API.

Via Automated workflows

Set lables using Automated workflows.

Review labeled recommendations

On the Recommendations page, you can see recommendations with assigned labels by adding the Label type column or by filtering labeled or unlabeled recommendations. You can notice the label next to a subject (user ID, action ID, etc.) when reviewing recommendation details.

Understand label impact

By setting a label, you update the reputation of its subject, such as user ID or IP address. Mosaic's Detection and Response instantly takes into account the reputation change for this and subsequent recommendations.

As a first step, Mosaic temporarily adjusts recommendations with automatically created rules to improve real-time detection and response: for example, in case of a fraud label, a "Deny" recommendation will be generated for similar actions, in case of a legitimate label—an "Allow" recommendation. In the affected recommendations, a reason will be reported as having a risky reputation or a trusted reputation, for example DEVICE_RISKY_REPUTATION or IP_TRUSTED.

After the initial phase, Mosaic issues recommendations based on more balanced analysis and an updated reputation. For example, as risk data accumulates over time, reputation can improve and recommendations can change from "Deny" to "Challenge", and then from "Challenge" to "Allow". Over time, and with a substantial number of labels, Mosaic may suggest model retraining. This process enhances the accuracy of the ML model, ensuring it adapts to the ever-changing fraud landscape and ensures a balanced approach to fraud prevention, focusing on both security and customer experience.

Submitting a significant amount of labels over time contributes to more reliable risk detection. A case study shows Mosaic's semi-supervised ML models are capable of detecting fraud with higher precision if trained with labeled recommendations. In other words, the recall rate (a proportion of fraud events correctly recognized as fraud events) grows over time leading to a better security posture and faster fraud prevention.