Fraud Typology Reference
This reference describes the major fraud typologies detected by FraudShield AI Engine, the behavioral signals that characterize each pattern, the primary Risk Indicators (RIs) that fire, and the detection models responsible for scoring. Use this guide to understand why an alert was generated for a specific transaction, to tune thresholds for a specific typology, and to train analyst teams on recognizing fraud patterns in investigation.
Quick reference
| Typology | Primary channels | Detection model | Dominant RI categories |
|---|---|---|---|
| Account Takeover (ATO) | Web, Mobile | MDL_WIRE_ATO | Device & channel, behavioral biometrics, velocity |
| Authorized Push Payment (APP) Fraud | RTP, FedNow, Web wire | MDL_RTP_MULE, MDL_WIRE_ATO | Beneficiary, velocity, behavioral, amount anomaly |
| Card-Not-Present (CNP) Fraud | eCommerce, API | MDL_CARD_CNP | Network/IP, device, velocity, amount anomaly |
| Check and Deposit Fraud | Branch, Mobile (RDC), ATM | MDL_ACH_FRAUD | Velocity, account lifecycle, amount anomaly |
| ACH Fraud (BEC / Unauthorized Debit) | ACH origination, Batch | MDL_ACH_FRAUD | Beneficiary, account lifecycle, velocity |
| Money Mule Activity | RTP, FedNow, Web, ACH | MDL_RTP_MULE | Network graph, velocity, beneficiary, account lifecycle |
| Synthetic Identity Fraud | New account origination, Loan | MDL_1PF_APPFRAUD | Account lifecycle, enrichment (identity), network graph |
| First-Party Fraud | New account, Loan origination | MDL_1PF_APPFRAUD | Account lifecycle, velocity, amount anomaly |
| Cross-Border Wire Fraud | SWIFT, Fedwire, Web | MDL_WIRE_ATO | Beneficiary, network/IP, velocity, amount anomaly |
Account Takeover (ATO)
Account takeover occurs when a fraudster gains unauthorized access to a legitimate customer's online banking account — typically through credential theft (phishing, credential stuffing, SIM swap) or social engineering — and uses the access to initiate fraudulent transfers.
Behavioral pattern
- Login from a new, previously unregistered device or a device associated with multiple unrelated accounts.
- IP address from a different country than the customer's normal geolocation, or IP flagged as VPN/proxy/TOR exit node.
- Unusual keystroke dynamics — typing cadence doesn't match the enrolled behavioral biometric for this customer.
- Navigation anomaly: direct navigation to the payment screen without the typical pre-payment browsing pattern.
- Password or security question changed in the 24–72 hours before the fraudulent transaction.
- High-value transfer to a new beneficiary in the same session as the credential change.
- Rapid session: payment initiated within seconds or minutes of login, far shorter than the customer's normal session pattern.
Key RIs
| Risk Indicator | Signal | Typical sub-score |
|---|---|---|
| RI_DEVICE_FINGERPRINT_CHANGE | Login device not seen before for this account | 55–85 |
| RI_IP_COUNTRY_MISMATCH | IP country differs from account registration country | 40–75 |
| RI_KEYSTROKE_ANOMALY_SCORE | Typing pattern below biometric similarity threshold | 60–95 |
| RI_CREDENTIAL_CHANGE_72H | Password or security credential changed in last 72 hours | 70–90 |
| RI_NAVIGATION_ANOMALY | Atypical navigation path before payment | 45–70 |
| RI_SESSION_DURATION_SHORT | Session duration below 5th percentile for this customer | 35–60 |
| RI_NEW_PAYEE_FIRST_TXN | Beneficiary not previously paid by this account | 55–90 |
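The following is an added example, not FraudShield code, showing how the session-level ATO indicators above can be evaluated against a customer profile. The `CustomerProfile` and `PaymentSession` fields, the nearest-rank percentile, the fixed sub-score constants (chosen inside the ranges listed in the table) and the score combination rule are all assumptions made for illustration; keystroke and navigation signals are omitted because they need biometric and clickstream inputs that are not modelled here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class CustomerProfile:
    """What the engine already knows about the customer (hypothetical field set)."""
    home_country: str
    known_devices: Set[str]
    session_durations_s: List[float]        # lengths of past sessions, in seconds
    known_payees: Set[str]
    last_credential_change: Optional[datetime]


@dataclass
class PaymentSession:
    """The session under evaluation: login and payment-submit times plus context."""
    device_id: str
    ip_country: str
    login_at: datetime
    payment_at: datetime
    payee: str


def percentile(values: List[float], p: float) -> float:
    """Nearest-rank percentile; enough for a 5th-percentile floor on session length."""
    ordered = sorted(values)
    idx = int(round(p / 100.0 * (len(ordered) - 1)))
    return ordered[idx]


def evaluate_ato(profile: CustomerProfile, session: PaymentSession) -> Dict[str, int]:
    """Return the ATO risk indicators that fire for this session with illustrative sub-scores.

    The sub-score constants sit inside the ranges the reference lists; the
    engine's real calibration is not documented here and these are assumptions.
    """
    fired: Dict[str, int] = {}
    if session.device_id not in profile.known_devices:
        fired["RI_DEVICE_FINGERPRINT_CHANGE"] = 70
    if session.ip_country != profile.home_country:
        fired["RI_IP_COUNTRY_MISMATCH"] = 55
    if profile.last_credential_change is not None:
        since_change = session.payment_at - profile.last_credential_change
        if timedelta(0) <= since_change <= timedelta(hours=72):
            fired["RI_CREDENTIAL_CHANGE_72H"] = 80
    duration = (session.payment_at - session.login_at).total_seconds()
    if profile.session_durations_s and duration < percentile(profile.session_durations_s, 5):
        fired["RI_SESSION_DURATION_SHORT"] = 45
    if session.payee not in profile.known_payees:
        fired["RI_NEW_PAYEE_FIRST_TXN"] = 75
    return fired


def combine(fired: Dict[str, int]) -> int:
    """Assumed combination rule: strongest RI plus 5 per additional RI, capped at 100."""
    if not fired:
        return 0
    scores = sorted(fired.values(), reverse=True)
    return min(100, scores[0] + 5 * (len(scores) - 1))


def run_demo() -> Dict[str, int]:
    """Constructed customer and two sessions: one matching the ATO pattern, one normal."""
    profile = CustomerProfile(
        home_country="US",
        known_devices={"dev-home-laptop"},
        session_durations_s=[90, 120, 150, 180, 200, 240, 300, 360, 420, 600],
        known_payees={"acct-utility", "acct-landlord"},
        last_credential_change=datetime(2024, 5, 1, 9, 0),
    )
    # New device, foreign IP, 40-second session, new payee, 18 hours after a password change.
    suspicious = PaymentSession("dev-unknown-7", "NG", datetime(2024, 5, 2, 3, 10, 0),
                                datetime(2024, 5, 2, 3, 10, 40), "acct-never-seen")
    # Enrolled device, home country, 4-minute session, known payee, weeks after the change.
    normal = PaymentSession("dev-home-laptop", "US", datetime(2024, 5, 20, 18, 0, 0),
                            datetime(2024, 5, 20, 18, 4, 0), "acct-utility")
    return {"suspicious": combine(evaluate_ato(profile, suspicious)),
            "normal": combine(evaluate_ato(profile, normal))}


if __name__ == "__main__":
    print(run_demo())
```

Threshold tuning for one typology, as the introduction describes, amounts to changing the constants in `evaluate_ato` and `combine`; keeping them in one place makes the per-typology calibration auditable.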
Authorized Push Payment (APP) Fraud
In APP fraud, the legitimate account holder is manipulated into authorizing a payment to a fraudster-controlled account. The transaction is technically authorized by the customer — the fraud is in the social engineering that convinced them to make it. Common pretexts: fake HMRC/IRS tax demands, investment scams, romance scams, impersonation of bank staff or law enforcement.
APP fraud is the fastest-growing fraud typology on instant payment rails (RTP, FedNow) because irrevocability means there's no recall window once the payment is sent.
Behavioral pattern
- Payment to a new, never-before-paid beneficiary account.
- Account number or beneficiary name pasted (not typed) into the payment form — a strong indicator of social engineering instruction.
- Unusually short session: customer arrived with the beneficiary details already in hand.
- Amount in a range specifically below round-number thresholds ($9,800 rather than $10,000).
- Narrative in the memo field includes unusual keywords: "HMRC," "tax refund," "investment," "crypto," "solicitor," "police hold."
- Beneficiary account opened very recently (often within days of the fraud).
Key RIs
| Risk Indicator | Signal | Typical sub-score |
|---|---|---|
| RI_COPY_PASTE_BENEFICIARY | Beneficiary account number was pasted, not typed | 60–80 |
| RI_NEW_PAYEE_FIRST_TXN | No prior payments to this beneficiary from any account | 70–90 |
| RI_MEMO_KEYWORD_RISK | NLP analysis of memo field detects social engineering keywords | 50–85 |
| RI_BENEFICIARY_ACCOUNT_AGE | Receiving account opened within last 7 days | 75–95 |
| RI_AMOUNT_ROUND_THRESHOLD | Amount designed to fall just under $10,000 CTR threshold (structuring signal) | 55–75 |
| RI_SESSION_DURATION_SHORT | Transaction initiated with unusually brief session | 40–65 |
Card-Not-Present (CNP) Fraud
CNP fraud uses stolen card credentials (card number, expiry, CVV) to make purchases in online or phone channels where the physical card isn't presented. Card data is typically obtained through phishing, data breaches, or dark-web markets.
Behavioral pattern
- Transaction from an IP address in a different country than the cardholder's billing address.
- High velocity of small test transactions (charge validation attempts) followed by a larger transaction if tests succeed.
- Multiple card numbers attempted from the same device or IP (enumeration attack).
- Purchase category inconsistent with the cardholder's historical spending profile.
- High-value digital goods or gift cards — frequently liquidated by fraudsters without requiring physical delivery.
- Shipping address differs from the billing address and is a freight forwarder or reshipping address.
Key RIs
| Risk Indicator | Signal | Typical sub-score |
|---|---|---|
| RI_IP_COUNTRY_MISMATCH | IP country ≠ billing address country | 50–80 |
| RI_VELOCITY_CARD_ATTEMPTS_1H | Multiple card auth attempts in last hour (enumeration) | 65–95 |
| RI_DEVICE_FINGERPRINT_CHANGE | Transaction from new/unknown device | 45–70 |
| RI_MCC_ANOMALY | Merchant category inconsistent with cardholder spending history | 40–65 |
| RI_DIGITAL_GOODS_HIGH_VALUE | High-value purchase in digital goods or gift card category | 55–80 |
| RI_VPN_DETECTED | Transaction originating through VPN or proxy | 35–60 |
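An added example (not FraudShield code) of the sliding-window velocity logic behind RI_VELOCITY_CARD_ATTEMPTS_1H, together with the test-charge-then-large-purchase pattern listed under the behavioral signals. The one-hour window comes from the RI name; the enumeration threshold of three distinct cards, the $5 test-charge ceiling, the sub-score growth rule and the indicator name RI_TEST_CHARGE_ESCALATION are assumptions made here, since the reference describes that pattern without naming an RI for it.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

WINDOW = timedelta(hours=1)
ENUM_THRESHOLD = 3        # distinct card tokens per device in the window (assumed threshold)
TEST_CHARGE_MAX = 5.00    # authorizations at or below this count as validation tests (assumed)


class CardVelocityMonitor:
    """Sliding one-hour window of authorization attempts, keyed by device fingerprint.

    Cards are represented by an opaque token (for example a keyed hash of the PAN);
    the monitor never needs the card number itself.
    """

    def __init__(self) -> None:
        self._events: Dict[str, Deque[Tuple[datetime, str, float]]] = defaultdict(deque)

    def record(self, device_id: str, ts: datetime, card_token: str, amount: float) -> Dict[str, int]:
        """Add one attempt (events must arrive in time order) and return the RIs that fire."""
        queue = self._events[device_id]
        queue.append((ts, card_token, amount))
        while queue and ts - queue[0][0] > WINDOW:      # drop attempts older than one hour
            queue.popleft()
        fired: Dict[str, int] = {}
        distinct = {tok for _, tok, _ in queue}
        if len(distinct) >= ENUM_THRESHOLD:
            # sub-score grows with the number of cards tried, inside the 65-95 range in the table
            fired["RI_VELOCITY_CARD_ATTEMPTS_1H"] = min(95, 65 + 10 * (len(distinct) - ENUM_THRESHOLD))
        earlier = list(queue)[:-1]
        test_charges = [a for _, _, a in earlier if a <= TEST_CHARGE_MAX]
        if len(test_charges) >= 2 and amount > 20 * TEST_CHARGE_MAX:
            # hypothetical indicator: several micro-charges followed by a much larger purchase
            fired["RI_TEST_CHARGE_ESCALATION"] = 70
        return fired


def run_demo() -> List[Dict[str, int]]:
    """Constructed attempt stream from one device: three $1 tests on three cards, then $500."""
    monitor = CardVelocityMonitor()
    t0 = datetime(2024, 8, 14, 2, 0, 0)
    stream = [
        ("dev-9f3", t0, "card-A", 1.00),
        ("dev-9f3", t0 + timedelta(minutes=1), "card-B", 1.00),
        ("dev-9f3", t0 + timedelta(minutes=2), "card-C", 1.00),
        ("dev-9f3", t0 + timedelta(minutes=3), "card-C", 500.00),
        ("dev-9f3", t0 + timedelta(hours=2), "card-D", 30.00),   # window has emptied by now
    ]
    return [monitor.record(*event) for event in stream]


if __name__ == "__main__":
    for fired in run_demo():
        print(fired)
```

Keying the window by device rather than by card is what makes enumeration visible: each individual card sees only one attempt, so a per-card velocity counter would never fire.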
Check and Deposit Fraud
Check and deposit fraud encompasses check kiting (exploiting float between accounts), remote deposit capture (RDC) fraud (depositing the same check multiple times), return deposit item fraud, and cash deposit fraud. FraudShield AI monitors transactions across all deposit channels: branch, ATM, mobile (RDC), and offline (batch posting).
Base Transaction Activity (BTA) coverage
Deposit fraud detection uses channel-specific BTAs. Each BTA combination (channel + deposit type) has calibrated detection logic.
| BTA | Description | Key fraud patterns |
|---|---|---|
| M_DCK_D | Mobile app — check deposit (RDC) | Duplicate mobile deposit, altered check amount, deposited payee mismatch |
| A_DCK_D | ATM — check deposit | Empty-envelope deposit (claiming a deposit amount for an empty envelope), altered checks |
| B_DCK_D | Branch — check deposit | Counterfeit business checks, kiting between institutions |
| O_DCK_D | Offline — check deposit (batch) | Large-volume check kiting rings across multiple accounts |
| A_DCS_D | ATM — cash deposit | Short deposits (deposit less than claimed), staged deposits |
Key RIs for check kiting
| Risk Indicator | Signal |
|---|---|
| RI_KITING_PATTERN_SCORE | Cyclical deposit/withdrawal pattern between two accounts consistent with float exploitation |
| RI_VELOCITY_DEPOSIT_24H | Unusually high number of deposits in 24 hours |
| RI_RETURN_RATE_30D | High return rate on deposited items in last 30 days (R01, R02, R09 returns) |
| RI_WITHDRAWAL_BEFORE_CLEARANCE | Funds withdrawn before the deposited check has cleared |
| RI_DUPLICATE_CHECK_DEPOSIT | Check serial number or MICR line matches a previously deposited item |
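An added example, not FraudShield code, of the two deposit indicators that can be evaluated from the ledger alone: RI_WITHDRAWAL_BEFORE_CLEARANCE (a withdrawal larger than the collected balance while check deposits are still on hold) and RI_DUPLICATE_CHECK_DEPOSIT (a MICR line seen before, the duplicate-RDC pattern from the BTA table). The two-day hold, the event schema and the constructed account history are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple

HOLD_DAYS = 2   # assumed funds-availability hold on deposited checks


@dataclass
class DepositEvent:
    account: str
    day: date
    kind: str          # "cash_deposit", "check_deposit" or "withdrawal"
    amount: float
    micr: str = ""     # MICR line / check serial, check deposits only


class DepositMonitor:
    """Tracks collected vs uncollected funds per account and every MICR line already deposited."""

    def __init__(self) -> None:
        self.seen_micr: Set[str] = set()
        self.uncleared: Dict[str, List[Tuple[date, float]]] = {}   # account -> [(clears_on, amount)]
        self.available: Dict[str, float] = {}                      # collected (usable) balance

    def _settle(self, account: str, today: date) -> None:
        """Move check deposits whose hold has expired into the available balance."""
        pending = []
        for clears_on, amt in self.uncleared.get(account, []):
            if clears_on <= today:
                self.available[account] = self.available.get(account, 0.0) + amt
            else:
                pending.append((clears_on, amt))
        self.uncleared[account] = pending

    def process(self, ev: DepositEvent) -> List[str]:
        """Apply one ledger event in date order and return the RIs that fire on it."""
        self._settle(ev.account, ev.day)
        fired: List[str] = []
        if ev.kind == "cash_deposit":
            self.available[ev.account] = self.available.get(ev.account, 0.0) + ev.amount
        elif ev.kind == "check_deposit":
            if ev.micr in self.seen_micr:
                fired.append("RI_DUPLICATE_CHECK_DEPOSIT")
            self.seen_micr.add(ev.micr)
            clears_on = ev.day + timedelta(days=HOLD_DAYS)
            self.uncleared.setdefault(ev.account, []).append((clears_on, ev.amount))
        elif ev.kind == "withdrawal":
            avail = self.available.get(ev.account, 0.0)
            # Only a withdrawal that relies on uncollected check funds is the "before clearance" signal;
            # an overdraft with nothing on hold is a different problem.
            if ev.amount > avail and self.uncleared.get(ev.account):
                fired.append("RI_WITHDRAWAL_BEFORE_CLEARANCE")
            self.available[ev.account] = avail - ev.amount
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")
        return fired


def run_demo() -> List[List[str]]:
    """Constructed history for one account: a check is drawn on before it clears, then re-deposited."""
    d0 = date(2024, 6, 3)
    events = [
        DepositEvent("acct-1", d0, "cash_deposit", 100.00),
        DepositEvent("acct-1", d0 + timedelta(days=1), "check_deposit", 1000.00, micr="011000015-7777-0421"),
        DepositEvent("acct-1", d0 + timedelta(days=1), "withdrawal", 500.00),   # only $100 is collected
        DepositEvent("acct-1", d0 + timedelta(days=3), "withdrawal", 200.00),   # check has cleared by now
        DepositEvent("acct-1", d0 + timedelta(days=4), "check_deposit", 1000.00, micr="011000015-7777-0421"),
    ]
    monitor = DepositMonitor()
    return [monitor.process(ev) for ev in events]


if __name__ == "__main__":
    print(run_demo())
```

The MICR set is global rather than per account, which is what catches the same physical check deposited into two different accounts, the cross-account variant of the RDC pattern.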
ACH Fraud — Business Email Compromise and Unauthorized Debits
ACH fraud takes two main forms. In Business Email Compromise (BEC), fraudsters compromise or spoof an email account to redirect ACH payroll or vendor payments to fraudster-controlled accounts. In unauthorized debit, stolen account credentials are used to originate ACH debits from victim accounts without authorization.
BEC pattern
- ACH payee account number changes in the 24–72 hours before a regular payroll or vendor payment run.
- Change instruction arrived via email; banking portal login for the change came from an IP inconsistent with the business's usual locations.
- New beneficiary routing number routes to a bank associated with a high volume of mule account openings.
Unauthorized debit pattern
- ACH debit initiated against an account that has no history of outgoing ACH transactions.
- Originator company ID not previously seen on this account.
- Debit amount just below the balance available — designed to drain the account.
- Multiple debit attempts across short intervals (velocity) — consistent with credential testing.
Key RIs
| Risk Indicator | Signal |
|---|---|
| RI_PAYEE_CHANGE_BEFORE_REGULAR_RUN | Beneficiary account changed within 72 hours of a recurring payment |
| RI_NEW_ORIGINATOR_COMPANY_ID | ACH company ID not previously seen on this account |
| RI_ACCOUNT_LIFECYCLE | Originator account has no prior outgoing ACH history |
| RI_PAYEE_HIGH_RISK_ROUTING | Destination routing number associated with elevated mule account risk |
| RI_AMOUNT_BALANCE_DRAIN | Debit amount within 5% of available balance — drain pattern |
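An added example (not FraudShield code) covering both ACH forms above: the unauthorized-debit indicators evaluated on a single incoming debit, and the BEC payee-change timing check. The 5% tolerance and the 72-hour window are taken from the table; the function signatures and the constructed account values are assumptions.

```python
from datetime import datetime, timedelta
from typing import List, Set

DRAIN_TOLERANCE = 0.05                     # debit leaves at most 5% of the available balance
PAYEE_CHANGE_WINDOW = timedelta(hours=72)  # payee changed within 72 hours before the run


def evaluate_ach_debit(seen_company_ids: Set[str], has_outgoing_history: bool,
                       available_balance: float, company_id: str, amount: float) -> List[str]:
    """Unauthorized-debit indicators for one ACH debit presented against a customer account."""
    fired: List[str] = []
    if company_id not in seen_company_ids:
        fired.append("RI_NEW_ORIGINATOR_COMPANY_ID")
    if not has_outgoing_history:
        fired.append("RI_ACCOUNT_LIFECYCLE")
    if available_balance > 0 and amount <= available_balance:
        remaining = available_balance - amount
        if remaining <= DRAIN_TOLERANCE * available_balance:
            fired.append("RI_AMOUNT_BALANCE_DRAIN")
    return fired


def payee_changed_before_run(payee_changed_at: datetime, run_at: datetime) -> bool:
    """BEC indicator: the beneficiary on a recurring payment was changed in the 72 hours before it runs."""
    delta = run_at - payee_changed_at
    return timedelta(0) <= delta <= PAYEE_CHANGE_WINDOW


def run_demo() -> dict:
    """Constructed victim account with one known originator, no ACH history and a $4,000 balance."""
    seen = {"PAYROLLCO-1234"}
    return {
        # unknown originator takes $3,850 of $4,000: all three debit indicators fire
        "drain_debit": evaluate_ach_debit(seen, False, 4000.00, "ORIG-UNKNOWN-77", 3850.00),
        # the usual originator takes a routine amount: nothing beyond the lifecycle signal
        "routine_debit": evaluate_ach_debit(seen, True, 4000.00, "PAYROLLCO-1234", 120.00),
        # vendor record changed 70 hours before the Friday payroll run
        "bec_timing": payee_changed_before_run(datetime(2024, 7, 12, 10, 0), datetime(2024, 7, 15, 8, 0)),
        # vendor record changed two weeks earlier: outside the window
        "old_change": payee_changed_before_run(datetime(2024, 7, 1, 10, 0), datetime(2024, 7, 15, 8, 0)),
    }


if __name__ == "__main__":
    print(run_demo())
```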
Money Mule Activity
Money mule accounts receive proceeds from fraud committed against other victims and pass the funds onward — either knowingly (complicit mules) or unknowingly (recruited via job scams). Mule detection in FraudShield AI works in two directions: detecting when an account is sending to a mule account, and detecting when an account is acting as a mule.
Mule receiver pattern (account is a mule)
- Account was recently opened (Early Account Monitoring period: <90 days).
- Account receives multiple inbound transfers from unrelated senders in a short window, then immediately sends the funds outward (pass-through pattern).
- Inbound funds arrive via multiple rails (RTP, ACH, wire) and are consolidated before rapid outbound movement.
- The account's entity profile (address, device, IP) is shared with other recently opened accounts.
- The outbound beneficiary is in a high-risk jurisdiction or a known mule destination account.
Key RIs for mule detection
| Risk Indicator | Signal |
|---|---|
| RI_MULE_NETWORK_SCORE | Network graph centrality score — account connected to known mule nodes |
| RI_RAPID_MOVEMENT_THROUGH_ACCOUNT | Funds received and re-sent within <24 hours (layering signal) |
| RI_SHARED_DEVICE_CLUSTER | Device or IP shared across >3 unrelated accounts |
| RI_INBOUND_MULTI_SOURCE_24H | Multiple unrelated inbound senders within 24 hours |
| RI_ACCOUNT_AGE_DAYS | Account <90 days old (Early Account Monitoring) |
| RI_MULE_ACCOUNT_CONFIRMED | Destination account confirmed as mule by Early Warning Services or prior confirmed fraud |
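An added example, not FraudShield code, of the "account is a mule" direction: the pass-through, multi-source, shared-device and account-age indicators computed from a transfer ledger and a login log. The 24-hour window, the 90-day age limit and the more-than-three-accounts device rule come from the table; the three-sender minimum, the 80% re-sent ratio, the record schema and the constructed data are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

MULTI_SOURCE_MIN = 3         # assumed: distinct inbound senders within 24h that count as "multiple"
PASS_THROUGH_RATIO = 0.8     # assumed: share of 24h inbound that must be re-sent to flag pass-through
CLUSTER_MIN_ACCOUNTS = 4     # from the table: device shared across more than 3 accounts
EARLY_MONITORING_DAYS = 90


def inbound_multi_source_24h(transfers: List[dict], account: str, at: datetime) -> bool:
    """Distinct senders that paid this account in the 24 hours ending at `at`."""
    start = at - timedelta(hours=24)
    senders = {t["from"] for t in transfers
               if t["to"] == account and start <= t["ts"] <= at}
    return len(senders) >= MULTI_SOURCE_MIN


def rapid_movement_through(transfers: List[dict], account: str, at: datetime) -> bool:
    """Most of what came in during the last 24 hours has already gone out again."""
    start = at - timedelta(hours=24)
    inbound = sum(t["amount"] for t in transfers if t["to"] == account and start <= t["ts"] <= at)
    outbound = sum(t["amount"] for t in transfers if t["from"] == account and start <= t["ts"] <= at)
    return inbound > 0 and outbound >= PASS_THROUGH_RATIO * inbound


def shared_device_clusters(logins: List[dict]) -> Dict[str, Set[str]]:
    """Devices whose login history spans enough distinct accounts to form a cluster."""
    by_device: Dict[str, Set[str]] = defaultdict(set)
    for login in logins:
        by_device[login["device"]].add(login["account"])
    return {dev: accts for dev, accts in by_device.items() if len(accts) >= CLUSTER_MIN_ACCOUNTS}


def evaluate_mule(transfers: List[dict], logins: List[dict], account: str,
                  opened_on: datetime, at: datetime) -> List[str]:
    """Mule-receiver indicators for `account` as of time `at`."""
    fired: List[str] = []
    if (at - opened_on).days < EARLY_MONITORING_DAYS:
        fired.append("RI_ACCOUNT_AGE_DAYS")
    if inbound_multi_source_24h(transfers, account, at):
        fired.append("RI_INBOUND_MULTI_SOURCE_24H")
    if rapid_movement_through(transfers, account, at):
        fired.append("RI_RAPID_MOVEMENT_THROUGH_ACCOUNT")
    if any(account in accts for accts in shared_device_clusters(logins).values()):
        fired.append("RI_SHARED_DEVICE_CLUSTER")
    return fired


def run_demo() -> Dict[str, List[str]]:
    """Constructed ledger: a 9-day-old account collects from three victims and forwards almost all of it."""
    day = datetime(2024, 3, 10)
    transfers = [
        {"from": "victim-1", "to": "M1", "amount": 1000.0, "ts": day + timedelta(hours=9)},
        {"from": "victim-2", "to": "M1", "amount": 2500.0, "ts": day + timedelta(hours=10, minutes=30)},
        {"from": "victim-3", "to": "M1", "amount": 1500.0, "ts": day + timedelta(hours=12)},
        {"from": "M1", "to": "offshore-X9", "amount": 4800.0, "ts": day + timedelta(hours=13)},
        {"from": "employer-co", "to": "C1", "amount": 3000.0, "ts": day + timedelta(hours=9)},
        {"from": "C1", "to": "grocer", "amount": 200.0, "ts": day + timedelta(hours=12)},
    ]
    logins = [{"device": "dev-77", "account": a} for a in ("M1", "M2", "M3", "M4")]
    logins.append({"device": "dev-1", "account": "C1"})
    at = day + timedelta(hours=13)
    return {
        "mule": evaluate_mule(transfers, logins, "M1", datetime(2024, 3, 1), at),
        "clean": evaluate_mule(transfers, logins, "C1", datetime(2022, 1, 15), at),
    }


if __name__ == "__main__":
    print(run_demo())
```

The pass-through ratio deliberately compares sums rather than matching individual transfers, because mules typically consolidate several inbound payments into one outbound transfer, as the behavioral pattern above describes.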
Synthetic Identity Fraud
Synthetic identity fraud uses a fabricated identity — often combining a real Social Security number (usually belonging to a child, elderly person, or recent immigrant with no credit file) with a fake name and address — to open accounts and build credit before committing "bust-out" fraud. Synthetic identities are the fastest-growing fraud type in the US.
Key signals
- SSN issued recently but tied to a name and date of birth that don't match SSA records.
- Thin credit file or no credit history associated with the SSN.
- Identity verification score below the configured synthetic ID threshold (sourced from Experian or Socure enrichment).
- Address associated with multiple other recently opened accounts (shared address cluster).
- IP and device at application inconsistent with the stated residential address.
- After account opening: rapid credit utilization build-up followed by a sudden increase in cash advances or transfers before the account is abandoned.
Key RIs
| Risk Indicator | Signal |
|---|---|
| RI_SYNTHETIC_ID_SCORE | Identity verification provider's synthetic identity probability score |
| RI_ADDRESS_MISMATCH | Stated address doesn't match address associated with SSN in reference databases |
| RI_SHARED_DEVICE_CLUSTER | Application device previously used for other synthetic identity applications |
| RI_CREDIT_BUST_OUT_PATTERN | Rapid utilization to maximum credit limit followed by cash advance or balance transfer — bust-out signal |
| RI_ACCOUNT_AGE_DAYS | Account <90 days old with high transaction velocity |
First-Party Fraud
First-party fraud is committed by a legitimate, correctly identified customer who intentionally misuses their account or misrepresents their situation to obtain a financial benefit. Unlike identity fraud, the person's real identity is known. Common forms include intentional overdraft abuse, false dispute claims, application fraud (overstating income or assets), and deliberate default.
Key signals
- Dispute filed for a transaction where behavioral data shows the cardholder was present (device, location).
- Repeated dispute patterns across multiple accounts — serial disputer.
- Large cash advance or balance transfer shortly before declared bankruptcy or account default.
- Income stated at application is inconsistent with transaction data over the first 90 days.
- Application data (income, employer, address) matches a pattern flagged by the identity verification provider as inflated or fabricated.
Cross-Border Wire Fraud
Cross-border wire fraud targets high-value SWIFT or international Fedwire transactions. The typology typically involves ATO as the entry point, followed by rapid outbound wire transfers to foreign accounts in jurisdictions with limited recovery prospects. Fraudsters specifically target international transfers because recall is complex, slow, and often unsuccessful once funds leave the domestic banking system.
Behavioral pattern
- ATO signals at login (new device, foreign IP, credential change).
- First international wire ever sent from this account, or first to this specific destination country.
- Destination country is on the FATF grey list or institutional high-risk country list.
- Transfer amount at or near the account's daily wire limit — designed to maximize loss in a single transaction.
- Beneficiary name or bank details changed in the portal shortly before the wire is submitted.
Key RIs
| Risk Indicator | Signal |
|---|---|
| RI_PAYEE_HIGH_RISK_COUNTRY | Destination country on FATF grey/black list or institutional high-risk list |
| RI_FIRST_INTERNATIONAL_WIRE | No prior international wire transfers from this account |
| RI_AMOUNT_SPIKE_3SD | Amount significantly above historical wire amounts for this account |
| RI_BENEFICIARY_DETAIL_CHANGE_SAME_SESSION | Beneficiary account or name changed in the same session as the wire submission |
| RI_IP_COUNTRY_MISMATCH | IP country differs from the customer's home country and matches the destination country — suggests the fraudster is the initiator |
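An added example, not FraudShield code, that evaluates the five cross-border wire indicators above, including the RI_AMOUNT_SPIKE_3SD z-score against the account's own wire history. The three-standard-deviation cut-off follows the RI name; the high-risk country set is a placeholder (a deployment would load the FATF and institutional lists), and the profile fields and constructed history are assumptions.

```python
import statistics
from dataclasses import dataclass
from typing import List, Set

# Placeholder: populate from the FATF grey/black lists and the institution's own high-risk list.
HIGH_RISK_COUNTRIES: Set[str] = {"ZZ"}
SPIKE_SIGMAS = 3.0


@dataclass
class WireProfile:
    home_country: str
    prior_wire_amounts: List[float]
    prior_destination_countries: Set[str]    # foreign countries previously wired to; empty = none


@dataclass
class WireRequest:
    amount: float
    destination_country: str
    ip_country: str
    beneficiary_changed_this_session: bool


def amount_spike_3sd(history: List[float], amount: float) -> bool:
    """True when the amount is at least three standard deviations above the account's wire history."""
    if len(history) < 2:
        return False                        # no baseline to measure against
    mean = statistics.mean(history)
    sd = statistics.pstdev(history)
    if sd == 0:
        return amount > mean                # flat history: any increase is anomalous
    return (amount - mean) / sd >= SPIKE_SIGMAS


def evaluate_wire(profile: WireProfile, wire: WireRequest) -> List[str]:
    """Cross-border wire indicators for one submission."""
    fired: List[str] = []
    if wire.destination_country in HIGH_RISK_COUNTRIES:
        fired.append("RI_PAYEE_HIGH_RISK_COUNTRY")
    international = wire.destination_country != profile.home_country
    if international and wire.destination_country not in profile.prior_destination_countries:
        fired.append("RI_FIRST_INTERNATIONAL_WIRE")   # first ever, or first to this country
    if amount_spike_3sd(profile.prior_wire_amounts, wire.amount):
        fired.append("RI_AMOUNT_SPIKE_3SD")
    if wire.beneficiary_changed_this_session:
        fired.append("RI_BENEFICIARY_DETAIL_CHANGE_SAME_SESSION")
    if wire.ip_country != profile.home_country and wire.ip_country == wire.destination_country:
        fired.append("RI_IP_COUNTRY_MISMATCH")
    return fired


def run_demo() -> dict:
    """Constructed account with a steady history of ~$1,000 domestic-scale wires."""
    history = [1000.0, 1200.0, 900.0, 1100.0, 1000.0, 1300.0]
    # session from the destination country, new high-risk destination, 40x the usual amount,
    # beneficiary edited moments before submission
    suspicious = WireRequest(45000.0, "ZZ", "ZZ", True)
    # ordinary wire to a country the customer has paid before, from home
    routine = WireRequest(1250.0, "CA", "US", False)
    return {
        "suspicious": evaluate_wire(WireProfile("US", history, set()), suspicious),
        "routine": evaluate_wire(WireProfile("US", history, {"CA"}), routine),
        "z_spike": amount_spike_3sd(history, 45000.0),
        "z_normal": amount_spike_3sd(history, 1250.0),
    }


if __name__ == "__main__":
    print(run_demo())
```

Using the population standard deviation over the account's own history keeps the spike test relative to that customer; a $45,000 wire is unremarkable for a corporate treasury account and extreme for one that has never sent more than $1,300.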