Applicant risk labels

Be aware of the risk level of your applicants.

Risk labels are assigned during verification and indicate certain characteristics of an applicant.

View risk labels

To see the risk labels:

  1. In the Dashboard, go to the Applicants page.
  2. Open an applicant profile and scroll down to the Risk labels section.

Email risk labels

Email risk labels are associated with email and phone verification.

Label API name Description
Disposable email
disposable Temporary email address that usually expires after a short period of time.
High risk email
highRisk A verdict made by the system according to the check results and internal logic.
Medium risk email
mediumRisk A verdict made by the system according to the check results and internal logic.
No registrations on Web services found
noWebRegistrations Email address registration is not detected.
No website exists
noWebsiteExists Email domain does not exist.
Non-deliverable
nonDeliverable An email address to which the messages cannot be delivered.

Phone risk labels

Phone risk labels are associated with email and phone verification.

Label API name Description
Disposable phone number
disposable A temporary phone number that usually expires after a short period of time.
High risk phone
highRisk A verdict made by the system according to the check results and internal logic.
Medium risk phone
mediumRisk A verdict made by the system according to the check results and internal logic.
No registrations on Web services found
noWebRegistrations Phone number registration is not detected.
Virtual phone
virtual A virtual phone number is a number not associated with any physical location, allowing to make calls via internet.

Device risk labels

Device risk labels are associated with devices used by applicants to pass verification.

Label API name Description
Ad blocker
adblock Detects whether the advertisement blocking software is used.
App tampering
tampering Indicates the usage of anti-detect browser or tampering with the browser default behaviour.
Cloned application
clonedApp Indicates whether the request is coming from a cloned application.
Developer tools detected
developerTools Informs whether developer tools were manually opened in Chrome or Firefox browsers.
Devices from distant IP locations were used
distantIpLocations Login from different and distant IP addresses over a short period of time.
Emulator detected
emulator Informs whether the request was made with an emulator software.
Failure to continue on another device
failedSessionContinuation The session was interrupted due to inability to seamlessly transfer sessions from one device to another.
Frida tool detected
fridaTool Informs whether the Frida tool was used to intercept the app at runtime and change its behaviour.
High risk IP
highRiskIp Indicates high risk IP addresses.
Incognito mode
incognito Detects whether incognito or private modes are being used.
Jailbroken device
jailbroken Detects unauthorized modifications made to the device.
Known bot
goodBot Indicates that the bot is a well-known web crawler or other search engine bot.
Lengthy onboarding session
lengthySession The session lasts too long.
Link access via external source
thirdPartyLinkAccess The verification link has been opened in messaging apps or link shortening services.
Location spoofing
locationSpoofing Indicates whether the location of the mobile device has been spoofed or not.
Malicious bot
badBot Indicates that the bot is an automated tool that does not have legitimate uses and assumes fraudulent activity.
Man-in-the-Middle attack
mitmAttack Detects whether the communication between two parties was intercepted and potentially modified.
Multiple devices were used
multipleDevices Informs whether the applicant uses multiple devices.
Multiple mobile devices were used
multipleMobileDevices Informs whether the applicant uses multiple mobile devices.
Privacy settings enabled
privacySettingsMode Privacy settings that have the ability to randomize and obfuscate signal output are enabled.
Remote control detected
remoteControl Indicates whether the request originated from a device being remotely controlled or remotely controlling another device.
Rooted device
rooted User device has been modified to give them access to the root file system and administrative rights.
TOR usage
torUsage Detects whether TOR connection is used.
Unusual activity
highActivity The number of visits for the past 24 hours surpasses a threshold. The threshold is calculated for each user separately and is determined through a normal traffic distribution.
Virtual machine
virtualMachine Detects whether the browser is running inside a virtualization software by examining the browser configuration.
VPN usage
vpnUsage Detects whether VPN connection is used.

Cross-check risk labels

Cross-check risk labels are associated with the cross-checks based on matching different applicant data.

Label API name Description
Accounts in many other services
accountsInManyServices The same account is registered in different services (>=5 accounts in different sources).
Country of photo creation is different from IP and ID document countries
exifCountryVsIdDocCountryOrIpCountryMismatch Country of photo creation is different from IP and ID document countries.
Diverse countries in ID documents
diverseIdDocCountries Identity documents were issued in different countries.
Many duplicates exists
manyAccountDuplicates Lots of account duplicates are detected (>=3 accounts from one source; one client and one source key).
Mismatch between applicant address and IP country
addressCountryVsIpCountryMismatch The physical address does not meet the IP address.
Mismatch between ID document country and IP country
idDocCountryVsIpCountryMismatch ID document country mismatches the country IP address.

Selfie risk labels

Selfie risk labels are associated with selfies.

Label API name Description
Estimated age is different from the age on the ID document
estimatedAgeMismatch The estimated age does not match the age indicated in documents.
Many attempts to submit a selfie
manyAttempts There were too many attempts of passing a selfie check (>5 selfie attempts).
Multiple faces on selfies
multipleFaces There are multiple faces present in the photo.
Persons seems to be asleep
asleep The person in the picture is asleep.
Similar applicants with different data
sameFaceWithDifferentData Supposedly different data in documents with the similar face detected. Such applicants might also be registered in other services.
Usage of virtual cameras
virtualCameraPresent A visual software simulating real camera is detected.

AML risk labels

AML risk labels are associated with AML screening and monitoring.

Label API name Description
Adverse media
adverseMedia Compromising information related to the applicant was found in the media.
Crime
crime Applicant is suspected of criminal activities.
PEP
PEP Applicant belongs to the PEP (Politically Exposed Person) category.
Sanctions
sanctions Applicant was found in sanctions lists.
Terrorism
terrorism Applicant is suspected of terrorism.

Person risk labels

Person risk labels are assigned when the applicant has certain characteristics as per the following table.

Label API name Description
Famous person
famousPerson Indicates an assumption that the applicant is a famous person.
Name mismatch with the names associated with the email
emailNameMismatchFromWebServices The provided applicant name does not match the names found by the specified email address.
Name mismatch with the names associated with the phone
phoneNameMismatchFromWebServices The provided applicant name does not match the names found by the specified phone number.
No email names found in web services
noEmailNamesFromWebServices No email names found in web services.
No phone names found in web services
noPhoneNamesFromWebServices No phone names found in web services.
Strange name
strangeName Applicant name seems to be not a real one.