Fraud Network Detection

Stay one step ahead of fraud with the new AI-based solution from Sumsub.

Fraud Network Detection helps you uncover hidden connections between applicants using all data available within the Sumsub platform. Instead of reviewing accounts one by one, you can see how they relate to each other — through shared devices, IPs, cookies, document templates, selfie images and selfie backgrounds, liveness signals, behavioral patterns, and other technical attributes.

The solution focuses on detecting coordinated or linked activity that would be impossible to identify at the single-applicant level. By analyzing both technical infrastructure and identity-level similarities, it surfaces patterns that indicate risks of organized or abusive behavior.

Fraud Network Detection is especially effective for:

  • Detecting multi-accounting. Identify users who create multiple accounts to bypass rules and abuse the platform.
  • Exposing account farms. Uncover large-scale account creation driven by shared infrastructure, automation, or repeated document and selfie patterns.
  • Identifying money mules. Reveal networks of accounts created to be operated by third parties or used to move funds on behalf of others.
  • Uncovering organized fraud rings. Pinpoint groups of individuals coordinating fraudulent activity, even when they use different identities, devices, or environments.

By shifting the focus from isolated applicant checks to relationship analysis across identity, behavioral, and technical signals, Fraud Network Detection enables proactive investigation of complex fraud schemes at scale.

How Fraud Network Detection works

Fraud Network Detection analyzes data collected during user verification across connected Sumsub services, including ID verification, address verification, Liveness checks, and Device Intelligence. It continuously evaluates this information to identify meaningful patterns that indicate connections between applicants.

As soon as the system detects a strong and reliable pattern — for example, shared device infrastructure, repeated document templates, similar selfie backgrounds, or behavioral overlaps — it links the relevant applicants into a network. More complex patterns may require additional data and time to accumulate before a confident connection can be established.

Once a pattern is confirmed, a new applicant network is created automatically. These networks are dynamic: if new applicants exhibit the same signals or behavioral characteristics, they are added to the existing network in real time.

For Fraud Network Detection, a fraudulent applicant is any applicant who was either:

  • Blocklisted with the BLOCKLIST rejection label.
  • Rejected with one of the following rejection labels: FORGERY, FRAUDULENT_PATTERNS, DOCUMENT_TEMPLATE, FRAUDULENT_LIVENESS, or STOLEN_DOCS.

If at least one applicant in a fraud network is marked as fraudulent, Sumsub can add one of the following risk labels to other applicants linked to this applicant depending on the case context and the strength of the detected connection:

  • Strong link to fraudulent applicant — A strong link to a known fraudulent applicant is detected based on duplicate search, such as biometrics, documents, email, or phone, or a reliable fraud networks pattern, such as the exact same device.
  • Potential link to fraudulent applicant — A potential link to a known fraudulent applicant is detected based on a fraud networks pattern with softer signals, such as a similar device.

Applicant link visibility depends on the link type:

  • Duplicate-based links are visible to all clients.
  • Network-based links, including both Strong link to fraudulent applicant and Potential link to fraudulent applicant, are visible only if you have Fraud Networks enabled for your client key.

You can review detected networks directly in the Dashboard or access it via API, allowing you to integrate network insights into your decision-making flows, automation logic, or investigation processes.

Get started with Fraud Network Detection

Almost nothing is needed to start detecting potential fraudulent patterns amongst your applicants:

  1. Contact your Customer Success Manager to implement Fraud Networks Detection in your verification process.
  2. Review the results on the criminal connections detected when verifying applicants.
📘

Use WebSDK, MobileSDK and Device Intelligence

Fraud Network Detection becomes more powerful as more data is available. The broader the signal coverage, the more accurately the system can identify hidden relationships and coordinated activity.

To maximize effectiveness, it is strongly recommended to enable Device Intelligence and use WebSDK or MobileSDK so that Sumsub can collect richer behavioral and technical signals during verification.

Review Fraud Network Detection results

You can find the results on the Fraud Network Detection findings in the following ways:

  • Use the Sumsub API:
    • To get the list of all fraud networks, use this method.
    • To get the list of all fraud networks by applicantId, use this method.
    • To get the fraud network by networkId, use this method.
  • In the Dashboard, go to the Applicants menu and select the Networks tab. Here, you can see the list of fraud networks associated with your applicants.
  • In an applicant profile, scroll down to the Applicant Networks block and find information on the fraud networks related to the applicant.

The following table describes network properties available in the Dashboard:

Property nameDescription

Network ID

Shows a unique identifier of a network.

Created

Contains information on the date when a network was created.

ModifiedShows the date when the last applicant was added to the network.
PatternIndicates the reasons for network creation and its similarities:

  • Exact same device — applicants used shared device and camera during verification (high confidence signal).

  • Similar device – applicants may use the same devices during verification (moderate confidence signal).

  • Same IP address – multiple applicants pass identity verification using the same IP address.

  • Same address – applicants provide PoA documents which indicate similar addresses.

  • Similar ID documents – some similarities in the applicants' ID documents have been detected.

  • Similar POA documents – some similarities in the applicants' PoA documents have been detected.

  • Similar selfie backgrounds – the same background has been detected on the applicants' selfies.
StatsShows the statistics based on the following parameters:

  • Number of rejected/approved/pending applicants.

  • Top 3 countries.

  • Median age of applicants.
NotesContains the notes that you have added to the case including the attached tags.

Export detected Fraud Networks as CSV

You can export the results of Fraud Network Detection from the Dashboard as a CSV report.

A generated CSV export contains the networks matching your selection, with one row per applicant. Network-level fields (such as network.id, network.reasons, and network.reviewStatus) repeat across every applicant row within each network, allowing a single file to contain many networks without nesting.

📘

Note

To download CSV exports you must have the Download bulk applicant report permission.

To export Fraud Network Detection results:

  1. In the Dashboard, go to ApplicantsNetworks.
  2. Apply the required filters if needed.
  3. Click Download CSV in the upper-right corner.
👍

Tip

You can also select the specific networks that will be included in the report by using the checkboxes next to the Network ID and clicking Download CSV within the selection toolbar at the bottom of the screen.

Available CSV export fields

The following fields are available in the exported CSV files:

Value in reportDescriptionAdditional permission requirements
network.idUnique network identification number.-
network.createdAtTime and date of network creation.-
network.modifiedAtDate and time when the network was last updated (when the last applicant was added). -
network.reviewStatusCurrent processing status of the network: completed (fully processed) or pending (still being processed). -
network.reasonsSignals that triggered network creation, listed as comma-separated codes (for example, exactSameDevice, similarDevice, ip). -
applicant.idUnique applicant identifier in the Sumsub system.-
applicant.externalUserIdUnique applicant identifier in your system.-
applicant.createdAtTime and date when the applicant profile was created.-
applicant.addedAtTime and date when the applicant was added to the network.-
applicant.reviewStatusCurrent verification status of the applicant.-
applicant.reviewAnswerFinal verification result displaying the GREEN or RED status:
  • GREEN — the applicant has passed verification.
  • RED — the applicant has not passed verification.
-
applicant.rejectReasonsRejection labels assigned to the applicant, listed as comma-separated codes (for example, FORGERY, DUPLICATE, FRAUDULENT_LIVENESS). Empty if the applicant was not rejected. -
applicant.levelName of the verification level used for verification.  -
applicant.riskLabelsRisk labels detected for the applicant, listed as comma-separated codes (for example, highRiskIp, manyApplicantsSameDevice, vpnUsage).Requires the View check results permission
applicant.riskScoreNumeric risk score assigned to the applicant. Empty if not calculated.Requires the View check results permission. 
applicant.countryApplicant country (ISO 3166-1 alpha-3). Empty if not available.Requires the View applicant's personal data permission.

View network data as table, chart, or map

When checking the network data, you can switch between the table and chart views:

The table view shows the list of applicants with the links and all related information.

The table view shows the list of applicants with the links and all related information.


The chart displays applicants, their IP addresses, device fingerprints, and various templates as nodes connected by edges.

The chart displays applicants, their IP addresses, device fingerprints, and various templates as nodes connected by edges.


The map view shows the applicants’ locations on a global map based on their detected IP addresses.

The map view shows the applicants’ locations on a global map based on their detected IP addresses.



Did this page help you?