About Fisherman

Use Sumsub Fisherman to detect fraud as early as applicants are onboarding.

Fisherman is a powerful yet simple tool that allows you to seamlessly integrate fraud detection capabilities into your applications.

With the Sumsub Fisherman solution, you can easily detect and prevent fraudulent activities within your system, providing a safer and more secure environment for your users.

📘

Note

Fisherman is an independent product and can be used separately from other Sumsub products and services.

How Fisherman works

Fisherman detects fraud attempts quickly and efficiently. The process is divided into two main stages:

  1. Data collection. Every time your applicants interact with the application UI—such as filling out forms, clicking buttons, or switching windows or tabs—Fisherman collects the behavioral signals and technical data from their devices.
  2. Data analysis. The collected data is sent to a database, where it is compared against average statistics for standard user behavior. The data is analyzed and assessed to determine whether the user is a suspected fraudster or not.

This process is especially critical for the SDK. Users who upload fake documents may be rejected, but this rejection is unrelated to their behavior. If a user is flagged and blocked during the Fisherman check, it is entirely independent of the standard KYC verification process.

Follow the guide to integrate Fisherman and do not let cyber crooks fool you.

Understanding behavioral signals

Fraud recognition is based not only on analyzing the technical parameters of user devices, but also on evaluating how users interact with these devices through the UI, specifically by examining behavioral signals. Therefore, it is crucial to understand what behavioral signals represent in the context of cyber fraud detection.

Behavioral signals are the patterns of user actions and responses captured during interaction with a software interface. These signals reflect how users navigate, engage, and input data, providing insights into their behavior. The following are a few examples of these signals.

  • Interaction timing — time taken to complete specific actions, such as filling out forms or navigating pages.
  • Mouse dynamics — movement patterns, clicks, and hover behaviors.
  • Keyboard dynamics — typing speed, pressure, and rhythm.
  • Touchscreen gestures — swipe, tap, and pinch actions.
  • Navigation patterns — the sequence and frequency of visited pages or features used.

When compared to the statistical average and analyzed, these signals can uncover patterns of genuine user behavior, which act as a baseline for detecting anomalies or suspicious activity.

Fraud techniques Fisherman can prevent

With Sumsub Fisherman, you can prevent the following and not only methods of fraud.

Bots and automation tools

When used maliciously, automation tools and bots can mimic legitimate user activities such as mass account creation, credential entry, and/or automated form completion. Such user behavior is suspicious and Sumsub Fisherman can detect it. This includes the following behaviors:

  • Unnatural or rapid mouse movements.
  • Irregular typing speeds, inconsistent keystrokes, or unusual input sequences.
  • Rapid filling out forms and pasting information.
  • Signs of automation tools or scripts controlling the device.

Device farms

Technically, device farms are extensive networks of physical devices or virtual environments. While they can serve legitimate purposes, such as testing tools, they are often exploited for fraudulent activities, including ad fraud, synthetic identity creation, or mass account takeovers. Fisherman can detect:

  • Devices with environmental or interaction characteristics resembling those used in device farms, such as persistent motion models, similar device configurations, or unusual IP and network behavior.
  • Abnormal device characteristics that indicate a simulated environment. For example, discrepancies between a device's claimed performance and its actual performance may suggest the use of virtual machines or emulators.

Account takeover

To take over users' accounts, cybercriminals often use stolen credentials or repeatedly attempt to log in using leaked usernames and passwords. To detect this, Fisherman takes into account:

  • Unusual typing patterns, such as inconsistent pauses or erratic input timing during login. Additionally, if users frequently copy and paste, it might suggest they are attempting to crack a password.
  • Frequent autofilling or pasting which can signal an attempt to use pre-compiled lists of account details.

Fake accounts creation

Fraudsters may create fake accounts or engage in illegal activities by fabricating artificial identities and combining real and fictitious data. With Fisherman, you can prevent these attempts by:

  • Detecting rapid or highly uniform form-filling behaviors that indicate the use of automated tools for mass account creation.
  • Spotting atypical touch or typing behaviors during registration, which may signal attempts to create accounts using fake or synthetic identities.

Transaction and payment fraud

When unauthorized transactions or payment methods are attempted, fraudsters often exhibit irregular behavior during sensitive financial processes. Fisherman detects these attempts by identifying abnormal activity at critical transaction stages (e.g., inputting payment information), such as rushed typing or inconsistent touch inputs.

Unauthorized access and identity theft

Identity theft occurs when cybercriminals gain unauthorized access to accounts or personal data. Fisherman detects such breaches by identifying device and environmental irregularities (e.g., logins from unfamiliar devices or locations paired with suspicious user behavior).

Parameters Fisherman collects and analyzes

To detect fraudulent behavior based on user behavior, Fisherman typically collects a variety of parameters and data that capture the nuances of user interactions with the SDK interface. These data points can be then analyzed for anomalies or patterns indicative of fraudulent activity. Below is a detailed breakdown of the types of data and parameters collected.

📘

Note

Fisherman does not collect any personal and/or sensitive information, only behavioral signals and technical parameters that help us analyze user behavior in the system.

User interaction data

These parameters capture how users physically interact with the interface.

  • Keystroke dynamics:
    • Typing speed and rhythm.
    • Error rate (e.g., backspaces or corrections).
    • Transition time between keystrokes.
  • Mouse dynamics and touchscreen interactions.

Navigation and behavioral patterns

These parameters relate to how users navigate and interact with the system.

  • Session timing:
    • Total session duration.
    • Time spent on specific pages or sections.
    • Inactivity periods and session interruptions.
  • Page and action sequences:
    • Order of visited pages.
    • Actions taken (e.g., form submissions, button clicks).
    • Repeated actions or loops (e.g., retrying login).
  • Form interaction:
    • Time taken to fill out forms.
    • Number of corrections or backspaces.
    • Consistency of entered data (e.g., mismatched address formats).

Device and environmental data

These parameters identify the user's device and environment, which can signal anomalies.

  • Device metadata:
    • Device type (desktop, mobile, tablet).
    • Operating system and browser details.
    • Screen resolution and orientation.
  • Network information:
    • IP address and geolocation.
    • Proxy or VPN usage.
  • Environment variables:
    • Language and timezone settings.

Data consistency and contextual parameters

These parameters assess the plausibility and consistency of user behavior.

  • Geographic consistency:
    • Sudden changes in geographic location (e.g., logging in from different countries in a short span).
    • IP address mismatches with registered location.
  • Temporal anomalies:
    • Logging in or performing actions at unusual times (e.g., late at night for the user’s timezone).
    • Frequency of interactions (e.g., repeated login attempts within seconds).
  • Behavioral consistency:
    • Deviation from historical patterns (e.g., slower typing compared to prior sessions).
    • Changes in interaction preferences (e.g., mouse usage vs. keyboard shortcuts).

Data input patterns

These parameters examine the nature of entered data.

  • Formatting errors — inconsistent or improbable data (e.g., invalid email formats, mismatched postal codes).
  • Pasting behavior — detecting pasted inputs (common with bots or stolen credentials).
  • Duplicate data — repeated use of the same credentials or details across multiple accounts.

Anomalous interaction indicators

These flags are raised when interactions deviate significantly from expected patterns.

  • Speed and precision:
    • Actions completed too quickly (e.g., form filling in milliseconds).
    • Perfect cursor paths or timing intervals (indicative of automation).
  • Erratic behavior:
    • Sudden spikes or drops in interaction speeds.
    • Unusual or illogical navigation paths.
  • Automated signatures:
    • Uniform intervals between actions.
    • Known patterns of bots or scripts.

By collecting and analyzing these parameters, Fisherman can detect fraudulent activities, such as bot attacks, account takeovers, or identity theft, while ensuring legitimate users have a seamless experience. The combination of interaction data, device information, and behavioral patterns provides a robust framework for fraud prevention.