Device Risk Signals

Shufti leverages advanced analysis to detect suspicious device and network behaviors, anomalies, and potential fraud during the verification process. If any irregularities are identified, they are flagged in the verification report, enabling businesses to detect patterns of suspicious activity, such as the use of proxies, VPNs, or automated systems. These warnings enable businesses to assess the authenticity of a user's device, location, and actions, providing a clearer picture of potential fraud risks.

Based on the warnings triggered, businesses can take informed actions, such as blocking access, requiring additional verification steps, or escalating the case for manual review to ensure the legitimacy of the user's activity and prevent fraudulent actions.

Warnings & Descriptions

1. Geolocation & Identity Mismatch

This warning is shown when discrepancies between the user's geolocation and the information on their submitted document are detected. Geolocation mismatches may indicate that the user is attempting to conceal their location or use false identification.

a) Country Mismatch

This warning appears when the country listed on the submitted document does not align with the user’s real-time geolocation. A mismatch could indicate that the user is attempting to spoof their location to bypass regional restrictions or fraud detection mechanisms.

b) IP/Timezone Mismatch

This warning appears when the user’s IP geolocation does not match the timezone settings on their device. A mismatch may indicate that the user’s device is configured to appear in a different timezone than where they are physically located, which could raise concerns about their intent or authenticity.
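One way to implement this check, as an added example that is not Shufti's own code: the IP is geolocated to an IANA zone name (assumed to come from an IP intelligence source) and that zone's UTC offset at the verification instant is compared with the offset the device reports. The example also shows the check's inherent limit: two zones that share an offset cannot be told apart, so agreement is never proof of location.

```python
from datetime import datetime
from typing import Optional
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError


def ip_timezone_mismatch(ip_zone: str, device_offset_min: int,
                         when: datetime) -> Optional[bool]:
    """Compare the UTC offset implied by the IP's geolocated IANA zone with the
    offset the device reports, both evaluated at the same instant `when`.

    device_offset_min follows the browser convention (Date.getTimezoneOffset):
    minutes to add to local time to reach UTC, so UTC+2 is reported as -120.
    Returns True on mismatch, False on agreement, None when the zone name is
    not recognised (inconclusive; an unknown zone must not count as a mismatch).
    """
    if when.tzinfo is None:
        raise ValueError("`when` must be timezone-aware")
    try:
        zone = ZoneInfo(ip_zone)
    except (ZoneInfoNotFoundError, ValueError):
        return None
    # Evaluate at the verification instant so DST is honoured: Europe/Berlin is
    # UTC+1 in January but UTC+2 in July, and a stale offset would misfire.
    expected = when.astimezone(zone).utcoffset()
    expected_min = -int(expected.total_seconds() // 60)
    # Limitation: only the offset is compared, so a device in Johannesburg
    # (UTC+2 all year) agrees with a Berlin IP in summer. Treat agreement as
    # "not contradicted", never as proof of location.
    return expected_min != device_offset_min


def check_report(ip_zone: str, device_offset_min: int,
                 observed_at_iso: str) -> Optional[bool]:
    """Wrapper for a report that carries an ISO-8601 timestamp with offset."""
    return ip_timezone_mismatch(ip_zone, device_offset_min,
                                datetime.fromisoformat(observed_at_iso))


if __name__ == "__main__":
    # Constructed sample signals, not real report data.
    print(check_report("Europe/Berlin", -120, "2024-07-01T12:00:00+00:00"))  # False
    print(check_report("Europe/Berlin", -120, "2024-01-15T12:00:00+00:00"))  # True
```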

c) Geo-Spoofing Detected

This warning appears when the user is suspected of using software to fake their geolocation, such as GPS spoofing applications. Geo-spoofing may be used to disguise the user’s true location or identity, a tactic often employed in fraudulent activities.

2. Anonymity & Masking Risks

This section identifies attempts by users to mask their true identity and location, potentially to conceal malicious intent or bypass identity verification checks.

a) VPN Detected

This alert is triggered when a VPN is detected, which may be masking the user’s true IP address and location. VPN usage can indicate an attempt to conceal the user’s actual geolocation, often used to bypass restrictions or fraud prevention mechanisms.

b) Proxy Server Detected

This alert is triggered when the user is detected to be using a proxy server to hide their real IP address. Using a proxy can obscure the user’s location and identity, often a tactic used by fraudsters or malicious users to evade detection.

c) Cloud Hosting Provider Detected

This warning is triggered when access is detected from a cloud hosting provider. Such IPs often indicate automated or bot-driven traffic rather than legitimate users, especially when the access pattern deviates from typical human behavior.

3. Suspicious Network Behavior

This category flags unusual network activity, such as rapid IP changes or a single IP address used by multiple users, which may indicate fraud or unauthorized access attempts.

a) Frequent IP Changes

This warning appears when the user's IP address changes rapidly within a short period. Frequent IP address changes can indicate bot-driven activity or the use of proxies/VPNs to conceal a user’s true identity.

b) IP Associated With Multiple Users

This warning is triggered when multiple users are detected accessing from the same IP address. This may reflect shared usage, coordinated activity, or a potential account takeover.

4. Device & Browser Anomalies

This category highlights potential issues with the user's device or browser environment, which could indicate the use of automated systems or suspicious activity.

a) Emulated Device Detected

This warning appears when the user is detected using an emulated or virtual device rather than a physical one. Emulators can mask the true device being used, often to bypass security or fraud detection mechanisms.

b) Jailbroken or Rooted Device

This warning is triggered when the user is detected using a jailbroken (iOS) or rooted (Android) device. Jailbroken or rooted devices can bypass security restrictions, allowing malicious software or actions to compromise the verification process.

c) Multiple Individuals on Same Device

This warning is triggered when a single device is used to access multiple different user accounts. While this may sometimes result from legitimate scenarios (such as family members or colleagues sharing the same device), it can also be a strong indicator of suspicious behavior. In many cases, fraudulent actors attempt to create and manage several accounts from one device to exploit the system, manipulate activity, or bypass security measures. Therefore, device sharing is considered a high-risk pattern and warrants closer monitoring to distinguish between normal shared usage and potentially fraudulent activity.
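The actions described at the top of the page (block, require additional verification, escalate to manual review) have to be driven by some policy over these warnings. The following is an added example, not Shufti's code: the machine-readable warning codes, the category grouping and the thresholds are all assumptions of this example. Its point is that signals are corroborated across categories rather than acted on one flag at a time, since the page notes that several of them (shared IPs, shared devices) also arise legitimately.

```python
from dataclasses import dataclass, field

# Machine-readable codes for the warnings listed above are an assumption of
# this example; the real report format may use different names.
CATEGORIES = {
    "geolocation": {"country_mismatch", "ip_timezone_mismatch", "geo_spoofing_detected"},
    "anonymity": {"vpn_detected", "proxy_detected", "cloud_hosting_detected"},
    "network": {"frequent_ip_changes", "ip_shared_by_multiple_users"},
    "device": {"emulated_device", "jailbroken_or_rooted", "multiple_users_same_device"},
}
KNOWN = set().union(*CATEGORIES.values())
# Signals the text describes as pointing directly at spoofing or automation.
STRONG = {"geo_spoofing_detected", "emulated_device", "multiple_users_same_device"}


@dataclass
class Decision:
    action: str                       # allow | step_up | manual_review | block
    reasons: list = field(default_factory=list)


def triage(warnings) -> Decision:
    """Map the warnings of one verification report to an action.

    The rules corroborate across categories instead of reacting to single
    flags: a VPN alone asks for more evidence, a VPN plus a country mismatch
    goes to a human. Thresholds are illustrative policy, not vendor guidance.
    """
    w = set(warnings)
    unknown = w - KNOWN
    if unknown:
        raise ValueError(f"unknown warning codes: {sorted(unknown)}")
    hit = {cat for cat, codes in CATEGORIES.items() if w & codes}
    # 1. Cloud-hosted source that also hops IPs: treat as bot traffic.
    if {"cloud_hosting_detected", "frequent_ip_changes"} <= w:
        return Decision("block", ["cloud hosting provider with frequent IP changes"])
    # 2. A strong single indicator is escalated for manual review.
    if w & STRONG:
        return Decision("manual_review", sorted(w & STRONG))
    # 3. Independent categories agreeing (concealment + mismatch) also escalate.
    if len(hit) >= 2:
        return Decision("manual_review", ["corroborated: " + ", ".join(sorted(hit))])
    # 4. A lone concealment, geolocation or device signal: require a step-up check.
    if hit & {"anonymity", "geolocation", "device"}:
        return Decision("step_up", sorted(w))
    # 5. A lone network signal (shared office IP, carrier NAT) is often benign.
    if hit:
        return Decision("allow", ["monitor: " + ", ".join(sorted(w))])
    return Decision("allow")
```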