Detect

Retrieve suspicious activity data for uploaded documents

Detect combines algorithmic checks and reviews from specialists to stop fraud in its tracks.
By design, suspicious activity flags detect:

  • File tampering
  • Inconsistencies in data within a single document
  • Inconsistencies in data across multiple documents

🚧

Watch out for false positives!

Although Ocrolus detects potentially fraudulent activity, final determination of fraud is up to you. Some of the flagged documents that appear suspicious may have an explainable reason. For example:

  • Documents with multiple names might belong to someone who recently changed theirs, or to someone whose name has multiple spellings.
  • Unusual image data could be due to poor image conversion on the part of the document's owner.
  • Incorrect math can just be a simple error.

We encourage you to review any activity that Ocrolus reports as suspicious.

File tampering

Ocrolus's File Tamper Detection (FTD) technology identifies data in readable PDFs that was not part of the original PDF. For example, text added to an original PDF. The FTD checks use machine learning algorithms to unveil fraudulent activity such as balance padding, account takeovers, and loan stacking. The checks automatically occur when you upload a bank statement, paystub, or W2.

You can view the results of an FTD check in the suspicious activity results flags (response.suspicious_activity_results.flags) array. The response of the Suspicious activity flags endpoint includes the array.

Example - flags object

{
  "suspicious_activity_detected": true,
  "reason": "FILE_TAMPERING",
  "suspicious_activity_location": {
    "upload_origin": "PRE_IDENTIFIED",
    "doc_uuid": "cdbc74e9-e567-46e4-84ff-ef09d41fa450",
    "suspicious_activity_page_indexes": [
      0
    ]
  }
}

Inconsistencies in data within a single document

Detect inconsistencies within a single document that may suggest suspicious activity.
Every time you upload a bank statement to Ocrolus, Ocrolus scans the document for inconsistencies, including:

  • Incomplete transaction data
  • Invalid amounts
  • Balance missing pages
  • Photoshopped data

Any flagged results from the scan return in the form of suspicious activity flags in the periods object.
The periods object is part of the response of either of the following endpoints:

Example - period object

  {
    "pk": 1050,
    "begin_date": "03/28/2014",
    "end_date": "04/11/2014",
    "begin_balance": "5000.00",
    "end_balance": "1000.00",
    "primary_recon_error_reason": "Potential Fraud",
    "secondary_recon_error_reason": "Photoshopped Data",
    "period_month_days": {...},
    "period_month_txns": {...}
  }

Next steps

To learn how to upload, capture, and analyze an example document, see our Getting started with bank statements guide. Once you complete the steps in the tutorial, use the Suspicious activity flags endpoint to download example suspicious activity results.


See also
Did this page help you?