Understanding signals
The Detect signals in Ocrolus provide insights into potential fraud by highlighting indicators that may suggest tampering or manipulation within documents. The enhanced Detect combines three detection layers, namely Resistant AI (RAI) forensic analysis, Ocrolus fraud detection algorithms, and Authenticity Status classification, into a single, unified fraud assessment.
These signals are automatically flagged during document processing and allow you to quickly identify suspicious activity. For example, the system may detect edits to account numbers, amounts, document origins, metadata anomalies, AI-generated artifacts, or screenshot-based submissions. Each signal is visualized to help you review highlighted areas that may require further investigation.
In addition to Dashboard, you can also use Detect via our API. To know more, refer to the following pages:
These pages explain the same functionality as this guide but in a format tailored for integration into your workflows. If you need further assistance, feel free to contact our support team at [email protected].
Fraud signals categories
We broadly classify fraud signals in one of two ways:
RAI metadata and forensic signals
RAI metadata and forensic signals are powered by Resistant AI and evaluate the structural integrity and origin of a document through deep forensic inspection. These signals analyze properties that are typically not visible during standard document review, such as how the document was created, whether it has been digitally modified, and whether its metadata aligns with what is expected from a legitimate issuer.
By inspecting documents at a forensic level, these signals help determine whether a document can be trusted or requires further verification. Most forensic signals are displayed as colored overlays on the document pages, making it easy to visually identify areas of concern. For more information, see see Reviewing Detect signals and Interpreting Visualization.
Ocrolus algorithmic signals
Ocrolus algorithmic signals are generated by proprietary fraud detection algorithms and focus on validating the accuracy and consistency of data captured from a document. Instead of analyzing how a document was created, these signals evaluate whether numbers, dates, and calculations are internally consistent and align with expected rules.
These signals help identify cases where values may have been altered in ways that break internal consistency, even when the document appears visually untampered.
Reviewing detect signals
This section explains how the information is displayed in the Ocrolus Dashboardafter a document has finished processing, and guides you on how to access and review Detect signals.
Book overview
Detect signals will be available to review in the Dashboard on the Book Overview screen. Books with Detect signals for review will display a red flag in the Status column.
The Authenticity Score column displays the lowest Authenticity Score for any document within a Book. This will help you identify potential fraud more efficiently. This column is sortable and allows you to prioritize your workflow by focusing on documents with low scores, which may indicate severe fraud and require immediate attention, or high scores, which are likely authentic and can be approved with minimal review.
To access the Book Overview page, select the Book you want to review from the Book List page. All the Books are displayed on the Ocrolus Dashboard, sorted by the Authenticity Score column, with lower scores appearing at the top. Books processed before the Authenticity Score release on November 15 will not have an associated score and will be listed at the bottom, regardless of the sorting direction. This allows you to easily focus on more critical cases by directing attention to documents with lower Authenticity Scores that may indicate fraud.
Understanding signal icons
The following five icons indicate the status of a document:
- Green check circle: The document was successfully uploaded and processed. No fraud signals were detected, or the document received an Authenticity Score above 80, indicating high authenticity.
- Red flag: The document has been processed and Detect has identified fraud signals. The tooltip displays Detect signals found.
- Green partial check circle: The capture process has been completed successfully, but the Detect process is still running.
- Gray check circle with hourglass: The document is still being processed. Please check back later.
- Red tirangle with with exclamation mark: The document was rejected. The tooltip displays the rejection reason such as Rejected: instant not supported.
The Book Overview page displays Detect signals at the Book and Document level. See below for details about the information contained in each panel on the Book Overview page.
The panels on the Dashboard are as follows:
Book-level signals
It displays the total number of Detect signals at the Book level, representing all signals detected across all documents within the Book combined. This makes it clear and consistent for users to understand the significance of Detect signals at the Book level.
Uploads
It displays the Documents within the Book and their respective statuses. To learn more about signal icons shown on UI, see the Understanding signal icons section.
A red flag appears when Detect identifies risk signals and the document’s Authenticity Score is below 80. A green check circle indicates that no fraud signals were detected, or the document received an Authenticity Score above 80, indicating high authenticity. Use the checkbox on the left to open a document and review its associated signals.
Documents
It displays the Documents that are contained within whichever file is selected in Uploads. If multiple documents are selected, they will be grouped by type. If multiple bank statements are selected, they will be grouped by bank account. If there are any Detect signals for a document, click on it to review them.
Preview
It displays the selected Document and the data captured from it. Click on the View Details link to view details about the fraud signals, if any.
Detect
Clicking on the Preview link will reveal details and visualizations for each Detect signal.
Don't see anything?If you can't find this part of the Dashboard, you may need to get Detect enabled for your organization. Please reach out to Customer Support at support team at [email protected] or your account manager.
The panels are as follows:
Book-level signals
This is the same panel that appears in the Book Overview.
Visualizations
The Visualizations panel displays specific regions of the selected Document that were tampered with. In some cases, multiple overlapping signals may be shown. In this case, you can view them individually by selecting the thumbnails in the bottom-right corner.
To know more about visualizations that may be presented, see Interpreting Visualizations.
Details
This panel displays Authenticity Score and Authenticity Status given to the document and highlights key observations related to the document. It also provides details for each Detect signal, grouped by type. You can expand each signal group to view additional information.
Each signal includes an indicator:
- A red dot indicates a risk signal. Hover over it to view the label as Risk.
- A green dot indicates a trust signal identified for the document.
- A blue dot indicates an informational signal.
You can use the Expand All option to view details for all signal types at once.
Different signals have different information associated with them. To know more about additional guidance on interpreting them, see Intepreting Detect signals.
You can also view the data captured from this document by selecting the Capture tab.
To return to the Book Overview page, click the X on this panel or the arrow above the Book-Level Signals panel.
Interpreting Authenticity Score
In addition to detailed fraud signals which indicate the context and method of tampering, we provide a single Authenticity Score indicating the likelihood that a document is authentic.
The Authenticity Score ranges from 0-100. The score weighs the context of what was tampered with and our confidence in the signal.
We categorize scores as follows:
- 0-55: LOW authenticity
- 56-80: MEDIUM authenticity
- 81-100: HIGH authenticity
To learn more about how our score is determined and how to choose a threshold for your workflow, see the [Authenticity Score](https://docs.ocrolus.com/docs/authenticity-score page.
In addition to a numerical score, high-level observations provide transparency into the assessment by summarizing key findings in the document.
Detect signals are generated from multiple sources, including metadata-based and algorithmic signals. These signals also serve as high-level indicators that can help determine the document’s review flow.
Interpreting Detect signals
Detect signals provide a short description of what has been uncovered and additional information to help contextualize the signal. File tampering signals are also visualized as highlighted regions on the document such as red boxes around affected fields. To know more about visualizations, see Interpreting visualizations.
RAI metadata and forensic indicators
These indicators are powered by RAI and apply across all supported document types. They detect hidden manipulation, document origin issues, and structural anomalies that are typically not visible during standard review.
| Signal | Meaning |
|---|---|
anomalous_pdf_structure | Documents from this issuer typically follow a consistent structure. This one differs in layout, metadata, or file structure, suggesting it may have been edited, recreated, or saved using different software. |
suspicious_producer | The document was produced or modified using tools that are unusual for the identified issuer, suggesting possible reprocessing or tampering. |
overlapping_content | Content is layered over existing elements, such as text or images placed on top of backgrounds or scanned pages, potentially obscuring original content. |
anomalous_font | Fonts used in the document are not typically associated with this issuer or document type. |
digital_print | The document appears to be exported from a digital source, such as a PDF converted into an image, which may conceal editing traces or remove metadata. |
unusual_pdf_structure | Structural elements such as metadata, layout, fonts, or generation patterns do not match known issuer formats or standard document structures. |
content_tampering_suspected | Visual inconsistencies suggest that specific characters, fields, or regions may have been digitally altered. |
image_of_known_document | The document is submitted as an image of a type typically available as a native PDF, limiting access to metadata and structural details needed for verification. |
document_from_online_generator | The document originates from an online generation service, offering limited insight into content creation and requiring additional scrutiny. |
editing_software_detected | The document was modified or saved using third-party editing or design software, which may indicate tampering, especially when combined with other anomalies. |
content_diff_between_versions | Differences detected between versions of the same document indicate changes to content, which may suggest fraud. |
has_only_images | The document contains only images, possibly due to scanning or conversion, limiting the ability to extract and verify text. |
has_piece_info | Variable data elements detected in the document structure suggest that certain applications were used to create or modify the document. |
expected_pdf_structure | The document structure aligns with known authentic patterns for the document type. |
unmodified_per_metadata | Metadata timestamps show no evidence of incremental updates or modifications after creation. |
screenshot | The document appears to be a screenshot or screen capture, which may obscure editing artifacts or metadata. |
NoteThe list above represents the most common RAI indicators and is not exhaustive. RAI indicators are continuously updated as part of live fraud detection, and new indicators may be added over time.
Ocrolus algorithmic signals
These signals are generated by Ocrolus's proprietary fraud detection algorithms. They validate the accuracy and consistency of the data captured from a document and are specific to each document type.
Bank statement signals
| Signal | Meaning |
|---|---|
unreconciled_bank_statement_balance | The bank statement's beginning and ending balances do not reconcile based on the transactions for the given period. |
invalid_bank_statement_txn_date | The transaction date does not fall within the statement period. |
future_date | The captured date is in the future. |
future_year | The captured year is in the future. |
Pay stub signals
| Signal | Meaning |
|---|---|
EmployeeInfo:hireDate | The employee hire date is invalid or inconsistent. |
PayDetails:payDate | The pay date is invalid or inconsistent. |
PayDetails:periodEndDate | The period end date is invalid or inconsistent. |
PayDetails:periodStartDate | The period start date is invalid or inconsistent. |
invalid_date | A captured date value is invalid. |
unreconciled_gross_pay | The gross pay does not match the sum of the current pay across all earnings categories. |
unreconciled_hourly_current_pay | Hourly current pay does not reconcile with reported earnings. |
mismatched_pay_basis | The pay basis is inconsistent with other reported pay information. |
future_date | The captured date is in the future. |
future_year | The captured year is in the future. |
W-2 signals
| Signal | Meaning |
|---|---|
missing_medicare_tax | Medicare tax is missing from the W-2. |
missing_social_security_tax | Social Security tax is missing from the W-2. |
missing_federal_income_tax | Federal income tax is missing from the W-2. |
missing_state_income_tax | State income tax is missing from the W-2. |
unusual_retirement_amount | The retirement contribution amount appears unusual for the reported wages. |
unreconciled_fica_ss_tax | FICA Social Security tax does not reconcile with expected calculations. |
unreconciled_fica_medicare_tax | FICA Medicare tax does not reconcile with expected calculations. |
invalid_state_income_tax | State income tax values are invalid or inconsistent. |
mismatched_pay_basis | The pay basis is inconsistent with other reported pay information. |
unreconciled_gross_pay | Gross pay does not reconcile with reported wage components. |
unreconciled_hourly_current_pay | Hourly current pay does not reconcile with reported earnings. |
excessive_social_security_tax_wage_base_limit | Social Security Tax Wage Base exceeds the limit for the year. |
unreconciled_social_security_tax_withholding | Social Security taxes withheld do not match expected 6.2%. |
invalid_medicare_wages_and_tips | Medicare wages and tips are below expected amounts based on related fields. |
invalid_medicare_wages | Medicare wages are below expected amounts based on related fields. |
unreconciled_medicare_tax_withholding | Medicare tax withholding does not reconcile with expected amounts. |
invalid_statutory_employee_federal_tax | Statutory employees should not have reportable federal income tax. |
invalid_state_taxes_paid | State taxes are being paid in a state that does not collect them. |
state_taxes_not_paid | State taxes are not being paid in a state that does collect them. |
unreconciled_state_tax_base | State income taxes paid do not reconcile with the wage base. |
social_security_wage_base_missing | Social Security Tax Wage Base is missing. |
medicare_wage_base_missing | Medicare Tax Wage Base is missing. |
future_year | The captured year is in the future. |
future_date | The captured date is in the future. |
Interpreting visualizations
Detect highlights specific regions of the document where anomalies or potential tampering are detected. These areas are marked with red boxes, making it easy to identify fields or content that may require further review.
The name of the current visualization type is shown at the bottom of the visualization panel. You can hover over the grey question mark to view additional details about the visualization.
The visualization panel on the left displays the document pages with highlighted areas. Each red box corresponds to one or more signals listed in the Detect panel on the right. You can click on individual signals in the Detect panel to understand what was detected in each highlighted area.
Signals from both RAI forensic analysis, such as content manipulation, suspicious edits, and unusual PDF structure, and Ocrolus algorithmic checks, such as invalid Social Security taxes or Medicare taxes, are displayed together in a single panel to provide a unified view of detected anomalies.
Updated 8 days ago