Understanding signals
Overview
This user guide helps fraud teams understand where and how to review Detect signals and visualizations within the Dashboard.
What about the API?
For information on using Detect via our API, please see the following pages:
These pages describe the same functionality that this guide does but in a manner suitable for integrating into your own workflows.
If you have any additional questions, contact our Customer Success team at [email protected].
Fraud signals categories
We broadly classify fraud signals in one of two ways:
File Origin Signals
File origin signals inspect and indicate where a document has originated, allowing teams to evaluate whether the document:
- Can be considered authentic.
- Was generated by a financial institution or payroll provider.
File tampering signals
File tampering signals provide information about how a document has been altered after it was generated, allowing teams to assess what types of modifications occurred and what information has been changed.
Most file tampering signals are visualized as colored rectangles overlaid on the submitted pages. See Reviewing Detect signals and Interpreting Visualizations for further details.
Reviewing detect signals
This section describes the information presented in the Dashboard once a document has completed processing and how you can access and review Detect signals.
Book Overview
Detect signals will be available to review in the Dashboard via the Book Overview screen. Books with Detect signals for review will display a red flag in the status column.
The Authenticity Score column gives the lowest Authenticity Score for any document in that Book, allowing users to home in on fraud. The column is sortable, so users can streamline their workflow by directing their attention to severe fraud (low scores) that should be rejected promptly, or to authentic documents (high scores) that can be approved with minimal review.
To access the Book Overview page, select the Book you want to review from the Book List page.
The icons that can be displayed are as follows:
- A green circle indicates that the Document was successfully uploaded and that no fraud signals were found.
- A red flag indicates the document has been processed and Detect signals were found.
- A green partial circle indicates that the capture process has been completed successfully, but Detect is still running.
- A gray hourglass indicates that a file is still being processed. Check back later.
- A red circle indicates that the Document couldn't be processed.
The Book Overview page displays Detect signals at the Book and Document level. See below for details about the information contained in each panel on the Book Overview page.
The panels on the Dashboard are as follows:
Book-level signals
The first panel displays the total number of Detect signals at the Book level, i.e. across all documents within the Book combined.
Note that this panel can be collapsed by clicking the arrow in the top right corner.
Uploads
The second panel displays the Documents within the Book and their respective statuses.
The icons that can be displayed are as follows:
- A green circle indicates that the Document was successfully uploaded, and that no fraud signals were found.
- A red circle indicates that the Document couldn't be processed.
- A red flag indicates the document has been processed and Detect has identified an issue with the document.
- A gray hourglass indicates that a file is still being processed. Check back later.
If there is no flag present, that means there are no Detect signals; in that case, the Status column will display an icon that represents the upload status. Click the left checkbox to view that Document and its associated signals.
Documents
The Documents panel displays the Documents that are contained within whichever file is selected in the second panel. If multiple documents are selected, they will be grouped by type. If multiple bank statements are selected, they will be grouped by bank account. If there are any Detect signals for a document, click on it to review them.
Preview
The preview panel displays the selected Document and the data captured from it. Click on the View Details link to view details about the fraud signals, if any.
Detect
Clicking on the aforementioned link will reveal details and visualizations for each Detect signal.
Don't see anything?
If you can't find this part of the Dashboard, you may need to get Detect enabled for your organization. Please reach out to Customer Support or your account manager.
The panels are as follows:
Book-level signals
This is the same panel that appears in the Book Overview.
Visualizations
The Visualizations panel displays specific regions of the selected Document that were tampered with. In some cases, multiple overlapping signals may be shown. In this case, you can view them individually by selecting the thumbnails in the bottom-right corner.
See Interpreting Visualizations for more information on the visualizations that may be presented.
Details
The Details panel displays the authenticity score given to the document, which is based on the context of what was tampered with and the confidence in the signal, along with specific information about each fraud signal. You can expand individual signal types to reveal details about them.
Different signals have different information associated with them. See here for additional guidance on interpreting them.
You can also view the data captured from this document by selecting the Capture tab.
To return to the Book Overview page, click the X on this panel or the arrow above the Book-Level Signals panel.
Interpreting the Authenticity score
In addition to detailed fraud signals which indicate the context and method of tampering, we provide a single Authenticity score indicating the likelihood that a document is authentic.
The Authenticity score ranges from 0-100. The score weighs the context of what was tampered with and our confidence in the signal.
We categorize scores as follows:
- 0-30: VERY LOW authenticity
- 31-60: LOW authenticity
- 61-80: MEDIUM authenticity
- 81-100: HIGH authenticity
To learn more about how our score is determined and how to choose a threshold for your workflow, see the Authenticity score page.
In addition to a numerical score, reason codes are returned to offer transparency into the score. The reason codes also double as high-level signals that allow for simple logical rules to determine the flow of the document.
Interpreting detect signals
Detect signals provide a short description of what has been uncovered and additional information to help contextualize the signal. File tampering signals are also visualized as colored highlights; see here for further details about what these visualizations mean.
File origin signals
These signals are applied to all supported form types (bank statements, pay stubs, and W-2s). They indicate the presence of tampering that isn't specific to any one type of document.
Signal | Meaning |
---|---|
Editing software detected | The form has been edited with a recognized software package. |
Suspicious document origin | The form was created by a recognized software package. |
Bank statement tampering signals
These signals indicate tampering that's specific to bank statements.
Signal | Meaning |
---|---|
Account Number Edits | The account number has been changed. |
Account Holder Edits | The account holder has been changed. |
Account Holder Address Edits | The account holder's address has been changed. |
Account Type Edits | The account type has been changed. This could refer to account type (e.g. savings or checking) or its branding, among other things. |
Dollar Amount Edits | One or more of the following dollar amounts have been changed: |
Date Edits | One or more of the following dates have been changed: |
Transaction Description Edits | Transaction descriptions have been altered from their original state. |
Misaligned Text | The field or text does not match the expected alignment compared to the rest of the document. |
Unreconciled Balance | A bank statement's beginning and ending balances are invalid and don't reconcile based on the transactions available on the bank statement for the given period. |
Invalid Transaction Dates | The date of the given transaction does not fall within the statement period dates. |
No Transactions Present | There are no records of transactions or transaction pages present in the bank statement. |
Future Date | The date that's been captured is in the future. For example, having a date like August 1 on a bank statement that's supposed to cover the period of June 1 to June 30. |
Invalid Date | The captured date is not valid. For example, February 31st, which doesn't exist on the calendar. |
Future Year | The year that's been captured is in the future. For example, the year on a 2023 bank statement is captured as 2025. |
Invalid Year | The year that was captured is not valid. For example, having the year 2023 on a document that was supposed to be prepared for 2021. |
Suspicious Address | The address could not be validated. To verify the address, we recommend searching the specific address online and being wary of potential auto-corrections to the zip code or other parts of the address that may be made by Google or another search engine. |
Suspected Template | The document was created using software designed for generating document templates. Note: Low confidence suggests that the template generation software detected is used by both suspicious template creation websites and some legitimate providers. Medium confidence means that the software is commonly used by template creation sites. High confidence indicates that Ocrolus has found an exact match to a known template. |
Fingerprint Match | This is a positive indicator that confirms the authenticity of the bank statement’s origin. |
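The arithmetic signals in the table above (Unreconciled Balance, Invalid Transaction Dates, No Transactions Present, Invalid Date) can be re-derived by hand when reviewing a flagged statement. The following Python is an added example, not Ocrolus code or its API; the `Statement` fields, the `check_statement` function and the sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

@dataclass
class Statement:
    period_start: date
    period_end: date
    begin_balance: Decimal
    end_balance: Decimal
    transactions: list  # (captured date string "YYYY-MM-DD", signed Decimal amount)

def check_statement(stmt):
    """Return the sorted names of the consistency signals the statement raises."""
    signals = set()
    if not stmt.transactions:
        signals.add("No Transactions Present")
    total = Decimal("0")
    for raw_date, amount in stmt.transactions:
        total += amount
        try:
            posted = date.fromisoformat(raw_date)
        except ValueError:
            # Captured text is not a real calendar date (e.g. February 31st).
            signals.add("Invalid Date")
            continue
        if not (stmt.period_start <= posted <= stmt.period_end):
            signals.add("Invalid Transaction Dates")
    # The opening balance plus every listed transaction must equal the closing balance.
    if stmt.begin_balance + total != stmt.end_balance:
        signals.add("Unreconciled Balance")
    return sorted(signals)

# Constructed sample: closing balance inflated by 5,000.00, one entry dated
# outside the June period, and one entry with an impossible date.
SAMPLE = Statement(
    period_start=date(2023, 6, 1), period_end=date(2023, 6, 30),
    begin_balance=Decimal("1200.00"), end_balance=Decimal("7150.25"),
    transactions=[("2023-06-03", Decimal("2500.00")),
                  ("2023-06-15", Decimal("-1549.75")),
                  ("2023-08-01", Decimal("-100.00")),
                  ("2023-02-31", Decimal("100.00"))],
)

if __name__ == "__main__":
    print(check_statement(SAMPLE))
```

Amounts are held as `Decimal` so that the balance comparison is exact to the cent; binary floats would produce spurious mismatches.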
Pay stub tampering signals
These signals indicate tampering that's specific to pay stubs.
Signal | Meaning |
---|---|
Employee Taxpayer ID Edits | The employee's social security number has been changed. |
Employee Details Edit | The employee's marital status has been changed. |
Employee Name Edits | Employee name has been changed. |
Employee Address Edits | The employee's address has been changed. |
Employer Name Edits | The employer's name has been changed. |
Employer Address Edits | The employer's address has been changed. |
Earnings Edits | The listed earnings have been changed. |
Deductions Edits | Current or YTD deductions (including taxes) have been changed. |
Date Edits | One or more of the following dates have been changed: |
Pay Frequency Edits | Pay frequency has been changed. |
Online Generated Pay Stub | The pay stub format matches a template from sites known to create pay stubs for a fee. |
Dollar Amount Edits | One or more of the following fields has been changed: |
Future Date | The captured date is in the future. For instance, having a date like August 1 on a pay stub meant for the period of June 1 to June 30. |
Invalid Date | The date that was captured is not valid. For example, mentioning February 31st, which is not a real date. |
Future Year | The date that has been captured is in the future. For example, having the year 2025 on a 2021 document. |
Invalid Year | The captured year is not valid. For example, having the year 2023 on a document that was supposed to be prepared for 2021. |
Suspicious Address | The address could not be validated. To verify the address, we recommend searching the specific address online and being wary of potential auto-corrections to the zip code or other parts of the address that may be made by Google or another search engine. |
Suspected Template | The document was created using software designed for generating document templates. Note: Low confidence suggests that the template generation software detected is used by both suspicious template creation websites and some legitimate payroll providers. Medium confidence means that the software is commonly used by template creation sites. High confidence indicates that Ocrolus has found an exact match to a known template. |
W-2 tampering signals
These signals indicate tampering that's specific to W-2s.
Signal | Meaning |
---|---|
Employee Taxpayer ID Edits | The employee's social security number has been changed. |
Employee Name Edits | The employee's name has been changed. |
Employee Address Edits | The employee's address has been changed. |
Employee ID Edits | The employer's identification information has been changed. This signal indicates that one or more of the following values have been altered: |
Employer Name Edits | The employer's name has been changed. |
Employer Address Edits | The employer's address has been changed. |
Earning Edits | The employee's earnings have been changed. |
Withholding Edits | The employee's withholdings have been changed. |
Date Edits | Dates have been changed. |
Other Edits | Certain other fields have been changed. |
Invalid Social Security Tax Wage Base | Stated Social Security Tax Wage Base exceeds the limit for the year. |
Invalid Social Security Taxes Paid | Stated Social Security Taxes withheld does not match expected 6.2%. |
Invalid Medicare Taxes Paid | Stated Medicare Tax Withholdings do not match the expected amount. |
Invalid Medicare Tax Wage Base | Stated Medicare Wages and Tips are below expected amount based on Total Taxable Wages, Total Tips, and Wages Subject to Social Security Tax. |
Invalid Medicare Wages | Stated Medicare Wages are below expected amount based on Total Taxable Wages and Wages Subject to Social Security Tax. |
Invalid Federal Income Tax for Statutory Employee | Statutory Employee should not have reportable Federal Income Tax. |
State Taxes Paid in Non-Collecting State | State taxes being paid in a state that doesn't collect state taxes. |
State Taxes not Paid | State taxes not being paid in a state that does collect state taxes. |
Invalid State Tax Wage Base | State income taxes paid do not reconcile with state income tax wage base. |
Social Security Tax Wage Base is Blank | Social Security Tax Wage Base is blank. Verify applicant is religious worker or H-2A visa worker. |
Medicare Wage Tax Base is Blank | Medicare Tax Wage Base is blank. Verify applicant is religious worker or H-2A visa worker. |
Invalid State Income Taxes Paid | State income taxes paid do not match the expected amount based on the state tax rate and state income tax wage base. |
Future Date | The captured date is in the future. For instance, having a date like January 1 on a W-2 form from next year. |
Invalid Date | The date that was captured is not valid. For example, mentioning February 31st, which is not a valid date. |
Future Year | The captured date is in the future. For example, having the year 2025 on a 2021 document. |
Invalid Year | The captured year is invalid. For example, having the year 2023 on a document that should have been prepared for the year 2021. |
Suspicious Address | The address could not be validated. To verify the address, we recommend searching the specific address online and being wary of potential auto-corrections to the zip code or other parts of the address that may be made by Google or another search engine. |
Suspected Template | The document was created using software designed for generating document templates. Note: Low confidence suggests that the template generation software detected is used by both suspicious template creation websites and some legitimate payroll providers. Medium confidence means that the software is commonly used by template creation sites. High confidence indicates that Ocrolus has found an exact match to a known template. |
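Several W-2 signals in the table above are plain arithmetic on the captured box values, so a reviewer can confirm them independently. The following Python is an added example, not Ocrolus code; the function name, parameters and one-cent tolerance are assumptions, and the wage base limits are the SSA-published figures for those years rather than values from this page.

```python
from decimal import Decimal

# Social Security wage base limits published by the SSA (not stated on this page).
SS_WAGE_BASE = {2021: Decimal("142800"), 2022: Decimal("147000"), 2023: Decimal("160200")}
SS_RATE = Decimal("0.062")    # the 6.2% referred to in the signal table
TOLERANCE = Decimal("0.01")   # assumption: allow one cent of rounding

def check_w2(year, ss_wages, ss_tax, fed_tax, statutory_employee=False):
    """Return the arithmetic signals raised by the captured W-2 values.

    ss_wages, ss_tax and fed_tax are Decimal, or None when the box is blank.
    """
    signals = []
    if ss_wages is None:
        signals.append("Social Security Tax Wage Base is Blank")
    else:
        limit = SS_WAGE_BASE.get(year)
        if limit is not None and ss_wages > limit:
            signals.append("Invalid Social Security Tax Wage Base")
        expected = (ss_wages * SS_RATE).quantize(Decimal("0.01"))
        if ss_tax is None or abs(ss_tax - expected) > TOLERANCE:
            signals.append("Invalid Social Security Taxes Paid")
    if statutory_employee and fed_tax is not None and fed_tax > 0:
        signals.append("Invalid Federal Income Tax for Statutory Employee")
    return signals

if __name__ == "__main__":
    # Constructed values: wages above the 2023 limit, tax consistent with 6.2%.
    print(check_w2(2023, Decimal("185000"), Decimal("11470.00"), Decimal("30000")))
```

A W-2 whose Social Security wages were inflated but whose tax box was recomputed at 6.2% still raises the wage base signal, which is why the two checks are kept separate.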
Interpreting visualizations
Detect visualizes specific regions that have been tampered with.
The name of the current visualization type is shown at the bottom of the Detect dashboard's visualization panel. You can hover over the grey question mark for details about the visualization.
The following sections describe the available visualizations.
Tamper overview
This overview aggregates all other visualizations into one image. See the other sections for more information about the individual visualizations.
Recovered document
Some signals include the original text of the document (i.e. before it was tampered with). In such a case, this visualization shows the original document next to the received document, with any changes highlighted in red.
Tampered fonts
Multiple fonts have been used within the same field. The original font is shown with green highlights, while red and purple indicate additional fonts.
Added fonts
Text that has been added to the document is highlighted in red.
Overwritten text
New text has been added over existing text. If the original text was recovered, it will be highlighted in green. Modified text will be highlighted in red.
What if there's only one color?
In some cases, we may not be able to recover the original text, even if we still believe it was tampered with.
Misaligned text
The Misaligned Text visualization highlights the expected alignment of fields in grey and misalignments or discrepancies in red.