Understanding signals


This user guide helps fraud teams understand where and how to review Detect signals and visualizations within the Dashboard.


What about the API?

For information on using Detect via our API, please see the following pages:

These pages describe the same functionality that this guide does, but in a manner suitable for integrating into your own workflows.

If you have any additional questions, contact our Customer Success team at [email protected].

Fraud Signals Categories

We broadly classify fraud signals in one of two ways:

File Origin Signals

File origin signals inspect and indicate where a document has originated, allowing teams to evaluate whether the document:

  • Can be considered authentic.
  • Was generated by a financial institution or payroll provider.

File Tampering Signals

File tampering signals provide information about how a document has been altered after it was generated, allowing teams to assess what types of modifications occurred and what information has been changed.

Most file tampering signals are visualized as colored rectangles overlaid on the submitted pages. See Reviewing Detect signals and Interpreting Visualization for further details.

Reviewing Detect Signals

This section describes the information presented in the Dashboard once a document has completed processing and how you can access and review Detect signals.

Book Overview

Detect signals will be available to review in the Dashboard via the Book Overview screen. Books with Detect signals for review will display a red flag in the Detect Signals column. The number beside the red flag represents the total number of Detect signals within the book. To access the Book Overview page, select the book you would like to review from the Book Listing page.


Several books are listed on the Ocrolus Dashboard. Two books respectively have two and ten Detect signals.

The Book Overview page displays Detect signals at the Book and Document level. See below for details about the information contained in each panel on the Book Overview page.

The panels on the Dashboard are as follows:

Book-Level Signals

The first panel displays the total number of Detect signals at the Book level, i.e. across all documents within the Book combined.


The leftmost panel on the dashboard. 132 signals have been identified in the book. Sensitive information about the book and our analysis has been redacted.

Note that this panel can be collapsed by clicking the arrow in the top right corner.


The second panel displays the Documents within the Book and their respective statuses.


The second panel of the Ocrolus Dashboard, showcasing three bank statements in a book. One bank statement is selected. All three bank statements are flagged as having Detect signals.

The icons that can be displayed are as follows:

  • A green circle indicates that the Document was successfully uploaded, and that no fraud signals were found.
  • A red circle indicates that the Document couldn't be processed.
  • A red flag indicates the document has been processed and Detect has identified an issue with the document.
  • A gray hourglass indicates that a file is still being processed. Check back later.

The four icons that indicate the status of a document. The green circle means Completed, the red flag means Completed with Detect signals, the red circle means Rejected, and the gray hourglass means Processing.

If there is no flag present, that means there are no Detect signals; in that case, the Status column will display an icon that represents the upload status. Click the left checkbox to view that Document and its associated signals.


The Documents panel displays the Documents that are contained within whichever file is selected in the second panel. If multiple documents are selected, they will be grouped by type. If multiple bank statements are selected, they will be grouped by bank account. If there are any Detect signals for a document, click on it to review them.


Three selected bank statements from a book, grouped under a Bank Statements heading within the Documents panel. Two of the documents are flagged for fraud.


The preview panel displays the selected Document and the data captured from it. Click on the View Details link to view details about the fraud signals, if any.


The first page of a four-page bank statement is shown on the Preview tab. The user is prompted to review signals of fraud within this document.


Clicking on the aforementioned link will reveal details and visualizations for each Detect signal.


The Detect dashboard showing a sample bank statement with 57 fraud signals, some of which are highlighted on the selected page.


Don't see anything?

If you can't find this part of the Dashboard, you may need to get Detect enabled for your organization. Please reach out to Customer Support or your account manager.

The panels are as follows:

Book-Level Signals

This is the same panel that appears in the Book Overview.


The Visualizations panel displays specific regions of the selected Document that were tampered with. In some cases, multiple overlapping signals may be shown. In this case, you can view them individually by selecting the thumbnails in the bottom-right corner.

See Interpreting Visualizations for more information on the visualizations that may be presented.


The details panel shows specific information about each fraud signal. You can expand individual signal types to reveal details about them.


Several fraud signals are shown on the Details panel. The Transaction Description Edits section is expanded, identifying specific transactions that were altered.

Different signals have different information associated with them. See here for additional guidance on interpreting them.

You can also view the data captured from this document by selecting the Capture tab.


Specific transactions captured from a bank statement are shown on the Details panel.

To return to the Book Overview page, click the X on this panel or the arrow above the Book-Level Signals panel.

Interpreting Detect Signals

Detect signals provide a short description of what has been uncovered and additional information to help contextualize the signal. File tampering signals are also visualized as colored highlights; see here for further details about what these visualizations mean.

File Origin Signals

These signals are applicable to all supported form types (bank statements, pay stubs, and W-2s). They indicate the presence of tampering that isn't specific to any one type of document.

Signal Meaning
Editing software detected The form has been edited with a recognized software package.
Suspicious document origin The form was created by a recognized software package.

Bank Statement Tampering Signals

These signals indicate tampering that's specific to bank statements.

Signal Meaning
Account number edits The account number has been changed.
Account holder edits The account holder has been changed.
Account holder address edits The account holder's address has been changed.
Account type edits The account type has been changed. This could refer to account type (e.g. savings or checking) or its branding, among other things.
Dollar amount edits One or more of the following dollar amounts have been changed:
  • Beginning balance
  • Ending balance
  • Total deposits
  • Total withdrawals
  • Daily balance
  • Individual amounts
  • Ledger balances
Date edits One or more of the following dates have been changed:
  • Begin date
  • End date
  • Individual dates
Transaction edits Transactions or transaction descriptions have been changed.

Pay Stub Tampering Signals

These signals indicate tampering that's specific to pay stubs.

Signal Meaning
Employee taxpayer ID edits The employee's social security number has been changed.
Employee details edits The employee's marital status has been changed.
Employee name edits Employee name has been changed.
Employee address edits The employee's address has been changed.
Employer name edits The employer's name has been changed.
Employer address edits The employer's address has been changed.
Earnings edits The listed earnings have been changed.
Deductions edits Current or YTD deductions (including taxes) have been changed.
Date edits One or more of the following dates have been changed:
  • Hire date
  • Pay date
  • Period start date
  • Period end date
Pay frequency edits Pay frequency has been changed.

W-2 Tampering Signals

These signals indicate tampering that's specific to W-2s.

Signal Meaning
Employee taxpayer ID edits The employee’s social security number has been changed.
Employee name edits The employee's name has been changed.
Employee address edits The employee's address has been changed.
Employer ID edits The employer's identification information has been changed. This signal indicates that one or more of the following values have been altered:
  • Employer control number
  • Employer ID number
  • Employer primary state ID number
  • Employer secondary state ID number
Employer name edits The employer's name has been changed.
Employer address edits The employer's address has been changed.
Earnings edits The employee's earnings have been changed.
Withholding edits The employee's withholdings have been changed.
Date edits Dates have been changed.
Other edits Certain other fields have been changed.

Interpreting Visualizations

Detect visualizes specific regions that have been tampered with.

The name of the current visualization type is shown at the bottom of the Detect dashboard's visualization panel. You can hover over the grey question mark for details about the visualization.


The bottom-left corner of the visualizations panel is shown. The current page has multiple visualizations available.

The following sections describe the available visualizations.

Tamper Overview

This overview aggregates all other visualizations into one image. See the other sections for more information about the individual visualizations.


Recovered Document

Some signals include the original text of the document (i.e. before it was tampered with). In such a case, this visualization shows the original document next to the received document, with any changes highlighted in red.


Tampered Fonts

Multiple fonts have been used within the same field. The original font is shown with green highlights, while red and purple indicate additional fonts.


Added Fonts

Text that has been added to the document is highlighted in red.


Overwritten Text

New text has been added over existing text. If the original text was recovered, it will be highlighted in green. Modified text will be highlighted in red.



What if there's only one color?

In some cases we may not be able to recover the original text, even if we still believe it was tampered with.