Understanding signals
Overview
This user guide helps fraud teams understand where and how to review Detect signals and visualizations within the Dashboard.
What about the API?
For information on using Detect via our API, please see the following pages:
These pages describe the same functionality that this guide does but in a manner suitable for integrating into your own workflows.
If you have any additional questions, contact our Customer Success team at [email protected].
Fraud signals categories
We broadly classify fraud signals in one of two ways:
File Origin Signals
File origin signals inspect and indicate where a document has originated, allowing teams to evaluate whether the document:
- Can be considered authentic.
- Was generated by a financial institution or payroll provider.
File tampering signals
File tampering signals provide information about how a document has been altered after it was generated, allowing teams to assess what types of modifications occurred and what information has been changed.
Most file tampering signals are visualized as colored rectangles overlaid on the submitted pages. See Reviewing Detect signals and Interpreting Visualization for further details.
Reviewing detect signals
This section describes the information presented in the Dashboard once a document has completed processing and how you can access and review Detect signals.
Book Overview
Detect signals will be available to review in the Dashboard via the Book Overview screen. Books with Detect signals for review will display a red flag in the Detect Signals column. The number beside the red flag represents the total number of Detect signals within the book. To access the Book Overview page, select the book you would like to review from the Book List page.
Several books are listed on the Ocrolus Dashboard. Two books respectively have two and ten Detect signals.
The Book Overview page displays Detect signals at the Book and Document level. See below for details about the information contained in each panel on the Book Overview page.
The panels on the Dashboard are as follows:
Book-level signals
The first panel displays the total number of Detect signals at the Book level, i.e. across all documents within the Book combined.
The leftmost panel on the dashboard. 132 signals have been identified in the book. Sensitive information about the book and our analysis has been redacted.
Note that this panel can be collapsed by clicking the arrow in the top right corner.
Uploads
The second panel displays the Documents within the Book and their respective statuses.
The second panel of the Ocrolus Dashboard, showcasing three bank statements in a book. One bank statement is selected. All three bank statements are flagged as having Detect signals.
The icons that can be displayed are as follows:
- A green circle indicates that the Document was successfully uploaded, and that no fraud signals were found.
- A red circle indicates that the Document couldn't be processed.
- A red flag indicates the document has been processed and Detect has identified an issue with the document.
- A gray hourglass indicates that a file is still being processed. Check back later.
The four icons that indicate the status of a document. The green circle means Completed, the red flag means Completed with Detect signals, the red circle means Rejected, and the gray hourglass means Processing.
If there is no flag present, that means there are no Detect signals; in that case, the Status column will display an icon that represents the upload status. Click the left checkbox to view that Document and its associated signals.
Documents
The Documents panel displays the Documents that are contained within whichever file is selected in the second panel. If multiple documents are selected, they will be grouped by type. If multiple bank statements are selected, they will be grouped by bank account. If there are any Detect signals for a document, click on it to review them.
Three selected bank statements from a book, grouped under a Bank Statements heading within the Documents panel. Two of the documents are flagged for fraud.
Preview
The preview panel displays the selected Document and the data captured from it. Click on the View Details link to view details about the fraud signals, if any.
The first page of a four-page bank statement is shown on the Preview tab. The user is prompted to review signals of fraud within this document.
Detect
Clicking on the aforementioned link will reveal details and visualizations for each Detect signal.
The Detect dashboard showing a sample bank statement with 48 fraud signals, some of which are highlighted on the selected page.
Don't see anything?
If you can't find this part of the Dashboard, you may need to get Detect enabled for your organization. Please reach out to Customer Support or your account manager.
The panels are as follows:
Book-level signals
This is the same panel that appears in the Book Overview.
Visualizations
The Visualizations panel displays specific regions of the selected Document that were tampered with. In some cases, multiple overlapping signals may be shown. In this case, you can view them individually by selecting the thumbnails in the bottom-right corner.
See Interpreting Visualizations for more information on the visualizations that may be presented.
Details
The details panel displays an authenticity score given to the document, based on the context and confidence in what was tampered with as well as specific information about each fraud signal. You can expand individual signal types to reveal details about them.
Several fraud signals are shown on the Details panel. The Dollar Amount Edits section is expanded, identifying specific amounts that were altered.
Different signals have different information associated with them. See here for additional guidance on interpreting them.
You can also view the data captured from this document by selecting the Capture tab.
Specific transactions captured from a bank statement are shown on the Details panel.
To return to the Book Overview page, click the X on this panel or the arrow above the Book-Level Signals panel.
Interpreting the Authenticity score
In addition to detailed fraud signals which indicate the context and method of tampering, we provide a single Authenticity score indicating the likelihood that a document is authentic.
The Authenticity score ranges from 0-100. The score weighs the context of what was tampered with and our confidence in the signal.
We categorize scores as follows:
- 0-29: VERY LOW authenticity
- 30-49: LOW authenticity
- 50-79: MEDIUM authenticity
- 80+: HIGH authenticity
To learn more about how our score is determined and how to choose a threshold for your workflow, see the Authenticity score page.
In addition to a numerical score, reason codes are returned to offer transparency into the score. The reason codes also double as high-level signals that allow for simple logical rules to determine the flow of the document.
Authenticity score as shown in the Detect details tab. The document received a score of 35. Reason codes are listed below the score.
Interpreting detect signals
Detect signals provide a short description of what has been uncovered and additional information to help contextualize the signal. File tampering signals are also visualized as colored highlights; see here for further details about what these visualizations mean.
File origin signals
These signals are applied to all supported form types (bank statements, pay stubs, and W-2s). They indicate the presence of tampering that isn't specific to any one type of document.
| Signal | Meaning |
|---|---|
| Editing software detected | The form has been edited with a recognized software package. |
| Suspicious document origin | The form was created by a recognized software package. |
Bank statement tampering signals
These signals indicate tampering that's specific to bank statements.
| Signal | Meaning |
|---|---|
| Account Number Edits | The account number has been changed. |
| Account Holder Edits | The account holder has been changed. |
| Account Holder Address Edits | The account holder's address has been changed. |
| Account Type Edits | The account type has been changed. This could refer to account type (e.g. savings or checking) or its branding, among other things. |
| Dollar Amount Edits | One or more of the following dollar amounts have been changed:
|
| Date Edits | One or more of the following dates have been changed:
|
| Transaction Description Edits | Transaction descriptions have been altered from their original state. |
| Misaligned Text | The field or text does not match the expected alignment compared to the rest of the document. |
| Unreconciled Balance | A bank statement's beginning and ending balances are invalid and don't reconcile based on the transactions available on the bank statement for the given period. |
| Invalid Transaction Dates | The date of the given transaction does not fall within the statement period dates. |
| No Transactions Present | There are no records of transactions or transaction pages present in the bank statement. |
| Future Date | The date that's been captured is in the future. For example, having a date like August 1 on a bank statement that's supposed to cover the period of June 1 to June 30. |
| Invalid Date | The captured date is not valid. For example, February 31st, which doesn't exist on the calendar. |
| Future Year | The year that's been captured is in the future. For example, in the 2023 bank statement year is captured as 2025. |
| Invalid Year | The year that was captured is not valid. For example, having the year 2023 on a document that was supposed to be prepared for 2021. |
Pay stub tampering signals
These signals indicate tampering that's specific to pay stubs.
| Signal | Meaning |
|---|---|
| Employee Taxpayer ID Edits | The employee's social security number has been changed. |
| Employee Details Edit | The employee's marital status has been changed. |
| Employee Name Edits | Employee name has been changed. |
| Employee Address Edits | The employee's address has been changed. |
| Employer Name Edits | The employer's name has been changed. |
| Employer Address Edits | The employer's address has been changed. |
| Earnings Edits | The listed earnings have been changed. |
| Deductions Edits | Current or YTD deductions (including taxes) have been changed. |
| Date Edits | One or more of the following dates have been changed:
|
| Pay Frequency Edits | Pay frequency has been changed. |
| Misaligned Text | The field or text does not match the expected alignment compared to the rest of the Document. |
| Online Generated Pay Stub | The pay stub format matches a template from sites known to create paystubs for a Fee. |
| Dollar Amount Edits | One or more of the following fields has been changed:
|
| Future Date | The captured date is in the future. For instance, having a date like August 1 on a pay stub meant for the period of June 1 to June 30. |
| Invalid Date | The date that was captured is not valid. For example, mentioning February 31st, which is not a real date. |
| Future Year | The date that has been captured is in the future. For example, having the year 2025 on a document of 2021. |
| Invalid Year | The captured year is not valid. For example, having the year 2023 on a document that was supposed to be prepared for 2021. |
W-2 tampering signals
These signals indicate tampering that's specific to W-2s.
| Signal | Meaning |
|---|---|
| Employee Taxpayer ID edits | The employeeβs social security number has been changed. |
| Employee Name Edits | The employee's name has been changed. |
| Employee Address Edits | The employee's address has been changed. |
| Employee ID Edits | The employer's identification information has been changed. This signal indicates that one or more of the following values have been altered:
|
| Employer Name Edits | The employer's name has been changed. |
| Employer Address Edits | The employer's address has been changed. |
| Earning Edits | The employee's earnings have been changed. |
| Withholding Edits | The employee's withholdings have been changed. |
| Date Edits | Dates have been changed. |
| Other Edits | Certain other fields have been changed. |
| Misaligned Text | The field or text does not match the expected alignment compared to the rest of the document. |
| Invalid Social Security Tax Wage Base | Stated Social Security Tax Wage Base exceeds the limit for the year. |
| Invalid Social Security Taxes Paid | Stated Social Security Taxes withheld does not match expected 6.2%. |
| Invalid Medicare Taxes Paid | Stated Medicare Tax Withholdings do not match the expected amount. |
| Invalid Medicare Tax Wage Base | Stated Medicare Wages and Tips are below expected amount based on Total Taxable Wages, Total Tips, and Wages Subject to Social Security Tax. |
| Invalid Medicare Wages | Stated Medicare Wages are below expected amount based on Total Taxable Wages and Wages Subject to Social Security Tax. |
| Invalid Federal Income Tax for Statutory Employee | Statutory Employee should not have reportable Federal Income Tax. |
| State Taxes Paid in Non-Collecting State | State taxes being paid in a state that doesn't collect state taxes. |
| State Taxes not Paid | States taxes not being paid in a state that does collect state taxes. |
| Invalid State Tax Wage Base | State income taxes paid do not reconcile with state income tax wage base. |
| Social Security Tax Wage Base is Blank | Social Security Tax Wage Base is blank. Verify applicant is religious worker or H-2A visa worker. |
| Medicare Wage Tax Base is Blank | Medicare Tax Wage Base is blank. Verify applicant is religious worker or H-2A visa worker. |
| Invalid State Income Taxes Paid | State income taxes paid do not match the expected amount based on the state tax rate and state income tax wage base. |
| Future Date | The captured date is in the future. For instance, having a date like January 1 on a W-2 form from next year. |
| Invalid Date | The date that was captured is not valid. For example, mentioning February 31st, which is not a valid date. |
| Future Year | The captured date is in the future. For example, having the year 2025 on a document of 2021. |
| Invalid Year | The captured year is invalid. For example, having the year 2023 on a document that should have been prepared for the year 2021. |
Interpreting visualizations
Detect visualizes specific regions that have been tampered with.
The name of the current visualization type is shown at the bottom of the Detect dashboard's visualization panel. You can hover over the grey question mark for details about the visualization.
The bottom-left corner of the visualizations panel is shown. The current page has multiple visualizations available.
The following sections describe the available visualizations.
Tamper overview
This overview aggregates all other visualizations into one image. See the other sections for more information about the individual visualizations.
Recovered document
Some signals include the original text of the document (i.e. before it was tampered with). In such a case, this visualization shows the original document next to the received document, with any changes highlighted in red.
Tampered fonts
Multiple fonts have been used within the same field. The original font is shown with green highlights, while red and purple indicate additional fonts.
Added fonts
Text that has been added to the document is highlighted in red.
Overwritten text
New text has been added over existing text. If the original text was recovered, it will be highlighted in green. Modified text will be highlighted in red.
What if there's only one color?
In some cases, we may not be able to recover the original text, even if we still believe it was tampered with.
Misaligned text
The Misaligned Text visualization highlights the expected alignment of fields in grey and misalignments or discrepancies in red color.
Unredacted document
The visualization of the Unredacted Document feature highlights areas of a document that were previously obscured using a photo editor. It also shows the redacted field values that have been recovered.
Updated 17 days ago