Suspicious activity flags (Legacy)


We have a better version!

This product is superseded by our new Detect offering, which we recommend for all new work. A deprecation plan will be announced in the future.


Detect combines algorithmic checks and reviews from specialists to stop fraud in its tracks. By design, suspicious activity flags detect:

  • File tampering
  • Inconsistencies in data within a single document
  • Inconsistencies in data across multiple documents


Watch out for false positives!

Although Ocrolus detects potentially fraudulent activity, final determination of fraud is up to you. Some flagged documents that appear suspicious may have an explainable reason. For example:

  • Documents with multiple names might belong to someone who recently changed theirs, or to someone whose name has multiple spellings.
  • Unusual image data could be due to poor image conversion on the part of the document's owner.
  • Reports of unusual fonts could be due to the design of the bank statement itself.

We encourage you to manually review any activity that Ocrolus reports as suspicious.

File Tampering

Ocrolus's File Tamper Detection (FTD) technology identifies data in readable PDFs that were not part of the original PDF. For example, text added to an original PDF. The FTD checks use machine learning algorithms to unveil fraudulent activity such as balance padding, account takeovers, and loan stacking. The checks automatically occur when you upload a bank statement, pay stub, or W2.

You can view the results of an FTD check in the suspicious activity results flags (response.suspicious_activity_results.flags) array. The response of the Suspicious activity flags endpoint includes the array.

Example - flags object

  "suspicious_activity_detected": true,
  "reason": "FILE_TAMPERING",
  "suspicious_activity_location": {
    "upload_origin": "PRE_IDENTIFIED",
    "doc_uuid": "cdbc74e9-e567-46e4-84ff-ef09d41fa450",
    "suspicious_activity_page_indexes": [

Inconsistencies in data within a single document

Detect inconsistencies within a single document that may suggest suspicious activity.

Every time you upload a bank statement to Ocrolus, Ocrolus scans the document for inconsistencies, including:

  • Incomplete transaction data
  • Invalid amounts
  • Balance missing pages
  • Photoshopped data

Any flagged results from the scan are returned as suspicious activity flags in the periods object. The periods object is part of the response of either of the following endpoints:

Example - period object

    "pk": 1050,
    "begin_date": "03/28/2014",
    "end_date": "04/11/2014",
    "begin_balance": "5000.00",
    "end_balance": "1000.00",
    "primary_recon_error_reason": "Potential Fraud",
    "secondary_recon_error_reason": "Photoshopped Data",
    "period_month_days": {...},
    "period_month_txns": {...}