Evidence Framework

TL;DR

Tier 1 = Conviction (one alone justifies fraud classification): Device linked to 3+ fraud cases, identity confirmed stolen, previous confirmed fraud
Tier 2 = Evidence (combine 3+ for fraud): Never-pay, email under 30 days old, device anomalies, phone recently ported
Decision: 1+ Tier 1 = Block/Decline. 3+ Tier 2 = High risk, review. 1-2 Tier 2 = Medium risk. 0 = Low risk

A systematic approach to evaluating fraud signals using tiered indicators.

Overview

Not all fraud signals are equal. This framework categorizes indicators by confidence level to support consistent, defensible decisions.

Core Principle

Tier 1 = Conviction (one is enough)
Tier 2 = Evidence (multiple required)

Tier 1 Indicators

High-confidence signals that alone justify fraud classification:

Indicator	How to Confirm
SSN issued after stated DOB would suggest	Bureau data, SSA verification
Identity confirmed as fraud victim	Police report, affidavit, bureau alert
SSN belongs to deceased individual	Bureau data, death records
SSN never issued	SSA verification
Document forensically invalid	Document verification technology

Indicator	How to Confirm
Device/IP linked to 3+ confirmed fraud cases	Device intelligence, internal data
Address used by known fraud ring	Consortium data, internal analysis
Exact application data matches confirmed fraud	Pattern matching, feature vectors
Account explicitly claimed by identity theft victim	Affidavit, manual review

Tier 2 Indicators

Supporting signals that require combination for confidence:

Application Signals

Indicator	Weight	Notes
Email created < 30 days ago	⚠️ Medium	Common in fraud, but also new customers
Phone recently ported	⚠️ Medium	SIM swap indicator
Address mismatch (stated vs. bureau)	⚠️ Low	May be recent move
Employment unverifiable	⚠️ Medium	Check method matters
Income stated >> bureau income indicators	⚠️ Medium	Could be recent change

Behavior Signals

Indicator	Weight	Notes
Never-pay (0 payments from origination)	⚠️ High	Strong but not conclusive (see first-party fraud)
Bust-out pattern (utilization spike)	⚠️ High	May be financial hardship
Device seen on prior fraud (1-2 cases)	⚠️ Medium	Could be shared device
Velocity anomaly	⚠️ Medium	Context dependent

Link Analysis Signals

Indicator	Weight	Notes
Same phone on multiple identities	⚠️ Medium	Could be family
Same device on multiple identities	⚠️ Medium	Could be shared device
Address velocity (3+ apps, same address, 30 days)	⚠️ High	Strong ring indicator

Decision Matrix

Classification Rules

Evidence	Classification
1+ Tier 1 indicator	Fraud
3+ Tier 2 indicators (High weight)	Fraud
4+ Tier 2 indicators (any weight)	Fraud
1-2 Tier 2 indicators	Investigation
0 indicators	Credit loss (if loss exists)

Example Scenarios

Scenario A: Clear Fraud

SSN issued after DOB → Tier 1 ✓
Classification: FRAUD

Scenario B: Clear Credit Loss

Verified employment, verified income
No velocity anomalies
No device/address flags
Customer payment pattern consistent with financial hardship
Classification: CREDIT LOSS

Scenario C: Needs Investigation

Email created recently (Tier 2)
Never-pay pattern (Tier 2)
Employment unverifiable (Tier 2)
Action: Gather more evidence, time-box decision

Documentation Requirements

For each fraud classification, document:

Indicators present – List all relevant signals
Evidence sources – Where each signal came from
Decision rationale – Why classification was made
Reviewer – Who made the decision
Date – When decision was made

Next Steps

Setting up evidence framework?

Define Tier 1 indicators - High-confidence signals
Define Tier 2 indicators - Supporting signals
Create decision matrix - Classification rules

Investigating a case?

Check for Tier 1 indicators - One is enough for fraud
Count Tier 2 indicators - 3+ for fraud classification
Manual review - Human investigation for complex cases

Documenting decisions?

Review documentation requirements - What to record
Use example scenarios - Apply to your case
Classify per decision matrix - Make the call

Manual Review - Human investigation for complex cases
Fraud Types - All fraud type definitions
Fake Identity Fraud - Fabricated identities
First-Party Fraud - Customer abuse
Risk Scoring - Combining signals into scores
Velocity Rules - Detecting abuse patterns
Device Fingerprinting - Tracking devices
Fraud Rings - Organized fraud attacks

Overview​

Tier 1 Indicators​

Identity-Related​

Pattern-Related​

Tier 2 Indicators​

Application Signals​

Behavior Signals​

Link Analysis Signals​

Decision Matrix​

Classification Rules​

Example Scenarios​

Documentation Requirements​

Next Steps​

Related Topics​