We run 140+ behavioral signals through every transaction score. Most contribute marginal lift — they matter at the edges, fill gaps in specific merchant categories, help the model stay calibrated as fraud patterns shift. But a handful do the heavy lifting. Working through real transaction data over months of iteration, we have identified the twelve signals that show up most consistently in feature importance when we peel back the model.
This is not a theoretical list. These are the features we find ourselves defending most often in model reviews and tuning sessions — the ones where removing them measurably degrades detection performance. We are sharing them because the conversation around fraud signals in the industry tends toward the abstract, and practitioners deserve more specificity.
Session and Device Layer Signals
1. Device-to-account age delta
The gap between when a device was first associated with an account and when that account was created. For legitimate users, this gap is typically months or years — people use devices they already own. When a device is first seen on the same day or within hours of an account opening, it is a strong indicator of a freshly provisioned fraudster environment. This signal is particularly high-value for new account fraud and synthetic identity patterns where the entire identity stack — device, email, phone, address — was assembled in a short window.
2. Session interaction entropy
A measure of how variable and organic a user's session behavior is: field focus patterns, scroll events, back-navigation, time distribution across form pages. High-entropy sessions look like real people navigating unfamiliar interfaces. Low-entropy sessions look like scripts — consistent field timing, no backtracking, no lingering on disclosure pages. We compute this as a per-session score and compare it against the account's historical entropy baseline. New accounts with very low entropy on their first transaction event are flagged for elevated review.
3. IP-to-device-to-billing address triangulation mismatch
Not a simple IP geolocation check — those are easy to game with a residential proxy. Rather, the internal consistency between the IP geolocation, the device's registered time zone, and the billing address on the transaction. Each element can be faked individually. Faking all three consistently requires operational discipline that most fraud operations do not maintain at volume. Mismatch across two or more dimensions elevates the score proportionally, with weighting based on the magnitude of geographic discrepancy.
4. Device fingerprint mutation rate
How frequently device fingerprint attributes change across sessions on the same account. Legitimate users show stable fingerprints with occasional minor changes from OS updates or browser version increments. Fraudsters who cycle through fingerprint-spoofing tools or rotate hardware show abrupt, complete fingerprint replacements between sessions. The mutation rate feature captures this — measuring both frequency and magnitude of fingerprint change events over a rolling 30-day window per account.
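The mutation rate described above can be sketched as follows. This is an added example, not the scoring model's own code; the attribute names, the 0.8 "full replacement" cutoff and the sample sessions are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

FULL_REPLACEMENT = 0.8  # assumption: share of attributes changed that counts as a new device

def mutation_features(sessions, now, window=timedelta(days=30)):
    """sessions: time-sorted list of (datetime, fingerprint dict) for one account.

    Returns (change_events, mean_magnitude, full_replacements) over the rolling window.
    """
    recent = [(ts, fp) for ts, fp in sessions if now - ts <= window]
    magnitudes = []
    for (_, prev), (_, cur) in zip(recent, recent[1:]):
        keys = set(prev) | set(cur)
        changed = sum(1 for k in keys if prev.get(k) != cur.get(k))
        if changed:  # magnitude = fraction of attributes that differ from the last session
            magnitudes.append(changed / len(keys))
    events = len(magnitudes)
    mean_mag = sum(magnitudes) / events if events else 0.0
    full = sum(1 for m in magnitudes if m >= FULL_REPLACEMENT)
    return events, round(mean_mag, 3), full

# Constructed sample data: one stable account, one rotating fingerprints.
NOW = datetime(2024, 6, 30)
BASE = {"os": "macOS 14", "browser_version": "124", "screen": "1440x900",
        "timezone": "America/Chicago", "gpu": "Apple M2"}
STABLE = [
    (NOW - timedelta(days=45), BASE),                  # outside the 30-day window
    (NOW - timedelta(days=20), BASE),
    (NOW - timedelta(days=10), {**BASE, "browser_version": "125"}),  # routine update
    (NOW - timedelta(days=2), {**BASE, "browser_version": "125"}),
]
ROTATING = [
    (NOW - timedelta(days=3), BASE),
    (NOW - timedelta(days=2), {"os": "Windows 11", "browser_version": "119",
                               "screen": "1920x1080", "timezone": "Europe/Berlin",
                               "gpu": "GTX 1650"}),
    (NOW - timedelta(days=1), {"os": "Android 13", "browser_version": "122",
                               "screen": "412x915", "timezone": "Asia/Manila",
                               "gpu": "Adreno 640"}),
]

if __name__ == "__main__":
    print("stable  :", mutation_features(STABLE, NOW))
    print("rotating:", mutation_features(ROTATING, NOW))
```

Frequency alone would not separate these accounts well; the magnitude and full-replacement counts are what distinguish a browser update from a swapped environment.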
Transaction Pattern Signals
5. Merchant category velocity spike
The rate of change in transaction frequency within a specific merchant category over a rolling 72-hour window, measured against the account's historical baseline for that MCC. A cardholder who suddenly makes 15 transactions at digital goods merchants after months of zero activity in that category is anomalous. This signal does not fire on absolute velocity — it fires on relative velocity change. That distinction is what separates unusual-but-legitimate behavior from the characteristic probing patterns we see before major fraud events.
6. Transaction amount percentile drift
Where a given transaction falls in the distribution of historical amounts for that account. An account that has never exceeded $80 in a single transaction suddenly attempting a $600 purchase is a distribution outlier. We model this as a continuous score rather than a binary threshold, because legitimate users do occasionally make large purchases. The question is how far the transaction falls from the account's established distribution and what else in the session context supports or contradicts the legitimacy of that outlier.
7. Cross-BIN attempt clustering
Multiple payment instruments from different BINs being used in rapid succession on the same account or from the same device. Legitimate users rarely have five cards from five different issuing banks cycling through a 20-minute window. This pattern is characteristic of card-testing operations where the attacker is running through a list of stolen card numbers to identify which ones authorize. The cross-BIN signal does not catch this on a single event — it accumulates across a session and elevates as the pattern persists.
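A minimal sketch of the accumulation described above, as an added example rather than the production feature: a sliding 20-minute window per device or account that counts distinct BINs and raises a saturating score as more appear. The six-digit BIN length, the saturation constant and the sample attempts are assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=20)  # assumption: the 20-minute span used as illustration in the text
SATURATION = 3                  # assumption: controls how fast the score approaches 1

def cross_bin_scores(attempts, window=WINDOW, bin_len=6):
    """attempts: time-sorted (datetime, card_number) pairs for one device or account.

    Returns one (distinct_bins, score) pair per attempt; the score is 0 for a
    single BIN and rises as more distinct BINs fall inside the window.
    """
    recent, counts, out = deque(), {}, []
    for ts, pan in attempts:
        bin_ = pan[:bin_len]
        recent.append((ts, bin_))
        counts[bin_] = counts.get(bin_, 0) + 1
        # Evict attempts that have aged out of the window.
        while ts - recent[0][0] > window:
            _, old = recent.popleft()
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
        extra = len(counts) - 1
        out.append((len(counts), round(extra / (extra + SATURATION), 3)))
    return out

# Constructed sample data (test-range style card numbers, not real accounts).
T0 = datetime(2024, 6, 1, 14, 0)
CARD_TESTING = [(T0 + timedelta(minutes=3 * i), pan) for i, pan in enumerate(
    ["4111110000000001", "5200000000000002", "3700000000000003",
     "6011000000000004", "4555550000000005"])]
LEGIT = [
    (T0, "4111110000000001"),
    (T0 + timedelta(minutes=1), "4111110000000001"),   # retry, same card
    (T0 + timedelta(minutes=45), "5200000000000002"),  # second card, much later
]

if __name__ == "__main__":
    print("card testing:", cross_bin_scores(CARD_TESTING))
    print("legitimate  :", cross_bin_scores(LEGIT))
```

A retry on the same card and a second card used well after the first never raise the count above one, while the rapid sequence climbs with every new BIN.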
8. Authorization-to-capture latency outlier
The time between a transaction authorization event and its capture. Most legitimate merchant transactions capture within standard windows. Fraudulent transactions sometimes show anomalous authorization-capture gaps because the operation involves an intermediary step — a drop service, a reshipping operation, or a manual fulfillment process that creates irregular timing. This signal is particularly useful in digital goods and marketplace contexts where authorization and capture timing patterns have well-established baselines.
Network and Identity Layer Signals
9. Email address entropy score
A structural analysis of the email address itself. Organic personal email addresses exhibit characteristic patterns: real-name components, numeric suffixes corresponding to birth years or disambiguation conventions, and a provider distribution that matches account demographics. Fraudster-provisioned addresses often come from throwaway providers, exhibit sequential or random string patterns in the local part, or cluster in creation-date ranges corresponding to fraud campaign launches. We score this continuously against a learned baseline, not as a blocklist.
10. Phone number age and carrier history
Phone numbers that were ported recently, associated with prepaid carriers, or show a registration date close to the account creation date carry elevated risk. We are not suggesting blocking all prepaid numbers — there are many legitimate users on prepaid plans. The signal fires on temporal clustering: a phone number registered three days before account creation, combined with a device first seen the same day and an email provisioned the same week, is a composite identity construction signal that no single element would surface alone.
11. Shipping address network density
How many other accounts have recently used the same shipping address, or addresses within the same building or postal route. A single shipping address appearing across 40 different accounts in a 30-day window is a drop address. We compute address network density as a graph feature rather than a simple count, which catches partial address obfuscation — unit number variations, abbreviation patterns — that defeat naive deduplication. The graph approach also surfaces address clusters that a per-address count would miss entirely.
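The difference between a per-address count and a graph feature can be shown with a simplified sketch. This is an added example, not the production implementation: the normalization table, the union-find linking of accounts to building-level keys and the sample shipments are assumptions, and the caller is assumed to have already restricted shipments to the lookback window.

```python
import re
from collections import defaultdict

# Assumption: a tiny abbreviation table and unit pattern, enough for the sample data.
ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "apartment": "apt", "suite": "ste"}
UNIT = re.compile(r"(?:\b(?:apt|unit|ste)\b|#)\s*[\w-]+")

def building_key(raw):
    """Collapse unit-number and abbreviation variants to one building-level key."""
    tokens = re.sub(r"[.,]", " ", raw.lower()).split()
    text = " ".join(ABBREV.get(t, t) for t in tokens)
    return " ".join(UNIT.sub(" ", text).split())

def naive_max_count(shipments):
    """Largest number of accounts sharing one exact raw address string."""
    seen = defaultdict(set)
    for acct, raw in shipments:
        seen[raw].add(acct)
    return max(len(v) for v in seen.values())

def address_density(shipments):
    """Accounts reachable from each building through shared addresses or accounts."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x
    for acct, raw in shipments:  # link each account node to its building node
        parent[find(("acct", acct))] = find(("addr", building_key(raw)))
    members = defaultdict(set)
    for kind, name in list(parent):
        if kind == "acct":
            members[find((kind, name))].add(name)
    return {name: len(members[find((kind, name))])
            for kind, name in list(parent) if kind == "addr"}

# Constructed sample: four unit variants of one building, one linked second address.
SHIPMENTS = [
    ("a1", "12 Harbor Street, Apt 4B"), ("a2", "12 Harbor St. #7"),
    ("a3", "12 harbor st unit 12"), ("a4", "12 HARBOR ST APARTMENT 9"),
    ("a4", "98 Quay Road"), ("a5", "98 Quay Rd."), ("a6", "5 Elm Avenue"),
]

if __name__ == "__main__":
    print("naive max per raw string:", naive_max_count(SHIPMENTS))
    print("graph density:", address_density(SHIPMENTS))
```

Linking through shared accounts also merges legitimate overlaps such as a popular pickup point, so the component size is an input to the score rather than a verdict.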
12. Account-to-transaction latency on new registrations
How quickly a newly registered account attempts a high-value or high-risk transaction. Legitimate new customers typically explore an account before transacting — they check their profile, look at account settings, browse. Fraudsters tend to move directly to the transaction that is the point of the attack. We measure time-to-first-high-risk-transaction as a feature, weighted by transaction value, and consistently find that accounts attempting large transactions within minutes of registration are statistically distinct from the legitimate new-customer population.
How These Signals Work Together
These twelve signals do not function independently in the scoring model. A low-entropy session is unremarkable by itself — some legitimate users are just fast and consistent. A device first seen today is not inherently suspicious — people buy new phones. What makes these signals powerful is their co-occurrence weighting. When four or five fire simultaneously on a single transaction, the joint probability of that being a legitimate customer drops sharply.
We are not suggesting any of these should be used as blocklist triggers in isolation. That approach produces exactly the false-positive problem that makes fraud operations painful — you block real customers who trigger one signal for innocent reasons. The value is in the model's ability to weight combinations, calibrate against each merchant's specific customer base, and score the full picture rather than any single dimension.
The remaining signals in our 140+ set provide real value at the margins — they improve detection on specific fraud typologies, catch patterns the top twelve miss in particular contexts, and keep the model current as tactics evolve. But when fraud teams ask which signals to prioritize understanding first, these twelve explain the majority of score variance in the model. Start here, understand what each one is actually measuring, and you will have a much clearer framework for evaluating any fraud scoring system — ours or otherwise.
One honest caveat: signal importance shifts over time. As fraud tactics adapt to known detection methods, some of these will see their discriminatory power erode. The model update cycle matters as much as the signal set itself — which is why feedback loops, not signal counts, are the real competitive differentiator in fraud scoring at meaningful scale.