How to identify AI agents, device farms and automation fraud with suspicious flags
Updated on 11.03.26
Overview
Suspicious flags are among the strongest fraud indicators in SEON. They are returned in the suspicious_flags field of the Fraud API response and are triggered by known fraud patterns, device and browser anomalies and behaviors consistent with malicious activity. These flags allow you to gain a deeper understanding of user behavior and identify high-risk transactions with greater precision.
This page serves as a comprehensive reference for all available suspicious flags across SEON's device intelligence features, grouped by use cases.
How to use suspicious flags
With suspicious flags, you can create powerful custom rules in the Scoring Engine, allowing you to tailor risk scoring and fraud prevention strategies based on the specific flags that are most relevant to your business.
- Go to the Scoring Engine page in SEON.
- Open the Custom rules tab.
- Click Create new rule.
- Provide a descriptive name for your rule (e.g., “AI agent detected” or “Possible vishing activity”).
- For the parameter type, select Compare.
- For the value, select Suspicious browser profile.
- Choose the Contains operator.
- In the text field, enter the specific flag you want to target (e.g., potential_ai_agent or possible_vishing).
- Define the action you want to take, such as increasing the risk score or changing the transaction state.
- Click Create rule to save and activate it.
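The same flags can also be triaged in your own backend once the Fraud API response arrives. The following is an added example, not SEON's code: it groups the flags in a response by the categories listed on this page and separates out any flag the page does not list. The function names, the nesting of the sample response and the acceptance of a comma-separated string are assumptions made for illustration.

```python
import json

# Category -> flags, transcribed from the tables on this page.
CATEGORIES = {
    "ai_agent_automation": {
        "potential_ai_agent", "openai_agent", "opera_neon_agent", "devin_agent",
        "manusai_agent", "possible_automation", "bots_and_automation",
        "experimental_user_agent_spoofing", "htmlcanvaselement_spoof"},
    "device_farm_virtualization": {
        "possible_cloud_device", "possible_device_farm", "potential_simulator"},
    # possible_device_farm is listed under two categories, so it is reported in both.
    "behavioral": {
        "suspicious_keypress_characteristics", "suspicious_mouse_movement",
        "suspicious_form_fillout", "suspicious_touch_movement", "paste_used",
        "autofill_used", "possible_vishing", "possible_ongoing_call",
        "possible_device_farm"},
    "remote_access": {
        "potential_remote_interaction", "potential_screen_sharing",
        "potential_remote_control"},
    "vpn_proxy": {f"{kind}{n}" for kind in ("vpn", "proxy") for n in range(1, 5)},
}

def extract_flags(node):
    """Walk the parsed JSON and collect every suspicious_flags value, wherever it sits."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "suspicious_flags":
                # Assumption: a list of strings; a comma-separated string is also accepted.
                items = value.split(",") if isinstance(value, str) else (value or [])
                found += [str(i).strip() for i in items if str(i).strip()]
            else:
                found += extract_flags(value)
    elif isinstance(node, list):
        for item in node:
            found += extract_flags(item)
    return found

def triage(response_text):
    """Group the response's flags by category; keep flags this page does not list apart."""
    flags = sorted(set(extract_flags(json.loads(response_text))))
    grouped = {name: [f for f in flags if f in members]
               for name, members in CATEGORIES.items()}
    known = set().union(*CATEGORIES.values())
    return {"by_category": {n: hits for n, hits in grouped.items() if hits},
            "unknown": [f for f in flags if f not in known]}

# Constructed sample response; the nesting and "brand_new_flag" are made up for the example.
SAMPLE = json.dumps({"data": {"device_details": {"suspicious_flags": [
    "potential_ai_agent", "possible_device_farm", "vpn2", "brand_new_flag"]}}})
```

Routing the `unknown` list to review rather than discarding it keeps newly introduced flags from being silently ignored by older integration code.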
Suspicious flags by category
AI agent and automation
This category of flags helps you detect the emerging threat of AI agents that can autonomously browse websites, fill forms and execute workflows without human interaction. These are critical for preventing automated account creation abuse, checkout automation and workflow exploitation.
| Flag | Description | SDK/Agent |
| --- | --- | --- |
| potential_ai_agent | The browsing session shows strong indicators of being controlled by an AI agent. | JavaScript Agent v6+ |
| openai_agent | Identifies browsing sessions that show strong indicators of originating from OpenAI. | JavaScript Agent v6+ |
| opera_neon_agent | Identifies browsing sessions from the Opera Neon browser, which has been associated with automated browsing. | JavaScript Agent v6+ |
| devin_agent | Identifies browsing sessions that show strong indicators of originating from the Devin AI agent. | JavaScript Agent v6+ |
| manusai_agent | Identifies browsing sessions that show strong indicators of originating from the Manus AI agent. | JavaScript Agent v6+ |
| possible_automation | Indicates that automation tools or scripts may be controlling the device. | Android SDK 6.5+, iOS SDK 5.4+ |
| bots_and_automation | Checks for automated browsers, which may indicate general automation activity. | JavaScript Agent v6+ |
| experimental_user_agent_spoofing | Indicates that the user may be modifying their browser's User-Agent string. | JavaScript Agent v6+ |
| htmlcanvaselement_spoof | Indicates that the browser’s Canvas API has been spoofed or tampered with, meaning its rendered image data appears to have been potentially altered or faked, suggesting possible fingerprint spoofing or environment manipulation. | JavaScript Agent v6+ |
Device farm and virtualization
These flags are designed to identify fraud infrastructure, such as cloud-hosted Android device farms. Attackers use these tools to spin up thousands of virtual devices simultaneously to automate abuse at scale. By detecting the infrastructure layer rather than individual behaviors, you can better surface coordinated abuse patterns.
| Flag | Description | SDK/Agent |
| --- | --- | --- |
| possible_cloud_device | Identifies sessions with hardware-level indicators consistent with virtualized Android environments and cloud-hosted device farms. | Android SDK 6.8+ |
| possible_device_farm | Suggests that the device is part of a device farm used for fraudulent activities, based on behavioral and environmental signals. | Android SDK 6.5+, iOS SDK 5.4+ |
| potential_simulator | Detects emulated devices or virtualized environments. | JavaScript Agent v6+ |
Behavioral
Behavioral flags identify non-human patterns in how a user interacts with your site or app. They are effective at catching a wide variety of fraud, including bot attacks, account takeover and social engineering. For a detailed breakdown of use cases like bot detection, vishing and payment fraud, please see our full guide on understanding behavioral data signals with device intelligence.
| Flag | Description | SDK/Agent |
| --- | --- | --- |
| suspicious_keypress_characteristics | Analyzes typing patterns such as keypress durations and typing rhythms to detect abnormal, non-human behaviors. | JavaScript Agent v6+ |
| suspicious_mouse_movement | Indicates that automation tools or scripts may be controlling the mouse. | JavaScript Agent v6+ |
| suspicious_form_fillout | Monitors how users fill out forms, flagging unusual completion times, sequences, or corrections. | JavaScript Agent v6+ |
| suspicious_touch_movement | Flags anomalous touch interactions on mobile devices. | JavaScript Agent v6+ |
| paste_used | Indicates that the user pasted content into a form field rather than typing it manually. | JavaScript Agent v6+ |
| autofill_used | Indicates that the user relied on browser autofill to complete a form field. | JavaScript Agent v6+ |
| possible_vishing | Flags potential voice phishing activity where a user may be coerced into providing sensitive information. | Android SDK 6.5+, iOS SDK 5.4+ |
| possible_ongoing_call | Flags ongoing phone calls during the session, which can be an indicator of vishing. | Android SDK 6.5+ |
| possible_device_farm | Identifies sessions likely originating from device farms that include interaction characteristics such as stable motion patterns, identical device configurations or unusual IP and network behavior. | JavaScript Agent v6+ |
Remote access
These flags help detect the use of remote access tools like AnyDesk or TeamViewer. While these tools have legitimate uses, they are increasingly leveraged in cyber attacks to take over user devices, bypass security controls and commit fraud. For more information, please see our full guide on remote access detection with SEON's device intelligence SDKs.
| Flag | Description | SDK/Agent |
| --- | --- | --- |
| potential_remote_interaction | Remote access is detected based on user interaction and behavioral signals. | JavaScript Agent v6+ |
| potential_screen_sharing | Network analysis indicates a medium-confidence possibility of screen sharing. | JavaScript Agent v6+ |
| potential_remote_control | A high-confidence flag combining network and behavioral signals to detect an active remote control session. | JavaScript Agent v6+ |
VPN and proxy
This category of flags identifies users who are attempting to conceal their true IP address and location using VPNs or proxy services. This is a common tactic used to bypass geo-restrictions and engage in activities like carding, account takeover and phishing. For more information, please see our full guide on residential proxy and VPN detection.
| Flag | Description | SDK/Agent |
| --- | --- | --- |
| vpn1, vpn2, vpn3, vpn4 | Differentiates between various VPN technologies and detection methods. | JavaScript Agent |
| proxy1, proxy2, proxy3, proxy4 | Identifies different types of proxy services and their detection techniques. | JavaScript Agent |