Data enrichment widgets
Updated on 20.01.25
Overview
Use the Transaction Details page to review all the information SEON has collected about any user action you sent us. The comprehensive page details everything you need to know about a transaction, separated into smaller, user-friendly chunks called widgets. Learn about the widgets that house the results of SEON's data enrichment tools on this page, including social media and digital platform checks.
Transaction details
The Transaction Details page houses more than just widgets. Its four tabs help fraud analysts and risk managers evaluate transactions quickly and efficiently.
You'll see the Applied Rules widget at the top of the page. This widget will showcase which rules the transaction has triggered. It will also display the overall fraud score, category scores, and the Blackbox Fraud probability score.
Scroll down to find the widgets that house the detailed information that SEON used to calculate the fraud score.
Email Information widget
Uncover everything you need to know about your customer's email address. The Email Information widget houses the information returned by SEON's Email API.
At a glance, the widget will tell you if an email address can receive emails, the number of data breaches it's been part of, and the sites it's been registered on.
At the top, you’ll see the email address and the new email network score that predicts the likelihood of fraud associated with it. Note that for Gmail addresses, you may see both an email address field and a raw email address field if they differ, because Gmail delivers emails addressed to abcd+anystring@gmail.com to the original abcd@gmail.com address. In the case of the email field, we trim the string after the + character, enabling us to see relevant social profiles. The raw email field, however, displays the email address as it was sent in the request.
A new Data Highlights section visually highlights key true/false attributes that may indicate fraudulent activity. Yellow highlights denote positive findings, such as "Deliverable" or "Registered domain," while grey highlights indicate absence or a negative result, like "No data breach." These visual cues help quickly assess the potential risk level associated with the email address at a glance.
Under the new Email details section, SEON calculates the minimum estimated age of the email address in months, using data aggregated from social platforms, breach records, and the new associated domain registrations. This estimate is based on the earliest date detected from the information available, such as the first instance in a data breach or the creation date of a social profile associated with the email. Note that the actual age of the email address could be older depending on factors not captured in the data.
Check the Domain field to uncover technical details about an address and its domain. Review SEON's email string analysis to discover trends in email addresses.
Expand any field for more details by clicking on the arrows on the right side of the widget.
Machine Learning-Powered Risk Scores
A new proprietary network score is available for email, which can be used as a confidence indicator when assessing a user's digital profile. This score leverages machine learning alongside consortium data from over 5,000 customers. The network score is derived from an anonymized model trained on millions of onboarding events with over six years of historical data, ensuring precise and accurate risk assessments.
Global Consortium-Based Threat Intelligence
The consortium-based threat intelligence pools data from diverse sectors and geographies for comprehensive threat detection. Consortium data from SEON’s proprietary network is available in two ways:
- it is incorporated into the email network scores
- there is a new section within the Email information modules called the Fraudulent network transaction history
In the example above, the user was reported in a fraudulent transaction 5 out of 183 times in the SEON network. While the user was found in the SEON network 183 times, the user impacted 6 companies. It was first seen on the network on December 23, 2020, and last seen on the network on February 23, 2024. However, the first transaction deemed fraudulent was on January 11, 2021, with the most recent transaction marked fraudulent occurring on November 17, 2022.
Data Breaches
Check this field to see if the email address has been involved in any historical data breaches. At first glance, you'll see the number of data breaches we've found the address in and the date of the earliest incident.
You can use data breaches for two things:
- Prove how widely someone has used their email address on the web. SEON monitors over 90 social media sites and digital platforms, but you can also use data breaches to infer if an email address is known on the web and learn its history.
- Calculate the minimum estimated age of an email address: An address has to be used online to be part of a data breach. That means you can use the earliest data breach an email address was involved in to calculate its minimum age.
Associated Domain Registrations
Check this field to see if the email address has been used to register any domains. At a glance, you'll find the total number of domains linked to the email and the date of the earliest registration.
You can use this information for two purposes:
- Assess Usage: Discover if the email address has been used to register domains, indicating its activity and potential purpose.
- Estimate Age: The earliest domain registration date can provide an additional data point to estimate the minimum age of the email address.
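The Gmail address trimming and the minimum estimated age described in the sections above can be reproduced in a few lines. This is an added example, not SEON's code: the function names, the source labels, the sample dates, and the whole-month rounding are assumptions.

```python
from datetime import date


def email_fields(raw_email):
    """Return (email, raw_email): the trimmed Gmail form and the address as sent."""
    local, _, domain = raw_email.strip().rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {raw_email!r}")
    # Only Gmail is handled, because that is the case the page names.
    if domain.lower() == "gmail.com" and "+" in local:
        base = local.split("+", 1)[0]
        if base:  # keep odd inputs such as "+x@gmail.com" untouched
            local = base
    return f"{local}@{domain}", raw_email


def whole_months(start, end):
    """Completed calendar months between two dates (assumed rounding)."""
    months = (end.year - start.year) * 12 + (end.month - start.month)
    if end.day < start.day:
        months -= 1
    return max(months, 0)


def minimum_estimated_age(evidence, as_of):
    """evidence maps a source label to the dates seen for the address.

    Returns (months, source, earliest_date), or None when nothing is dated.
    The result is a lower bound: the address may be older than any record.
    """
    dated = [(d, src) for src, dates in evidence.items() for d in dates if d <= as_of]
    if not dated:
        return None
    earliest, source = min(dated)
    return whole_months(earliest, as_of), source, earliest


# Constructed sample data, not taken from any real lookup.
SAMPLE_EVIDENCE = {
    "data_breaches": [date(2019, 3, 15), date(2021, 7, 1)],
    "social_profiles": [date(2018, 11, 20)],
    "domain_registrations": [date(2020, 1, 5)],
}

if __name__ == "__main__":
    print(email_fields("abcd+anystring@gmail.com"))
    print(minimum_estimated_age(SAMPLE_EVIDENCE, as_of=date(2025, 1, 20)))
```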
Registered Online Profiles
SEON checks over 170 social and digital platforms for accounts created with the email address.
Email signals are organized into 13 categories in the digital footprint section of Email information modules. Aggregated categories group together signals such as email service, entertainment, social media and technology (see the example snippet to see how this information is displayed). Using these categories to assess risk instead of specific signals eliminates the need to fine-tune individual signals and continuously update rules to add new signals.
Domain Analysis
SEON divides email domains into three categories:
- Free domains are email addresses handled by free email service providers, such as Gmail or Outlook. These domains are categorized as low or high risk based on whether they require a valid phone number to use.
- Disposable domains are especially high-risk throwaway emails created by online sites offering single-use or dummy email addresses. By default, SEON assigns disposable emails a fraud score of 80, well above the DECLINE threshold for transactions.
- Custom domains indicate that a company, university, or other organization likely issued the email address. Use secondary characteristics, like when the domain was registered and whether there is a website at the address, to determine whether custom email domains are safe.
If you think the domain category is incorrect, let our team know by clicking the Report button.
Expand the Domain Analysis field for detailed insight into the domain in question:
- Creation Date: Pinpoint the age of the domain name. The older the registration, the less risky the domain.
- Registrar Name: The person or entity who registered the domain. Fraudsters sometimes try to register domains to pose as legitimate companies.
- Registered to: The company that the domain name was registered through.
- Accept All: If there is an "accept all" policy on the domain, then the risk is increased as the mailbox may not be unique and could be used by multiple people. (It may also indicate that several aliases are tied to the same address.)
- DMARC/SPF Strict: These are both anti-spam features added to the DNS records of a domain name. They identify the domain and show that it is set up correctly, reducing risk slightly.
- Valid MX: If valid MX records exist for a domain, the domain can receive emails. If these are not set then the domain is risky.
- TLD Suspicious: The SEON Email API validates whether the TLD (e.g., .com, .io) is favored by fraudsters.
- Website Exists: A live website increases trust in a domain, due to the effort required to set one up.
Even when the data seemingly checks out, it's worth keeping a close eye on it. If the email is similar to the cardholder name, has a digital presence, and you can't see any strange user behavior, you may be facing family fraud. SEON's data can be useful and serve as evidence in any chargeback dispute process.
Email String Analysis
The email string analysis identifies various metrics associated with the structure of the email address.
Clicking on the API Runner button will resubmit the email data to the Email API in order to refresh and update the information available.
Phone Information widget
Deep dive into the details of your customers' phone numbers to counter fraud. The phone information widget shows you all the data SEON's Phone API uncovers about a number.
At a glance, the Phone Information widget will tell you the phone network score calculated for the number, whether it can actually receive calls, and if it's listed as disposable.
You can also uncover more information about the carrier or provider behind the number and access the CNAM and HLR check results if these are turned on for your account.
Phone number details
At the top, you’ll see the phone number and the new phone network score that predicts the likelihood of fraud associated with it.
A new Data Highlights section visually highlights key true/false attributes that may indicate fraudulent activity. Yellow highlights denote positive findings, such as "Disposable" or "Invalid," while grey highlights indicate absence or a negative result, like "Less than 2 accounts." These visual cues help quickly assess the potential risk level associated with the phone number at a glance.
Machine Learning-Powered Risk Scores
The new proprietary network score is also available for phone numbers, which can be used as a confidence indicator when assessing a user's digital profile. This score leverages machine learning alongside consortium data from over 5,000 customers. The network score is derived from an anonymized model trained on millions of onboarding events with over six years of historical data, ensuring precise and accurate risk assessments.
Global Consortium-Based Threat Intelligence
The consortium-based threat intelligence pools data from diverse sectors and geographies for comprehensive threat detection. Consortium data from SEON’s proprietary network is available in two ways:
- it is incorporated into the phone network scores
- there is a new section within the Phone information modules called the Fraudulent network transaction history
In the example above, the user was reported in a fraudulent transaction 5 out of 183 times in the SEON network. While the user was found in the SEON network 183 times, the user impacted 6 companies. It was first seen on the network on December 23, 2020, and last seen on the network on February 23, 2024. However, the first transaction deemed fraudulent was on January 11, 2021, with the most recent transaction marked fraudulent occurring on November 17, 2022.
Phone types
SEON divides phone numbers into several types that help you determine the nature and goal of a number at a glance, regardless of whether it's connected to a mobile, VOIP, or a call center:
- Fixed line: Also known as a landline, it's just a regular phone number that relies on physical wires to enable voice calls.
- Mobile: A personal number associated with a single user.
- Premium rate: These numbers charge callers higher rates for select services, including information and entertainment. A portion of the call fee is paid to the service provider, making premium calls an additional source of revenue for businesses.
- Toll free: Toll-free numbers are telephone numbers with distinct three-digit codes that can be dialed from landlines at no charge to the person placing the call.
- Shared cost: Used in the UK, Australia, Germany, Switzerland, France, Portugal, and the Netherlands, by businesses and other institutions. Shared cost numbers are charged at a higher rate than regular numbers.
- Voip: When you sign up for a VoIP (Voice over Internet Protocol) service, you are assigned a digital phone number. While these work the same as traditional numbers, calls are often received by a PC.
- Personal number: (UK only) Personal numbering is the name of the virtual telephone number service in the UK. The service provides a flexible virtual telephone number routed to any other number, including international mobiles. For example, the UK number +44 70 0585 0070 might route to an Inmarsat satellite phone number, allowing the user to have a UK number while roaming globally.
- Pager: A number used to communicate with traditional pagers.
- Uan: (India only) Members of the EPFO (Employees Provident Fund Organisation) must have a registered mobile number for them to be issued a UAN (Universal Account Number) or EPF Passbook.
- Voicemail: A number that directly connects to a voicemail.
- Unknown: We can't share any information about this number.
Technical data
Besides the phone number type, you'll find a collection of useful data points that can help you.
- Possible: Check this field to see if the phone number can actually accept calls.
- Disposable: Companies provide single-use disposable phone numbers for various reasons. Don't trust transactions placed with these numbers.
- Valid: A simple check to determine whether the phone number provided follows a valid format (country code, area code, number of digits, etc.).
- Phone Carrier: The name of the carrier that serves the provided number. Our AI tools have shown that in some countries, certain carriers are used more often by fraudsters than others.
- Country: The country in which the phone number is registered.
Registered online profiles
Fraudsters rarely take the time to create a trail of digital breadcrumbs for their throwaway details. It's simply not economical for them. That's why SEON references over 30 social media sites and digital platforms to check for accounts that include the phone number provided.
Used alongside our email address profile checks, SEON looks at over 200 online sites to determine if a customer is legit or not.
Additional services
SEON offers Home Location Register (HLR) and Caller Name Delivery (CNAM) database checks as additional features charged separately. You can contact our team if you want these checks turned on for your account.
Use the HLR check to uncover the detailed history of a telephone number. See whether it's been transferred between providers and which company originally registered it. You can also see the current roaming status of the number.
Check the CNAM field to uncover the name registered as the owner of the number. Remember that the CNAM Directory is only used in the United States and will only work with US phone numbers.
IP Information widget
Make informed risk decisions with more information about your customer's connection and IP address. Learn whether an IP address is trustworthy in seconds from data about the internet service provider (ISP), connection characteristics (VPN, open ports), and spam lists.
IP risk scoring
SEON identifies suspicious IP addresses using the rules enabled on your profile. You can customize rules anytime in the Scoring Engine or rely on our Default Rules and Machine Learning tools to defend your bottom line.
IP details
You'll find details about a customer's location, their ISP, and technical details about their connection on the widget.
Location and ISP
Just like physical addresses, you can use IP addresses to learn where your customer is in the world. Correlate this data with address information provided with an order, or bank card data to counter fraud.
- Location: The geolocation of the provided IP address helps you cross reference the physical location of a connection with other transaction location information, such as billing and shipping addresses.
- Country: Use country information to set up rules that correlate location information. Check, for example, if the IP address and payment card country match.
- IP type: Identify whether the user is using a residential internet connection or something potentially higher risk.
  - ISP - Residential Internet
  - MOB - Mobile/cellular network
  - DCH - Server or Data Center
- ISP: Checking the exact name of the Internet Service Provider (ISP) can be useful for transaction investigation and clone detection, as many fraudsters tend to stick to the same ISP.
- Open ports: Open HTTP ports can identify if the client is running any kind of web or other servers (like an RDP) through their IP. Proxies will have some ports open to let other computers join, so several open ports can be risky.
Connection details
Fraudsters will often take steps to hide their real connection and device in an effort to mask their identity. Some technical solutions are especially high-risk when it comes to fraud fighting.
- TOR: If we identify the IP address as a Tor node, we'll flag it here. The Tor network can be accessed through the Onion browser and is used when someone wants (or has) to stay anonymous online. However, honest customers will rarely connect to a service through Tor.
- VPN: VPNs are a network security solution often used to protect browsing traffic when someone uses an unsafe public network. However, they can also be used to mask someone's geolocation and real IP address. It's best to view them as a source of risk.
- Public Proxy: Public proxies function similarly to VPNs but without the security benefits. They serve as a "quick and dirty" solution to hiding an IP address.
- Web proxy: Similar to VPNs and Public proxies, Web Proxies are simpler and do not operate at the IP address or port level.
- Datacenter proxy: Similar to other proxies, a user purchases/installs the proxy's gateway software, and the device first connects to the data center, where it is assigned an available IP from one of their servers.
IP listing
Around the world, companies, NGOs, and individuals work to compile lists of suspicious IP addresses used in cyber-attacks and other nefarious activities. Listed IP addresses are a serious fraud risk as well.
- SPAM blacklists: This blacklist indicates whether the IP address has been marked as a spam source on any of the 60+ Domain Name System-based Blackhole lists SEON scans. Three or four spam blacklists indicate high risk. One or two entries are generally okay.
- Harmful IP: Harmful IPs are IPs that we know are used for SSH brute force attacks, hacking attempts, malicious IPs, Postfix/IMAP scans, Telnet scans, and spam hosts. These are automatically assigned higher risk scores.
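A DNS-based blackhole list is queried by reversing the IP address and resolving it under the list's zone, and the number of zones that answer can then be bucketed with the thresholds given above. This is an added example, not SEON's code: the zone names and sample answers are constructed placeholders, and treating more than four listings as high risk is an assumption.

```python
import ipaddress
import socket

# Hypothetical zones; substitute the DNSBLs you actually use.
ZONES = ["dnsbl.example.org", "spam.example.net", "bl.example.com"]
LISTING_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Reversed octets (IPv4) or nibbles (IPv6) followed by the list's zone."""
    rev = ipaddress.ip_address(ip).reverse_pointer
    for suffix in (".in-addr.arpa", ".ip6.arpa"):
        if rev.endswith(suffix):
            rev = rev[: -len(suffix)]
    return f"{rev}.{zone}"


def system_resolver(name):
    """Resolve an A record; None means the name does not exist (not listed)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def listed_zones(ip, zones, resolve=system_resolver):
    """Return the zones that list the IP."""
    hits = []
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        # Listings are conventionally answered from 127.0.0.0/8. Any other
        # address (a wildcard or parked zone) is not counted as a listing.
        if answer and ipaddress.ip_address(answer) in LISTING_RANGE:
            hits.append(zone)
    return hits


def spam_risk(hit_count):
    """Bucket a listing count using the page's thresholds."""
    if hit_count == 0:
        return "not listed"
    if hit_count <= 2:
        return "generally okay"
    return "high risk"  # the page names three or four; more is assumed to be the same


# Constructed answers so the example runs offline.
CONSTRUCTED_ANSWERS = {
    "10.2.0.192.dnsbl.example.org": "127.0.0.2",
    "10.2.0.192.spam.example.net": "127.0.0.4",
    "10.2.0.192.bl.example.com": "203.0.113.7",  # wildcard answer, not a listing
}

if __name__ == "__main__":
    hits = listed_zones("192.0.2.10", ZONES, resolve=CONSTRUCTED_ANSWERS.get)
    print(hits, spam_risk(len(hits)))
```

Pass no `resolve` argument to query live DNS through the system resolver.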
Lookup Details
As with email addresses and phone numbers, our IP API will check how many times an IP address has turned up in the entire SEON database. See when the first and most recent hits occurred.
Card Information Widget
The Credit Card widget shows all data related to any payment card details passed to SEON.
Credit card risk scoring
SEON won't assign cards a risk score automatically. Add the data fields of the Card Information widget to custom rules and these data points will influence your overall fraud score.
Payment card details
The widget helps you review all important data connected to the card used in a transaction. We'll collect the following for you:
- Bank – The field will reveal which bank issued the card (e.g., Natwest, Citi Group, DBS)
- Brand – The card issuer who provided the bank the card (e.g., VISA, MasterCard, Maestro, American Express).
- Type – What kind of account the card is connected to (e.g., debit or credit).
- Level – How the card draws its funds (e.g. gift card, prepaid, debit card).
- Country – The country in which the payment card was issued. In the case of banks that operate in several countries, this data is based on the card itself.
- Website – The local website of the financial institution that issued the card.
- Phone – A phone number for contacting the issuing bank.
- Card expiration – When the payment card used in the transaction will expire or expired.
- Valid – Whether the card is currently a valid payment method or has expired or been blocked.
Addresses widget
A single widget to check all addresses and location information connected to a transaction. See locations of interest pinpointed on Google Maps, to quickly correlate location information.
Address Risk Scoring
SEON does not calculate risk scores based on addresses by default. However, you can set up custom rules to monitor discrepancies in the data.
Addresses
The widget will display all applicable location information connected to the transaction, including:
- Customer Address: The address provided by your customer on their profile.
- Billing Address: The address entered during the checkout process for invoicing.
- Shipping Address: Where any physical items ordered in the transaction will be shipped to.
- IP geolocation: The location uncovered by our IP API checks.
- Card country: The country where the bank that issued the card used for payment is registered.
You can check the street view image of each location to get a better picture of the type of address provided (e.g., home, office, etc.).
Map
The addresses are dropped onto an embedded map view. You can also quickly check the distance between each location.