Transaction Details

Updated on 19.05.22

Understanding the information provided under the transaction details widgets.

Transaction Details

Clicking on any transaction row in the Transaction List will bring up the Transaction Details view for that transaction. The Transaction Details screen has five main tabs for investigating and analysing the selected transaction - Details, Activity, Customer Connections, Raw Data and Analyst Log.



All details for the selected Transaction are displayed on the Transaction Detail screen - including raw inputs and result data from the SEON data enrichment APIs.

The top section shows key transaction information, applied rules and score results. 

You can change the state of a transaction directly from this top section, which will provide valuable feedback for our machine learning system.

The Applied Rules section shows all the rules that have been triggered for a given transaction, whether they are default, custom or those generated by the Machine Learning module. If a velocity rule has been triggered, then an explanation shall be given as to why it has been triggered. 

If applicable, then it is possible to quickly jump to the Scoring Engine and edit an applied rule by clicking the “Edit Rule” button to the right of the relevant rule, or to prevent a rule from being applied to the current user again by using the “Exclude user from rule” feature, which will bring up a new window where you can specify the details of the exclusion (more on this later, in the Scoring Engine section).


Main information & Applied Rules sections

Beneath the top section are a number of sections that contain other relevant information for the selected transaction, allowing easy manual review. These include User Identity, Lists, Address Information, Payment Details, etc.

Our data enrichment APIs enhance all the data you send to SEON. This provides you additional data in the IP, email, and phone widgets, in addition to the card/BIN and device-related details. Data is then aggregated and combined to reduce the time required to access and process information for human analysts as much as possible.

Each widget can be freely moved around to customize the Transaction Details Page in a way that fits your workflows the best. 

Additionally, many elements can be used to filter the transaction list. When a green filter symbol appears while hovering over a metric, that metric can be used as a filter: a new browser window will appear showing all transactions that match the selected value.

Identity Widget

The Identity Widget shows a combined list of all known customer related information.

You can access previously used data and our string analysis of the user’s username by clicking the arrows next to the values.

It is also possible to create a custom fraud rule, based on your preferences of the selected user’s data, by selecting the Exclude Settings button.




Lists Widget

The Lists Widget allows for the review of all the blacklisted or whitelisted data-points within the current transaction.  

Clicking the 'Change' button allows you to see a detailed view of every data-point used by the transaction. In addition, it lets you change the state, add comments and set an expiration date for a particular data-point.



Addresses Widget

Relevant addresses associated with the user and the transaction are displayed on the map showing Google Street View images and the distances between every location. 







IP Information Widget


The IP API response can be seen in the IP Information widget, where all of the IP address data relating to the selected transaction is displayed. The following information is displayed:

  • IP Score
    Our IP scoring system identifies suspicious IP addresses. The higher the score, the more risky an address is deemed to be. 
    Using the default settings, any IP that is a server and not residential will be scored at least 10, with VPNs & TOR nodes always scored at over 80.
  • TOR
    If we identify the IP address as a TOR node then it will also be flagged here. TOR (The Onion Router) is used by those who want to maintain anonymity, through a browser that connects to an open network; the IP addresses flagged here are TOR exit nodes.
  • Location
    The Geolocation of the provided IP address is obtained, allowing you to cross reference against any other transactional location information.
  • VPN
    VPNs offer users a publicly accessible network for the purpose of hiding one’s IP address. If it has been possible to identify the IP address as a VPN then it will be flagged here.
  • IP Type
    This allows the analysts to identify whether the user is using a residential internet connection or something potentially higher risk.
    ISP - Residential Internet
    MOB - Mobile/cellular network
    DCH - Server or Data Center
  • Spam Blacklists
    This blacklist indicates whether the IP address has been previously marked as a spam source on any of the 60+ Domain Name System-based Blackhole Lists that we scan. Seeing more than three or four spam blacklists indicates high risk. Being listed in one to two places is usually not considered risky.
  • ISP
    You can view the exact name of the Internet Service Provider (ISP). This can be very useful for transaction investigation and clone detection as many fraudsters tend to stick to using the same ISP.
  • Public Proxy
    Public proxies function similarly to VPNs; the main difference is their more limited functionality compared to VPNs. Additionally, proxy server software can be configured to listen on a specified port.
  • Open Ports
    Open HTTP ports can identify if the client is running any kind of web or other server (like an RDP) through their IP. All proxies will have some ports open to let other computers join, so if there are more ports open it can mean a higher fraud risk.
  • Web Proxy
    While still similar to VPNs and Public proxies, Web Proxies are simpler and do not operate at the level of the IP address or other ports.
  • Harmful IP
    Harmful IPs are IPs that we know are used for SSH brute force attacks, hacking attempts, malicious IPs, Postfix/IMAP scans, Telnet scans, and spam hosts. These are automatically assigned higher risk scores.



IP information displayed in SEON


Phone Information Widget


The Phone Information Widget provides a risk score, which indicates how risky the phone number provided is deemed to be. 

This score is based on default SEON rules which can be reviewed in the Scoring Engine. A score of 4 or more is considered risky.

In addition, further information about the submitted phone number is shown within the widget:

  • You can instantly see whether the phone number is valid or not, what country it originates from, whether it is a landline or mobile number, as well as the carrier’s name. We also check whether the phone number is listed by disposable phone number provider sites.
  • The phone widget cross references with 15 social media networks including WhatsApp, Viber, Twitter, Facebook and Telegram to highlight details from any registered accounts such as last seen status or any profile pictures where applicable.
  • Additionally, the Phone API also queries the Home Location Register (HLR) and Caller Name Delivery (CNAM) database to provide additional metadata for any fraud analysis. Please keep in mind that this is a premium feature; you can contact our team if you want this enabled in your account.

You can see how many times the phone number in question has been seen across the entire SEON database under the Lookup details, as well as how many different SEON clients encountered it.

Clicking on the API Runner button will resubmit the phone data to the Phone API in order to refresh and update the information available.


Email Information Widget

The Email API response can be seen in the Email Information widget where all social media and domain information for the selected transaction is displayed. 

You can see how many times the email address in question has been seen across the entire SEON database under the Lookup details, as well as how many different SEON clients encountered it.


Email Risk Scoring


Our Email Risk Scoring system identifies suspicious email addresses: the higher the score, the more risky an address is deemed to be. The score is based on the default rules, which can be reviewed in the Scoring Engine.

Free email providers fall into a no-risk or a high-risk category. A provider is flagged as High Risk when the customer can create a new mailbox without a text message or any other type of additional verification.

Data Breaches

The SEON Email API gives insight as to whether the email address supplied has been involved in any historical data breaches. 

If any data breaches are identified then the system shows how many times the email address has been involved and when the first identified breach was.

The first time an email address was part of a data breach can help to verify the age of an email address as it identifies that the email address was in use at this time. If an email address hasn't been part of any historical data breaches then it can mean it’s higher risk as it could be a newer email address.

Registered Online Profiles

The SEON Email API checks the provided email address against more than 28 online and social platforms in real time.

If the email is registered on the platform it is marked green and, if not, it is marked as grey.

SEON will show any additional public profile information that may be associated with any matched social platforms. This may include the profile picture, description and location details.

Domain Analysis

A domain can be manually updated from within this section to mark it as being a Free, Custom or Disposable address. 

Additional metadata about the domain is shown within the Domain Analysis section including:

  • Creation Date - This allows you to identify the age of the domain name. The older the registration, the less risky the domain.
  • Registrar Name - The person/entity who registered the domain. Fraudsters sometimes try to register domains to pose as legitimate companies.
  • Registered to - The company that the domain name was registered through.
  • Accept All - If there is an accept all policy on the domain then the risk is increased as the mailbox is not unique and can be used by multiple people. 
  • DMARC/SPF Strict - These are both anti-spam features added to the DNS records for a domain name, and they indicate that the domain is likely to be set up correctly, thereby reducing the risk slightly.
  • Valid MX - If valid MX records exist against a domain it means that the domain can receive emails. If these are not set then there is an increased risk associated with the domain. 
  • TLD Suspicious - The SEON Email API can validate whether the TLD (e.g. .com) is favoured by fraudsters.
  • Website Exists - If there is a live website on the domain then this identifies the domain as being lower risk.
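
One way to read the DMARC/SPF signal from a domain's TXT records, as an added example that is not SEON's code. What counts as "strict" here (SPF ending in `-all` together with a DMARC policy of `quarantine` or `reject`) is an assumption, and the records are constructed samples.

```python
def spf_all_qualifier(txt_records):
    """Return the qualifier of the SPF `all` mechanism ('-', '~', '?', '+'),
    or None when the domain has no usable SPF policy."""
    spf = []
    for record in txt_records:
        parts = record.split()
        if parts and parts[0].lower() == "v=spf1":
            spf.append(parts)
    if len(spf) != 1:
        # No record at all, or several: RFC 7208 treats multiple SPF
        # records as an error, so the policy cannot be relied on.
        return None
    for term in spf[0][1:]:
        lowered = term.lower()
        if lowered in ("all", "+all"):
            return "+"
        if lowered in ("-all", "~all", "?all"):
            return lowered[0]
    return None  # no `all` mechanism (a redirect= modifier is not followed here)


def dmarc_policy(txt_records):
    """Return the p= tag of the DMARC record ('none', 'quarantine', 'reject'), or None."""
    for record in txt_records:
        tags = [t.strip() for t in record.split(";") if t.strip()]
        if not tags or tags[0].replace(" ", "").lower() != "v=dmarc1":
            continue
        for tag in tags[1:]:
            name, _, value = tag.partition("=")
            if name.strip().lower() == "p":
                return value.strip().lower()
    return None


def is_strict(domain_txt, dmarc_txt):
    """Assumed meaning of 'strict': SPF hard fail plus an enforcing DMARC policy."""
    return (spf_all_qualifier(domain_txt) == "-"
            and dmarc_policy(dmarc_txt) in ("quarantine", "reject"))


# Constructed samples: (TXT records at the domain, TXT records at _dmarc.<domain>)
SAMPLES = {
    "strict.example": (["v=spf1 include:_spf.mail.example -all"],
                       ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"]),
    "soft.example": (["v=spf1 a mx ~all", "site-verification=constructed"],
                     ["v=DMARC1; p=none"]),
    "double.example": (["v=spf1 -all", "v=spf1 mx -all"], ["v=DMARC1; p=reject"]),
    "missing.example": ([], []),
}

if __name__ == "__main__":
    for domain, (txt, dmarc) in SAMPLES.items():
        print(domain, spf_all_qualifier(txt), dmarc_policy(dmarc), is_strict(txt, dmarc))
```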


Lookup Details

The SEON Email API identifies the number of times that the email address has been seen across the entire SEON database.


Email String Analysis

The email string analysis identifies various metrics associated with the structure of the email address.

Clicking on the API Runner button will resubmit the email data to the Email API in order to refresh and update the information available.


Devices & OS Widget

Integrating SEON Device Fingerprinting allows the collection of a range of information about the user’s client device. Device Fingerprinting Modules are available for JavaScript or as a mobile SDK (iOS and Android). 

To learn more about how the system works, please refer to the Device Fingerprinting Documentation.

  • If the device widget is not active and showing as no data being received, please make sure you have set up your integration correctly. Our API Documentation can help to understand what may have gone wrong and our support team is ready to help with any troubleshooting.
  • We collect more than 50 different data points using our JS Agent/SDKs to provide you with the clearest possible picture of your users’ devices. You can find a full list of these in our API Documentation.

Returning users are identified by using cookie, browser and device hashes:

Cookie hash

Unique identifier based on the cookie session. If someone shares the same cookie hash with someone else, they are most likely using the same browser and device. It is the most accurate identifier for shared devices. However, if the client clears the browser’s cookies and storage cache, this ID will change.

Browser hash

A unique identifier based on the complete browser profile. This includes details on the screen resolution, hardware, font, plugin set, network layers and specific features in the browser. 
This is a very good way to make connections between shared devices, but in some rare cases, specifically for mobile devices, the ID can be the same. This may occur if they have completely the same hardware, software and settings profile.
If the client clears the browser’s cookie and storage cache then this ID will not change. Likewise, if someone is browsing using Incognito or InPrivate tabs then the same ID will be returned.

Device hash

Unique identifier based on the hardware of a device. It is generated based on a number of data points including the HTML5 canvas fingerprint, WebGL driver, audio fingerprint and others. 
It's useful to detect virtual machines and emulators. We recommend using it for blacklists, if there are bad actors who share a hash, or using it as an extra parameter for rules if needed.
Two identical devices with the same hardware will share the same hash. However customers who share the hash are not likely to be related. 
We also offer native iOS and Android SDKs for Device Fingerprinting purposes. These return slightly different device details; the most important of these, at least for clone search purposes, is the device_hash. In the case of the native SDKs, there is no Browser or Cookie hash, only the Device hash; however, this value will always be a 100% match if more users are sharing the same value.

How we determine device risk scores

When you check user profiles in SEON, you have probably noticed that we assign an individual risk score to each device.

Our fraud experts constantly collect and analyze data from different fraud rings and malicious attacks. We then identify behavioral patterns and create rules in SEON to spot the telltale signs such as bots, device spoofing, and many more.

These rules are used to add points to the risk score, determining the final device score of a transaction. A device score of 4 or higher is considered suspicious.

Most notable data points to observe for fraud detection purposes:

WebRTC IP checks

  • Web real-time-communications, known as WebRTC, is a technology that enables your browser to communicate with websites by establishing a real-time peer-to-peer connection. 
  • While using a VPN, users might think they can mask their public IP address but with WebRTC checks you can detect what the user’s actual IP address behind their proxy is because the communication channel between the website and the user’s browser exchanges their public IP address along with other data. 
  • The presence of WebRTC IPs can be a sign of suspicious activity, which is why SEON has a Default rule built in your system to flag such users.

Domain IP checks

  • Similar to WebRTC IPs, users can have DNS (Domain Name System) IP addresses that are different from their regular IP. The use of proxy connections can also be detected by checking for distinct DNS IPs. This is not always a cause for concern, however, because a number of legitimate users tend to utilise large, well-known companies' DNS servers to protect their privacy and to prevent their ISPs from observing their traffic.
  • In conclusion, if you see a DNS IP with a much less common DNS ISP Name and the regular and DNS IP addresses of users are different, the connection can be considered suspicious. 

Time zone offset and Region language

  • Differences between the IP location’s time zone and that of the device can be an obvious sign of suspicious activity; the same goes for differences between languages.

Window size and Screen resolution

  • We have found that these attributes, especially the Window size, can be a great tool for clone searches when dealing with a large fraud ring.
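
The WebRTC, DNS and time zone checks described above, sketched as an added example that is not SEON's code or rule logic. The record field names and the list of common DNS operators are assumptions, and the records are constructed using documentation address ranges.

```python
import ipaddress

# Ranges that never identify a user on the public internet (LAN, CGNAT, loopback).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10")]

# Assumption: resolver operators treated as common; tune this to your own traffic.
COMMON_DNS_ISPS = {"google", "cloudflare"}


def public_ips(candidates):
    """Keep parseable, publicly routable addresses; skip mDNS names and LAN IPs."""
    result = []
    for raw in candidates:
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue  # e.g. an mDNS hostname such as "a1b2c3.local"
        if not any(ip in net for net in LOCAL_NETS):
            result.append(ip)
    return result


def device_signals(rec):
    """Return the mismatch signals found in one device record (hypothetical fields)."""
    signals = []
    request_ip = ipaddress.ip_address(rec["ip"])
    # A public WebRTC address other than the connection's IP points to a proxy or VPN.
    leaked = [ip for ip in public_ips(rec.get("webrtc_ips", [])) if ip != request_ip]
    if leaked:
        signals.append("webrtc_ip_differs:" + ",".join(str(ip) for ip in leaked))
    # A differing DNS IP only counts when its operator is uncommon. Assumption:
    # a resolver run by the connection's own ISP is treated as common too.
    dns_ip = rec.get("dns_ip")
    if dns_ip and ipaddress.ip_address(dns_ip) != request_ip:
        common = COMMON_DNS_ISPS | {rec.get("isp", "").lower()}
        if rec.get("dns_isp", "").lower() not in common:
            signals.append("uncommon_dns_isp:" + rec.get("dns_isp", ""))
    # Compare UTC offsets (minutes) only when both sides are known.
    device_tz, ip_tz = rec.get("device_utc_offset_min"), rec.get("ip_utc_offset_min")
    if device_tz is not None and ip_tz is not None and device_tz != ip_tz:
        signals.append("timezone_mismatch")
    return signals


# Constructed records.
HOME_USER = {
    "ip": "203.0.113.10", "isp": "Example Telecom",
    "webrtc_ips": ["192.168.1.23", "a1b2c3.local", "203.0.113.10"],
    "dns_ip": "198.51.100.53", "dns_isp": "Cloudflare",
    "ip_utc_offset_min": 60, "device_utc_offset_min": 60,
}
PROXIED_USER = {
    "ip": "198.51.100.7", "isp": "Constructed VPN",
    "webrtc_ips": ["10.0.0.5", "203.0.113.99"],
    "dns_ip": "192.0.2.53", "dns_isp": "Constructed Hosting Ltd",
    "ip_utc_offset_min": 60, "device_utc_offset_min": 180,
}

if __name__ == "__main__":
    print(device_signals(HOME_USER))
    print(device_signals(PROXIED_USER))
```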




Credit Card Widget

The Credit Card widget shows all data related to any payment card details passed to SEON via the API. 
This can be used to spot unusual BINs, issuer countries, issuing bank, card type, level and whether the card is prepaid or virtual.



User Revenue Widget

The User Revenue widget lets you quickly see a snapshot of the user's revenue based on how much they’ve deposited and withdrawn within a certain time frame.

The amounts are calculated based on transactions where deposit or withdrawal was sent as action_type.

On the top right corner you are able to choose the time frames you want to view within the past year and select a Brand where the revenue was earned. This is based on the brand_id field sent via the Fraud API. The charts and all the aggregated numbers change according to these filters.

On the bottom you see the total bonus or deposit rate for the user.

  • Total bonus used: Sum of the transaction amount in transactions where bonus_campaign_id field was sent as not null or empty.
  • Total bonus / total deposit: Total bonus as described above / Sum of transaction amount in transactions where action_type was deposit.


Transactional Information Widget

The Transactional Information Widget shows all other transactional and payment information passed to SEON via the API.

This includes details about the payment method, bank account and any relevant verification steps such as user verification or 3D-Secure.



Flight Information Widget

Where flight information is passed to the SEON API, the Flight Information Widget is displayed.

It shows any information related to the flight itself, including departure times, cabin classes and any personal details about the passenger(s).



Order Details Widget

Any additional information about the order that has been passed into SEON via the API can be accessed from the Order Details widget. 
This includes notes, discount codes and gift messages.



Custom Fields Widget

You can send additional business-specific data points that aren’t covered by any of the standard SEON fields as custom fields to the API. 

This allows for the scoring model to be more accurate for your business.

All custom fields passed into SEON are shown on the Custom Fields widget and it is possible to search for these via filtering. 

Additionally, custom rules can be created directly based on these passed-in values.




Notes Widget

The notes widget allows for the saving of any relevant notes about the transaction.
This is useful for giving other analysts information about the transaction or the reasoning behind a given decision. 
The notes are saved in a chat-like format, including the user’s name, date & time and avatar.



Activity Page


When viewing the details of a transaction, all historical transactions for the same customer can be viewed on the Activity tab accessible at the top of the screen. 

This view shows the detail of each transaction, along with the ability to update the state of each transaction directly. 

The type of transaction can be selected from the drop down above the column headers and additionally, the date range shown can be changed to either show all transactions or those within the last 30 or 7 days. 

The screen can be customized to show specific columns of data by clicking the settings option at the end of the column headers. 

Clicking on a specific transaction will update the Transaction Details tab to show the selected transaction.

The ‘action type’ and ‘date’ can be filtered using the options at the top of the screen.


Customer Connections

The Customer Connections tab allows for the data relationships between the customer for the current transaction and other related customers to be investigated and interrogated. 

You can tick the checkboxes next to the values you want to see connections for. 

If you select multiple data points, only those who share all the selected values with the currently selected customer will be shown.

Clicking on the ‘Blacklist’ or ‘Normal’ buttons next to connected customers allows them to be easily added to the block list or likewise removed from it. If multiple fraudulent accounts are identified then they can all be added or removed by using the ‘Ban All’ or ‘Restore All’ options.

The time interval for identifying matching connections can be changed by using the filter options at the top of the screen. 

Select the data field required from the list on the left of the screen to find connections with the same data points.
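
The all-selected-values matching described in this section, combined with the cookie, browser and device hash behaviour described under Devices & OS, as an added example that is not SEON's implementation. The record layout, `user_id` and `last_seen` are assumptions, and the customer records are constructed.

```python
from datetime import datetime, timedelta


def connected_customers(target, customers, selected, now, window_days=None):
    """Return user_ids sharing ALL selected values with target (AND semantics)."""
    wanted = {field: target.get(field) for field in selected}
    # An unselected or empty value must never match: two customers that both
    # lack a cookie hash are not "connected" by it.
    if not wanted or any(value in (None, "") for value in wanted.values()):
        return []
    cutoff = None if window_days is None else now - timedelta(days=window_days)
    hits = []
    for cust in customers:
        if cust["user_id"] == target["user_id"]:
            continue
        if cutoff is not None and cust["last_seen"] < cutoff:
            continue  # outside the selected time interval
        if all(cust.get(field) == value for field, value in wanted.items()):
            hits.append(cust["user_id"])
    return hits


# Constructed sample data.
NOW = datetime(2022, 5, 19)
CUSTOMERS = [
    {"user_id": "u1", "cookie_hash": "c1", "browser_hash": "b1", "device_hash": "d1",
     "last_seen": NOW},
    # Same cookie session and browser profile: most likely the same device.
    {"user_id": "u2", "cookie_hash": "c1", "browser_hash": "b1", "device_hash": "d1",
     "last_seen": NOW - timedelta(days=2)},
    # Cookies cleared: new cookie hash, browser and device hashes unchanged.
    {"user_id": "u3", "cookie_hash": "c9", "browser_hash": "b1", "device_hash": "d1",
     "last_seen": NOW - timedelta(days=30)},
    # Identical hardware only: shares the device hash, likely unrelated.
    {"user_id": "u4", "cookie_hash": "c7", "browser_hash": "b7", "device_hash": "d1",
     "last_seen": NOW - timedelta(days=1)},
    # Native SDK users: device hash only, no cookie or browser hash.
    {"user_id": "u5", "cookie_hash": None, "browser_hash": None, "device_hash": "d2",
     "last_seen": NOW},
    {"user_id": "u6", "cookie_hash": None, "browser_hash": None, "device_hash": "d2",
     "last_seen": NOW},
]

if __name__ == "__main__":
    target = CUSTOMERS[0]
    for fields in (["device_hash"], ["device_hash", "browser_hash"],
                   ["device_hash", "browser_hash", "cookie_hash"]):
        print(fields, "->", connected_customers(target, CUSTOMERS, fields, NOW))
```

Selecting the device hash alone also returns the customer who merely owns identical hardware; each further selected value narrows the result.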


Raw Data

The raw data tab allows you to see the actual API request and response for the currently selected transaction. This can be useful for data and/or integration investigation purposes.


Analyst Log

The Analyst Log screen shows an audit trail of all actions related to the transaction made by admin users.

All action types are shown in the listing by default; however, it can be filtered by using the Action Type dropdown. Furthermore, the date range shown can be changed using the date filter at the top-right of the screen.

Action type and date can be filtered in the top sections.
