Explain IPQS fraud score thresholds

Good Carder

Here is a highly detailed, comprehensive explanation of the IPQS (IPQualityScore) fraud score thresholds as of early 2026. This is drawn directly from official IPQS documentation, including the Proxy & VPN Detection API response parameters, best practices guides, the article "A Closer Look at How IPQS IP Scores Work" (published March 2026), and consistent references across their fraud detection APIs (IP, email, phone, URL, etc.).

The Fraud Score is the primary output: a numeric value from 0 to 100 (higher = greater risk). It estimates how likely an IP address (or associated session/user) is linked to abusive, malicious, or fraudulent activity — such as proxy/VPN/Tor usage, bots, credential stuffing, fake account creation, chargebacks, payment fraud, or other threats. The score is probabilistic, real-time, and derived from multi-layered analysis (network reputation, proxy detection, abuse velocity, behavioral signals, geolocation integrity, etc.). Thresholds provide standardized interpretation and decision-making guidance, though they are not rigid rules — IPQS explicitly encourages customization based on your use case, risk tolerance, industry, and observed false-positive rates.

Official Thresholds and Interpretations

IPQS provides a clear tiered structure for the Fraud Score (repeated consistently across documentation):
| Fraud Score Range | Risk Level | Official Description / Interpretation | Recommended Actions / Notes |
|---|---|---|---|
| 0–74 | Generally Low Risk / Acceptable | Clean or low-risk traffic with minimal concerning signals. No strong indicators of proxy/VPN/Tor, recent abuse, or suspicious behavior. Most legitimate residential connections from reputable ISPs fall here when there is little to no abuse history or anonymization flags. | Allow the traffic without additional checks. This is the "safe" zone for most standard operations. Some clients accept scores in the upper part of this range (e.g., 60–74) for low-stakes actions. |
| ≥75 | Suspicious | The IP has had previous reputation issues or is likely using a low-risk proxy/VPN/Tor connection. Not necessarily fraudulent or actively malicious. Average-risk residential proxies or VPNs commonly score in the 70–75 range. Fraud Scores ≥75 are suspicious and likely to be a proxy, VPN, or TOR connection, but not necessarily a fraudulent user. | Flag for review, require additional verification (e.g., CAPTCHA, 2FA, device checks), or apply lighter restrictions. Many clients find scores in the 70–75 range tolerable depending on context (e.g., non-financial actions). Some clients may find IP addresses with scores in these ranges not problematic. |
| ≥85 | High Risk / Suspicious Behavior Signals | Indicates suspicious activity or elevated risk signals beyond basic proxy detection. The connection shows patterns associated with potential malicious behavior (e.g., combined with velocity issues, geolocation inconsistencies, or other anomalies). | Flag or block in higher-risk scenarios. IPQS notes that scores ≥85 indicate suspicious behavior, and some documentation suggests this as a common intervention point, though customization is recommended ("you may find it beneficial to use a higher or lower threshold"). |
| ≥90 | Very High Risk / Frequent Abusive Behavior | Strong indicator of frequent abusive or malicious behavior, often tied to recent or excessive abuse within the past 24–72 hours. Fits the profile of high-risk users (e.g., bots, compromised devices, or heavy fraud attempts). Scores near or at 100 represent the highest confidence in risk. Fraud Scores ≥90 are high-risk users likely to engage in malicious behavior. Scores in this threshold indicate recent or excessive abuse. | Strongly recommended to block or take decisive action (e.g., reject the transaction, ban the session). IPQS repeatedly emphasizes blocking requests associated with Fraud Scores ≥90. This is the clearest "red flag" threshold. |

Additional Context on Thresholds

  • Proxy/VPN Specificity: Average-risk proxy or VPN connections (including many residential proxies) often land in the 70–75 range. Clean, well-maintained residential proxies can score here without being considered "dirty," but heavily abused, over-rotated, or poorly sourced pools frequently push into 85+. IPQS detection is sophisticated even for residential proxies and botnet-compromised devices.
  • Recent Abuse and Abuse Velocity: These supporting fields are critical for interpreting thresholds:
    • Recent Abuse (boolean): True if verified abuse (e.g., chargeback, fake signup, compromised device, fake app install) occurred in the past few days.
    • Abuse Velocity: "none", "low", "medium", or "high" — measures frequency over the past 24–48 hours (or recent period). "High" or "medium" velocity often drives scores into the 85–100 range and correlates strongly with the ≥90 "frequent abusive behavior" tier.
  • Fraud Score vs. Risk Score:
    • Fraud Score: Weighs overall/long-term reputation history more heavily.
    • Risk Score (sometimes returned separately or in other APIs like URL detection): Places less weight on historical reputation and focuses more on short-term/session behavior. Risk Scores ≥85 are considered high risk, while a Risk Score of 100 indicates high confidence/confirmed accuracy. Use both together for nuanced decisions (e.g., compare immediate session risk vs. broader IP history).
  • Customization and Flexibility:
    • IPQS provides 50+ scoring options (sometimes referenced as 75+ settings) to tune sensitivity, blacklists, thresholds, penalties, and detection rates for your specific audience or traffic type.
    • Examples of tunable settings: "Lighter Penalties" (lowers scores for mixed-quality traffic to reduce false positives), "Allow Public Access Points" (bypasses certain checks for schools/corporate Wi-Fi), or mobile-specific adjustments.
    • Thresholds are guidelines, not fixed rules. You can (and should) set custom rules, such as: "block if fraud_score ≥90 OR recent_abuse = true"; "challenge if ≥75 and abuse_velocity = 'medium'"; or adjust per device type/country.
    • Documentation repeatedly states: "We recommend flagging or blocking traffic with Fraud Scores ≥85 (or ≥90), but you may find it beneficial to use a higher or lower threshold."

Practical Implications for Residential Proxy Testing and Use

In the context of your ongoing search for clean residential proxy IPs with low fraud values (avoiding "dirty" pools that trigger high scores and bans):
  • Ideal "clean" profile for residential proxies: Consistent scores well below 75 (ideally 0–50 or lower), residential/mobile connection type confirmed, "none/low" abuse velocity, no recent_abuse flag, and minimal proxy/VPN/Tor detection.
  • 70–75 range: Common for many legitimate or average residential proxies. May be acceptable for scraping, ad verification, or general automation if other signals are clean and your target sites are not ultra-strict. However, strict platforms (e.g., social media, e-commerce, payments) may still flag or challenge these.
  • ≥85: Often signals overused, tainted, or lower-quality pools — expect higher rates of CAPTCHAs, blocks, or failed actions.
  • ≥90: Almost always problematic for sensitive tasks (account creation, multi-accounting, payments). These IPs are likely to trigger automatic blocks or strong anti-fraud measures.
  • Testing Advice: Always use the free IP lookup tool on ipqualityscore.com to check samples. Test multiple times (scores can fluctuate with new data). Cross-reference with supporting fields and tools like Scamalytics. Good providers (with real-time filtering, ethical sourcing, and abuse monitoring) aim to keep pool averages low across these thresholds.
  • Real-World Variability: Scores for the same IP can differ slightly over time as new abuse data enters IPQS's threat network (honeypots, Fraud Fusion™, botnet tracking). Residential proxies generally score better than datacenter ones, but heavy automation usage without responsible rotation can elevate them.

Best Practices for Applying Thresholds

  • Start Conservative: Many users begin with ≥85 for flagging and ≥90 for blocking, then refine based on real-world performance, A/B testing, and false-positive rates.
  • Combine Signals: Never rely on the fraud score in isolation. Review proxy/vpn/tor flags, connection_type (residential preferred), abuse_velocity, recent_abuse, geolocation consistency, and bot status.
  • Context Matters: A score of 78 might be fine for low-value browsing but unacceptable for high-value transactions or account management. High-traffic automation can artificially raise scores if not managed properly.
  • Reduce False Positives: Enable "Lighter Penalties" or other custom settings if legitimate traffic is being over-flagged. Monitor and report confirmed good/bad data via IPQS's Fraud Reporting/Fraud Fusion to improve your account-specific models.
  • Integration Example: In code or rules engines, filter simply by fraud_score (easiest quick analysis) or build complex logic combining multiple fields.
  • Evolving Nature: While the core thresholds (75/85/90) remain stable, underlying models and detection accuracy are updated regularly (e.g., 2026 release notes mention bug fixes and improvements). Always check the latest official documentation for any refinements.

IPQS emphasizes that the Fraud Score is a risk indicator, not definitive proof of fraud. Legitimate users can occasionally score higher (e.g., due to shared connections, VPN usage, or public Wi-Fi), while sophisticated fraudsters may sometimes evade detection. The thresholds help turn rich threat intelligence into practical, actionable decisions while allowing flexibility.

If you have a specific sample IP address (or a full API response JSON showing fraud_score and supporting fields), share it and I can help interpret exactly what the thresholds likely mean in that case, including probable contributing factors. Or provide more details about your use case (e.g., multi-accounting on specific platforms, scraping, ad verification, budget constraints) for tailored threshold recommendations or testing strategies. For the absolute latest official guidance, refer directly to the Proxy & VPN Detection API response parameters and best practices on ipqualityscore.com. Let me know how else I can assist with your proxy evaluation!
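
The custom rules quoted under "Customization and Flexibility" and the "Combine Signals" advice, written as a merchant-side decision function. This is an added example, not part of the original post and not IPQS code. It assumes the response has been parsed into a dict carrying the fraud_score, recent_abuse and abuse_velocity fields the post names; the high_value flag and the sample responses are constructed for illustration.

```python
from dataclasses import dataclass, field

# Tiers quoted in the post (75 / 85 / 90); tune them against your own traffic.
SUSPICIOUS, HIGH_RISK, BLOCK = 75, 85, 90

@dataclass
class Decision:
    action: str                                   # "allow" | "challenge" | "block"
    reasons: list = field(default_factory=list)   # why, for audit logs

def decide(resp: dict, high_value: bool = False) -> Decision:
    """Map one parsed reputation response to an action on the merchant side.
    high_value is a hypothetical caller-set flag (payments, account changes)."""
    score = resp.get("fraud_score")
    # Missing or malformed score: do not fail open, step up verification.
    if isinstance(score, bool) or not isinstance(score, (int, float)) \
            or not 0 <= score <= 100:
        return Decision("challenge", ["fraud_score missing or out of range"])
    velocity = str(resp.get("abuse_velocity", "none")).lower()
    block, challenge = [], []
    # Post's rule: block if fraud_score >= 90 OR recent_abuse = true.
    if score >= BLOCK:
        block.append(f"fraud_score {score} >= {BLOCK}")
    if resp.get("recent_abuse") is True:
        block.append("recent_abuse is true")
    # Context matters: high-value actions intervene one tier earlier.
    if high_value and HIGH_RISK <= score < BLOCK:
        block.append(f"fraud_score {score} >= {HIGH_RISK} on high-value action")
    if block:
        return Decision("block", block)
    if score >= HIGH_RISK:
        challenge.append(f"fraud_score {score} >= {HIGH_RISK}")
    # Post's rule: challenge if >= 75 and abuse_velocity = 'medium' (or worse).
    elif score >= SUSPICIOUS and velocity in ("medium", "high"):
        challenge.append(f"fraud_score {score} with {velocity} abuse_velocity")
    elif score >= SUSPICIOUS and high_value:
        challenge.append(f"fraud_score {score} >= {SUSPICIOUS} on high-value action")
    return Decision("challenge" if challenge else "allow", challenge)

# Constructed sample responses (not real lookups), reduced to the fields used.
SAMPLES = {
    "clean":      {"fraud_score": 12, "recent_abuse": False, "abuse_velocity": "none"},
    "vpn_low":    {"fraud_score": 78, "recent_abuse": False, "abuse_velocity": "low"},
    "vpn_medium": {"fraud_score": 78, "recent_abuse": False, "abuse_velocity": "medium"},
    "abusive":    {"fraud_score": 93, "recent_abuse": True,  "abuse_velocity": "high"},
    "no_score":   {"recent_abuse": False},
}

if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        d = decide(resp)
        print(f"{name:11} -> {d.action:9} {d.reasons}")
```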
 