Fraud Score ≠ Rejection: How Scamalytics, Forter, and Sift Make Decisions

BadB

Deconstructing Fraud Engine Logic: Which Signals Matter More – IP, Behavior, or Device?

Introduction: The Binary Decision Illusion

Many carders believe that a fraud engine is a simple "traffic light":
🔴 Score > 50 → Rejection,
🟢 Score < 20 → Approval.

But the reality is much more complex. Modern systems — Scamalytics, Forter, Sift, Riskified — do more than simply assign a score. They make multifactorial, contextual decisions in real time, where the same score can lead to different outcomes depending on the product type, amount, geography, and even time of day.

In this article, we will deeply deconstruct the logic of three key systems, reveal the hierarchy of signal weights, and explain why a "low score" is no guarantee of success, while a "high score" is not a death sentence.

Part 1: Architecture of a Modern Fraud Engine

A modern fraud engine is a multi-layer neural network that processes hundreds of signals in 4 key categories:

| Category | Examples of signals |
|----------|---------------------|
| Identity | Email, phone, name, SSN (if available) |
| Device | Browser fingerprint, OS, GPU, Canvas hash |
| Net | IP geolocation, ASN, proxy detection, TLS JA3 |
| Behavior | Form filling speed, mouse trajectory, session time |

Each signal has a dynamic weight depending on the transaction context.

Part 2: Comparison of the Three Systems – Philosophy of Approach

🔹 Scamalytics (IP Reputation Focus)

  • Main signal: IP reputation,
  • Method: aggregation of data from thousands of sources (banks, merchants, dark web),
  • Strengths: instant detection of proxies, TOR, VPS,
  • Weaknesses: Ignores behavior and device.

💡 Weights:
  • IP: 45%,
  • Device: 25%,
  • Behavior: 20%,
  • Identity: 10%.

🔹 Forter (Behavioral Biometrics Focus)

  • Main signal: behavioral biometrics,
  • Method: comparison with the global profile of the "real user",
  • Strengths: detection of bots, cookie robots, scripts,
  • Weaknesses: Requires behavior history.

💡 Weights:
  • Behavior: 40%,
  • Device: 30%,
  • IP: 20%,
  • Identity: 10%.

🔹 Sift (Graph-Based Intelligence)

  • Main signal: connections between entities (graph network),
  • Method: analysis of connections between email, IP, device, card,
  • Strengths: Identification of synthetic identities,
  • Weaknesses: Less effective on new accounts.

💡 Weights:
  • Connections: 35%,
  • Device: 25%,
  • IP: 20%,
  • Behavior: 20%.

Part 3: Signal Hierarchy – What's More Important?

🥇 1. Geo-consistency (IP + Device + Address)

This is the main trigger for all systems:
  • IP from Miami,
  • Device with EST time zone,
  • Shipping address in ZIP 33101.

⚠️ Violation of at least one element → instant increase in score by 30–50 points.

🥈 2. Behavioral naturalness

  • Form completion time: 30–90 seconds (not 3 seconds),
  • Mouse trajectory: smooth curves (not straight lines),
  • Input errors: 1-2 typos (not perfect input).

💀 Cookie-Robot without pauses → score +40.

🥉 3. Device and browser fingerprint

  • Consistency between:
    • User-Agent,
    • WebGL renderer,
    • TLS JA3 fingerprint,
    • WebRTC IP.

📉 Mismatch (e.g. Windows + Android TCP/IP) → score +35.

🧾 4. IP reputation

  • Residential IP with a good history → score -10,
  • Datacenter/VPS/Proxy → score +25,
  • IP in blacklists → score +50.

💡 Scamalytics is particularly sensitive to this.

Part 4: Why Fraud Score ≠ Decision

🎯 Transaction context changes everything

| Scenario | Fraud Score | Decision | Why |
|----------|-------------|----------|-----|
| $5 Steam Wallet | 45 | ✅ Approved | Low risk, digital product |
| $500 Apple MacBook | 45 | ❌ Declined | High cost, physical delivery |
| $100 Walmart GC | 60 | ⚠️ Challenge flow | Confirmation required |

💡 Key principle:
Fraud engines evaluate not only “who you are”, but also “what you buy”.

📊 Case Study (Forter, 2026):

  • Carder: IP = Miami, device = Windows 10, behavior = human,
  • Score: 38,
  • Purchase: $500 Steam Wallet → approved,
  • Same session, purchase: $500 iPhone → declined.

Why? Because Steam is a digital product without delivery, while the iPhone is a high-risk physical product.

Part 5: How Fraud Engines Learn from Your Mistakes

Modern systems use real-time feedback:
  1. You make a transaction,
  2. The merchant reports: "Chargeback" or "Legit",
  3. The system recalculates weights for your IP/device/behavior.

💀 One mistake = long-term score increase.

Example:
  • You use one IP for 5 unsuccessful attempts,
  • Even when changing the card and profile, the score remains high.

Part 6: Practical Takeaways for Carders

✅ What to do:

  1. Maintain geo-consistency: IP, time zone, address - must match.
  2. Imitate human behavior: pauses, mistakes, smooth movements.
  3. Use bare metal + residential proxy: avoid VPS and datacenter.
  4. Test on low-risk products: Steam, Razer Gold before making expensive purchases.

❌ What to avoid:

  • Perfect, instant data entry,
  • IP reuse after failure,
  • Purchases of physical goods on new accounts.

Conclusion: A fraud engine is not a judge, but an analyst

The Fraud Score is not a verdict. It's a dynamic risk assessment that depends on context, history, and global correlations.

The most successful carders of 2026 understand:
You can't "trick" a fraud engine.
You can only convince it that you're a real person making a typical purchase.

💬 Final thought:
In the world of Forter and Sift, the winner is not the one who hides, but the one who becomes so ordinary that he is not noticed.

Stay consistent. Stay natural.
And remember: the best camouflage isn't the absence of marks, but their complete normality.
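
The merchant-feedback loop described in Part 5, seen from the defender's side, as an added example that is not part of the original post and not any vendor's code: a chargeback label raises a decaying risk adjustment on every entity linked to the order, so a later order with a new card but the same IP or device inherits it. The class name, penalty values, half-life and sample identifiers are all constructed assumptions.

```python
# Constructed constants for illustration; a real engine learns these from labelled data.
CHARGEBACK_PENALTY = 30.0   # points added to each linked entity on a confirmed chargeback
LEGIT_CREDIT = 5.0          # points removed on a confirmed legitimate order
HALF_LIFE_DAYS = 30.0       # an adjustment halves every 30 days without new labels


class EntityRiskStore:
    """Decaying risk adjustment per entity, e.g. ("ip", addr) or ("device", fp)."""

    def __init__(self):
        self._state = {}  # entity key -> (points, day of last update)

    def adjustment(self, key, day):
        points, last = self._state.get(key, (0.0, day))
        return points * 0.5 ** ((day - last) / HALF_LIFE_DAYS)

    def feedback(self, entities, label, day):
        """Apply a merchant label ("chargeback" or "legit") to every linked entity."""
        delta = CHARGEBACK_PENALTY if label == "chargeback" else -LEGIT_CREDIT
        for key in entities:
            self._state[key] = (max(0.0, self.adjustment(key, day) + delta), day)

    def score(self, base_score, entities, day):
        # The worst linked entity dominates, so replacing a single attribute
        # (card, email) does not reset the risk carried by the IP or device.
        worst = max((self.adjustment(k, day) for k in entities), default=0.0)
        return min(100.0, base_score + worst)


def demo():
    """Constructed scenario: one chargeback, then orders with a different card."""
    store = EntityRiskStore()
    ip, dev = ("ip", "203.0.113.7"), ("device", "fp-constructed-01")
    first_order = [ip, dev, ("card", "card-A")]
    before = store.score(20, first_order, day=0)
    store.feedback(first_order, "chargeback", day=1)
    same_ip_new_card = store.score(20, [ip, dev, ("card", "card-B")], day=2)
    unrelated = store.score(
        20, [("ip", "198.51.100.9"), ("device", "fp-constructed-02"), ("card", "card-C")], day=2
    )
    month_later = store.score(20, [ip, dev, ("card", "card-B")], day=31)
    return before, same_ip_new_card, unrelated, month_later


if __name__ == "__main__":
    print(demo())
```
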