Fraud detection systems are only as strong as the signals they monitor. A signal is an observable indicator — a data point that, alone or in combination with others, suggests fraudulent intent or compromised behaviour. Most detection failures are not algorithm failures. They are signal failures: the right indicator was never being collected, or it was being collected but not correlated with anything meaningful.

This reference covers the core behavioural fraud signal categories used across Zarelva's investigation and detection architecture work. It is drawn from the Zarelva Fraud Signal Library, which catalogues signals across identity, device, network, transaction, and behavioural dimensions.

Why Signals Matter More Than Rules

Rules are static. Fraud is adaptive. A fraud ring that triggers a rule will adjust its behaviour within days. Signals, by contrast, reflect underlying intent patterns that are harder to disguise — velocity cannot easily be made to look human when the underlying automation is operating at non-human scale.

The goal of signal-based fraud detection is not to catch every individual fraudulent event. It is to raise the cost of fraud to the point where it is no longer economically viable for the attacker to continue.

Core Signal Categories

The following categories form the foundation of any comprehensive fraud signal library. Each category represents a distinct attack surface and requires different collection infrastructure.

🛡️ Identity & Credential Signals (Layer 1)
Identity age (new/very new); Unverified credential; Revoked credential; Unknown issuer; No DID present; Expired credential; Address inconsistency; Name variation clusters

Velocity & Behavioural Signals (Layer 3)
Action velocity (high); Action velocity (critical); Off-hours activity; Task sequence anomaly; Repeated failed actions; Non-human timing pattern; Capability outside scope; Session rhythm anomaly

🌐 Network & Infrastructure Signals (Layer 2)
Datacenter IP origin; VPN / proxy detected; Tor exit node; IP cluster pattern; Geolocation mismatch; Impossible travel speed; Emulator fingerprint; Device farm signature

💳 Transaction & Financial Signals (Layer 4)
Financial action without approval; Data exfiltration pattern; Privilege escalation; Config modification; Round-number clustering; Beneficiary concentration; Card testing pattern; Refund-to-purchase ratio spike

🕸️ Network & Coordination Signals (Layer 5)
Coordinated timing; Shared credentials; Multi-agent convergence; Credential sharing pattern; Ring graph density; Shared device clusters; Referral chain anomaly; Simultaneous session pattern

Signal Correlation Is Where Detection Happens

Individual signals are weak evidence. A single off-hours login is not fraud. A new identity is not fraud. A datacenter IP is not fraud. But a new identity, operating from a datacenter IP, at off-hours, with high action velocity, executing financial actions without approval — that is a strong fraud signal cluster.

The Zarelva Agent Risk Engine implements signal correlation with calibrated weights across all five layers. Each signal carries a weighted score, and scores compound when signals co-occur in the same session or identity profile.
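The compounding effect described above can be sketched in a few lines. This is an added example, not code from the Zarelva Agent Risk Engine or the signal library: the weights, the alert threshold, the layer boost and the noisy-OR combination rule are all assumptions chosen for illustration, and the events are constructed.

```python
from collections import defaultdict
from math import prod

# Constructed weights for illustration (signal -> (layer, weight)); not calibrated values.
WEIGHTS = {
    "identity_age_new": (1, 0.15),
    "datacenter_ip_origin": (2, 0.20),
    "off_hours_activity": (3, 0.10),
    "action_velocity_high": (3, 0.30),
    "financial_action_without_approval": (4, 0.35),
}
ALERT_THRESHOLD = 0.80   # assumed cut-off
LAYER_BOOST = 0.25       # assumed extra compounding per additional layer involved


def score(signals):
    """Noisy-OR over distinct known signals, sharpened when several layers agree."""
    known = {s for s in signals if s in WEIGHTS}
    if not known:
        return 0.0
    miss = prod(1.0 - WEIGHTS[s][1] for s in known)   # product of (1 - weight)
    layers = len({WEIGHTS[s][0] for s in known})      # distinct layers involved
    return 1.0 - miss ** (1.0 + LAYER_BOOST * (layers - 1))


def correlate(events):
    """Group (session_id, signal) events by session and score each session."""
    by_session = defaultdict(set)
    for session_id, signal in events:
        by_session[session_id].add(signal)
    return {sid: round(score(sigs), 3) for sid, sigs in by_session.items()}


# Constructed sample events: three single-signal sessions and one full cluster.
EVENTS = [
    ("s1", "off_hours_activity"),
    ("s2", "identity_age_new"),
    ("s3", "datacenter_ip_origin"),
    ("s4", "identity_age_new"), ("s4", "datacenter_ip_origin"),
    ("s4", "off_hours_activity"), ("s4", "action_velocity_high"),
    ("s4", "financial_action_without_approval"),
    ("s4", "off_hours_activity"),   # a repeated signal does not add weight
]

if __name__ == "__main__":
    for sid, value in correlate(EVENTS).items():
        print(sid, value, "ALERT" if value >= ALERT_THRESHOLD else "ok")
```

A session carrying one signal scores exactly that signal's weight, while the five-signal session spanning four layers crosses the assumed threshold.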

The full signal library is published as open research:

github.com/Gururaj-GJ/fraud-signal-library

Gap Analysis: What Most Detection Systems Miss

In Zarelva's platform assessments, the most common detection gaps are:

What Signals Is Your Platform Missing?

Zarelva maps detection signal gaps and designs coverage architectures for fintech and digital platforms.
