{"article":{"id":36105307572759,"url":"https://plaid.zendesk.com/api/v2/help_center/en-us/articles/36105307572759.json","html_url":"https://support.plaid.com/hc/en-us/articles/36105307572759-What-types-of-fraud-and-risk-checks-are-available-in-Plaid-IDV","author_id":5390778350871,"comments_disabled":true,"draft":false,"promoted":false,"position":0,"vote_sum":0,"vote_count":0,"section_id":36096092362775,"created_at":"2025-11-04T20:14:54Z","updated_at":"2026-06-03T18:15:21Z","name":"What types of fraud and risk checks are available in Plaid IDV?","title":"What types of fraud and risk checks are available in Plaid IDV?","source_locale":"en-us","locale":"en-us","outdated":false,"outdated_locales":[],"edited_at":"2026-06-03T18:15:20Z","user_segment_id":null,"permission_group_id":1121794,"content_tag_ids":[],"label_names":[],"body":"<p>Plaid takes a defense-in-depth approach when it comes to fraud detection. You can leverage diverse fraud risk signals as needed depending on your risk appetite. Our Identity Verification (IDV) solution uses many powerful tools to help detect fraud and protect your platform from bad actors. Below is a brief overview of various checks that can be done whenever a user moves through Identity Verification. Though not absolutely comprehensive, it covers our general approach to detecting fraudulent activity.</p>\n<p><img alt=\"\" src=\"https://support.plaid.com/hc/article_attachments/36105307563415\"></p>\n<p>Whether the overall Risk check passes or fails is determined by the <strong>Risk Rules</strong> that you configured in the template. As you review these different checks, please remember that no single check gives a conclusive yes or no as to whether the user is fraudulent; all of the fraud and risk checks need to be considered holistically.</p>\n<p>The configurable Risk Rules cover eight categories: Phone, Email, Network, Device, Behavior, Stolen Identity, Synthetic Identity, and Facial Duplicate. Several additional checks below (Age Estimation, DMV Checks) are surfaced in the IDV session but are not part of the configurable Risk Rules.</p>\n<p>Plaid leverages fraud risk metadata that you’re already collecting in the background of a user’s verification session – which means that it doesn't introduce customer friction. The following categories of data are collected, analyzed, and assigned a risk level. We’ll go into more detail for these robust risk indicators below.</p>\n<p><strong>Facial Duplicate Detection</strong></p>\n<p><a href=\"https://support.plaid.com/hc/en-us/articles/36105010948119\">See this article</a></p>\n<p><strong>Age Estimation</strong></p>\n<p><a href=\"https://support.plaid.com/hc/en-us/articles/36105010948119\">See this article</a></p>\n<p><strong>DMV Checks</strong></p>\n<p>Plaid has an integration with the American Association of Motor Vehicle Administrators (AAMVA) <a href=\"https://plaid.com/blog/dmv-checks-license-verification-fight-fraud/\">DMV checks</a> directly in our Identity Verification (IDV) solution.</p>\n<p>When a user submits a US driver's license for Documentary Verification, our system can now seamlessly cross-reference key data points, such as driver’s license number, date of birth, gender, first name, and last name, with the corresponding DMV records. This adds a powerful layer of authenticity and accuracy to your identity verification process, acting as a robust form of step-up authentication.</p>\n<p><img alt=\"\" src=\"https://support.plaid.com/hc/article_attachments/36105349031319\"></p>\n<p>Enabling AAMVA DMV checks is straightforward for existing Plaid IDV clients. You will find an option for \"DMV/Secretary of State Validation\" within the Workflow tab of your IDV templates.</p>\n<p><img alt=\"\" src=\"https://support.plaid.com/hc/article_attachments/36105307565975\"></p>\n<p><strong>Stolen Identity Fraud Score</strong></p>\n<p><a href=\"https://support.plaid.com/hc/en-us/articles/29223242998423\">See this article</a></p>\n<p><strong>Synthetic Identity Fraud Score</strong></p>\n<p><a href=\"https://support.plaid.com/hc/en-us/articles/29223242998423\">See this article</a></p>\n<p><strong>Network Risk</strong></p>\n<p>As mentioned in the fingerprinting section, we perform a highly accurate check that helps us detect if we have seen the current user before. This check is consistent and reliable even over months of time as long as the user visits from the same computer. We track how many times we've seen a specific device create separate Identity Verification sessions, both within your integration and across our platform, and we estimate risk from that based on the time frame within which those separate sessions were created. We view it as risky if multiple sessions are created on your platform in the same day or week, since this is likely a user with multiple accounts on your service. Likewise, we look at account velocity during the last 3 months across our entire network in order to flag devices that seem to be creating a large number of accounts across different services.</p>\n<p>We check for:</p>\n<ul>\n<li>Number of Identity Verification sessions across the entire network in the last 3 months</li>\n<li>Number of Identity Verification sessions for your organization in the last 24 hours</li>\n<li>Number of Identity Verification sessions for your organization in the last 7 days</li>\n<li>Number of Identity Verification sessions for your organization ever</li>\n</ul>\n<p><strong>Device and IP Risk</strong></p>\n<p>When the end user opens the Identity Verification UI, we start by \"fingerprinting\" the session by looking at hundreds of different attributes, including:</p>\n<ul>\n<li>IP Address</li>\n<li>Location</li>\n<li>Browser plugins used</li>\n<li>Browser and OS settings</li>\n<li>WebGL parameters</li>\n<li>User agent details</li>\n<li>TCP settings</li>\n<li>Cookies</li>\n<li>Screen resolution</li>\n<li>Battery usage</li>\n<li>Device memory</li>\n</ul>\n<p>On top of using IP Address for fingerprinting, we do a number of IP fraud checks:</p>\n<ul>\n<li>\n<strong>Proxy, VPN, and Tor detection</strong> - We detect whether the user is using a VPN or Tor. Using a VPN is correlated with a slight increase in fraud risk; using Tor is associated with a very high fraud risk. We also check if a public or web proxy is being used.</li>\n<li>\n<strong>Abuse lists</strong> - We check a number of IP abuse reporting lists to see if the user's IP is associated with a large number of spam complaints. This can often be an indicator that the user's machine is compromised by malware and increases potential risk of fraud.</li>\n<li>\n<strong>Data Centers</strong> - We detect if the user's IP is associated with a data center, which is correlated with abuse.</li>\n<li>\n<strong>IP geolocation country mismatch</strong> - We report if the user's IP address is associated with a different country than the one they provided as part of their KYC data.</li>\n<li>\n<strong>IP geolocation device timezone mismatch</strong> - We report if the user’s IP address is associated with a country that is in a different timezone than the one we detect as part of the device fingerprinting.</li>\n<li>\n<strong>Open ports</strong> - We check for any suspicious open ports, as well as whether port 80 is open on the IP Address.</li>\n<li>\n<strong>Incognito session</strong> - We detect whether the user is going through the Identity Verification session in a browser that's in incognito mode.</li>\n</ul>\n<p><strong>Phone Risk</strong></p>\n<p>We also perform an external account registration check on the user's phone number. We check 14 different services to see if the user's phone is linked to accounts elsewhere on the web.</p>\n<p><strong>Email Risk</strong></p>\n<p>We support (and highly recommend) providing a user's email address when doing a verification so it is associated with the session. If it is provided, we perform these checks:</p>\n<ul>\n<li>Disposable emails - We check to see if the user is using one of hundreds of disposable email services (for example, Mailinator). This signal is highly correlated with fraud.</li>\n<li>Email deliverability - We do a live check on the domain associated with their email to see if it is actually configured to receive email. Failing this test means the email is fake, which is a strong fraud signal.</li>\n<li>Recent domain registration checks - For emails using custom domains (for example, “@plaid.com\" would be a custom domain and \"@gmail.com\" would not), we check when that domain was registered. Emails associated with domains registered in the last 3 months are correlated with fraud risk.</li>\n<li>External account registration checks - We do a live check against ~90 different popular social networks and services to see if this email is registered on other services. If it's linked with many different services, that is a strong positive signal. Conversely, failing to link to any services is viewed as a risk. If no services or very few services link to the given email, we show a medium or high risk flag in the risk section of the dashboard. Otherwise, we show icons in the sidebar for all accounts linked.</li>\n<li>Email data breach checks - We check services like Have I Been Pwned to see if the user's email has shown up in known breaches. Specifically, we record: 1) how many data breaches this email has appeared in, and 2) how long ago the first breach occurred and how recent the latest one is. This check is counter-intuitive but informative: it is a strong positive signal if the user's email has been found in many data breaches, and it is especially positive if, for example, the dates of those breaches go back 5+ years. We treat this as a positive signal because it indicates that the email is authentic and actively used. As a proxy for the age of an email address, this is a powerful check to catch disposable emails that use reputable services. Likewise, an email not being found in any data breaches is correlated with fraud risk for a similar reason as not being linked to external services. It suggests the email is disposable.</li>\n</ul>\n<p><strong>Behavioral Analytics</strong></p>\n<p>When the user goes through the Identity Verification UI (note this cannot be done if using Data Source Verification via API only), we monitor and assess how a user enters their PII to assess how familiar they are with it or if they exhibit behavior that’s typical of fraud rings or bots. We look at things like:</p>\n<ul>\n<li>How fast a user types in their PII</li>\n<li>How accurately a user enters their PII</li>\n<li>Method of data entry and whether the data is copied and pasted</li>\n<li>The order in which a user inputs data</li>\n</ul>\n<p>If the exhibited behavior is consistent with bad actors, fraud rings, or bots, we flag these behaviors and provide a “User Behavior” risk level. Based on the acceptable risk level set, Identity Verification will either prevent a risky user from completing the signup process or simply inform you of the risk level.</p>","user_segment_ids":[]}}