
Manager-Antifraud

Manager (Admin Panel) - section Antifraud
By Alex
3 articles

Conversion scoring

Antifraud — Conversion Scoring

Conversion Scoring is an anti-fraud system that evaluates the quality of your traffic by analyzing how well it converts. Instead of just counting clicks, it scores each conversion based on engagement, fraud signals, and behavioral patterns — helping risk managers identify which traffic sources bring real value and which are low-quality or fraudulent.

How Scoring Works

UCLIQ analyses multiple factors to assign a score to each conversion. These are evaluated in real time when a conversion is matched to its click, before any payout is finalized.

Heuristic Checks

The scoring engine runs approximately 15 heuristic checks against every conversion. Key signals include:

- OS Mismatch — Browser-reported OS differs from fingerprint-detected OS (e.g., "Win10" browser on "Windows 7 or 8" OS).
- Duplicate Fingerprint — Same browser fingerprint hash seen multiple times on the same click.
- Same IP Conversions — Multiple conversions originating from the same IP address.
- Timezone Mismatch — Fingerprint timezone differs from GeoIP timezone.
- Cloud/VPS ASN — Traffic originating from data centre IPs (DigitalOcean, AWS, etc.).
- Language Mismatch — English Accept-Language header in a non-English country.
- Router/Proxy — OS fingerprint indicates NAT or proxy hiding.
- Motivated Traffic — Referrer or User-Agent contains social media markers (kik.com, snapchat).
- Touch Support — Android device with incomplete or empty touch support data (suggests an emulated browser).
- Winsocks Detection — Over 90% of a publisher's recent transactions come from Windows (suggests uniform bot farm).
- Connection Type — "Corporate" connection type flagged (corporate IPs rarely convert for consumer offers).

Each heuristic adds to a cumulative risk score. The system does not use machine learning — it relies on deterministic rules that cover enough dimensions to make simultaneous gaming expensive.
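
The following is an added example, not UCLIQ's code, showing how deterministic checks like those listed above can accumulate into one score. The point values, the ASN set, the English-speaking country list and all sample records are assumptions constructed for illustration; the page names the signals but not their weights.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed point values: the page names the signals but not their weights.
WEIGHTS = {"os_mismatch": 20, "duplicate_fingerprint": 25, "same_ip": 15,
           "timezone_mismatch": 15, "cloud_asn": 30, "language_mismatch": 5,
           "touch_support": 25}
CLOUD_ASNS = {64500, 64501}          # constructed: documentation-range ASNs
ENGLISH_COUNTRIES = {"US", "GB", "AU", "CA", "IE", "NZ"}   # assumed list

@dataclass
class Conversion:
    ip: str
    fingerprint: str
    ua_os: str                 # OS family claimed by the browser
    fp_os: str                 # OS family detected by fingerprinting
    fp_tz: str                 # timezone reported by the fingerprint
    geo_tz: str                # timezone from the GeoIP lookup
    asn: int
    country: str
    accept_language: str
    touch_points: Optional[int] = None   # None or 0 = missing touch data

def score_conversion(conv, earlier):
    """Return (cumulative score, fired signals) for conv given earlier conversions."""
    checks = {
        "os_mismatch": conv.ua_os != conv.fp_os,
        # Simplified: compares against earlier conversions passed in by the caller.
        "duplicate_fingerprint": any(e.fingerprint == conv.fingerprint for e in earlier),
        "same_ip": any(e.ip == conv.ip for e in earlier),
        "timezone_mismatch": conv.fp_tz != conv.geo_tz,
        "cloud_asn": conv.asn in CLOUD_ASNS,
        "language_mismatch": conv.accept_language.lower().startswith("en")
                             and conv.country not in ENGLISH_COUNTRIES,
        "touch_support": conv.fp_os == "Android" and not conv.touch_points,
    }
    fired = [name for name, hit in checks.items() if hit]
    return sum(WEIGHTS[name] for name in fired), fired

# Constructed sample data.
CLEAN = Conversion("198.51.100.7", "fp-a1", "Android", "Android",
                   "Europe/Berlin", "Europe/Berlin", 64496, "DE", "de-DE", 5)
SUSPECT = Conversion("203.0.113.9", "fp-b2", "Windows 10", "Windows 7 or 8",
                     "Europe/London", "Asia/Bangkok", 64500, "TH", "en-US")

if __name__ == "__main__":
    print(score_conversion(CLEAN, []))
    print(score_conversion(SUSPECT, []))
    print(score_conversion(SUSPECT, [SUSPECT]))   # repeat from the same IP and fingerprint
```

Because every rule is a plain predicate, the list of fired signals explains the score exactly, which is what lets a risk manager see which patterns matched a given conversion.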

Score Propagation

When a single click generates multiple conversions (e.g., a lead followed by a sale), the risk score is copied from the first conversion to subsequent ones. Two fields are recalculated per transaction: duplicate fingerprint count and same-IP conversion count.

Automatic anti-fraud

Conversion auto-delay

You can set conversions to be delayed automatically if the risk score exceeds limits configured at System level in Control Center, at offer level or at publisher level. Delayed conversions are indicated in the conversion scoring panel and require manual confirmation to be credited to publishers, or a decline. If a delayed conversion is declined, it won't be visible to the publisher unless it was previously confirmed.

Conversion auto-decline

Similarly to auto-delay, you can configure conversions to auto-decline based on a risk score threshold. Auto-declined conversions won't be announced to publishers. You can manually revert the auto-decline in the conversion scoring panel by re-confirming it.

Conversion Scoring Panel

The main panel shows all conversions for a selected time period with their quality assessment and fraud check status.

Filters and search

- Period — Today, Last 7 days, Last 30 days, or custom date range
- Search — Search by publisher name
- Refresh — Reload data

Additional filters in the filter panel let you further narrow the list of conversions displayed.

Conversion List Columns

- Publisher — Publisher username with link to publisher profile
- Conversion IP — IP address of the click origin with country flag and copy button
- Fingerprint — Unique browser fingerprint hash with copy button
- Score — Risk score assigned to the conversion
- Matches — Detected fraud patterns with risk type icon
- Goal — The conversion goal
- Type — Conversion type (sale, lead, etc.)
- Sale — Conversion revenue amount
- Payout — Payment generated for the publisher
- Actual payout — Final payout after adjustments
- OS — Operating system of the click origin with OS icon
- Timezone — Time zone of the click origin
- Date — Conversion date and time
- Actions — Confirm or decline the conversion

Click any conversion record to open the detail dashboard.

Conversion Dashboard

Shows click, conversion and received advertiser's postback details.

Conversion States

Conversions in the system fall into two states:

Processed

These conversions have been automatically processed. The publisher's payment is either registered or added to the campaign balance. To cancel a processed conversion, use the Decline action — this reduces the publisher's balance and generates a "decline" transaction.

Cancellation reasons:

- None — No specific reason
- Fraud — Conversion canceled due to spam
- Motivated — Conversion canceled due to fake/incentivised traffic
- Duplicate — Conversion canceled due to a duplicate offer
- Advertiser decline — Conversion canceled by the advertiser
- Test — Conversion canceled due to a test offer

Held (Pending)

These conversions are waiting for a risk manager decision. No payment has been generated yet. They are marked with a clock icon.

- Confirm — If the conversion is deemed legitimate, confirming it triggers payment to the publisher or adds it to the campaign balance.
- Cancel — If canceled, no payment is made. The publisher will not be notified about the cancellation.

Undoing a Decline

If a decline was made by mistake, apply a Confirm action to it. This will create a new payment to the publisher for the original amount.

Last updated on Jun 05, 2026

About Fraud Monitoring

The Fraud Monitoring dashboard provides a high-level overview of suspicious activity across all conversions. It helps you detect fraudulent traffic patterns, understand why conversions are being declined, and take action — whether that means blocking traffic sources or tightening conversion checks.

Dashboard Overview

The dashboard is organized into four key sections, each designed to surface different dimensions of fraud activity.

Approved / Declined Conversions

A line graph at the top of the dashboard shows the number of approved (green) and declined (red) conversions over the selected period. This trend view helps you spot sudden changes in traffic quality — a spike in declined conversions often signals an active fraud attempt.

Detected Fraud Indicators

This section lists every fraud detection trigger with a count of how many times it fired in the selected period. Each indicator links directly to a filtered view in Conversion Scoring so you can inspect the affected conversions.

Top Sales Countries

A circular chart breaks down traffic by country. Toggle between:

- All traffic
- Approved conversions only
- Declined conversions only

Use this to quickly identify regions with disproportionately high fraud rates.

Top 10 Suspicious Offers

A table listing up to ten offers or publishers with the highest levels of suspicious activity. Switch between Offers and Publishers view. Each row shows the number of conversions and the decline rate. Click a row to expand the risk type breakdown.

Fraud Indicators — Full Reference

Every conversion is checked against a set of deterministic heuristics. When a heuristic triggers, it adds to the conversion's risk score and appears in the Fraud Monitoring dashboard under the matching indicator.

Duplicate Fingerprint

Multiple conversions share the same browser fingerprint hash. Legitimate users rarely produce identical fingerprints — this usually indicates automated tools or click farms reusing the same browser profile.

Same IP

Multiple conversions originating from the same IP address. While a shared IP (office, university) can be legitimate, a high count across unrelated publishers strongly suggests click fraud.

Motivated Source

Traffic flagged as incentivized — the User-Agent or Referrer header contains markers from social or incentive platforms (e.g., kik.com, snapchat). Incentivized traffic typically converts at low quality and high refund rates.

Timezone Mismatch

The browser fingerprint reports a different timezone than the GeoIP lookup. For example, a user whose browser says "Europe/London" but whose IP is geolocated to "Asia/Manila". This often indicates proxy or VPN use.

OS Mismatch

The operating system reported by the browser differs from the OS detected by fingerprinting. Example: the browser claims "Windows 10" but the fingerprint reveals "Windows 7 or 8". This is a common sign of emulated devices.

Language Mismatch

The browser's Accept-Language header (e.g., en-US) does not match the expected language for the conversion's country. A weak signal on its own, but meaningful when combined with other mismatches.

Connection Type Mismatch

The connection type detected (e.g., "Corporate") is unusual for the offer vertical. Corporate IPs rarely convert for consumer offers, so this flags traffic that may be coming from a controlled environment.

Autonomous System Mismatch

Traffic originates from an IP address registered to a known data centre or cloud provider (DigitalOcean, AWS, Hetzner, etc.). Legitimate consumer traffic rarely comes from data centre ASNs — this is a strong fraud signal.

Touch Support Mismatch

An Android device reports empty or incomplete touch support data. Real Android devices always have full touch capability — missing touch data strongly suggests a desktop emulator running an Android browser profile.

Using the Dashboard

Fraud Monitoring is designed as a triage tool. Recommended workflow:

1. Check the Approved/Declined chart — if the decline rate has jumped, investigate.
2. Review Detected indicators — sort by count to find the most active fraud vector.
3. Check Top Sales Countries — toggle to "Declined only" to see if fraud is concentrated in specific regions.
4. Inspect Top 10 Suspicious Offers/Publishers — drill into specific offers or publishers with high decline rates. Click a row to see which fraud indicators triggered for that entity.
5. Take action — from the drill-down, link directly to Conversion Scoring to approve, decline, or investigate individual conversions.

The dashboard uses a customizable date range. Quick presets: Today, Last 7 days, Last 30 days, Last 3 months. Use Refresh to reload after changing filters.

Last updated on Jun 05, 2026

About average risk score

The Average Risk Score feature helps you understand whether the traffic from a specific publisher is trustworthy or suspicious. It shows how often risky patterns were detected, how severe they are, and gives a clear overview of each publisher's traffic quality — broken down by publisher + subsource pair.

Use this tool to:

- Decide how many risk points warrant flagging or blocking conversions
- Enable conversion hold (retention mode) for suspicious publishers
- Block specific publishers or subsources whose traffic underperforms on certain offers

How Risk Scoring Works

Every incoming click is analysed by the fraud detection system. When certain characteristics match known fraud indicators, the click is assigned risk points. The more indicators that match, the higher the score.

Risk scores are calculated per conversion and then aggregated by publisher + subsource pair. This gives you a per-stream view of traffic quality — a publisher might have excellent traffic from one subsource and problematic traffic from another.

The Report Table

The report is grouped by Publisher + Subsource pairs. Each row represents a unique traffic stream.

- Publisher — Publisher name, alias, and subsource identifier
- Count — Total number of conversions in the selected period
- Triggered — Percentage of conversions where at least one risk pattern fired
- Avg — Average risk score across all conversions for this pair

Risk Indicator Columns

Following the summary columns, each known fraud signal appears as its own column showing:

- Triggered count — how many times this indicator fired for this publisher+subsource
- Percentage — what portion of total conversions triggered this indicator

The full set of tracked indicators:

- Duplicate Fingerprint — Same device fingerprint reused across conversions
- Same IP — Too many conversions from the same IP address
- OS Mismatch — Device OS doesn't match expected values (likely an emulator)
- Connection Type Mismatch — Traffic from unexpected network types (proxy, VPN, corporate)
- Language Mismatch — Device language doesn't fit the geo (risk of fake users)
- Autonomous System Mismatch — Traffic from data centres or cloud providers
- Timezone Mismatch — Time zone doesn't match geo (common for location spoofing)
- Touch Support Mismatch — No touch support on a device that should have it (emulator signal)
- Motivated Source — Traffic appears incentivised (social/incentive platform referrers)
- Windows Conversions — Over 90% Windows-based traffic (WinSock detection, suggests bot farm)

Each indicator cell includes icons to quickly communicate severity — warning, clock, dollar, windows, and risk-type icons. Click the More button on any row to drill into the details for that publisher+subsource pair.

Taking Action Based on Risk Scoring

Once you've analyzed a publisher's risk profile, you have several options.

Blocking Publishers

If a publisher consistently triggers fraud patterns and maintains a high average risk score, you can block them from working with specific offers or from the platform entirely. Review their risk score and identify recurring fraud indicators before taking this step.

Blocking Sub-Sources

For affiliate publishers generating traffic through multiple sub-sources, you may choose to block specific sub-sources rather than the entire publisher. This lets you cut off problematic traffic streams while keeping quality streams active.

Conversion Retention Mode

If a publisher's traffic shows signs of potential fraud but isn't clearly malicious, you can enable Conversion Retention Mode. This temporarily holds conversions for manual review before they are processed and paid out. It acts as a safety net — fraudulent conversions are caught before money moves, while legitimate conversions can be approved after inspection.

Auto-hold

If you determine that traffic past a certain risk score disproportionately hurts the bottom line, you may choose to set a risk score limit that puts conversions matching or exceeding the limit on auto-hold: they won't be presented or credited to publishers, and a manager will have to decide whether to confirm or decline them. You can set auto-hold on three levels:

- System-wide level - applies to all offers and publishers, unless overridden
- Offer level - applies to all conversions for this offer unless overridden on publisher level
- Publisher level - sets a max risk score for this publisher to have conversions auto-approved

Auto-decline

Same as for auto-hold, except that conversions are not withheld for review but automatically declined, without announcing them to publishers.

Recommended Workflow

1. Filter by date range — use the date picker with quick presets
2. Review Publisher + Subsource rows — sort by Triggered % or Avg score to find the worst performers
3. Inspect risk indicator columns — identify which fraud signals are driving the score for each pair
4. Drill into details — use the More button to see the full breakdown per publisher+subsource
5. Take action — block the publisher, block a specific subsource, or enable retention mode

Use the Filters panel to narrow results by publisher, offer, or date. The Reset button clears all filters. The footer provides pagination for large result sets.
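
The three-level limits described under Auto-hold and Auto-decline above, and under Conversion auto-delay in the Conversion Scoring article, can be modelled as follows. This is an added example, not UCLIQ's code: the names `Limits` and `Policy`, the per-field fallback between levels, the decline-before-hold ordering and all threshold values are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Limits:
    hold: Optional[int] = None       # None = not configured at this level
    decline: Optional[int] = None

@dataclass
class Policy:
    system: Limits
    offers: dict = field(default_factory=dict)       # offer id -> Limits
    publishers: dict = field(default_factory=dict)   # publisher id -> Limits

    def effective(self, offer_id, publisher_id):
        """Most specific level that sets a value wins: publisher, then offer, then system."""
        levels = [self.publishers.get(publisher_id), self.offers.get(offer_id), self.system]

        def pick(attr):
            return next((getattr(lvl, attr) for lvl in levels
                         if lvl is not None and getattr(lvl, attr) is not None), None)

        return Limits(pick("hold"), pick("decline"))

    def decide(self, score, offer_id, publisher_id):
        lim = self.effective(offer_id, publisher_id)
        # Assumption: the decline limit is checked first when both limits are met.
        # "Matching or exceeding" the limit triggers the action, hence >=.
        if lim.decline is not None and score >= lim.decline:
            return "auto-decline"
        if lim.hold is not None and score >= lim.hold:
            return "auto-hold"
        return "approve"

# Constructed sample configuration.
POLICY = Policy(
    system=Limits(hold=60, decline=100),
    offers={"offer-7": Limits(hold=40)},            # stricter hold for one offer
    publishers={"pub-trusted": Limits(hold=80)},    # looser hold for one publisher
)

if __name__ == "__main__":
    for args in [(50, "offer-1", "pub-x"), (50, "offer-7", "pub-x"),
                 (50, "offer-7", "pub-trusted"), (100, "offer-7", "pub-trusted")]:
        print(args, "->", POLICY.decide(*args))
```

A publisher-level limit looser than the system limit lets higher-scoring traffic from that publisher through without review, so publisher overrides are worth auditing alongside the average risk score report.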

Last updated on Jun 05, 2026