Bizarre browsing habits, sneaking IP moves, shifty typing: How startups are sniffing out digital fraudsters

It started with something small—a loan application that just didn’t feel right. The customer moved through the app too quickly, the way he typed, even how he held his phone—silent alarms were triggered. On the surface, nothing seemed amiss, but under the hood, an AI-powered system picked up subtle signals suggesting that this wasn’t a legitimate user. It was a fraudster, trying to slip through the cracks.

In seconds, a major fraud attempt was thwarted by Bengaluru-based identity verification platform Bureau. “You need to think like a hacker but be on the right side,” says Growth head Nikhil Jois.

Bureau is one of many companies in India’s rapidly growing ecosystem of identity verification and fraud detection startups. Other prominent names include IDfy, Signzy, Perfios, Hyperverge and newer players like Digitap, Surepass, BeFiSc and Ongrid which are developing advanced tools and algorithms to help banks, fintech companies, non-banking financial companies (NBFCs), e-commerce platforms, gaming apps, matrimonial apps, etc., identify and prevent fraud before it infiltrates their systems disguised as “genuine customers”.

No complex passwords or conspicuous alarms here—just a hidden layer of security that doesn’t activate just on cue like traditional KYC or know your customer processes but instead analyses thousands of data points to detect abnormalities.

These data points, far from isolated, are funnelled into highly sophisticated algorithms built by these startups. They include public data like Aadhaar numbers, PAN cards, criminal records and consent-based alternative data such as location (IP address), browsing history, device analytics, social media footprint, purchase history, behaviour with the app or digital transactions, creating a detailed pattern or anomaly.

Thinking like a hacker

“The four questions we answer as a company are: does the customer exist, is the person doing the transaction the one they claim to be, have they committed fraud before, and are they likely to do so in the future? These are the broad areas we focus on, and our solutions are designed to address them,” explains Ashok Hariharan, co-founder and CEO of Mumbai-based IDfy, which boasts around 100 products to assess individuals or entities.

In the shadows of digital transactions, companies are leveraging these insights to fight fraud.

For instance, Bureau works with over 130 enterprises, including seven banks and 40 NBFCs, providing a crucial buffer against fraudsters. “More than 60 percent of fraudulent accounts have perfect KYC,” says Jois “KYC is necessary from a compliance perspective, but it's not foolproof. You need a holistic perspective on identity and intent."

Identity verification: Is that really you?

The bulk of startups working in this ecosystem focus on building end-to-end solutions for financial institutions. This begins with simple identity verification by checking public documents and completing video KYC for enrolling customers. Multiple APIs or application programming interfaces are integrated, pulling data from public databases like the Ministry of Corporate Affairs, court records and income tax returns. The entire process is automated, but verifying the legitimacy of the documents is just the beginning.

IDfy, for example, deploys an additional artificial intelligence (AI) layer to detect tampering or forgery. Using optical character recognition, the system extracts data from documents and cross-references it with official databases. Inconsistencies, such as mismatched fonts or altered image sizes, are flagged. “If someone tries to manipulate a birthdate on an ID, our system can detect anomalies like blurred text or unusual spacing,” explains Hariharan.

Basic video KYC is also getting a makeover as the threat of deepfakes becomes more prevalent.

According to AI Foundation’s 2023 report, deepfake-related incidents have spiked by 300 percent over the past year, presenting a growing challenge for ID verification systems. “We scrutinise key indicators like inconsistencies in facial movements, lighting and pixelation patterns. Our proprietary models can identify discrepancies in micro-expressions and natural eye movements that are difficult to replicate accurately in deepfake videos,” Hariharan adds.

Platforms such as Signzy, Bureau and Perfios use similar technologies to detect live users during video KYC. “We match real-time biometric data, like facial recognition, against stored Aadhaar data to verify that the person presenting the ID is the same as the registered individual,” explains Ankit Ratan, co-founder at Signzy.

As identity verification systems become more sophisticated, AI-driven technologies are transforming the way organisations combat fraud. Technology consulting company Gartner predicts that by 2025, AI-powered identity verification will reduce identity fraud losses by up to 75 percent for companies that adopt these technologies.

Underwriting a loan has evolved since such platforms came into being. Once the document verification process is complete, the next layer of scrutiny involves assessing a borrower’s monetary history. Background checks include criminal records, balance sheets and the financial health of an individual or entity. IDfy, for instance, assigns risk scores to individuals and entities based on data points, providing banks with insights into high-risk individuals.

“For background checks on small and medium-sized enterprises (SMEs), we look at various data points—filings, returns, business alliances, adverse media mentions and even social media profiles—to get a holistic picture of a business’s intent,” says Ratan.

ALSO READ: A sneak peek into I4C: Tackling India’s rising fintech frauds, one mule account at a time

Detecting anomalies: Claiming to be in Patna, logging in from Paris!

“Detecting anomalies isn’t just about checking documents. It involves understanding the digital footprint left behind by users and seeing if their behaviours align with their claims,” says Jois.

Platforms are now tracking device data, including the unique device fingerprint, hardware and software signals, VPN or virtual private network, proxy emulator, bot, remote viewer, spoofing, rooted device checks, TrueOS, true IP checks and so on.

For example, if a user claims to be in a rural area of Maharashtra but is using an IP address commonly associated with urban fraudsters or even another country, it raises a red flag, says Ratan.

He cites a real case Signzy, which recently launched a dedicated stack for fraud called Muleshield, encountered: a person logged into a financial platform claiming to be in a rural area of Rajasthan. The plattform, however, detected that the user was accessing it from an IP originating from Eastern Europe! This immediately set off alarm bells. Muleshield claims to have detected over 4 lakh mule accounts in the last eight months.

"How could someone sitting in a village use an IP address from Europe?" he asks rhetorically. It turns out, this was a classic case of a fraudster using a VPN to mask their actual location. VPNs can make it appear as though a person is logging in from anywhere in the world, allowing fraudsters to manipulate their identity and geographic location to bypass regional checks.

Further, a fraudster may use high-end browsers more common in urban settings, even when claiming to be from a rural area—raising a doubt.

Decoding the “digital” body language

“If you think about a fraudster sitting in Jamtara or Bharatpur, they have almost unlimited access to identities and phone numbers. What costs them money is the devices—whether a mobile phone or laptop. If I want to combat fraud, I have a better chance of targeting the device than the identity,” explains Jois.

Bureau has developed a “device fingerprint” that remains even after a factory reset. This fingerprint allows companies to block devices rather than just identities. “The way a fraudster holds a phone, types, swipes, taps, moves a mouse (digital body language) is different from how the legitimate owner does,” Jois adds. The system picks up on subtle cues, such as hesitation when typing or familiarity with an app interface, which can indicate whether a user is genuine or someone attempting a fraud.

In one instance, Bureau’s system detected a fraud ring attempting to exploit a banking app’s lending system by creating synthetic identities to take out loans just below the bank’s KYC threshold. The platform uncovered a cloned app that had been tampered with and identified users attempting to mask their IP addresses.

The power of intent data

Intent data, a key component in fraud detection, involves understanding a user’s actions and behaviours online to infer their intentions. By analysing browsing histories, social media activity and financial behaviours, banks can determine the likelihood of loan repayment.

“We look at whether someone is browsing financial planning websites or gambling platforms. This helps us create an intent score, which correlates with the likelihood of default,” explains Hariharan. For example, a fraudster may present legitimate documents but their browsing history may reveal a pattern that doesn’t match the behaviour of a genuine customer.

Signzy, which works with over 250 financial institutions globally, excels in spotting such irregularities. “In today’s world, browser-based intent data is incredibly useful. It helps us go beyond static identity checks and dig into how people behave online,” explains Hariharan.

Behavioural footprints provide a key source of fraud detection.

“One of the key things we look at is the behavioural footprint—what a user does online. Someone with a healthy browsing history of financial websites is more likely to exhibit financial discipline than someone with a disjointed, sporadic browsing pattern,” Ratan adds.

For a scammer, his unusual purchasing history on e-commerce websites like Amazon and Flipkart and conduct on social media platforms like Facebook, Instagram, Twitter or LinkedIn could also give him away. API have been integrated by some of these platforms to analyse and map the footprint, with consent.

Beyond BFSI

Fraud prevention technology has now moved beyond traditional financial sectors. E-commerce platforms, ride-hailing services, gaming apps and matrimonial platforms are leveraging the tools provided by the startups to not just sign up merchants, users and partners but also catch fraudsters who abuse the system, like promo codes and referral programmes.

“If I can tell you it’s the same device trying to sign up multiple times, you’re able to block it,” says Jois.

He also highlights the growing importance of trust in today’s business landscape. “Three years ago, we were seen as a cost centre. Today, banks brag about working with us. Trust is now a moat.”