| Display Name | ID / name | ID | Category (auto-assigned) | Disposition (auto-assigned) | Contexts | Description |
|---|---|---|---|---|---|---|
| Bonus Abuse | bonus_abuse | 4040 | Abuse | negative | Confidence, Source | Bonus Abuse is the gaming industry analog of Promo Abuse. A perpetrator signs up multiple times using different identities (often synthetic) to receive the same new customer bonus (free spins, introductory offers, sign-up promos etc). |
| Click Fraud | click_fraud | 4050 | Abuse | negative | Confidence, Source | Click Fraud is a type of abuse where the advertising budget of the victim (a business) is deliberately depleted by targeted bot (or script) based attacks. |
| Fake Listing | fake_listing | 4090 | Abuse | negative | Confidence, Source | Fake Listing Abuse occurs when an auction or marketplace listing is created for goods that do not exist. The perpetrator collects the money but does not ship the goods. |
| Fake Review | fake_review | 4020 | Abuse | negative | Confidence, Source | Fake Review Abuse involves the posting of fake reviews either by paid individuals, special groups or marketplaces or even traded directly between businesses to falsely boost the profile of legitimate business or legitimize fraudulent online businesses. |
| Phishing Content | phishing_content | 4095 | Abuse | negative | Confidence, Source | Phishing is a type of social engineering attack where the perpetrator sends a fraudulent message designed to trick the victim into disclosing sensitive information. |
| Promo Abuse | promo_abuse | 4010 | Abuse | negative | Confidence, Source | Promo Abuse (also known as discount fraud) occurs when a perpetrator abuses a business's promotional campaigns by using promo codes and discounts multiple times for financial gain. |
| Reseller Abuse | reseller_abuse | 4030 | Abuse | negative | Confidence, Source | Reseller abuse is performed by bots at scale, targeting time-sensitive, limited edition, discounted or discontinued stock. The goods obtained are then resold later at a profit because of the exclusive nature of the goods. Ticket sales, fashion, technology and events are often targeted by the perpetrator. |
| Inbound Spam | spam_inbound | 4070 | Abuse | suspicious | Confidence, Source | Inbound Spam occurs when a service or platform is used to send spam content to other users of the service/platform. |
| Outbound Spam | spam_outbound | 4080 | Abuse | suspicious | Confidence, Source | Outbound Spam occurs when a service or platform is used to send spam outside of the service/platform. |
| Toxic Content Abuse | toxic_content_abuse | 4060 | Abuse | suspicious | Confidence, Source | Toxic Content Abuse is the deliberate posting of offensive text or image content within a social media, forum or group platform. Hate speech, inappropriate images and bullying are all examples of toxic content abuse. |
| Account Lock | account_lock | 8400 | Authentication | negative | | The account has been locked after a number of failed login attempts or other suspicious behavior. |
| Challenged | challenged | 8200 | Authentication | suspicious | | The user was challenged due to risk. |
| Challenge Failed | challenge_failed | 8300 | Authentication | negative | | The user failed the challenge. |
| Challenge Passed | challenge_passed | 8250 | Authentication | positive | | The user successfully passed the challenge. |
| Challenge Timeout | challenge_timeout | 8350 | Authentication | suspicious | | The user did not respond to the challenge. |
| Login Failed | login_failed | 8150 | Authentication | suspicious | | The user failed authentication. |
| Login Passed | login_passed | 8100 | Authentication | positive | | The user successfully passed authentication. |
| Self Excluded | self_excluded | 8450 | Authentication | neutral | | Self Exclusion occurs when a user requests that a service not be provided to them. |
| Fake Crawler | fake_crawler | 7130 | Bot | suspicious | Source, Crawler Family | A Fake Crawler bot tries to appear as a real search engine bot by using the same user agent as Google, Yahoo, Bing etc. Fake crawlers often download (or scrape) the entire website content for malicious purposes. |
| Feed Fetcher | feed_fetcher | 7020 | Bot | neutral | Source, Crawler Family | Feed Fetchers crawl RSS or Atom feeds for news and other information feeds that are requested by app/service users. |
| Link Checker | link_checker | 7080 | Bot | neutral | Source, Crawler Family | Link Checkers are tools (often part of SEO) that scan a website to find broken links. Error pages caused by broken links lead to user friction and revenue loss. |
| Marketing Crawler | marketing_crawler | 7060 | Bot | suspicious | Source, Crawler Family | Marketing Crawlers are tools that are used to create screenshots and scrape content for automated competitive analysis and review of marketing trends and brands. |
| Screenshot Creator | screenshot_creator | 7120 | Bot | suspicious | Source, Crawler Family | Screenshot Creator bots can be used for testing to ensure pages are being displayed correctly. However, Screenshot Creator bots can also be used as proof that the content being scraped is the same as what is displayed on the page. |
| Search Engine Crawler | search_engine_crawler | 7100 | Bot | neutral | Source, Crawler Family | Search Engine Crawlers are good bots that continuously scan the internet, creating search indexes of pages. Search Engine Crawlers will obey robots.txt, XML sitemaps and nofollow tags. |
| Site Monitor | site_monitor | 7040 | Bot | neutral | Source, Crawler Family | Site Monitors periodically check websites to ensure and verify that a website is up and working so that website visitors can use the site as expected. |
| Speed Tester | speed_tester | 7070 | Bot | neutral | Source, Crawler Family | Speed testing tools are used for performance testing and tuning of websites. |
| Crawling Tools | tools_crawler | 7050 | Bot | neutral | Source, Crawler Family | Crawling Tools are used to optimize search engines, audit websites and scan website health. |
| Uncategorized Crawler | uncategorized_crawler | 7030 | Bot | negative | Source, Crawler Family | Uncategorized Crawlers are new crawlers that have not yet been categorized. Their behaviour is unknown and therefore poses a risk. |
| Virus Scanner Crawler | virus_scanner_crawler | 7110 | Bot | neutral | Source, Crawler Family | Virus Scanner Crawlers scan websites for suspicious code, malware and viruses. |
| Vulnerability Scanner | vulnerability_scanner | 7090 | Bot | neutral | Source, Crawler Family | Vulnerability Scanners are automated tools that allow organizations to monitor their networks and applications for security vulnerabilities. |
| Web Scraper | web_scraper | 7010 | Bot | suspicious | Source, Crawler Family | Web Scraping (web harvesting or web data extraction) is a software technique for extracting information from websites. |
| ATO - Misc | account_takeover | 3170 | Fraud | negative | Confidence, Source | Account Takeover fraud occurs when the perpetrator gains access to the account through various means (social engineering, stolen credentials or brute force) but does not immediately change passwords or details of the account which might alert the victim. |
| ATO - Change of Details | account_takeover_change_of_details | 3100 | Fraud | negative | Confidence, Source | Change of Details Account Takeover fraud occurs when the perpetrator gains access to the account through various means (social engineering, stolen credentials or brute force) and immediately changes the user's details, such as shipping address, phone number or even password. This type of attack may draw the attention of the victim, who in turn alerts the provider, so these attacks are often very targeted and short-lived in nature. The perpetrator's goal is to obtain the maximum financial benefit possible before the victim is alerted to the attack. |
| ATO - Social Engineering | account_takeover_social_engineering | 3080 | Fraud | negative | Confidence, Source | Social Engineering Account Takeover occurs when the perpetrator uses one or more Social Engineering attack vectors to trick the victim into providing their account and password information, allowing the perpetrator to take control of the victim's account. Attack vectors include Phishing, Scareware, Baiting, Pre-texting and Spear Phishing. |
| Benefit Theft Fraud | benefit_theft_fraud | 3150 | Fraud | negative | Confidence, Source | Benefit Theft Fraud is a specific type of First Party Fraud where the perpetrator is knowingly withholding information or deliberately falsifying information in order to claim benefits that they are not entitled to. |
| Chargeback - Payment Fraud | chargebacks_payment_fraud | 3050 | Fraud | negative | Confidence, Source | Chargeback fraud (also known as friendly fraud, or "gambler's regret" in the gambling industry) occurs when the cardholder denies having bought an item on a credit or debit card in order to get a refund from the card provider. |
| First Party Fraud | first_party_fraud | 3010 | Fraud | negative | Confidence, Source | First-party fraud is when a person knowingly misrepresents their identity or provides false information for financial or material gain. |
| Second Party Fraud | second_party_fraud | 3020 | Fraud | negative | Confidence, Source | Second-party fraud is when a person knowingly gives their identity or personal information to another person, for the purpose of committing fraud. |
| SIM Swap | sim_swap_fraud | 3030 | Fraud | negative | Confidence, Source | SIM swap fraud occurs when a fraudster contacts the victim's mobile phone carrier and tricks the carrier into activating a SIM card in the possession of the perpetrator, giving them control of the victim's phone number. This fraud is commonly performed as a means of bypassing phone-based two-factor authentication. |
| Ghost Broker | ghost_broker_fraud | 3040 | Fraud | negative | Confidence, Source | Ghost broking is a type of insurance fraud where the fraudster (aka ghost broker) will pretend to be a genuine insurance broker acting between the victim and a legitimate insurance company. The perpetrator will provide the victim with fake, forged or invalid insurance policies and profit by means of the premium/payment. |
| Identity Fraud - Stolen Credentials | identity_fraud_stolen_credentials | 3060 | Fraud | negative | Confidence, Source | Identity Fraud with Stolen Credentials is performed by a fraudster or fraud syndicate who have obtained stolen credentials on the dark web or via other means. The stolen credentials allow access to one or more accounts (such as an email address, or a phone via SIM swap fraud), which are then used to gain access to other accounts and subsequently take control of the victim's identity. |
| Synthetic Identity - Fraud | synthetic_identity_fraud | 3070 | Fraud | negative | Confidence, Source | Synthetic identity is fraud performed with a combination of fabricated and real identity data to form a synthetic identity that is not associated with a real person. |
| Money Mule - Money Laundering | money_mule_money_laundering | 3090 | Fraud | negative | Confidence, Source | Money Muling is a type of money laundering. A money mule is a person who receives money from a third party in to their bank account. The money mule either then transfers the money to another bank account or takes the money out in cash and hands it to someone else, effectively "cleaning the money". Money mules help criminal syndicates remain anonymous while transferring the proceeds of cybercrime. Money mules obtain a commission on the amount transferred as an incentive. |
| Scripted Attack Fraud | scripted_attack_fraud | 3110 | Fraud | negative | Confidence, Source | Scripted Attack fraud is performed using bot-scripts. Attacks involve multiple new accounts creating bulk fraudulent orders and the accounts typically disappear immediately following the attack. Scripted Attack fraud is often employed to leverage a known vulnerability and maximize the revenue of the attack before the vulnerability is patched. |
| Click and Collect Fraud | click_and_collect_fraud | 3120 | Fraud | negative | Confidence, Source | Click and Collect Fraud targets businesses that offer online purchase with in-store pickup. The perpetrator uses a stolen card or credentials to complete a purchase online, then collects the goods in-store before the stolen card or credentials are identified. Perpetrators deliberately target businesses that do not ask for identification or proof of purchase upon collection. |
| Subscription Fraud | subscription_fraud | 3130 | Fraud | negative | Confidence, Source | Subscription Fraud involves signing up to new telecom contracts or services with a valid authorization, but no intent of paying for the products or services. Typically Subscription Fraud involves stolen and occasionally synthetic identities. |
| Collusive Payment Fraud | collusive_payment_fraud | 3140 | Fraud | negative | Confidence, Source | Collusive Payment fraud occurs when two or more perpetrators conspire to defraud another participant (the victim, another business) in a digital transaction involving multiple participant groups. In this scenario the perpetrators appear as a legitimate user and one or more legitimate businesses. The perpetrator purchases goods from a colluding business participant in order to earn cashback reward points. Once the reward points have been consumed, the colluding business participant cancels the purchase and refunds the original sum to the user, citing a reason such as unavailability of stock. At this point the cashback rewards are not recoverable. |
| Claims Fraud | claims_fraud | 3160 | Fraud | negative | Confidence, Source | Insurance Claims Fraud generally falls into a few categories, from unintentional, opportunistic through premeditated deliberate fraud. The perpetrator gains a financial advantage by defrauding the insurer via claims where there has been no actual loss. |
| Trusted Identity | trusted_identity | 9100 | Identity | positive | Confidence, Source | A Trusted Identity has been manually verified as a legitimate user. Typically this is Added and Checked against multiple Identifiers. |
| Data Breach | data_breach | 9200 | Identity | suspicious | Confidence, Source | A Data Breach occurs where personal information of users is lost, stolen or taken without authorization. This not only results in damage to the target company's reputation, but also often identity theft and financial loss for the victims whose information is stolen. |
| Identity Theft | identity_theft | 9300 | Identity | negative | Confidence, Source | Identity Theft is the use of stolen personal identifying information by a perpetrator to commit fraud or other crimes. |
| Allow List | allow_list | 1100 | Lists | positive | | An Allow List is used to bypass fraud or abuse decisioning that results in false positives. This is often used as a temporary, immediate fix until the decisioning can be updated to prevent the false positive. |
| Block List | block_list | 1200 | Lists | negative | | A Block List is used to block Identifier attributes that are almost always associated with fraudulent or abusive behaviour. The financial or security risk greatly outweighs the benefits of allowing the event to proceed. |
| Watch List | watch_list | 1300 | Lists | suspicious | | A Watch List is used to monitor the behaviour of suspicious Identifier attributes that are currently suspected of fraud, abuse or other undesired behaviour. |
| Monitor List | monitor_list | 1400 | Lists | neutral | | A Monitor List is used for passive monitoring of specific Identifier attributes for logging, reporting, analysis, investigative or compliance purposes. The fact that an identifier is on a Monitor List should not impact any fraud, abuse or other decision made in relation to the identifier. |
| VIP List | vip_list | 1500 | Lists | positive | | A VIP List is used to shield important/frequent customers from friction that occurs as a result of false positives. Only verified, well known customers with no history of fraud or account takeover should be added to the VIP List. |
| Onion Router | onion_router | 6010 | Risk | suspicious | Source | An Onion Router is part of the TOR network, routing traffic from one node to the next. Whilst TOR traffic does not exit from the router node onto the internet, the fact that a routing node is performing events is suspicious. |
| TOR Exit Node | tor_exit_node | 6020 | Risk | negative | Source | A TOR exit node is the last node that traffic passes through in the TOR network before exiting onto the internet. The TOR network's intended purpose is to protect the user's privacy, freedom and ability to communicate confidentially. This anonymity is frequently abused by cybercriminals and fraudsters to make their activities untraceable. |
| Anonymous Proxy | anon_proxy | 6030 | Risk | suspicious | Source | Anonymous Proxies identify themselves as a proxy service to the web server, but do not disclose or leak the IP address of the user. Anonymous proxies are often paid services used legitimately by people wanting to keep their identity and activity hidden. Anonymous proxies are sometimes utilized by hackers and cyber criminals to help cover their tracks. |
| Open SOCKS Proxy | open_socks_proxy | 6040 | Risk | suspicious | Source | Unlike an Open Proxy, an Open SOCKS Proxy enforces data security via encrypted tunnelling, and the user of the proxy is less likely to have their information stolen. However, the fact that the proxy is open means that anyone on the internet can connect to and freely use the proxy. Hackers and cybercriminals use open proxies to hide their identity when performing attacks. |
| Bitcoin Node | bitcoin_node | 6050 | Risk | suspicious | Source | A Bitcoin Node is constantly running the Bitcoin Core, storing the entire blockchain and also processing new transactions as they happen. |
| CGI Proxy | cgi_proxy | 6060 | Risk | negative | Source | CGI (Common Gateway Interface) Proxies are a type of anonymous proxy that provides its service via web forms. Because the CGI proxy is web-based, it allows users to bypass proxy detection. This also poses a great risk for the user of the CGI proxy, as all passwords and sensitive information entered are often written directly to web logs that the CGI proxy operator can access. |
| Open Proxy | open_proxy | 6070 | Risk | negative | Source | Most open proxy servers are run by hackers and cybercriminals in order to steal logins, identity and credit card data. In some cases the web pages and JavaScript are modified on their way through the open proxy in order to collect additional identity information or to perform attacks from the victim's device to cover their tracks. |
| Web Attack | web_attack | 6080 | Risk | negative | Source | Web Attack Sources scan websites for vulnerable web applications and also attempt brute force logins. |
| SSH Attack | ssh_attack | 6090 | Risk | negative | Source | SSH Attack Sources run attacks against SSH services attempting to find and exploit vulnerabilities. |
| Mail Attack | mail_attack | 6100 | Risk | negative | Source | Mail Attack Sources run attacks against Mail, SMTP, IMAP and POP3 services attempting to find and exploit vulnerabilities. |
| Anonymous VPN Service | anon_vpn_service | 6110 | Risk | suspicious | Source | Commercial Anonymizing VPN services are used by customers who wish to keep their identity anonymous. Cybercriminals and hackers may also use commercial VPN services to cover their tracks. |
| VoIP Fraud | voip_fraud | 6120 | Risk | negative | Source | VoIP fraud occurs when the perpetrator uses VoIP services with no intention of paying for them. |
| Cybercrime | cybercrime | 6130 | Risk | negative | Source | Cybercrime is any criminal activity that is carried out using computers, networked devices or a network. |
| Malware | malware | 6140 | Risk | negative | Source | Malware is malicious software that is designed to harm or exploit devices, services or networks. |
| Bot Abuse | bot_abuse | 6150 | Risk | negative | Source | |
| Cookie Copying | cookie_copy | 7070 | Risk | negative | Source | Cookie Copying occurs when the perpetrator obtains a browser cookie from the victim's device and then uses that browser cookie value on their own device in order to impersonate the victim, taking control of their web session. |
| Schema Validated | schema_validated | 5020 | Security | positive | | The API payload was successfully validated against the schema. |
| Schema Violation | schema_violation | 5030 | Security | negative | | The API payload failed validation against the schema. |
| Additional Payload | additional_payload | 5040 | Security | suspicious | | The API payload contains additional data that is not part of the schema. |
| Incorrect Format Data | incorrect_format | 5050 | Security | suspicious | | The API payload contains incorrectly formatted data. |
| False Positive | false_positive | 2100 | Truth Data/Review | positive | Confidence | A false positive was generated by a model. |
| False Negative | false_negative | 2200 | Truth Data/Review | negative | Confidence | A false negative was generated by a model. |
| Operator Review Passed | operator_review_passed | 2300 | Truth Data/Review | positive | Confidence | The event has passed manual review by an operator after being marked for review by the workflow. |