Map signals to your risk surfaces: The first step every fraud leader should take
I've spent the last decade building fraud prevention programs as an in-house leader and as a consultant for early-stage startups and large enterprise organizations. Companies typically bring me in when fraud losses are starting to hurt their growth, or when they realize their current approach isn't working.
Regardless of company size or industry, I face the same problem every time: figuring out where fraud occurs and how to use limited resources for the greatest effect.
You may have access to a lot of data, including transaction logs, user behavior analytics, third-party signals, and internal reports. But raw data isn't insight. Without a clear map of your risk landscape, you're essentially fighting fraud blindfolded.
I start every new team with an exercise. We map our risk surface area. Then, we identify signals that help us spot and deter bad actors in each area. It's foundational work that shapes everything we build afterward.
Identify your risk surface area
Your risk surface area includes every step in your user journey where fraud can occur. The best way to map this is to walk through your product as a legitimate user, and then start over from the first interaction and pretend to be a bad actor.
Let’s walk through an example for an online marketplace. A marketplace has different processes and risks than a lending platform, subscription service, or other business, but the process is the same.
Start with the good user’s journey. For example, a new buyer on your marketplace might:
Visit your website or mobile app
Create an account and verify their email or phone number
Add payment info to their account
Make their first transaction using a coupon code for new users
Refer a friend to earn store credit
Ask to reset their password a few months later
As you walk through each step, ask, "What could go wrong here? What would a fraudster try to do at this moment?" Also consider what could affect the fraudster’s capabilities and motivations, including return policies, referral programs, and temporary promotions.
For example, a bad actor might create an account using stolen credentials or a synthetic identity, test stolen credit cards at checkout, or attempt to take over someone else’s account.
6 steps to map your risk signals and fight fraud
The real work happens when you start figuring out how to stop fraudsters across your entire user life cycle. For each risk surface you find, list the signals that can help detect fraud patterns and support your decisions.
1. Start with what you already have
Most fraud teams are sitting on more useful data than they realize. You're probably already collecting device fingerprints, IP addresses, and behavioral signals, like completion times, distraction events, and transaction patterns.
Make an inventory of existing signals across all your systems. Classify each one, but don't worry about signal type, strength, or making connections across systems right now. Just map what's available for each risk surface.
2. Layer passive, behavioral, and active signals
The best fraud strategies mix various signals to increase fidelity and create a clearer view of risk or trust. Some of the common types of signals you can use are:
Passive signals, like device fingerprints and geolocation, give you information without adding friction.
Behavioral signals, like whether someone is copying and pasting credentials or using autofill, depend on how users interact with your platform.
Active signals, like selfie liveness and email 2FA, come from verification checks that require users to take an additional action.
For each risk surface, identify which combination of signal types gives you the best coverage.
For example, if you identified account takeovers as a potential threat, you might turn to a combination of passive signals, like a new device and unusual location. Or, you might combine passive signals with behavioral signals, such as fast form completion or several failed login attempts.
Or, perhaps you see the checkout process as a particularly large risk area, and you find that transaction velocity signals combined with the device fingerprint and address verification provide good coverage.
3. Consider signal reliability and context
Not all signals carry equal importance, and context matters enormously. A VPN connection can be normal for your users. However, it might raise concerns if other things look amiss. A user logging in from new places might mean the account is compromised. But it could also mean the legitimate user is traveling.
This is why understanding your baseline is crucial. What does normal user behavior look like for your platform? How do legitimate users typically interact with your verification flows? Bad actors often show their true selves by straying from these patterns in small but noticeable ways.
4. Figure out how to connect signals
Some organizations run into issues because their data exists in silos. Their payment processor, analytics platform, and internal systems all capture part of the picture, but they need a way to connect everything together.
Addressing the issue requires deliberate infrastructure choices. Some companies build internal orchestration layers that pull data from multiple sources in real time. Others invest in fraud platforms that can ingest signals from various APIs and apply rules across the platform.
The key is avoiding the temptation to build point solutions for each risk area. You need a system that can correlate a user’s device fingerprint with their payment behavior from your processor and their verification status from your identity provider.
5. Build and revise rules
You can start making big gains once your connected systems are in place and you create multi-signal rules.
For example, instead of flagging every user with a VPN, you might flag users making a high-value purchase who also have a VPN, new device, and rapid form completion. Each signal might be benign on its own, but the combination reveals suspicious intent.
Start with simple rules and iterate. You might need to include new risk signals as fraudsters change tactics or remove signals that are leading to false positives. You’ll also have to monitor performance and adjust thresholds based on the specific fraud patterns you see.
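The correlation in step 4 and the multi-signal rule above, as an added example (not code from this article or from any vendor's product). It joins three constructed data sources by user ID and compares a VPN-only rule with the combined rule. All names, thresholds, and sample records are hypothetical, and sending incomplete data to manual review is an assumption of the example.

```python
# Constructed sample data from three siloed sources, keyed by user_id.
DEVICE = {  # device-intelligence feed
    "u1": {"vpn": True, "new_device": False},
    "u2": {"vpn": True, "new_device": True},
    "u3": {"vpn": False, "new_device": True},
    "u4": {"vpn": True, "new_device": True},
}
FORM_SECS = {"u1": 48.0, "u2": 3.1, "u3": 40.2, "u4": 2.5}  # front-end analytics
PAYMENTS = [  # payment-processor events; u5 has no device or form data
    {"user_id": "u1", "amount": 950.00}, {"user_id": "u2", "amount": 1200.00},
    {"user_id": "u3", "amount": 35.00}, {"user_id": "u4", "amount": 20.00},
    {"user_id": "u5", "amount": 2000.00},
]
HIGH_VALUE = 500.00   # assumed threshold
FAST_FORM_SECS = 5.0  # assumed threshold
SIGNALS = ("high_value", "vpn", "new_device", "fast_form")

def correlate(payment):
    """Join one payment with the device and form signals for the same user."""
    uid = payment["user_id"]
    dev = DEVICE.get(uid)
    secs = FORM_SECS.get(uid)
    return {
        "user_id": uid,
        "high_value": payment["amount"] >= HIGH_VALUE,
        "vpn": dev["vpn"] if dev else None,
        "new_device": dev["new_device"] if dev else None,
        "fast_form": secs < FAST_FORM_SECS if secs is not None else None,
    }

def multi_signal(view):
    """Flag only when all four signals fire together."""
    values = [view[s] for s in SIGNALS]
    if any(v is None for v in values):
        return "review_missing_data"  # assumption: a data gap goes to manual review
    return "flag" if all(values) else "allow"

def vpn_only(view):
    """Naive single-signal rule, for comparison."""
    return "flag" if view["vpn"] else "allow"

def run(payments=PAYMENTS):
    """Return {user_id: (vpn_only decision, multi_signal decision)}."""
    views = [correlate(p) for p in payments]
    return {v["user_id"]: (vpn_only(v), multi_signal(v)) for v in views}

if __name__ == "__main__":
    for uid, decisions in run().items():
        print(uid, "vpn-only=%s multi-signal=%s" % decisions)
```

On this sample the VPN-only rule flags three users, while the combined rule flags only the one high-value purchase where VPN, new device, and rapid form completion all coincide.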
6. Revisit this exercise regularly
Now that you’ve mapped your risk surfaces, found relevant signals, and set up context-aware rules, you can make better decisions about tools and process improvements. But the work doesn’t end there.
Try to do this exercise quarterly when you're building your program, and annually once you're more established. Fraud patterns evolve, your business grows, and new attack vectors emerge. Your risk surface mapping should evolve with them.
Why this exercise pays off
By designing your strategy from the ground up, you’ll know how to prioritize engineering resources and design verification flows that balance security and user experience. It’s also important for building a fraud prevention strategy that grows with your business.
Additionally, the mapping exercise reveals gaps in your current coverage. Maybe you have strong signals for payment fraud, but limited visibility into synthetic identities. Or perhaps you're collecting behavioral signals but aren’t using them effectively in your decision-making process.
The fraud landscape changes constantly, but the fundamentals remain the same: understand where you're vulnerable, identify the signals that reveal threats, and build systems that connect those signals into actionable insights.
Get this foundation right, and everything else becomes significantly easier.
For a closer look at using the signals-based approach, check out Persona’s new ebook, Leader’s guide: signal-based fraud strategies. It provides real-world examples and frameworks to turn disconnected data into actionable insights.
