Fraud prevention solutions succeed on the strength of the data underpinning their models. The more data available and the greater the quality of that data, the more precisely a model (or rules system) can differentiate legitimate identities from fake or stolen ones.
SentiLink's team continually hunts for new signals that help sharpen that differentiation. With the release of the latest version of our Identity Theft Model (1.9.1), we’re sharing how an unusual pattern spotted during case review led to a new feature that detects identity theft with high precision and minimal false positives.
Observation: a curious mismatch
As more consumers apply for financial products on their phones, IP address metadata has become a powerful tool for fraud detection. An IP address, when used in combination with personal information, can provide an additional layer of insight without introducing friction for applicants. During routine review of identity theft cases, one of our product managers noticed something surprising: in several confirmed identity theft applications where the device was a mobile phone and the IP address was associated with a cellular connection, the phone’s carrier and the internet service provider (ISP) associated with the IP did not match.
Intuitively, we expect two situations when someone applies on their phone:
- They’re on Wi‑Fi (in which case a mismatch makes sense because the ISP reflects the Wi‑Fi provider)
- They’re on cellular data (in which case the ISP should match the phone carrier)
Seeing a mismatch in cases when the user was on cellular data raised suspicions of hidden manipulation, possibly by fraudsters masking their identity.
Hackathon test: from curiosity to evidence
Curiosity turned into action during an internal hackathon. The product manager built a prototype to evaluate this signal. They controlled for obvious confounders, such as VPN/proxy use and Wi‑Fi connections, and isolated cases where:
- The phone number was associated with a mobile device,
- The IP address indicated a cellular connection (non‑Wi‑Fi),
- No VPN or residential proxy was detected, and
- The ISP did not match the declared phone carrier.
The results were compelling. In a retrostudy spanning thousands of applications, this mismatched condition appeared rarely among legitimate applicants but frequently in confirmed cases of identity theft.
Preliminary analysis showed very high precision and a very low false‑positive rate. In other words, when this pattern surfaced, it almost always signaled fraud.
Integration: a new feature in v1.9.1
The decision to include it in v1.9.1 of our identity theft model was straightforward based on the hackathon results. During implementation, however, we encountered the messy reality of network data. Network ownership information can be inconsistent because carriers and ISPs constantly merge and acquire one another. An IP might still list the pre‑acquisition ISP even though it’s now part of the applicant’s carrier. If uncorrected, our logic would have incorrectly flagged these legitimate scenarios as mismatches.
To avoid those false positives, our data science team built and maintains a lookup table of known acquisitions and corporate relationships. When an applicant’s carrier and IP‑reported ISP appear different, we now check this table to see whether they’re actually part of the same parent company. Only genuine mismatches—where no corporate connection exists and the other criteria (mobile device, cellular connection, no proxy) are met—trigger the new binary flag. Thanks to this rigorous data‑quality work, the carrier–ISP mismatch signal is part of our new Identity Theft Model v1.9.1 and is available via API.
Why this matters
Identity thieves constantly look for new ways to mask their footprints, and our teams are committed to staying one step ahead. The addition of the carrier–ISP mismatch feature illustrates how observational insights, tested through rigorous analysis, can translate into tangible model improvements.
Looking ahead
We will continue to monitor the performance of this feature and explore related signals as fraud tactics evolve.
If you’re interested in how SentiLink’s Identity Theft Model v1.9.1 can help your organization fight identity theft, please get in touch! Our experts are ready to share best practices and recommend strategies tailored to your business needs.
