Skip to main content

Data Enrichment for Fraud Rules

On this page
Prerequisites

Before adding enrichment, understand:

TL;DR
  • Data enrichment = looking up what you don't know about a transaction via API. No SDK, no client-side code. Just server-side calls
  • Start free: MaxMind GeoLite2 (IP) costs nothing. IPQS offers a free plan (limited lookups) to test email/phone/IP signals
  • All-in-one options: IPQS and SEON bundle IP + email + phone lookups into a single API
  • Enrichment feeds rules, it doesn't block anything alone. You still need a rules engine to act on the signals
  • Don't double-buy: If you're already on Sift, Sardine, or Kount, these signals are baked into your platform

Data enrichment is the cheapest and simplest layer you can add to your fraud stack. You send a data point (an IP address, an email, a phone number) to an API and get back context: Is the IP from a datacenter? Is the email 2 days old? Is the phone a burner?

That context feeds your fraud rules. Enrichment doesn't make decisions. It gives your rules better information to make decisions with.

What Data Enrichment Is (and Isn't)

Enrichment is a specific layer in the fraud stack. It's easy to confuse with related concepts:

Data EnrichmentDevice FingerprintingIdentity VerificationFull-Stack Platform
What it doesLooks up context on IP, email, phone via APICollects device/browser attributes via client-side SDKConfirms a person's identity (documents, liveness, KYC)Combines enrichment, fingerprinting, ML, and decisioning
IntegrationServer-side API callJavaScript SDK or mobile SDKSDK + user-facing flowSDK + API + dashboard
Customer frictionNoneNoneHigh (document upload, selfie)Varies
CostFree tiers available, paid from $99/month$0.002-0.05/session$0.50-5.00/check% of GMV or per-transaction
ExamplesMaxMind, IPQS, AtData, TelesignThreatMetrix, Fingerprint, SardineSocure, Veriff, PersonaSift, Sardine, Signifyd

The key difference: enrichment requires no SDK and no customer interaction. You make an API call from your backend, get signals back, and feed them into rules. It's the cheapest layer to add and the fastest to integrate.

Do You Need Standalone Enrichment?

Not always. Here's the decision tree:

  • Already on a full-stack fraud platform (Sift, Sardine, Signifyd, Forter, Kount)? These platforms consume IP, email, and phone signals internally - often from MaxMind, Emailage, and carrier data feeds. Adding standalone enrichment on top is redundant. Ask your vendor what signals they already use before buying anything on this page.
  • Using processor tools only (Stripe Radar, Adyen RevenueProtect) and want more signal without the cost of a full platform? Enrichment is your best next step. It's cheap, fast to integrate, and gives you data to write smarter rules.
  • Evaluating whether to buy enrichment vs. a full-stack platform? See What to Buy by Merchant Size below. The answer depends on volume and fraud complexity. Enrichment is a stepping stone, not a destination - most merchants who grow past $5M eventually move to a full-stack platform or a guarantee provider that includes these signals.

IP Intelligence

IP enrichment is the most common starting point. Every transaction has an IP address, and a single API call tells you whether that IP is suspicious.

Signals

SignalWhat It Tells YouFraud Relevance
GeolocationCountry, region, city, lat/longCompare to billing/shipping address, card country
IP typeResidential, datacenter, mobile, educationDatacenter IPs are 20-50x more likely to be fraud
VPN detectionWhether the IP belongs to a known VPN providerVPN + country mismatch = higher risk
Proxy detectionOpen proxy, anonymous proxy, residential proxyResidential proxies are harder to detect and increasingly used in fraud
Tor exit nodeWhether the IP is a known Tor exitVery high risk for e-commerce transactions
ISP/ASNInternet service provider, autonomous system numberHosting providers (AWS, DigitalOcean) vs. consumer ISPs (Comcast, BT)
Connection typeBroadband, cellular, satelliteUnexpected types for the transaction context
IP age/first seenHow long the IP has been active in the vendor's networkBrand-new IPs (recently provisioned VPS) are higher risk
Risk scoreComposite score combining multiple signalsQuick triage - dig into components for rule building

Vendors

VendorWhat You GetFree TierPaid Pricing
MaxMindGeoIP2 (geolocation, ISP, connection type) + minFraud (risk scoring, device, email, phone)GeoLite2: free database with city/country/ASN accuracyGeoIP2 Web: $0.0001-0.002/query depending on tier. minFraud: from $0.005/query
IP2LocationGeolocation, proxy detection, VPN, Tor, ISPLITE: free database downloadAPI plans from $49/month. Database subscriptions from $99/year
IPQSIP + email + phone + device in one APIFree plan (limited daily lookups)From $99/month (5K lookups). Volume discounts at higher tiers

MaxMind is the industry standard. GeoLite2 is free and good enough for basic geolocation. The paid GeoIP2 databases add accuracy, and minFraud adds risk scoring with email, phone, and device signals. Most fraud platforms (Sift, Kount, Sardine) use MaxMind data under the hood.

IP2Location is a budget alternative. Their LITE database is free, and downloadable databases let you run lookups locally instead of making API calls per transaction.

IPQS bundles IP intelligence with email, phone, and device signals into one API. The free plan is limited but useful for testing. Paid plans start at $99/month.

For deeper network signals that require a client-side SDK (WebRTC leak detection, TLS fingerprinting, residential proxy detection via device correlation), see Device Fingerprinting: True IP and Network Intelligence.

Email Intelligence

Email is one of the highest-signal enrichment sources. A legitimate customer's email has history. A fraudster's email was created yesterday.

Signals

SignalWhat It Tells YouFraud Relevance
Validity/deliverabilityWhether the email exists and accepts mailInvalid email = throwaway account
Domain typeFree (Gmail), corporate, disposable (Guerrilla Mail, Mailinator)Disposable domains are very high risk
Domain ageWhen the domain was registeredBrand-new domains are suspicious
Email age/first seenHow long the email has existed in the vendor's networkEmails first seen < 7 days ago are higher risk
Social media presenceLinked profiles across platformsReal people have social footprints. Fraud accounts usually don't
Breach historyWhether the email appeared in known data breachesBreached credentials are used in ATO attacks
Name-to-email matchWhether the name on the order matches the email owner"John Smith" using sarah.jones@gmail.com is worth investigating
Gibberish detectionWhether the local part looks auto-generated (e.g., xkj38fn2@)Auto-generated emails signal bot-created accounts
Private relayApple Private Relay, Firefox Relay, or similarNot inherently risky, but limits your ability to verify email history

Vendors

VendorWhat You GetPricing
Emailage (LexisNexis)Largest email risk network. Consortium data from thousands of merchants. Email + IP risk scoringEnterprise only. Contact LexisNexis for pricing
AtData (Experian)Email validation + age + activity + demographic append (name, location from email). Acquired by Experian in Feb 2026Custom pricing. Contact vendor
IPQSEmail validation, age detection, disposable detection, fraud scoring. Bundled with IP + phoneFree plan (limited). Paid from $99/month
SEONEmail validation + social media lookups across 90+ platforms. Deepest social media coverageFree trial. Starter from $599/month

Emailage has the biggest network because LexisNexis sees email-to-identity mappings across thousands of merchants. If an email was used in a fraud transaction at another merchant, Emailage knows. The downside: enterprise pricing means it's not accessible to SMBs.

SEON stands out for social media lookups. It checks whether an email has linked accounts on 90+ platforms (LinkedIn, Facebook, Twitter, Instagram, etc.). A real person's email is usually connected to several platforms. A fraudster's throwaway email has zero social presence. Note that SEON is really a lightweight fraud platform (enrichment + device signals + fraud scoring dashboard), not just an email API. At $599+/month, compare it against full-stack fraud platforms to make sure you're buying the right tier of tool.

Ekata (Mastercard) also offers email intelligence as part of their multi-signal identity API. Already covered in Identity Verification - it's more of an identity enrichment tool than a pure email lookup.

Phone Intelligence

Phone signals are underused by most merchants. A phone number tells you a lot about the person behind a transaction - if you ask the right questions.

Signals

SignalWhat It Tells YouFraud Relevance
Line typePostpaid, prepaid, VoIP, landlinePrepaid and VoIP are higher risk (easier to obtain anonymously)
CarrierCurrent carrier nameUseful for geographic and demographic context
Carrier tenureHow long the number has been with the current carrierShort tenure + new account = higher risk
Active/disconnectedWhether the number is currently activeDisconnected numbers on active accounts are suspicious
SIM swap detectionWhether the SIM was recently swappedSIM swap within the last 48 hours is a strong ATO indicator
Port historyWhether the number was recently ported between carriersPorting can be legitimate, but recent port + high-value transaction = worth reviewing
Name-to-phone matchWhether the name on the order matches the phone ownerMismatch is a supporting fraud signal
Number deactivation alertsReal-time notification when a number on file is deactivatedProactive signal that an account may be compromised

Vendors

VendorWhat You GetPricing
TelesignDeepest phone intelligence. PhoneID for line type, carrier, SIM swap. Number deactivation alerts are unique to TelesignFrom ~$0.005-0.01/query (PhoneID). Contact for volume pricing
ProvePhone-as-identity platform. Uses carrier signals for silent authentication (no SMS OTP needed)From $1,000/month. Contact for pricing
IPQSPhone validation, line type, carrier, fraud scoring. Bundled with IP + emailFree plan (limited). Paid from $99/month

Telesign is the specialist. Their number deactivation alerts let you know when a phone number on a customer's account gets disconnected - before the fraudster who took over the number can use it. No other vendor offers this as a standalone product.

Prove is more of an identity platform than a phone enrichment API. It uses carrier data to silently verify that the person holding the phone is who they claim to be - no SMS OTP required. Pricing starts at $1,000/month, which puts it in a different tier than enrichment APIs. Already covered in Identity Verification.

What About Device Signals?

Device intelligence is a separate layer from data enrichment. Most device fingerprinting requires a client-side SDK (a JavaScript snippet or mobile SDK) to collect browser, hardware, and behavioral signals. That puts it outside the scope of pure server-side enrichment.

If you need device signals, you have two paths:

  • Lightweight device ID (e.g., Fingerprint Pro): A small JS snippet that returns a persistent visitor ID. Good for linking sessions and detecting returning visitors. See Device Fingerprinting for details.
  • Full device intelligence (e.g., Sardine, ThreatMetrix, Sift): An SDK that collects hundreds of signals - behavioral biometrics, emulator detection, remote desktop detection, TLS fingerprints. These are full-stack fraud platforms, not enrichment APIs.

SEON and IPQS include basic device hash and OS/browser data in their enrichment bundles, but these are shallow compared to what a dedicated device fingerprinting SDK collects. If device-level fraud (emulators, bots, fraud rings) is your problem, enrichment APIs won't solve it. See Device Fingerprinting for the full signal catalog and vendor comparison.

Identity Resolution

Identity resolution connects data points to answer: "Do these elements belong to the same person?" You have an email, a phone number, a name, and a shipping address. Do they all map to the same real person?

VendorWhat You GetPricing
FullContactMaps email, phone, social profiles, and physical address to a unified person record. Returns confidence scores on each matchFrom $99/month (Starter: 25K matches). Annual contracts required

FullContact doesn't tell you if someone is a fraudster. It tells you whether the identity elements on a transaction are consistent with a real person. When the email belongs to "Jane Doe" in Seattle but the phone belongs to "Mike Chen" in Houston, that's a signal worth acting on.

For deeper identity verification (document checks, biometric liveness, KYC), see Identity Verification. For correlation scoring and identity graph analysis in full-stack platforms, see the Vendor Landscape.

All-in-One Enrichment Platforms

If you want one vendor instead of three or four, two platforms bundle IP + email + phone enrichment into a single API:

IPQSSEON
IP signalsGeolocation, VPN, proxy, Tor, datacenter, ISPGeolocation, VPN, proxy, Tor, datacenter, ISP
Email signalsValidation, age, disposable, fraud scoreValidation, age, disposable, social media (90+ platforms)
Phone signalsValidation, line type, carrier, fraud scoreValidation, line type, carrier
Also includesBasic device fingerprint, bot detectionBasic device hash, OS/browser, fraud scoring dashboard
Free tierFree plan (limited daily lookups)Free trial only
Paid pricingFrom $99/month (5K lookups)From $599/month (2,500 fraud checks)
Best forBudget-conscious merchants who want broad coverage cheapMerchants who value social media signals for email risk

Both include basic device data, but neither replaces a dedicated device fingerprinting solution. If you need emulator detection, behavioral biometrics, or consortium device reputation, you need a separate tool or a full-stack platform.

IPQS is significantly cheaper and has a free plan for testing. SEON has deeper social media lookups - checking 90+ platforms for linked accounts is something no other vendor does at that depth. But at $599+/month, SEON is in the same price range as some full-stack fraud platforms, so make sure you're comparing the right tier of tool.

When to Skip Enrichment and Buy a Full-Stack Platform Instead

IPQS and SEON give you signals. You still need to write rules, manage thresholds, and build your own decisioning logic. If that sounds like more work than you want, a full-stack fraud platform (Sift, Sardine, Signifyd, Forter, Kount) bundles enrichment signals with ML models, a rules engine, case management, and often a review dashboard - all in one integration.

The tradeoff is cost and effort. A full-stack platform at $1M+ volume might cost $500-2,000+/month. IPQS at the same volume might cost $99-500/month. The question is whether you have the time and expertise to build rules from raw signals, or whether you'd rather pay more for a platform that makes decisions for you.

If you...Go with...
Want to learn fraud ops and build your own rulesEnrichment APIs (this page) + building fraud rules
Want someone else to make decisions (with guarantee)Signifyd, Riskified, or Forter
Want ML + rules engine + enrichment in one platformSift, Sardine, or Kount
Have a full-stack platform but want to supplement specific gapsIndividual enrichment vendors (MaxMind for IP, Telesign for phone, etc.)
SMB Recommendation

For most merchants under $2M who want to stay hands-on, start with IPQS. The free plan lets you test signals, and paid plans start at $99/month. If you'd rather not manage fraud rules yourself, skip enrichment and evaluate a guarantee provider or a full-stack platform instead.

Building Rules with Enrichment Data

Enrichment data is only useful if you turn it into rules. Here are practical rules you can build from enrichment signals, following the same pattern as Building Fraud Rules: Day-One Rule Set.

Example Rules

RulePseudocodeActionWhat It Catches
Datacenter IPIF ip_type = "datacenter"ReviewBots, scrapers, fraud from hosted infrastructure
VPN + country mismatchIF vpn_detected = true AND ip_country != card_countryReviewCross-border fraud hiding behind VPNs
Disposable emailIF email_domain_disposable = trueDeclineThrowaway accounts created for one-time fraud
New email + high valueIF email_age_days < 7 AND order_total > $200ReviewFresh accounts targeting high-value goods
Prepaid phone + new accountIF phone_line_type = "prepaid" AND account_age < 7_daysReviewAccounts created with burner phones
No social presenceIF email_social_profiles = 0 AND order_total > $100ReviewSynthetic or throwaway identities on medium+ orders
Identity mismatchIF name_to_phone_match = "none" AND name_to_email_match = "none"DeclineStolen identity - none of the contact info matches the name
Tor exit nodeIF tor_exit_node = trueDeclineAnonymous browsing on e-commerce is almost always fraud

Layering Enrichment with Existing Rules

Your day-one rules use transaction data: amount, velocity, country. Enrichment makes those rules smarter:

Existing Rule+ Enrichment SignalImproved Rule
Country mismatch (card != IP)+ vpn_detected = falseIf no VPN, the mismatch is a real geographic discrepancy
New account + high value+ email_age_days < 7New account AND new email = much higher risk than new account with established email
Hourly velocity > 3+ ip_type = "datacenter"Velocity from a datacenter IP = almost certainly automated
Amount ceiling ($300+)+ phone_line_type = "voip"High-value order from a VoIP number deserves extra scrutiny

Risk Score Adjustments

If your system uses point-based scoring (see Risk Scoring), enrichment signals feed directly into score adjustments:

Base score: 0

# IP signals
IF ip_type = "datacenter"         THEN +25
IF vpn_detected = true            THEN +15
IF tor_exit_node = true           THEN +40
IF ip_country != card_country     THEN +20

# Email signals
IF email_domain_disposable = true THEN +35
IF email_age_days < 7             THEN +20
IF email_social_profiles = 0      THEN +15

# Phone signals
IF phone_line_type = "prepaid"    THEN +10
IF phone_line_type = "voip"       THEN +15
IF sim_swap_last_48hrs = true     THEN +30

# Thresholds
IF total_score >= 70              THEN decline
IF total_score >= 40              THEN review
IF total_score < 40               THEN approve
Shadow Mode First

Deploy all enrichment-based rules in shadow mode for at least 2 weeks before enforcing. Enrichment signals have false positive patterns you won't anticipate - VPN usage varies by country, some legitimate businesses use datacenter IPs, and prepaid phones are common in certain demographics. See Shadow Mode: Test Before You Block for the full testing methodology.

What to Buy by Merchant Size

Annual VolumeEnrichment RecommendationOr Consider Instead
Under $100KNothing. Processor tools are enough-
$100K-$500KMaxMind GeoLite2 (free IP geolocation database)-
$500K-$2MMaxMind GeoIP2 + IPQS free plan for testingStill manageable with enrichment + manual rules
$2M-$10MIPQS paid plan (~$99-500/month)A full-stack platform ($500-2,000+/month) that includes these signals + ML + decisioning
Over $10MLayer specialists: MaxMind + Telesign + EmailageAlmost certainly better served by a full-stack platform or guarantee provider at this volume

At $2M+, the real question isn't "which enrichment vendor?" It's "enrichment + DIY rules, or a platform that does it all?" If you have a fraud analyst who can write and tune rules, enrichment APIs give you more control at lower cost. If you don't, a full-stack platform or guarantee provider is a better use of your money.

Already on Sift, Sardine, Kount, Signifyd, or Forter? Don't double-buy. These platforms consume IP, email, phone, and device signals internally - often from MaxMind, Emailage, and carrier data feeds. Adding standalone enrichment on top is redundant. Ask your vendor what signals they already ingest before buying anything on this page.

Experiment to Run

Pull your last 30 chargebacks. For each one, look up the IP (MaxMind GeoLite2 is free) and the email/phone (IPQS free plan). How many would have shown obvious risk signals? If more than half show datacenter IPs, disposable emails, or VoIP numbers, enrichment will pay for itself. If the signals look clean, your fraud problem is more sophisticated and enrichment alone won't solve it.

Privacy and Compliance

Data Handling

Enrichment APIs process personal data (IP addresses, email addresses, phone numbers). Ensure your implementation complies with applicable privacy laws:

  • GDPR: Enrichment is typically justified under "legitimate interest" for fraud prevention, but you need a documented DPIA and must disclose the processing in your privacy policy
  • CCPA/CPRA: Fraud prevention is an exempted purpose, but you must still disclose the data sharing in your privacy notice
  • Data retention: Don't store enrichment results longer than necessary. 90 days is a reasonable default for fraud investigation
  • Vendor DPAs: Sign Data Processing Agreements with every enrichment vendor. They're processing your customers' personal data on your behalf

Next Steps

Just getting started?

  1. Sign up for MaxMind GeoLite2 (free) and check IPs on your last 10 chargebacks
  2. Create an IPQS free account and test email/phone lookups on a few transactions
  3. Build rules using the enrichment signals that show the most signal

Ready to buy?

  1. Pick a tier from the size recommendation table
  2. Run your chosen vendor in shadow mode for 2 weeks
  3. Compare enrichment-flagged transactions against actual chargebacks

Already have enrichment?

  1. Review your rule performance monthly
  2. Layer enrichment with device fingerprinting for deeper signals
  3. Consider identity verification for high-risk transactions
Last updated on