Understanding Scores
Understanding Scores
Every Trustfull product returns a score and a score_cluster that summarize the risk level of the input being analyzed. This guide explains how scores are calculated, what each cluster means, and how to use them to make decisions.
The Scoring Scale
Trustfull scores range from 0 to 1000:
- 0 represents the highest risk (most likely fraudulent or suspicious)
- 1000 represents the lowest risk (most likely legitimate and trustworthy)
The score is computed by a proprietary scoring engine that evaluates hundreds of signals and applies weighted rules and gates. For details on how the engine works, see Score Normalization.
Score Clusters
While the numeric score provides granularity for automated decision-making, the score_cluster provides a human-readable risk band that simplifies review workflows and reporting.
| Cluster | Score Range | Interpretation |
|---|---|---|
very_low | 0 - 199 | Very high risk. Strong fraud indicators detected. Multiple red flags present. |
low | 200 - 399 | High risk. Significant suspicious signals. Likely requires blocking or enhanced verification. |
review | 400 - 599 | Medium risk. Mixed signals detected. Manual review or additional verification recommended. |
high | 600 - 799 | Low risk. Mostly positive signals. Minor concerns may be present but generally trustworthy. |
very_high | 800 - 1000 | Very low risk. Strong trust indicators. Consistent, legitimate digital footprint. |
Note: Score ranges are approximate and may vary slightly depending on the product and model configuration. The cluster assignment is determined by the scoring engine and takes into account normalization and gating logic. Always rely on the
score_clusterfield for cluster-level decisions rather than applying fixed numeric thresholds.
How Scores Are Built
Each score is the result of a transparent, rule-based evaluation process:
-
Data Collection — Trustfull's fraud agents collect signals from carriers, social networks, messaging apps, OSINT databases, WHOIS records, and other sources.
-
Rule Evaluation — Each signal is evaluated against a set of weighted rules. For example:
- A disposable phone number triggers a risk rule (high weight)
- An active WhatsApp profile with a real photo triggers a trust rule (medium weight)
- A recently ported number triggers a risk rule (low weight)
-
Gates — Gates act as upper bounds, ensuring that critical risk signals cap the score regardless of positive signals. For example, a disposable phone number will never score above a certain threshold, no matter how many trust signals are present.
-
Normalization — After gating, scores are normalized to preserve relative ordering within each cluster. Two users in the same cluster remain distinguishable for prioritization purposes. See Score Normalization for details.
-
Reason Codes — The rules that contributed to the final score are returned as reason codes, making every score fully explainable.
Scores Across Products
Each Trustfull product returns its own score:
| Product | Score Field | Cluster Field |
|---|---|---|
| Phone | phone_score | phone_score_cluster |
email_score | email_score_cluster | |
| IP | ip_score | ip_score_cluster |
| Domain | domain_score | domain_score_cluster |
| Onboarding | All of the above, plus cross-signal checks | All of the above |
| Session | score | score_cluster |
| Login | score | score_cluster |
When using the Onboarding product, you receive individual scores for each signal (phone, email, IP) as well as cross-signal consistency checks. There is no single "onboarding score" — instead, you get granular visibility into each component, which gives you flexibility in how you combine them for your decisioning logic.
Using Scores in Your Workflow
Automated Decisioning
For fully automated flows, use score clusters to drive accept/review/reject decisions:
| Cluster | Recommended Action | Example Implementation |
|---|---|---|
very_high | Accept — Proceed with no friction | Allow registration, approve transaction |
high | Accept — Proceed, optionally flag for monitoring | Allow with standard monitoring |
review | Review — Apply additional friction or manual review | Request OTP verification, queue for analyst review |
low | Reject or Escalate — High likelihood of fraud | Block registration, trigger enhanced due diligence |
very_low | Reject — Very high likelihood of fraud | Block immediately, add to internal watchlist |
These are general guidelines. The right thresholds for your business depend on your risk appetite, user base, and regulatory requirements. We recommend starting with the table above and adjusting based on your observed fraud and false-positive rates.
Manual Review Prioritization
Within the review cluster, use the numeric score to prioritize which cases analysts should look at first. A score of 410 represents higher risk than a score of 580, even though both are in the same cluster. This is possible thanks to score normalization, which preserves internal ordering.
Combining Multiple Scores
When using the Onboarding product, you receive scores for phone, email, and IP separately. Common strategies include:
- Minimum score: Use the lowest individual score as the overall risk indicator. This is the most conservative approach.
- Weighted average: Apply business-specific weights to each score (e.g. phone: 40%, email: 35%, IP: 25%).
- Worst cluster: Trigger review if any individual cluster is
loworvery_low, regardless of other scores. - Reason code analysis: Instead of relying on scores alone, check for specific high-weight reason codes that are critical for your use case.
Reason Codes: The "Why" Behind the Score
Every score comes with reason codes that explain which rules contributed to it. Reason codes are the most powerful tool for building custom decisioning logic.
- Risk signals (prefix
R) indicate red flags — e.g.RP001(Phone Disposable),RE005(Email Invalid) - Trust signals (prefix
T) indicate positive indicators — e.g.TP004(Phone Regular Velocity),TE005(Email With Web Reviews) - Each reason code has a weight (1 = low, 2 = medium, 3 = high) indicating its severity or importance
For example, a phone number with score 350 and cluster low might include these reason codes:
| Code | Signal | Weight | Meaning |
|---|---|---|---|
| RP001 | Phone Disposable | 3 | The phone number is a temporary/disposable number |
| RP008 | Phone Without Messaging App | 2 | No WhatsApp, Telegram, or other messaging apps found |
| RP009 | Phone Low Velocity | 2 | Few or no external account connections |
Conversely, a phone number with score 850 and cluster very_high might include:
| Code | Signal | Weight | Meaning |
|---|---|---|---|
| TP001 | Phone Image With Person | 1 | Profile pictures contain a real person |
| TP002 | Phone Internal Consistency | 1 | Names are consistent across services |
| TP004 | Phone Regular Velocity | 1 | Active account connections and messaging apps |
| TP003 | Phone Number Is Ported | 1 | The number has been ported, indicating long-term usage |
For the complete list, see Reason Codes.
What's Next
- Your First API Call — Get started with a working API request
- Integration Guide — End-to-end integration walkthrough
- Score Normalization — Deep dive into how normalization preserves intra-cluster ordering
- Reason Codes — Full catalogue of all risk and trust signals
Updated 3 months ago