Case study: Shared intelligence for preventing visual risk

How Truepic’s Risk Network identified and prevented 2,000 claims and $1 million in fraud for one company

The move to mobile onboarding, processing, and verification has unlocked efficiency and increased the velocity of activity in enterprise channels. This dynamic creates business opportunities but also introduces visual risk and significant fraud.

Teams investigating risk and fraud often notice similar patterns. Individual cases appear isolated until they later discover the same device or data points appearing in incidents at different times or locations. A single device can move from a loan application to an insurance claim to an identity check in minutes, leaving each institution to interpret each event as separate. With sophisticated fraud actors, the “tells” or clues of fraud may be unnoticeable or incredibly difficult to detect in a vacuum. The rise of widely accessible AI tools makes it harder to identify fraud. AI is enabling fraud networks to operate faster, impersonating businesses, people, and transactions at a rate traditional defenses cannot handle.

The Truepic Risk Network was created to address this growing gap. Housed within Truepic Vision, the Risk Network delivers insights derived from over 40 million signal and informational data points. These data points include fraudulent devices, visual deception behaviors such as rebroadcast attacks, geolocation spoofing, and the addresses, emails, or other information associated with the bad actors. These signals begin to help reveal patterns and fraudulent actors across a wide range of unrelated businesses, enterprises, and events. By sharing this intelligence in a privacy-preserving way, the network bolsters defenses and helps prevent fraud before it starts.

‍

Catching over $1 million in fraud 

This thinking underpinned the creation of the Risk Network. Truepic found that advanced fraud rings operating out of Eastern Europe were using deceptive devices and media to fabricate U.S. businesses and defraud financial services companies nationwide. Truepic’s analysis revealed repeated patterns, reused devices, and coordinated spoofing tactics that appeared again and again, rapidly deployed not just against a single client but across related organizations throughout the financial services industry. This prompted Truepic to develop a method to anonymize and share relevant data to mitigate fraudulent activity. Since its launch, the Risk Network has been assisting clients in identifying the very same vulnerabilities that spurred its creation. 

Most recently, Truepic uncovered a highly coordinated and expansive retail fraud ring targeting a major manufacturer. The ring spanned multiple cities and states, and thousands of attempted fraud submissions. Over several months, the Truepic Risk Network identified specific devices across the United States that were hacked and modified for deception, engaged in geospoofing, or exhibited repeated fraudulent activity occurring in rapid succession. One particular device was engaged in over 400 retail and return fraud scams. This device leveraged pictures of screens, geolocation spoofing, and rotating identification information necessary for the retail transaction, such as addresses, emails, or phone numbers. This means that one phone, operated by a single person or a ring of people, repeatedly submitted fraudulent requests to an enterprise using sophisticated tactics to mask its deception. 

To the retailer, each individual submission would have appeared net-new and thus likely passed initial checks without Truepic’s technology. For example, the fraud may appear as such: 

• On November 1, John Smith, with a unique email, phone, and address submits a form for return or exchange associated with the manufacturer, and visual (photographs or videos) evidence of the defective or exchanged product. In this case, an actual image was taken with no photo fraud associated. 
• On November 2, Jane Doe, with another unique email and address submits a form for return or exchange associated with the manufacturer and visual (photographs or videos) evidence of the defective or exchanged product. The image is also authentic, but was captured only meters from the photo on November 1, from the same vantage point and with the same device.

In this specific case, a bad actor used this technique over 400 times with the same device and behavior patterns. Other devices also operated the same way, resulting in more than 2,000 fraudulent claims through at least eight fraud rings across the United States. We estimate the total of avoided fraud to be more than $1 million.

‍

How the Risk Network identified fraud rings 

The Truepic Risk Network surfaced these rings and patterns by cross-checking more than 40 million data points across the entire Truepic ecosystem, revealing anomalies and recurring behaviors. In this case, it detected the repeated use of the same devices even though the fraud ring continually changed the associated names, email addresses, and phone numbers. It also recognized that the fraudulent submissions clustered in narrow geographic areas, despite repeated attempts by the rings to shift locations and spoof their coordinates. When visualized, the network identified sets of devices that were interrelated by geographic location, repeated fraudulent behavior, and use across multiple, at times hundreds, of inspections.

Other patterns began to surface as the rings revealed their operating behaviors. Tactics such as using fake serial numbers to mask the reuse of the same object, image capture from the same exact vantage point across hundreds of claims, and rapid-fire submissions only meters apart in geolocation but with the same general patterns. 

This type of intelligence helped save one client from significant fraud while also empowering and better protecting other enterprises. It transforms isolated incidents into actionable insights, allowing organizations to anticipate emerging threats rather than react to them. It also strengthens industry-wide defenses by exposing the shared techniques and vulnerabilities on which these fraud rings rely.

‍

Types of fraud signals

Truepic Vision performs over 50 fraud detection tests on every device and the content it captures, then immediately transmits the results to the Risk Network. These tests help explain how a device behaves while using the Vision platform and whether its use is authentic and transparent, or meant to deceive the content consumer making decisions about that media. These tests assess the level of visual risk associated with the device, the image, and the accompanying metadata. 

A core part of this evaluation is confirming that the device’s operating system is secure, it is generating truthful sensor data, and the metadata is cryptographically sealed to preserve its integrity. The tests examine indicators such as signs of rooting or tampering, irregular sensor behavior, inconsistencies in location data, or images that appear to be captured from a screen rather than from the physical world. With a verified creation system and authentic metadata, additional tests are run to ensure visual deception is not taking place through rebroadcast attacks or the reuse of past images. Ensuring that images are net-new and not captured from screens or reused objects provides additional fraud-prevention signals for the Risk Network to analyze.

The Risk Network uses the results of these tests to begin pattern matching, tying millions of data points across the entire Truepic ecosystem to identify recurring trends. The network also layers in the repeated use of devices for fraud over time and across clients. The result is a detailed, interconnected view of digital activity that highlights emerging risks and coordinated behavior. All information remains anonymized and privacy is preserved. No client’s data or PII will be passed or shared across the network. Rather, the network delivers clear fraud warnings back to participating clients so they can better protect their operations in real time. Clients will not know who, why, or what, but will know that a device was associated with past suspicious activity. 

Truepic’s technology flags fraudulent devices and continuously monitors its ecosystem to proactively alert clients when a flagged device enters their workflow.

By the numbers 

In its first two months of operation, the Risk Network has been available to all clients interested in this analysis and it runs continuously. It ingests the raw data signals described above and uses them to continuously monitor the Truepic ecosystem for signs of fraud or emerging risk. When the system detects suspicious activity or devices, it flags them through the Vision dashboard. These flags can then alert other clients across the Truepic network when the same suspicious devices enter their business operations.

A sample of 350,000 devices using Truepic’s technology in 2025 showed that nearly 16% (57,400 devices) were involved in more than one inspection on the Vision platform. This indicates that a substantial portion of devices were used repeatedly to capture and submit images to the enterprises served, particularly financial services, insurance, and banking firms. This repeated use is not inherently problematic. Many of Truepic’s construction and field-services clients, for example, routinely use the same devices to document multiple projects for confirmations, audits, or fund releases. In these cases, repeat submissions are expected and reflect normal business activity.

The data also showed that of those 57,400 devices, 18% (10,347) were used to submit documentation to more than one Truepic client. This, too, is not by itself a sign of fraud, but it reveals an important insight: users and their devices often move across industries, especially within financial services. If a device has submitted more than one piece of visual documentation to an enterprise, there is a meaningful likelihood, nearly 20% in this sample, that it is also doing the same for another institution. This insight becomes especially powerful when fraud-related signals can be shared across an industry.

‍

Image and data authenticity: A collective defense 

Truepic has long believed that image and data authenticity is essential to enterprise security and beyond. Businesses cannot digitally transform without trust and authenticity in the content that informs their decisions. By developing a shared and authentic ecosystem capable of identifying visual risk, it introduces an added and critical feature of shared intelligence. 

This networked approach turns individual insights into collective defense, exposing coordinated fraud that would otherwise be invisible. As AI-driven fraud accelerates in speed and sophistication, image and data authenticity and shared intelligence become not just an advantage, but a necessity. This case study illustrates how these concepts will power enterprise security and best practices in the AI age.