.. index::
    single: Operator Procedures

.. _operator-procedures:

Operator Procedures
===================

Since each digital platform has its own special needs, the approaches to
the :ref:`console <console>` utilization for the information analysis
may vary.

The main goal of this chapter is to provide an overview of several common
(elementary and more advanced) techniques and give advice on how to use
them for building a daily :term:`operator`’s routine from scratch. With
time, the described methods can be adapted more precisely to the
observable needs of a platform.

From this perspective, we discern two major groups of techniques an
:term:`operator` can employ while putting gathered intelligence under
scrutiny. That is:

#. :ref:`User score review <user-score-review>`
#. :ref:`Supplemental investigation <supplemental-investigation>`

   * :ref:`Rules review <rules-review>`
   * :ref:`IP address signals <ip-address-signals>`

All the techniques in these groups mostly differ in the initially
observed signals. At the subsequent stages of the inspection, they tend
to intertwine, such that an attentive tracing of any signal may lead to
uncovering illicit pathways across different entities.

However, we generally recommend starting an :term:`operator`’s daily
routine with the first group of techniques and using the second group
(more specifically, :ref:`rules review <rules-review>`) for further
investigation of particular use cases.

.. index::
    single: User Score Review

.. _user-score-review:

User Score Review
-----------------

On a day-to-day basis, we suggest beginning an :term:`operator`’s
session by proceeding to the :ref:`Review queue <review-queue>` page of
a :term:`console`. This page displays :term:`users<user>` with the
lowest :term:`trust scores<trust score>`. Here, inspecting data in each
row of the queue table, an :term:`operator` has a choice of either:

- Setting :term:`user<user>` status right in the table’s row.

- First opening a page with more detailed :term:`user` information by
  clicking on a :term:`user` email.

In the latter case, on a :term:`user` page, note the matched
:term:`rules<rule>`, :term:`warning signals<warning signal>`, and the
overall activity of a :term:`user`. The more abnormalities an
:term:`operator` discovers, the higher the chance this is a fraudulent
account. The status can be set on this page (see the upper-right corner)
without getting back to the queue.

To set the status of a :term:`user<user>`, click the ``Not reviewed``
button and then choose an applicable action: ``Whitelist`` or
``Blacklist``. Both actions remove a :term:`user` from the :ref:`review
queue <review-queue>`. Additionally, clicking the ``Blacklist`` button
triggers the move of all tracked :term:`user`
:term:`identities<identity>` onto a :ref:`blacklist <blacklist>`.

A similar sequence of actions can be performed starting from the
:ref:`Users <users>` page. This page gives access to all the
:term:`users<user>`, not just the ones with low :term:`trust
scores<trust score>`, which can sometimes be a preferred approach for
getting a bigger picture of the user base.

.. index::
    single: Supplemental Investigation

.. _supplemental-investigation:

Supplemental Investigation
--------------------------

A supplemental investigation implies an analysis of the additional
:term:`warning signals<warning signal>`. And since any characteristic
that looks even vaguely unusual can be interpreted as a :term:`warning
signal`, in this section we specify the things to focus on in the first
place.

Predominantly, an :term:`operator` may undertake this part of the
analysis by concentrating on such straightforward signals such as:

- Risky email addresses.
- :ref:`Blacklisted <blacklist>` entities.
- TOR network usage.
- VPN detection.
- Shared entities.

We look at each in greater detail in the ensuing subsections.

.. index::
    single: Rules Review

.. _rules-review:

Rules Review
^^^^^^^^^^^^^

We advise beginning a supplemental investigation with the
:term:`rules<rule>` review.

The foundational instructions on the :term:`rules engine` utilization
are laid out in the :ref:`Rules <rules>` section. In the context of the
supplemental investigation, use the second of the described methods.
Namely,

#. Trigger :term:`rules<rule>` manually to get a list of matching
   :term:`users<user>`.

#. Proceed with scrutinizing the :term:`user`’s
   :term:`identities<identity>` and activity.

Alternatively, open the :ref:`Users <users>` page. On the page, note the
:term:`rules<rule>` filter at the top part of the *Users* table. This
filter enables the selection of :term:`users<user>` with matching
:term:`rules<rule>`, thus easing access to the records that require an
:term:`operator`’s attention.

Below, see efficient :term:`rules<rule>` that proved to be useful in
common practice.

.. index::
    single: Email Address Rules

.. _email-address-rules:

Email Address Rules
""""""""""""""""""""

E13 New email domain
   It is unconventional for ordinary :term:`users<user>` to have a
   recently registered email’s domain name.

R02 Email is on a blacklist
    Being put on a :ref:`blacklist <blacklist>` is a high-alert signal.

E01 Invalid email format
    An email address has an invalid format. An expected format is
    *username@example.com*.

E02 New domain, no profiles, no breaches
    A higher risk is signalled due to a lack of an email address authenticity.
    The lack of authenticity is identified by three factors:

      - An email address belongs to a recently created domain.
      - Online profiles associated with an email were not found.
      - The address does not appear in data breaches. (Unfortunately, it
        is quite typical for authentic email addresses to be
        compromised.)


E11 Disposable email
    Malicious accounts are often created through the use of throwaway
    mailboxes.

E14 No MX record
    An email’s domain name has no MX record, which means this domain
    cannot have any mailboxes. It is a sign of a fake mailbox.

E17 Free email and spam
    An email address is on a spam list and is registered by a provider
    that offers free accounts. This signals a higher risk of spamming.

E19 Multiple emails changed
    Changing email addresses associated with an account is a marker of a
    suspicious behaviour.

.. index::
    single: IP Address Rules

.. _ip-address-rules:

IP Address Rules
"""""""""""""""""

IP address analysis provides many opportunities for fraud detection.
Commonly, we suggest running the following :term:`rules<rule>`:

R01 IP is on a blacklist
    An IP address on a :ref:`blacklist <blacklist>` is a high-alert signal.

I01 IP belongs to TOR
    An IP address is assigned to The Onion Router network (TOR). TOR is
    used by a limited number of people for anonymisation purposes.

I03 IP appears on a spam list
    An IP address is found on a spam list. This signals a possible
    adversarial activity (such as sending spam).

I04 Shared IP
    Detection of several :term:`users<user>` with the same IP address
    indicates a high risk of multi-accounting.

.. index::
    single: VPN Usage Rules

.. _vpn-usage-rules:

VPN Usage Rules
""""""""""""""""

A Virtual Private Network (VPN) usage marks an attempt to hide a real
identity, including for fraudulent purposes. To detect VPN usage,
trigger the following :term:`rules<rule>`:

I05 IP belongs to a commercial VPN
    A :term:`user` prefers to conceal their location or bypass regional
    blocking.

I06 IP belongs to a datacenter
    This may indicate VPN usage for anonymisation, but it can also be a
    marker of a bot (a script that performs pre-programmed actions with
    varying goals).

.. index::
    single: IP Address Signals

.. _ip-address-signals:

IP Address Signals
^^^^^^^^^^^^^^^^^^^

:ref:`Rules review<rules-review>` is not the only type of supplemental
investigation. In this subsection, we describe one more way to begin the
examination.

Open the :ref:`Dashboard <dashboard>` page. Here, have a look at the
bottom row of the widgets. Observe the following indications:

Shared IP addresses
    Several :term:`users<user>` with the same IP address can be a sign
    of a cyber-threat.

IP belongs to TOR
    TOR is a tool that enables :term:`users<user>` to establish
    anonymous communication with digital platforms. Since the TOR
    network makes it more difficult to trace a :term:`user`’s activity,
    it might be used to cover felonious actions.

Multiple IP addresses
    It is typical for cybercriminals to hide their actual location and
    identity behind different IP addresses. The higher the number of IP
    addresses used, the more attention should be given to the
    examination of the corresponding :term:`user` behaviour.

.. index::
    single: Procedures Outline

.. _procedures-outline:

Procedures Outline
------------------

Consider the below action plan as the foundation of an
:term:`operator`’s routine.

1. :ref:`User score review <user-score-review>`

   A. Open the *Review queue* page.

      .. _procedures-outline-1-A:

      * Either assign a fitting status to each :term:`user` in the queue
        table.
      * Or open a user page by clicking on an email address.

         - Examine information presented on the page.
         - Set :term:`user` status in the upper-right corner.

   B. Alternatively, open the *Users* page.

      - Apply the steps in :ref:`1.A. <procedures-outline-1-A>` to the
        rows marked as ``Not reviewed``.


2. :ref:`Supplemental investigation <supplemental-investigation>`

   A. Open the *Rules* page.

      * Click ``Action`` button to get a list of :term:`users<user>`
        matching the :term:`rule`.
      * Open each matched user page for inspection.

         - Examine information presented on the page.
         - Set :term:`user` status in the upper-right corner.

   B. Open the *Dashboard* page.

      * Set a time period in the upper-right corner of the page.
      * Scrutinize entities in the top rows of the following widgets:

         - Shared IP addresses
         - IP belongs to TOR
         - Multiple IP addresses