Fraud investigation using Nametag data
When the Nametag automated system flags a verification attempt as potentially fraudulent, a trained Nametag reviewer evaluates it and determines one of three outcomes:
- Not fraudulent – the automated system was being cautious. The reviewer completes processing and notifies the end user (and the help desk agent, if applicable) that verification is complete.
- Insufficient data – the attempt isn’t fraudulent, but the data isn’t sufficient to validate identity. Nametag asks the end user to try again, and the request stays in “Pending” state. Optionally, email notifications can be sent to the request initiator and your Nametag Owners/Admins.
- Confirmed fraud – the end user is not notified, but the agent is informed the request was rejected for fraud. Optionally, email notifications can be sent to the request initiator and your Nametag Owners/Admins.
After you become aware of an attempt at fraud, Nametag recommends the following investigative steps. Some of these steps may not be applicable depending on your use of Nametag.
Agent communication
If possible, coordinate with the agent who initiated the request to contact the end user and collect information about the end user's goal and the results they expected.
Gathering Information from the Nametag console
With the “User” privilege level or above, view the detailed information in the Nametag console, noting the information about the device, collected information, and, if collected, the location information.
If you use labels in Nametag Copilot to reference service desk ticket IDs, search for other requests with the same label and collect data from them as well. This will help you develop a complete picture of the events around the attempted fraud.
Collecting information sent to your SIEM system from Nametag
Nametag offers a configuration to send detailed logs via webhooks to a data collection system, typically a SIEM or other log collection and analysis platform. These logs contain detailed information that you can correlate with logs from authentication systems (Okta, Entra ID, etc.), website access logs, and firewall logs. The logs from Nametag should integrate into your existing security processes.
The documentation for this is available to all customers with an NDA in place. Contact help@nametag.co for more information.
Using data from your SIEM (including the data from Nametag), there are a few steps you should take to add to the picture of the events around the attempted fraud:
- Look for the IP addresses from Nametag (both the device IP address and the browser IP address) in data from other logs.
- Look for the user agent from Nametag in data from other logs; sometimes user agents can be unique.
- Look for the device ID and device fingerprint from Nametag in other Nametag logs in your SIEM; if you find them, collect the IP address and user agent from that device, then go back to the first step and repeat the investigation.
After you have as complete a picture as you can develop, you can now start taking defensive steps or further investigative steps.
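The three lookup steps above can be run as one repeatable pivot. The following Python sketch is an added example, not Nametag's code; every field name and sample record is a constructed assumption, because the webhook log schema is not shown on this page.

```python
# Constructed sample data. Field names are hypothetical, not Nametag's webhook schema.
NAMETAG_EVENTS = [
    {"request": "req-1", "device_id": "dev-A", "device_fingerprint": "fp-1",
     "device_ip": "203.0.113.10", "browser_ip": "203.0.113.11", "user_agent": "UA-odd/1.0"},
    {"request": "req-2", "device_id": "dev-B", "device_fingerprint": "fp-1",
     "device_ip": "198.51.100.7", "browser_ip": "198.51.100.7", "user_agent": "UA-odd/1.0"},
    {"request": "req-3", "device_id": "dev-Z", "device_fingerprint": "fp-9",
     "device_ip": "192.0.2.50", "browser_ip": "192.0.2.50", "user_agent": "Mozilla/5.0 common"},
]
OTHER_LOGS = [  # constructed IdP, web and firewall records
    {"source": "idp", "src_ip": "198.51.100.7", "user_agent": "Mozilla/5.0 common", "event": "login failed"},
    {"source": "web", "src_ip": "192.0.2.99", "user_agent": "UA-odd/1.0", "event": "GET /reset"},
    {"source": "fw", "src_ip": "192.0.2.50", "user_agent": None, "event": "allow tcp/443"},
]
DEVICE_KEYS = ("device_id", "device_fingerprint")


def investigate(flagged_request, nametag_events, other_logs, ignore_uas=frozenset()):
    """Pivot from one flagged request to related requests and matching log records."""
    start = next(e for e in nametag_events if e["request"] == flagged_request)
    related = {start["request"]}
    devices = {(k, start[k]) for k in DEVICE_KEYS}
    grew = True
    while grew:  # repeat until no new device ID or fingerprint turns up
        grew = False
        for ev in nametag_events:
            if ev["request"] not in related and any(ev[k] == v for k, v in devices):
                related.add(ev["request"])
                devices |= {(k, ev[k]) for k in DEVICE_KEYS}
                grew = True
    linked = [e for e in nametag_events if e["request"] in related]
    ips = {e[k] for e in linked for k in ("device_ip", "browser_ip")}
    # Only rare user agents are useful pivots; the caller lists common ones to skip.
    uas = {e["user_agent"] for e in linked} - set(ignore_uas)
    hits = [r for r in other_logs if r["src_ip"] in ips or r["user_agent"] in uas]
    return {"requests": sorted(related), "ips": sorted(ips), "hits": hits}


if __name__ == "__main__":
    result = investigate("req-1", NAMETAG_EVENTS, OTHER_LOGS, ignore_uas={"Mozilla/5.0 common"})
    print(result["requests"], result["ips"])
    for hit in result["hits"]:
        print(hit["source"], hit["src_ip"], hit["event"])
```

In a SIEM the same logic becomes a saved search over the Nametag index joined to your authentication, web and firewall indexes; the `ignore_uas` list keeps a common browser string from pulling in unrelated traffic.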
Contacting Nametag
In the event you need more information than is provided to you by Nametag, you can contact us at security@nametag.co and we are happy to partner with you in your investigation using system logs from Nametag. We expunge logs older than 60 days.