The model draws on signals from several sources rather than relying on a single anomaly. These include documents, geolocation, IP address, device data, facial biometrics and verification information checked across multiple users to identify suspected fraudulent network activity.