Rewarded Fraud Reports help you detect and investigate fraudulent activity among your rewarded users. The suite includes four specialised reports, each targeting a different fraud pattern.
Go to Rewarded Users → Fraud Detection.
Getting started
All four reports share a common set of settings.
Required:
Setting | What it does |
Date Range | Select the time period you want to analyse |
User Identifier | Choose how users are identified: Rewarded User ID (user identifier, shows nickname when available) or Publisher Click ID (the click ID provided by the publisher) |
Rules | Violated rules: Action to action time, Banned User, Enforce Event Setting. More about rules here. |
Optional filters:
Filter | What it does |
Offers | Narrow results to specific offers |
Publishers | Narrow results to specific publishers |
ℹ️ All reports can be sorted by any column and exported to CSV. Exports support up to 1,000,000 rows and use the same filters and sort order you've configured.
1. Rule Violation Report
Surfaces users whose conversions triggered one or more fraud evaluation rules.
Column | What it means |
User ID | User ID |
User Name | User Nickname |
Offer / Advertiser / Publisher | Where the activity occurred |
Failed Rules | Which fraud rules were triggered (e.g. Action-to-Action Time, Banned User, Enforce Event Settings). More about the rules here. |
Revenue / Cost | Financial impact (WeGet / TheyGet) |
Total | Total conversions from this user |
Failed | How many conversions triggered a fraud rule |
Failed (Non-Banned) | Failed conversions excluding those flagged only because the user is banned - gives a cleaner view of active rule violations |
Violation Rate | Percentage of conversions that triggered a non-ban rule violation |
How to use it: Sort by Violation Rate to find users with the highest proportion of fraudulent conversions, or sort by Revenue to prioritise the most costly fraud. Use the Failed Rules column to understand which rules are being triggered most often.
ℹ️ Default rules checked: Action-to-Action Time, Banned User, and Enforce Event Settings. You can customise which rules to include using the Rules filter.
2. Multi-Accounting Detection Report
Identifies groups of users operating from the same device or IP address - a common indicator of one person running multiple fake accounts.
Select a grouping method:
Device - groups users sharing the same device make, model, OS version, and language
IP Address - groups users sharing the same IP address
Column | What it means |
Fingerprint | The shared device signature or IP address |
User IDs | The users sharing this fingerprint (up to 50 shown) |
User Count | How many distinct users share this fingerprint |
Offer / Advertiser / Publisher | Where the activity occurred |
Total Postbacks | Combined conversions from all users in the cluster |
Revenue / Cost | Combined financial impact |
How to use it: Look for clusters with high user counts - these likely represent a single person or bot farm operating many accounts. Sort by User Count to find the largest clusters, or by Revenue to find the most expensive ones.
ℹ️ Only clusters with 2 or more users are displayed.
3. Time-of-Day Anomaly Report
Flags users whose conversions are abnormally concentrated in a single hour of the day. Legitimate users typically convert across varied hours - bots and fraudsters often operate in tight time windows.
Additional setting:
Minimum Postbacks (default: 10) - Only users with at least this many conversions are included - prevents false positives from low-activity users
Column | What it means |
User ID/Name | User ID and nickname |
Offer / Advertiser / Publisher | Where the activity occurred |
Peak Hour | The hour of day (0–23) with the most conversions |
Peak Hour Postbacks | Number of conversions during the peak hour |
Peak Hour Rate | Percentage of all conversions that occurred in the peak hour |
Peak/Total Postbacks | Peak/Total conversions in the selected period |
Hour Distribution | Breakdown of conversion counts across all 24 hours |
Revenue / Cost | Financial impact |
How to use it: A high Peak Hour Rate (e.g. above 70%) combined with a high postback count is a strong fraud signal.
ℹ️ Review the Hour Distribution to see the full pattern - legitimate users typically show activity spread across multiple hours.
4. Timing Cluster Report
Detects groups of users who complete events in identical sequences and at nearly identical speeds - a hallmark of bot networks or scripted fraud.
Additional setting:
Rounding (seconds) (default: 5) - Controls how precisely timing is compared. A value of 5 means two events are considered "same speed" if they occur within 5 seconds of each other. Lower values require more exact matches; higher values cast a wider net.
Column | What it means |
Timing Fingerprint | The shared event sequence and timing - e.g. |
User IDs | Users who matched this exact pattern (up to 50 shown) |
User Count | How many distinct users share this pattern |
Offer / Advertiser / Publisher | Where the activity occurred |
Total Postbacks | Combined conversions from all matched users |
Revenue / Cost | Combined financial impact |
How to use it: Large clusters of users completing the same events at the same speed strongly suggest automated or scripted behavior. Sort by User Count to find the largest bot clusters. If you're getting too many or too few results, adjust the Rounding setting - lower values (e.g. 1–2 seconds) find only very precise matches, while higher values (e.g. 10+ seconds) surface broader patterns.
ℹ️ Only patterns shared by 2 or more users are displayed.