Risk Score FAQ

Answers to common questions about risk scores, false positives, and threshold tuning.

Last updated March 13, 2026

Common questions about how Fidro scores users and what to do when the score doesn't match your expectations.

Why is a legitimate user getting a high score?

Several things can cause false positives:

  • VPN usage — Many privacy-conscious users run VPNs. This adds 10–20 points to the score depending on the provider.
  • Free email + VPN — A Gmail address from a VPN IP combines two medium signals into a higher score.
  • New domain — If the user's company just registered their domain, the domain_age check triggers.
  • Country mismatch — A user travelling abroad will have an IP in a different country than their billing address.

What to do: Check the data.checks array to see which specific checks triggered. If VPN is the primary cause, you may want to raise your review threshold or handle VPN users separately in your logic.
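The code below is an added example, not Fidro's own code: it reads data.checks from a parsed response and flags cases where the VPN check alone moves the score across a threshold, so those users can be handled on a separate path. The fields `score`, `name`, `triggered` and `points`, the check names `vpn` and `free_email`, and the `allow` and `vpn_step_up` labels are assumptions; the two responses are constructed samples.

```python
# Added example. Assumed (not from Fidro's docs): data.score, the per-check
# fields "name"/"triggered"/"points", check names "vpn" and "free_email",
# and the "allow" / "vpn_step_up" labels.
REVIEW_THRESHOLD = 41  # page default: score at or above this -> "review"
REFUND_THRESHOLD = 71  # page default: score at or above this -> "refund"

def recommendation(score, review=REVIEW_THRESHOLD, refund=REFUND_THRESHOLD):
    """Map a score to a recommendation with 'at or above' semantics."""
    if score >= refund:
        return "refund"
    return "review" if score >= review else "allow"

def triage(response, review=REVIEW_THRESHOLD, refund=REFUND_THRESHOLD):
    """List the triggered checks and decide whether VPN alone tipped the score."""
    data = response["data"]
    triggered = [c for c in data["checks"] if c.get("triggered")]
    triggered.sort(key=lambda c: c.get("points", 0), reverse=True)
    names = [c["name"] for c in triggered]
    vpn_points = sum(c.get("points", 0) for c in triggered if c["name"] == "vpn")
    with_vpn = recommendation(data["score"], review, refund)
    without_vpn = recommendation(data["score"] - vpn_points, review, refund)
    # A custom_blocklist hit is an explicit operator decision: never soften it.
    vpn_primary = (vpn_points > 0 and "custom_blocklist" not in names
                   and with_vpn != without_vpn)
    return {
        "recommendation": with_vpn,
        "triggered": names,
        "vpn_primary": vpn_primary,
        # Send VPN-driven scores to a separate path, not the manual review queue.
        "route": "vpn_step_up" if vpn_primary else with_vpn,
    }

# Constructed sample responses (not real API output).
GMAIL_OVER_VPN = {"data": {"score": 45, "checks": [
    {"name": "vpn", "triggered": True, "points": 20},
    {"name": "free_email", "triggered": True, "points": 25},
    {"name": "domain_age", "triggered": False, "points": 0}]}}
BLOCKLISTED_OVER_VPN = {"data": {"score": 50, "checks": [
    {"name": "vpn", "triggered": True, "points": 15},
    {"name": "custom_blocklist", "triggered": True, "points": 35}]}}

if __name__ == "__main__":
    for sample in (GMAIL_OVER_VPN, BLOCKLISTED_OVER_VPN):
        print(triage(sample))
```
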

Why is a fraudulent user getting a low score?

No fraud detection system catches 100% of fraud. Some common reasons:

  • Established email provider — The fraudster used an old, legitimate email address (possibly compromised).
  • Residential IP — They're not using a VPN or proxy.
  • Clean history — They haven't appeared on any blocklist yet.

What to do: Add the email/domain/IP to your custom blocklist so future attempts are caught. Over time, your blocklist becomes a powerful supplement to Fidro's built-in detection.

Can I change the scoring thresholds?

Yes, if you're on the Pro plan. Go to Account Settings → Chargeback Prevention and adjust:

  • Refund threshold — Score at or above this = "refund" recommendation (default: 71)
  • Review threshold — Score at or above this = "review" recommendation (default: 41)

These thresholds affect both the recommendation in API responses and auto-refund behaviour for Stripe transactions.

Does the score change over time?

No. The score is calculated once at validation time and stored. If you validate the same email/IP combination again later, the new score may differ because:

  • The IP may now be on a blocklist
  • The email domain may have been added to disposable lists
  • Your custom blocklist may have new entries

How accurate is the scoring?

Fidro's scoring model is calibrated on real-world fraud data. The default thresholds (41 for review, 71 for block) are designed to balance false positives and false negatives for typical SaaS products.

Your specific false positive rate depends on your user base. A B2B enterprise product with corporate email users will see very few false positives. A consumer product where many users have Gmail + VPN will see more.

Recommendation: Start with the defaults, monitor your review queue for a week, and adjust based on what you see.

Why does the same email get different scores?

If only the email is passed (no IP), the score reflects email signals only. If both email and IP are passed, additional network checks run and the score is usually higher.

Also, if you added a blocklist entry between the two requests, the custom_blocklist check will trigger on the second request.

What's the difference between the API risk score and the chargeback risk score?

  • API risk score (from /api/validate) — Scores signup/login fraud based on email and IP signals
  • Chargeback risk score (from Stripe webhooks) — Scores payment fraud based on transaction, card, and customer signals

They use different check sets because the fraud vectors are different. A user might pass signup validation but still commit chargeback fraud later.