Threat Inbox

The Threat Inbox is where email detections land. This section explains how the risk score is produced, what the threshold bands mean, and how to report a false positive.

How scoring works

Every scanned email gets a single risk score from 0 to 100. That score is produced by an ensemble that fuses several signals in one place:

  • The machine-learning email model (a three-component ensemble: a transformer text classifier, a TF-IDF + LinearSVC classifier, and a deterministic rule engine).
  • Email-header analysis (SPF/authentication, reply-to mismatches).
  • URL-threat analysis on links found in the message.
  • Vendor-impersonation, "boss scam"/executive-impersonation, and fake-government-notice signals.

Strong signals apply "floors" and "boosts" that raise the score — for example, a suspicious header can force the score to a high floor, while a URL threat boosts it. A trusted/known-good sender domain applies a downward modifier. The fused number is then banded (below).

Threshold bands

The canonical risk banding (0–100 scale) is:

Band     Score    Meaning
Low      ≤ 30     Safe
Medium   31–60    Caution
High     > 60     Danger

Two things happen at specific scores in the email pipeline:

  • ≥ 60 — the detection is persisted as a Threat and Gmail labels are applied.
  • Email threat alerts use their own thresholds: a score ≥ 50 creates an alert; a score ≥ 75 creates an alert *and* sends you a warning email. Anything below 50, or anything classified as Legitimate (CAT-08), never raises an alert.
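
The sketch below is an added example, not ScamShield AI's own code. It shows how a floor differs from a boost and what each documented threshold triggers, including the boundary score of 60, which is banded Medium yet persisted as a Threat. The function names, the floor, boost and modifier values, and the order they are applied in are assumptions; the band and threshold numbers are the ones stated above.

```python
from dataclasses import dataclass

# Thresholds stated on this page.
PERSIST_AT, ALERT_AT, WARN_EMAIL_AT = 60, 50, 75
LEGITIMATE = "CAT-08"

# Assumed, illustrative values: the page does not publish the real floor,
# boost or trusted-sender modifier, or the order in which they are applied.
HEADER_FLOOR, URL_BOOST, TRUSTED_MODIFIER = 70, 15, -20


def fuse(model_score, suspicious_header=False, url_threat=False, trusted_sender=False):
    """Hypothetical fusion step: a boost adds, a floor sets a minimum."""
    score = model_score
    if url_threat:
        score += URL_BOOST                  # boost: added to the model's score
    if trusted_sender:
        score += TRUSTED_MODIFIER           # downward modifier
    if suspicious_header:
        score = max(score, HEADER_FLOOR)    # floor: result cannot be lower
    return max(0, min(100, round(score)))   # stay on the 0-100 scale


def band_for(score):
    """Canonical banding: Low <= 30, Medium 31-60, High > 60."""
    if score <= 30:
        return "Low"
    return "Medium" if score <= 60 else "High"


@dataclass
class Outcome:
    band: str
    persisted: bool       # stored as a Threat, Gmail labels applied
    alert: bool
    warning_email: bool


def triage(score, category):
    """Apply the email-pipeline thresholds to a fused score."""
    # CAT-08 exemption is stated for alerts only; persisting by score alone is an assumption.
    alert = score >= ALERT_AT and category != LEGITIMATE
    return Outcome(band_for(score), score >= PERSIST_AT, alert, alert and score >= WARN_EMAIL_AT)


if __name__ == "__main__":
    # Constructed samples: (model score, signals, category)
    for s, sig, cat in [(20, {"suspicious_header": True}, "CAT-10"), (45, {"url_threat": True}, "CAT-02"), (90, {}, "CAT-08")]:
        print(cat, triage(fuse(s, **sig), cat))
```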

Fraud categories

Detections are tagged with a category code. The backend recognises:

Code     Category
CAT-01   GSTN impersonation
CAT-02   UPI fraud
CAT-03   Digital arrest scam
CAT-04   Income-tax impersonation
CAT-05   Fake loan / KYC
CAT-06   Lottery / prize scam
CAT-07   Job-offer scam
CAT-08   Legitimate
CAT-09   Investment / stock-tip fraud
CAT-10   Boss scam / executive impersonation
CAT-11   Fake government notice

Note: The backend models cover categories through CAT-11. The customer portal's display map currently labels codes through CAT-09, so CAT-10 and CAT-11 may appear with their raw code in some portal views until the display map is extended.

Threat statuses

A threat moves through these statuses: detected (new), reviewed, confirmed, and false_positive. Updating the status stamps a resolution time.

Reporting a false positive

If a detection is wrong, report it — this both corrects your inbox and improves the model:

  1. Open the threat and submit feedback. Accepted values are confirmed (it really was a threat) or false positive; you can also mark a threat unsure.
  2. Your feedback is recorded and the threat's status/label is updated to match.
  3. In the background, ScamShield AI creates a DPDP-safe training record — it stores only a short subject snippet, the sender's domain, the predicted category and score, and your correct label. No message body or PII is kept.

How feedback improves detection

A nightly job retrains Component B (the TF-IDF + LinearSVC classifier) from accumulated feedback. It only runs when there are at least 10 new feedback records since the last run. The transformer model (Component A) is not retrained this way. Each retrain is logged as a run you can audit.

Note: Feedback improves the classical classifier over time; it is not an instant allow/deny list. To immediately stop flagging a known-good sender, use trusted-sender / trusted-vendor settings where available.
ScamShield AI Pvt Ltd, Ahmedabad, Gujarat, India
ScamShield AI Ltd, London, UK (Company No. 17092415)
© 2026 ScamShield AI · Made in India