Threat Inbox
The Threat Inbox is where email detections land. This section explains how the risk score is produced, what the threshold bands mean, and how to report a false positive.
How scoring works
Every scanned email gets a single risk score from 0 to 100. That score is produced by an ensemble that fuses several signals in one place:
- The machine-learning email model (a three-component ensemble: a transformer text classifier, a TF-IDF + LinearSVC classifier, and a deterministic rule engine).
- Email-header analysis (SPF/authentication, reply-to mismatches).
- URL-threat analysis on links found in the message.
- Vendor-impersonation, "boss scam"/executive-impersonation, and fake-government-notice signals.
Strong signals apply "floors" and "boosts" that raise the score — for example, a suspicious header can force the score to a high floor, while a URL threat boosts it. A trusted/known-good sender domain applies a downward modifier. The fused number is then banded (below).
Threshold bands
The canonical risk banding (0–100 scale) is:
| Band | Score | Meaning |
|---|---|---|
| Low | ≤ 30 | Safe |
| Medium | 31–60 | Caution |
| High | > 60 | Danger |
Two things happen at specific scores in the email pipeline:
- ≥ 60 — the detection is persisted as a Threat and Gmail labels are applied.
- Email threat alerts use their own thresholds: a score ≥ 50 creates an alert; a score ≥ 75 creates an alert *and* sends you a warning email. Anything below 50, or anything classified as Legitimate (CAT-08), never raises an alert.
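The scoring and threshold rules above can be read as one small decision procedure. The following is an added illustration, not ScamShield AI's own code: the band edges and the 50/60/75 thresholds are the documented ones, while the header floor (70), URL boost (20), trusted-sender modifier (-30) and the order they are applied in are assumptions made for the example.

```python
"""Score fusion, banding and alert decisions as described in the Threat Inbox docs.

Added illustration, not ScamShield AI's own code. The band edges and the
50/60/75 thresholds are the documented ones; the floor, boost and
trusted-sender values and the order they are applied in are assumptions.
"""
from dataclasses import dataclass

LEGITIMATE = "CAT-08"

# Documented thresholds (0-100 scale).
PERSIST_THRESHOLD = 60      # >= 60: persisted as a Threat, Gmail labels applied
ALERT_THRESHOLD = 50        # >= 50: alert created
WARN_EMAIL_THRESHOLD = 75   # >= 75: alert and warning email

# Illustrative fusion parameters (assumptions, not the product's real values).
HEADER_FLOOR = 70              # a suspicious header forces the score to at least this
URL_BOOST = 20                 # a URL threat adds this much
TRUSTED_SENDER_MODIFIER = -30  # a known-good sender domain pulls the score down


@dataclass
class Signals:
    model_score: float               # 0-100 from the three-component ML ensemble
    suspicious_header: bool = False  # SPF failure, reply-to mismatch, ...
    url_threat: bool = False
    trusted_sender: bool = False
    category: str = "CAT-01"


def fuse_score(s: Signals) -> int:
    """Combine the signals into one 0-100 risk score.

    Assumed order: boosts, then floors, then the trusted-sender modifier,
    then clamp to the 0-100 scale.
    """
    score = s.model_score
    if s.url_threat:
        score += URL_BOOST
    if s.suspicious_header:
        score = max(score, HEADER_FLOOR)
    if s.trusted_sender:
        score += TRUSTED_SENDER_MODIFIER
    return int(round(max(0.0, min(100.0, score))))


def band(score: int) -> str:
    """Map a score to the documented Low / Medium / High bands."""
    if score <= 30:
        return "Low"
    if score <= 60:
        return "Medium"
    return "High"


def decide(score: int, category: str) -> dict:
    """Apply the documented pipeline thresholds to a fused score."""
    persisted = score >= PERSIST_THRESHOLD
    alert = score >= ALERT_THRESHOLD and category != LEGITIMATE
    warn_email = alert and score >= WARN_EMAIL_THRESHOLD
    return {
        "score": score,
        "band": band(score),
        "persisted_as_threat": persisted,
        "alert": alert,
        "warning_email": warn_email,
    }


def evaluate(s: Signals) -> dict:
    """Fuse, band and decide in one call."""
    return decide(fuse_score(s), s.category)


if __name__ == "__main__":
    # Constructed inputs, not real detections.
    samples = {
        "url threat, modest model score": Signals(model_score=40, url_threat=True),
        "header floor on a low model score": Signals(model_score=20, suspicious_header=True),
        "high model score, trusted sender": Signals(model_score=85, trusted_sender=True),
        "legitimate (CAT-08) scores high": Signals(model_score=80, category=LEGITIMATE),
    }
    for name, sig in samples.items():
        print(f"{name}: {evaluate(sig)}")
```

Note the edge the documentation implies: the band table puts 60 in Medium, but the persist rule is ≥ 60, so a score of exactly 60 is banded Medium yet still persisted as a Threat and alerted. A Legitimate (CAT-08) detection with a high score is persisted but never alerts.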
Fraud categories
Detections are tagged with a category code. The backend recognises:
| Code | Category |
|---|---|
| CAT-01 | GSTN impersonation |
| CAT-02 | UPI fraud |
| CAT-03 | Digital arrest scam |
| CAT-04 | Income-tax impersonation |
| CAT-05 | Fake loan / KYC |
| CAT-06 | Lottery / prize scam |
| CAT-07 | Job-offer scam |
| CAT-08 | Legitimate |
| CAT-09 | Investment / stock-tip fraud |
| CAT-10 | Boss scam / executive impersonation |
| CAT-11 | Fake government notice |
Note: The backend models cover categories through CAT-11. The customer portal's display map currently labels codes through CAT-09, so CAT-10 and CAT-11 may appear with their raw code in some portal views until the display map is extended.
Threat statuses
A threat moves through these statuses: detected (new), reviewed, confirmed, and false_positive. Updating the status stamps a resolution time.
Reporting a false positive
If a detection is wrong, report it — this both corrects your inbox and improves the model:
- Open the threat and submit feedback. Accepted values are confirmed (it really was a threat) or false positive; you can also mark a threat unsure.
- Your feedback is recorded and the threat's status/label is updated to match.
- In the background, ScamShield AI creates a DPDP-safe training record — it stores only a short subject snippet, the sender's domain, the predicted category and score, and your correct label. No message body or PII is kept.
How feedback improves detection
A nightly job retrains Component B (the TF-IDF + LinearSVC classifier) from accumulated feedback. It only runs when there are at least 10 new feedback records since the last run. The transformer model (Component A) is not retrained this way. Each retrain is logged as a run you can audit.
Note: Feedback improves the classical classifier over time; it is not an instant allow/deny list. To immediately stop flagging a known-good sender, use trusted-sender / trusted-vendor settings where available.
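The feedback record described under "Reporting a false positive" and the retrain gate above are easiest to see as code. This is an added illustration, not ScamShield AI's own implementation: the field list (subject snippet, sender domain, predicted category and score, correct label) and the 10-record gate come from the documentation, while the 60-character snippet length and the shape of the input message dict are assumptions.

```python
"""Minimised feedback record and retrain gate, as described in the Threat Inbox docs.

Added illustration, not ScamShield AI's own code. The field list and the
10-record gate follow the documentation; the snippet length and the input
message shape are assumptions.
"""
from dataclasses import dataclass, asdict
import re

SUBJECT_SNIPPET_LEN = 60    # assumption: the docs say "short" but give no length
MIN_NEW_FEEDBACK = 10       # documented: nightly retrain needs >= 10 new records
FEEDBACK_LABELS = {"confirmed", "false_positive", "unsure"}


@dataclass(frozen=True)
class TrainingRecord:
    """Exactly the documented fields; no body, recipient or full address."""
    subject_snippet: str
    sender_domain: str
    predicted_category: str
    predicted_score: int
    correct_label: str


def sender_domain(address: str) -> str:
    """Keep only the domain part of 'Name <user@host>' or 'user@host'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", address)
    return m.group(1).lower().rstrip(".") if m else ""


def make_training_record(message: dict, predicted_category: str,
                         predicted_score: int, label: str) -> TrainingRecord:
    """Build the record from a full message dict (subject, from, to, body).

    Only the documented fields are copied out, so the message body, the
    recipient and the local part of the sender address never reach storage.
    """
    if label not in FEEDBACK_LABELS:
        raise ValueError(f"unknown feedback label: {label!r}")
    return TrainingRecord(
        subject_snippet=message.get("subject", "")[:SUBJECT_SNIPPET_LEN],
        sender_domain=sender_domain(message.get("from", "")),
        predicted_category=predicted_category,
        predicted_score=int(predicted_score),
        correct_label=label,
    )


def should_retrain(new_feedback_since_last_run: int) -> bool:
    """Documented gate for the nightly Component B retrain."""
    return new_feedback_since_last_run >= MIN_NEW_FEEDBACK


if __name__ == "__main__":
    # Constructed message, not a real detection.
    msg = {
        "from": "Accounts Team <billing@vendor-example.test>",
        "to": "finance@customer-example.test",
        "subject": "Invoice 4471 overdue - please confirm updated bank details today",
        "body": "Hello, please settle the attached invoice using our updated account.",
    }
    rec = make_training_record(msg, "CAT-10", 72, "false_positive")
    print(asdict(rec))
    print("retrain tonight:", should_retrain(7), should_retrain(12))
```

Running the script shows the record carries only the five documented fields; the body and recipient are dropped at construction time rather than redacted afterwards, which is the property that makes the record DPDP-safe to accumulate for retraining.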