Operational readiness guide: Fraud Detection policy

This guide supports policy alignment between Talent Acquisition (TA), Legal, and Security teams when using the fraud detection feature in Greenhouse Recruiting’s Real Talent suite.

The goal is to define a clear approach to actioning fraud signals that balances candidate experience with organizational security. By the end of these discussions, your organization should have clear answers to four questions:

  • Which specific criteria (signal type, count, or role) mandate an official investigation?
  • What investigative actions are allowed? What is the maximum duration of an investigation?
  • Who has the final sign-off to determine a signal is a false positive and resolve it in Greenhouse Recruiting?
  • What must be documented when resolving the signal?

Note: This document is intended as a reference for Greenhouse customers and their usage of Real Talent features. None of this is intended to be legal advice, nor are any of the answers provided intended to override or contradict the advice of your legal counsel.

Understanding fraud detection

Fraud Detection in the Real Talent suite automatically screens incoming applications using objective digital signals such as phone number, email, IP address, and location to help protect your organization from individuals who deliberately misrepresent their identity to recruiters.

These results appear as a fraud report on the candidate’s profile. Recruiters review this report to assess the likelihood of fraudulent activity.

This feature does not use AI or automated scoring. It applies rules based on objective signals from the candidate’s application, device, and self-reported information to identify candidates who are potentially misrepresenting their identity.

Signal categories

Greenhouse screens for many different fraud signals as part of the Fraud Detection process. These signals are grouped into three primary categories:

  • Signals verifying the candidate’s identity: Indicators that suggest the candidate is authentic and human, such as an email address older than one year.
  • High-risk fraud signals: Signals strongly associated with fraud, such as an IP address linked to a data center rather than a residential location.
  • Weak fraud signals: Signals with low or contextual correlation to fraud that may require review, such as a mismatch between device time zone and reported location.

If one or more high-risk signals are detected, an icon will be displayed next to the candidate’s name to indicate potential fraud.

Note: The complete list of specific fraud signals is accessible through Greenhouse’s Trust Portal.

Resolving signals and auditing results

When a candidate is confirmed to be authentic, recruiters may resolve the associated signals. Resolving removes the signals from the Security Screening tab but does not delete the underlying fraud report. Resolved signals can be restored if needed.

Additionally, the Activity Feed on the candidate’s profile displays an audit trail for accountability:

  • The date and time the fraud report was run.
  • The date and time fraud signals were resolved, and by which user.
  • The date and time fraud signals were restored, and by which user.

Designing your fraud detection process

Your policy should define where fraud detection fits into the recruiting workflow and how recruiters act on different signal outcomes.

Key terms used below:

  • Fraud signals: The results of the fraud report in which the candidate has one or more signals requiring review.
  • An investigation: The process of reviewing signals and, if appropriate, following up with the candidate to make a determination about their identity or authenticity.

Remember, fraud signals are not a definitive assessment of a candidate’s authenticity. Your organization must use them alongside its internal security guidance and together with other available candidate information when making a final decision.

1. Define when an investigation starts

Your team will need guidance to understand when they should pause in their workflow and flag a potentially fraudulent candidate.

Greenhouse recommends conducting fraud investigations after an initial skills and qualifications screen. This limits the investigation effort to candidates who are otherwise viable.

Key Question: Which specific criteria (signal type, count, or role) mandate an official investigation?

Example standard | How it might be implemented
Specific signals | Investigate any high-risk signal, or specific weak signal types
Specific amount of fraud signals | Investigate when a defined number of weak signals are present
Role-based standards | Apply stricter standards for roles with elevated security or data access

Recommendation: Weak signals can often be explained by legitimate factors such as travel, remote work, or data entry errors. Policies should minimize false positives and support fair candidate assessment.

2. Define how investigations are handled by your team

Your policy should specify the permitted, legally approved actions recruiters may take to verify identity, along with time limits for resolution.

Key Question: What investigative actions are allowed? What is the maximum duration of an investigation?

Example standard | How it might be implemented
Self-review | Recruiter validates signals using existing application materials
Verbal clarification | Recruiter asks objective, pre-approved questions during a scheduled call. For example, "Can you clarify your current time zone?"
Manager escalation | Recruiter reviews findings with management before proceeding
Further identity verification using CLEAR | The recruiter takes additional action to verify the candidate’s identity, like requesting an identity verification with CLEAR.
Security team handoff | Recruiter transfers the profile to their Security or Compliance teams for decision before proceeding further.

3. Establish decision-making frameworks

Based on your investigation criteria and process, define who has final authority to resolve signals or reject a candidate.

Key Question: Who has the final sign-off to determine a signal is a false positive and resolve it in Greenhouse Recruiting?

Example standard | How it might be implemented
Recruiter discretion | Frontline recruiter is authorized to resolve weak signals and log the finding.
Manager approval | Resolving any signals requires management approval.
Shared authority | Resolution requires the Recruiter plus a consult/email approval from a designated Security or HR partner.

4. Define how investigations are documented

Your policy should require documentation showing that verification steps were completed before resolution. While Greenhouse allows users to record a rejection reason when rejecting a candidate based on a security concern, your organization can decide if additional detail is necessary.

Key Question: What must be documented when resolving the signal?

Example standard | How it might be implemented
In-product | Resolved signals are documented when resolving the signals in the Security Screening tab.
Manager | Resolution requires a Recruiter Manager's digital sign-off.
External | External security log with reference ID noted in Greenhouse

Candidate experience and communication

This policy also governs external communication. It sets expectations for consistency, objectivity, and protecting the organization’s legal position. Recruiters should use these standards when responding to candidate outreach.

Potential discussion topics: 

  • What is the maximum information a recruiter can request to resolve a signal, and what topics are strictly prohibited?
  • If the process is paused for investigation, what is the reason the recruiter can give to the candidate for the delay?
  • If a candidate is rejected due to fraud, what is the reason for rejection the recruiter can give to the candidate?
  • If a rejected candidate asks for the specific reason (and the reason is fraud), what is the official policy on disclosing the fraud finding?
