Fraud-intelligence · Jan 13, 2026 · 13 minute read

Geo-Velocity Fraud Triage: Impossible Travel Between Logins

Geo-velocity signals are only useful if they are tied to ownership, SLAs, and defensible evidence. This briefing turns "impossible travel" into an instrumented control.

IntegrityLens alternate logo

Michael O’Connell

Head of Trust & Safety

Michael runs red teams and fraud defense strategy for high-stakes hiring pipelines.

Geo-velocity is not a verdict. It is a step-up verification trigger that only matters if it produces an evidence pack and a time-stamped decision.
Back to all posts

1) Hook: Real hiring problem

A geo-velocity anomaly is simple on paper: two events for the same candidate appear from locations that imply impossible travel in the time between them. In practice, it becomes a defensibility incident when you cannot prove whether the person who took the assessment is the person who joined the interview. The failure mode looks like this: a candidate is advanced quickly to protect time-to-offer, then a late integrity check flags "impossible travel." Recruiting Ops pauses the funnel, Security asks for logs, and the Hiring Manager wants to proceed anyway because feedback was strong. Without a single evidence pack, you end up with a decision made in a war room with partial data. People Analytics gets pulled in last, asked to answer questions your dataset cannot support: Which events were considered? Which thresholds were used? How many similar cases were ignored? If Legal asked you to prove who approved this candidate, can you retrieve it?

  • Operational risk: review queues clog and SLAs break because anomalies are handled ad hoc.

  • Legal exposure: inconsistent handling creates claims of arbitrary treatment when candidates dispute decisions.

  • Cost of mis-hire: every fraudulent pass-through wastes interview loops and can compound into replacement cost exposure (role-dependent).

  • Audit readiness: if it is not logged, it is not defensible.

2) Why legacy tools fail

Geo-velocity requires cross-tool correlation and timestamp integrity. Legacy hiring stacks typically cannot do that because events are not normalized, and identity is not treated as a gate before access. Three systemic gaps drive failure: This is why shadow workflows appear: recruiters paste IP data into spreadsheets, Security asks for exports, and People Analytics tries to backfill a dataset after the fact. The result is slow, inconsistent, and hard to defend.

  1. Sequential checks instead of parallelized checks. Verification happens after the candidate has already touched privileged steps like assessments and live interviews.

  2. No immutable event log. Tools store their own timestamps, but you cannot create a single timeline that survives disputes.

  3. No unified evidence packs. Reviewers are forced into screenshots and manual notes, which creates audit liabilities and inconsistent outcomes.

  • ATS: stage tracking without integrity signals and without tamper-resistant evidence attachments.

  • Background checks: identity events are not sequenced against interview and assessment access.

  • Coding and interview platforms: high-fidelity telemetry but no governance model for adjudication SLAs.

3) Ownership and accountability matrix

  • Security: defines policy thresholds, step-up verification requirements, and override permissions.

  • Hiring Manager: owns rubric discipline and whether a re-interview is required after re-auth.

  • People Analytics: owns measurement, dashboards, and false positive management reporting. A practical rule: People Analytics should not be the adjudicator. Your job is to make the system measurable and defensible, not to personally decide which candidates are fraudulent.

  • Candidate ID and ATS stage at time of alert.

  • Event timeline with timestamps for login, assessment start, interview join.

  • Geo-velocity computation inputs (locations, distance estimate method, time delta).

  • Any corroborating signals used (for example: device fingerprint change, liveness result, voice mismatch, proxy interview detection flags).

  • Reviewer identity, decision, and timestamp.

4) Modern operating model

  • Event-based triggers. Each candidate action emits an event that can be evaluated in near real time.

  • Automated evidence capture. Build an evidence pack as the funnel progresses, not after an incident.

  • Risk-tiered funnel with step-up verification. Geo-velocity moves a candidate into a higher risk tier that requires additional proof, not an automatic rejection.

  • Segmented risk dashboards. People Analytics tracks time-to-event, review queue load, false positive rates, and where anomalies cluster (role, region, source, stage). This model also protects against false accusations. Geo-velocity can be caused by VPNs, corporate travel, mobile carrier routing, or shared devices. The control must be built to ask for more evidence, not to "catch" people.

IntegrityLens promo

  • Low risk: minor geo mismatch with consistent device and successful liveness. Proceed, log only.

  • Medium risk: geo-velocity plus device change or network anomaly. Trigger step-up verification before next stage.

  • High risk: geo-velocity plus deepfake or proxy interview detection signals. Freeze stage progression until Security adjudication.

5) Where IntegrityLens fits

  • Multi-layered fraud prevention signals including deepfake detection, proxy interview detection, behavioral signals, and device fingerprinting, so geo-velocity is corroborated instead of acted on alone.

  • AI-powered screening interviews available 24/7 with structured rubrics, making it easier to standardize scoring and tie feedback to verified identity.

  • Immutable evidence packs and ATS-anchored audit trails, so every alert has a time-stamped decision path.

  • Risk-tiered funnel controls with step-up verification, so Recruiting Ops can keep time-to-offer moving while Security gets defensible gates.

  • Time-to-event instrumentation across verify-interview-assess-offer.

  • Segmented dashboards for anomaly rates by source, region, and stage.

  • A repeatable dataset for measuring false positives and reviewer consistency.

6) Anti-patterns that make fraud worse

  • Treating geo-velocity as automatic disqualification. You will spike false positives and create legal exposure when candidates dispute decisions without a corroborated evidence pack. - Letting reviewers "investigate in Slack." Shadow workflows are integrity liabilities and destroy timestamp fidelity. - Waiting until post-interview to verify identity. Time delays cluster at moments where identity is unverified, and you waste the most expensive resource first: interviewer time.

  • They remove controlled escalation paths and replace them with opinions.

  • They make it impossible to prove consistent treatment across candidates.

  • They hide workload until the queue breaks and SLAs become unmanageable.

7) Implementation runbook

1

Define the geo-velocity policy

  • Owner: Security (thresholds) + People Analytics (measurement definitions)
  • SLA: 5 business days to publish v1 policy
  • Logged: policy version, thresholds, approved reviewers, escalation path
2

Instrument events across the funnel

  • Owner: Recruiting Ops (workflow) + People Analytics (event schema)
  • SLA: 10 business days
  • Logged: candidate_id, event_type, timestamp, location estimate source, device fingerprint hash, verification status
3

Compute geo-velocity at every privileged event boundary

  • Owner: Security
  • SLA: real-time evaluation at event ingest
  • Logged: prior_event_id, current_event_id, time_delta, distance_estimate, risk_tier
4

Risk-tier routing with review queue

  • Owner: Recruiting Ops
  • SLA: Low risk auto-advance. Medium risk review within 4 business hours. High risk review within 1 business hour.
  • Logged: queue entry time, reviewer assignment, SLA breach flag
5

Step-up verification before next access

  • Owner: Recruiting Ops triggers, Security defines required checks
  • SLA: candidate completes within 24 hours or auto-expire access by default
  • Logged: liveness result, face match result, document auth result, any voice or behavioral mismatch indicators
6

Adjudication and decision write-back

  • Owner: Security adjudicates medium-high. Hiring Manager re-interviews if required.
  • SLA: decision recorded within 1 business day of step-up completion
  • Logged: decision code, rationale, approver identity, timestamp, evidence pack link in ATS
7

Weekly control effectiveness review

  • Owner: People Analytics
  • SLA: weekly
  • Logged: anomaly rate by stage, false positive rate proxy (step-up pass rate), time-to-resolution, SLA breach rate, downstream outcomes (offer accepted, start, termination in probation window where allowed).

8) Sources

  • Use external stats only to justify that the risk is real.

  • Use your own timestamps and queue data to justify headcount, tooling, and SLA design.

9) Close: Implementation checklist

  • Require an identity gate before assessments and live interviews for roles with privileged access risk.

  • Stand up a review queue with SLAs (4 hours medium, 1 hour high) owned by Recruiting Ops.

  • Enforce "corroboration required" before adverse action: geo-velocity plus at least one additional signal.

  • Auto-expire candidate access when step-up verification is pending beyond 24 hours.

  • Attach an evidence pack link to every adjudicated case inside the ATS.

  • Build a People Analytics dashboard: time-to-resolution, SLA breach rate, step-up pass rate, anomaly clustering by source and stage.

  • Run a weekly control review with Recruiting Ops and Security and revise thresholds based on false positive management. The goal is not to catch every attacker. The goal is a measurable, reviewable control that holds up when someone asks for proof.

  • Cycle-time: fewer late-stage pauses and rework because anomalies are handled at defined gates.

  • Defensibility: every decision is tied to timestamps, owners, and an evidence pack.

  • Fraud exposure: step-up verification concentrates effort where risk is highest.

  • Consistency: standardized rubrics and logged adjudication reduce reviewer variance.

Related Resources

Key takeaways

  • Geo-velocity is a triage signal, not a verdict. Treat it as a step-up verification trigger tied to an evidence pack.
  • Triangulate across events (ATS stage change, interview join, assessment start) to reduce false positives and protect against wrongful accusations.
  • Assign explicit ownership: Recruiting Ops runs the workflow, Security owns thresholds and access policy, Hiring Managers own rubric discipline.
  • Instrument everything with timestamps. If it is not logged, it is not defensible.
  • Use parallelized checks instead of waterfall workflows to protect time-to-offer while increasing integrity coverage.
Geo-Velocity Triangulation Policy (v1)YAML policy

Use this policy to standardize thresholds, require corroboration, and enforce review-bound SLAs.

Designed for People Analytics to measure effectiveness without becoming the adjudicator.

Attach the policy version to every evidence pack for audit readiness.

geo_velocity_policy:
  version: "1.0"
  scope:
    events:
      - candidate_login
      - assessment_start
      - interview_join
      - verification_attempt
    privileged_boundaries:
      - assessment_start
      - interview_join
  computation:
    distance_method: "haversine_km"
    location_sources_allowed:
      - ip_geolocation
      - device_gps_if_consented
    ignore_if:
      - location_confidence_lt: 0.6
      - known_corporate_vpn: true
  thresholds:
    low:
      max_kmh: 900
      action: "log_only"
    medium:
      max_kmh: 900
      plus_any_signal_required:
        - device_fingerprint_changed
        - network_anonymizer_detected
      action: "step_up_verification"
    high:
      max_kmh: 900
      plus_any_signal_required:
        - proxy_interview_signal
        - deepfake_signal
        - liveness_failed
      action: "freeze_stage_and_security_review"
  slas:
    medium_review_within_hours: 4
    high_review_within_hours: 1
    step_up_completion_within_hours: 24
  corroboration_rule:
    adverse_action_requires:
      - "geo_velocity_threshold_breached"
      - "at_least_one_additional_signal"
  evidence_pack:
    required_fields:
      - candidate_id
      - ats_stage
      - policy_version
      - prior_event_timestamp
      - current_event_timestamp
      - distance_km
      - time_delta_minutes
      - computed_kmh
      - corroborating_signals
      - reviewer_id
      - decision
      - decision_timestamp
    storage:
      tamper_resistant_log: true
      ats_link_required: true
  overrides:
    allowed_roles:
      - security_reviewer
    require_reason_code: true
    require_second_approver_for_high: true

Outcome proof: What changes

Before

Geo anomalies were discovered late via manual screenshots from interview and assessment tools, causing stage pauses with no consistent documentation. Security could not reconstruct who approved exceptions.

After

Geo-velocity became an event-based step-up trigger at assessment start and interview join, with a review queue, defined SLAs, and evidence packs linked in the ATS.

Governance Notes: Security signed off because the control uses corroboration and step-up verification rather than automatic rejection, reducing false accusation risk. Legal approved the evidence pack format because it captures consistent decision rationale, reviewer identity, timestamps, and policy version, supporting defensibility in disputes.

Implementation checklist

  • Define what constitutes "impossible travel" for your funnel events (login, interview join, assessment start).
  • Set risk tiers and step-up verification actions per tier.
  • Implement a review-bound SLA queue with clear owners and escalation.
  • Require corroboration from at least one additional signal before actioning a geo-velocity alert.
  • Package every decision into an immutable evidence pack linked to the ATS candidate record.

Questions we hear from teams

Is geo-velocity alone enough to reject a candidate?
No. Treat it as a triage signal. Require corroboration from at least one additional signal and record the decision path in an evidence pack to avoid false accusation risk.
How do we avoid penalizing candidates on VPNs or while traveling?
Use confidence thresholds, maintain an allowlist for known corporate VPNs where appropriate, and rely on step-up verification (liveness, face match, document auth) instead of adverse action on geo alone.
What should People Analytics measure to prove the control works?
Time-to-resolution, SLA breach rate, step-up completion rate, step-up pass rate (as a proxy for false positives), anomaly clustering by source and stage, and downstream funnel impact (offer acceptance and start rates by risk tier).
Where should the evidence live for audits?
Anchor the decision in the ATS with a link to a tamper-resistant evidence pack that contains the event timeline, policy version, reviewer identity, and decision rationale.

Ready to secure your hiring pipeline?

Let IntegrityLens help you verify identity, stop proxy interviews, and standardize screening from first touch to final offer.

Try it free Book a demo

Watch IntegrityLens in action

See how IntegrityLens verifies identity, detects proxy interviewing, and standardizes screening with AI interviews and coding assessments.

Related resources