This page describes how LMS investigates suspicious activity, how cases progress through the fraud workflow and what partners can expect at each stage.
It explains how a case is opened, how suspicion levels are determined, which timelines apply and how we coordinate actions such as blocking cards, requesting clarification or performing deeper analysis.
These guidelines ensure that all cases are handled consistently, securely and efficiently, with clear partner involvement at the right moments.
Opening a Fraud Case
A fraud case is opened when LMS identifies activity that cannot be immediately reconciled with normal charging behavior and therefore requires further investigation. This may follow from our own monitoring and analysis, or from information provided by a partner.
Cases are only created when there is a clear, objective reason to do so; routine fluctuations or isolated irregularities are not classified as fraud by default. Each signal is first reviewed to confirm that a structured assessment is appropriate.
In addition to internally detected signals, partners may also initiate a fraud case themselves. If you observe unusual behavior, or if a customer reports activity that appears inconsistent or unexplained, you can notify us directly via fraudprotection@lastmilesolutions.com. Partner-initiated cases follow the same structured process, timelines and verification steps as all other cases.
More information on how you as a partner can detect possible suspicious and fraudulent accounts and behaviors can be found here.
Opening a fraud case does not mean that fraud has been confirmed; it simply indicates that further assessment is required based on clear, objective signals.
Once a case is opened, the partner is notified and partner verification becomes an essential part of the process.
Partner Involvement in Case Handling
When a case involves your customer or network, you are actively involved in the process:
- Notification: You receive an automatic notification via Salesforce when a case is opened that concerns your organization.
- Case Status & Reminders: You are kept informed of the progress of each case via email notifications. Whenever action or a response is required from your side, you will receive a reminder indicating what is expected.
- Interaction: You can always respond, provide additional information, or request a case to be reopened if new facts arise.
- Resolution: In cases of confirmed fraud or critical threat, we take immediate action and inform you of the outcome. For less severe cases, you have the opportunity to clarify or resolve the issue before any measures are taken.
The level of involvement expected from the partner depends on the applicable suspicion level, but the requirement to verify end-user context applies in every case.
If a partner does not respond within the expected timeframe, the case will continue or close based on the information available at that moment; LMS will proceed based on risk.
An overview of partner responsibilities is provided on the Fraud Protection Process page.
We ask you to avoid reactivating affected assets without contacting fraudprotection@lastmilesolutions.com through the relevant ticket, as doing so may influence the outcome and transfer transfer financial exposure to your organisation. Clear coordination helps ensure that risks are properly managed on both sides.
Fraud Case Workflow (Visual Overview)
The diagrams below summarize how LMS detects, evaluates, and handles potential fraud. They provide a visual representation of how signals enter the process, how cases move between suspicion levels, and which actions correspond to each stage. These visuals are intended to complement the written description, giving partners a clear and accessible overview of the end-to-end process.
This diagram provides a high-level overview of how potential fraud is detected, assessed, and handled within the LMS platform.
Fraud signals may originate from multiple sources, including monitoring tools, dashboards, platform data, and partner notifications. All signals are centrally assessed by the LMS Fraud Team and registered for audit and follow-up purposes.
Based on internal triage, cases are classified into different levels of suspicion. Depending on the outcome, actions may range from continued monitoring and partner consultation to immediate blocking and escalation.
Throughout the process, transparency, traceability, and timely coordination with partners are key to ensuring appropriate risk management and resolution.
This overview illustrates how LMS applies a structured approach to fraud handling using five defined levels of suspicion.
For each level, the diagram shows the expected activities across monitoring, detection, validation, action, and registration. As the level of suspicion increases, the response becomes more targeted, time-sensitive, and escalated.
Lower levels focus on verification and monitoring in close coordination with the partner, while higher levels trigger immediate protective measures and internal escalation. Movement between levels is possible based on new information or partner feedback.
This framework ensures proportional action while maintaining platform integrity and financial risk control.
These visuals complement the conceptual framework introduced on the Fraud Protection Process page.
Suspicion Levels and Their Meaning
LMS applies a structured, risk-based approach to fraud detection. Irregular usage does not automatically imply fraud, but every deviation is assessed consistently using predefined suspicion levels. Each level determines the expected actions, your involvement, and response timelines. These levels are based on the principles of risk assessment described on the Fraud Protection Process page.
Cases may move between levels as new information becomes available, in line with the flexible MDMAR matrix approach.
Level 1 – Low Suspicion
Minor deviations from expected usage patterns that may have a legitimate explanation.
No intervention by LMS.
The asset remains fully active.
The partner is requested to perform a basic verification with the end user.
Purpose: early validation without operational impact.
Level 2 – Moderate Suspicion
Clear irregularities that fall outside normal usage and require confirmation.
No blocking or restriction is applied.
Partner verification with the end user is required.
Findings determine whether monitoring can stop or escalation is needed.
Purpose: confirmation of legitimacy or escalation.
Level 3 – Clear Irregularity
Significant anomalies indicating increased risk, but without sufficient certainty to justify immediate deactivation.
The asset remains active.
Enhanced monitoring is applied by LMS.
The partner is required to contact the end user and provide a formal explanation or clarification.
Purpose: obtain validated explanation while closely monitoring risk.
Level 4 – Evident Fraud
Fraudulent activity is confirmed based on validated indicators, repeated irregularities, or partner confirmation.
The asset is deactivated to prevent further misuse.
Urgent partner investigation is required.
Customer Success Manager is informed.
Follow-up actions are coordinated with LMS.
Level 5 – Critical Threat
Severe fraud with substantial financial or operational impact.
Immediate containment measures are applied.
Senior management escalation.
Close coordination between LMS and the partner.
Case Timelines and Response Expectations
Each level determines not only your expected involvement but also the speed at which the case progresses. The timelines below clarify when reminders are sent and how long a case remains open before further action is taken. For context on why certain cases require faster escalation, see the risk assessment section on the Fraud Protection Process page.
Level 1 – Low Suspicion
Reminder after 7 calendar days
Second reminder after 14 calendar days
Case update to status No Response after 21 days
No response may result in closure or escalation based on reassessment
Level 2 – Moderate Suspicion
Reminder after 5 calendar days
Second reminder after 10 calendar days
Case update to status No Response after 15 days
No response may result in closure or escalation based on reassessment
Level 3 – Clear Irregularity
Reminder after 4 calendar days
Second reminder after 8 calendar days
Case update to status No Response after 15 days
No response may result in closure or escalation based on reassessment
Level 4 cases – Evident Fraud
Upon confirmation, LMS takes immediate steps to restrict or deactivate the affected asset to prevent further misuse.
Close coordination continues until the case is formally resolved.
Level 5 – Critical Threat
LMS acts without delay to contain the incident, including immediate asset intervention and internal escalation.
Close coordination continues until the case is formally resolved.
Level 4 and Level 5 cases do not generate reminders or a “No Response” status. These cases require immediate action and are therefore not dependent on partner follow up. Level 5 cases are also escalated to senior management immediately.
Timelines ensure that cases progress consistently and that risk is contained in a timely manner, regardless of your involvement.
These timelines apply uniformly across the LMS ecosystem and are designed to balance investigation time with risk mitigation.
If a case is reopened after closure, the timeline logic begins again based on the newly assigned suspicion level.
Post-Case Actions and Follow-Up
Every fraud case handled by LMS concludes with a clear determination based on the evidence available at the time of closure. For context on how these outcomes relate to broader fraud scenarios, refer to the Fraud Protection Process page.
Depending on the findings, one of two outcomes is applied:
Confirmed Fraud
If the activity is assessed as fraudulent, LMS will take the appropriate action — such as deactivation of the asset — and coordinate next steps with the partner.
Financial or operational follow-up may be required depending on the nature of the incident.
No Fraud Detected
If the activity is validated as legitimate, or if partner verification provides a clear explanation, the case is closed without intervention and monitoring ends.
Financial Handling After Fraud Cases
In cases where fraudulent activity is confirmed, LMS ensures that the affected end user is not financially disadvantaged. If charges resulting from fraudulent use have already been invoiced, these will be corrected accordingly. If the transactions have not yet been invoiced, they will be excluded from billing altogether.
The financial follow-up depends on which party is responsible under the partner agreement. Costs related to confirmed fraud are either absorbed by the responsible party or reassigned accordingly, ensuring that legitimate users are protected and that fraudulent consumption is not recovered from the end user.
After a case is closed — regardless of the outcome — all actions, communication, and findings remain fully traceable in our ticket system.
The distinction between fraud and payment defaults is explained on the Fraud Protection Process page.
Final Notes
The procedures described on this page are designed to ensure that fraud cases are handled quickly, consistently and with the right level of security. Although each situation may differ, following this structured workflow helps all parties resolve cases efficiently and minimise risk for customers and networks. If additional information is required or a case demands escalated action, LMS will always communicate this clearly so partners know what to expect at every step.