
IP fraud scores explained: Talos, Scamalytics, and IPQS

Last updated on July 2, 2026 · 9 min read

About 32% of U.S. adults use a VPN, and switching one on is one of the fastest ways to push an IP fraud score into the red, through no fault of the person behind it. That is the confusing thing about IP fraud scores: a high number often says more about the address than the visitor. If you have looked up your own IP on a tool like Cisco Talos, Scamalytics, or IPQualityScore and been surprised by the result, this explains what these scores actually mean.

An IP fraud score condenses everything known about an IP address into one number or rating. It is genuinely useful as a fast first-pass filter, and genuinely misleading if you treat it as a verdict. This guide covers what each of the main scores means, how they are calculated, why yours can be high even when you have done nothing wrong, and the one thing no IP score can tell you: who is actually behind the connection.

Key takeaways

  • An IP fraud score rates how risky an IP address looks based on its history and characteristics, usually on a 0 to 100 scale or a Good to Poor rating.
  • The main services score the same address differently: Cisco Talos rates reputation for threats and spam, while Scamalytics and IPQualityScore focus on a fraud-risk number.
  • A high score is often not about you. Shared carrier IPs, VPNs, proxies, datacenter ranges, and past abuse on a recycled address all raise the number for innocent visitors.
  • An IP score describes an address, not the person or device using it, so it works best as one input weighed with the device and the rest of the session, never as a standalone decision.

What is an IP fraud score?

An IP fraud score is a rating that estimates how likely traffic from a given IP address is to be fraudulent or abusive, based on the address's history and characteristics. Most services express it as a number from 0 to 100, where a higher number means higher risk, though the scale and direction vary by provider. It is the commercial cousin of IP reputation: reputation describes the address, and the fraud score packages that reputation into a single risk figure a system can act on.

The inputs are broadly the same wherever you look. A score is built from blocklist and abuse-report history, whether the address is a known VPN, proxy, or Tor exit, how the address is classified (home ISP versus datacenter or hosting), and the volume and pattern of past flagged activity tied to it. What differs between tools is the emphasis and the label, which is why the same address can score clean on one service and risky on another.

There is no universal "good" score, because the right threshold depends on what you are doing. A payment flow and a content site read the same number for very different reasons. Treat the score as a starting point that tells you where to look, not a pass or fail.

What a Cisco Talos IP reputation score means

Cisco Talos publishes an IP and domain reputation aimed mainly at email and threat filtering rather than payment fraud. Instead of a 0 to 100 fraud number, Talos assigns a reputation disposition, typically Good, Neutral, or Poor, alongside a separate email or spam reputation for the same address. A Poor rating means the address has a history tied to spam, malware, or attack traffic that Cisco's telemetry has observed.

Because Talos is built for security and email deliverability, a Poor score there is about whether an address is a source of threats, not specifically whether a shopper is likely to file a chargeback. It is a strong signal for blocking obvious abuse at the network edge, and a weaker one for judging an individual customer at checkout.

What a Scamalytics fraud score means

Scamalytics gives an IP a fraud score from 0 to 100, where a lower number is lower risk and a higher number is higher risk, and it groups the result into risk bands from low to very high. The service leans heavily on whether an address is a proxy, VPN, or part of a hosting or anonymizing network, since those are strongly associated with fraud attempts.

The important nuance, which the service itself is clear about, is that the score reflects the address, not the individual. A high Scamalytics score on your own IP usually means your connection shares characteristics with addresses that have been abused, for example a VPN exit or a shared carrier range, not that you personally have done anything.

What an IPQualityScore (IPQS) score means

IPQualityScore, often shortened to IPQS, returns a fraud score from 0 to 100 for an IP address along with flags for proxy, VPN, Tor, bot activity, and recent abusive behavior. Like Scamalytics, higher means riskier, and the number blends the address's classification with its recent history into a single figure.

IPQS is oriented toward real-time fraud decisions, so its score is designed to be read at the moment of a signup or a payment. The same caution applies: the flags describe the connection, so a VPN or a recycled residential address can push the number up for an ordinary visitor, which is exactly why a score is meant to inform a decision rather than make it.

Why your IP fraud score is high, even if you did nothing

This is the question most people arrive with, and the answer is almost always about the address rather than the person. An IP fraud score can be high for reasons entirely outside your control:

  • You are on a VPN or proxy. Anonymizing connections are the single biggest driver of a high score, because fraud runs through them so often. Turn on a VPN and your score jumps, regardless of why you are using it.
  • You share a carrier IP. Carrier-grade NAT, standardized in RFC 6598, routes many mobile and home subscribers through a few public addresses. If anyone behind that shared IP misbehaved, the whole address inherits the reputation.
  • Your address was recycled. ISPs reassign addresses over time. A flag an address earned from a previous holder can still cling to it when it lands with you.
  • You are on a datacenter or hosting range. Traffic from cloud and hosting IPs looks automated by default, so those ranges carry higher baseline risk than a home connection.
  • The address sits behind a residential proxy pool. Residential proxy networks route strangers' traffic through real home IPs, so a clean home address can pick up risk from the pool it was pulled into.

None of these mean the person is a fraudster. They mean the address is ambiguous, which is the core limitation of scoring an IP at all.

What an IP fraud score cannot tell you

An IP fraud score answers a question about an address. Fraud is committed by a person or a script, and the link between the two is weaker than the number suggests. The same properties that make a score easy to game also make it easy to misread: it lags behind fresh abuse, it is blind to how many accounts are signing up or logging in from that address right now, it is shared across everyone behind one address, and it resets the moment someone rotates to a new IP.

That gap runs both ways. A fraudster on a fresh residential proxy gets a clean score, while a real customer on a work VPN gets a suspicious one. Deciding on the IP alone means waving through the first and blocking the second. To tell them apart you have to read something the address cannot give you: whether the same device is behind the session, and whether the rest of the connection agrees with where it claims to be.
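The gap described above, as an added Python example that is not from the original article or any scoring vendor's API: it compares a decision made on the IP score alone with one that reads the device and velocity first. The field names, thresholds, and both sample sessions are constructed assumptions.

```python
from dataclasses import dataclass

# IP score (0-100, higher = riskier) at which each flow looks closer.
# Constructed values; the article gives no universal cutoff.
REVIEW_AT = {"payment": 50, "signup": 70, "content": 101}  # 101 = never

@dataclass
class Session:  # hypothetical field names, not any vendor's schema
    ip_score: int
    anonymizer: bool          # VPN / proxy / Tor flag on the address
    device_known_good: bool   # device seen before on a good account
    device_accounts_24h: int  # accounts this device touched in 24h
    ip_signups_1h: int        # signups from this address in the last hour

def ip_only(s, flow):
    """The baseline the article warns against: the score is the verdict."""
    return "block" if s.ip_score >= REVIEW_AT[flow] else "allow"

def combined(s, flow):
    """The IP score is one input; device and velocity are read first."""
    reasons = []
    if s.device_accounts_24h >= 3:
        reasons.append("device_multi_account")
    if s.ip_signups_1h >= 10:
        reasons.append("ip_velocity")
    if reasons:  # live behaviour outranks a clean but lagging IP score
        return "review", reasons
    if s.ip_score >= REVIEW_AT[flow]:
        if s.device_known_good:
            return "allow", ["known_device_on_risky_ip"]
        tag = "anonymizer" if s.anonymizer else "risky_ip"
        return "review", [tag + "_unknown_device"]
    return "allow", []

# Constructed sessions matching the two cases in the text.
FRESH_PROXY = Session(5, False, False, 6, 1)    # clean IP, busy device
WORK_VPN = Session(85, True, True, 1, 0)        # flagged IP, known device

if __name__ == "__main__":
    for name, s in (("fresh proxy", FRESH_PROXY), ("work VPN", WORK_VPN)):
        print(name, ip_only(s, "payment"), combined(s, "payment"))
```

On the payment flow, the IP-only rule allows the fresh-proxy session and blocks the work-VPN customer, while the combined rule sends the first to review and allows the second.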

Reading the device behind an IP score with ShieldLabs

ShieldLabs reads the layer an IP fraud score cannot: the device and the anonymity signals behind the connection. You add one JavaScript snippet, and each visit returns a persistent device identifier and a risk score from 0 to 100 with the named signals behind it. Those include the anonymity signals (a VPN, proxy, Tor, or anti-detect browser) that a raw IP score can only guess at from the address.

That turns "this IP looks risky" into "this is a returning device on a masked connection" or "this is a familiar customer who happens to be on a VPN." When the address shows up on abuse lists, ShieldLabs surfaces that as a named abuser signal and folds it into the risk score alongside the datacenter, proxy, and anonymity flags on the same session. That IP read is one of several network signals, cross-checked against the device and the connection rather than trusted on its own. You read the score and the named signals through the API and webhooks and decide, by your own rules, what a given address is worth in context. ShieldLabs is the device and anonymity layer that sits alongside an IP score and hands its read to your payment or risk stack, and the free tier covers your first 5,000 identifications.

Frequently asked questions

Why is my IP fraud score so high?
Almost always because of the address, not you. The most common reasons are a VPN or proxy, a shared carrier IP where someone else behind the same address misbehaved, a recycled address that kept a previous holder's flags, or a datacenter or residential-proxy range. Each of these raises the score for ordinary visitors, which is why a high number on your own IP usually reflects the connection's characteristics rather than anything you have done.
What is a good IP fraud score?
On a 0 to 100 scale a lower number is lower risk, but there is no universal cutoff, because the right threshold depends on what you are protecting. A payment flow may treat a mid-range score as worth a second check, while a content site ignores the same number. A good score is not a green light either, since a freshly rotated or residential-proxy address can score low and still belong to an attacker. Read it as one input among several.
How do I check my IP reputation?
You look the address up against reputation and fraud-scoring services, several of which offer a free lookup that returns whether the IP appears on abuse lists, how it is classified, and whether it is a proxy, VPN, or Tor node. A lookup is a useful spot check, but it only reflects recorded history for the address, so a clean result does not prove the current request is safe, and a poor one does not prove the visitor is a fraudster.
Is Scamalytics legit?
Yes, Scamalytics is a real IP fraud-scoring service, and it, along with services such as IPQualityScore and Cisco Talos, is widely used for a first-pass read on an address. The thing to keep in mind is what the score is: a signal about the IP, not a verdict about the person. A high score is a reason to look closer, not a reason to block a visitor outright, and these services generally say as much themselves.
Does ShieldLabs replace an IP fraud score?
No. ShieldLabs is the device and anonymity layer that reads what an IP score cannot, whether the same device is behind the session and which anonymity signals are present. When the address is on abuse lists it surfaces that as a named abuser flag and weighs it, with the datacenter, proxy, and anonymity signals, alongside the device and the rest of the session. You get a persistent device identifier and a risk score with the named signals through the API, and your rules decide, so the verdict stays in your application. The free tier covers your first 5,000 identifications.
