In a nutshell, link analysis is a technique used to assess and evaluate connections between data. This is much easier and faster when the data is shown in a graph network, so sometimes link analysis is called network visualization.
A graph network is a way of visualising connections between various types of information.
These networks are stored in graph databases.
Nodes: circles which represent facts or data such as people, businesses, accounts, addresses. The nodes have attributes or properties which store information about the node in key/value pairs.
Edges: lines between nodes which represent the relationships. They can also have properties such as start date, length of time, distances or costs.
In a graph database, the relationships between the data are just as important as the data itself.
Traditional databases allow you to see blocks of facts - but if you want to find out how they’re connected, you need to work harder to do some analysis. If you’re dealing with a large amount of data this can take significant time and effort. Let’s look at an example using an online bookshop...
In a graph database, all the information about a customer’s account, email, shipping address, order details and payment information is connected and visible at the same time.
You can see every order each customer has ever made on the site, how they’ve paid and where they’ve had them shipped. There are no limits on adding nodes and edges - such as the device used for the transaction, additional payment methods, shipping addresses and more.
Our brains love visualisation - over 50% of the brain is involved in visual processing, so a graph network is inherently easy to understand.
Reveal hidden connections between fraudulent customers to build a profile of what a fraudster looks like and use this information to feed into machine learning for fraud prevention.
Spend less time on manual scanning and analysis to discover and identify trends, and get an always up-to-date picture of your customer behaviour and fraudulent activity.
In any crime drama, there’s always a scene where the detective has a wall full of pictures with string all over it - connecting locations with suspects and dates. The detective often stares at the wall and pieces together what happened using all the evidence.
Link analysis is the detective work behind fraud, and a graph network is like the detective’s wall. It shows you all the evidence across all your customers in a simple format, so you can join the dots between fraudster networks and prevent future fraud.
Yes! Fraudsters are part of a complex underground community, and they are constantly talking and trading with each other. There are countless ‘how to’ tutorials for hacking and fraud on the dark web. Perhaps unsurprisingly, though, it was recently revealed that many payment fraud guides are actually defrauding would-be fraudsters with incomplete information and out-of-date techniques.
Card details can easily be faked or blocked, so fraudsters buy card details in the thousands. This means you might see multiple credit cards being added to an account to make new orders. Or you could notice the same device being used to open lots of new accounts quickly, with slight variants of the same email address.
Fraudsters often alert each other to share lucrative opportunities and cooperate with each other. We often see fraudsters post on forums inviting people to make requests for an order, with a prepared secure pick-up location address.
Imagine your online bookshop is being targeted by a group of fraudsters. You might see a sudden influx of new accounts making orders for a highly desirable new book. Looking closer, you see that they are all being shipped to a known hot-spot for dropping off illegal goods for distribution.
This exact scenario happened to one of our clients - our intelligence team noticed strange activity on multiple accounts shipping lots of the same item to the same place. With a little extra digging we found a forum where other fraudsters were advertising the stolen goods at heavily reduced prices in a nearby area.
There are some cases of small networks of genuine users - a family sharing a device or a team using a corporate credit card. But these networks remain static and rarely grow any bigger, or if they do it happens slowly. A fast growing network is almost always due to fraud.
It’s very rare for genuine customers to share a device, card or email address. We’ve seen fraud networks with over 800 accounts sharing a single payment method, and networks showing account takeover where over 10,000 customers appear to be sharing one single device.
We allow our clients to disregard any genuine chargebacks when they upload their data to Ravelin Connect, so we use a chargeback node as an indicator of fraud. This means if there are any chargebacks in a network, all the network’s users are fraudsters.
Fraud rings are groups of criminals working together – like the example above, where multiple accounts were purchasing the same item and sending it to a drop off location.
Fraud rings are often individuals who are part of the same gang or crime syndicate. The gang might buy a set of payment cards and start using these across different devices. In 2017-2018, there was a marked increase in fraud rings using more sophisticated methods including bots to automate attacks.
Synthetic IDs are the fastest growing type of financial crime in the US. These are fictitious identities created from the combination of different real identities - fraudsters mix and match addresses, social security numbers and names to make up fake identities and then pump up the credit score of the false ID in order to extend its credit.
Fraud rings create thousands of synthetic IDs from a limited set - one of the largest cases included 7000 fake IDs used to steal over $200 million. In the US, fraudsters are increasingly using social security numbers which belong to children as they have no credit history.
Account takeover happens when a fraudster gains control of an account that belongs to a genuine customer. Fraudsters use the customer’s good track record to make unauthorised transactions. This can be done with the good customer’s saved card details or with stolen card details purchased online. Learn more about this in our complete guide here.
Using Ravelin Connect, each customer is visible in full – including all the devices, addresses, payment methods and contact details associated with them.
We monitor each customer’s every connection and how close they are to a known fraudster or chargeback - in other words, how many edges, or degrees of separation, there are between them and fraud. In Connect, we call these degrees of separation the "hops" to fraud.
We use two methods which complement each other - deterministic and probabilistic.
You can choose your company's risk appetite based on the number of hops to fraud you’re comfortable accepting customer payments from. For example, you can choose to block payments from customers who have five or fewer hops to fraud. More risk-averse businesses may choose to block customers with a higher number of hops to fraud.
On its own, this method is very effective as it shows whether a fraudster has been caught reusing the same details, or is part of a larger network of compromised credit cards.
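The hops-to-fraud check described above can be sketched as a multi-source breadth-first search over a small graph. This is an added example, not Ravelin's code: the record layout, the node naming and the choice to count every edge (customer to attribute to customer, plus the edge to the chargeback node) as one hop are assumptions, and the sample data is constructed.

```python
from collections import defaultdict, deque

# Constructed sample records (not real data): customer -> attributes it uses.
CUSTOMERS = {
    "cust_A": {"device": "dev_1", "card": "card_1", "email": "a@example.com"},
    "cust_B": {"device": "dev_1", "card": "card_2", "email": "b@example.com"},
    "cust_C": {"device": "dev_2", "card": "card_2", "email": "c@example.com"},
    "cust_D": {"device": "dev_3", "card": "card_3", "email": "d@example.com"},
}
CHARGEBACKS = {"cust_A"}  # customers that have a chargeback node attached


def build_graph(customers, chargebacks):
    """Undirected graph: each customer links to the attribute nodes it uses,
    so two customers sharing an attribute become connected through it."""
    graph = defaultdict(set)
    for cust, attrs in customers.items():
        graph[cust]  # make sure customers with no attributes still exist
        for kind, value in attrs.items():
            node = f"{kind}:{value}"
            graph[cust].add(node)
            graph[node].add(cust)
    for cust in chargebacks:
        cb = f"chargeback:{cust}"
        graph[cust].add(cb)
        graph[cb].add(cust)
    return dict(graph)


def hops_to_fraud(graph, customers):
    """Edge count from each customer to the nearest chargeback node,
    or None when the customer's network contains no chargeback."""
    dist = {n: 0 for n in graph if n.startswith("chargeback:")}
    queue = deque(dist)
    while queue:  # BFS started from every chargeback node at once
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return {c: dist.get(c) for c in customers}


def decide(hops, max_hops):
    """Deterministic rule: block anyone within max_hops edges of a chargeback."""
    return {c: "block" if h is not None and h <= max_hops else "allow"
            for c, h in hops.items()}


if __name__ == "__main__":
    hops = hops_to_fraud(build_graph(CUSTOMERS, CHARGEBACKS), CUSTOMERS)
    print(hops, decide(hops, max_hops=5))
```

Raising `max_hops` is the more risk-averse setting: with 3, `cust_C` (two shared attributes away from the chargeback) is allowed; with 5, it is blocked.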
This is where the features of a network are fed into a machine learning model to predict how likely it is that the network is fraudulent. The model can assess the network before fraud happens, based on how similar it is to past fraudulent networks. Past networks are based on the individual business, which makes this a powerful customized tool.
Promotional and trial abuse
Genuine customers may set up multiple accounts to take advantage of one-time offers more than once. Using link analysis, you can identify these users through shared details and block them from setting up multiple new accounts to take advantage of the initial trial period. For example, food delivery offers going to the same address can be blocked from first-delivery offers.
Insurance fraud can come in the form of false quotes, false claims and "crash for cash" in the case of car insurance - globally, insurance fraud accounts for 3.58% of all claims. Using link analysis, you can detect suspicious claims which involve contacts, addresses or even vehicles which have appeared in previous quotes and/or claims. You can also identify and block users with the same or very similar attributes filing insurance claims.
In the UK, gamblers can opt in to self exclusion to prevent themselves from excessive gambling. Link analysis can identify and block customers who are trying to reuse a website after opting into self exclusion. This is quite a rare use-case - but it shows that link analysis can be customised to be extremely useful in situations outside of payment fraud.
Ravelin’s graph database is called Connect. It allows you to create a graph of your customers using high-cardinality data points, such as emails, phone numbers, device IDs or payment methods. These are totally unique data points which are unlikely to change. When two customers share an attribute, they will be connected in the network.
Depending on the use case, Connect can display the below data points in the network:
The graph can be enhanced to show additional information about customers including chargebacks or manual reviews. Connect also allows you to add a tag to customers (for example VIPs), and then search for customers with specific tags.
It’s also very easy to add new unique, sharable data points, dependent on your business case - just ask us.
This is a snapshot of a genuine customer network and the numerical data behind it. The network is five years old.
The network is relatively small - there is a connection between two users through a shared card, but there are no other users. It’s also important to note that both users have several devices they use independently, rather than having few shared devices.
Using Connect to detect fraud and negative activity
Connect can be used to detect a range of fraudulent and negative user activity - here are some examples.
With typical online payment fraud, or card-not-present (CNP) fraud, fraudsters create new accounts to appear as new customers and use stolen credit card details to make purchases.
Card details can easily be blocked, so fraudsters often buy hundreds or even thousands of card details.
We commonly see:
Often fraudsters will have used the same device or email in another account previously, and so when they open a new account it will be linked to their past activity.
A steady stream of data breaches and the widespread tendency for customers to reuse passwords have led to an increase in account takeover (ATO) activity.
You can use Connect to identify ATO networks through searching for:
Connect allows you to see when an account joined a network, so you can investigate genuine accounts and recover them for the customer quickly.
Merchants often offer vouchers, referral schemes or promotions to attract new customers, especially during expansion. Fraudsters, or even genuine customers, may abuse the voucher system by attempting to use the same voucher multiple times with new accounts.
Even though this activity is not strictly fraud, it’s important that merchants can stay in control, otherwise the cost of running promotional schemes may end up being wasted on people who are already users, instead of attracting new customers.
Similar to voucher abuse, refund abuse is not technically a form of fraud, however there are still some serial offenders. Fraudsters or genuine customers can request refunds on most of their orders - sometimes up to 80%. In many cases, this means the merchant is losing money through the customer.
Insurance firms can be vulnerable to claims abuse - for example car insurers. Customers either fake crashes or perform ‘crash for cash’ schemes and submit excessive claims. This activity is often repeated with the same actors, vehicles and locations involved.