Link analysis for
fraud detection

In a nutshell, link analysis is a technique used to assess and evaluate connections between data. This is much easier and faster when the data is shown in a graph network, so sometimes link analysis is called network visualization.

Link analysis is easier and faster with graph networks

A graph network is a way of visualising connections between various types of information.

These networks are stored in graph databases.

Graph networks contain:

How is a graph database different to a traditional database?

Traditional databases allow you to see blocks of facts - but if you want to find out how they’re connected, you need to work harder to do some analysis. If you’re dealing with a large amount of data this can take significant time and effort. Let’s look at example using an online bookshop...

Traditional database

Graph database

In a graph database, all the information about a customer’s account, email, shipping address, order details and payment information is connected and visible at the same time.

You can see every order each customer has ever made on the site, how they’ve paid and where they’ve had them shipped. There are no limits on adding nodes and edges - such as the device used for the transaction, additional payment methods, shipping addresses and more.

In any crime drama, there’s always a scene where the detective has a wall full of pictures with string all over it - connecting locations with suspects and dates. The detective often stares at the wall and pieces together what happened using all the evidence.

Link analysis is the detective work behind fraud, and a graph network is like the detective’s wall. It shows you all the evidence across all your customers in a simple format, so you can join the dots between fraudster networks and prevent future fraud.

Yes! Fraudsters are part of a complex underground community, they are constantly talking and trading with each other. There are countless ‘how to’ tutorials for hacking and fraud on the dark web. Although perhaps as is to be expected, it was recently revealed that many payment fraud guides are actually defrauding would-be fraudsters  with incomplete information and out-of-date techniques.

Card details can easily be faked or blocked, so fraudsters buy card details in the thousands. This means you might see multiple credit cards being added to an account to make new orders. Or you could notice the same device being used to open lots of new accounts quickly, with slight variants of the same email address.

Fraudsters often alert each other to share lucrative opportunities and cooperate with each other. We often seen fraudsters post on forums inviting people to make requests for an /order, with a prepared secure pick-up location address.

Imagine your online bookshop is being targeted by a group of fraudsters, you might see a sudden influx of new accounts making orders for a highly desirable new book. Looking closer, you see that they are all being shipped to a known hot-spot for dropping off illegal goods for distribution.

This exact scenario happened to one of our clients - our intelligence team noticed strange activity on multiple accounts shipping lots of the same item to the same place. With a little extra digging we found a forum where other fraudsters were advertising the stolen goods at heavily reduced prices in a nearby area.

Networks growing bigger quickly

There are some cases of small networks of genuine users - a family sharing a device or a team using a corporate credit card. But these networks remain static and rarely grow any bigger, or if they do it happens slowly. A fast growing network is almost always due to fraud.

Lots of widely shared cards, devices or email addresses

It’s very rare for genuine customers to share a device, card or email address. We’ve seen fraud networks with over 800 accounts sharing a single payment method, and networks showing account takeover where over 10,000 customers appear to be sharing one single device.

Lots of chargebacks in the network

We allow our clients to disregard any genuine chargebacks when they upload their data to Ravelin Connect, so we use a chargeback node as an indicator of fraud. This means if there are any chargebacks in a network, all the network’s users are fraudsters.

Fraud rings

Fraud rings are groups of criminals working together - like the example above where multiple accounts were purchasing the same item and sending it to a drop off location.

Fraud rings are often individuals who are part of the same gang or crime syndicate. The gang might buy a set of payment cards and start using these across different devices. In 2017-2018, there was a marked increase in fraud rings using more sophisticated methods including bots to automate attacks.

Synthetic Identities

Synthetic IDs are the fastest growing type of financial crime in the US. These are fictitious identities created from the combination of different real identities - fraudsters mix and match addresses, social security numbers and names to make up fake identities and then pump up the credit score of the false ID in order to extend its credit.

Fraud rings create thousands of synthetic IDs from a limited set - one of the largest cases included 7000 fake IDs used to steal over $200 million. In the US, fraudsters are increasingly using social security numbers which belong to children as they have no credit history.

Account Takeover

Account takeover happens when a fraudster gains control of an account that belongs to a genuine customer. Fraudsters use the customer’s good track record to make unauthorised transactions. This can be done with the good customer’s saved card details or with stolen card details purchased online. Learn more about this in our complete guide here.

Using Ravelin Connect, each customer is visible in full - including all the devices, addresses, payment methods and contact details associated with them.

We monitor customer’s every connection and how close they are to a known fraudster or chargeback - in other words how many edges, or degrees of separation there are between them and fraud. In Connect, we call these degrees of separation the ‘hops’ to fraud.

We use two methods which complement each other - deterministic and probabilistic.

Deterministic

You can choose your business’ risk level based on the number of hops to fraud you’re comfortable accepting customer payments from. For example, you can choose to block payments from customers who have five or less hops to fraud. More risk-averse businesses may choose to block customers with a higher number of hops to fraud.

On its own, this method is very effective as it shows whether a fraudster has been caught reusing the same details, or is part of a larger network of compromised credit cards.

Probabilistic

This is where the features of a network are fed into a machine learning model to predict how likely it is that the network is fraudulent. The model can assess the network before fraud happens, based on how similar it is to past fraudulent networks. Past networks are based on the individual business, which makes this a powerful customised tool.

Promotional and trial abuse

Genuine customers may set up multiple accounts to take advantage of one-time offers more than once. Using link analysis, you can identify these users through shared details and block them from setting up multiple new accounts to take advantage of the initial trial period. For example, food delivery offers going to the same address can be blocked from first-delivery offers.

Insurance fraud

Insurance fraud can come in the form of false quotes, false claims and ‘crash for cash’ in the case of car insurance - globally insurance fraud accounts for 3.58% of all claims. Using link analysis, you can detect suspicious claims which involve contacts, addresses or even vehicles which have appeared in previous quotes and/or claims. You can also identify and block users with the same or very similar attributes filing insurance claims.

Self exclusion situations 

In the UK, gamblers can opt-in to self exclusion to prevent themselves from excessive gambling. Link analysis can identify and block customers who are trying to reuse a website after opting into self exclusion. This is quite a rare use-case - but it shows that link analysis can be customised to be extremely useful in situations outside of payment fraud.

We’ve designed our graph database to be super fast by using only six data points as a baseline.

Having a limited number of datapoints means the database reacts super quickly and updates in real-time as payments happen and connections are made.

Even though we start with a lower number of data points, you can still add in more which are specific to your business - for example, an insurance company may add driving licenses to validate policies and check for claims fraud. Learn more about Connect and how it can work for your business here.