Are fraudsters really so closely connected?
Yes! Fraudsters are part of a complex underground community, and they are constantly talking and trading with each other. There are countless ‘how to’ tutorials for hacking and fraud on the dark web. Although, as is perhaps to be expected, it was recently revealed that many payment fraud guides are actually defrauding would-be fraudsters with incomplete information and out-of-date techniques.
Card details can easily be faked or blocked, so fraudsters buy card details in the thousands. This means you might see multiple credit cards being added to an account to make new orders. Or you could notice the same device being used to open lots of new accounts quickly, with slight variants of the same email address.
Fraudsters often alert each other to lucrative opportunities and cooperate with each other. We often see fraudsters post on forums inviting people to make requests for an order, with a prepared secure pick-up location address.
Imagine your online bookshop is being targeted by a group of fraudsters. You might see a sudden influx of new accounts making orders for a highly desirable new book. Looking closer, you see that they are all being shipped to a known hot-spot for dropping off illegal goods for distribution.
This exact scenario happened to one of our clients - our intelligence team noticed strange activity on multiple accounts shipping lots of the same item to the same place. With a little extra digging we found a forum where other fraudsters were advertising the stolen goods at heavily reduced prices in a nearby area.
How to spot a fraudy network
Networks growing bigger quickly
There are some cases of small networks of genuine users - a family sharing a device or a team using a corporate credit card. But these networks remain static and rarely grow any bigger, or if they do, it happens slowly. A fast-growing network is almost always due to fraud.
Lots of widely shared cards, devices or email addresses
It’s very rare for genuine customers to share a device, card or email address. We’ve seen fraud networks with over 800 accounts sharing a single payment method, and networks showing account takeover where over 10,000 customers appear to be sharing one single device.
Lots of chargebacks in the network
We allow our clients to disregard any genuine chargebacks when they upload their data to Ravelin Connect, so we use a chargeback node as an indicator of fraud. This means if there are any chargebacks in a network, all the network’s users are fraudsters.
How to stop fraudster networks using a graph database
Using Ravelin Connect, each customer is visible in full - including all the devices, addresses, payment methods and contact details associated with them.
We monitor each customer’s every connection and how close they are to a known fraudster or chargeback - in other words, how many edges, or degrees of separation, there are between them and fraud. In Connect, we call these degrees of separation the ‘hops’ to fraud.
We use two methods which complement each other - deterministic and probabilistic.
Deterministic
You can choose your business’s risk level based on the number of hops to fraud you’re comfortable accepting customer payments from. For example, you can choose to block payments from customers who have five or fewer hops to fraud. More risk-averse businesses may choose to block customers with a higher number of hops to fraud.
On its own, this method is very effective as it shows whether a fraudster has been caught reusing the same details, or is part of a larger network of compromised credit cards.
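The hops-to-fraud check described above can be sketched as a multi-source breadth-first search over a graph of customers and their shared attributes. This is an added example, not Ravelin Connect's code: the node names, the sample edges and the assumption that every edge (customer to card, card to customer, and so on) counts as one hop are all constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample data (not real, not Connect's schema): each edge links a
# customer to an attribute node such as a card, device, email or chargeback.
EDGES = [
    ("cust:alice", "chargeback:cb1"),
    ("cust:alice", "card:1111"),
    ("cust:bob", "card:1111"),
    ("cust:bob", "device:A"),
    ("cust:carol", "device:A"),
    ("cust:carol", "email:c@example.com"),
    ("cust:dave", "card:2222"),  # separate network, no path to fraud
]
FRAUD_NODES = {"chargeback:cb1"}


def build_graph(edges):
    """Undirected adjacency sets: shared attributes connect customers."""
    graph = defaultdict(set)
    for a, b in edges:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def hops_to_fraud(graph, fraud_nodes):
    """Multi-source BFS: fewest edges from every reachable node to any
    fraud node. Assumption: one edge equals one hop."""
    dist = {n: 0 for n in fraud_nodes if n in graph}
    queue = deque(dist)
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def decide(customer, dist, max_blocked_hops):
    """Block customers at or within max_blocked_hops of fraud. A customer
    with no path to fraud has hops None and is allowed."""
    hops = dist.get(customer)
    blocked = hops is not None and hops <= max_blocked_hops
    return ("block" if blocked else "allow", hops)


if __name__ == "__main__":
    dist = hops_to_fraud(build_graph(EDGES), FRAUD_NODES)
    for cust in ("cust:alice", "cust:bob", "cust:carol", "cust:dave"):
        print(cust, decide(cust, dist, max_blocked_hops=5))
```

Raising `max_blocked_hops` widens the blocked set, which is the more risk-averse setting; the disconnected customer stays allowed at any threshold.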
Probabilistic
This is where the features of a network are fed into a machine learning model to predict how likely it is that the network is fraudulent. The model can assess the network before fraud happens, based on how similar it is to past fraudulent networks. Past networks are based on the individual business, which makes this a powerful customised tool.
Why our graph database is engineered for speed
We’ve designed our graph database to be super fast by using only six data points as a baseline.
Having a limited number of data points means the database reacts super quickly and updates in real-time as payments happen and connections are made.
Even though we start with a lower number of data points, you can still add in more which are specific to your business - for example, an insurance company may add driving licenses to validate policies and check for claims fraud.