Fraud Detection
Prerequisites
Before building detection, understand:
- Fraud types you're protecting against
- Risk appetite and tolerance thresholds
- Fraud metrics to measure success
TL;DR
- Signals = Data points indicating risk (device, velocity, behavior, identity)
- Rules = Fast, explainable, good for known patterns
- ML models = Find new patterns, but need training data
- Stack by stage: Starter (rules + AVS) → Intermediate (+ device ID + ML) → Advanced (+ behavioral)
- Detection is layered - no single tool catches everything
How to identify fraud across the customer lifecycle.
How Detection Works
| Component | Purpose | Example |
|---|---|---|
| Signals | Raw data points | Device ID, IP, velocity, AVS result |
| Rules | Known-pattern matching | "Block if >5 cards in 1 hour" |
| ML Models | Pattern discovery | Anomaly score from transaction features |
| Review | Human judgment | Edge cases, high-value orders |
Core Topics
Evidence Framework
The Tier 1/Tier 2 indicator system for classifying fraud signals:
- Tier 1: High confidence, standalone indicators
- Tier 2: Supporting evidence, combine for confidence
Rules vs. ML
Choosing the right approach:
- When rules work best
- When ML excels
- Hybrid approaches
Detection Methods
| Method | Coverage | Use Case |
|---|---|---|
| Velocity Rules | Transaction patterns | Real-time decisioning |
| Data Enrichment | IP, email, phone signals | Enriching transaction data |
| Building Fraud Rules | Rule sets, allow/block lists | Day-one setup and lifecycle |
| Fraud Model Feedback | ML feedback loops | Model accuracy and monitoring |
| Device Fingerprinting | Device/browser attributes | Account-level linking |
| Behavioral Analytics | User behavior patterns | ATO, bot detection |
| Identity Verification | Identity confirmation | Application, step-up |
| Manual Review | Complex/edge cases | High-value decisions |
Building Your Detection Stack
Starter Stack
- Basic velocity rules
- AVS/CVV verification
- Simple device ID
- Manual review queue
Intermediate Stack
- Advanced velocity rules
- Device fingerprinting service
- Data enrichment (IP, email, phone intelligence)
- ML scoring (vendor or custom)
- Fraud rule lifecycle management (shadow mode, allow/block lists)
- Case management system
A full-stack fraud platform (Sift, Sardine, Kount, etc.) bundles items 2-4 of the list above (device fingerprinting, data enrichment, and ML scoring) into one integration. You can build the same stack from individual vendors, but the platform route is less integration work. See Fraud Vendors for when each approach makes sense.
Advanced Stack
- Real-time ML models
- Behavioral biometrics
- Network analysis
- Custom feature engineering
- Automated decision engine
- ML feedback loops and model monitoring
- Operational cadence (daily/weekly/monthly reviews)
When to Escalate
See the Evidence Framework for Tier 1/Tier 2 indicators and escalation guidance.
Popular in This Section
- Evidence Framework - Tier 1/Tier 2 indicator system
- Velocity Rules - Real-time transaction limits
- Device Fingerprinting - Identifying devices across sessions
- Manual Review - When humans beat algorithms
Related Topics
- Fraud Types - Know what you're detecting
- Prevention Strategies - Stop fraud before it happens
- Fraud Metrics - Measure detection effectiveness
- Risk Appetite - Tolerance thresholds
- Fraud Economics - Cost of fraud decisions
- Processor Rules Configuration - Native fraud tools
- Fraud Vendor Landscape - Third-party tools
- Running Fraud Operations - Operational cadence playbook
- Chargeback Alerts - Deflection before dispute
- Compelling Evidence - Evidence for representment
- Network Programs - Monitoring thresholds
- Benchmarks - Industry comparisons
- 3D Secure - Authentication layer