August 14, 2018 - David Ting

Detecting New and Evolving Fraud Patterns in Digital Commerce

While organizations actively invest in designing better digital experiences to attract and retain customers, the simplicity and ease of use of online channels have opened up new ways for fraudsters to commit fraud. And it’s no surprise that fraudsters are getting more creative and have access to advanced technologies to execute sophisticated fraud attacks. As attacks grow in scale and velocity, businesses are forced to evolve their fraud detection methods from manual detection involving blacklists and rule engines to machine learning algorithms that can detect known and emerging types of fraud. Adoption of unsupervised machine learning that can provide early detection of unknown fraud has been growing steadily. According to Gartner, 50% of companies will use unsupervised machine learning by 2021. So why is unsupervised machine learning becoming a sought-after technology for fraud detection? This article highlights why existing fraud detection methods have limitations and more importantly a few reasons why unsupervised machine learning is gaining traction.

1. Blacklists

The simplest fraud detection method is blacklisting, which essentially acts as a filter. Although blacklists are easy to implement, they are also the most error-prone and are slow to react to new fraud attacks. An example of a blacklist for banks is using FICO scores to determine the risk levels of credit card applicants.

The advantages and disadvantages of blacklists are obvious. The advantage is that they are simple, convenient, and can be applied to many scenarios. The downside is that they cannot cope with emerging fraud patterns.

2. Rules Engines

The upgraded version of a blacklist is a rules engine. Rules engines are often used together with blacklists, and fraudsters caught by a rules engine are blacklisted. It’s easier to understand how a rules engine works by walking through an example:

An insurance company uses a set of rules to decide who can buy purchase protection insurance. Through experience, the insurance company determines that users with a return ratio of more than 80% or users who returned goods more than five times in a row are likely to return goods again. As a result, the insurance company sets thresholds with the following rules:

  • Users who have returned goods 5 times in a row cannot buy purchase protection;
  • If a user’s return ratio exceeds 80%, they cannot buy purchase protection;

As long as one of these two rules is met, the purchase of insurance will be rejected by the insurance company. Compared with blacklists, this method can detect more fraudsters and increase coverage. However, the rules engine still cannot actively detect new fraud patterns. Many fraudsters discover the rules’ thresholds by constantly testing the rules. They will change the return rate to 79% or below and continue to cheat.

The biggest problem with rules engines is that they rely on human intervention. Maintaining rules is a very labor-intensive process, and even those with experience can make mistakes. For example, judging from previous experience, users are considered fraudulent if their return ratio exceeds 80%. However, a new user will have a 100% return rate if they purchase clothes for the first time and return them because they do not fit. Because of this uncertainty, rules engines require a commitment of resources and time to maintain, especially when initial rules decay and result in a large number of false positives.

3. Supervised Machine Learning

Supervised machine learning is currently a widely understood fraud detection method. Supervised learning models take a large amount of labeled fraud data for training and provide a score based on historical patterns. Take spam email as an example. A fraud team that uses supervised learning will start by manually reviewing and categorizing 5,000 emails as spam or not. The model analyzes the 5,000 training emails and, after training, will be able to identify spam mail when new uncategorized mail is provided. For example:

  • If the word “benefit” is in the title, there is a 90% chance that the email is spam;
  • If the phrase “account number: xxxxxx” is in the content, there is a 10% chance that the email is spam;
  • If more than 200 emails are sent from one source at a time, there is a 60% chance that they are spam;
  • For accounts with a response rate of less than 10%, there is a 70% chance of spam.

Here, the percentage is called a weight.

When the model processes a new email, it detects each of the above attributes and adds the weights of each attribute. A score is then obtained. If an email meets all of the requirements above, there is an 80% chance that it is spam. One of the most important steps of supervised learning is to calculate, through continuous iteration, the weight value that each fraud signal should be assigned. When the weight values have been calculated, it can be said that the model is trained.

The benefits of supervised learning are also obvious, as it can help analyze hidden relationships. Rules are manually produced from human experience, but when faced with a large number of data fields, it is no longer feasible for a human to do this efficiently. At this point, supervised machine learning can deliver better results than relying on rules alone. However, there are obvious disadvantages, the most important one being that the models require a large amount of training data and can only detect previously identified fraud patterns. Training a model is time-consuming, and fraudsters can cause damage before the model has been properly trained.

4. Unsupervised Machine Learning

Unsupervised learning is gaining traction as a way to proactively detect and stop fraud. The main approaches used in unsupervised learning are clustering and graph analysis. Unsupervised machine learning does not require any training data or labels, and fraud is detected by analyzing the users’ common behavior and the relationships between users.

Figure 1: Clustering

Consider a set of registration events from a group of users. Clustering reveals several small groups with correlated activity, that is, similar attributes such as registration time, operating system, and browser version. When analyzed one at a time, the users appear to be normal, but interestingly, their registrations are suspiciously consistent. For example, a group of people signs up for the same product using Google Chrome between 2 am and 3 am with GPS locations within a mile of each other, followed by both nickname and gender modifications after registration. If only one user’s registration had these details, there would be no problem. However, it is abnormal for a group of people to have such similar registration patterns.
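The registration scenario above as an added example (not code from the original article): events are grouped by an exact behavioural signature and then linked by distance, with no labels involved. The event records, the 1-mile radius and the minimum group size of 3 are constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed sample registrations (not real data):
# (user, hour_of_day, browser, lat, lon, profile edits made after registration)
EVENTS = [
    ("u01", 2, "Chrome", 37.7750, -122.4190, ("nickname", "gender")),
    ("u02", 2, "Chrome", 37.7762, -122.4175, ("nickname", "gender")),
    ("u03", 2, "Chrome", 37.7741, -122.4201, ("nickname", "gender")),
    ("u04", 2, "Chrome", 37.7758, -122.4183, ("nickname", "gender")),
    ("u05", 2, "Chrome", 40.7128, -74.0060, ("nickname", "gender")),  # same behaviour, far away
    ("u06", 14, "Firefox", 37.7751, -122.4188, ()),
    ("u07", 9, "Safari", 34.0522, -118.2437, ("nickname",)),
    ("u08", 2, "Chrome", 37.7755, -122.4195, ()),  # same time and place, no edits
]

def miles(a, b):
    """Haversine great-circle distance in miles between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 3958.8 * 2 * math.asin(math.sqrt(h))

def suspicious_groups(events, radius_miles=1.0, min_size=3):
    """Group by (hour, browser, edits), then single-link members by distance."""
    by_signature = defaultdict(list)
    for user, hour, browser, lat, lon, edits in events:
        by_signature[(hour, browser, tuple(sorted(edits)))].append((user, (lat, lon)))
    flagged = []
    for signature, members in by_signature.items():
        unvisited = list(members)
        while unvisited:
            cluster, frontier = [], [unvisited.pop()]
            while frontier:  # grow the cluster through neighbours within the radius
                cur = frontier.pop()
                cluster.append(cur)
                near = [m for m in unvisited if miles(cur[1], m[1]) <= radius_miles]
                for m in near:
                    unvisited.remove(m)
                frontier.extend(near)
            if len(cluster) >= min_size:  # one such user is normal, a group is not
                flagged.append((signature, sorted(u for u, _ in cluster)))
    return flagged

if __name__ == "__main__":
    for signature, users in suspicious_groups(EVENTS):
        print(signature, users)
```

Each flagged user looks unremarkable alone; the group only surfaces because several accounts share the whole signature and sit within the radius of one another.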

Unsupervised machine learning can also be used to identify spam emails. One method to identify spam may be to analyze the types of emails that users delete. Another common method to determine the type of spam is by analyzing the reply rate.

Figure 2: Naive vs coordinated spam attacks

As shown in the figure, the lower left corner shows a naive attacker who simply sends a lot of spam emails, and the reply rate is close to 0. A fraud detection system can easily categorize this as spam. The group in the lower right corner is much smarter. They increase their response rate by sending emails to and from each other. These accounts usually add friends and exchange emails to disguise themselves as normal users. Unsupervised learning can discover this type of coordinated activity and reveal fraudulent behavior.
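The two groups in the figure as an added example (not code from the original article): a raw reply-rate check catches the naive sender, and a simple graph heuristic discounts replies from peers in a closed mutual loop to catch the coordinated group. The message log, the 10% threshold, the minimum volume and the triangle-based "in-group" test are constructed assumptions.

```python
from collections import defaultdict

RING = ["s1", "s2", "s3", "s4"]
# Constructed message log (not real data): (sender, recipient) pairs.
MESSAGES = (
    [("naive", f"n{i}") for i in range(20)]               # bulk sender, nobody replies
    + [(a, b) for a in RING for b in RING if a != b]      # ring members mail each other
    + [(s, f"{s}-t{i}") for s in RING for i in range(6)]  # and also mail outsiders
    + [("dave", f"d{i}") for i in range(5)]               # ordinary user
    + [(f"d{i}", "dave") for i in range(3)]               # three contacts write back
)

def classify(messages, min_rate=0.10, min_recipients=5):
    """Label senders as 'naive-spam', 'coordinated' or 'ok'."""
    sent = defaultdict(set)
    for sender, recipient in messages:
        sent[sender].add(recipient)
    # Mutual peers: recipients who also wrote to the sender.
    mutual = {a: {b for b in sent[a] if a in sent.get(b, ())} for a in list(sent)}
    verdicts = {}
    for a, recipients in sent.items():
        if len(recipients) < min_recipients:
            continue  # too little volume to judge
        raw = len(mutual[a]) / len(recipients)
        # A replier is "in-group" when it shares another mutual peer with a,
        # i.e. the reply comes from inside a closed triangle of accounts.
        in_group = {b for b in mutual[a]
                    if (mutual[a] & mutual.get(b, set())) - {a, b}}
        outside = recipients - in_group
        adjusted = len(mutual[a] - in_group) / len(outside) if outside else raw
        if raw < min_rate:
            verdicts[a] = "naive-spam"   # lower left of the figure
        elif len(outside) >= min_recipients and adjusted < min_rate:
            verdicts[a] = "coordinated"  # reply rate exists only inside the loop
        else:
            verdicts[a] = "ok"
    return verdicts

if __name__ == "__main__":
    for account, verdict in sorted(classify(MESSAGES).items()):
        print(account, verdict)
```

The ring members show a raw reply rate of about 33%, which passes the naive check, but none of their replies come from outside the loop.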

Unsupervised algorithms applied to fraud detection usually have the advantage of early warning. Today’s fraudulent users often have an incubation period before conducting any fraud to avoid detection. But because their behavior during the incubation period follows a standard process and is consistent, they can still be captured by unsupervised algorithms. Detecting suspicious behavior before an attack occurs is hardly possible with other methods. This is one of the most important reasons why unsupervised machine learning is starting to play a bigger role in fraud detection.

To learn more about how unsupervised machine learning works, visit

about David Ting
David has over 20 years of leadership experience at leading technology companies such as Yahoo, NetEase, and IGN. On the technology front, David has held key executive positions at Yahoo, IBM, IGN, and AltaVista and is a big believer in combining cutting-edge innovation with scalability, simplicity, and quick time-to-market. He holds 6 patents and won 2 IBM Outstanding Achievement awards and AltaVista Employee of the Year.