Business logic of fraud: what is behind an anomalous transaction
The scale is concrete. According to the AFP Payments Fraud and Control Survey, fraud affects about 80% of organizations each year. Juniper Research estimates that total losses from online payment fraud between 2023 and 2028 could reach about $362 billion. Data leaks at fintech companies only add fuel to the fire: in March 2026, the Colombian fintech Addi exposed the data of 34.5 million users, including credit scores and government identifiers (according to Have I Been Pwned). A leak of credit scores is a ready-made tool for targeted fraud: the attacker knows the victim's solvency in advance and tailors the attack scenario to a specific wallet.
The financial context for the bank: under the Visa and Mastercard rules a chargeback carries direct costs - the transaction amount, the dispute fee (from 20 to 100 dollars per case), plus reputational losses. If a merchant's chargeback ratio exceeds the thresholds (Visa VAMP from 2025: 0.5% - early warning, 0.9% - excessive; Mastercard ECP: 1-1.5%), the payment system puts it into a monitoring program with fines. For the acquirer this means tens of thousands of dollars a month, even before regulatory risks are counted. Transaction anti-fraud analysis is not a task "for the security people", but a business function with a direct impact on P&L.
A separate story is the insider. An employee with access to processing or the CRM can create fictitious refunds, approve suspicious transactions, or exfiltrate card data. The pattern here is different: the anomalies are tied not to the client's card or device but to the operator - atypical working hours, mass approvals that bypass scoring, refund operations without a prior purchase. An anti-fraud system that looks only at the client side and ignores operator behavior is blind to a whole class of threats. And this class is most often discovered after the fact, when the damage is already six figures.
Signs of fraud patterns in transactions
Velocity anomalies and mass card testing
Velocity is the loudest sign. The attacker tests a batch of cards: a series of transactions from one device or IP, a minimal interval, brute-forcing amounts or merchants. What to record in the anti-fraud system:
• Number of transactions per card_hash in a fixed window (5 minutes, 1 hour, 24 hours)
• Number of unique cards on one device_id in the same period
• Distribution of amounts: a suspiciously narrow spread (all transactions in the 900-1000 ruble range - a classic "limit check"), or the opposite - micropayments (10-50 rubles) alternating with large amounts
• The interval between transactions: a person physically cannot make a purchase faster than every 15-20 seconds. An interval under 10 seconds is a sign of automation, no deliberation needed
Velocity rules are the first line of defense, but in pure form they produce many false positives. A corporate card with which an accountant pays for 15 subscriptions in a row will look like carding. Therefore velocity works as one of the signals in the scoring model, not as the only blocking trigger. More on this below.
Geolocation inconsistencies and device fingerprint changes
The geolocation signal is a comparison of three parameters: the country/region of the IP address, the country of the card's BIN (the first 6-8 digits identify the issuer) and the country of the merchant. If the IP points to one jurisdiction, the BIN to another and the merchant to a third, the fraud score should grow.
An even stronger signal is a change of device fingerprint right before a large transaction. The typical account takeover pattern: the attacker gains access to the account (through a password leak, SIM swap or phishing), logs in from a new device and immediately initiates a transfer. A normal client changes device every 1-2 years; if the device_id first appeared less than 24 hours ago and the transaction amount exceeds the customer's average check by 3x or more, this is a red flag.
The relevant context is OWASP A07:2021 (Identification and Authentication Failures): weak authentication and the absence of binding to the device make account takeover trivial. And OWASP A09:2021 (Security Logging and Monitoring Failures) explains why many organizations do not notice such incidents: authentication events and device changes are simply not logged at a level sufficient for correlation. There are logs, but there is no correlation.
Behavioral analysis of payments: deviations from the baseline
Each client has a behavioral baseline: typical amounts, typical transaction times, typical merchant categories, purchase frequency. A deviation from the baseline is not fraud on its own, but a signal that raises the score.
Specific behavioral anomalies that should be tracked:
• A transaction at 03:00, if the client has never paid between 00:00 and 06:00 in the last 6 months
• A first purchase in the "electronics" category for more than 50 000 rubles from a client who usually spends on food and transport
• A sharp increase in transaction count: average frequency 2-3 per day, suddenly 15+ per hour
• A series of gift card purchases - a classic cash-out after account takeover. If you see three gift cards in a row from a new device, you don't even need to finish the scoring
The baseline is built on 30-90 days of historical data. Without a baseline any scoring rule will be either too coarse (many false positives) or too soft (misses real fraud). There is no middle ground without data.
Scoring rules for anti-fraud: from static rules to a weighted model
Static rules for filtering transactions
A static rule is a basic if/then: if the condition is met, the action fires unconditionally. According to SEON, historically the first static rules were tied to IP addresses: IP on a blacklist - the transaction is blocked. Another example: the card's BIN country does not match the IP country - block.
In a mature anti-fraud system static rules are therefore used only for absolute blocks: a card from a sanctions list, an IP with confirmed fraud history, a BIN from a blocked range. Everything else goes through scoring.
Anti-fraud scoring with scores and weights
The scoring model assigns a weight to each feature, sums the points and makes a decision by threshold values. This is the kernel of the fraud scoring model. Example of a decision table:

Threshold values (example for e-commerce):
• 0-20 points → APPROVE (automatic approval)
• 21-50 points → REVIEW (manual review by an analyst)
• 51+ points → DECLINE (automatic decline)
The thresholds are not constants. They are calibrated monthly by two metrics: false positive rate (FPR) and fraud detection rate (FDR). Move the DECLINE threshold from 51 to 40 - more fraud caught, but more legitimate customers blocked. Move it back to 60 - customers are happy, but three carding episodes were missed. The balance is found here, on historical data. There is no universal threshold - each processing has its own traffic profile.
Velocity check in anti-fraud: the advanced rule level
Velocity check is not just "count transactions per hour." The mature velocity approach assesses the dynamics of behavior: spending growth of 200%+ in 24 hours, a 5x increase in the number of unique merchants against the baseline, a sharp change in transaction geography.
According to SEON and Focal AI, the velocity rule is especially effective in two scenarios: countering account takeover (when the attacker tries to withdraw the maximum funds in the minimum time) and AML monitoring (when the movement of funds is spread across many recipients to stay under reporting thresholds). In both cases the key is the speed of change relative to the baseline, not absolute numbers.
Here rolling_cnt is a sliding count of transactions on the device. If the device accumulates 5 or more consecutive transactions with a geo-inconsistency (the query counts only among the transactions that passed the filter bin_country != ip_country), it is a strong signal for escalation to REVIEW or DECLINE. To count the window over all transactions of the device and only then filter by geo-mismatch, move the window function into a CTE/subquery.
In practice these queries are not run by hand. They are embedded in the anti-fraud pipeline - whether it is FICO Falcon, Featurespace, a home-grown engine or even a SIEM fed with transaction logs. The analyst's task is to write a rule, test it on historical data (how many legitimate transactions it would have blocked last month), calibrate the thresholds and roll it out to production. Without a backtest on real data, no rule goes to production.
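The two orderings of the geo filter and the window function, as an added example in Python that is not part of the original article; the sample transactions are constructed, and the window is assumed to be a 5-minute RANGE window rather than the row-based one a specific query might use. With the filter first, rolling_cnt reaches 5 only on the fifth mismatched transaction; with the window computed first in a CTE, the device's clean transaction also counts and the fifth transaction is flagged one step earlier.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample (not real data). Fields:
# (txn_id, device_id, ts, bin_country, ip_country)
# dev-A cycles through cards whose BIN country never matches the IP country;
# dev-B is an ordinary client with consistent geography.
TXNS = [
    ("t1", "dev-A", "2026-03-01T10:00:00", "NL", "NL"),
    ("t2", "dev-A", "2026-03-01T10:00:12", "GB", "NL"),
    ("t3", "dev-A", "2026-03-01T10:00:20", "DE", "NL"),
    ("t4", "dev-A", "2026-03-01T10:00:31", "FR", "NL"),
    ("t5", "dev-A", "2026-03-01T10:00:45", "ES", "NL"),
    ("t6", "dev-A", "2026-03-01T10:00:58", "IT", "NL"),
    ("t7", "dev-B", "2026-03-01T10:05:00", "RU", "RU"),
    ("t8", "dev-B", "2026-03-01T10:07:00", "RU", "RU"),
]

WINDOW_SEC = 300  # assumed: RANGE BETWEEN INTERVAL '5 minutes' PRECEDING AND CURRENT ROW
THRESHOLD = 5     # "5 or more" geo-inconsistent transactions -> REVIEW / DECLINE


def _by_device(rows):
    """PARTITION BY device_id ORDER BY ts (ISO timestamps sort lexically)."""
    groups = defaultdict(list)
    for r in sorted(rows, key=lambda r: (r[1], r[2])):
        groups[r[1]].append(r)
    return groups


def _rolling_counts(rows, window_sec):
    """Sliding count for one device's rows sorted by ts: how many rows fall
    in [ts - window_sec, ts], the current row included (two-pointer sweep)."""
    times = [datetime.fromisoformat(r[2]) for r in rows]
    out, start = [], 0
    for i, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_sec:
            start += 1
        out.append((rows[i], i - start + 1))
    return out


def filter_then_window(txns, window_sec=WINDOW_SEC, threshold=THRESHOLD):
    """WHERE bin_country != ip_country applied before the window function:
    rolling_cnt counts only the device's geo-mismatched transactions."""
    mismatched = [r for r in txns if r[3] != r[4]]
    flagged = []
    for device, rows in _by_device(mismatched).items():
        for r, cnt in _rolling_counts(rows, window_sec):
            if cnt >= threshold:
                flagged.append((r[0], device, cnt))
    return flagged


def window_then_filter(txns, window_sec=WINDOW_SEC, threshold=THRESHOLD):
    """Window computed in a CTE over all of the device's transactions, geo
    filter applied afterwards: rolling_cnt also includes clean transactions."""
    flagged = []
    for device, rows in _by_device(txns).items():
        for r, cnt in _rolling_counts(rows, window_sec):
            if r[3] != r[4] and cnt >= threshold:
                flagged.append((r[0], device, cnt))
    return flagged


if __name__ == "__main__":
    print("filter -> window:", filter_then_window(TXNS))  # t6 reaches 5
    print("window -> filter:", window_then_filter(TXNS))  # t5 already 5, t6 is 6
```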
Checklist for an anti-fraud system
A ready set of correlation rules that can be adapted to a specific processing:
1. Velocity on the card: more than N transactions with one card_hash in M minutes → score +15 (start with N=5, M=60, calibrate by FPR)
2. Velocity on the device: more than 3 unique cards on one device_id in an hour → score +20 and alert to an analyst
3. Geo-inconsistency: IP country differs from both the BIN country and the merchant country → score +20
4. Device shift: new device_id (first_seen less than 24 h ago) + amount above 3x the customer's average check → score +25
5. Test micropayment: a transaction under 100 rubles followed within 30 minutes by a transaction over 5 000 rubles with the same card_hash → score +30
6. Night anomaly: a transaction at 02:00-05:00 from a client with no night history in 90 days → score +10
7. BIN concentration: more than 5 cards from one BIN range (first 6 digits) on one device per day → score +15
8. Refund pattern: more than 3 refunds in 7 days with fewer than 5 purchases in total → score boost + check of the operator who issued the refunds
9. Email age: email registered less than 7 days ago + first transaction above 10 000 rubles → score +15
10. Automation: time from login to the personal account until payment under 30 seconds → score +10 (sign of a scripted flow)
11. Insider pattern: an operator issues more than 10 refunds per shift while the department average is under 3 → alert to the manager and freeze the operator's account
Each rule in this checklist requires calibration on the real data of a specific bank or payment service. The weights and thresholds here are a starting point, not final values. In the first month after a new rule is introduced, manual control of its operation is mandatory. Without this, you will not know whether the rule catches fraud or terrorizes the accounting department.
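The weighted scoring model described above, with the first five checklist rules and the e-commerce thresholds (0-20 APPROVE, 21-50 REVIEW, 51+ DECLINE), as an added Python example that is not the article's or any vendor's code; the Txn and Profile structures and both scenarios are constructed. The accountant's run of subscriptions fires only the card velocity rule and stays in APPROVE, while the account takeover (new device, micropayment probe, geo mismatch) stacks three rules into DECLINE.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Txn:
    txn_id: str
    ts: datetime
    card_hash: str
    device_id: str
    amount: float           # rubles
    bin_country: str
    ip_country: str
    merchant_country: str


@dataclass
class Profile:
    avg_check: float             # average check from the 30-90 day baseline
    device_first_seen: datetime  # first_seen of the current device_id


# Checklist weights: starting values, to be calibrated by FPR
W_VELOCITY_CARD, W_VELOCITY_DEVICE, W_GEO, W_NEW_DEVICE, W_PROBE = 15, 20, 20, 25, 30


def decide(score):
    if score <= 20:
        return "APPROVE"
    if score <= 50:
        return "REVIEW"
    return "DECLINE"


def score_transaction(txn, history, profile):
    """Return (score, fired_rules, decision). history: earlier transactions
    seen by the processing, any card or device."""
    def within(h, minutes):
        return 0 <= (txn.ts - h.ts).total_seconds() <= minutes * 60
    hits = []
    hour = [h for h in history if within(h, 60)]
    # 1. Velocity on the card: more than N=5 transactions in M=60 minutes
    if 1 + sum(h.card_hash == txn.card_hash for h in hour) > 5:
        hits.append(("velocity_card", W_VELOCITY_CARD))
    # 2. Velocity on the device: more than 3 unique cards in an hour
    cards = {h.card_hash for h in hour if h.device_id == txn.device_id}
    if len(cards | {txn.card_hash}) > 3:
        hits.append(("velocity_device", W_VELOCITY_DEVICE))
    # 3. Geo-inconsistency: IP country differs from both BIN and merchant country
    if txn.ip_country not in (txn.bin_country, txn.merchant_country):
        hits.append(("geo_mismatch", W_GEO))
    # 4. Device shift: device first seen < 24 h ago and amount > 3x average check
    if (txn.ts - profile.device_first_seen < timedelta(hours=24)
            and txn.amount > 3 * profile.avg_check):
        hits.append(("new_device_large_amount", W_NEW_DEVICE))
    # 5. Test micropayment: < 100 rubles, then > 5 000 rubles within 30 min, same card
    if txn.amount > 5000 and any(h.card_hash == txn.card_hash and h.amount < 100
                                 and within(h, 30) for h in history):
        hits.append(("micropayment_probe", W_PROBE))
    score = sum(w for _, w in hits)
    return score, hits, decide(score)


# Constructed scenarios (not real data)
T0 = datetime(2026, 3, 1, 14, 0)
ACCOUNTANT = Profile(avg_check=400.0, device_first_seen=T0 - timedelta(days=400))
SUBSCRIPTIONS = [Txn(f"s{i}", T0 - timedelta(minutes=3 * i), "corp-card",
                     "dev-office", 350.0, "RU", "RU", "RU") for i in range(1, 7)]
PAYMENT_7 = Txn("s7", T0, "corp-card", "dev-office", 350.0, "RU", "RU", "RU")

VICTIM = Profile(avg_check=1500.0, device_first_seen=T0 - timedelta(hours=2))
PROBE = Txn("p1", T0 - timedelta(minutes=10), "victim-card", "dev-new", 50.0, "RU", "NL", "RU")
CASHOUT = Txn("p2", T0, "victim-card", "dev-new", 7000.0, "RU", "NL", "RU")

if __name__ == "__main__":
    print(score_transaction(PAYMENT_7, SUBSCRIPTIONS, ACCOUNTANT))  # 15 -> APPROVE
    print(score_transaction(CASHOUT, [PROBE], VICTIM))              # 75 -> DECLINE
```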
Balance between FPR and missed fraud
The main error of a novice anti-fraud analyst is optimizing only the fraud detection rate without looking at the false positive rate. Catching 99% of fraud is not hard: block all transactions over 1 000 rubles from new devices. Fraud detection will be excellent. The business will die.
The right metric is the precision-recall trade-off on specific data. For each new rule, you count how many fraudulent transactions it would have caught in the last 30 days (recall) and how many legitimate ones it would have blocked (1 - precision). If the rule catches 50 fraudulent transactions of 2 000 rubles each (100 000 rubles of prevented losses) but blocks 500 legitimate ones of 5 000 rubles each (2 500 000 rubles of lost revenue), the rule is unprofitable. The arithmetic is cruel, but without it anti-fraud turns into anti-business.
In practice, mature anti-fraud systems work in three lanes: automatic approval (green), manual review (yellow) and automatic decline (red). The yellow lane is a buffer that lets you avoid losing customers under high uncertainty. The more accurate the scoring model, the narrower the yellow lane and the lower the load on the manual review team.
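The backtest that the arithmetic above calls for, as an added Python example that is not from the original article: a rule is replayed over a constructed month of labeled traffic (fraud at 2 000 rubles, legitimate at 5 000 rubles, as in the text), and the card velocity threshold N is swept and chosen by net value instead of by recall alone. The dataset, the per-transaction fields and the candidate thresholds are all assumptions.

```python
def make_history():
    """Constructed labeled month of traffic (not real data). Fraud rings run
    4-9 transactions per card per hour at 2 000 rubles; legitimate traffic is
    mostly quiet, but 50 corporate cards pay 3-7 invoices per hour at 5 000."""
    rows = []
    for i in range(60):
        rows.append({"card_hash": f"f{i}", "txns_last_hour": 4 + i % 6,
                     "amount": 2000.0, "is_fraud": True})
    for i in range(1000):
        burst = 3 + (i // 20) % 5 if i % 20 == 0 else i % 3
        rows.append({"card_hash": f"c{i}", "txns_last_hour": burst,
                     "amount": 5000.0, "is_fraud": False})
    return rows


HISTORY = make_history()


def backtest(rule, history):
    """Replay a blocking rule over labeled history. rule(row) -> True means
    the rule would have blocked that transaction."""
    fraud_total = sum(1 for r in history if r["is_fraud"])
    legit_total = len(history) - fraud_total
    caught = blocked = 0
    prevented = lost = 0.0
    for r in history:
        if not rule(r):
            continue
        if r["is_fraud"]:
            caught += 1
            prevented += r["amount"]
        else:
            blocked += 1
            lost += r["amount"]
    return {
        "caught_fraud": caught,
        "blocked_legit": blocked,
        "recall": caught / fraud_total,      # fraud detection rate
        "fpr": blocked / legit_total,        # false positive rate
        "prevented_losses": prevented,
        "lost_revenue": lost,
        "net": prevented - lost,             # the cruel arithmetic
    }


def sweep_velocity_threshold(history, candidates=(3, 4, 5, 6, 7, 8)):
    """Calibrate N in 'more than N transactions per card per hour' by net
    value rather than by recall alone. Returns (best_N, results_by_N)."""
    results = {n: backtest(lambda r, n=n: r["txns_last_hour"] > n, history)
               for n in candidates}
    best = max(results, key=lambda n: results[n]["net"])
    return best, results


if __name__ == "__main__":
    best, results = sweep_velocity_threshold(HISTORY)
    for n, res in results.items():
        print(f"N={n}: recall={res['recall']:.2f} fpr={res['fpr']:.3f} net={res['net']:+.0f}")
    print("best N by net value:", best)  # 7
```

On this data N=3 catches every fraudulent transaction and still loses money, which is exactly the trap the paragraph above describes.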
In a year and a half of working with transactional data in processing, I became convinced of one thing: the main problem of anti-fraud is not technology and not algorithms, but the lack of a systematic approach to calibrating rules. Teams implement dozens of rules but do not revise the thresholds for months. Fraud patterns change within a week: attackers adapt amounts, timings, BIN ranges. The rule that caught carding in January generates only false positives by March - and the real fraud goes along a new vector that nobody tracks. I've seen it more than once: a beautiful dashboard, 47 rules, zero revisions in a quarter.