
Graph visualization techniques for managing fraud

Contents
The fraud challenge
AI as a tool for fraud and anti-fraud
Visual graph analytics
Visual timeline analytics
Detecting fraud
Investigating fraud
Preventing fraud
Try our software development toolkits


The fraud challenge
Fraud management has changed massively in recent years,
with the advance of digital technologies and AI creating new
opportunities and techniques for fraudsters to commit crime faster,
and with more agility.

Surging fraud volumes and sophisticated AI tools have changed the dynamics for anti-fraud teams. And
while it has always been a data-intensive process, fraud management today is more complex and more
important than ever before.

To detect, investigate and prevent it, you need to see connections between people, accounts,
transactions, and dates – and understand complex sequences of events. In this paper, we’ll explore the
evolving role of visual analysis in fraud management, and how AI is making an impact on both sides of
the equation.

Using demos created with our data visualization tools, we’ve represented real fraud management
workflows using simplified and synthesized data. You’ll see a range of specific use cases, but the
techniques in each example apply to any scenario where individuals need to understand transactions
and activity over time.

AI as a tool for fraud and anti-fraud

How fraudsters use AI


Research by anti-fraud firm Sift points to a 68% increase in scams and spam in the six months since
ChatGPT’s initial launch. Fraud often relies on social engineering, impersonation or brute-force tactics.
Generative AI tools can convincingly mimic human communication and behavior, in real time and on
a massive scale - so their association with a rise in fraud is no surprise. For organizations, AI means a
greater risk of fraud activity through:

• Automated phishing campaigns, using vast amounts of source material
• More convincing social engineering campaigns
• Synthetic identities based on bot-generated content and imagery, or even deep-fake video
• Credential-stuffing, orchestrated to mimic human activity patterns

Faced with this increased risk, fraud management platforms are fighting back with integrated
automation and AI models.

An AI-powered fightback?
Automation is nothing new in fraud management. For years, teams have used rule-scoring and pattern-
matching mechanisms to identify fraud.

But AI and machine learning have emerged as a game changer for anti-fraud platforms. Implemented
well, it identifies complex patterns and subtle signals better than other automated methods. It also
analyzes behavior, biometric profiles and complex patterns at scale, in real-time, 24/7. Crucially, it also
trains itself – constantly updating rules to stop threats faster than standard fraud detection methods.

But for now, an unsupervised and purely AI-driven fraud management program is an unlikely strategy.
While many organizations might want to reduce, or even eliminate human intervention, ceding control
would introduce significant risks:

• Black boxes - AI systems often have internal workings that are invisible to the user
• Reduced visibility of wider threats and new trends
• Potential for mistakes - AI is prone to bias and hallucination
• Lack of cognition - AI isn’t yet capable of original thought


The visualization-AI intelligence cycle
A successful fraud investigation follows the visualization-AI
intelligence cycle, combining the different strengths of visual
analytics, AI and human reasoning:

Detection

AI software gathers, cleans and structures data from disparate sources and silos. It uses machine
learning and pattern recognition to make recommendations and raise alerts.

Investigation

When fraudsters use new techniques, automated processes won’t necessarily spot them. It takes human
intervention to identify new or unusual patterns, or to make a call on borderline cases.

Interactive graph visualization presents these insights in a way that’s easy for investigators to navigate
and analyze, turning them into actionable intelligence.

Prevention

Investigators use what they’ve learned to inform the next set of queries and rules they feed into the
system - perhaps using natural language prompts to speed up the process.

Visual graph analytics
An interactive data visualization technique for
making sense of connections and relationships
When an event occurs - a financial transaction, an insurance claim, a login to an online banking system
- it creates a digital footprint. Using visual graph analysis (often known as link analysis), fraud analysts
and investigators connect those footprints as nodes and links, uncovering unusual patterns that indicate
fraudulent activity.

Visual graph analysis isn’t new. Law enforcement and financial services organizations have used the
technique for decades. But the tools available have greatly improved over time. Growing data volumes,
changing fraud methods, and increasingly distributed analyst teams have driven a new generation of
web-based, fully customizable visual graph analysis technologies.

Visual timeline analytics
A data visualization technique for exploring the
evolution of events and activities over time
Timeline charts show digital footprints over time in a scalable and interactive way, revealing sequences
of events or changing behavior patterns. They can be combined with visual graph analysis charts, or
used stand-alone. In either case, they show analysts when events happened, and how they were linked.

Using a timeline to detect insider trading


Even the simplest descriptions of insider trading can’t help but invoke a timeline. “Trading stock based
on knowledge that is not yet available to the public” – that “yet” is the key word. Understanding the
sequence of events in context is crucial to determining the legality of a trade.

This aggregated heatmap timeline shows the pattern of stock trading around the time important news
events took place. It’s normal that in the run-up to good or bad news, there might be a general market
sentiment that causes buying or selling, so it’s not enough to say that buying stock the day before good
news is illegal.

But overlaying communications data, and focusing on individual trades in the run-up to news, brings
fresh perspective. An analyst can drill down into this timeline to find or illustrate suspicious trading
activity:

Detecting fraud
Let’s look at how visual analytics can help with fraud detection. As discussed above, detection is an
increasingly automated process, as analysts are often looking for familiar and identifiable patterns of
activity. But what about fraud that goes under the radar, using tactics previously unobserved? To identify
that, fraud teams use their domain knowledge and experience to spot suspicious activity.

When an investigator looks for known fraud patterns, they automatically score each case or
transaction, and assign it to a category - often using machine learning to process events. This
leads to three possible outcomes:

• Everything seems normal, no action is needed.
• The AI is unsure and suspects potential fraud; the activity is flagged for human review.
• The AI detects fraud with a high level of certainty, and the activity is blocked and flagged.

While machines can identify legitimate and fraudulent transactions better than ever, the increase
in scams means a higher volume of alerts fall into the ‘unsure’ category. No matter how advanced
automated fraud detection is today, a flagged transaction needs analytical expertise from a human
investigator.

When reviewing flagged transactions, analysts need to act quickly. For some online transactions,
a few minutes can make all the difference for the customer.

Analysts need to understand the situation, make an assessment, and close or escalate the case
quickly without letting fraud slip through. Visual graph and timeline analysis makes that possible.

Here’s a visual graph analysis chart showing a vehicle insurance claim that’s been flagged for
review. Nodes represent claims, vehicles, people, and addresses. An automatic hierarchy layout
makes it easy to spot dependencies.

Using a quick database call, we find two more claims that have shared attributes with the first one.
What interesting links have appeared on the chart? We can see a blue ‘doctor’ node connecting two
claimants - nothing especially unusual there. We also see that two claimants live at the same Colnbrook
Street address. Their shared surname suggests a family relationship. Again, this isn’t unusual in itself.

But we also see a vehicle - registration number DA53 RMX - is connected to two claims just 6 months
apart. For one vehicle to be involved in two claims in such a short space of time is unusual, so it’s flagged
for further investigation. The red claim icon features a context menu which we can use to choose the
next action to take.
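
The shared-attribute lookup described above can be expressed as a small grouping routine. This is an added example, not code from the paper or from the toolkits it describes; the claim IDs, dates, second registration, doctor labels and the 183-day window are assumptions made for illustration.

```javascript
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample claims: IDs, dates, doctor labels and the second
// registration are illustrative; only "DA53 RMX" and "Colnbrook Street"
// come from the text.
const sampleClaims = [
  { id: 'CLM-1', date: '2023-01-10', vehicle: 'DA53 RMX', address: 'Colnbrook Street', doctor: 'Dr A' },
  { id: 'CLM-2', date: '2023-07-05', vehicle: 'DA53 RMX', address: 'Example Road', doctor: 'Dr A' },
  { id: 'CLM-3', date: '2023-03-20', vehicle: 'ZZ00 AAA', address: 'Colnbrook Street', doctor: 'Dr B' },
];

// Group claims by each attribute value they carry (vehicle, address, doctor).
function indexByAttribute(claims, attrs) {
  const index = new Map();
  for (const claim of claims) {
    for (const attr of attrs) {
      const value = claim[attr];
      if (!value) continue; // a missing attribute cannot link two claims
      const key = `${attr}\u0000${value}`;
      if (!index.has(key)) index.set(key, { attr, value, claims: [] });
      index.get(key).claims.push(claim);
    }
  }
  return [...index.values()];
}

// Smallest gap, in whole days, between consecutive claims in a group.
function minGapDays(group) {
  const times = group.map((c) => Date.parse(c.date)).sort((a, b) => a - b);
  let min = Infinity;
  for (let i = 1; i < times.length; i++) {
    min = Math.min(min, Math.round((times[i] - times[i - 1]) / DAY_MS));
  }
  return min;
}

// List every attribute value shared by two or more claims. Shared doctors and
// addresses are reported as context; a vehicle with two claims inside the
// window (assumed 183 days, about six months) is marked for review.
function findSharedLinks(claims, windowDays = 183) {
  return indexByAttribute(claims, ['vehicle', 'address', 'doctor'])
    .filter((entry) => entry.claims.length > 1)
    .map(({ attr, value, claims: group }) => {
      const gapDays = minGapDays(group);
      return {
        attr,
        value,
        gapDays,
        claims: group.map((c) => c.id),
        review: attr === 'vehicle' && gapDays <= windowDays,
      };
    });
}

console.log(findSharedLinks(sampleClaims));
```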

To make fast decisions, fraud analysts need to follow efficient workflows. With our graph and
timeline software development kits (SDKs), developers can create visualization components that
are fully customized for a specific workflow, and embed them directly into existing products and
platforms.

The result: analysts get advanced visualization without switching tools or disrupting their flow.
Investigating fraud
More complex cases, for example those that might involve coordinated fraud rings and organized
crime, require more complex human involvement. Here, link analysis and timeline visualizations are
investigation tools. They present larger volumes of data for investigators to navigate and turn into
actionable intelligence.

Let’s look at a different way of tackling vehicle insurance fraud. This fictional but typical dataset includes
links between nodes representing policies, policyholder details, insurance claims, vehicle damage,
doctors, witnesses, and mechanics.

When you visualize a lot of cases at once, it’s easy to pick out ordinary claims - they’re the Y-shaped
structures dotted around the chart - from the more complex, potentially fraudulent claims. Spotting
new types of fraud relies on the analyst’s domain knowledge and investigative skills, which are both
enhanced with visual analysis.

Zooming in on one of the more heavily connected nodes shows a policy linked to an unusually high
number of damage claims:

Choosing a different view of the same data, we can visualize people who share first or second-degree
connections through claims and policies. This reveals people involved in multiple claims. At the same
time, we can apply a social network analysis centrality measure to highlight the most well-connected
people. Larger nodes represent individuals linked to multiple insurance claims – legitimate or fraudulent.
One of them instantly reveals Neville Cameron as a person of interest:

Let’s use yet another view to investigate the damage repairs listed in a single claim. Some types of
vehicle damage are more common than others. One mechanic fixing a disproportionately high number of
similar issues could indicate claim inflation - a common fraud tactic where policyholders claim for more
damage than actually occurred. Here we’ve grouped damage claims by type, and straight away we’re
hit with an interesting pattern. A high number of off-side rear door repairs have all been carried out at
the same mechanic:

As fraud investigations grow, investigators quickly become overwhelmed by data.

Our SDKs offer powerful filtering, automated layouts, smart node grouping, graph analysis and
other tools to help them eliminate noise and find the answers they need.

Let’s plot this suspicious activity on a map, to see how policyholders are connected to the mechanics
listed in their claims:

This map view shows that several claimants traveled significant distances for repairs at Fraser’s, even
though there were mechanics much closer to home. Could Fraser’s be involved in an organized scam?

Flexible visual graph analysis drives this investigative approach, so analysts can follow their instincts
when detecting unknown fraud.

Intelligence dissemination is a key stage in a fraud management workflow: sharing the right
information with the right people at the right time.

All our SDKs make dissemination easy. Users can share their visualizations, either as interactive
charts for colleagues, or as static images or PDFs to submit as evidence.

Revealing suspicious credit card activities
This visualization shows a set of credit card
transactions, some of which have been flagged as
suspicious. We need to understand what happened,
and make fast decisions about the next steps.

In our visual data model, nodes represent people and merchants, linked by transactions. We’ve
highlighted suspicious transactions in red.

The visualization is fully interactive, so we can dig deeper into those transactions to
understand what happened.

An experienced analyst would suspect an employee at one of these merchants of skimming credit
cards. But which merchant?

Skimming, sometimes called cloning, is when a fraudster copies credit card information at the
point of sale or ATM, usually with a specialized device.

The first step is to filter out the noise. Fraud data is usually big, noisy and complex, so our
toolkits support flexible filtering based on any logic you choose. Here, we’ll use foregrounding
to highlight people connected to disputed transactions.

The Walmart node is interesting. We can see all 4 cardholders spent money at Walmart, but none of
those transactions were disputed. Could that be where the cards were cloned?

We’re using fake data from this neo4j tutorial

Time-based analysis for better insights

To reach a more conclusive answer, we need to see when these suspicious transactions happened. The
histogram at the bottom of the chart below shows the total dollar value of transactions over time, with
red blocks representing the relative amounts from suspicious transactions. Green and red lines show
trends for undisputed and disputed transactions.

Filtering to focus on the original disputed transaction in early April shows us both Marc and Paul’s first
suspicious transactions were at Walgreens that month:

Next we need to find out where they used their card before Walgreens. To do that, we’ll switch to our
timeline view, which displays the transactions as an interactive timeline running from left to right:

Visualizing the same credit card data set, we’ve ‘pinned’ Marc and Paul’s event timelines. Now we can
see their credit card activity in the timeline visualization, and filter out the rest.

Just before the red-flagged transactions at Walgreens, both credit cards were used at Walmart. To
an analyst, this is a pretty clear indication: someone is skimming cards at Walmart. Now we have the
evidence we need to alert customers and stop the skimmed cards.
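
The reasoning in this walkthrough (look at where each affected card was used before its first disputed transaction, then see which merchant they have in common) can be written as a short analysis. This is an added example, not code from the paper or its toolkits; the transaction records, the year, the names "Grocer A", "Cafe B" and "Card C", and the 30-day lookback are constructed assumptions.

```javascript
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Constructed sample transactions. Marc, Paul, Walmart and Walgreens come from
// the walkthrough; the other names, the year and the dates are illustrative.
const sampleTxns = [
  { card: 'Marc', merchant: 'Grocer A', date: '2024-04-01', disputed: false },
  { card: 'Marc', merchant: 'Walmart', date: '2024-04-03', disputed: false },
  { card: 'Marc', merchant: 'Walgreens', date: '2024-04-05', disputed: true },
  { card: 'Paul', merchant: 'Cafe B', date: '2024-04-02', disputed: false },
  { card: 'Paul', merchant: 'Walmart', date: '2024-04-04', disputed: false },
  { card: 'Paul', merchant: 'Walgreens', date: '2024-04-06', disputed: true },
  { card: 'Card C', merchant: 'Walmart', date: '2024-04-02', disputed: false },
  { card: 'Card C', merchant: 'Walgreens', date: '2024-04-08', disputed: false },
];

// Rank merchants by how many affected cards used them shortly before the
// card's first disputed transaction, and how often they were the last stop.
function commonPointsOfPurchase(txns, lookbackDays = 30) {
  const byCard = new Map();
  for (const t of txns) {
    if (!byCard.has(t.card)) byCard.set(t.card, []);
    byCard.get(t.card).push({ ...t, ts: Date.parse(t.date) });
  }

  const stats = new Map(); // merchant -> { victims: Set of cards, lastStop: count }
  let victimCount = 0;
  for (const [card, list] of byCard) {
    list.sort((a, b) => a.ts - b.ts);
    const firstDispute = list.find((t) => t.disputed);
    if (!firstDispute) continue; // card has no disputed activity: skip it
    victimCount++;
    // Only purchases strictly before the first dispute and inside the lookback.
    const prior = list.filter(
      (t) => t.ts < firstDispute.ts && firstDispute.ts - t.ts <= lookbackDays * MS_PER_DAY
    );
    prior.forEach((t, i) => {
      if (!stats.has(t.merchant)) stats.set(t.merchant, { victims: new Set(), lastStop: 0 });
      const s = stats.get(t.merchant);
      s.victims.add(card);
      if (i === prior.length - 1) s.lastStop++; // used just before the dispute
    });
  }

  return [...stats]
    .map(([merchant, s]) => ({
      merchant,
      victims: [...s.victims].sort(),
      share: s.victims.size / victimCount, // fraction of affected cards seen here
      lastStop: s.lastStop,
    }))
    .sort((a, b) => b.share - a.share || b.lastStop - a.lastStop ||
      a.merchant.localeCompare(b.merchant));
}

console.log(commonPointsOfPurchase(sampleTxns));
```

The merchant where the disputed charges appear is excluded by construction, because only purchases made before the first dispute are counted.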

Unpicking fraud rings

Sometimes fraud cases are one-off crimes, committed by individuals looking for quick cash. But they’re
often part of a wider pattern of organized crime. In fraud rings, criminals use multiple accounts to bury
fraudulent transactions in a complex network of monetary exchanges, blurring the distinction between
legitimate and illegitimate activity. Failure to spot those fraud rings leaves organizations vulnerable to
escalating losses.

Let’s see how visual graph and timeline analysis helps investigators unpick fraud rings, with a ‘follow the
money’ investigation.

The timeline, on the left, shows a set of fiscal exchanges within a certain timeframe. The graph on
the right shows the transactions moving through the accounts. These two views are integrated - so
selecting an entity or payment in the timeline highlights its counterpart in the graph, and vice versa.

Forensic accountants who use data visualization for anti-money laundering (AML) can also use rules-
based algorithms to reveal suspicious activity. It helps them to focus on specific issues, and make fast
decisions about which accounts need further investigation.

We’ve designed this visualization to flag transactions in red if they involve larger amounts than normal,
or accounts that have previously been associated with criminal activity:
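
A rules-based pass of the kind described here, written out as an added example (not code from the paper or its toolkits). The account labels, amounts, watchlist entry, the factor of 3 and the minimum history of 3 transactions are assumptions; "normal" is taken to be the median of the sending account's earlier transactions.

```javascript
// Constructed sample ledger and watchlist; every label and amount is illustrative.
const sampleWatchlist = new Set(['watch-99']);
const sampleLedger = [
  { id: 1, from: 'biz-01', to: 'chk-01', amount: 500, date: '2024-05-01' },
  { id: 2, from: 'biz-01', to: 'chk-01', amount: 450, date: '2024-05-02' },
  { id: 3, from: 'biz-01', to: 'chk-01', amount: 550, date: '2024-05-03' },
  { id: 4, from: 'biz-01', to: 'chk-01', amount: 2500, date: '2024-05-04' },
  { id: 5, from: 'chk-01', to: 'trade-01', amount: 2500, date: '2024-05-05' },
  { id: 6, from: 'chk-02', to: 'watch-99', amount: 300, date: '2024-05-06' },
  { id: 7, from: 'biz-01', to: 'watch-99', amount: 5000, date: '2024-05-07' },
];

function median(values) {
  const sorted = [...values].sort((a, b) => a - b);
  const mid = sorted.length >> 1;
  return sorted.length % 2 ? sorted[mid] : (sorted[mid - 1] + sorted[mid]) / 2;
}

// Flag a transaction when its amount exceeds `factor` times the median of the
// sender's earlier transactions, or when either party is on the watchlist.
// Transactions are processed in time order so a baseline never looks ahead.
function flagTransactions(txns, watchlist, { factor = 3, minHistory = 3 } = {}) {
  const history = new Map(); // sending account -> amounts seen so far
  const flagged = [];
  const ordered = [...txns].sort((a, b) => Date.parse(a.date) - Date.parse(b.date));

  for (const t of ordered) {
    const reasons = [];
    const prior = history.get(t.from) || [];
    // With too little history there is no meaningful "normal" to compare to.
    if (prior.length >= minHistory && t.amount > factor * median(prior)) {
      reasons.push('amount-above-normal');
    }
    if (watchlist.has(t.from) || watchlist.has(t.to)) {
      reasons.push('watchlisted-account');
    }
    if (reasons.length > 0) flagged.push({ id: t.id, reasons });
    history.set(t.from, [...prior, t.amount]);
  }
  return flagged;
}

console.log(flagTransactions(sampleLedger, sampleWatchlist));
```

Transaction 5 is not flagged because its sending account has no history yet, which is the kind of gap an analyst reviewing the chart still has to cover.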

Look at what this visualization reveals about Woody Rutledge’s activities. He moved $7500 from a
Dragon Casino business account into his personal checking account over three transactions in quick
succession...

... then used further transactions to move it to a ShareInt Trading account before moving it back again.

Suspicious.

Later, he transfers the funds to Ned Rubio, who moves them into an offshore account. The final stage is
integration, where Ned transfers the dirty money into a legal entity: Genesis Property Holdings.

Ned and Woody have a history of transactions, and Ned regularly transfers money to this offshore
account. With these carefully-curated ‘low risk’ profiles, Ned and Woody’s transactions don’t at first look
unusual. But thanks to the graph and timeline view, we can see these individual transactions in context,
and expose a wide and fraudulent web.

Preventing fraud
The third stage of the visualization-AI intelligence cycle is prevention – where data science teams use
new information to train their models. Human investigators can teach their AI tools to recognize and
pre-empt the new types of fraud that they’ve identified during their investigation. This is where the
investigation model can be reviewed and improved - and it’s also an opportunity to close loopholes or
vulnerabilities in the system.

This stage of the cycle might prompt larger-scale data mining, to gain insights on wider trends from
multiple investigations. Here, again, visual analytics offer a way to combine data from multiple silos into
a single, clear view that makes trends or patterns stand out.

Using visual analytics in an OSINT investigation


Whether you’re vetting a new employee or examining financial records for a money laundering case, due
diligence investigations always involve a lot of complex and diverse data. The process is gradual and
unpredictable, and investigators often uncover connections in surprising places.

Most successful investigators bring data visualization into their due diligence workflow. Graph
visualization and ‘pattern-of-life’ timelines are essential for compliance because they put users in control
of the investigation, allowing them to combine data from multiple silos into a single, intuitive view.

And data visualization communicates insights in a way that’s easy for anyone to understand, ready to
drop into an internal report, Suspicious Activity Report or prosecution case.

About Cambridge Intelligence
From law enforcement to cybersecurity and fraud detection, every
day, thousands of analysts around the world rely on our software to
‘join the dots’ in data and uncover hidden threats.
Hundreds of organizations have already deployed applications built with our toolkits to
detect and investigate fraud.

Learn more or register for a free trial on our website: cambridge-intelligence.com/try/

KeyLines is a graph visualization toolkit for JavaScript developers. Add graph visualizations to
your applications that work anywhere, as part of any stack.

ReGraph is a graph visualization toolkit for React developers. ReGraph’s data-driven API makes it
quick and easy to add graph visualizations to your React applications.

KronoGraph is a toolkit for building timelines that drive investigations. With KronoGraph it’s
easy to build interactive, scalable timelines to explore evolving relationships and unfolding
events.

cambridge-intelligence.com USA +1 (775) 842-6665 UK +44 (0)1223 362 000


Cambridge Intelligence Ltd, 6-8 Hills Road, Cambridge, CB2 1JP
