Enterprise fraud management is a complex, data-intensive challenge. We’ve written about fraud detection as a connected data problem before. We’ve shown how the key to fraud insight lies in relationships between people, accounts, transactions and events.
Fraud analysts present these relationships using link analysis techniques to help them interpret huge volumes of data much faster. In this way, finding fraud becomes a simpler visual task.

In this blog post I’ll discuss how link analysis fits into two core enterprise fraud management tasks: fraud investigation and fraud detection.
Enterprise fraud management – known vs unknown fraud
In a recent webinar this webinar, I talked about two types of enterprise fraud: known fraud and unknown fraud. Understanding the difference is key to enterprise fraud management.
Known fraud is fraudulent activity we have encountered before. We can define the behavior patterns involved, which means we can use rule scoring and pattern matching to find it. Most of the work is automated and only outliers and edge-cases require further effort. When looking for known fraud, link analysis is used as a investigation tool.
Unknown fraud is the opposite. We have not previously encountered the behavior, so our automated processes will not find it. It requires analysts with experience of fraud management who can understand and spot potential fraud MOs and patterns. Link analysis is a detection tool used by analysts to uncover fraud that would otherwise go unnoticed.
As unknown fraud becomes known fraud, new parameters are added to the automated rule-scoring process. This improves fraud detection and helps analysts keep up with fraudsters’ methods.

Investigating known fraud with link analysis
There are two priorities when you work with known fraud: 1) speed and 2) accuracy.
Analysts looking for known fraud must process their cases quickly. An analyst receives a case and needs to approve or deny it in minutes, or sometimes seconds. Taking fast decisions with confidence is essential. Link analysis is the ideal tool for this kind of review. At a glance, a fraud analyst sees the information they need to make a decision, with full context.
For example, here’s an insurance claim one of our customers investigated with their KeyLines component (the data is redacted):

Here the customer uses a red glyph for claims that have already been dismissed as fraudulent. People, vehicles and addresses connected to that claim are highlighted with an orange halo.
We can see the Policyholder on the right-hand side shares an email address and residential address with the known fraudster. Their latest claim should be investigated further before payments are approved.
Here’s another example from the same link analysis tool. This time, we’re looking at unusual connections between third parties:

There are two third parties, on the left-hand side of the chart, with two Claim Reference Numbers. These may be legitimate claims, but we should analyze them further. KeyLines has useful features to make this analysis easier and more intuitive:
- Automated graph layouts – in both examples we’ve used the standard layout, which spreads out nodes and reduces link overlap. The sequential layout is also useful in these cases.
- Smart node and link grouping (combos) – allows the user to combine nodes, reducing clutter and making multiple connections more explicit.
- An interactive time Bar – can help the analyst understand the evolution of events, or see peaks or troughs in activity.

Detecting unknown fraud with KeyLines
Analysts need a different set of skills to uncover unknown fraud. They must use domain knowledge and experience to think like a fraudster. They need to anticipate new tactics to commit fraud and conceal it from authorities.
Link analysis helps with this.
Investigation of known fraud takes a case-centric approach – sometimes called the local approach – starting from a small point and working outwards. Detection of unknown fraud takes a global approach – taking an overview of a large amount of data to find anomalies.
This is another example taken from an insurance fraud use case that shows the insurance claims made in a single day. Just displaying this data using a link analysis chart reveals patterns:

The majority of our data shows a business as usual scenario. A standard claim has a star shape – with a central case with a small number of policies, individuals and other identifiers.
However, we can also see areas (in the top left) that show unusual connectivity. An analyst would explore this in more detail, using investigative techniques to understand the behaviors involved and whether or not it conceals fraud.

Try it for yourself
These two techniques – investigation and detection – are used in all enterprise fraud management functions. In combination with powerful link analysis tools they help build a robust fraud process.
The examples in this blog post have been simplified and anonymized, but you’re welcome to try KeyLines with your own data. Request a trial account or get in touch for more information.