Managing fraud

with link analysis and

timeline visualization
Contents
Contents
About fraud management 4
What is link analysis? 4
What is timeline visualization? 5
Known and unknown fraud 5
Investigating known fraud 6
Detecting unknown fraud 8
Fraud investigations over time 11
About us 14
About fraud management
Fraud is an expensive and complicated problem. Every year in the US
alone it impacts an estimated 30 million individuals and around 50% of
businesses. It’s so common that most cases are never even reported.
We increasingly rely on new digital technologies and online services. This gives criminals greater
opportunities to commit fraud quickly, remotely and using more complex methods. To stop it, analysts
need the tools to understand a lot of data, fast.

This white paper explores how analysts make sense of fraud data with link analysis and timeline
visualization tools. The examples shown use simplified and synthesized data, but follow real fraud
management workflows. We’ve focused on specific types of fraud, but the techniques apply to any kind of
fraud detection and investigation.

For more examples of how our tools help organizations manage fraud, take a look at our blog.

What is link analysis?

Link analysis is a technique for visually exploring connections and relationships.

Whenever an event occurs - a financial transaction, an insurance claim, a login to an online banking
system - it creates a digital footprint. Using link analysis, fraud analysts can visually connect those
footprints, uncovering unusual patterns and detecting fraudulent activity.

Link analysis helps analysts to interpret and understand huge volumes of data, fast

Link analysis isn’t new. Law enforcement and financial services organizations have used the technique
for decades. Link analysis tools, however, have improved significantly over time. Growing data volumes,
evolving fraud methods, and distributed analyst teams have resulted in a new generation of web-based,
fully customizable tools.

4
What is timeline visualization?
Timeline visualizations show those digital footprints in an interactive and scaleable format timeline.
Whether combined with a link analysis chart or used as a stand-alone tool, timelines give analysts an
insight into when events happened, and how they were linked.

An example of a timeline visualization, showing events over time

Investigating known fraud and detecting unknown fraud

Broadly, we can define two categories of fraud: known fraud and unknown fraud.

Known fraud is fraudulent activity that’s been seen before. We can define the behavior patterns and find
them with rule-scoring and pattern-matching. When an analyst looks for known fraud, link analysis and
timeline visualization act as investigation tools for cases that cannot be managed automatically.

Unknown fraud is fraudulent activity that an analyst doesn’t recognize, and that automated processes
won’t spot. It requires a human to identify new or unusual patterns. Here, link analysis and timeline
visualization becomes a detection tool.

Insight from unknown fraud detection feeds directly into known fraud investigation processes

As unknown fraud becomes known fraud, we add new parameters to the automated processes,
improving rule-scoring and filtering as the criminal activity evolves.

5
Investigating known fraud
Most known fraud systems work in a similar way. Transaction data is collated at scale then rule-scored
and sorted into three categories: fraud, not fraud and unsure. The ‘unsures’ get manually reviewed - an
investigation process that needs to balance speed with accuracy.

Here’s a link analysis chart showing vehicle insurance claim data. Nodes represent claims, vehicles,
people, and addresses. An automatic hierarchy layout makes it easy to spot dependencies.

As the analyst explores this link analysis chart, they can call back to the database to find matches. This
returns all other claims with shared attributes, and adds them to the chart:

Here we’re looking for connections to other claims that we know are fraudulent, or that could indicate
fraud. If we combine identical nodes, it makes those connections stand out:

6
The chart highlights two claimants living in the same Colnbrook Street address. Their shared surname
suggests a family relationship, which isn’t unusual.

Elsewhere in the chart, there’s a more suspicious connection. One of the vehicles in the original claim,
registration number DA53 RMX, was involved in a separate claim just six months before. At this point, the
analyst can decide to submit this case for further investigation:

Known fraud detection is about volume and speed. Analysts often need to approve or deny cases in
minutes, or sometimes seconds. The ability to make fast decisions with confidence is essential.

Link analysis gives the fraud analyst the at-a-glance view that makes this possible.

7
Detecting unknown fraud
Analysts use specialist skills to uncover unknown fraud. They need domain knowledge and experience to
think like a criminal. They must anticipate new tactics to commit fraud and hide it from authorities. Graph
visualization helps with this.

Investigating known fraud takes a case-centric (or local) approach - starting from a specific point and
working outwards. Detecting unknown fraud takes a global approach - taking an overview of a large
amount of data to find anomalies.

The global approach to unknown fraud detection: visualizing data in volumes to scan for outliers

The next example is from another vehicle insurance fraud use case. The fictional but typical dataset
includes links between nodes representing policies, policyholder details, insurance claims, vehicle damage,
doctors, witnesses, and mechanics.

8
Visualizing many cases in one chart makes it easy to spot ordinary claims (the Y-shaped structures dotted
around the chart) and highlights more complex, or potentially fraudulent claims:

This claim on a single policy contains nine separate damage claims

Spotting unknown fraud relies on the analyst’s domain knowledge and powers of investigation, enhanced
by advanced link analysis techniques.

For example, we can simplify the view above to show people who share 1st or 2nd-degree connections
through claims and policies. This reveals people involved in multiple claims. At the same time, we apply
a social network analysis centrality measure to highlight the most well-connected people. This reveals
Neville Cameron as a person of interest:

Larger nodes represent individuals linked to multiple insurance claims – legitimate or fraudulent

9
Alternatively, we can take a closer look at the types of damage listed in a claim. Some types of vehicle
damage are more common than others. One mechanic fixing a disproportionately high number of similar
issues could be a sign of claim inflation - a common fraud tactic where policyholders claim for more
damage than actually occurred.

Here we’ve grouped damage claims by type, showing a high number of off-side rear door fixes happening
at Fraser’s Garage. Let’s plot this suspicious activity on a map to see how policyholders are connected to
the garages listed in their claims:

From our analysis of damage types, we know Fraser’s mechanics was associated with an unusually high
number of claims involving one specific vehicle body part. This map view shows that several claimants
traveled significant distances for repairs at Fraser’s, even though there were shops much closer to home.
Could Fraser’s be involved in an organized scam?

We can see how flexible link analysis drives this investigative approach, so analysts can follow their
instincts when detecting unknown fraud.

10
Fraud investigations with timeline visualization
The previous examples show how link analysis helps answer the ‘who’, ‘what’, ‘where’, ‘why’ and ‘how’
questions in a fraud management process. But often fraud analysts also need to understand the ‘when’.

Here, for example, we can see a link analysis chart showing a credit card activity. Merchants are
represented by cart icons, and card holders by people icons. The links represent transactions - green is
approved, red is disputed.

This dataset is adapted from a Neo4j GraphGist.

With so many connected disputed transactions, an analyst might assume a card cloning scam is
happening somewhere.

While the link analysis shows us the transactions and their value, the analyst needs to see the activity
chronologically to uncover where the cards might have been cloned. Which disputed transaction
happened first? Where Marc did use his card before that first transaction? We need a timeline
visualization to answer these questions.

Let’s investigate Marc’s disputed transactions, for example, and make him the focus of our timeline.

11
Along the top and bottom, a scale shows the timeframe of the activity we’re investigating. The entities in
our data – cardholders and merchants – are on the left-hand side. The events connecting those entities
represent transactions, shown in grey or red depending on whether or not they were disputed.

With this view, we can quickly spot that the first disputed transaction was at Walgreens. We’ll pin that to
our timeline, and add more data.

Now, to focus on the most interesting data, we’ll filter to show only cardholders with disputed transactions.

Combining Marc’s card data with other cardholder information, we spot Paul with a strikingly similar
transaction history. Both have high-value disputed transactions at Walgreens at around the same time.
They also both visited a Walmart store a week or two before their first disputed transactions. Were their
cards cloned at Walmart?

12
This simple example shows how timeline visualization provides a different perspective on connected fraud
data, revealing patterns in time that would otherwise be impossible to unravel.

13
About us
At Cambridge Intelligence, we build data visualization tools that make the world a safer place.

From law enforcement to cybersecurity and fraud detection, every day, thousands of analysts around the
world rely on our software to ‘join the dots’ in data and uncover hidden threats.

Hundreds of organizations have already deployed applications built with our toolkits to detect and
investigate fraud, including Fico, Aviva, Visa, JP Morgan Chase, Western Union, Allianz and BAE Systems.

Learn more or register for a free trial on our website.

KeyLines ReGraph KronoGraph

is a graph visualization toolkit is a graph visualization toolkit is a toolkit for building timelines
for JavaScript developers for React developers that drive investigations.

Add graph visualization to your ReGraph’s data-driven API makes With KronoGraph it’s easy to build
applications that work anywhere, it quick and easy to add graph interactive, scalable timelines to
as part of any stack. visualizations to your React explore evolving relationships and
applications. unfolding events.

cambridge-intelligence.com USA +1 (775) 842-6665 UK +44 (0)1223 362 000

Cambridge Intelligence Ltd, 6-8 Hills Road, Cambridge, CB2 1JP