Skip to main content
Splunk Lantern

Detecting consumer bank account takeovers


Working as part of a fraud detection team, you need to be able to quickly identify when a customer’s account is taken over by a fraudster.

The types of indicators you look for when detecting account takeover include:

  • Password guessing
  • Multiple IP addresses accessing an account
  • Multiple accounts being accessed by a single IP address
  • Unusual IP addresses accessing an account (for example a foreign country, TOR node, or proxy)
  • Unusual account behaviour (for example a password change and email change, followed by money movement, since fraudsters often change password or email after gaining access to prevent the legitimate user from getting back in, then they steal money)
  • Unusual browser type (or user agent)
  • Browser language not matching customer locale (for example the Russian language used by a USA user)

Required data

Business service data for banking transactions

How to use Splunk software for this use case

The Splunk App for Fraud Analytics comes with correlation searches out of the box to help you find incidents such as these. Depending on your environment and requirements, you might find it useful to look for some or all of the following: 

Next steps

These resources might help you understand and implement this guidance:

Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at if you require assistance.