Splunk Lantern

Detecting credit card fraud

 

You work for a credit card provider and need to monitor consumer transactions to prevent fraud. You are aware of various indicators of credit card fraud, and you need to analyze transactions as they occur to monitor for these indicators and surface them as suspicious through regular reporting. The Splunk platform can help increase your operational intelligence and efficiency within the financial services industry. Since the Splunk platform collects and indexes machine data in near real time, most of the searches provided here can be run in near real time, giving you a business advantage over other solutions.

Data required

Some commands, parameters, and field names in the searches below may need to be adjusted to match your environment. In addition, to optimize the searches shown below, you should specify an index and a time range when appropriate. Several of the searches use streamstats with the time_window option, which requires the events to arrive in time order; if your data is not sorted by _time, sort it before the streamstats command.

Splunk recommends that customers look into using data models, report acceleration, or summary indexing when searching across hundreds of GBs of events in a single search. The searches provided here are a good starting point, but depending on your data, search time range, and other factors, more can be done to ensure that they scale appropriately.

Detect large and rapid credit card spending

A common sign of fraud is a card being used for many purchases in a short time span, especially when the purchases are for large dollar amounts. The search below flags any customer with five or more transactions totalling more than $5,000 within a one-minute window.

sourcetype=<business service data>
| streamstats earliest(_time) AS _time latest(_time) AS latest_time time_window=1m count(action) AS num_transactions sum(amount) AS total_spent BY customer
| where ((total_spent > 5000) AND (num_transactions >= 5))
| eval latest_time=strftime(latest_time,"%Y/%m/%d %H:%M:%S"), total_spent=tostring(round(total_spent,2),"commas")
| table customer, _time, latest_time, num_transactions, total_spent, category

Detect outlier credit card spending by category

A common sign of fraud is when a customer starts spending large amounts of money in categories they don't usually shop in. For example, if a customer never uses their card for travel but suddenly buys a $2,000 airplane ticket, you would be concerned. The search below compares each transaction over $1,000 against the pipe-delimited list of categories the customer usually shops in, supplied by the lookup, and reports the transactions whose category is not in that list.

sourcetype=<business service data>
| lookup <name of lookup file of categorized spending>
| streamstats window=1 list(category) AS category BY customer
| where (amount > 1000)
| makemv delim="|" categories
| eval match=if(match(categories,category),1,0)
| where (match == 0)
| eval amount=tostring(round(amount,2),"commas")
| table customer, _time, amount, categories, category, action

Detect outlier credit card spending by value

A common sign of fraud with a stolen card is a card that is rarely used suddenly being used to spend a large amount. The search below flags customers whose previous transaction was more than six months ago and whose current spending totals more than $3,000.

sourcetype=<customer information data source>
| stats sum(amount) AS total_spent first(_time) AS _time first(previous_tx_date) AS previous_date BY customer
| where (('_time' > relative_time(strptime(previous_date,"%m/%d/%Y %H:%M:%S"),"+6mon")) AND (total_spent > 3000))
| eval total_spent=tostring(round(total_spent,2),"commas")

Detect an excessive number of credit card transactions in a short period

A common sign of fraud with a stolen card is a large number of transactions in a short time period. The search below flags customers with ten or more transactions within a one-minute window and, because of the dedup command, reports each customer once.

sourcetype=<customer information data source>
| streamstats earliest(_time) AS _time latest(_time) AS latest_time time_window=1m count(action) AS num_transactions BY customer
| where (num_transactions >= 10)
| eval latest_time=strftime(latest_time,"%Y-%m-%d %H:%M:%S")
| dedup customer
| table customer, _time, latest_time, num_transactions, category

Detect credit card test purchases

A common sign of fraud is when a credit card is used to make a small purchase, immediately followed by a large purchase; the small purchase is used to test whether the card still works. The search below flags customers whose earliest transaction in a one-minute window is under $20 and whose latest is over $3,000.

sourcetype=<customer information data source>
| streamstats earliest(amount) AS first_amount latest(amount) AS last_amount earliest(_time) AS _time latest(_time) AS latest_time time_window=1m count(action) AS num_transactions by customer
| where (((first_amount < 20) AND (last_amount > 3000)) AND (num_transactions >= 2))
| eval first_amount=tostring(round(first_amount,2),"commas"), last_amount=tostring(round(last_amount,2),"commas"), latest_time=strftime(latest_time,"%Y/%m/%d %H:%M:%S")
| table customer, _time, latest_time, num_transactions, first_amount, last_amount
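As an added example that is not part of this article or of any Splunk app, the following Python emulates what the streamstats time_window=1m ... BY customer searches in the rapid-spending, excessive-transactions and test-purchase sections compute, and applies the same thresholds, so you can check the logic against a known input before running it in Splunk. The transaction data is constructed for the example; field names and thresholds follow the searches above.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample transactions (not from the article): (_time, customer, amount).
SAMPLE = [
    ("2024-03-01 10:00:00", "alice", 5.00),      # small "test" purchase...
    ("2024-03-01 10:00:20", "alice", 3500.00),   # ...followed by a large one 20 s later
    ("2024-03-01 10:00:00", "bob", 1200.00),
    ("2024-03-01 10:00:10", "bob", 1300.00),
    ("2024-03-01 10:00:20", "bob", 1100.00),
    ("2024-03-01 10:00:30", "bob", 900.00),
    ("2024-03-01 10:00:40", "bob", 800.00),      # 5 transactions, $5,300 within 40 s
    ("2024-03-01 10:05:00", "carol", 50.00),
    ("2024-03-01 10:20:00", "carol", 4000.00),   # 15 min apart: the 1-minute window has expired
] + [(f"2024-03-01 10:30:{5 * i:02d}", "dave", 1.00) for i in range(10)]  # 10 tx in 45 s

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").timestamp()

def detect(events, window=60):
    """Emulate `streamstats ... time_window=1m ... BY customer` and apply the three thresholds."""
    recent = defaultdict(deque)   # customer -> (time, amount) events inside the trailing window
    seen = set()                  # (rule, customer) already reported: mimics `dedup customer`
    alerts = []
    for when, customer, amount in sorted(events, key=lambda e: _ts(e[0])):  # time order, like Splunk
        now = _ts(when)
        q = recent[customer]
        q.append((now, amount))
        while q and q[0][0] < now - window:   # drop events that fell out of the window
            q.popleft()
        count = len(q)                        # count(action)
        total = sum(a for _, a in q)          # sum(amount)
        first_amount, last_amount = q[0][1], amount   # earliest(amount), latest(amount)
        rules = {
            "rapid_spend": total > 5000 and count >= 5,
            "excessive_tx": count >= 10,
            "test_purchase": first_amount < 20 and last_amount > 3000 and count >= 2,
        }
        for rule, hit in rules.items():
            if hit and (rule, customer) not in seen:
                seen.add((rule, customer))
                alerts.append({"rule": rule, "customer": customer, "num_transactions": count,
                               "total_spent": round(total, 2), "window": (q[0][0], now)})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Running it reports alice (test purchase), bob (rapid spending) and dave (excessive transactions); carol is not reported because her two transactions fall outside the one-minute window.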

Results

Analysts can investigate possible fraudulent activity and take the appropriate steps to notify the customer. This often includes alerting the customer right away to prevent further fraud, since the activity could be carried out by a bot or with a stolen credit card.

Next steps

The Splunk Essentials for the Financial Services Industry app helps you automate the searches provided in this article. The app also provides more insight into how they can be applied in your environment, how they work, their difficulty level, and what data is needed to run them successfully. In addition, the Splunk Essentials for the Financial Services Industry app provides a number of other monitoring and reporting solutions for banking services.

These additional Splunk resources might help you understand and implement this use case:

Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at ondemand@splunk.com if you would like assistance.