Fraud Fighting: How to Spot Patterns and Stay Ahead of Attacks
Fraud is always happening—you just can’t always see it. That’s the hard truth I’ve learned after years of chasing fraudsters through payment systems, customer accounts, and even fake reviews. If you’re a fraud fighter, you’ve probably seen it too. The attack may start small—a couple of chargebacks or a few account takeovers—but it doesn’t stay small for long.
Take it from me: I once spotted the first two confirmed account takeovers (ATO) at one business. They both happened in a single month’s span. Every month, the numbers doubled, tripled, quadrupled and more. Within less than a year, those numbers ballooned to over 300 per day. The fraudsters weren’t stopping because they knew they could get away with it. And, like within many companies, the fraud team wasn’t able to act fast enough because the losses hadn’t yet hit a breaking point to be made a priority by the business until it was an “all-hands-on-deck” fire, even though the business was aware of the issue.
In this post, I’m walking you through some of the investigation processes I use to spot fraud early, identify patterns, and build defenses that stop attacks in their tracks. Let’s dive in.
Step 1: Think Like a Fraudster (Thanks, Alex)
Fraud investigations start with a simple mindset: If you think it’s happening, it probably is.
You know your company’s weaknesses and its fraud. So start by asking yourself: What would I do if I were going to try to rip off my company?
Fraudsters are often incredibly resourceful, and they count on companies skipping basic verifications. For example, many businesses don’t validate phone numbers, addresses, or even payment details. Fraudsters exploit this lack of data hygiene, knowing their bogus information will pass unnoticed.
One of the best pieces of advice I’ve received came from Alexander Hall from Sift: “Think like a fraudster.” By understanding their tactics, you can anticipate where they’ll strike next.
Step 2: Start with the Data
Even without advanced tools, your first move should always be to dive into the data. At Spec, we refer to this as reviewing "entities". Some examples would be: account details, device data, or payment information that can help paint a picture of what’s happening.
Here’s my go-to approach:
- Aggregate and Analyze:
Run queries to gather and aggregate your data. Get counts on everything where you think velocity might be risky. Export the data into a spreadsheet (Google Docs or Excel works fine) to uncover patterns:
  - How many accounts share the same payment method or device?
  - Are there spikes in refund claims or chargebacks?
- Highlight Risks:
Use conditional formatting to flag high-risk entries. Start filtering and sorting to focus on suspicious patterns. The activities with the most risk indications become your primary focus. At this point you can determine their patterns, looking closer to get micro on the fraud and rule out potential false positives.
- Review Personally Identifiable Information (PII):
Look at how customers are entering emails, addresses, phone numbers, or other identifiers. For example, Google mapping used to allow addresses to be entered in seven different accepted ways. On top of potentially receiving any one of those seven formats, there are many workarounds in use, like adding extra or special characters and ordering to a neighbor, that can further dilute your ability to use that information as entered, but you can spot them. Emails, names and other customer-entered details easily mask identities and connections, but they often contain repetitious character combinations that are like signatures. Patterns like these can help you identify inconsistencies or potential fraud.
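To make the aggregation and PII review above concrete, here is an added example (not code from the original post or from Spec) that normalizes emails and addresses before counting how many accounts share each entity. The sample rows, field names, abbreviation map and the choice to treat "+tag" suffixes as aliases on every domain are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample signups; every value is invented for illustration.
SIGNUPS = [
    {"account": "A1", "email": "J.Doe+promo1@gmail.com", "address": "12 Main Street, Apt. 4", "device": "dev-9f"},
    {"account": "A2", "email": "jdoe+promo2@gmail.com", "address": "12 main st apt 4", "device": "dev-9f"},
    {"account": "A3", "email": "j.d.o.e@gmail.com", "address": "12 Main St. #4", "device": "dev-9f"},
    {"account": "A4", "email": "maria@example.org", "address": "77 Oak Avenue", "device": "dev-2c"},
]

# Assumed abbreviation map; extend it with the variants your own data shows.
ABBREVIATIONS = {"street": "st", "avenue": "ave", "apartment": "apt", "#": "apt"}

def normalize_email(email):
    """Lowercase, drop '+tag' suffixes, and drop dots for Gmail (which ignores them)."""
    local, _, domain = email.strip().lower().partition("@")
    local = local.split("+", 1)[0]  # assumption: '+tag' is an alias on any domain
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
    return f"{local}@{domain}"

def normalize_address(address):
    """Lowercase, isolate '#', strip punctuation, and unify common abbreviations."""
    text = address.lower().replace("#", " # ")
    tokens = re.findall(r"[a-z0-9#]+", text)
    return " ".join(ABBREVIATIONS.get(t, t) for t in tokens)

def shared_entities(rows, field, normalizer=lambda v: v, min_accounts=2):
    """Map each normalized value to its accounts, keeping values shared by >= min_accounts."""
    groups = defaultdict(set)
    for row in rows:
        groups[normalizer(row[field])].add(row["account"])
    return {v: sorted(accts) for v, accts in groups.items() if len(accts) >= min_accounts}

if __name__ == "__main__":
    for field, fn in (("email", normalize_email), ("address", normalize_address), ("device", str)):
        print(field, shared_entities(SIGNUPS, field, fn))
```

Without normalization, the three constructed accounts A1 to A3 would look like three unrelated customers on email and address; only the device would link them.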
Step 3: Dig Deeper for Patterns
When fraudsters strike, they rarely leave just one clue. Often, you’ll see clusters of related activity if you know where to look.
- Find Common Denominators:
Once I’ve flagged risks, I narrow my focus. For instance, in one of our customer cases, we found that nearly every fraudulent transaction came from the same ISP, one that was not seen in use by genuine customers. From there, we took some additional risky behaviours and built criteria to block fraud while minimizing false positives.
- Test for False Positives:
Fraud fighters walk a fine line between catching bad actors and frustrating good customers. Businesses hate false positives—and for good reason. Accuracy above 90% in fraud prevention efforts is the goal, so you have to get micro and detailed to filter out genuine users from your defenses. When there is a fire, there can be more opportunity and appetite to allow some false positives, but once that fire is out, revisit the data to find ways of reducing them and getting your efficacy back up.
Step 4: Be Proactive, Not Reactive
Too many companies wait for alarm bells—whether it’s significant financial loss, customer complaints, or a PR nightmare—before addressing fraud. By then, the damage is already done.
If you can spot fraud in its early stages, you can save your company from the worst outcomes. That’s why I recommend:
- Regularly analyzing data for anomalies, even when everything seems fine.
- Investing in tools that make investigations intuitive, fast, and actionable.
- Building workflows that allow fraud teams to act quickly without waiting on engineering.
Step 5: Build Defenses That Last
Fraudsters are persistent because they know how much companies hate change. They’ll exploit gaps in your systems as long as those gaps exist. To outsmart them, you need systems that adapt as quickly as they do.
Personally, I like to use three risk indicators, minimum, to confidently classify something as fraud. At Spec, combining device data, payment types, and other behavioral patterns, I’ve been able to stop attacks before they spiral out of control. The key is to make sure your data tells a story you can act on—fast.
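The three-indicator minimum, and the false-positive testing from Step 3, can be sketched as follows. This is an added example, not code from the original post or from Spec; the orders, the indicator names, the thresholds and the "isp-x" value are all constructed assumptions.

```python
from collections import defaultdict

# Constructed orders with analyst-reviewed outcomes ("fraud"); all values invented.
ORDERS = [
    {"id": 1, "account": "A1", "device": "d1", "card": "c1", "isp": "isp-x", "refunds_30d": 2, "fraud": True},
    {"id": 2, "account": "A2", "device": "d1", "card": "c1", "isp": "isp-x", "refunds_30d": 0, "fraud": True},
    {"id": 3, "account": "A3", "device": "d1", "card": "c1", "isp": "isp-x", "refunds_30d": 3, "fraud": True},
    {"id": 4, "account": "A4", "device": "d2", "card": "c2", "isp": "isp-y", "refunds_30d": 2, "fraud": False},
    {"id": 5, "account": "A5", "device": "d3", "card": "c3", "isp": "isp-y", "refunds_30d": 0, "fraud": False},
    {"id": 6, "account": "A6", "device": "d4", "card": "c4", "isp": "isp-x", "refunds_30d": 0, "fraud": False},
]
RISKY_ISPS = {"isp-x"}  # hypothetical ISP tied to confirmed fraud in this sample

def accounts_per(orders, field):
    """Count distinct accounts seen behind each value of `field`."""
    seen = defaultdict(set)
    for o in orders:
        seen[o[field]].add(o["account"])
    return {value: len(accts) for value, accts in seen.items()}

def indicators(order, per_device, per_card):
    """Return the names of the risk indicators this order trips (thresholds are assumed)."""
    checks = {
        "shared_device": per_device[order["device"]] >= 3,
        "shared_card": per_card[order["card"]] >= 3,
        "risky_isp": order["isp"] in RISKY_ISPS,
        "refund_velocity": order["refunds_30d"] >= 2,
    }
    return [name for name, hit in checks.items() if hit]

def classify(orders, min_indicators=3):
    """Flag orders that trip at least `min_indicators` independent indicators."""
    per_device, per_card = accounts_per(orders, "device"), accounts_per(orders, "card")
    flagged = {}
    for o in orders:
        hits = indicators(o, per_device, per_card)
        if len(hits) >= min_indicators:
            flagged[o["id"]] = hits
    return flagged

def precision(orders, flagged):
    """Share of flagged orders that reviewers confirmed as fraud."""
    if not flagged:
        return 0.0
    return sum(1 for o in orders if o["id"] in flagged and o["fraud"]) / len(flagged)

if __name__ == "__main__":
    for n in (1, 3):
        f = classify(ORDERS, n)
        print(n, sorted(f), round(precision(ORDERS, f), 2))
```

On this constructed sample, flagging on a single indicator also catches genuine orders 4 and 6, while requiring three indicators flags only the confirmed fraud cluster.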
Final Thoughts
Fraud fighting is hard work. Most teams are working with limited resources and tools, trying to stay afloat while fraudsters innovate faster than ever. But with the right mindset, processes, and technology, you can stay ahead.
If you’re investigating fraud today, start with your data. Think like a fraudster (thank you, Alex), look for patterns, connect sessions, behaviours and accounts, and don’t stop until you’ve found the story hiding in the noise. Because one thing’s for sure: the fraud is there. The question really is, “Can you catch it?”
Yes, you can!
Would you like to hear more investigation tips or share your own war stories? Let’s connect. Together, we can push fraud out of the shadows.
Let’s Rock’n’Ruin!
As a seasoned fraud management professional with nearly 6 years of experience and CPFPP certification, Shawn specializes in developing and executing comprehensive fraud strategies that protect businesses from financial and reputational losses due to fraud. His background includes leading fraud investigations, building in-house fraud solutions, and enhancing fraud analytics capabilities at companies like Neo Financial and JustEatTakeaway.com. Shawn thrives in high-pressure environments where swift and accurate decision-making is critical. His passion for fighting fraud extends beyond the workplace and he is deeply committed to the fraud-fighting community.