
Introduction

gu1’s transaction monitoring enables you to detect and prevent fraud in real time. This guide covers the most common fraud patterns and provides production-ready rules you can implement immediately.

Detectable Fraud Types

Card Testing

Detection of stolen card validation attempts

Account Takeover

Identification of compromised accounts

Transaction Velocity

Unusual transaction frequency patterns

Impossible Travel

Transactions from impossible geographic locations

First Transaction Fraud

High-risk first purchases

Friendly Fraud

Legitimate purchases followed by chargebacks

Risk Indicators

High Risk

  • Multiple failed transactions in short time
  • Transaction from sanctioned country
  • Impossible geographic travel
  • New user with high amount
  • Mismatch between billing and shipping

Medium Risk

  • Unusual transaction frequency
  • Transaction outside normal hours
  • New device or IP
  • High-risk merchant category
  • Multiple cards from same device

Low Risk

  • Transaction within normal patterns
  • Verified user and device
  • Low amount
  • Domestic transaction
  • Standard merchant category

Production-Ready Rules

1. Card Testing Detection

Blocks automated stolen card validation attempts.
{
  "name": "Card Testing Detection - BLOCK",
  "category": "fraud",
  "priority": 950,
  "enabled": true,
  "evaluationMode": "sync",
  "targetEntityTypes": ["transaction"],
  "conditions": {
    "operator": "AND",
    "conditions": [
      {
        "field": "origin.paymentMethod",
        "operator": "EQUALS",
        "value": "CARD"
      },
      {
        "field": "metadata.cardFailedAttempts1h",
        "operator": "GREATER_THAN",
        "value": 3
      },
      {
        "field": "amount",
        "operator": "LESS_THAN",
        "value": 10
      }
    ]
  },
  "actions": [
    {
      "type": "generate_alert",
      "config": {
        "severity": "critical",
        "type": "card_testing",
        "message": "Card {{origin.accountId}} has {{metadata.cardFailedAttempts1h}} failed attempts in last hour"
      }
    },
    {
      "type": "set_decision",
      "config": {
        "decision": "REJECT",
        "reason": "Card testing pattern detected"
      }
    }
  ]
}
When it triggers:
  • Card has more than 3 failed attempts in the last hour
  • Transaction amount is less than $10
  • Payment method is card
Recommended action: REJECT

2. First Transaction High Amount

Requires additional verification for high-value first transactions.
{
  "name": "First Transaction - High Amount Review",
  "category": "fraud",
  "priority": 900,
  "enabled": true,
  "evaluationMode": "sync",
  "targetEntityTypes": ["transaction"],
  "conditions": {
    "operator": "AND",
    "conditions": [
      {
        "field": "metadata.userTransactionCount",
        "operator": "EQUALS",
        "value": 0
      },
      {
        "field": "amount",
        "operator": "GREATER_THAN",
        "value": 500
      },
      {
        "field": "metadata.userVerificationLevel",
        "operator": "IN",
        "value": ["none", "basic"]
      }
    ]
  },
  "actions": [
    {
      "type": "generate_alert",
      "config": {
        "severity": "high",
        "type": "first_transaction_high_amount",
        "message": "First transaction for ${{amount}} from unverified user {{originEntityId}}"
      }
    },
    {
      "type": "set_decision",
      "config": {
        "decision": "ADDITIONAL_AUTH_REQUIRED",
        "reason": "High amount first transaction - require 3DS authentication"
      }
    }
  ]
}
When it triggers:
  • User’s first transaction
  • Amount greater than $500
  • User not fully verified
Recommended action: ADDITIONAL_AUTH_REQUIRED (3DS)

3. Impossible Travel Detection

Detects transactions from geographically impossible locations.
{
  "name": "Impossible Travel Detection",
  "category": "fraud",
  "priority": 900,
  "enabled": true,
  "evaluationMode": "sync",
  "targetEntityTypes": ["transaction"],
  "conditions": {
    "operator": "AND",
    "conditions": [
      {
        "field": "metadata.lastTransactionCountry",
        "operator": "NOT_EQUALS",
        "value": "{{originDeviceData.location.country}}"
      },
      {
        "field": "metadata.timeSinceLastTransaction",
        "operator": "LESS_THAN",
        "value": 3600
      },
      {
        "field": "metadata.distanceFromLastTransaction",
        "operator": "GREATER_THAN",
        "value": 1000
      }
    ]
  },
  "actions": [
    {
      "type": "generate_alert",
      "config": {
        "severity": "critical",
        "type": "impossible_travel",
        "message": "User transaction from {{originDeviceData.location.country}} - {{metadata.distanceFromLastTransaction}}km from last transaction {{metadata.timeSinceLastTransaction}} seconds ago"
      }
    },
    {
      "type": "set_decision",
      "config": {
        "decision": "HOLD",
        "reason": "Impossible travel detected - manual review required"
      }
    }
  ]
}
When it triggers:
  • Transaction from different country than previous
  • Less than 1 hour since last transaction
  • More than 1000km distance
Recommended action: HOLD
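
The rule above only compares three precomputed metadata values. This added example (not gu1 code) shows one way to derive them from the previous and current transaction with a great-circle distance. It assumes the integrator supplies these fields; the record keys lat, lon, country and at, and the extra impliedSpeedKmh field, are hypothetical.

```python
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0088  # mean Earth radius

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two latitude/longitude points, in km."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def travel_metadata(prev, curr):
    """Build the metadata rule 3 reads, or None when there is no usable history."""
    if prev is None:
        return None
    coords = (prev.get("lat"), prev.get("lon"), curr.get("lat"), curr.get("lon"))
    if None in coords:
        return None  # no geolocation: do not report a fake distance of 0
    # abs() tolerates events that arrive out of order
    seconds = abs((curr["at"] - prev["at"]).total_seconds())
    km = haversine_km(*coords)
    return {
        "lastTransactionCountry": prev["country"],
        "timeSinceLastTransaction": int(seconds),
        "distanceFromLastTransaction": round(km),
        # hypothetical extra field: implied speed helps reviewers rank alerts
        "impliedSpeedKmh": round(km / (seconds / 3600)) if seconds else None,
    }

def rule3_matches(meta, current_country):
    """The same three comparisons as the rule's AND group."""
    return (meta is not None
            and meta["lastTransactionCountry"] != current_country
            and meta["timeSinceLastTransaction"] < 3600
            and meta["distanceFromLastTransaction"] > 1000)

# Constructed sample data (not real transactions).
UTC = timezone.utc
SAO_PAULO = {"lat": -23.5505, "lon": -46.6333, "country": "BR", "at": datetime(2024, 5, 1, 12, 0, tzinfo=UTC)}
LISBON = {"lat": 38.7223, "lon": -9.1393, "country": "PT", "at": datetime(2024, 5, 1, 12, 40, tzinfo=UTC)}
RIO = {"lat": -22.9068, "lon": -43.1729, "country": "BR", "at": datetime(2024, 5, 1, 12, 40, tzinfo=UTC)}
```

Returning None when coordinates are missing keeps the rule from silently treating an unlocated transaction as zero distance; handle that case with a separate rule or alert.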

4. Transaction Velocity - High Risk

Monitors unusual transaction frequency.
{
  "name": "Transaction Velocity - High Risk",
  "category": "fraud",
  "priority": 850,
  "enabled": true,
  "evaluationMode": "async",
  "targetEntityTypes": ["transaction"],
  "conditions": {
    "operator": "OR",
    "conditions": [
      {
        "operator": "AND",
        "conditions": [
          {
            "field": "metadata.userTransactionCount1h",
            "operator": "GREATER_THAN",
            "value": 10
          },
          {
            "field": "amount",
            "operator": "GREATER_THAN",
            "value": 100
          }
        ]
      },
      {
        "operator": "AND",
        "conditions": [
          {
            "field": "metadata.userTransactionCount24h",
            "operator": "GREATER_THAN",
            "value": 50
          },
          {
            "field": "metadata.userAverageTransactionsPerDay",
            "operator": "LESS_THAN",
            "value": 10
          }
        ]
      }
    ]
  },
  "actions": [
    {
      "type": "generate_alert",
      "config": {
        "severity": "high",
        "type": "velocity_anomaly",
        "message": "User {{originEntityId}} has abnormal transaction velocity: {{metadata.userTransactionCount1h}} in last hour, {{metadata.userTransactionCount24h}} in last 24h (average: {{metadata.userAverageTransactionsPerDay}}/day)"
      }
    },
    {
      "type": "create_investigation",
      "config": {
        "priority": "high",
        "assignToTeam": "fraud_prevention"
      }
    }
  ]
}
When it triggers:
  • More than 10 transactions in 1 hour with amount > $100, OR
  • More than 50 transactions in 24h when average is < 10/day
Recommended action: Generate alert for investigation
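
To check thresholds before enabling a rule, the nested condition tree can be evaluated offline against sample transactions. This is an added example, not gu1's engine: operator semantics are assumed from the operator names, and it also reports fields the transaction did not carry, because a missing enrichment field means the rule can never fire.

```python
import operator

# Operator semantics are assumed from the operator names, not taken from gu1's engine.
OPS = {
    "EQUALS": operator.eq,
    "NOT_EQUALS": operator.ne,
    "GREATER_THAN": operator.gt,
    "LESS_THAN": operator.lt,
    "IN": lambda actual, allowed: actual in allowed,
}
_MISSING = object()

def lookup(record, dotted):
    """Resolve a dotted path such as 'metadata.userTransactionCount1h'."""
    node = record
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node

def evaluate(cond, txn, missing=None):
    """Return True if the tree matches; append absent field names to `missing`."""
    missing = [] if missing is None else missing
    if "conditions" in cond:  # group node: AND / OR over its children
        results = [evaluate(c, txn, missing) for c in cond["conditions"]]
        return all(results) if cond["operator"] == "AND" else any(results)
    actual = lookup(txn, cond["field"])
    if actual is _MISSING:  # an absent field can never satisfy a comparison
        missing.append(cond["field"])
        return False
    return OPS[cond["operator"]](actual, cond["value"])

# Conditions of rule 4, copied from the rule above.
VELOCITY = {"operator": "OR", "conditions": [
    {"operator": "AND", "conditions": [
        {"field": "metadata.userTransactionCount1h", "operator": "GREATER_THAN", "value": 10},
        {"field": "amount", "operator": "GREATER_THAN", "value": 100}]},
    {"operator": "AND", "conditions": [
        {"field": "metadata.userTransactionCount24h", "operator": "GREATER_THAN", "value": 50},
        {"field": "metadata.userAverageTransactionsPerDay", "operator": "LESS_THAN", "value": 10}]},
]}

def check(txn):
    """Return (matched, sorted list of fields the transaction did not carry)."""
    missing = []
    return evaluate(VELOCITY, txn, missing), sorted(set(missing))
```

With these semantics GREATER_THAN is strict, so exactly 10 transactions in the hour does not match; the eleventh does.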

5. High-Risk IP Detection

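Sends transactions from high-risk IPs and anonymization services (Tor, proxy, VPN) to review. Despite the rule name, the configured decision is REVIEW_REQUIRED, not a block.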
{
  "name": "High-Risk IP - Block",
  "category": "fraud",
  "priority": 900,
  "enabled": true,
  "evaluationMode": "sync",
  "targetEntityTypes": ["transaction"],
  "conditions": {
    "operator": "OR",
    "conditions": [
      {
        "field": "metadata.ipRiskScore",
        "operator": "GREATER_THAN",
        "value": 80
      },
      {
        "field": "metadata.ipIsTor",
        "operator": "EQUALS",
        "value": true
      },
      {
        "field": "metadata.ipIsProxy",
        "operator": "EQUALS",
        "value": true
      },
      {
        "field": "metadata.ipIsVpn",
        "operator": "EQUALS",
        "value": true
      }
    ]
  },
  "actions": [
    {
      "type": "generate_alert",
      "config": {
        "severity": "high",
        "type": "high_risk_ip",
        "message": "Transaction from high-risk IP {{originDeviceData.ipAddress}} - Risk Score: {{metadata.ipRiskScore}}, Tor: {{metadata.ipIsTor}}, Proxy: {{metadata.ipIsProxy}}, VPN: {{metadata.ipIsVpn}}"
      }
    },
    {
      "type": "set_decision",
      "config": {
        "decision": "REVIEW_REQUIRED",
        "reason": "Transaction from high-risk IP or anonymization service"
      }
    }
  ]
}
When it triggers:
  • IP risk score > 80, OR
  • IP is Tor exit node, OR
  • IP is proxy/VPN
Recommended action: REVIEW_REQUIRED

6. Friendly Fraud Pattern

Detects patterns of legitimate purchases followed by chargebacks.
{
  "name": "Friendly Fraud Pattern Detection",
  "category": "fraud",
  "priority": 800,
  "enabled": true,
  "evaluationMode": "async",
  "targetEntityTypes": ["transaction"],
  "conditions": {
    "operator": "AND",
    "conditions": [
      {
        "field": "metadata.userChargebackCount90d",
        "operator": "GREATER_THAN",
        "value": 2
      },
      {
        "field": "metadata.userChargebackRate90d",
        "operator": "GREATER_THAN",
        "value": 0.1
      },
      {
        "field": "amount",
        "operator": "GREATER_THAN",
        "value": 200
      },
      {
        "field": "type",
        "operator": "EQUALS",
        "value": "PAYMENT"
      }
    ]
  },
  "actions": [
    {
      "type": "generate_alert",
      "config": {
        "severity": "medium",
        "type": "friendly_fraud_risk",
        "message": "User {{originEntityId}} has {{metadata.userChargebackCount90d}} chargebacks in 90 days (chargeback rate {{metadata.userChargebackRate90d}}, as a fraction) - new ${{amount}} transaction"
      }
    }
  ]
}
When it triggers:
  • User has more than 2 chargebacks in 90 days
  • Chargeback rate > 10%
  • New payment transaction > $200
Recommended action: Monitor and collect evidence

Layered Protection Strategy

Configuration by Industry

E-commerce

{
  "fraudDetection": {
    "focus": ["card_testing", "first_transaction", "billing_shipping_mismatch"],
    "riskThreshold": "medium",
    "require3DS": {
      "enabled": true,
      "minAmount": 100,
      "triggers": ["new_card", "high_risk_country", "unusual_amount"]
    },
    "velocityLimits": {
      "transactionsPerHour": 5,
      "transactionsPerDay": 20,
      "amountPerDay": 5000
    }
  }
}

Fintech/Payments

{
  "fraudDetection": {
    "focus": ["account_takeover", "velocity", "impossible_travel", "device_fingerprinting"],
    "riskThreshold": "high",
    "deviceFingerprinting": {
      "enabled": true,
      "blockNewDevices": false,
      "requireAuthForNewDevice": true
    },
    "velocityLimits": {
      "transactionsPerHour": 10,
      "transactionsPerDay": 50,
      "amountPerDay": 10000
    },
    "geoRestrictions": {
      "enabled": true,
      "allowedCountries": ["US", "CA", "GB", "EU"],
      "blockVPN": true
    }
  }
}

KPIs and Metrics

Fraud Prevention Metrics

{
  "fraudMetrics": {
    "fraudAttemptsPrevented": 1247,
    "estimatedLossesPrevented": 523000.00,
    "truePositiveRate": 0.87,
    "falsePositiveRate": 0.13,
    "averageTimeToDetection": "2.3 minutes",
    "chargebackRate": 0.004
  }
}

Rule Effectiveness

-- Top performing fraud detection rules
SELECT
  rule_name,
  COUNT(*) as triggers,
  SUM(CASE WHEN confirmed_fraud THEN 1 ELSE 0 END) as true_positives,
  SUM(CASE WHEN confirmed_fraud THEN amount ELSE 0 END) as value_prevented,
  AVG(CASE WHEN confirmed_fraud THEN 1.0 ELSE 0.0 END) as precision
FROM fraud_alerts
WHERE created_at > NOW() - INTERVAL '30 days'
GROUP BY rule_name
ORDER BY value_prevented DESC;

Chargeback Monitoring

-- Chargeback rate by card type
SELECT
  card_brand,
  COUNT(*) as total_transactions,
  SUM(CASE WHEN has_chargeback THEN 1 ELSE 0 END) as chargebacks,
  ROUND(100.0 * SUM(CASE WHEN has_chargeback THEN 1 ELSE 0 END) / COUNT(*), 2) as chargeback_rate
FROM transactions
WHERE created_at > NOW() - INTERVAL '90 days'
  AND origin_payment_method = 'CARD'
GROUP BY card_brand;

Best Practices

✅ DO

  1. Start with HOLD instead of REJECT
    • Allows manual review
    • Reduces customer friction
    • Improves false positive handling
  2. Use layered approach
    • Multiple rules at different thresholds
    • Combine SYNC and ASYNC rules
    • Progressive authentication
  3. Monitor and adjust
    • Track false positive rate
    • Adjust thresholds based on data
    • Seasonal adjustments
  4. Collect device data
    • IP address and geolocation
    • Device fingerprinting
    • Browser/app information
  5. Implement 3DS for high-risk
    • New cards
    • High amounts
    • Suspicious patterns
    • Shifts liability to issuer

❌ Common Mistakes

  1. Over-blocking legitimate customers
    • Start conservative
    • Monitor customer complaints
    • Provide clear feedback
  2. Ignoring false positives
    • Track all blocks
    • Review rejected transactions
    • Adjust rules regularly
  3. Static thresholds
    • Use dynamic limits
    • Adapt to user behavior
    • Consider context
  4. Not collecting evidence
    • Save device data
    • Store IP information
    • Document decisions
    • Required for chargeback disputes

Integration with Intelligence Dashboard

All fraud alerts automatically flow into Intelligence:
  • Consolidated View: All alerts for an entity in one place
  • Risk Timeline: Chronological view of suspicious activity
  • Collaboration: Teams can work together on complex cases
  • Actions: Accept, escalate, block user, mark false positive
  • Audit Trail: Complete history of decisions
