DEV Community: Fixel Smith The latest articles on DEV Community by Fixel Smith (@fixelsmith). https://dev.to/fixelsmith https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3931917%2F9d88cc72-7f15-4358-98e4-9d5433bd2ffc.png DEV Community: Fixel Smith https://dev.to/fixelsmith en Detecting fraud rings: the social-graph problem in disguise Fixel Smith Thu, 28 May 2026 13:29:46 +0000 https://dev.to/fixelsmith/detecting-fraud-rings-the-social-graph-problem-in-disguise-24lm https://dev.to/fixelsmith/detecting-fraud-rings-the-social-graph-problem-in-disguise-24lm <p>Fraud at scale usually gives itself away through repetition. One phone number behind twelve identities. Same device fingerprint reused across signups. A shipping address that keeps showing up on accounts that supposedly have nothing to do with each other.</p> <p>At some point the accounts stop looking independent. They're a ring.</p> <p>Finding rings is a graph problem. Nodes are accounts, edges are shared attributes, and what you want is connected components.</p> <p>The usual recommendation is to throw the data into Neo4j and solve it there with Cypher queries. That absolutely works. It's also a lot of infrastructure for something your warehouse can often handle directly.</p> <p>This post is how to do it with regular SQL.</p> <p>If you work on AML or transaction monitoring, the same shape applies. KYC profile overlaps are graph problems too, just with different attribute labels on the nodes.</p> <h2> What a fraud ring looks like </h2> <p>Simple example:</p> <ul> <li>Account A and account B share a phone number at signup.</li> <li>Account B and account C share a shipping address.</li> <li>Account C and account D share a device fingerprint.</li> <li>Account E and account A share an IP at first transaction.</li> </ul> <p>A, B, C, D, and E are connected. Looked at individually they look like five separate customers. Together they're almost always one operator running cards or laundering accounts.</p> <p>Single shared attributes catch the obvious cases. The harder problem is following those connections outward and figuring out which accounts belong to the same cluster.</p> <h2> The data </h2> <p>Assume you have an accounts table and a shared_attributes table:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- accounts</span> <span class="n">account_id</span> <span class="o">|</span> <span class="n">signup_date</span> <span class="o">|</span> <span class="n">status</span> <span class="c1">-----------|-------------|--------</span> <span class="mi">1</span> <span class="o">|</span> <span class="mi">2026</span><span class="o">-</span><span class="mi">01</span><span class="o">-</span><span class="mi">01</span> <span class="o">|</span> <span class="n">active</span> <span class="mi">2</span> <span class="o">|</span> <span class="mi">2026</span><span class="o">-</span><span class="mi">01</span><span class="o">-</span><span class="mi">02</span> <span class="o">|</span> <span class="n">active</span> <span class="p">...</span> <span class="c1">-- shared_attributes</span> <span class="n">account_a</span> <span class="o">|</span> <span class="n">account_b</span> <span class="o">|</span> <span class="n">attribute_type</span> <span class="o">|</span> <span class="n">attribute_value</span> <span class="c1">----------|-----------|----------------|----------------</span> <span class="mi">1</span> <span class="o">|</span> <span class="mi">7</span> <span class="o">|</span> <span class="n">phone</span> <span class="o">|</span> <span class="o">+</span><span class="mi">1</span><span class="o">-</span><span class="mi">555</span><span class="o">-</span><span class="mi">0100</span> <span class="mi">2</span> <span class="o">|</span> <span class="mi">14</span> <span class="o">|</span> <span class="n">shipping_address</span> <span class="o">|</span> <span class="mi">123</span> <span class="n">Main</span> <span class="n">St</span> <span class="p">...</span> </code></pre> </div> <p>The shared_attributes table has one row per pair of accounts that share at least one identifying attribute. The exact build step depends on what identifiers you have available. The recursive part below assumes it exists.</p> <p>If you don't have it pre-built, you can build it inline:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">a1</span><span class="p">.</span><span class="n">account_id</span> <span class="k">AS</span> <span class="n">account_a</span><span class="p">,</span> <span class="n">a2</span><span class="p">.</span><span class="n">account_id</span> <span class="k">AS</span> <span class="n">account_b</span><span class="p">,</span> <span class="s1">'phone'</span> <span class="k">AS</span> <span class="n">attribute_type</span><span class="p">,</span> <span class="n">a1</span><span class="p">.</span><span class="n">phone</span> <span class="k">AS</span> <span class="n">attribute_value</span> <span class="k">FROM</span> <span class="n">accounts</span> <span class="n">a1</span> <span class="k">JOIN</span> <span class="n">accounts</span> <span class="n">a2</span> <span class="k">ON</span> <span class="n">a1</span><span class="p">.</span><span class="n">phone</span> <span class="o">=</span> <span class="n">a2</span><span class="p">.</span><span class="n">phone</span> <span class="k">AND</span> <span class="n">a1</span><span class="p">.</span><span class="n">account_id</span> <span class="o">&lt;</span> <span class="n">a2</span><span class="p">.</span><span class="n">account_id</span><span class="p">;</span> </code></pre> </div> <p>The <code>account_id &lt; account_id</code> predicate dedupes so you don't get both A-B and B-A. Repeat the shape for each attribute and UNION ALL the results. Materialize it as a table if it gets large.</p> <h2> Finding pairs (the easy part) </h2> <p>Pairs are just a SELECT against shared_attributes.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">account_a</span><span class="p">,</span> <span class="n">account_b</span><span class="p">,</span> <span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">AS</span> <span class="n">shared_attribute_count</span> <span class="k">FROM</span> <span class="n">shared_attributes</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">2</span> <span class="k">HAVING</span> <span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="o">&gt;=</span> <span class="mi">2</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">shared_attribute_count</span> <span class="k">DESC</span><span class="p">;</span> </code></pre> </div> <p>Two shared attributes are usually a much stronger signal than one. Shared phone by itself might just be roommates or family. Shared phone plus device plus address is where things start getting interesting fast.</p> <h2> Finding clusters (the recursive part) </h2> <p>For clusters of arbitrary size you need a recursive CTE. Start from an account, follow every edge to find accounts connected to it, then follow every edge from those, and so on, until no new accounts get added.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">WITH</span> <span class="k">RECURSIVE</span> <span class="n">ring</span> <span class="k">AS</span> <span class="p">(</span> <span class="c1">-- Seed: pick a starting account</span> <span class="k">SELECT</span> <span class="n">account_a</span> <span class="k">AS</span> <span class="n">member</span><span class="p">,</span> <span class="mi">1</span> <span class="k">AS</span> <span class="n">depth</span> <span class="k">FROM</span> <span class="n">shared_attributes</span> <span class="k">WHERE</span> <span class="n">account_a</span> <span class="o">=</span> <span class="mi">1</span> <span class="k">UNION</span> <span class="c1">-- Step: add accounts connected to any current ring member</span> <span class="k">SELECT</span> <span class="k">CASE</span> <span class="k">WHEN</span> <span class="n">s</span><span class="p">.</span><span class="n">account_a</span> <span class="o">=</span> <span class="n">r</span><span class="p">.</span><span class="n">member</span> <span class="k">THEN</span> <span class="n">s</span><span class="p">.</span><span class="n">account_b</span> <span class="k">ELSE</span> <span class="n">s</span><span class="p">.</span><span class="n">account_a</span> <span class="k">END</span> <span class="k">AS</span> <span class="n">member</span><span class="p">,</span> <span class="n">r</span><span class="p">.</span><span class="n">depth</span> <span class="o">+</span> <span class="mi">1</span> <span class="k">FROM</span> <span class="n">ring</span> <span class="n">r</span> <span class="k">JOIN</span> <span class="n">shared_attributes</span> <span class="n">s</span> <span class="k">ON</span> <span class="n">r</span><span class="p">.</span><span class="n">member</span> <span class="k">IN</span> <span class="p">(</span><span class="n">s</span><span class="p">.</span><span class="n">account_a</span><span class="p">,</span> <span class="n">s</span><span class="p">.</span><span class="n">account_b</span><span class="p">)</span> <span class="k">WHERE</span> <span class="n">r</span><span class="p">.</span><span class="n">depth</span> <span class="o">&lt;</span> <span class="mi">10</span> <span class="p">)</span> <span class="k">SELECT</span> <span class="k">DISTINCT</span> <span class="n">member</span> <span class="k">FROM</span> <span class="n">ring</span><span class="p">;</span> </code></pre> </div> <p>One easy mistake here is using <code>UNION ALL</code> instead of <code>UNION</code>.</p> <p>If A connects to B and B connects back to A, the recursion keeps walking the same loop forever unless duplicates get removed during each pass. Regular <code>UNION</code> handles that automatically.</p> <p>In practice most of the clusters I've seen are relatively small, so a depth cap like 10 is usually enough to keep runaway recursion under control. The cap is also there for the rare malformed shared_attributes table that would otherwise blow up the query.</p> <h2> A note on platform support </h2> <p>Recursive CTEs work in Postgres, Snowflake, BigQuery, SQL Server, MySQL 8+, and SQLite. The syntax above is close to ANSI standard SQL and runs in all of them with minor adjustments. Postgres tends to be the cleanest. Snowflake and BigQuery both handle it but you'll see different optimizer behavior.</p> <p>BigQuery's GoogleSQL graph queries went GA in 2025. If you're already on BigQuery and your rings are large enough that the recursive CTE feels slow, the native graph syntax is the cleaner path before you reach for an external graph database.</p> <h2> Finding all rings (not just one seed) </h2> <p>The query above starts from one account. To enumerate every distinct ring across your whole population you need a different approach: assign every account to a connected component.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">WITH</span> <span class="k">RECURSIVE</span> <span class="n">component</span> <span class="k">AS</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="n">account_a</span> <span class="k">AS</span> <span class="n">member</span><span class="p">,</span> <span class="n">least</span><span class="p">(</span><span class="n">account_a</span><span class="p">,</span> <span class="n">account_b</span><span class="p">)</span> <span class="k">AS</span> <span class="n">component_id</span> <span class="k">FROM</span> <span class="n">shared_attributes</span> <span class="k">UNION</span> <span class="k">SELECT</span> <span class="n">s</span><span class="p">.</span><span class="n">account_b</span><span class="p">,</span> <span class="k">c</span><span class="p">.</span><span class="n">component_id</span> <span class="k">FROM</span> <span class="n">component</span> <span class="k">c</span> <span class="k">JOIN</span> <span class="n">shared_attributes</span> <span class="n">s</span> <span class="k">ON</span> <span class="n">s</span><span class="p">.</span><span class="n">account_a</span> <span class="o">=</span> <span class="k">c</span><span class="p">.</span><span class="n">member</span> <span class="k">WHERE</span> <span class="k">NOT</span> <span class="k">EXISTS</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="mi">1</span> <span class="k">FROM</span> <span class="n">component</span> <span class="n">c2</span> <span class="k">WHERE</span> <span class="n">c2</span><span class="p">.</span><span class="n">member</span> <span class="o">=</span> <span class="n">s</span><span class="p">.</span><span class="n">account_b</span> <span class="k">AND</span> <span class="n">c2</span><span class="p">.</span><span class="n">component_id</span> <span class="o">&lt;=</span> <span class="k">c</span><span class="p">.</span><span class="n">component_id</span> <span class="p">)</span> <span class="p">)</span> <span class="k">SELECT</span> <span class="n">component_id</span><span class="p">,</span> <span class="k">count</span><span class="p">(</span><span class="k">DISTINCT</span> <span class="n">member</span><span class="p">)</span> <span class="k">AS</span> <span class="n">ring_size</span> <span class="k">FROM</span> <span class="n">component</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="mi">1</span> <span class="k">HAVING</span> <span class="k">count</span><span class="p">(</span><span class="k">DISTINCT</span> <span class="n">member</span><span class="p">)</span> <span class="o">&gt;=</span> <span class="mi">3</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">ring_size</span> <span class="k">DESC</span><span class="p">;</span> </code></pre> </div> <p><code>least(account_a, account_b) AS component_id</code> picks the lowest account_id in any pair as the canonical name for the component. The NOT EXISTS check stops members from getting re-added under a higher component_id.</p> <p>This version gets expensive a lot faster than the seeded query, so it's usually something you'd run as a scheduled batch process instead of inline with analyst queries.</p> <h2> Where this hits false positives </h2> <p>Not every shared attribute means fraud. The signals that get noisy in practice:</p> <ul> <li>Apartment complexes and dorms. Lots of unrelated accounts share an address.</li> <li>Household phone plans. Family members share the primary line.</li> <li>Employer-provided devices, IPs, and mailing addresses. Corporate accounts cluster.</li> <li>Mailbox stores and PO box services. Legitimate small businesses use these too.</li> </ul> <p>The fix isn't to drop those signals entirely. It's to weight them. A shared apartment address by itself is weak. Shared apartment address plus shared device plus shared payment method is still strong even if any one signal is noisy on its own. The component rollup naturally surfaces the dense clusters where multiple weak signals coincide.</p> <h2> When SQL stops being enough </h2> <p>The recursive CTE handles components up to a few thousand members fine on a modern warehouse. Past that, performance degrades because every iteration is a full self-join.</p> <p>You've outgrown the SQL approach when your largest component hits the tens of thousands of accounts, or when the recursion depth caps you've set are getting hit on the regular. Either of those is your cue to move to a purpose-built graph database (Neo4j, Memgraph, TigerGraph) or a graph extension on your warehouse. The SQL pattern still has a job to do as the feature-engineering layer feeding the graph engine.</p> <p>Worth flagging since the question comes up: ring detection is inherently batch. It's a complement to your real-time transaction checks, not a replacement. The realtime layer catches the immediate suspicious activity. The ring layer flags accounts to watch even when nothing's currently tripping a realtime rule.</p> <p>Until you hit that scale, the recursive CTE does the job without making you stand up new infrastructure.</p> <h2> What I'd actually do in a new system </h2> <p>In order:</p> <ol> <li>Build the shared_attributes table from the obvious signals: phone, address, device, IP, payment method.</li> <li>Run the pair-detection query weekly. Triage the strongest pairs (3+ shared attributes).</li> <li>Once the pair workflow has a confirmed-fraud feedback loop running, build the recursive CTE for ring detection. Run monthly.</li> <li>Save the rings as features that feed per-transaction scoring. A transaction from an account in a known ring is automatically high-risk.</li> </ol> <p>The mistake I see new teams make is jumping straight to step 3 and skipping step 2. The recursive query is more fun to write but it's useless without the pair workflow underneath it. No feedback loop means no way to tell which detected rings are real and which are coincidence.</p> <p>Next post: why your fraud alerts are noisy, and what to actually do about it. Most teams reach for more rules. The real fix is in the feedback loop.</p> <p><strong>A note on process:</strong> AI helps with editing, not engineering. The SQL and patterns are from years of program-integrity work; the model just cuts the rambling.</p> <p><em>Fixel Smith is an experienced Program Integrity Analyst working in public-sector data.</em></p> sql analytics frauddetection database Eight window-function tricks beyond LAG and ROW_NUMBER Fixel Smith Mon, 18 May 2026 17:19:00 +0000 https://dev.to/fixelsmith/eight-window-function-tricks-beyond-lag-and-rownumber-paa https://dev.to/fixelsmith/eight-window-function-tricks-beyond-lag-and-rownumber-paa <p>The first post in this series got more reader response than I expected. The comments were full of practical follow-up questions and a few good corrections, and one thing that kept coming up was a request to go deeper on window functions specifically. Pattern 6 in the previous post leaned heavily on them. People wanted to see what else lives in that toolbox.</p> <p>This is that.</p> <p>LAG and ROW_NUMBER are usually the first two window functions analysts learn. They are the right starting point. But after a year or two of writing SQL you start running into shapes those two can't quite hit, and you start hitting problems where those two stop being enough.</p> <p>Eight patterns below. Same disclaimer as the previous post: I work as a data analyst on a program-integrity team. Examples use generic transaction tables and synthetic scenarios. Nothing here reflects actual systems, procedures, or data from any specific employer.</p> <h2> 1. QUALIFY </h2> <p>QUALIFY lets you filter directly on window-function output without wrapping the whole query in another CTE or subquery.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="nb">timestamp</span><span class="p">,</span> <span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="n">OVER</span> <span class="p">(</span> <span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">cardholder_id</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="nb">timestamp</span> <span class="k">RANGE</span> <span class="k">BETWEEN</span> <span class="n">INTERVAL</span> <span class="s1">'5 minutes'</span> <span class="k">PRECEDING</span> <span class="k">AND</span> <span class="k">CURRENT</span> <span class="k">ROW</span> <span class="p">)</span> <span class="k">AS</span> <span class="n">tx_5min</span> <span class="k">FROM</span> <span class="n">transactions</span> <span class="n">QUALIFY</span> <span class="n">tx_5min</span> <span class="o">&gt;=</span> <span class="mi">5</span><span class="p">;</span> </code></pre> </div> <p>Without QUALIFY this usually turns into an extra query layer just to filter on the computed column. Not a big deal in tiny examples, but once fraud rules start stacking together it gets messy fast.</p> <p>Support is still inconsistent depending on the engine. Snowflake, BigQuery, DuckDB, Databricks, ClickHouse and a few others have it. Postgres, MySQL, SQLite still don't.</p> <p>If you're on Postgres, the fallback is usually just a CTE and an outer WHERE clause.</p> <h2> 2. Frame specs (ROWS vs RANGE) </h2> <p>A lot of people write:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="n">OVER</span> <span class="p">(</span><span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">x</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">y</span><span class="p">)</span> </code></pre> </div> <p>and never think much about the frame underneath it. Usually fine until sliding windows start behaving strangely.</p> <p>The two big ones:</p> <ul> <li><code>ROWS BETWEEN N PRECEDING AND CURRENT ROW</code></li> <li><code>RANGE BETWEEN INTERVAL '5 minutes' PRECEDING AND CURRENT ROW</code></li> </ul> <p>ROWS counts rows. RANGE works off the ORDER BY value itself.</p> <p>The difference starts mattering once duplicate timestamps show up. ROWS and RANGE stop behaving the same way at that point.</p> <p>For fraud velocity checks, RANGE on timestamps is usually the right fit because you're actually asking "how many transactions happened within this time window," not "what happened in the previous 5 rows."</p> <p>For rolling hourly baselines or trailing-week comparisons, ROWS is often cleaner because each row already represents a fixed bucket.</p> <p>One related thing that came up in the comments on the previous post and is worth surfacing here: the timestamp you key off matters more than people realize. Authorization time and settlement time can be days apart. If you use settlement time on a velocity or impossible-travel check, charges from days ago suddenly look like they happened "now" in the warehouse, and the windows blow up with false positives. Use auth time. Most card systems have both columns; the home-grown ones don't always make the distinction obvious.</p> <h2> 3. FILTER for conditional aggregation </h2> <p>Most people start with CASE WHEN inside SUM or COUNT:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">sum</span><span class="p">(</span><span class="k">CASE</span> <span class="k">WHEN</span> <span class="n">amount</span> <span class="o">&gt;</span> <span class="mi">100</span> <span class="k">THEN</span> <span class="mi">1</span> <span class="k">ELSE</span> <span class="mi">0</span> <span class="k">END</span><span class="p">)</span> </code></pre> </div> <p>FILTER does the same thing with less noise:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">merchant_id</span><span class="p">,</span> <span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="n">FILTER</span> <span class="p">(</span><span class="k">WHERE</span> <span class="n">amount</span> <span class="o">&gt;</span> <span class="mi">100</span><span class="p">)</span> <span class="k">AS</span> <span class="n">high_value_count</span><span class="p">,</span> <span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="n">FILTER</span> <span class="p">(</span><span class="k">WHERE</span> <span class="nb">timestamp</span><span class="p">::</span><span class="nb">time</span> <span class="k">BETWEEN</span> <span class="s1">'00:00'</span> <span class="k">AND</span> <span class="s1">'06:00'</span><span class="p">)</span> <span class="k">AS</span> <span class="n">off_hours_count</span> <span class="k">FROM</span> <span class="n">transactions</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="n">merchant_id</span><span class="p">;</span> </code></pre> </div> <p>Works inside window functions too:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">sum</span><span class="p">(</span><span class="n">amount</span><span class="p">)</span> <span class="n">FILTER</span> <span class="p">(</span><span class="k">WHERE</span> <span class="n">merchant_category</span> <span class="o">=</span> <span class="s1">'gas_station'</span><span class="p">)</span> <span class="n">OVER</span> <span class="p">(</span> <span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">cardholder_id</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="nb">timestamp</span> <span class="k">ROWS</span> <span class="k">BETWEEN</span> <span class="mi">100</span> <span class="k">PRECEDING</span> <span class="k">AND</span> <span class="k">CURRENT</span> <span class="k">ROW</span> <span class="p">)</span> <span class="k">AS</span> <span class="n">rolling_gas_spend</span> </code></pre> </div> <p>Mostly just easier to read once queries get large.</p> <p>Support varies though. Postgres, Snowflake, DuckDB and ClickHouse support it. MySQL still doesn't. BigQuery handles this a little differently with IF inside the aggregate instead.</p> <h2> 4. FIRST_VALUE / LAST_VALUE / NTH_VALUE </h2> <p>These are useful anytime you need one row's value carried across the whole partition.</p> <p>Example: tagging every transaction with the first merchant a cardholder ever used.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="nb">timestamp</span><span class="p">,</span> <span class="n">merchant_id</span><span class="p">,</span> <span class="n">first_value</span><span class="p">(</span><span class="n">merchant_id</span><span class="p">)</span> <span class="n">OVER</span> <span class="p">(</span> <span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">cardholder_id</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="nb">timestamp</span> <span class="k">ROWS</span> <span class="k">BETWEEN</span> <span class="n">UNBOUNDED</span> <span class="k">PRECEDING</span> <span class="k">AND</span> <span class="n">UNBOUNDED</span> <span class="k">FOLLOWING</span> <span class="p">)</span> <span class="k">AS</span> <span class="n">first_merchant_ever</span><span class="p">,</span> <span class="n">last_value</span><span class="p">(</span><span class="n">merchant_id</span><span class="p">)</span> <span class="n">OVER</span> <span class="p">(</span> <span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">cardholder_id</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="nb">timestamp</span> <span class="k">ROWS</span> <span class="k">BETWEEN</span> <span class="n">UNBOUNDED</span> <span class="k">PRECEDING</span> <span class="k">AND</span> <span class="n">UNBOUNDED</span> <span class="k">FOLLOWING</span> <span class="p">)</span> <span class="k">AS</span> <span class="n">most_recent_merchant</span> <span class="k">FROM</span> <span class="n">transactions</span><span class="p">;</span> </code></pre> </div> <p>The LAST_VALUE behavior trips people up constantly.</p> <p>Without the explicit frame, LAST_VALUE usually returns the current row instead of the actual last row in the partition because the default frame stops at the current row.</p> <p>NTH_VALUE works the same way conceptually. Useful for questions like "what was the third transaction this cardholder ever made?"</p> <h2> 5. LEAD chains for sequence detection </h2> <p>LAG gets most of the attention because analysts usually look backwards more than forwards.</p> <p>LEAD becomes useful once you're looking for sequences instead of isolated events.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="nb">timestamp</span><span class="p">,</span> <span class="n">merchant_id</span><span class="p">,</span> <span class="n">lead</span><span class="p">(</span><span class="n">merchant_id</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> <span class="n">OVER</span> <span class="n">w</span> <span class="k">AS</span> <span class="n">next_merchant_1</span><span class="p">,</span> <span class="n">lead</span><span class="p">(</span><span class="n">merchant_id</span><span class="p">,</span> <span class="mi">2</span><span class="p">)</span> <span class="n">OVER</span> <span class="n">w</span> <span class="k">AS</span> <span class="n">next_merchant_2</span><span class="p">,</span> <span class="n">lead</span><span class="p">(</span><span class="n">merchant_id</span><span class="p">,</span> <span class="mi">3</span><span class="p">)</span> <span class="n">OVER</span> <span class="n">w</span> <span class="k">AS</span> <span class="n">next_merchant_3</span><span class="p">,</span> <span class="n">lead</span><span class="p">(</span><span class="nb">timestamp</span><span class="p">,</span> <span class="mi">3</span><span class="p">)</span> <span class="n">OVER</span> <span class="n">w</span> <span class="o">-</span> <span class="nb">timestamp</span> <span class="k">AS</span> <span class="n">time_to_4th_tx</span> <span class="k">FROM</span> <span class="n">transactions</span> <span class="k">WINDOW</span> <span class="n">w</span> <span class="k">AS</span> <span class="p">(</span><span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">cardholder_id</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="nb">timestamp</span><span class="p">);</span> </code></pre> </div> <p>Then you can filter on the sequence itself:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">WHERE</span> <span class="n">next_merchant_1</span> <span class="o">&lt;&gt;</span> <span class="n">merchant_id</span> <span class="k">AND</span> <span class="n">next_merchant_2</span> <span class="o">&lt;&gt;</span> <span class="n">merchant_id</span> <span class="k">AND</span> <span class="n">next_merchant_3</span> <span class="o">&lt;&gt;</span> <span class="n">merchant_id</span> <span class="k">AND</span> <span class="n">time_to_4th_tx</span> <span class="o">&lt;</span> <span class="n">INTERVAL</span> <span class="s1">'90 seconds'</span> </code></pre> </div> <p>A lot of card-testing behavior starts showing up in shapes like this.</p> <h2> 6. Gap-and-island </h2> <p>Gap-and-island is basically the standard SQL trick for finding streaks or runs of related activity.</p> <p>One common version looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="nb">timestamp</span><span class="p">,</span> <span class="n">merchant_id</span><span class="p">,</span> <span class="n">amount</span><span class="p">,</span> <span class="k">sum</span><span class="p">(</span> <span class="k">CASE</span> <span class="k">WHEN</span> <span class="n">merchant_id</span> <span class="o">&lt;&gt;</span> <span class="n">lag</span><span class="p">(</span><span class="n">merchant_id</span><span class="p">)</span> <span class="n">OVER</span> <span class="n">w</span> <span class="k">THEN</span> <span class="mi">1</span> <span class="k">ELSE</span> <span class="mi">0</span> <span class="k">END</span> <span class="p">)</span> <span class="n">OVER</span> <span class="n">w</span> <span class="k">AS</span> <span class="n">island_id</span> <span class="k">FROM</span> <span class="n">transactions</span> <span class="k">WINDOW</span> <span class="n">w</span> <span class="k">AS</span> <span class="p">(</span><span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">cardholder_id</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="nb">timestamp</span><span class="p">);</span> </code></pre> </div> <p>Every time the merchant changes, the island ID increments. Depending on the engine, this is also one of those patterns where query planners can suddenly get a lot more expensive than you expected.</p> <p>Once you have that grouping value, streak analysis gets much easier:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">WITH</span> <span class="n">islands</span> <span class="k">AS</span> <span class="p">(</span> <span class="c1">-- query above</span> <span class="p">)</span> <span class="k">SELECT</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="n">merchant_id</span><span class="p">,</span> <span class="n">island_id</span><span class="p">,</span> <span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">AS</span> <span class="n">streak_length</span> <span class="k">FROM</span> <span class="n">islands</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">3</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">streak_length</span> <span class="k">DESC</span><span class="p">;</span> </code></pre> </div> <p>This kind of thing is useful for spotting behavior shifts. Somebody with a year-long coffee-shop routine suddenly spending every day at gas stations is at least worth a second look.</p> <h2> 7. Conditional running totals </h2> <p>CASE WHEN inside SUM OVER ends up doing a huge amount of work in fraud analysis.</p> <p>Simple example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="nb">timestamp</span><span class="p">,</span> <span class="n">approved</span><span class="p">,</span> <span class="k">sum</span><span class="p">(</span><span class="k">CASE</span> <span class="k">WHEN</span> <span class="k">NOT</span> <span class="n">approved</span> <span class="k">THEN</span> <span class="mi">1</span> <span class="k">ELSE</span> <span class="mi">0</span> <span class="k">END</span><span class="p">)</span> <span class="n">OVER</span> <span class="p">(</span> <span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">cardholder_id</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="nb">timestamp</span> <span class="k">RANGE</span> <span class="k">BETWEEN</span> <span class="n">INTERVAL</span> <span class="s1">'24 hours'</span> <span class="k">PRECEDING</span> <span class="k">AND</span> <span class="k">CURRENT</span> <span class="k">ROW</span> <span class="p">)</span> <span class="k">AS</span> <span class="n">declines_last_24h</span> <span class="k">FROM</span> <span class="n">transactions</span><span class="p">;</span> </code></pre> </div> <p>Decline clusters are usually worth paying attention to. A surprising amount of card testing shows up as repeated declines followed by a successful approval somewhere later in the sequence.</p> <p>The reset-on-condition versions get more complicated and usually end up combining multiple windows together. Useful pattern, but also one of the easier places to write something unreadable by accident.</p> <h2> 8. PERCENT_RANK and NTILE </h2> <p>These are useful anytime fixed thresholds stop making sense globally.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">WITH</span> <span class="n">monthly_spend</span> <span class="k">AS</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="k">sum</span><span class="p">(</span><span class="n">amount</span><span class="p">)</span> <span class="k">AS</span> <span class="n">month_spend</span> <span class="k">FROM</span> <span class="n">transactions</span> <span class="k">WHERE</span> <span class="nb">timestamp</span> <span class="o">&gt;=</span> <span class="k">current_date</span> <span class="o">-</span> <span class="n">INTERVAL</span> <span class="s1">'30 days'</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="mi">1</span> <span class="p">),</span> <span class="n">buckets</span> <span class="k">AS</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="o">*</span><span class="p">,</span> <span class="n">ntile</span><span class="p">(</span><span class="mi">10</span><span class="p">)</span> <span class="n">OVER</span> <span class="p">(</span><span class="k">ORDER</span> <span class="k">BY</span> <span class="n">month_spend</span><span class="p">)</span> <span class="k">AS</span> <span class="n">spend_decile</span> <span class="k">FROM</span> <span class="n">monthly_spend</span> <span class="p">)</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">buckets</span> <span class="k">WHERE</span> <span class="n">spend_decile</span> <span class="o">=</span> <span class="mi">10</span><span class="p">;</span> </code></pre> </div> <p>A top-spend cardholder usually needs very different fraud thresholds than somebody barely using the card.</p> <p>NTILE gives you buckets. PERCENT_RANK gives you the actual percentile position instead.</p> <h2> Putting it together </h2> <p>The reason these patterns matter is that they compose well.</p> <p>Most individual fraud rules are actually pretty simple. The complexity comes from layering multiple weak signals together without turning the query into procedural spaghetti.</p> <p>Window functions let you keep a surprising amount of this logic in straight SQL before things spill over into procedural code.</p> <p>Most of the examples here are standard SQL. QUALIFY is still warehouse-specific, and FILTER support depends on the engine. If your warehouse doesn't support QUALIFY, the fallback is usually just another CTE layer.</p> <p>Next post is probably fraud-ring detection. Same general idea, just applied to graph-shaped problems instead of straight transaction streams.</p> <p>If you've got a specific window-function shape that gave you trouble or a fraud pattern you'd like to see written up, the comments on the original post are still active. Happy to take requests.</p> sql analytics frauddetection database Six SQL patterns I use to catch transaction fraud Fixel Smith Thu, 14 May 2026 20:18:26 +0000 https://dev.to/fixelsmith/six-sql-patterns-i-use-to-catch-transaction-fraud-coc https://dev.to/fixelsmith/six-sql-patterns-i-use-to-catch-transaction-fraud-coc <p><strong>Quick disclaimer:</strong> I do data work on a program-integrity team. Examples below use generic transaction tables and made-up scenarios. Nothing here comes from anything I've actually worked on or seen. Views are mine, not my employer's.</p> <p>Fraud detection in transaction data is mostly SQL. Not machine learning, not graph databases, not whatever Gartner is hyping this year. SQL, run against the right tables, with the right joins, looking for the right shapes.</p> <p>I work mostly with government-funded benefit programs, but the patterns below port over to anything with a transactions table: credit cards, healthcare claims, e-commerce, point-of-sale. If money moves and gets logged, these queries will find weird things in the log.</p> <p>Six patterns. Roughly in the order I'd build them out on a new dataset.</p> <h2> 1. Velocity </h2> <p>The simplest one. Someone with a stolen card wants to drain it before the holder notices. So they hit the card fast.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="n">date_trunc</span><span class="p">(</span><span class="s1">'hour'</span><span class="p">,</span> <span class="nb">timestamp</span><span class="p">)</span> <span class="k">AS</span> <span class="n">hour_bucket</span><span class="p">,</span> <span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">AS</span> <span class="n">tx_count</span><span class="p">,</span> <span class="k">min</span><span class="p">(</span><span class="nb">timestamp</span><span class="p">)</span> <span class="k">AS</span> <span class="n">first_tx</span><span class="p">,</span> <span class="k">max</span><span class="p">(</span><span class="nb">timestamp</span><span class="p">)</span> <span class="k">AS</span> <span class="n">last_tx</span> <span class="k">FROM</span> <span class="n">transactions</span> <span class="k">WHERE</span> <span class="nb">timestamp</span> <span class="o">&gt;=</span> <span class="k">current_date</span> <span class="o">-</span> <span class="n">INTERVAL</span> <span class="s1">'30 days'</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">2</span> <span class="k">HAVING</span> <span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mi">10</span><span class="p">;</span> </code></pre> </div> <p>Tune two knobs: the window size and the count threshold. I usually run a 1-minute, 5-minute, and 1-hour version in parallel and compare. Different fraud shows up at different scales — a card-testing ring hits a server in seconds; a benefits-trafficking ring might take an afternoon.</p> <p>A few cardholders will legitimately blow past the threshold. Route operators servicing vending machines. People reloading prepaid cards in bulk. Your false positives. Worth keeping a whitelist after the first pass.</p> <p>For sliding-window velocity, this is the form I use:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="nb">timestamp</span><span class="p">,</span> <span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="n">OVER</span> <span class="p">(</span> <span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">cardholder_id</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="nb">timestamp</span> <span class="k">RANGE</span> <span class="k">BETWEEN</span> <span class="n">INTERVAL</span> <span class="s1">'5 minutes'</span> <span class="k">PRECEDING</span> <span class="k">AND</span> <span class="k">CURRENT</span> <span class="k">ROW</span> <span class="p">)</span> <span class="k">AS</span> <span class="n">tx_in_last_5min</span> <span class="k">FROM</span> <span class="n">transactions</span> <span class="n">QUALIFY</span> <span class="n">tx_in_last_5min</span> <span class="o">&gt;=</span> <span class="mi">5</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="nb">timestamp</span><span class="p">;</span> </code></pre> </div> <p><code>QUALIFY</code> works in Snowflake, BigQuery, Databricks, Teradata. For Postgres you wrap the whole thing in a CTE and filter on the outside. Slight pain, same result.</p> <h2> 2. Impossible travel </h2> <p>If a card swipes in Chicago and seven minutes later swipes in Los Angeles, one of those swipes is fake. The card is cloned. This is the most uncontroversial fraud signal you'll find — there's almost no legitimate reason a single card is in two distant places in seven minutes.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">WITH</span> <span class="n">ordered_tx</span> <span class="k">AS</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="nb">timestamp</span><span class="p">,</span> <span class="k">location</span><span class="p">,</span> <span class="n">LAG</span><span class="p">(</span><span class="nb">timestamp</span><span class="p">)</span> <span class="n">OVER</span> <span class="p">(</span><span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">cardholder_id</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="nb">timestamp</span><span class="p">)</span> <span class="k">AS</span> <span class="n">prev_ts</span><span class="p">,</span> <span class="n">LAG</span><span class="p">(</span><span class="k">location</span><span class="p">)</span> <span class="n">OVER</span> <span class="p">(</span><span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">cardholder_id</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="nb">timestamp</span><span class="p">)</span> <span class="k">AS</span> <span class="n">prev_loc</span> <span class="k">FROM</span> <span class="n">transactions</span> <span class="p">)</span> <span class="k">SELECT</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="n">prev_ts</span> <span class="k">AS</span> <span class="n">first_tx</span><span class="p">,</span> <span class="nb">timestamp</span> <span class="k">AS</span> <span class="n">second_tx</span><span class="p">,</span> <span class="n">prev_loc</span> <span class="k">AS</span> <span class="n">first_location</span><span class="p">,</span> <span class="k">location</span> <span class="k">AS</span> <span class="n">second_location</span><span class="p">,</span> <span class="k">EXTRACT</span><span class="p">(</span><span class="n">EPOCH</span> <span class="k">FROM</span> <span class="p">(</span><span class="nb">timestamp</span> <span class="o">-</span> <span class="n">prev_ts</span><span class="p">))</span> <span class="o">/</span> <span class="mi">60</span> <span class="k">AS</span> <span class="n">minutes_apart</span><span class="p">,</span> <span class="n">haversine</span><span class="p">(</span><span class="n">prev_loc</span><span class="p">,</span> <span class="k">location</span><span class="p">)</span> <span class="k">AS</span> <span class="n">miles_apart</span> <span class="k">FROM</span> <span class="n">ordered_tx</span> <span class="k">WHERE</span> <span class="n">prev_ts</span> <span class="k">IS</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">AND</span> <span class="n">prev_loc</span> <span class="o">&lt;&gt;</span> <span class="k">location</span> <span class="k">AND</span> <span class="n">haversine</span><span class="p">(</span><span class="n">prev_loc</span><span class="p">,</span> <span class="k">location</span><span class="p">)</span> <span class="o">/</span> <span class="k">nullif</span><span class="p">(</span><span class="k">EXTRACT</span><span class="p">(</span><span class="n">EPOCH</span> <span class="k">FROM</span> <span class="p">(</span><span class="nb">timestamp</span> <span class="o">-</span> <span class="n">prev_ts</span><span class="p">)),</span> <span class="mi">0</span><span class="p">)</span> <span class="o">*</span> <span class="mi">3600</span> <span class="o">&gt;</span> <span class="mi">600</span><span class="p">;</span> </code></pre> </div> <p><code>haversine</code> is the great-circle distance function. Most warehouses ship one. If yours doesn't, it's about ten lines to write your own.</p> <p>The 600 mph threshold is rough — commercial jet cruise is around 575, so this is "faster than a plane could possibly do it." You can tighten it to 100 mph if you want to catch suspiciously-fast ground travel too, but at that threshold you start picking up real airline travelers, kids with parents driving them home from camp, that kind of thing.</p> <p>A few other shapes in the same family are worth running:</p> <ul> <li>Two distant cities, same state, inside 5 minutes. Local cloning rings.</li> <li>Multiple ZIP codes inside an hour. Skimmer rings working a region.</li> <li>Border crossings inside 10 minutes. International rings.</li> </ul> <h2> 3. Amount anomalies </h2> <p>There are a couple of amounts that show up disproportionately in fraud and almost never in normal use.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="nb">timestamp</span><span class="p">,</span> <span class="n">amount</span><span class="p">,</span> <span class="n">merchant_id</span> <span class="k">FROM</span> <span class="n">transactions</span> <span class="k">WHERE</span> <span class="p">(</span><span class="n">amount</span> <span class="o">&gt;=</span> <span class="mi">99</span><span class="p">.</span><span class="mi">50</span> <span class="k">AND</span> <span class="n">amount</span> <span class="o">&lt;</span> <span class="mi">100</span><span class="p">.</span><span class="mi">00</span><span class="p">)</span> <span class="k">OR</span> <span class="p">(</span><span class="n">amount</span> <span class="o">&gt;=</span> <span class="mi">499</span><span class="p">.</span><span class="mi">50</span> <span class="k">AND</span> <span class="n">amount</span> <span class="o">&lt;</span> <span class="mi">500</span><span class="p">.</span><span class="mi">00</span><span class="p">)</span> <span class="k">OR</span> <span class="n">amount</span> <span class="k">IN</span> <span class="p">(</span><span class="mi">1</span><span class="p">.</span><span class="mi">00</span><span class="p">,</span> <span class="mi">5</span><span class="p">.</span><span class="mi">00</span><span class="p">,</span> <span class="mi">10</span><span class="p">.</span><span class="mi">00</span><span class="p">)</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="nb">timestamp</span><span class="p">;</span> </code></pre> </div> <p>What's happening:</p> <p>Round dollar amounts at small values — $1.00, $5.00, $10.00 — are almost always card tests. Someone got a card number from a dump and they're checking if it works before reselling it. Real cardholders almost never buy something for exactly $1.00. Coffee is $4.73, gas is $52.81. The roundness is the signal.</p> <p>Amounts just below a threshold are different. $99.99 is interesting because at a lot of places, $100 is the line where the cashier is supposed to check ID. $499.99 is interesting because $500 is often a daily ATM cap. Whoever's doing the transaction knows the rules and is staying under them.</p> <p>(For benefits transactions specifically, the round-number pattern doesn't help much. Benefits don't get card-tested the same way. There the signal is usually duplicate recipients, which is a different post.)</p> <h2> 4. Suspicious merchants </h2> <p>When a skimmer compromises a card reader at, say, a gas pump, you don't get one fraud case. You get dozens. Every card swiped at that pump for the next few weeks is now in someone's database. So the symptom from the merchant side is: an unusual number of unrelated cards spending more than usual, in a short window.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">merchant_id</span><span class="p">,</span> <span class="n">date_trunc</span><span class="p">(</span><span class="s1">'hour'</span><span class="p">,</span> <span class="nb">timestamp</span><span class="p">)</span> <span class="k">AS</span> <span class="n">hour_bucket</span><span class="p">,</span> <span class="k">count</span><span class="p">(</span><span class="k">DISTINCT</span> <span class="n">cardholder_id</span><span class="p">)</span> <span class="k">AS</span> <span class="n">unique_cards</span><span class="p">,</span> <span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">AS</span> <span class="n">total_tx</span><span class="p">,</span> <span class="k">sum</span><span class="p">(</span><span class="n">amount</span><span class="p">)</span> <span class="k">AS</span> <span class="n">total_amount</span> <span class="k">FROM</span> <span class="n">transactions</span> <span class="k">WHERE</span> <span class="nb">timestamp</span> <span class="o">&gt;=</span> <span class="k">current_date</span> <span class="o">-</span> <span class="n">INTERVAL</span> <span class="s1">'7 days'</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">2</span> <span class="k">HAVING</span> <span class="k">count</span><span class="p">(</span><span class="k">DISTINCT</span> <span class="n">cardholder_id</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mi">20</span> <span class="k">AND</span> <span class="k">sum</span><span class="p">(</span><span class="n">amount</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mi">5000</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">total_amount</span> <span class="k">DESC</span><span class="p">;</span> </code></pre> </div> <p>The problem with static thresholds (20 unique cards, $5000) is they don't account for size. A Costco does that in 90 seconds. A used bookshop, never. So the better version compares each merchant against itself:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">WITH</span> <span class="n">merchant_hourly</span> <span class="k">AS</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="n">merchant_id</span><span class="p">,</span> <span class="n">date_trunc</span><span class="p">(</span><span class="s1">'hour'</span><span class="p">,</span> <span class="nb">timestamp</span><span class="p">)</span> <span class="k">AS</span> <span class="n">hour_bucket</span><span class="p">,</span> <span class="k">count</span><span class="p">(</span><span class="k">DISTINCT</span> <span class="n">cardholder_id</span><span class="p">)</span> <span class="k">AS</span> <span class="n">unique_cards</span> <span class="k">FROM</span> <span class="n">transactions</span> <span class="k">WHERE</span> <span class="nb">timestamp</span> <span class="o">&gt;=</span> <span class="k">current_date</span> <span class="o">-</span> <span class="n">INTERVAL</span> <span class="s1">'60 days'</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">2</span> <span class="p">),</span> <span class="n">with_baseline</span> <span class="k">AS</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="o">*</span><span class="p">,</span> <span class="k">avg</span><span class="p">(</span><span class="n">unique_cards</span><span class="p">)</span> <span class="n">OVER</span> <span class="p">(</span> <span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">merchant_id</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">hour_bucket</span> <span class="k">ROWS</span> <span class="k">BETWEEN</span> <span class="mi">168</span> <span class="k">PRECEDING</span> <span class="k">AND</span> <span class="mi">1</span> <span class="k">PRECEDING</span> <span class="p">)</span> <span class="k">AS</span> <span class="n">rolling_avg_cards</span> <span class="k">FROM</span> <span class="n">merchant_hourly</span> <span class="p">)</span> <span class="k">SELECT</span> <span class="o">*</span><span class="p">,</span> <span class="n">unique_cards</span> <span class="o">/</span> <span class="k">nullif</span><span class="p">(</span><span class="n">rolling_avg_cards</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="k">AS</span> <span class="n">spike_ratio</span> <span class="k">FROM</span> <span class="n">with_baseline</span> <span class="k">WHERE</span> <span class="n">unique_cards</span> <span class="o">&gt;</span> <span class="n">rolling_avg_cards</span> <span class="o">*</span> <span class="mi">3</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">spike_ratio</span> <span class="k">DESC</span><span class="p">;</span> </code></pre> </div> <p>The 168 is the trailing seven days of hourly buckets. I use a week because daily and weekly seasonality matters — Tuesday 2pm at a coffee shop is not the same baseline as Saturday 9am at the same shop. A week catches both cycles.</p> <p>Three times normal is where I start. It's loose enough not to drown you in alerts but tight enough to flag the actually weird hours.</p> <h2> 5. Off-hours </h2> <p>Most people are creatures of habit when they spend money. A nine-to-fiver doesn't suddenly start buying gas at 3am. If their card does, it's either being used by someone else or they're traveling — and travel produces other signals you can check.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">WITH</span> <span class="n">cardholder_hour_pattern</span> <span class="k">AS</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="k">EXTRACT</span><span class="p">(</span><span class="n">HOUR</span> <span class="k">FROM</span> <span class="nb">timestamp</span><span class="p">)</span> <span class="k">AS</span> <span class="n">hour_of_day</span><span class="p">,</span> <span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">AS</span> <span class="n">tx_count</span> <span class="k">FROM</span> <span class="n">transactions</span> <span class="k">WHERE</span> <span class="nb">timestamp</span> <span class="o">&gt;=</span> <span class="k">current_date</span> <span class="o">-</span> <span class="n">INTERVAL</span> <span class="s1">'90 days'</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">2</span> <span class="p">),</span> <span class="n">cardholder_normal</span> <span class="k">AS</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="k">min</span><span class="p">(</span><span class="n">hour_of_day</span><span class="p">)</span> <span class="n">FILTER</span> <span class="p">(</span><span class="k">WHERE</span> <span class="n">tx_count</span> <span class="o">&gt;=</span> <span class="mi">2</span><span class="p">)</span> <span class="k">AS</span> <span class="n">earliest_hour</span><span class="p">,</span> <span class="k">max</span><span class="p">(</span><span class="n">hour_of_day</span><span class="p">)</span> <span class="n">FILTER</span> <span class="p">(</span><span class="k">WHERE</span> <span class="n">tx_count</span> <span class="o">&gt;=</span> <span class="mi">2</span><span class="p">)</span> <span class="k">AS</span> <span class="n">latest_hour</span> <span class="k">FROM</span> <span class="n">cardholder_hour_pattern</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="mi">1</span> <span class="p">)</span> <span class="k">SELECT</span> <span class="n">t</span><span class="p">.</span><span class="n">cardholder_id</span><span class="p">,</span> <span class="n">t</span><span class="p">.</span><span class="nb">timestamp</span><span class="p">,</span> <span class="n">t</span><span class="p">.</span><span class="n">amount</span><span class="p">,</span> <span class="n">t</span><span class="p">.</span><span class="n">merchant_id</span> <span class="k">FROM</span> <span class="n">transactions</span> <span class="n">t</span> <span class="k">JOIN</span> <span class="n">cardholder_normal</span> <span class="n">cn</span> <span class="k">USING</span> <span class="p">(</span><span class="n">cardholder_id</span><span class="p">)</span> <span class="k">WHERE</span> <span class="k">EXTRACT</span><span class="p">(</span><span class="n">HOUR</span> <span class="k">FROM</span> <span class="n">t</span><span class="p">.</span><span class="nb">timestamp</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">BETWEEN</span> <span class="n">cn</span><span class="p">.</span><span class="n">earliest_hour</span> <span class="k">AND</span> <span class="n">cn</span><span class="p">.</span><span class="n">latest_hour</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">t</span><span class="p">.</span><span class="nb">timestamp</span> <span class="k">DESC</span><span class="p">;</span> </code></pre> </div> <p>The "two or more in that hour" filter on the inner query is doing important work. Without it, one stray late-night gas station purchase three months ago becomes part of the cardholder's "normal" hours, and you never flag them again. Requiring at least two purchases in a given hour, in 90 days, sets the bar at "actually a habit" instead of "happened once."</p> <p>Drawback: this doesn't work until you have history. New accounts have no baseline. For those, you fall back to global hour patterns or just skip this pattern entirely until they've been around for a couple months.</p> <h2> 6. Window functions for chained signals </h2> <p>This one isn't really a pattern. It's a setup that makes the other five patterns composable.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="nb">timestamp</span><span class="p">,</span> <span class="n">amount</span><span class="p">,</span> <span class="n">merchant_id</span><span class="p">,</span> <span class="nb">timestamp</span> <span class="o">-</span> <span class="n">LAG</span><span class="p">(</span><span class="nb">timestamp</span><span class="p">)</span> <span class="n">OVER</span> <span class="n">w</span> <span class="k">AS</span> <span class="n">time_since_last</span><span class="p">,</span> <span class="k">CASE</span> <span class="k">WHEN</span> <span class="n">merchant_id</span> <span class="o">&lt;&gt;</span> <span class="n">LAG</span><span class="p">(</span><span class="n">merchant_id</span><span class="p">)</span> <span class="n">OVER</span> <span class="n">w</span> <span class="k">THEN</span> <span class="s1">'changed'</span> <span class="k">ELSE</span> <span class="s1">'same'</span> <span class="k">END</span> <span class="k">AS</span> <span class="n">merchant_change</span><span class="p">,</span> <span class="k">sum</span><span class="p">(</span><span class="n">amount</span><span class="p">)</span> <span class="n">OVER</span> <span class="p">(</span> <span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">cardholder_id</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="nb">timestamp</span> <span class="k">RANGE</span> <span class="k">BETWEEN</span> <span class="n">INTERVAL</span> <span class="s1">'24 hours'</span> <span class="k">PRECEDING</span> <span class="k">AND</span> <span class="k">CURRENT</span> <span class="k">ROW</span> <span class="p">)</span> <span class="k">AS</span> <span class="n">running_24h_total</span><span class="p">,</span> <span class="n">ROW_NUMBER</span><span class="p">()</span> <span class="n">OVER</span> <span class="p">(</span> <span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="nb">date</span><span class="p">(</span><span class="nb">timestamp</span><span class="p">)</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="nb">timestamp</span> <span class="p">)</span> <span class="k">AS</span> <span class="n">tx_of_day</span> <span class="k">FROM</span> <span class="n">transactions</span> <span class="k">WINDOW</span> <span class="n">w</span> <span class="k">AS</span> <span class="p">(</span><span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">cardholder_id</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="nb">timestamp</span><span class="p">)</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="nb">timestamp</span><span class="p">;</span> </code></pre> </div> <p>Once you've materialized those columns, fraud rules collapse to filter expressions. Say you're hunting card-testing rings, where the tell is "lots of small charges, all at different merchants, within minutes of each other." The rule becomes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">tx_with_windows</span> <span class="k">WHERE</span> <span class="n">tx_of_day</span> <span class="o">&gt;=</span> <span class="mi">5</span> <span class="k">AND</span> <span class="n">time_since_last</span> <span class="o">&lt;</span> <span class="n">INTERVAL</span> <span class="s1">'60 seconds'</span> <span class="k">AND</span> <span class="n">merchant_change</span> <span class="o">=</span> <span class="s1">'changed'</span><span class="p">;</span> </code></pre> </div> <p>Three filters. That's it.</p> <p>The reason this matters is that the moment your analysts can express new fraud hypotheses as SQL filters instead of engineering tickets, your iteration loop drops from weeks to hours. You catch more fraud, faster.</p> <h2> Putting it together </h2> <p>None of these alone is enough. Velocity has false positives (vending operators). Geographic impossibility misses anything inside a single metro. Amount anomalies don't apply outside of card-test contexts. The off-hours rule needs history.</p> <p>What works is running them all and scoring each transaction across the signals. A transaction that fails on three or four of them is almost always fraud. A transaction that fails on one might be your grandma being weird with her debit card on vacation.</p> <p>If you're brand new to fraud detection, start with pattern 1. It alone will surface a useful amount of fraud and very little legitimate activity, and it's cheap to run.</p> <p>If you've already got 1 through 5, the place to invest is pattern 6 — those window-function primitives. Every analyst on your team will use them once they exist, and adding the next fraud pattern stops being a project.</p> <h2> Things I left out </h2> <p>A few things this post doesn't cover that come up constantly:</p> <p>NULL handling. Real transaction tables don't use NULL the way intro SQL books do. A lot of legacy systems use sentinel values like <code>9999-12-31</code> for "no end date" or <code>0001-01-01</code> for "no start date." Filtering with <code>IS NULL</code> will silently miss those rows. Always check what the convention is in your specific table before writing WHERE clauses that assume NULL.</p> <p>False positives. Every rule above will flag real cardholders doing weird-but-legitimate things. Your fraud workflow needs human review of flagged cases, with a feedback loop that lets you tune thresholds based on what's actually fraud and what isn't. Auto-blocking on a single rule is how you lose customers.</p> <p>Privacy. If the data has PII, your queries need to comply with your applicable data-use policies. De-identified or sampled data first, production data with authorization second.</p> <p>Cost. Window functions with big partitions are not cheap. Filter your date range first, then apply the window, not the other way around. I've watched a junior analyst burn through a warehouse credit budget by running a <code>LAG()</code> across two years of transactions on the entire dataset before adding the WHERE.</p> <p>Things I want to write about next, depending on what people ask for:</p> <ul> <li>Eight window-function tricks beyond <code>LAG</code> and <code>ROW_NUMBER</code> </li> <li>Detecting fraud rings, which is the social-graph problem in disguise</li> <li>What goes on a fraud team's dashboard, and what doesn't</li> <li>Why your fraud alerts are noisy, and how to actually fix that instead of just raising thresholds</li> </ul> <p>If there's something specific you want covered, message through <a href="https://fixelsmith.com" rel="noopener noreferrer">fixelsmith.com</a>.</p> <p><em>Fixel Smith is an experienced Program Integrity Analyst working in public-sector data.</em></p> sql analytics frauddetection database