DEV Community: Fixel Smith The latest articles on DEV Community by Fixel Smith (@fixelsmith). https://dev.to/fixelsmith https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3931917%2F9d88cc72-7f15-4358-98e4-9d5433bd2ffc.png DEV Community: Fixel Smith https://dev.to/fixelsmith en Six SQL patterns I use to catch transaction fraud Fixel Smith Thu, 14 May 2026 20:18:26 +0000 https://dev.to/fixelsmith/six-sql-patterns-i-use-to-catch-transaction-fraud-coc https://dev.to/fixelsmith/six-sql-patterns-i-use-to-catch-transaction-fraud-coc <p><strong>Quick disclaimer:</strong> I do data work on a program-integrity team. Examples below use generic transaction tables and made-up scenarios. Nothing here comes from anything I've actually worked on or seen. Views are mine, not my employer's.</p> <p>Fraud detection in transaction data is mostly SQL. Not machine learning, not graph databases, not whatever Gartner is hyping this year. SQL, run against the right tables, with the right joins, looking for the right shapes.</p> <p>I work mostly with government-funded benefit programs, but the patterns below port over to anything with a transactions table: credit cards, healthcare claims, e-commerce, point-of-sale. If money moves and gets logged, these queries will find weird things in the log.</p> <p>Six patterns. Roughly in the order I'd build them out on a new dataset.</p> <h2> 1. Velocity </h2> <p>The simplest one. Someone with a stolen card wants to drain it before the holder notices. So they hit the card fast.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="n">date_trunc</span><span class="p">(</span><span class="s1">'hour'</span><span class="p">,</span> <span class="nb">timestamp</span><span class="p">)</span> <span class="k">AS</span> <span class="n">hour_bucket</span><span class="p">,</span> <span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">AS</span> <span class="n">tx_count</span><span class="p">,</span> <span class="k">min</span><span class="p">(</span><span class="nb">timestamp</span><span class="p">)</span> <span class="k">AS</span> <span class="n">first_tx</span><span class="p">,</span> <span class="k">max</span><span class="p">(</span><span class="nb">timestamp</span><span class="p">)</span> <span class="k">AS</span> <span class="n">last_tx</span> <span class="k">FROM</span> <span class="n">transactions</span> <span class="k">WHERE</span> <span class="nb">timestamp</span> <span class="o">&gt;=</span> <span class="k">current_date</span> <span class="o">-</span> <span class="n">INTERVAL</span> <span class="s1">'30 days'</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">2</span> <span class="k">HAVING</span> <span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mi">10</span><span class="p">;</span> </code></pre> </div> <p>Tune two knobs: the window size and the count threshold. I usually run a 1-minute, 5-minute, and 1-hour version in parallel and compare. Different fraud shows up at different scales — a card-testing ring hits a server in seconds; a benefits-trafficking ring might take an afternoon.</p> <p>A few cardholders will legitimately blow past the threshold. Route operators servicing vending machines. People reloading prepaid cards in bulk. Your false positives. Worth keeping a whitelist after the first pass.</p> <p>For sliding-window velocity, this is the form I use:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="nb">timestamp</span><span class="p">,</span> <span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="n">OVER</span> <span class="p">(</span> <span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">cardholder_id</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="nb">timestamp</span> <span class="k">RANGE</span> <span class="k">BETWEEN</span> <span class="n">INTERVAL</span> <span class="s1">'5 minutes'</span> <span class="k">PRECEDING</span> <span class="k">AND</span> <span class="k">CURRENT</span> <span class="k">ROW</span> <span class="p">)</span> <span class="k">AS</span> <span class="n">tx_in_last_5min</span> <span class="k">FROM</span> <span class="n">transactions</span> <span class="n">QUALIFY</span> <span class="n">tx_in_last_5min</span> <span class="o">&gt;=</span> <span class="mi">5</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="nb">timestamp</span><span class="p">;</span> </code></pre> </div> <p><code>QUALIFY</code> works in Snowflake, BigQuery, Databricks, Teradata. For Postgres you wrap the whole thing in a CTE and filter on the outside. Slight pain, same result.</p> <h2> 2. Impossible travel </h2> <p>If a card swipes in Chicago and seven minutes later swipes in Los Angeles, one of those swipes is fake. The card is cloned. This is the most uncontroversial fraud signal you'll find — there's almost no legitimate reason a single card is in two distant places in seven minutes.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">WITH</span> <span class="n">ordered_tx</span> <span class="k">AS</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="nb">timestamp</span><span class="p">,</span> <span class="k">location</span><span class="p">,</span> <span class="n">LAG</span><span class="p">(</span><span class="nb">timestamp</span><span class="p">)</span> <span class="n">OVER</span> <span class="p">(</span><span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">cardholder_id</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="nb">timestamp</span><span class="p">)</span> <span class="k">AS</span> <span class="n">prev_ts</span><span class="p">,</span> <span class="n">LAG</span><span class="p">(</span><span class="k">location</span><span class="p">)</span> <span class="n">OVER</span> <span class="p">(</span><span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">cardholder_id</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="nb">timestamp</span><span class="p">)</span> <span class="k">AS</span> <span class="n">prev_loc</span> <span class="k">FROM</span> <span class="n">transactions</span> <span class="p">)</span> <span class="k">SELECT</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="n">prev_ts</span> <span class="k">AS</span> <span class="n">first_tx</span><span class="p">,</span> <span class="nb">timestamp</span> <span class="k">AS</span> <span class="n">second_tx</span><span class="p">,</span> <span class="n">prev_loc</span> <span class="k">AS</span> <span class="n">first_location</span><span class="p">,</span> <span class="k">location</span> <span class="k">AS</span> <span class="n">second_location</span><span class="p">,</span> <span class="k">EXTRACT</span><span class="p">(</span><span class="n">EPOCH</span> <span class="k">FROM</span> <span class="p">(</span><span class="nb">timestamp</span> <span class="o">-</span> <span class="n">prev_ts</span><span class="p">))</span> <span class="o">/</span> <span class="mi">60</span> <span class="k">AS</span> <span class="n">minutes_apart</span><span class="p">,</span> <span class="n">haversine</span><span class="p">(</span><span class="n">prev_loc</span><span class="p">,</span> <span class="k">location</span><span class="p">)</span> <span class="k">AS</span> <span class="n">miles_apart</span> <span class="k">FROM</span> <span class="n">ordered_tx</span> <span class="k">WHERE</span> <span class="n">prev_ts</span> <span class="k">IS</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">AND</span> <span class="n">prev_loc</span> <span class="o">&lt;&gt;</span> <span class="k">location</span> <span class="k">AND</span> <span class="n">haversine</span><span class="p">(</span><span class="n">prev_loc</span><span class="p">,</span> <span class="k">location</span><span class="p">)</span> <span class="o">/</span> <span class="k">nullif</span><span class="p">(</span><span class="k">EXTRACT</span><span class="p">(</span><span class="n">EPOCH</span> <span class="k">FROM</span> <span class="p">(</span><span class="nb">timestamp</span> <span class="o">-</span> <span class="n">prev_ts</span><span class="p">)),</span> <span class="mi">0</span><span class="p">)</span> <span class="o">*</span> <span class="mi">3600</span> <span class="o">&gt;</span> <span class="mi">600</span><span class="p">;</span> </code></pre> </div> <p><code>haversine</code> is the great-circle distance function. Most warehouses ship one. If yours doesn't, it's about ten lines to write your own.</p> <p>The 600 mph threshold is rough — commercial jet cruise is around 575, so this is "faster than a plane could possibly do it." You can tighten it to 100 mph if you want to catch suspiciously-fast ground travel too, but at that threshold you start picking up real airline travelers, kids with parents driving them home from camp, that kind of thing.</p> <p>A few other shapes in the same family are worth running:</p> <ul> <li>Two distant cities, same state, inside 5 minutes. Local cloning rings.</li> <li>Multiple ZIP codes inside an hour. Skimmer rings working a region.</li> <li>Border crossings inside 10 minutes. International rings.</li> </ul> <h2> 3. Amount anomalies </h2> <p>There are a couple of amounts that show up disproportionately in fraud and almost never in normal use.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="nb">timestamp</span><span class="p">,</span> <span class="n">amount</span><span class="p">,</span> <span class="n">merchant_id</span> <span class="k">FROM</span> <span class="n">transactions</span> <span class="k">WHERE</span> <span class="p">(</span><span class="n">amount</span> <span class="o">&gt;=</span> <span class="mi">99</span><span class="p">.</span><span class="mi">50</span> <span class="k">AND</span> <span class="n">amount</span> <span class="o">&lt;</span> <span class="mi">100</span><span class="p">.</span><span class="mi">00</span><span class="p">)</span> <span class="k">OR</span> <span class="p">(</span><span class="n">amount</span> <span class="o">&gt;=</span> <span class="mi">499</span><span class="p">.</span><span class="mi">50</span> <span class="k">AND</span> <span class="n">amount</span> <span class="o">&lt;</span> <span class="mi">500</span><span class="p">.</span><span class="mi">00</span><span class="p">)</span> <span class="k">OR</span> <span class="n">amount</span> <span class="k">IN</span> <span class="p">(</span><span class="mi">1</span><span class="p">.</span><span class="mi">00</span><span class="p">,</span> <span class="mi">5</span><span class="p">.</span><span class="mi">00</span><span class="p">,</span> <span class="mi">10</span><span class="p">.</span><span class="mi">00</span><span class="p">)</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="nb">timestamp</span><span class="p">;</span> </code></pre> </div> <p>What's happening:</p> <p>Round dollar amounts at small values — $1.00, $5.00, $10.00 — are almost always card tests. Someone got a card number from a dump and they're checking if it works before reselling it. Real cardholders almost never buy something for exactly $1.00. Coffee is $4.73, gas is $52.81. The roundness is the signal.</p> <p>Amounts just below a threshold are different. $99.99 is interesting because at a lot of places, $100 is the line where the cashier is supposed to check ID. $499.99 is interesting because $500 is often a daily ATM cap. Whoever's doing the transaction knows the rules and is staying under them.</p> <p>(For benefits transactions specifically, the round-number pattern doesn't help much. Benefits don't get card-tested the same way. There the signal is usually duplicate recipients, which is a different post.)</p> <h2> 4. Suspicious merchants </h2> <p>When a skimmer compromises a card reader at, say, a gas pump, you don't get one fraud case. You get dozens. Every card swiped at that pump for the next few weeks is now in someone's database. So the symptom from the merchant side is: an unusual number of unrelated cards spending more than usual, in a short window.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">merchant_id</span><span class="p">,</span> <span class="n">date_trunc</span><span class="p">(</span><span class="s1">'hour'</span><span class="p">,</span> <span class="nb">timestamp</span><span class="p">)</span> <span class="k">AS</span> <span class="n">hour_bucket</span><span class="p">,</span> <span class="k">count</span><span class="p">(</span><span class="k">DISTINCT</span> <span class="n">cardholder_id</span><span class="p">)</span> <span class="k">AS</span> <span class="n">unique_cards</span><span class="p">,</span> <span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">AS</span> <span class="n">total_tx</span><span class="p">,</span> <span class="k">sum</span><span class="p">(</span><span class="n">amount</span><span class="p">)</span> <span class="k">AS</span> <span class="n">total_amount</span> <span class="k">FROM</span> <span class="n">transactions</span> <span class="k">WHERE</span> <span class="nb">timestamp</span> <span class="o">&gt;=</span> <span class="k">current_date</span> <span class="o">-</span> <span class="n">INTERVAL</span> <span class="s1">'7 days'</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">2</span> <span class="k">HAVING</span> <span class="k">count</span><span class="p">(</span><span class="k">DISTINCT</span> <span class="n">cardholder_id</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mi">20</span> <span class="k">AND</span> <span class="k">sum</span><span class="p">(</span><span class="n">amount</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mi">5000</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">total_amount</span> <span class="k">DESC</span><span class="p">;</span> </code></pre> </div> <p>The problem with static thresholds (20 unique cards, $5000) is they don't account for size. A Costco does that in 90 seconds. A used bookshop, never. So the better version compares each merchant against itself:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">WITH</span> <span class="n">merchant_hourly</span> <span class="k">AS</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="n">merchant_id</span><span class="p">,</span> <span class="n">date_trunc</span><span class="p">(</span><span class="s1">'hour'</span><span class="p">,</span> <span class="nb">timestamp</span><span class="p">)</span> <span class="k">AS</span> <span class="n">hour_bucket</span><span class="p">,</span> <span class="k">count</span><span class="p">(</span><span class="k">DISTINCT</span> <span class="n">cardholder_id</span><span class="p">)</span> <span class="k">AS</span> <span class="n">unique_cards</span> <span class="k">FROM</span> <span class="n">transactions</span> <span class="k">WHERE</span> <span class="nb">timestamp</span> <span class="o">&gt;=</span> <span class="k">current_date</span> <span class="o">-</span> <span class="n">INTERVAL</span> <span class="s1">'60 days'</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">2</span> <span class="p">),</span> <span class="n">with_baseline</span> <span class="k">AS</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="o">*</span><span class="p">,</span> <span class="k">avg</span><span class="p">(</span><span class="n">unique_cards</span><span class="p">)</span> <span class="n">OVER</span> <span class="p">(</span> <span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">merchant_id</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">hour_bucket</span> <span class="k">ROWS</span> <span class="k">BETWEEN</span> <span class="mi">168</span> <span class="k">PRECEDING</span> <span class="k">AND</span> <span class="mi">1</span> <span class="k">PRECEDING</span> <span class="p">)</span> <span class="k">AS</span> <span class="n">rolling_avg_cards</span> <span class="k">FROM</span> <span class="n">merchant_hourly</span> <span class="p">)</span> <span class="k">SELECT</span> <span class="o">*</span><span class="p">,</span> <span class="n">unique_cards</span> <span class="o">/</span> <span class="k">nullif</span><span class="p">(</span><span class="n">rolling_avg_cards</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="k">AS</span> <span class="n">spike_ratio</span> <span class="k">FROM</span> <span class="n">with_baseline</span> <span class="k">WHERE</span> <span class="n">unique_cards</span> <span class="o">&gt;</span> <span class="n">rolling_avg_cards</span> <span class="o">*</span> <span class="mi">3</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">spike_ratio</span> <span class="k">DESC</span><span class="p">;</span> </code></pre> </div> <p>The 168 is the trailing seven days of hourly buckets. I use a week because daily and weekly seasonality matters — Tuesday 2pm at a coffee shop is not the same baseline as Saturday 9am at the same shop. A week catches both cycles.</p> <p>Three times normal is where I start. It's loose enough not to drown you in alerts but tight enough to flag the actually weird hours.</p> <h2> 5. Off-hours </h2> <p>Most people are creatures of habit when they spend money. A nine-to-fiver doesn't suddenly start buying gas at 3am. If their card does, it's either being used by someone else or they're traveling — and travel produces other signals you can check.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">WITH</span> <span class="n">cardholder_hour_pattern</span> <span class="k">AS</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="k">EXTRACT</span><span class="p">(</span><span class="n">HOUR</span> <span class="k">FROM</span> <span class="nb">timestamp</span><span class="p">)</span> <span class="k">AS</span> <span class="n">hour_of_day</span><span class="p">,</span> <span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">AS</span> <span class="n">tx_count</span> <span class="k">FROM</span> <span class="n">transactions</span> <span class="k">WHERE</span> <span class="nb">timestamp</span> <span class="o">&gt;=</span> <span class="k">current_date</span> <span class="o">-</span> <span class="n">INTERVAL</span> <span class="s1">'90 days'</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">2</span> <span class="p">),</span> <span class="n">cardholder_normal</span> <span class="k">AS</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="k">min</span><span class="p">(</span><span class="n">hour_of_day</span><span class="p">)</span> <span class="n">FILTER</span> <span class="p">(</span><span class="k">WHERE</span> <span class="n">tx_count</span> <span class="o">&gt;=</span> <span class="mi">2</span><span class="p">)</span> <span class="k">AS</span> <span class="n">earliest_hour</span><span class="p">,</span> <span class="k">max</span><span class="p">(</span><span class="n">hour_of_day</span><span class="p">)</span> <span class="n">FILTER</span> <span class="p">(</span><span class="k">WHERE</span> <span class="n">tx_count</span> <span class="o">&gt;=</span> <span class="mi">2</span><span class="p">)</span> <span class="k">AS</span> <span class="n">latest_hour</span> <span class="k">FROM</span> <span class="n">cardholder_hour_pattern</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="mi">1</span> <span class="p">)</span> <span class="k">SELECT</span> <span class="n">t</span><span class="p">.</span><span class="n">cardholder_id</span><span class="p">,</span> <span class="n">t</span><span class="p">.</span><span class="nb">timestamp</span><span class="p">,</span> <span class="n">t</span><span class="p">.</span><span class="n">amount</span><span class="p">,</span> <span class="n">t</span><span class="p">.</span><span class="n">merchant_id</span> <span class="k">FROM</span> <span class="n">transactions</span> <span class="n">t</span> <span class="k">JOIN</span> <span class="n">cardholder_normal</span> <span class="n">cn</span> <span class="k">USING</span> <span class="p">(</span><span class="n">cardholder_id</span><span class="p">)</span> <span class="k">WHERE</span> <span class="k">EXTRACT</span><span class="p">(</span><span class="n">HOUR</span> <span class="k">FROM</span> <span class="n">t</span><span class="p">.</span><span class="nb">timestamp</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">BETWEEN</span> <span class="n">cn</span><span class="p">.</span><span class="n">earliest_hour</span> <span class="k">AND</span> <span class="n">cn</span><span class="p">.</span><span class="n">latest_hour</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">t</span><span class="p">.</span><span class="nb">timestamp</span> <span class="k">DESC</span><span class="p">;</span> </code></pre> </div> <p>The "two or more in that hour" filter on the inner query is doing important work. Without it, one stray late-night gas station purchase three months ago becomes part of the cardholder's "normal" hours, and you never flag them again. Requiring at least two purchases in a given hour, in 90 days, sets the bar at "actually a habit" instead of "happened once."</p> <p>Drawback: this doesn't work until you have history. New accounts have no baseline. For those, you fall back to global hour patterns or just skip this pattern entirely until they've been around for a couple months.</p> <h2> 6. Window functions for chained signals </h2> <p>This one isn't really a pattern. It's a setup that makes the other five patterns composable.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="nb">timestamp</span><span class="p">,</span> <span class="n">amount</span><span class="p">,</span> <span class="n">merchant_id</span><span class="p">,</span> <span class="nb">timestamp</span> <span class="o">-</span> <span class="n">LAG</span><span class="p">(</span><span class="nb">timestamp</span><span class="p">)</span> <span class="n">OVER</span> <span class="n">w</span> <span class="k">AS</span> <span class="n">time_since_last</span><span class="p">,</span> <span class="k">CASE</span> <span class="k">WHEN</span> <span class="n">merchant_id</span> <span class="o">&lt;&gt;</span> <span class="n">LAG</span><span class="p">(</span><span class="n">merchant_id</span><span class="p">)</span> <span class="n">OVER</span> <span class="n">w</span> <span class="k">THEN</span> <span class="s1">'changed'</span> <span class="k">ELSE</span> <span class="s1">'same'</span> <span class="k">END</span> <span class="k">AS</span> <span class="n">merchant_change</span><span class="p">,</span> <span class="k">sum</span><span class="p">(</span><span class="n">amount</span><span class="p">)</span> <span class="n">OVER</span> <span class="p">(</span> <span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">cardholder_id</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="nb">timestamp</span> <span class="k">RANGE</span> <span class="k">BETWEEN</span> <span class="n">INTERVAL</span> <span class="s1">'24 hours'</span> <span class="k">PRECEDING</span> <span class="k">AND</span> <span class="k">CURRENT</span> <span class="k">ROW</span> <span class="p">)</span> <span class="k">AS</span> <span class="n">running_24h_total</span><span class="p">,</span> <span class="n">ROW_NUMBER</span><span class="p">()</span> <span class="n">OVER</span> <span class="p">(</span> <span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="nb">date</span><span class="p">(</span><span class="nb">timestamp</span><span class="p">)</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="nb">timestamp</span> <span class="p">)</span> <span class="k">AS</span> <span class="n">tx_of_day</span> <span class="k">FROM</span> <span class="n">transactions</span> <span class="k">WINDOW</span> <span class="n">w</span> <span class="k">AS</span> <span class="p">(</span><span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">cardholder_id</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="nb">timestamp</span><span class="p">)</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="nb">timestamp</span><span class="p">;</span> </code></pre> </div> <p>Once you've materialized those columns, fraud rules collapse to filter expressions. Say you're hunting card-testing rings, where the tell is "lots of small charges, all at different merchants, within minutes of each other." The rule becomes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">tx_with_windows</span> <span class="k">WHERE</span> <span class="n">tx_of_day</span> <span class="o">&gt;=</span> <span class="mi">5</span> <span class="k">AND</span> <span class="n">time_since_last</span> <span class="o">&lt;</span> <span class="n">INTERVAL</span> <span class="s1">'60 seconds'</span> <span class="k">AND</span> <span class="n">merchant_change</span> <span class="o">=</span> <span class="s1">'changed'</span><span class="p">;</span> </code></pre> </div> <p>Three filters. That's it.</p> <p>The reason this matters is that the moment your analysts can express new fraud hypotheses as SQL filters instead of engineering tickets, your iteration loop drops from weeks to hours. You catch more fraud, faster.</p> <h2> Putting it together </h2> <p>None of these alone is enough. Velocity has false positives (vending operators). Geographic impossibility misses anything inside a single metro. Amount anomalies don't apply outside of card-test contexts. The off-hours rule needs history.</p> <p>What works is running them all and scoring each transaction across the signals. A transaction that fails on three or four of them is almost always fraud. A transaction that fails on one might be your grandma being weird with her debit card on vacation.</p> <p>If you're brand new to fraud detection, start with pattern 1. It alone will surface a useful amount of fraud and very little legitimate activity, and it's cheap to run.</p> <p>If you've already got 1 through 5, the place to invest is pattern 6 — those window-function primitives. Every analyst on your team will use them once they exist, and adding the next fraud pattern stops being a project.</p> <h2> Things I left out </h2> <p>A few things this post doesn't cover that come up constantly:</p> <p>NULL handling. Real transaction tables don't use NULL the way intro SQL books do. A lot of legacy systems use sentinel values like <code>9999-12-31</code> for "no end date" or <code>0001-01-01</code> for "no start date." Filtering with <code>IS NULL</code> will silently miss those rows. Always check what the convention is in your specific table before writing WHERE clauses that assume NULL.</p> <p>False positives. Every rule above will flag real cardholders doing weird-but-legitimate things. Your fraud workflow needs human review of flagged cases, with a feedback loop that lets you tune thresholds based on what's actually fraud and what isn't. Auto-blocking on a single rule is how you lose customers.</p> <p>Privacy. If the data has PII, your queries need to comply with your applicable data-use policies. De-identified or sampled data first, production data with authorization second.</p> <p>Cost. Window functions with big partitions are not cheap. Filter your date range first, then apply the window, not the other way around. I've watched a junior analyst burn through a warehouse credit budget by running a <code>LAG()</code> across two years of transactions on the entire dataset before adding the WHERE.</p> <p>Things I want to write about next, depending on what people ask for:</p> <ul> <li>Eight window-function tricks beyond <code>LAG</code> and <code>ROW_NUMBER</code> </li> <li>Detecting fraud rings, which is the social-graph problem in disguise</li> <li>What goes on a fraud team's dashboard, and what doesn't</li> <li>Why your fraud alerts are noisy, and how to actually fix that instead of just raising thresholds</li> </ul> <p>If there's something specific you want covered, message through <a href="https://fixelsmith.com" rel="noopener noreferrer">fixelsmith.com</a>.</p> <p><em>Fixel Smith is an experienced Program Integrity Analyst working in public-sector data.</em></p> sql analytics frauddetection database