Statistical Fraud Detection: A Review

Author(s): Richard J. Bolton and David J. Hand

Source: Statistical Science, Vol. 17, No. 3 (Aug., 2002), pp. 235-249
Published by: Institute of Mathematical Statistics
Stable URL: http://www.jstor.org/stable/3182781 .
Accessed: 17/08/2013 15:38

Your use of the JSTOR archive indicates your acceptance of the Terms & Conditions of Use, available at .
http://www.jstor.org/page/info/about/policies/terms.jsp

.
JSTOR is a not-for-profit service that helps scholars, researchers, and students discover, use, and build upon a wide range of
content in a trusted digital archive. We use information technology and tools to increase productivity and facilitate new forms
of scholarship. For more information about JSTOR, please contact [email protected].

Institute of Mathematical Statistics is collaborating with JSTOR to digitize, preserve and extend access to
Statistical Science.

http://www.jstor.org

This content downloaded from 206.212.0.156 on Sat, 17 Aug 2013 15:38:38 PM

All use subject to JSTOR Terms and Conditions
Statistical
Science
2002,Vol. 17,No. 3, 235-255

StatisticalFraud Detection:A Review

RichardJ. Boltonand DavidJ. Hand

Abstract. Fraudis increasingdramatically withtheexpansionof modem

of
technologyand the global superhighways communication, in
resulting
the loss of billionsof dollarsworldwideeach year.Althoughprevention
technologiesare the best way to reduce fraud,fraudsters are adaptive
and, given time,will usually findways to circumvent such measures.
Methodologiesforthe detectionof fraudare essentialif we are to catch
fraudstersonce fraudprevention and machinelearning
has failed.Statistics
provideeffective technologiesforfrauddetectionand have been applied
successfully suchas moneylaundering,
todetectactivities e-commerce credit
cardfraud,telecommunications fraudandcomputer tonamebuta
intrusion,
few.We describethetools availableforstatistical frauddetectionand the
areasin whichfrauddetection technologiesaremostused.
statistics,
Key words and phrases: Fraud detection,fraudprevention,
machinelearning,
moneylaundering,computer e-commerce,
intrusion, credit
cards,telecommunications.

1. INTRODUCTION identificationnumbers forbankcards, Internetsecurity

systemsforcreditcardtransactions, Subscriber Iden-
The Concise OxfordDictionarydefinesfraudas
tityModule(SIM) cardsformobilephones,andpass-
"criminal deception;theuse offalserepresentations to
wordson computersystemsand telephonebank ac-
gainan unjustadvantage." Fraudis as old as humanity
counts.Of course,none of thesemethodsis perfect
itselfand can take an unlimitedvarietyof different
and,ingeneral,a compromise hastobe struck between
forms.However,in recentyears,thedevelopment of
expenseandinconvenience (e.g.,to a customer) on the
newtechnologies (whichhavemadeit easierforus to onehand,andeffectiveness on theother.
communicate andhelpedincreaseourspending power) Incontrast, frauddetectioninvolvesidentifying fraud
has also providedyetfurther waysin whichcriminals as quicklyas possibleonce it has been perpetrated.
may commitfraud.Traditionalformsof fraudulent Frauddetectioncomes intoplay once
fraudpreven-
behaviorsuchas moneylaundering havebecomeeasier tionhas failed.In practice,of coursefrauddetection
to perpetrateand have been joined by new kindsof mustbe usedcontinuously, as one willtypicallybe un-
fraudsuch as mobiletelecommunications fraudand awarethatfraudprevention has failed.We can tryto
computer intrusion. prevent creditcardfraudby guarding ourcardsassid-
We begin by distinguishing betweenfraudpre- uously,butifnevertheless thecard'sdetailsarestolen,
ventionand frauddetection.Fraud preventionde- thenwe needto be able to detect,as soon as possible,
scribesmeasuresto stopfraudfromoccurring in the thatfraudis beingperpetrated.
firstplace. These includeelaboratedesigns,fluores- Fraud detectionis a continuously evolvingdisci-
centfibers,multitonedrawings,watermarks, laminated pline.Whenever itbecomesknownthatone detection
metalstripsand holographson banknotes, personal methodis in place, criminalswill adapttheirstrate-
gies and tryothers.Of course,newcriminalsare also
RichardJ.Boltonis ResearchAssociateintheStatistics constantly enteringthefield.Manyofthemwillnotbe
SectionoftheDepartment ofMathematics at Imperial awareofthefrauddetection methodswhichhavebeen
College.David J. Hand is Professorof Statisticsin successfulin thepastand will adoptstrategies which
theDepartment of Mathematics at ImperialCollege, lead to identifiable
frauds.This meansthattheearlier
LondonSW7 2BZ, UnitedKingdom(e-mail:rbolton, detection toolsneedto be appliedas well as thelatest
[email protected]). developments.

235

This content downloaded from 206.212.0.156 on Sat, 17 Aug 2013 15:38:38 PM

All use subject to JSTOR Terms and Conditions
236 R. J.BOLTON AND D. J.HAND

The development of new frauddetectionmethods theoriginaldata used to buildthemodels.It also re-

is made moredifficult by thefactthattheexchange quiresthatone has examplesofbothclasses.Further-
of ideas in frauddetection is severelylimited.It does more,it can onlybe used to detectfraudsof a type
notmakesenseto describefrauddetection techniques whichhavepreviously occurred.
in greatdetail in the public domain,as this gives In contrast, unsupervised methodssimplyseekthose
criminalsthe information thattheyrequireto evade accounts,customersand so forthwhich are most
detection.Data setsarenotmadeavailableandresults dissimilar fromthenorm.Thesecan thenbe examined
are oftencensored,makingthemdifficult to assess moreclosely.Outliersarea basicformofnonstandard
(e.g.,Leonard,1993). observation. Tools used forcheckingdataqualitycan
Manyfrauddetectionproblemsinvolvehuge data be used,butthedetection ofaccidental errorsis a rather
sets thatare constantly evolving.For example,the different problemfromthe detectionof deliberately
creditcardcompany Barclaycard carriesapproximately falsifieddata or data which accuratelydescribea
350 milliontransactions a yearin the UnitedKing- fraudulent pattern.
dom alone (Hand, Blunt,Kelly and Adams,2000), This leads us to notethefundamental pointthatwe
The Royal Bank of Scotland,whichhas the largest can seldombe certain,by statisticalanalysisalone,
creditcard merchantacquiringbusinessin Europe, thata fraudhas beenperpetrated. Rather,theanalysis
carriesover a billiontransactions a yearand AT&T shouldbe regarded as alerting us tothefactthatan ob-
carriesaround275 millioncalls eachweekday(Cortes servation is anomalous,ormorelikelytobe fraudulent
and Pregibon,1998). Processingthese data sets in thanothers,so thatitcan thenbe investigated in more
a searchforfraudulent transactions or calls requires detail.One can thinkof theobjectiveof thestatisti-
more than mere noveltyof statisticalmodel, and cal analysisas beingtoreturn a suspicionscore(where
also needsfastand efficient algorithms: data mining we willregarda higherscoreas moresuspiciousthan
techniquesare relevant.These numbersalso indicate a lowerone). The higherthescoreis, thenthemore
the potentialvalue of frauddetection:if 0.1% of a unusualis theobservation or themorelikepreviously
100 milliontransactions are fraudulent, each losing fraudulent values it is. The factthatthereare many
thecompanyjust?10, thenoverallthecompanyloses different waysin whichfraudcan be perpetrated and
?1 million. manydifferent scenariosin whichit can occurmeans
Statisticaltools forfrauddetectionare manyand thatthereare manydifferent waysto computesuspi-
varied,since data fromdifferent applicationscan be cion scores.
diversein bothsize and type,butthereare common Suspicionscorescanbe computed foreachrecordin
themes.Suchtoolsareessentially basedon comparing thedatabase(foreachcustomer witha bankaccountor
theobserveddata withexpectedvalues,butexpected creditcard,foreachownerofa mobilephone,foreach
valuescan be derivedin variousways,dependingon desktopcomputer andso on),andthesecanbe updated
thecontext. Theymaybe singlenumerical summaries as timeprogresses.These scores can thenbe rank
of someaspectof behaviorand theyare oftensimple orderedand investigative attention can be focussedon
graphicalsummaries in whichan anomalyis readily thosewiththehighestscoresoron thosewhichexhibit
apparent, buttheyarealso oftenmorecomplex(multi- a suddenincrease.Hereissuesofcostenter:giventhat
variate)behaviorprofiles. Such behaviorprofilesmay itis tooexpensivetoundertake a detailedinvestigation
be basedon pastbehaviorofthesystembeingstudied of all records,one concentrates investigationon those
(e.g.,thewaya bankaccounthasbeenpreviously used) thought mostlikelytobe fraudulent.
or be extrapolated fromothersimilarsystems.Things One of thedifficulties withfrauddetectionis that
areoftenfurther complicated by thefactthat,in some typicallythereare manylegitimate recordsforeach
domains(e.g.,trading on the stockmarket) a givenac- fraudulent one. A detectionmethodwhichcorrectly
tormaybehaveina fraudulent manner someofthetime identifies 99% of thelegitimate recordsas legitimate
andnotat othertimes. and99% ofthefraudulent recordsas fraudulent might
Statisticalfrauddetectionmethodsmay be super- be regardedas a highlyeffective system.However,if
visedorunsupervised. In supervised methods, samples only1 in 1000recordsis fraudulent, then,on average,
ofbothfraudulent andnonfraudulent recordsareused in every100 thatthesystemflagsas fraudulent, only
toconstruct modelswhichallowoneto assignnewob- about9 will in factbe so. In particular, this means
servations intoone of thetwoclasses.Of course,this thattoidentify those9 requiresdetailedexamination of
requiresone to be confident aboutthetrueclasses of all 100-at possiblyconsiderable cost.Thisleadsus to

This content downloaded from 206.212.0.156 on Sat, 17 Aug 2013 15:38:38 PM

All use subject to JSTOR Terms and Conditions
 STATISTICALFRAUD DETECTION 237

a moregeneralpoint:fraudcan be reducedto as low a costsof investigating observations and thebenefits of

levelas onelikes,butonlybyvirtueofa corresponding identifying fraud.Moreover,oftenclass membership
levelof effortand cost.In practice,somecompromise is uncertain. For example,credittransactions maybe
has to be reached,oftena commercialcompromise, labelledincorrectly: a fraudulent transactionmayre-
betweenthecostof detecting a fraudand thesavings mainunobserved and thusbe labeledlegitimate (and
to be madeby detecting it. Sometimestheissuesare the extentof thismay remainunknown)or a legit-
complicatedby, for example,the adversepublicity imatetransaction may be misreported as fraudulent.
accompanying frauddetection.At a businesslevel, Some workhas addressedmisclassification oftraining
revealingthata bankis a significant targetforfraud, samples(e.g.,Lachenbruch, 1966,1974;Chhikaraand
evenif muchhas been detected,does littleto inspire McKeon,1984),butnotin thecontextof frauddetec-
confidence, andata personallevel,takingactionwhich tionas faras we are aware.Issues suchas thesewere
impliesto an innocentcustomerthattheymay be discussedby Chanand Stolfo(1998) and Provostand
suspectedof fraudis obviouslydetrimental to good Fawcett(2001).
customer relations. Link analysis relates knownfraudsters to other
The body of thispaperis structured accordingto individualsusingrecordlinkageand social network
differentareas of frauddetection.Clearlywe cannot methods(Wasserman and Faust,1994). For example,
hopetocoverall areasinwhichstatistical methodscan intelecommunications networks,securityinvestigators
be applied.Instead,we haveselecteda fewareaswhere have foundthatfraudsters seldomworkin isolation
suchmethodsare used and wherethereis a bodyof fromeach other.Also, afteran accounthas been
expertiseand of literaturedescribing them.However, disconnected forfraud,thefraudster willoftencall the
beforelookingat the detailsof different application samenumbers fromanother account(Cortes,Pregibon
areas, Section2 providesa briefoverviewof some and Volinsky, 2001). Telephonecalls froman account
toolsforfrauddetection. can thusbe linkedto fraudulent accountsto indicate
intrusion. A similarapproachhas beentakenin money
2. FRAUDDETECTIONTOOLS laundering (GoldbergandSenator,1995,1998;Senator
As we mentioned above,frauddetection can be su- etal., 1995).
pervisedor unsupervised. Supervisedmethodsuse a Unsupervised methodsare used whenthereare no
databaseof knownfraudulent/legitimate cases from priorsets of legitimate and fraudulent observations.
whichto construct a modelwhichyieldsa suspicion Techniquesemployedhereare usuallya combination
scorefornew cases. Traditional statistical
classifica- of profiling and outlierdetection methods.We model
tionmethods(Hand, 1981; McLachlan,1992), such a baselinedistribution thatrepresents normalbehav-
as lineardiscriminantanalysisandlogisticdiscrimina- ior and thenattempt to detectobservations thatshow
tion,haveprovedto be effective toolsformanyappli- thegreatest departure fromthisnorm.Thereare sim-
cations,butmorepowerful tools(Ripley,1996; Hand, ilaritiesto authoridentification in textanalysis.Digit
1997; Webb,1999), especiallyneuralnetworks, have analysisusingBenford'slaw is an exampleof sucha
also beenextensively applied.Rule-basedmethodsare method.Benford'slaw (Hill, 1995) saysthatthedistri-
supervised learningalgorithms thatproduceclassifiers butionof thefirstsignificant digitsof numbersdrawn
usingrulesof theformIf {certainconditions},Then froma widevariety of randomdistributions willhave
{a consequent}.Examplesof suchalgorithms include (asymptotically) a certainform.Untilrecently, thislaw
BAYES (Clark and Niblett,1989), FOIL (Quinlan, was regardedas merelya mathematical curiositywith
1990) and RIPPER (Cohen, 1995). Tree-basedalgo- no apparentusefulapplication.However,Nigriniand
rithms suchas CART (Breiman, Friedman, Olshenand Mittermaier (1997) and Nigrini(1999) showedthat
Stone,1984) andC4.5 (Quinlan,1993)produceclassi- Benford'slawcanbe usedtodetectfraudinaccounting
fiersofa similarform.Combinations of someor all of data.The premisebehindfrauddetectionusingtools
thesealgorithms canbe createdusingmeta-learning al- such as Benford'slaw is thatfabricating data which
gorithms toimprove predictioninfrauddetection (e.g., conform toBenford'slaw is difficult.
Chan,Fan,Prodromidis andStolfo,1999). Fraudsters adapt to new prevention and detection
Major considerations when buildinga supervised measures,so frauddetection needsto be adaptiveand
toolforfrauddetection includethoseof unevenclass evolveovertime.However,legitimate accountusers
sizes and different
costsof different typesof misclas- may graduallychangetheirbehaviorover a longer
sification.We mustalso take intoconsideration the periodof timeand it is important to avoid spurious

This content downloaded from 206.212.0.156 on Sat, 17 Aug 2013 15:38:38 PM

All use subject to JSTOR Terms and Conditions
238 R. J.BOLTON AND D. J.HAND

alarms.Modelscan be updatedat fixedtimepointsor and the companydecreasesand revenueis lost, in

continuously overtime;see, forexample,Burgeand additionto thedirectlosses made through fraudulent
Shawe-Taylor(1997), Fawcettand Provost(1997a), sales. Because of thepotential forloss of sales due to
Cortes,Pregibonand Volinsky(2001) and Senator loss of confidence, in general,themerchants assume
(2000). responsibility forfraudlosses,evenwhenthevendor
Although modelsforfrauddetec-
thebasicstatistical has obtainedauthorization fromthecardissuer.
tioncan be categorizedas supervisedorunsupervised, Creditcardfraudmaybe perpetrated invariousways
theapplicationareasof frauddetection cannotbe de- (a description of thecreditcard industry and how it
scribedso conveniently.Theirdiversityis reflectedin functions is giveninBluntandHand,2000),including
theirparticular
operational and theva-
characteristics simpletheft, applicationfraudand counterfeit cards.
rietyand quantityof dataavailable,bothfeatures that In all of these,thefraudster uses a physicalcard,but
drivethechoiceofa suitablefrauddetection tool. physicalpossessionis notessentialtoperpetrate credit
cardfraud:oneofthemajorfraudareasis "cardholder-
3. CREDITCARD FRAUD not-present" fraud,whereonlythecard's detailsare
given(e.g.,overthephone).
The extentof creditcardfraudis difficult to quan- Use of a stolencardis perhapsthemoststraightfor-
tify,partlybecause companiesare oftenloathto re- wardtypeof creditcardfraud.In thiscase, thefraud-
lease fraudfiguresin case theyfrighten thespending stertypically spendsas muchas possiblein as shorta
publicand partlybecause the figureschange(prob- space of timeas possible,beforethetheftis detected
ably grow) over time.Variousestimateshave been andthecardis stopped;hence,detecting thetheft early
given.Forexample,Leonard(1993) suggested thecost can prevent largelosses.
of Visa/Mastercard fraudin Canada in 1989, 1990 Applicationfraudarises when individualsobtain
and 1991 was $19, 29 and 46 million(Canadian),re- new creditcardsfromissuingcompaniesusingfalse
spectively. Ghoshand Reilly(1994) suggesteda fig- personalinformation. Traditionalcreditscorecards
ure of $850 million(U.S.) per yearforall typesof (Hand andHenley,1997) areusedto detectcustomers
creditcardfraudin theUnitedStates,and Aleskerov, whoarelikelyto default, andthereasonsforthismay
Freisleben andRao (1997) citedestimates of$700 mil- includefraud.Such scorecardsare based on thede-
lionintheUnitedStateseachyearforVisa/Mastercard tailsgivenon theapplicationformsand perhapsalso
and$10 billionworldwide in 1996.Microsoft's Expe- on otherdetailssuchas bureauinformation. Statistical
dia set aside $6 millionforcreditcardfraudin 1999 modelswhichmonitor behavior over time be used
can
(Patient,2000). Totallosses through creditcardfraud todetectcardswhichhavebeenobtainedfroma fraud-
intheUnitedKingdomhavebeengrowing rapidlyover ulentapplication timecardholderwhoruns
(e.g.,a first
thelast4 years[1997,?122 million;1998,?135 mil- outand rapidlymakesmanypurchasesshouldarouse
lion; 1999,?188 million;2000,?293 million.Source: suspicion).Withapplicationfraud,however,urgency
AssociationforPaymentClearingServices,London is notas important to thefraudster anditmightnotbe
(APACS)] and recently APACS reported ?373.7 mil- untilaccountsaresentoutorrepayment datesbeginto
lion losses in the 12 monthsendingAugust2001. pass thatfraudis suspected.
Jenkins (2000) says "forevery?100 you spendon a Cardholder-not-present fraudoccurswhenthetrans-
cardin theUK, 13p is lostto fraudsters." Mattersare actionis maderemotely, so thatonlythecard'sdetails
complicated by issuesofexactlywhatone includesin are needed,and a manualsignature and cardimprint
thefraudfigures. Forexample,bankruptcy fraudarises arenotrequiredat thetimeofpurchase.Suchtransac-
whenthecardholder makespurchases forwhichhe/she tionsincludetelephonesales and on-linetransactions,
has no intention of payingand thenfilesforpersonal andthistypeoffraudaccountsfora highproportion of
bankruptcy, leavingthebanktocoverthelosses.Since losses.To undertake suchfrauditis necessary toobtain
thesearegenerally regardedas charge-off losses,they thedetailsofthecardwithout thecardholder's knowl-
oftenarenotincludedin fraudfigures. However,they edge. This is done in variousways,including"skim-
can be substantial: GhoshandReilly(1994) citedone ming,"whereemployeesillegallycopy themagnetic
estimate of$2.65 billionforbankruptcy fraudin 1992. stripon a creditcard by swipingit through a small
It is in a companyand card issuer'sinterests to handheldcard reader,"shouldersurfers," who enter
preventfraudor,failingthis,to detectfraudas soon card detailsintoa mobilephonewhilestandingbe-
as possible.Otherwise consumer trustin boththecard hinda purchaser ina queue,andpeopleposingas credit

This content downloaded from 206.212.0.156 on Sat, 17 Aug 2013 15:38:38 PM

All use subject to JSTOR Terms and Conditions
 STATISTICALFRAUD DETECTION 239

cardcompanyemployeestakingdetailsof creditcard wheretheaimis toillustrate newdataanalytictoolsby

transactions fromcompaniesoverthephone.Counter- applyingthemto the detectionof fraud,ratherthan
feitcards,currently thelargestsourceof creditcard to describemethodsof frauddetectionper se. Fur-
fraudin the UnitedKingdom(source:APACS), can thermore, since anomalydetectionmethodsare very
also be createdusingthisinformation. Transactions contextdependent, muchof the publishedliterature
made by fraudsters usingcounterfeit cardsand mak- in the area concentrates on supervisedclassification
ing cardholder-not-present purchasescan be detected methods.In particular, rule-basedsystemsand neural
throughmethodswhichseek changesin transaction networks haveattracted interest.
Researchers whohave
patterns, as well as checkingforparticular patterns used neuralnetworks forcreditcard frauddetection
whichareknowntobe indicative ofcounterfeiting. includeGhosh and Reilly (1994), Aleskerovet al.
Creditcard databasescontaininformation on each (1997), Dorronsoro, Ginel,Sanchezand Cruz (1997)
transaction. This information includessuchthingsas andBrause,Langsdorf andHepp(1999),mainlyin the
merchant code, accountnumber, typeof creditcard, context ofsupervised classification. HNC Software has
typeof purchase,clientname,size of transaction and developedFalcon,a software packagethatreliesheav-
dateof transaction. Some of thesedataare numerical ilyon neuralnetwork technology to detectcreditcard
(e.g.,transaction size) andothersarenominalcategor- fraud.
ical (e.g.,merchant code,whichcan havehundreds of Supervisedmethods, usingsamplesfromthefraud-
thousandsof categories)or symbolic.The mixeddata ulent/nonfraudulent classes as the basis to construct
typeshave led to theapplicationof a wide varietyof classification
rulesto detectfuture cases offraud,suf-
statistical,machinelearning anddataminingtools. ferfromtheproblemof unbalancedclass sizes men-
Suspicionscoresto detectwhetheran accounthas tionedabove:thelegitimate transactions generally far
beencompromised can be basedon modelsofindivid-
outnumber thefraudulent ones.Brause,Langsdorf and
ual customers'previoususage patterns, standardex-
Hepp (1999) said that,in theirdatabase of credit
pectedusage patterns, particular patternswhichare
card transactions, "the probability of fraudis very
knownto be oftenassociatedwithfraud,and on su-
low (0.2%) and has been loweredin a preprocessing
pervisedmodels.A simpleexampleofthepatterns ex-
stepby a conventional frauddetectingsystemdown
hibitedbyindividual customers is giveninFigure16of
to 0.1%." Hassibi (2000) remarked that"outof some
HandandBlunt(2001),whichshowshowtheslopesof
12 billiontransactions made annually,approximately
cumulative creditcardspendingovertimeareremark-
10 million-or one out of every1200 transactions-
ably linear.Suddenjumps in thesecurvesor sudden
changesof slope (transaction or expenditure ratesud- turnoutto be fraudulent. Also, 0.04% (4 outofevery
denlyexceedingsome threshold) meritinvestigation. 10,000)ofall monthly activeaccountsarefraudulent."
Likewise,some customerspractice"jam jarring"- It followsfromthis sortof figurethatsimplemis-
restricting particularcardsto particular typesof pur- classificationrate cannotbe used as a performance
chases (e.g., usinga givencard forpetrolpurchases measure:witha bad rateof 0.1%, simplyclassifying
onlyand a different one forsupermarket purchases), everytransaction as legitimate willyieldan errorrate
so thatusageofa cardtomakean unusualtypeofpur- of only0.001. Instead,one musteitherminimizean
chase can triggeran alarmforsuch customers. At a appropriate cost-weighted loss or fixsome parameter
moregenerallevel,suspicionscorescan also be based (suchas thenumberofcases one can afford to investi-
on expectedoverallusage profiles.For example,first gatein detail)andthentryto maximizethenumberof
timecreditcardusersare typically fairlyten-
initially fraudulentcases detectedsubjecttotheconstraints.
tativein theirusage,whereasthosetransferring loans Stolfoet al. (1997a, b) outlineda meta-classifier
fromanothercard are generallynot so reticent.Fi- systemfordetectingcreditcard fraudthatis based
nally,examplesof overalltransaction patternsknown on the idea of using different local frauddetection
to be intrinsically suspiciousare thesuddenpurchase toolswithineach different corporate environment and
ofmanysmallelectricalitemsorjewelry(goodswhich mergingthe resultsto yield a moreaccurateglobal
permit easyblackmarket resale)andtheimmediate use tool. This workwas elaboratedin Chan and Stolfo
ofa newcardin a widerangeofdifferent locations. (1998), Chan,Fan,Prodromidis andStolfo(1999) and
We commentedabove that,for obvious reasons, Stolfoet al. (1999), who describeda morerealistic
thereis a dearthof publishedliterature on fraudde- cost modelto accompanythe different classification
tection.Much of thatwhichhas been publishedap- outcomes.Wheelerand Aitken(2000) also explored
pears in the methodological data analyticliterature, thecombination ofmultiple classification rules.

This content downloaded from 206.212.0.156 on Sat, 17 Aug 2013 15:38:38 PM

All use subject to JSTOR Terms and Conditions
240 R. J.BOLTON AND D. J.HAND

4. MONEYLAUNDERING creditcardindustry. Whereascreditcardfraudcomes

to lightfairlyearlyon,in moneylaundering it maybe
Moneylaundering is the processof obscuringthe
yearsbeforeindividual transfers or accountsaredefin-
source,ownership or use of funds,usuallycash,that
itivelyand legallyidentified as partof a laundering
aretheprofits ofillicitactivity. The size oftheproblem
process.While,in principle(assumingrecordshave
is indicatedin a 1995 U.S. Officeof Technology As-
been kept),one could go back and tracetherelevant
sessment(OTA) report(U.S. Congress,1995): "Fed-
transactions,inpracticenotall ofthemwouldbe iden-
eralagenciesestimatethatas muchas $300 billionis
tified,so detracting fromtheiruse in supervisedde-
launderedannually,worldwide.From$40 billionto
tectionmethods.Furthermore, thereis typicallyless
$80 billionof thismay be drugprofitsmade in the extensiveinformation availablefortheaccounthold-
UnitedStates."Prevention is attempted bymeansofle- ersin investment banksthanthereis in retailbanking
gal constraints andrequirements-the burdenofwhich operations. Developingmoredetailedcustomer record
is gradually increasing-andtherehas beenmuchde- systems mightbe a goodwayforward.
baterecently abouttheuse ofencryption. However,no As withotherareas of fraud,moneylaundering
prevention strategy is foolproof anddetection is essen- detection workshandinhandwithprevention. In 1970,
tial.In particular,theSeptember11thterrorist attacks forexample,in theUnitedStatestheBank Secrecy
on New YorkCityand thePentagonhavefocusedat- Actrequired thatbanksreport all currencytransactions
tentionon the detectionof moneylaundering in an of over $10,000 to the authorities. However,also
attempt to starveterrorist networks offunds. as in otherareas of fraud,the perpetrators adapt
Wiretransfers providea naturaldomainforlaunder- theirmodusoperandito matchthe changingtactics
ing: accordingto the OTA report,each day in 1995 of the authorities. So, followingthe requirement of
abouthalfa millionwiretransfers, valuedatmorethan banksto reportcurrency transactions of over$10,000,
$2 trillion(U.S.), werecarriedout usingtheFedwire the obviousstrategy was developedto dividelarger
and CHIPS systems, alongwithalmosta quarterof a sumsintomultipleamountsof less than$10,000and
milliontransfers usingthe SWIFT system.It is esti- depositthemin different banks (a practicetermed
matedthataround0.05-0.1% ofthesetransactions in- smurfing or structuring). In theUnitedStates,thisis
volvedlaundering. Sophisticated statistical
and other now illegal,buttheway themoneylaunderers adapt
on-linedata analyticprocedures are neededto detect to the prevailingdetectionmethodscan lead one to
suchlaundering activity. Sinceitis nowbecominga le- thepessimistic perspective thatonlytheincompetent
galrequirement toshowthatall reasonablemeanshave moneylaunderersare detected.This, clearly,also
beenused to detectfraud,we mayexpectto see even limitsthevalue of superviseddetectionmethods:the
greater application ofsuchtools. patternsdetectedwill be thosepatternswhichwere
Wiretransfers containitemssuchas dateoftransfer, characteristic of fraudin the past, but whichmay
identity ofsender, routing number oforiginating bank, no longerbe so. Otherstrategiesused by money
identity ofrecipient, routing numberofrecipient bank launderers whichlimitthevalueofsupervised methods
and amounttransferred. Sometimesthosefieldsnot include switchingbetweenwire and physicalcash
neededfortransfer are leftblank,freetextfieldsmay movements, the creationof shell businesses,false
be completedin different ways and, worsestill,but invoicing and,ofcourse,thefactthata singletransfer,
inevitable,sometimes thedatahaveerrors.Automatic in itself,is unlikelyto appear to be a laundering
errordetection(and correction)softwarehas been transaction. Furthermore, because of the large sums
developed, basedon semantic andsyntactic constraints involved, money launderers arehighly and
professional
of
on possible content,but, course, this can never oftenhave contactsin thebankswho can feedback
be a completesolution.Mattersare also complicated detailsofthedetection strategies beingapplied.
by the factthatbanks do not sharetheirdata. Of The numberof currency transactions over$10,000
course,banks are not the only bodies thattransfer in value increaseddramatically afterthemid-1980s,
moneyelectronically, and otherbusinesseshavebeen to theextentthatthenumberof reportsfiledis huge
established preciselyforthispurpose[theOTA report (over 10 millionin 1994,withtotalworthof around
(U.S. Congress,1995) estimatesthenumberof such $500 billion),and thisin itselfcan cause difficulties.
businessesas 200,000]. In an attempt to cope withthis,theFinancialCrimes
The detection ofmoneylaundering presents difficul- Enforcement Network (FinCEN) of theU.S. Depart-
tiesnotencountered in areassuchas, forexample,the ment of the Treasury processes all suchreportsusing

This content downloaded from 206.212.0.156 on Sat, 17 Aug 2013 15:38:38 PM

All use subject to JSTOR Terms and Conditions
 STATISTICALFRAUD DETECTION 241

theFinCEN artificialintelligencesystem(FAIS) de- moneylaundering schemesrequirestheabilityto re-

scribedbelow.Moregenerally, banksarealso required construct thesepatterns of transactions by linkingpo-
to reportanysuspicioustransactions,and about0.5% tentiallyrelatedtransactions and thento distinguish
ofcurrency transaction
reportsareso flagged. thelegitimate setsoftransactions fromtheillegitimate
Moneylaundering involvesthreesteps: ones.This techniqueof finding relationships between
elements ofinformation, calledlinkanalysis,is thepri-
1. Placement:the introduction of the cash into the
maryanalytictechniqueused in law enforcement in-
bankingsystemor legitimate business(e.g., trans-
telligence(Andrewsand Peterson,1990)." An obvi-
ferringthe banknotesobtainedfromretaildrugs
ous andsimplistic illustrationis thefactthata transac-
transactions into a cashier's cheque). One way
tionwitha knowncriminal mayrousesuspicion.More
to do this is to pay vastlyinflatedamountsfor
subtlemethodsare based on recognition of the sort
goods imported acrossinternational frontiers.Pak
ofbusinesseswithwhichmoneylaundering operations
and Zdanowicz(1994) describedstatistical analy-
transact.Of course,theseare all supervisedmethods
sis of tradedatabasesto detectanomaliesin gov-
and are subjectto theweaknessesthatthoseresponsi-
ernment tradedatasuchas charging $1694 a gram
ble mayevolvetheirstrategies. Similartoolsare used
forimports ofthedrugerythromycin comparedwith
to detecttelecomfraud,as outlinedin thefollowing
$0.08 a gramforexports.
section.
2. Layering: carryingout multiple transactions
Rule-basedsystemshave been developed,often
through multipleaccountswithdifferent ownersat
withtherulesbased on experience("flagtransactions
different financialinstitutions in thelegitimate fi-
fromcountriesX and Y"; "flag accountsshowing
nancialsystem.
a large depositfollowedimmediately by a similar
3. Integration: merging thefundswithmoneyobtained
sized withdrawal").Structuring can be detectedby
fromlegitimate activities.
computingthe cumulativesum of amountsentering
Detectionstrategies can be targeted at variouslev- an accountovera shortwindow,suchas a day.Other
els. In general(and in commonwithsome otherar- methods havebeendevelopedbasedon straightforward
eas in whichfraudis perpetrated), itis verydifficultor descriptivestatistics,such as rateof transactions and
impossibleto characterize an individual transactionas proportion of transactions whichare suspicious.The
fraudulent. Rathertransaction patternsmustbe iden- use of theBenforddistribution is an extensionof this
tifiedas fraudulent or suspicious.A singledepositof idea. Althoughone maynotusuallybe interested in
justunder$10,000is notsuspicious,butmultiple such detecting changesin an account'sbehavior,methods
depositsare; a largesumbeingdepositedis notsus- suchas peergroupanalysis(Boltonand Hand,2001)
picious,buta largesumbeingdepositedand instantly andbreakdetection (Goldbergand Senator,1997) can
withdrawn is. In fact,onecan distinguish severallevels be appliedtodetectmoneylaundering.
of(potential)analysis:theindividual transaction level, One of themostelaboratemoneylaundering detec-
theaccountlevel,thebusinesslevel(and,indeed,indi- tionsystems is theU.S. FinancialCrimesEnforcement
vidualsmayhavemultipleaccounts)andthe"ring"of NetworkAl system(FAIS) describedin Senatoret al.
businesseslevel.Analysescan be targeted atparticular (1995) andGoldbergand Senator(1998). This system
levels,butmorecomplexapproachescan examinesev- allowsusersto followtrailsof linkedtransactions. It
eral levels simultaneously. (Thereis an analogyhere is builtarounda "blackboard"architecture, in which
withspeechrecognition systems:simplesystemsfo- program modulescan readandwriteto a centraldata-
cused at theindividualphonemeand wordlevelsare base thatcontainsdetailsof transactions, subjectsand
notas effective as thosewhichtryto recognizethese accounts.A keycomponent of thesystemis itssuspi-
elementsin a higherlevel contextof theway words cionscore.Thisis a rule-based system basedon an ear-
are put together whenused.) In general,linkanaly- liersystemdevelopedbytheU.S. CustomsServicein
sis, whichidentifies groupsof participants involved themid-1980s.The systemcomputessuspicionscores
in transactions, playsa keyrolein mostmoneylaun- forvariousdifferent typesof transaction and activity.
deringdetectionstrategies. Senatoret al. (1995) said SimpleBayesianupdating is usedtocombineevidence
"Moneylaundering typicallyinvolvesa multitude of thatsuggeststhata transaction or activityis illicitto
transactions, perhapsbydistinct individuals, intomul- yieldan overallsuspicionscore.Senatoret al. (1995)
tipleaccountswithdifferent ownersat different banks includeda briefbutinteresting discussionof an inves-
andotherfinancial institutions.Detectionoflarge-scale tigationof whether case-basedreasoning(cf. nearest

This content downloaded from 206.212.0.156 on Sat, 17 Aug 2013 15:38:38 PM

All use subject to JSTOR Terms and Conditions
242 R. J.BOLTON AND D. J.HAND

neighbormethods)and classification treetechniques used to derivethem,thereare otherreasonsforthe

could usefullybe added to thesystem. differences. One is the distinction betweenhardand
The AmericanNationalAssociationof Securities softcurrency. Hard currency is real money,paid by
Dealers,Inc.,usesanadvanceddetection system(ADS; someoneotherthanthe perpetrator for the service
Kirklandet al., 1998; Senator,2000) to flag"patterns theperpetrator has stolen.Hynninen (2000) gave the
or practicesof regulatory concern."ADS uses a rule exampleof the sum one mobilephoneoperatorwill
patternmatcher and a time-sequence pattern matcher, payanother fortheuse oftheirnetwork. Softcurrency
and(likeFAIS) placesgreatemphasison visualization is thevalue of theservicetheperpetrator has stolen.
tools.Also as withFAIS, data miningtechniquesare At leastpartof thisis onlya loss if one assumesthat
usedtoidentify newpatterns ofpotential interest. thethiefwouldhaveused thesameserviceevenifhe
A different approachto detectingsimilarfraudu- or she had had to pay forit. Anotherreasonforthe
lent behavioris takenby SearchSpaceLtd. (www. differences derivesfromthefactthatsuch estimates
searchspace.com), whichhas developeda systemfor maybe used fordifferent purposes.Hynninen (2000)
theLondonStockExchangecalledMonITARS(moni- gave the examplesof operatorsgivingestimateson
toringinsidertrading andregulatory surveillance)that the high side, hopingfor more stringent antifraud
combinesgeneticalgorithms, fuzzylogic and neural legislation,and operators givingestimateson thelow
network technology to detectinsiderdealingandmar- sidetoencouragecustomer confidence.
ket manipulation. Chartierand Spillane (2000) also We need to distinguish betweenfraudaimed at
describedan applicationof neuralnetworks to detect theserviceproviderand fraudenabledbytheservice
moneylaundering. provider.An example of the formeris the resale
of stolencall timeand an exampleof the latteris
5. TELECOMMUNICATIONS FRAUD interfering withtelephonebankinginstructions. (It is
thepossibility of thelattersortof fraudwhichmakes
The telecommunications industry has expandeddra- the publicwaryof usingtheircreditcardsoverthe
maticallyin thelast fewyearswiththedevelopment Internet.)We can also distinguish betweenrevenue
of affordable mobilephonetechnology. Withthein- fraudand nonrevenue fraud.The aim of theformer is
creasingnumberof mobilephoneusers,global mo- tomakemoneyfortheperpetrator, whiletheaimofthe
bile phonefraudis also setto rise.Variousestimates latteris simplyto obtaina servicefreeof charge(or,
havebeenpresented forthecostof thisfraud.For ex- as withcomputer hackers,e.g., thesimplechallenge
ample,Cox, Eick,Willsand Brachman(1997) gave a represented bythesystem).
figure of$1 billiona year.Telecomand Network Secu- Therearemanydifferent typesoftelecomfraud(see,
rityReview[4(5) April1997]gavea figure ofbetween e.g.,Shawe-Taylor et al., 2000) andthesecan occurat
4 and 6% of U.S. telecomrevenuelostdue to fraud. variouslevels.The twomostprevalent typesare sub-
Cahill,Lambert,Pinheiroand Sun (2002) suggested scription fraudand superimposed or "surfing" fraud.
thatinternational figuresareworse,with"severalnew Subscription fraudoccurswhenthefraudster obtainsa
serviceproviders reporting losses over20%." Moreau subscription to a service,oftenwithfalseidentity de-
etal. (1996) gavea valueof"severalmillionECUs per tails,withno intention of paying.This is thusat the
year."Presumably thisrefersto withintheEuropean level of a phonenumber-all transactions fromthis
Unionand,giventhesize of the other estimates, we numberwillbe fraudulent. Superimposed fraudis the
wonderif thisshouldbe billions.Accordingto a re- use ofa servicewithout havingthenecessary authority
centreport(NeuralTechnologies, 2000), "theindustry and is usuallydetectedby theappearanceofphantom
alreadyreportsa loss of ?13 billioneach yeardue to calls on a bill.Thereare severalwaysto carryoutsu-
fraud." MobileEurope(2000) gavea figure of$13 bil- perimposed fraud, including mobilephonecloningand
lion(U.S.). The latterarticlealso claimedthatitis es- obtaining callingcardauthorization details.Superim-
timated thatfraudsterscan stealup to 5% of someop- posed fraudwill generallyoccurat thelevel of indi-
erators'revenues, and thatsomeexpecttelecomfraud vidualcalls-the fraudulent callswillbe mixedinwith
as a wholetoreach$28 billionperyearwithin3 years. thelegitimate ones. Subscription fraudwill generally
Despitethevarietyin thesefigures, it is clearthat be detected atsomepointthrough thebillingprocess-
theyare all verylarge.Apartfromthefactthatthey althoughtheaim is to detectit well beforethat,since
are simplyestimates, and hence subjectto expected largecostscan quicklybe runup. Superimposed fraud
inaccuraciesand variability based on the information can remain undetected for a long time. The distinction

This content downloaded from 206.212.0.156 on Sat, 17 Aug 2013 15:38:38 PM

All use subject to JSTOR Terms and Conditions
 STATISTICALFRAUD DETECTION 243

betweenthesetwotypesoffraudfollowsa similardis- also weredescribedbyFawcettandProvost(1997a,b,

tinction increditcardfraud. 1999) and Moreau,Verrelstand Vandewalle(1997).
Othertypesof telecomfraudinclude"ghosting" Some work(see,e.g.,FawcettandProvost,1997a)has
(technology thattricksthenetwork so as to obtainfree focusedon detecting changesinbehavior.
calls) and insiderfraud,wheretelecomcompanyem- A generalcomplication is thatsignaturesandthresh-
ployeessell information to criminalsthatcan be ex- olds mayneed to dependon timeof day,typeof ac-
ploitedforfraudulent gain.This,ofcourse,is a univer- countand so on, and thattheywill probablyneed to
sal cause of fraud,whatever thedomain."Tumbling" be updatedovertime.Cahill et al. (2002) suggested
is a typeof superimposed fraudin whichrollingfake excludingtheverysuspiciousscoresin thisupdating
serialnumbersare used on clonedhandsets,so that process,although moreworkis neededin thisarea.
successivecalls are attributed to different legitimate Once again,neuralnetworks havebeenwidelyused.
phones.The chanceof detectionby spotting unusual The main fraud detectionsoftwareof the Fraud
patterns is smalland theillicitphonewill operateun- SolutionsUnitofNortelNetworks (Nortel,2000) uses
tilall oftheassumedidentities havebeenspotted.The a combination ofprofiling and neuralnetworks. Like-
term"spoofing"is sometimesused to describeusers wise, ASPeCT (Moreau et al., 1996; Shawe-Taylor
pretending tobe someoneelse. et al., 2000), a projectof the EuropeanCommis-
Telecommunications networks generatevastquanti- sion, Vodaphone,otherEuropean telecom compa-
ties of data,sometimeson theorderof severalgiga- niesand academics,developeda combinedrule-based
bytesper day,so thatdata miningtechniquesare of profilingand neural networkapproach.Taniguchi,
particular importance. The 1998databaseofAT&T,for Haft,Hollmenand Tresp(1998) describedneuralnet-
example,contained350 millionprofiles andprocessed works,mixturemodels and Bayesian networksin
275 millioncall recordsperday(CortesandPregibon, telecomfrauddetectionbased on call recordsstored
1998). forbilling.
As withotherfrauddomains,apartfromsomedo- Link analysis,withlinksupdatedovertime,estab-
mainspecifictools,methods fordetectionhingearound lishes the "communities of interest"(Cortes,Pregi-
outlierdetectionand supervisedclassification, either bon andVolinsky, 2001) thatcan indicatenetworks of
usingrule-basedmethodsor based on comparing sta- fraudsters.Thesemethods arebasedon theobservation
tisticallyderivedsuspicionscoreswithsome thresh- thatfraudsters seldomchangetheircallinghabits,but
old. At a low level,simplerule-baseddetectionsys- areoftencloselylinkedtootherfraudsters. Usingsim-
temsuse rulessuch as theapparentuse of the same ilarpatterns of transactions to inferthepresenceof a
phone in two verydistantgeographicallocationsin particularfraudster is in thespiritofphenomenal data
quicksuccession, callswhichappeartooverlapintime, mining(McCarthy, 2000).
and veryhighvalue and verylong calls. At a higher Visualization methods(Cox et al., 1997),developed
level, statisticalsummariesof call distributions (of- forminingverylargedatasets,havealso been devel-
tencalledprofilesor signaturesat theuserlevel) are oped foruse in telecomfrauddetection. Herehuman
comparedwiththresholds determined eitherbyexperts pattern recognition skillsinteract withgraphicalcom-
or by applicationof supervisedlearningmethodsto puterdisplayof quantitiesof calls betweendifferent
knownfraud/nonfraud cases.MuradandPinkas(1999) subscribers in variousgeographical locations.A possi-
and Rossetet al. (1999) distinguished betweenprofil- ble futurescenariowouldbe to code intosoftware the
ingat thelevelsof individualcalls,dailycall patterns patterns whichhumansdetect.
andoverallcall patterns, anddescribedwhatareeffec- The telecommarket willbecomeevenmorecompli-
tivelyoutlierdetectionmethodsfordetectinganom- catedovertime-withmoreopportunity forfraud.At
alous behavior.A particularly interestingdescription presenttheextentof fraudis measuredby consider-
ofprofiling methodswas givenbyCortesandPregibon ing factorssuchas call lengthsand tariffs. The third
(1998). Cortes,Fisher,PregibonandRogers(2000) de- generation of mobile phonetechnology will also need
scribedthe Hancock languageforwritingprograms to takeintoaccountsuchthingsas thecontentof the
forprocessingprofiles, basingthesignatures on such calls(becauseofthepacketswitching technology used,
quantitiesas averagecall duration, longestcall dura- equallylongdatatransmissions maycontainverydif-
tion,numberof calls to particular regionsin thelast ferent numbers ofdatapackets)andthepriority ofthe
day and so on. Profiling and classificationtechniques call.

This content downloaded from 206.212.0.156 on Sat, 17 Aug 2013 15:38:38 PM

All use subject to JSTOR Terms and Conditions
244 R. J.BOLTON AND D. J.HAND

6. COMPUTERINTRUSION number ofbreak-in attempts." ShiehandGligor(1991,

1997)described a pattern-matching methodandargued
On Thursday,September21, 2000, a 16-year-old
thatit is moreeffective thanstatistical methodsat de-
boywasjailed forhackingintoboththePentagonand
tectingknowntypesof intrusion, butis unableto de-
NASA computer systems.Betweenthe 14thand 25th
tectnovelkindsof intrusion patterns, whichcouldbe
ofOctober2000 Microsoft securitytrackedtheillegal
detectedbystatistical methods.
activity of a hackeron theMicrosoftCorporateNet-
Since intrusion representsbehaviorand theaim is
work.These examplesillustrate thatevenexception-
to distinguish betweenintrusion behaviorand usual
ally well protected domainscan have theircomputer
in
behavior sequences,Markov models havenaturally
security compromised.
been applied (e.g., Ju and Vardi,2001). Qu et al.
Computerintrusion fraudis big businessand com-
(1998) also used probabilitiesof eventsto define
puterintrusion detection is a hugelyintensive area of
theprofile.Forrest, Hofmeyr, SomayajiandLongstaff
research. Hackerscan findpasswords, readandchange
(1996) describeda methodbased on how natural
files,altersourcecode, reade-mailsand so on. Den-
immunesystemsdistinguish betweenself and alien
ning(1997) listedeightkindsofcomputer intrusion.If
patterns. As withtelecomdata,bothindividualuser
thehackerscanbe prevented frompenetrating thecom-
patternsand overallnetworkbehaviorchange over
putersystem orcanbe detected earlyenough,thensuch
time,so thata detection systemmustbe able to adapt
crimecanbe virtually eliminated. However,as withall
to changes,butnotadaptso rapidlythatitalso accepts
fraudwhentheprizesarehigh,theattacksareadaptive
intrusions as legitimatechanges.Lane and Brodley
andonceonekindofintrusion hasbeenrecognized the
(1998) and Kosoresowand Hofmeyr (1997) also used
hackerwilltrya different route.Because ofitsimpor-
similarity of sequencesthatcan be interpreted in a
tance,a greatdeal ofeffort has beenputintodevelop-
probabilistic framework.
ingintrusion detection methods, and thereare several
Inevitably, neuralnetworks have been used: Ryan,
commercial products available,including Cisco secure
Lin and Miikkulainen (1997) performed profilingby
intrusion detectionsystem(CSIDS, 1999) and next-
traininga neuralnetwork on the process data and
generation intrusion detection expertsystem(NIDES;
also referenced otherneuralapproaches.In one ofthe
Anderson, FrivoldandValdes,1995).
morecarefulstudiesinthearea,Schonlauetal. (2001)
Since theonlyrecordof a hacker'sactivitiesis the
describeda comparative studyof six statisticalap-
sequenceofcommandsthatis usedwhencompromis- of otherusers
proachesfordetectingimpersonation
ingthesystem, analysts ofcomputer intrusiondatapre-
(masquerading), wheretheytookrealusagedatafrom
dominantly use sequenceanalysistechniques. As with
50 usersand plantedcontaminating data fromother
otherfraudsituations, bothsupervisedand unsuper-
userstoserveas themasqueradetargets tobe detected.
visedmethodsareused.In thecontextofintrusion de-
A niceoverviewofstatistical issuesincomputer intru-
tection,supervised methodsaresometimes calledmis-
siondetection was givenbyMarchette (2001), andthe
use detection,whilethe unsupervised methodsused
October2000 editionofComputer Networks [34(4)] is
aregenerally methodsof anomalydetection, basedon
a specialissueon (relatively) recentadvancesin intru-
profiles ofusagepatterns foreach legitimate user.Su-
siondetection systems,includingseveralexamplesof
pervisedmethodshavetheproblemdescribedin other newapproachestocomputer intrusion detection.
contexts, thattheycan,of course,onlyworkon intru-
sion patterns whichhave alreadyoccurred(or partial
7. MEDICALANDSCIENTIFICFRAUD
matchesto these).Lee and Stolfo(1998) appliedclas-
sificationtechniquesto data froma useror program Medicalfraudcan occurat variouslevels.It can oc-
thathas been identified as eithernormalor abnormal. curinclinicaltrials(see,e.g.,Buyseetal., 1999).Itcan
Lippmann etal. (2000) concludedthatemphasisshould also occurin a morecommercial context:forexample,
be placed on developingmethodsfordetectingnew prescriptionfraud,submitting claimsforpatientswho
patterns of intrusion ratherthanold patterns, butKu- are dead or who do notexist,and upcoding,wherea
marand Spafford (1994) remarked "a
that majority of doctorperforms a medicalprocedure, butchargesthe
break-ins ... aretheresultofa smallnumber ofknown insurerforone thatis moreexpensive, orperhapsdoes
attacks,as evidencedby reportsfromresponseteams notevenperform one at all. Allen(2000) gave an ex-
(e.g., CERT). Automating detectionof theseattacks ampleof bills submitted formorethan24 hoursin a
shouldtherefore resultin thedetection ofa significant workingday. He, Wang,Graco and Hawkins(1997)

This content downloaded from 206.212.0.156 on Sat, 17 Aug 2013 15:38:38 PM

All use subject to JSTOR Terms and Conditions
 STATISTICALFRAUD DETECTION 245

and He, Graco and Yao (1999) describedtheuse of accounting andmanagement fraudin contexts broader
neuralnetworks, geneticalgorithms andnearestneigh- thanthoseof moneylaundering. Digit analysistools
bormethodsto classifythepracticeprofiles ofgeneral have foundfavorin accountancy(e.g., Nigriniand
practitionersin Australiaintoclasses fromnormalto Mittermaier, 1997;Nigrini,1999).Statistical sampling
abnormal. methods are important in financial audit, and screen-
Medical fraudis oftenlinkedto insurancefraud: ingtoolsareappliedto decidewhichtaxreturns merit
TerryAllen, a statistician withthe Utah Bureau of detailedinvestigation. We mentioned insurancefraud
Medicaid Fraud, estimatedthatup to 10% of the in thecontextof medicine,butit clearlyoccursmore
$800 millionannual claims may be stolen(Allen, widely.Artis,Ayusoand Guillen(1999) describedan
2000). Major and Riedinger(1992) createda know- approachtomodelling fraudbehaviorincarinsurance,
ledge/statistical-based systemto detect healthcare andFanning,CoggerandSrivastava (1995) andGreen
fraudby comparingobservationswith those with and Choi (1997) examined neural network classifica-
whichtheyshouldbe mostsimilar(e.g.,havingsimi- tionmethodsfordetecting management fraud.Statis-
largeodemographics). Brockett, Xia andDerrig(1998) ticaltoolsforfrauddetectionhave also been applied
used neuralnetworks to classifyfraudulent and non- to sporting events.For example,Robinsonand Tawn
fraudulent claims for automobilebodily injuryin (1995), Smith(1997) and Barao and Tawn(1999) ex-
healthcareinsuranceclaims.Glasgow (1997) gave a aminedtheresultsofrunning eventsto see ifsomeex-
shortdiscussionof riskand fraudin theinsurancein- ceptional times were out of line withwhatmightbe
dustry.A glossaryof severalof thedifferent typesof expected.
medicalfraudis availableat http://www.motherjones. Plagiarism is also a typeoffraud.Webriefly referred
com/mother-jones/MA95/davis2.html. to the use of statistical tools for author verification
Of course,medicineis nottheonlyscientific area and such methodscan be applied here. However,
wheredata have sometimesbeen fabricated, falsified statisticaltools can also be applied more widely.
or carefullyselectedto supporta pettheory. Problems For example,withtheevolutionof the Internet it is
of fraudin scienceare attracting increasedattention, extremely easy for students to plagiarize articles and
but theyhave alwaysbeen withus: errantscientists pass them off as their own in school or university
havebeenknowntomassagefigures fromexperiments coursework.The websitehttp://www.plagiarism.org
to pushthrough development of a productor reacha describesa systemthatcan take a manuscript and
magicalsignificance level fora publication.Dmitriy compare it against their "substantial database" of
Yuryevdescribedsuch a case on his webpages at articles from the Web. A statistical measureof the
http://www.orc.ru/-yur77/statfr.htm. Moreover,there originality of the manuscript is returned.
are many classical cases in which the data have As we commented in theIntroduction, frauddetec-
been suspectedof being massaged (includingthe tion is a post hoc strategy, being applied afterfraud
workof Galileo,Newton,Babbage,Kepler,Mendel, prevention has failed.Statistical toolsare also applied
Millikanand Burt).Pressand Tanur(2001) presented in some fraud prevention methods. For example,so-
a fascinating discussionof therole of subjectivity in called biometric methods of fraud detection areslowly
thescientificprocess,illustrating withmanyexamples. becoming more widespread. These include computer-
The borderline betweensubconscious selectionofdata ized fingerprint and retinal identification, and also face
andout-and-out distortion is a fineone. recognition (although thishas received most publicity
in thecontext ofrecognizing footballhooligans).
8. CONCLUSIONS In many of the applications we havediscussed,speed
ofprocessing is oftheessence.Thisis particularly the
The areas we have outlinedare perhapsthosein case in transaction processing, especiallywithtelecom
whichstatisticaland otherdata analytictools have and intrusion data,wherevastnumbers of recordsare
madethemostimpacton frauddetection. Thisis typi- processedeveryday,but also appliesin creditcard,
callybecausetherearelargequantities ofinformation, bankingandretailsectors.
andthisinformation is numerical orcan easilybe con- A keyissue in all of thisworkis how effective the
vertedintothenumerical intheformofcountsandpro- statisticaltoolsarein detecting fraudanda fundamen-
portions.However,otherareas,notmentioned above, tal problemis thatone typicallydoes notknowhow
have also used statisticaltoolsforfrauddetection. Ir- manyfraudulent cases slipthrough thenet.In applica-
infinancial
regularities statements canbe usedtodetect tionssuchas bankingfraudandtelecomfraud,where

This content downloaded from 206.212.0.156 on Sat, 17 Aug 2013 15:38:38 PM

All use subject to JSTOR Terms and Conditions
246 R. J.BOLTON AND D. J.HAND

speedof detection matters, measuressuchas average BARAO,M. I. andTAWN,J.A. (1999). Extremal analysisofshort
timeto detection after fraud starts(in minutes,num- serieswithoutliers:Sea-levelsand athleticsrecords.Appl.
Mea- Statist.48 469-487.
bersoftransactions, etc.)shouldalso be reported.
BLUNT,G. and HAND,D. J. (2000). The UK creditcardmarket.
suresofthisaspectinteract withmeasuresof finalde- Technicalreport, ImperialCollege,Lon-
Dept. Mathematics,
tectionrate:in manysituations an account,telephone don.
andso forth, willhavetobe usedforseveralfraudulent BOLTON,R. J. and HAND,D. J. (2001). Unsupervised profiling
transactionsbeforeitis detectedas fraudulent, so that methodsforfrauddetection. In Conferenceon CreditScoring
and CreditControl7, Edinburgh,UK, 5-7 Sept.
severalfalsenegative willnecessarily
classifications be
BRAUSE, R., LANGSDORF, T. and HEPP, M. (1999). Neural data
made. miningforcreditcardfrauddetection.In Proceedingsof the
An appropriate overallstrategy is to use a graded 11thIEEE International on Tools withArtificial
Conference
systemof investigation. Accountswith very high Intelligence103-106. IEEE ComputerSocietyPress,Silver
suspicionscoresmeritimmediateand intensive(and Spring,MD.
BREIMAN, L., FRIEDMAN, J. H., OLSHEN, R. A. and
expensive)investigation, while thosewithlargebut and RegressionTrees.
STONE, C. J. (1984). Classification
less dramaticscoresmeritcloser(butnotexpensive) Wadsworth,Belmont,CA.
observation. Once again,it is a matterof choosinga BROCKETT, P. L., XIA, X. and DERRIG, R. A. (1998). Using
suitablecompromise. mapto uncoverautomobile
feature
Kohonen'sself-organising
Finally,itis worthrepeating theconclusions reached bodilyinjuryclaimsfraud.TheJournalofRiskand Insurance
65 245-274.
by Schonlauet al. (2001), in the contextof statisti- BURGE, P. and SHAWE-TAYLOR, J. (1997). Detectingcellular
cal toolsforcomputer intrusiondetection:"statistical In AAAI Workshop
fraudusing adaptiveprototypes. on Al
methods can detectintrusions, evenindifficultcircum- Approachesto FraudDetectionand RiskManagement 9-13.
stances,"butalso "manychallengesand opportunities AAAI Press,MenloPark,CA.
remain."We believethis BUYSE, M., GEORGE, S. L., EVANS, S., GELLER, N. L.,
forstatisticsand statisticians
RANSTAM,J., SCHERRER, B., LESAFFRE, E., MURRAY,G.,
positiveconclusionholdsmoregenerally. Frauddetec- EDLER, L., HUTTON, J., COLTON, T., LACHENBRUCH, P.
tionis an important area,one in manywaysideal for and VERMA,B. L. (1999). The role of biostatisticsin the
theapplication ofstatisticalanddataanalytic tools,and prevention,detection of fraudin clinicaltrials.
and treatment
onewherestatisticians can makea verysubstantial and inMedicine18 3435-3451.
Statistics
CAHILL, M. H., LAMBERT, D., PINHEIRO, J. C. and SUN, D. X.
important contribution.
fraudintherealworld.InHandbookofMas-
(2002). Detecting
siveDatasets(J.Abello,P. M. PardalosandM. G. C. Resende,
ACKNOWLEDGMENT eds.). Kluwer,Dordrecht.
CHAN, P. K., FAN, W., PRODROMIDIs, A. L. and STOLFO, S. J.
The work of RichardBolton was supportedby (1999). Distributeddataminingin creditcardfrauddetection.
a ROPA award fromthe Engineering and Physical IEEE IntelligentSystems 14(6) 67-74.
SciencesResearchCounciloftheUnitedKingdom. CHAN, P. and STOLFO, S. (1998). Towardscalable learning
withnon-uniform A case study
class and cost distributions:
in creditcard frauddetection.In Proceedingsof theFourth
REFERENCES InternationalConference on KnowledgeDiscoveryand Data
Mining164-168.AAAI Press,MenloPark,CA.
ALESKEROV, E., FREISLEBEN, B. and RAO,B. (1997). CARD- CHARTIER,B. and SPILLANE,T. (2000). Money laundering
WATCH:A neuralnetwork baseddatabaseminingsystemfor detectionwitha neuralnetwork. In BusinessApplicationsof
creditcardfrauddetection.In Computational for
Intelligence NeuralNetworks (P. J.G. Lisboa,A. VellidoandB. Edisbury,
FinancialEngineering. Proceedingsof theIEEE/IAFE 220- eds.) 159-172.WorldScientific, Singapore.
NJ.
226. IEEE, Piscataway, CHHIKARA,R. S. and McKEoN, J. (1984). Lineardiscriminant
ALLEN,T. (2000). A dayinthelifeofa Medicaidfraudstatistician. analysis with misallocationin trainingsamples. J. Amer.
Stats29 20-22. Statist.Assoc.79 899-906.
ANDERSON, D., FRIVOLD, T. and VALDES, A. (1995). Next- CLARK,P. andNIBLETT,T. (1989). TheCN2 induction algorithm.
generationintrusion
detectionexpertsystem(NIDES): A sum- MachineLearning3 261-285.
mary.TechnicalReportSRI-CSL-95-07,ComputerScience COHEN,W. (1995). Fasteffective In Proceedings
ruleinduction. of
Laboratory, MenloPark,CA.
SRI International, the12thInternational Conference on MachineLearning115-
ANDREWS,P. P. and PETERSON,M. B., eds. (1990). Criminal 123.MorganKaufmann, Palo Alto,CA.
Intelligence Loomis,CA.
Analysis.PalmerEnterprises, CORTES, C., FISHER, K., PREGIBON, D. and ROGERS, A.
ARTiS, M., Ayuso, M. and GUILLEN,M. (1999). Modelling (2000). Hancock:A languageforextracting from
signatures
differenttypesofautomobileinsurancefraudbehaviourin the data streams.In Proceedingsof the SixthACM SIGKDD
Spanishmarket.InsuranceMathematics and Economics24 International
Conferenceon KnowledgeDiscoveryand Data
67-81. Mining9-17. ACM Press,New York.

This content downloaded from 206.212.0.156 on Sat, 17 Aug 2013 15:38:38 PM

All use subject to JSTOR Terms and Conditions
 STATISTICALFRAUD DETECTION 247

CORTES,C. andPREGIBON,D. (1998). Giga-mining.

In Proceed- GOLDBERG, H. and SENATOR, T. E. (1998). The FinCEN Al
ings of the FourthInternational on Knowledge
Conference system:Findingfinancialcrimesin a largedatabaseof cash
Discoveryand Data Mining174-178. AAAI Press,Menlo transactions. InAgentTechnology: Foundations, Applications,
Park,CA. and Markets(N. Jennings andM. Wooldridge, eds.) 283-302.
Springer, Berlin.
CORTES,C, PREGIBON,D. and VOLINSKY,C. (2001). Commu-
GREEN, B. P. and CHOI, J. H. (1997). Assessingthe risk
LectureNotesinComput.Sci. 2189 105-114.
nitiesofinterest. of management fraudthroughneuralnetworktechnology.
Cox, K. C., EICK, S. G. and WILLS, G. J. (1997). Visualdata Auditing 16 14-28.
mining: Recognizing telephonecallingfraud.Data Miningand HAND, D. J. (1981). Discrimination and Classification. Wiley,
KnowledgeDiscovery1 225-231. Chichester.
CSIDS (1999). Cisco secure intrusiondetectionsystemtech- HAND,D. J. (1997). Construction and Assessment of Classifica-
tionRules.Wiley,Chichester.
nical overview.Available at http://www.wheelgroup.com/
HAND, D. J. and BLUNT, G. (2001). Prospectingforgems in credit
warp/public/cc/cisco/mkt/security/nranger/tech/ntran_tc.htm.
carddata.IMA JournalofManagement Mathematics 12 173-
DENNING,D. E. (1997). Cyberspace attacksandcountermeasures. 200.
In InternetBesieged(D. E. Denningand P. J.Denning,eds.) HAND, D. J., BLUNT, G., KELLY, M. G. and ADAMS, N. M.
29-55. ACM Press,New York. (2000). Data miningfor fun and profit(withdiscussion).
DORRONSORO, J.R., GINEL,F., SANCHEZ,C. andCRUZ,C. S. Statist.Sci. 15 111-131.
(1997). Neuralfrauddetection in creditcardoperations.IEEE HAND, D. J. and HENLEY, W. E. (1997). Statisticalclassification
Transactions onNeuralNetworks 8 827-834. methodsin consumer creditscoring:A review.J.Roy.Statist.
Soc. Ser A 160 523-541.
FANNING,K., COGGER,K. 0. and SRIVASTAVA, R. (1995). HASSIBI, K. (2000). Detectingpaymentcard fraudwithneural
Detectionof management fraud:A neuralnetwork approach. networks.In Business Applicationsof Neural Networks
International Journalof Intelligent Systemsin Accounting, (P. J.G. Lisboa,A. VellidoandB. Edisbury, eds.). WorldSci-
Financeand Management 4 113-126. entific,Singapore.
FAWCETT, T. andPROVOST,F. (1997a). Adaptivefrauddetection. HE, H., GRACO,W. and YAO,X. (1999). Application of genetic
Data Miningand KnowledgeDiscovery1 291-316. algorithm and k-nearest neighbourmethodin medicalfraud
detection.LectureNotesinComput. Sci. 158574-81. Springer,
FAWCETT, T. and PROVOST,F. (1997b). Combiningdata mining
Berlin.
and machinelearningforeffective frauddetection.In AAAI HE, H. X., WANG, J. C., GRACO, W. and HAWKINS, S. (1997).
Workshop on AI Approachesto Fraud Detectionand Risk Application of neuralnetworks to detection ofmedicalfraud.
Management14-19. AAAI Press,MenloPark,CA. ExpertSystems withApplications 13 329-336.
FAWCETT,T. and PROVOST,F. (1999). Activitymonitoring: HILL, T. P. (1995). A statisticalderivation of thesignificant-digit
Noticinginteresting changesinbehavior. InProceedings ofthe law.Statist.Sci. 10 354-363.
FifthACM SIGKDD International Conference on Knowledge HYNNINEN,J. (2000). Experiencesin mobilephonefraud.Semi-
Discoveryand Data Mining53-62. ACM Press,New York. naron NetworkSecurity. ReportTik-110.501,HelsinkiUniv.
Technology.
FORREST,S., HOFMEYR,S., SOMAYAJI, A. andLONGSTAFF, T.
JENKINS,P. (2000). Gettingsmartwithfraudsters. Financial
(1996). A senseofselfforUNIX processes.In Proceedings of Times,September 23.
the1996 IEEE Symposium on Securityand Privacy120-128. JENSEN,D. (1997). Prospectiveassessmentof Al technologies
IEEE Computer SocietyPress,SilverSpring,MD. forfrauddetection:a case study.In AAAI Workshop on Al
GHOSH,S. andREILLY,D. L. (1994). Creditcardfrauddetection Approachesto FraudDetectionand RiskManagement 34-38.
witha neuralnetwork.In Proceedingsof the 27th Hawaii AAAI Press,MenloPark,CA.
InternationalConference on System Sciences(J.F. Nunamaker Ju, W.-H. and VARDI, Y. (2001). A hybridhigh-order Markov
and R. H. Sprague,eds.) 3 621-630. IEEE ComputerSociety chain model for computerintrusiondetection.J. Comput.
Press,Los Alamitos,CA. Graph.Statist.10 277-295.
KIRKLAND, J.D., SENATOR,T. E., HAYDEN, J.J.,DYBALA, T.,
GLASGOW,B. (1997). Risk and fraudin theinsuranceindustry. GOLDBERG, H. G. and SHYR, P. (1998). The NASD regula-
In AAAIWorkshop on AI Approachesto FraudDetectionand tionadvanceddetection system(ADS). In Proceedingsofthe
RiskManagement 20-21. AAAI Press,MenloPark,CA. 15thNationalConference on Artificial
Intelligence (AAAI-98)
GOLDBERG,H. and SENATOR,T. E. (1995). Restructuring data- and ofthe10thConference on Innovative Applications ofAr-
bases forknowledgediscovery by consolidationand linkfor- tificial
Intelligence (IAAI-98)1055-1062.AAAI Press,Menlo
mation.In ProceedingsoftheFirstInternational Conference Park,CA.
on KnowledgeDiscoveryand Data Mining136-141. AAAI KoSORESow, A. P. and HOFMEYR, S. A. (1997). Intrusion
detection via systemcall traces.IEEE Software 14 35-42.
Press,MenloPark,CA.
KUMAR, S. and SPAFFORD, E. (1994). A pattern matching model
GOLDBERG,H. and SENATOR,T. E. (1997). Break detection formisuse intrusion detection.In Proceedingsof the 17th
systems.In AAAI Workshopon Al Approachesto Fraud NationalComputer SecurityConference 11-21.
Detectionand RiskManagement22-28. AAAI Press,Menlo LACHENBRUCH, P. A. (1966). Discriminant analysiswhenthe
Park,CA. initialsamplesaremisclassified. Technometrics 8 657-662.

This content downloaded from 206.212.0.156 on Sat, 17 Aug 2013 15:38:38 PM

All use subject to JSTOR Terms and Conditions
248 R. J.BOLTON AND D. J.HAND

LACHENBRUCH,P. A. (1974). Discriminantanalysis when theini- PATIENT, S. (2000). Reducing online credit card fraud.
misclassifica-
II: Non-random
tial samplesare misclassified. Web Developer's Journal. Available at http://www.
tionmodels.Technometrics 16 419-424. webdevelopersjournal.com/articles/card_fraud.html
LANE, T. and BRODLEY, C. E. (1998). Temporal sequence learn- of
PRESS, S. J. and TANUR, J. M. (2001). The Subjectivity
inganddatareduction In Proceedings
foranomalydetection. and theBayesianApproach.Wiley,New York.
Scientists
ofthe5thACM Conferenceon Computerand Communications PROVOST, F. and FAWCETT,T. (2001). Robust classificationfor
(CCS-98) 150-158.ACM Press,New York.
Security imprecise MachineLearning42 203-210.
environments.
LEE, W. and STOLFO, S. (1998). Data mining approaches for Qu, D., VETTER, B. M., WANG, F., NARAYAN,R., Wu, S. F.,
InProceedings
detection.
intrusion ofthe7thUSENIXSecurity Hou, Y. F., GONG,F. and SARGOR,C. (1998). Statistical
Symposium, San Antonio,TX 79-93. USENIX Association, anomalydetection routing
forlink-state protocols.In Proceed-
Berkeley,
CA. ingsoftheSixthInternational Conference on Network Proto-
cols 62-70. IEEE Computer SocietyPress,Los Alamitos,CA.
LEONARD,K. J. (1993). Detectingcreditcardfraudusingexpert
QUINLAN,J. R. (1990). Learninglogical definitions fromrela-
systems.Computersand IndustrialEngineering25 103-106.
tions.MachineLearning5 239-266.
LIPPMANN, R., FRIED, D., GRAF, I., HAINES, J.,
QUINLAN, J. R. (1993). C4.5: Programs for MachineLearning.
KENDALL, K., MCCLUNG, D., WEBER, D., WEBSTER, S.,
MorganKaufmann, San Mateo,CA.
WYSCHOGROD, D., CUNNINGHAM, R. and ZISSMAN, M.
Recognition
RIPLEY, B. D. (1996). Pattern and NeuralNetworks.
(2000). Evaluatingintrusiondetectionsystems:The 1998
Cambridge Univ.Press.
DARPA off-line evaluation.Unpublished
intrusion-detection
ROBINSON, M. E. and TAWN,J. A. (1995). Statisticsforexcep-
manuscript,MIT LincolnLaboratory.
records.Appl.Statist.44 499-511.
tionalathletics
MAJOR, J. A. and RIEDINGER, D. R. (1992). EFD: A hybrid
ROSSET, S., MURAD, U., NEUMANN, E., IDAN, Y. and
systemforthedetection
knowledge/statistical-based of fraud.
PINKAS, G. (1999). Discovery of fraud rules for
JournalofIntelligent
International Systems7 687-703. and solutions. In Pro-
telecommunications-challenges
MARCHETTE,D. J. (2001). ComputerIntrusionDetectionand Conference
ACM SIGKDD International
ceedingsoftheFifth
Network Monitoring: Springer,
A StatisticalViewpoint. New on KnowledgeDiscoveryand Data Mining409-413. ACM
York. Press,New York.
MCCARTHY, J.(2000). Phenomenal datamining.Comm.ACM 43 RYAN, J., LIN, M. and MIIKKULAINEN, R. (1997). Intrusion
75-79. detectionwithneuralnetworks.In AAAI Workshopon Al
McLACHLAN, G. J.(1992). Discriminant Analysisand Statistical 72-79.
ApproachestoFraudDetectionand RiskManagement
PatternRecognition.Wiley,New York. AAAI Press,MenloPark,CA.
MOBILE EUROPE (2000). New IP world, new dangers. Mobile SCHONLAU, M., DUMOUCHEL, W., Ju, W.-H., KARR, A. F.,
Europe,March. THEUS, M. and VARDI, Y. (2001). Computer intrusion:
MOREAU, Y., PRENEEL, B., BURGE, P., SHAWE-TAYLOR, J., Detectingmasquerades.Statist.Sci. 16 58-74.
STOERMANN, C. and COOKE, C. (1996). Novel techniques SENATOR,T. E. (2000). Ongoingmanagement and application
InACTSMobile
inmobilecommunications.
forfrauddetection of discoveredknowledgein a largeregulatory organization:
Summit,Grenada. A case studyof the use and impactof NASD regulation's
MOREAU, Y., VERRELST, H. and VANDEWALLE,J. (1997). De- advanceddetectionsystem(ADS). In Proceedingsof the
tectionof mobilephonefraudusingsupervisedneuralnet- SixthACM SIGKDD International Conference on Knowledge
works:A first
prototype.In Proceedingsof 7thInternational Discoveryand Data Mining44-53. ACM Press,New York.
on Neural
Artificial Networks (ICANN'97) 1065- SENATOR, T. E., GOLDBERG, H. G., WOOTON, J., COT-
Conference
Berlin.
1070.Springer, TINI, M. A., UMAR KHAN, A. F., KLINGER, C. D., LLA-
MAS, W. M., MARRONE, M. P. and WONG, R. W. H. (1995).
MURAD, U. and PINKAS, G. (1999). Unsupervised profilingfor
network
crimesenforcement
Thefinancial Al system
(FAIS)-
superimposed
identifying fraud.Principlesof Data Mining
potentialmoneylaundering
Identifying fromreportsof large
and KnowledgeDiscovery.LectureNotesinArtificialIntelli-
Al Magazine16 21-39.
cashtransactions.
Berlin.
gence1704 251-261. Springer,
SHAWE-TAYLOR, J., HOWKER, K., GOSSET, P., HYLAND,
NEURAL TECHNOLOGIES (2000). Reducing telecoms fraud and
M., VERRELST, H., MOREAU, Y., STOERMANN, C. and
churn.Report,NeuralTechnologies, U.K.
Ltd.,Petersfield, and fraud
BURGE,P. (2000). Novel techniquesforprofiling
NIGRINI,M. J. (1999). I've gotyournumber.JournalofAccoun- detectionin mobiletelecommunications. In BusinessAppli-
tancyMay 79-83. cationsof NeuralNetworks (P. J.G. Lisboa, A. Vellidoand
NIGRINI, M. J. and MITTERMAIER, L. J. (1997). The use of B.Edisbury,eds.) 113-139.WorldScientific,Singapore.
Benford'slaw as an aid in analyticalprocedures. A
Auditing: SHIEH, S.-P. W. and GLIGOR, V. D. (1991). A pattern-oriented
JournalofPracticeand Theory16 52-67. In Proceedings
modelanditsapplications.
intrusion-detection
NORTEL(2000). Nortelnetworks fraudsolutions.FraudPrimer, ofthe1991IEEE Computer SocietySymposium onResearchin
Issue 2.0. NortelNetworksCorporation. SecurityandPrivacy327-342.IEEE Computer SocietyPress,
PAK, S. J. and ZDANOWICZ, J. S. (1994). A statisticalanalysis of SilverSpring,MD.
theU.S. MerchandiseTradeDatabase and its uses in trans- SHIEH, S.-P. W. and GLIGOR, V. D. (1997). On a pattern-
ferpricingcomplianceand enforcement.Tax Management, modelforintrusion
oriented on
IEEE Transactions
detection.
May 1. 9 661-667.
Knowledgeand Data Engineering

This content downloaded from 206.212.0.156 on Sat, 17 Aug 2013 15:38:38 PM

All use subject to JSTOR Terms and Conditions
 STATISTICALFRAUD DETECTION 249

SMITH, R. L. (1997). Commenton "Statisticsforexceptional TANIGUCHI, M., HAFT, M., HOLLMEN, J. and TRESP, V.
athleticsrecords,"by M. E. Robinsonand J.A. Tawn.Appl. (1998). Fraud detectionin communication networksusing
Statist.46 123-128. neuraland probabilistic
methods.In Proceedingsofthe1998
STOLFO, S. J.,FAN, D. W., LEE, W., PRODROMIDIS, A. L. and IEEE InternationalConferenceon Acoustics,Speech and
CHAN, P. K. (1997a). Creditcardfrauddetection usingmeta- SignalProcessing(ICASSP'98) 2 1241-1244.IEEE Computer
learning:Issues and initialresults.In AAAI Workshop on Al SocietyPress,SilverSpring,MD.
Approachesto FraudDetectionand RiskManagement 83-90. U.S. CONGRESS (1995). Information technologies forthecontrol
AAAI Press,MenloPark,CA. of moneylaundering. Officeof TechnologyAssessment, Re-
STOLFO, S., FAN, W., LEE, W., PRODROMIDIS, A. L. and portOTA-ITC-630,U.S. Government PrintingOffice,Wash-
CHAN, P. (1999). Cost-basedmodeling forfraudandintrusion ington,DC.
detection:ResultsfromtheJAMProject.In Proceedings ofthe WASSERMAN, S. andFAUST,K. (1994). Social NetworkAnalysis:
DARPAInformation SurvivabilityConference and Exposition MethodsandApplications. Cambridge Univ.Press.
2 130-144.IEEE Computer Press,New York. WEBB, A. R. (1999). StatisticalPatternRecognition.Arnold,
STOLFO, S. J., PRODROMIDIS, A. L., TSELEPIS, S., LEE, W., London.
FAN,D. W. and CHAN, P. K. (1997b). JAM:Javaagentsfor WHEELER, R. and AITKEN, S. (2000). Multiplealgorithms
meta-learning overdistributed databases.In AAAI Workshop for fraud detection.Knowledge-BasedSystems 13(2/3)
on Al Approachesto FraudDetectionand RiskManagement 93-99.
91-98. AAAI Press,MenloPark,CA.

Comment
Foster Provost

The stateofresearchon frauddetectionrecallsJohn cettandProvost, 2002)]. Considerfrauddetection as a

GodfreySaxe's 19th-century poem "The Blind Men classification
problem.Frauddetection certainlymust
and theElephant"(Felleman,1936,page 521). Based be "cost-sensitive"-rather thanminimizing errorrate,
on a Hindufable,each blindmanexperiencesonlya someotherloss function mustbe minimized. In addi-
partof theelephant,whichshapeshis opinionof the tion,usuallythemarginalclass distribution is skewed
natureof the elephant:the leg makesit seem like a stronglytowardoneclass (legitimate behavior).There-
tree,thetaila rope,thetrunk
a snakeandso on.In fact, fore,modelingforfrauddetectionat least is a diffi-
"... thougheach was partlyin the right... all were in cultproblemofestimating class membership probabil-
thewrong."Saxe's poemwas a criticism oftheological ity,rather thansimpleclassification.However,thisstill
debates,and I do not intendsuch a harshcriticism is an unsatisfying attempt to transform thetrueprob-
of researchon frauddetection. However,becausethe lem intoone forwhichwe have existingtools (prac-
problemis so complex,each researchprojecttakes ticaland conceptual).The objectivefunction forfraud
a particularangle of attack,which oftenobscures detection systemsactuallyis muchmorecomplicated.
the view of otherpartsof the problem.So, some For example,thevalue of detectionis a function of
researchers see theproblemas one of classification, time.Immediate detection is muchmorevaluablethan
othersof temporalpatterndiscovery;to some it is delayeddetection.Unfortunately, evidencebuildsup
a problemperfectfora hiddenMarkovmodel and overtime,so detectionis easier the longerit is de-
so on. layed.In cases of self-revealingfraud,eventually,de-
So whyis frauddetectionnotsimplyclassification tectionis trivial
(e.g., a defraudedcustomercalls to
or a memberof some otheralreadywell-understood complainaboutfraudulent transactionson his or her
problemclass? Boltonand Hand outlineseveralchar- bill).
acteristics
of frauddetectionproblemsthatdifferenti- In mostresearchon modelingforfrauddetection,
ate them[as did Tom Fawcettand I in ourreviewof a subproblemis extracted(e.g., classifying transac-
theproblemsand techniques of frauddetection (Faw- tionsor accountsas beingfraudulent) and techniques
are comparedfor solvingthis subproblem-without
FosterProvostisAssociateProfessor, LeonardN. Stern moving on to comparethetechniquesforthegreater
School of Business,New YorkUniversity, New York, problem of detectingfraud.Each particular subprob-
New York10012 (e-mail:[email protected]). lem naturallywill abstract away those partsthatare

This content downloaded from 206.212.0.156 on Sat, 17 Aug 2013 15:38:38 PM

All use subject to JSTOR Terms and Conditions