Skip to main content

Fraud Investigation Engine Overview

The Fraud Investigation Engine is an agentic workflow that investigates fraud alerts by analyzing transaction data, alert signals, and external intelligence. It evaluates evidence against your Standard Operating Procedures (SOPs), performs web research to verify external entities, and queries data warehouses to produce a comprehensive investigation with a clear verdict and recommended action.

Key Capabilities

  • Policy-Driven Analysis: Investigates alerts against your fraud investigation SOP guidelines
  • Fraud Classification: Categorizes fraud by scenario (what happened), actor (who did it), vector (how), and payment rail
  • Automated Evidence Collection: Uses web research and SQL queries to gather and cite evidence
  • Risk Signal Detection: Identifies high-risk signals and verification checks that passed from your SOP
  • Structured Verdicts: Produces investigation results with clear verdicts from your policy dispositions

Prerequisites

Before using the Fraud Investigation Engine, ensure you have:
  1. A Fraud Investigation Policy: Create a policy containing your fraud investigation SOP with guidelines, red flag criteria, and disposition options. See Policies for setup instructions.
  2. Context Sources (Recommended): Configure data connectors (Snowflake, ClickHouse, or Zendesk) to allow the agent to query transaction history and customer data. See Data Connectors.

Fraud Investigation Engine Inputs

The Fraud Investigation Engine Configuration has four parameters:
ParameterRequiredDescription
policy_version_idYesThe Policy version ID containing your fraud investigation guidelines (SOP)
context_sourcesNoData sources (e.g., Snowflake, Zendesk) for the agent to query transaction and customer data during investigation
alert_dataYesAlert data that triggered this investigation (JSON string with alert details)
transaction_dataNoPre-loaded transaction data (JSON string). If empty, the agent will fetch from context sources
See Template Strings for dynamic parameter configuration.

Fraud Investigation Output

The output is a structured JSON object containing:

Policy Applied

Information about the policy used for investigation:
  • name: Name of the policy applied
  • version: Version ID of the policy applied

Customer Profile

Customer information gathered during the investigation:
FieldDescription
account_idCustomer’s account identifier
emailCustomer’s email address
nameCustomer’s full name
phoneCustomer’s phone number
locationCustomer’s location (city, state, country or IP-based geolocation)
devicesDevices associated with the customer (e.g., “iPhone 14”, “Android”)
productProduct or service the customer is using
accountsList of account types or linked accounts
kyc_statusKYC verification status including provider and verification method

Fraud Analysis

Complete investigation result including:
FieldDescription
verdictFinal verdict from policy dispositions (e.g., “False Positive”, “Needs Review”)
summaryMarkdown executive summary with inline evidence references using $REF_X$ markers
summary_evidencesArray of evidence objects corresponding to $REF_X$ markers in the summary
railPayment method used (wire, ach, check, card_present, card_not_present, zelle_rtp)
scenarioFraud typology if fraud is suspected (e.g., account_takeover, scam_investment)
actorWho committed the fraud (third_party, first_party, second_party, internal_employee)
vectorsAttack vectors used (e.g., phishing_link, credential_stuffing, sim_swap)
high_risk_signalsArray of detected risk signals with evidence
checks_passedArray of verification checks that passed with evidence
action_recommendationRecommended action with reasoning

Risk Signal Structure

Each risk signal includes:
  • signal_name: Clear, concise name of the risk signal
  • reasoning: One sentence explanation of the key finding
  • evidences: Array of evidence supporting this finding

Checks Passed Structure

Each check passed includes:
  • check_name: Clear, concise name of the check passed
  • reasoning: One sentence explanation of the key finding
  • evidences: Array of evidence supporting this finding

Evidence Structure

Each piece of evidence includes:
  • evidence_type: “web_link”, “screenshot”, or “artifact”
  • evidence_data: URL or artifact reference
  • evidence_name: Short descriptive name
  • evidence_description: Why this evidence is relevant

Action Recommendation Structure

FieldDescription
suggested_actionOne of: clear_alert, escalate, or lock_account
reasoningExplanation for why this action is suggested over others

Fraud Classification Taxonomy

The Fraud Investigation Engine uses a structured taxonomy to classify fraud:

Fraud Scenarios (The “What”)

ScenarioDescription
account_takeoverUnauthorized access to an existing account
new_account_fraudSynthetic or stolen identity used at onboarding
card_testingHigh velocity small authorizations
scam_impersonationBank/government impostor scams
scam_investmentCrypto/pig butchering investment scams
scam_romanceRomance-based fraud schemes
first_party_abuse”Friendly fraud” / refund abuse
mule_activityReceiving stolen funds
structuringSmurfing to avoid reporting limits

Fraud Actors (The “Who”)

ActorDescriptionLiability
third_partyExternal criminalBank Liability
first_partyCustomer themselvesCustomer Liability
second_partyMule/CollusionShared Liability
internal_employeeInsider threatBank Liability

Attack Vectors (The “How”)

VectorTypeDescription
credential_stuffingTechnicalReusing passwords from breaches
malware_botTechnicalAutomated malicious software
sim_swapTechnicalPhone number hijacking
man_in_the_middleTechnicalIntercepting communications
phishing_linkSocialClicked malicious link
vishing_callSocialFraudulent phone call
document_forgerySocialFake ID or documents
check_washingSocialChemically altering checks

Payment Rails (The “Vehicle”)

RailDescription
wireWire transfer
achACH transfer
checkCheck payment
card_presentIn-person card transaction
card_not_presentOnline/remote card transaction
zelle_rtpZelle or real-time payments

Policy (SOP) Structure

Your fraud policy should contain:
  1. Instructions: High-level investigation guidance for fraud detection
  2. Guidelines: Organized as Categories > Rules
    • Each Category contains multiple Rules
    • Each Rule has a flag type (GREEN_FLAG or RED_FLAG), title, and description
  3. Dispositions: Classification options for final verdicts

Supported Context Sources

The Fraud Investigation Engine supports the following data source connectors:
ConnectorTypeDescription
SnowflakeSQLQuery your Snowflake data warehouse for transaction history, customer data, device logs, etc.
ClickHouseSQLQuery ClickHouse for high-performance analytics on transaction data
Roe TablesSQLQuery tables stored in VolansDB for internal data analysis
ZendeskAPIFetch support tickets and customer communication history
Configure context sources to allow the agent to automatically fetch transaction and customer data during investigation. The agent uses an iterative SQL querying strategy—first discovering the schema, then verifying entity columns, before running aggregated queries.

Creating a Fraud Policy

Fraud investigation requires a policy containing your Standard Operating Procedures (SOP). You can create policies using the Policies feature.
A pre-built Fraud Investigation Workflow policy template is available in the platform. This template provides a comprehensive framework for alert review, typology assessment, evidence synthesis, and decision labels.

Example Alert Data

{
  "alert_id": "FRD-2024-005678",
  "account_id": "ACC-123456",
  "customer_name": "John Smith",
  "customer_email": "[email protected]",
  "alert_type": "ACCOUNT_TAKEOVER_SUSPECTED",
  "alert_date": "2024-01-20",
  "triggered_by": "Multiple failed login attempts followed by password reset from new device",
  "risk_score": 85,
  "device_info": {
    "device_id": "DEV-789",
    "device_type": "Android",
    "ip_address": "203.0.113.45",
    "geolocation": "Lagos, Nigeria"
  },
  "transaction_summary": {
    "attempted_transfer": 5000.00,
    "recipient": "Unknown Wallet",
    "payment_method": "wire"
  }
}

Example Output

{
  "policy_applied": {
    "name": "Fraud Investigation SOP v3",
    "version": "pol_ver_xyz789"
  },
  "customer_profile": {
    "account_id": "ACC-123456",
    "email": "[email protected]",
    "name": "John Smith",
    "phone": "+1-555-0123",
    "location": "New York, NY",
    "devices": ["iPhone 14 Pro", "MacBook Pro"],
    "product": "Premium Checking",
    "accounts": ["checking", "savings"],
    "kyc_status": {
      "verified": true,
      "last_verified": "2023-06-15",
      "provider": "Persona",
      "verification_method": "Selfie, ID Upload"
    }
  },
  "fraud_analysis": {
    "verdict": "highly_suspected",
    "summary": "Investigation of account takeover alert for customer ACC-123456. The alert flagged suspicious login activity from an unrecognized device.\n\n**Red Flags:**\n- **New device from Nigeria** detected, inconsistent with customer's US-based transaction history $REF_1$\n- **5 failed login attempts** before successful authentication via password reset $REF_2$\n- **Attempted $5,000 wire transfer** to unknown wallet immediately after access $REF_3$\n\n**Green Flags:**\n- Customer has **verified KYC status** with Persona $REF_4$\n\nStrong evidence of third-party account takeover via credential compromise. Immediate account protection recommended.",
    "summary_evidences": [
      {
        "id": "REF_1",
        "evidence_type": "artifact",
        "evidence_data": "FraudInvestigationEngine-456/sql_query_device_history.json",
        "evidence_name": "Device geolocation analysis",
        "evidence_description": "Customer's previous 50 logins were all from New York; this login originated from Nigeria"
      },
      {
        "id": "REF_2",
        "evidence_type": "artifact",
        "evidence_data": "FraudInvestigationEngine-456/sql_query_login_attempts.json",
        "evidence_name": "Login attempt logs",
        "evidence_description": "5 failed password attempts within 3 minutes before password reset request"
      },
      {
        "id": "REF_3",
        "evidence_type": "input",
        "evidence_data": "alert_data",
        "evidence_name": "Wire transfer attempt",
        "evidence_description": "Attempted wire of $5,000 to unregistered recipient within 10 minutes of account access"
      },
      {
        "id": "REF_4",
        "evidence_type": "artifact",
        "evidence_data": "FraudInvestigationEngine-456/sql_query_kyc_status.json",
        "evidence_name": "KYC verification record",
        "evidence_description": "Customer completed identity verification in June 2023"
      }
    ],
    "rail": "wire",
    "scenario": "account_takeover",
    "actor": "third_party",
    "vectors": ["credential_stuffing"],
    "high_risk_signals": [
      {
        "signal_name": "Geolocation Anomaly",
        "reasoning": "Login from Nigeria when customer history shows exclusively US-based activity.",
        "evidences": [
          {
            "evidence_type": "artifact",
            "evidence_data": "FraudInvestigationEngine-456/sql_query_device_history.json",
            "evidence_name": "Device location history",
            "evidence_description": "All 50 previous logins from New York area"
          }
        ]
      },
      {
        "signal_name": "Password Reset After Failed Attempts",
        "reasoning": "Classic account takeover pattern—multiple failed attempts followed by password reset.",
        "evidences": [
          {
            "evidence_type": "artifact",
            "evidence_data": "FraudInvestigationEngine-456/sql_query_login_attempts.json",
            "evidence_name": "Authentication logs",
            "evidence_description": "5 failed attempts then password reset in 3-minute window"
          }
        ]
      }
    ],
    "checks_passed": [
      {
        "check_name": "KYC Verification Valid",
        "reasoning": "Customer completed identity verification through Persona with selfie and ID upload.",
        "evidences": [
          {
            "evidence_type": "artifact",
            "evidence_data": "FraudInvestigationEngine-456/sql_query_kyc_status.json",
            "evidence_name": "KYC record",
            "evidence_description": "Verified June 2023 via Persona"
          }
        ]
      }
    ],
    "action_recommendation": {
      "suggested_action": "lock_account",
      "reasoning": "Strong evidence of third-party account takeover with attempted fund transfer. Immediate account lock prevents further unauthorized access and protects customer funds."
    }
  }
}

Action Recommendations

Based on the verdict, the engine recommends one of three actions:
ActionWhen to Use
clear_alertVerdict is false_positive—no further action needed
escalateVerdict is needs_review—requires human analyst review or additional context
lock_accountVerdict is highly_suspected—immediate protective action to prevent losses

Use Cases

The Fraud Investigation Engine is designed for:
  • Account Takeover Alerts: Investigate suspicious login patterns, device changes, or credential compromise
  • Transaction Fraud Alerts: Analyze unusual transaction patterns, velocity anomalies, or suspicious recipients
  • New Account Fraud: Investigate synthetic identity or application fraud signals
  • Scam Detection: Identify investment scams, romance scams, or impersonation attempts
  • Chargeback Investigation: Investigate disputes and determine first-party vs. third-party fraud
  • Mule Account Detection: Identify accounts receiving or laundering stolen funds

Best Practices

Define Clear SOPs

Create comprehensive fraud investigation policies with specific criteria for each verdict level

Connect Multiple Data Sources

Configure SQL and Zendesk context sources to give the agent access to transaction history, device logs, and customer communications

Structure Alert Data

Include all relevant identifiers (account ID, device info, IP, transaction details) in your alert data for thorough investigation

Review Dispositions

Define clear disposition classifications in your policy for consistent verdict assignment

Policies

Learn how to create and manage fraud investigation policies

Data Connectors

Set up Snowflake, ClickHouse, and Zendesk connections

AML Investigation

Explore the related AML Investigation Engine for anti-money laundering cases