Function1 - Fighting Financial Fraud with Splunk

Naveed Krabbe (Senior Operational Intelligence Consultant with Splunk Partner Function1) joins us with a guest article exploring how Splunk can be used to fight financial fraud. As a leader in the Operational Intelligence and Middleware space, Function1 not only designed the base architecture for some of the largest Splunk deployments in the world today, but also helped to develop the standard for enterprise class governance and data onboarding. Function1 received the 2017 Revolution Award for Innovation at .conf2017.

It comes as no surprise that as the banking industry increases its online presence, financial organizations are making fraud detection and prevention a top priority. Fraud has a significant financial and operational impact on organizations. Beyond direct monetary losses, it exposes businesses to reputational damage and strained customer relationships.

Organizations must be able to perform advanced data analytics in order to recognize and respond to patterns of fraud. Simply stated, faster fraud detection is essential to minimizing loss.

Fraudulent patterns (both internal and external) are often lurking in the vast, unstructured machine data generated by a company’s applications and IT systems. Function1 has helped numerous customers use Splunk to detect and analyze these patterns. Let’s examine some of the use cases built in Splunk and highlight other Splunk features we’ve utilized in the fight against financial fraud.

Fraud Detection Use Cases

Much as with cybersecurity, Splunk can be used for a wide variety of anti-fraud use cases. Although every organization has its own anti-fraud challenges to address, some use cases are common across the banking and financial industries. Here are examples of use cases that Function1 has implemented with Splunk.

Fraudulent Membership and Card Applications

  • Applications started and completed in an unusually short time (faster than a person could realistically fill in the form)
  • Velocity use cases:
    • Many accounts created from one IP address or device
    • Many accounts sharing the same personal information (phone number, address, and so on)
  • Email addresses with suspicious or invalid email domains
  • Geolocation-focused use cases
  • Integrations with external or third-party fraudster databases
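To make the application use cases concrete, here is an added example (not part of the original article, and not Function1's or Splunk's own content) of how three of them look as scheduled searches in a savedsearches.conf. Every name in it is an assumption for illustration: the index `membership`, the sourcetype `card_application`, the fields `applicant_id`, `applicant_email`, `phone`, `src_ip`, `device_id` and `duration_sec` (seconds from form start to submission, assumed to be logged on the submit event), and a CSV lookup definition `suspicious_email_domains` with columns `domain` and `reason`.

```ini
# Added example for the application-fraud use cases. All index, sourcetype,
# field and lookup names below are assumptions, not a real deployment.

# Velocity: many distinct applicants from one IP address within an hour.
# Runs every 15 minutes over the last 65 minutes so late-indexed events still
# fall into a complete hourly bucket. fastest_sec and the device count are
# context for the analyst, not part of the condition.
[Fraud - Application velocity by source IP]
cron_schedule = */15 * * * *
dispatch.earliest_time = -65m@m
dispatch.latest_time = now
enableSched = 1
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
alert.severity = 4
search = index=membership sourcetype=card_application event=application_submitted \
  | bin _time span=1h \
  | stats dc(applicant_id) AS applicants, values(applicant_id) AS applicant_list, \
          dc(device_id) AS devices, min(duration_sec) AS fastest_sec BY _time, src_ip \
  | where applicants >= 5 \
  | sort - applicants

# Shared personal information: normalise the phone number before grouping so
# "(555) 010-0100" and "5550100100" are counted as the same value, and ignore
# values too short to be a real number.
[Fraud - Applications sharing a phone number]
cron_schedule = 0 * * * *
dispatch.earliest_time = -7d@d
dispatch.latest_time = now
enableSched = 1
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
search = index=membership sourcetype=card_application event=application_submitted \
  | eval phone_norm=replace(phone, "[^0-9]", "") \
  | where len(phone_norm) >= 10 \
  | stats dc(applicant_id) AS applicants, values(applicant_id) AS applicant_list, \
          dc(src_ip) AS source_ips, earliest(_time) AS first_seen, latest(_time) AS last_seen BY phone_norm \
  | where applicants > 1 \
  | convert ctime(first_seen) ctime(last_seen)

# Suspicious email domain: extract and lower-case the domain, match it against
# a lookup the fraud team maintains, and keep only rows that had a lookup hit.
[Fraud - Suspicious applicant email domain]
cron_schedule = */15 * * * *
dispatch.earliest_time = -20m@m
dispatch.latest_time = now
enableSched = 1
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
search = index=membership sourcetype=card_application event=application_submitted \
  | rex field=applicant_email "@(?<email_domain>[^@]+)$" \
  | eval email_domain=lower(email_domain) \
  | lookup suspicious_email_domains domain AS email_domain OUTPUT reason \
  | search reason=* \
  | table _time applicant_id applicant_email email_domain reason
```

The velocity search groups by IP address; swapping `src_ip` for `device_id` in the `BY` clause gives the device variant. Because the windows overlap from run to run, the same hour can fire twice; if that matters, throttle the alert on the `_time` and `src_ip` fields so repeats are suppressed.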

Account Takeover

  • Unusually high value or number of transfers or withdrawals
  • Velocity use cases:
    • Many accounts accessed from one IP address or device
    • One account accessed from many IP addresses or devices
  • Profile and address changes followed by:
    • Transfers or withdrawals
    • New credit/debit card requests
  • Blacklist/lookup-based use cases:
    • Banned device IDs
    • Suspicious IP domains/providers
  • Brute force use cases: an excessive number of failed-login or lockout events followed by a successful login
  • Geolocation-focused use cases
  • Integrations with external or third-party risk scoring systems
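The sequence-based items in the account takeover list (a burst of failures followed by a login, and a profile change followed by money movement) are where Splunk's `transaction` command earns its keep. Here is an added example (not part of the original article, and not Function1's or Splunk's own content) of both as scheduled alerts. Assumed names, purely for illustration: index `auth`, sourcetype `online_banking` with fields `user`, `action` (failure, lockout or success), `src_ip` and `device_id`; and index `banking`, sourcetype `account_events` with fields `account_id`, `event` (profile_change, address_change, transfer, withdrawal or card_request), `amount` and `src_ip`.

```ini
# Added example for the sequence-based account takeover use cases. All index,
# sourcetype and field names below are assumptions, not a real deployment.

# Brute force followed by a successful login. With only an endswith condition,
# every success closes a group that holds the same user's earlier failure and
# lockout events (up to 30 minutes back), so eventcount-1 is the number of
# failed attempts before that login. startswith is deliberately not used:
# each failure would open its own single-event transaction and the count
# would be lost. The final where keeps only groups whose login (the group's
# _time plus its duration) happened since the previous 10-minute run, so one
# login is not alerted on repeatedly.
[Fraud - ATO brute force then success]
cron_schedule = */10 * * * *
dispatch.earliest_time = -45m@m
dispatch.latest_time = now
enableSched = 1
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
alert.severity = 5
search = index=auth sourcetype=online_banking action IN (failure, lockout, success) \
  | transaction user maxspan=30m endswith="action=success" \
  | search action=success \
  | eval failed_attempts=eventcount-1, distinct_ips=mvcount(src_ip) \
  | where failed_attempts >= 10 AND _time + duration >= relative_time(now(), "-10m@m") \
  | table _time user failed_attempts duration distinct_ips src_ip device_id

# Profile or address change followed by a transfer, withdrawal or new card
# request within 24 hours. The group ends at the money-movement event and is
# reported only when a profile or address change sits inside it; lead_time_min
# is how long the fraudster waited between the change and the cash-out.
[Fraud - ATO profile change then money movement]
cron_schedule = */15 * * * *
dispatch.earliest_time = -25h@h
dispatch.latest_time = now
enableSched = 1
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
alert.severity = 5
search = index=banking sourcetype=account_events event IN (profile_change, address_change, transfer, withdrawal, card_request) \
  | transaction account_id maxspan=24h endswith="event=transfer OR event=withdrawal OR event=card_request" \
  | search (event=profile_change OR event=address_change) (event=transfer OR event=withdrawal OR event=card_request) \
  | eval lead_time_min=round(duration/60, 1) \
  | where _time + duration >= relative_time(now(), "-15m@m") \
  | table _time account_id event lead_time_min amount src_ip
```

Two caveats worth knowing before deploying this pattern. First, `transaction` holds groups in memory until they close, so bound it with `maxspan` (and `maxevents` on noisy sources) rather than leaving it open-ended. Second, if an account makes several transfers after one profile change, only the first transfer's group contains the change; the later transfers start fresh groups and are not flagged by this search, which is acceptable because the account has already been surfaced.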

Functionality and Adaptation

Beyond use case development, Splunk can also be leveraged to provide additional features and tools to assist with fraud detection, analytics, investigation, and response. Here are a few additional benefits that Splunk provides in the fight against fraud.

  • Customized, form-based dashboards with drilldowns that give analysts easy access to data targeted to their investigative needs. This lets lower-tier analysts search the relevant data without learning the Splunk search language.
  • Lookup tables and GUI-based lookup editors that let teams manage and update the lookups used to enrich data or to maintain blacklists and whitelists.
  • Summary dashboards that provide high-level overviews, trend analysis statistics and workflow-based reports.
  • Ease and flexibility in onboarding a wide variety of data sources. Whether the data is structured (database tables) or an unstructured proprietary format, Splunk can be configured to ingest it.
  • Correlation of otherwise disjoint data sources. Splunk can join distinct data sources together to provide insight into sequence-based transactions.
  • Flexibility to integrate with and export data to other systems via scripting, alert actions, and dynamic forms or drilldowns.
  • The ability to pull historical reports for compliance requirements and to assist in financial crime investigations.

What's Next?

Unquestionably, static rules can be highly effective in detecting fraud and typically have a quick development cycle. However, as fraudsters continue to adapt and use new methods, it will become increasingly important to bring machine learning and data science algorithms into the fight against fraud. Detecting anomalies and outliers through machine learning, using adaptive thresholds, and other advanced techniques are clearly the next wave in fraud detection and prevention, and, of course, Splunk has an app for that! Check out Splunk's Machine Learning Toolkit.
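A first step from a static "transfer over $X" rule toward an adaptive one is to score each transfer against the account's own history. Here is an added example (not part of the original article, and not Function1's or Splunk's own content) of that as a scheduled search. Assumed names, for illustration only: index `banking`, sourcetype `account_events`, fields `account_id`, `event` and `amount`.

```ini
# Added example of an adaptive per-account threshold. All index, sourcetype
# and field names below are assumptions, not a real deployment.

# Transfers from the last 30 days form each account's baseline; only today's
# transfers are scored against it. The baseline explicitly excludes today's
# events so that a single huge transfer cannot inflate its own threshold.
# Accounts with fewer than 10 historical transfers are skipped, because a mean
# and standard deviation from a handful of values are not trustworthy, and a
# zero standard deviation is skipped to avoid dividing by zero.
[Fraud - Transfer amount outlier vs account baseline]
cron_schedule = 0 * * * *
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
enableSched = 1
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
alert.severity = 4
search = index=banking sourcetype=account_events event=transfer \
  | eval is_today=if(_time >= relative_time(now(), "@d"), 1, 0) \
  | eventstats count(eval(is_today=0)) AS history, \
               avg(eval(if(is_today=0, amount, null()))) AS baseline_avg, \
               stdev(eval(if(is_today=0, amount, null()))) AS baseline_stdev BY account_id \
  | where is_today=1 AND history >= 10 AND baseline_stdev > 0 \
  | eval zscore=round((amount - baseline_avg) / baseline_stdev, 2) \
  | where zscore >= 3 \
  | table _time account_id amount baseline_avg baseline_stdev history zscore
```

Two practical notes. Re-scanning 30 days of transfers every hour is wasteful; in production the baseline would be computed once a day into a lookup or summary index and the hourly search would only read today's transfers against it. And because this search needs history, brand-new accounts fall through it entirely, which is exactly where the static rules from the use case lists above still have to apply. The Machine Learning Toolkit's DensityFunction algorithm performs the same kind of per-group outlier scoring against a fitted distribution, with the baseline stored as a model rather than recomputed on each run.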


Our team at Function1 has had the opportunity to implement Splunk as a fraud detection and analytics solution for various customers in the financial industry. In each case, our customers have found Splunk to be a highly effective and efficient tool in the fight against fraud. These organizations have consistently reported high values for losses prevented with Splunk, particularly in the areas of fraudulent applications and member account takeovers.

Please feel free to contact me if you have any questions about this blog or if you’d like to discuss how we can help your team use Splunk to meet its fraud detection needs.

Happy Splunking!

Naveed Krabbe

Senior Consultant, Operational Intelligence

