Fraud Detection & Anomaly Monitoring

A statistical anomaly detection system that identifies unusual order patterns and alerts the team before fraud causes damage.

The Problem

Digital goods businesses are prime targets for payment fraud. Stolen cards get used for large orders. Coordinated attacks place dozens of orders in minutes. Sometimes legitimate traffic spikes look identical to attacks. Without automated detection, fraudulent orders are fulfilled before anyone notices, resulting in chargebacks and lost inventory. But aggressive blocking creates false positives that reject good customers.

The Solution

An anomaly detector runs continuously, comparing real-time metrics against historical baselines. It pulls the last 6 hours of orders and compares them against the same time window from previous weeks, adjusting for day-of-week patterns. When order volume, revenue, or average order value deviates beyond statistical thresholds, it triggers alerts. Moderate anomalies get logged for pattern analysis; severe anomalies send immediate Telegram notifications. The system distinguishes between positive anomalies (traffic spike from marketing) and negative ones (velocity suggesting fraud).

How It Works

  1. Baseline Calculation: Historical data from matching weekday time windows establishes normal ranges. Standard deviation calculations set thresholds.
  2. Real-Time Comparison: Every 15 minutes, current metrics are compared against baselines. Deviation is calculated as a z-score.
  3. Escalation Logic: Moderate anomalies (2σ) are stored but not alerted. Consecutive moderate anomalies or single severe anomalies (3σ) trigger immediate notification.
  4. Multi-Metric Analysis: Order count, revenue, unique customers, and average order value are tracked independently. Fraud often shows in specific metrics while legitimate spikes affect all proportionally.
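The four steps above, worked through in Python as an added example that is not the project's own code: z-scores against same-weekday windows, the 2σ/3σ escalation with a consecutive-moderate streak, and a per-window shape check across the four metrics. The sample windows, the `Escalator` and `classify` names, and the "proportional spike vs isolated anomaly" heuristic are assumptions made for this illustration.

```python
import statistics
MODERATE_SIGMA = 2.0  # stored for pattern analysis, no alert
SEVERE_SIGMA = 3.0    # immediate notification
VOLUME = ("orders", "revenue", "unique_customers")  # rise together in a genuine traffic spike

def zscore(current, history):
    """Deviation of the current window from the same weekday window in past weeks."""
    mean = statistics.fmean(history)
    stdev = statistics.pstdev(history)
    if stdev == 0:  # flat baseline: any change counts as a severe deviation
        return 0.0 if current == mean else (SEVERE_SIGMA if current > mean else -SEVERE_SIGMA)
    return (current - mean) / stdev

class Escalator:
    """Tiered alerting: severe -> alert, moderate -> log, two moderates in a row -> alert."""
    def __init__(self):
        self.streak = {}  # metric -> consecutive moderate anomalies seen
    def decide(self, metric, z):
        if abs(z) >= SEVERE_SIGMA:
            self.streak[metric] = 0
            return "alert"
        if abs(z) >= MODERATE_SIGMA:
            self.streak[metric] = self.streak.get(metric, 0) + 1
            return "alert" if self.streak[metric] >= 2 else "log"
        self.streak[metric] = 0
        return "ok"

def classify(report):
    """Assumed heuristic: a real spike lifts every volume metric at a normal order value."""
    flagged = {m: z for m, (z, d) in report.items() if d != "ok"}
    if not flagged:
        return "normal"
    if all(flagged.get(m, 0) > 0 for m in VOLUME) and "avg_order_value" not in flagged:
        return "proportional spike"
    return "isolated anomaly"  # e.g. revenue and order value up without new customers

def evaluate_window(escalator, current, history):
    """current: {metric: value}; history: {metric: [same-window values from past weeks]}."""
    report = {}
    for metric, value in current.items():
        z = zscore(value, history[metric])
        report[metric] = (round(z, 2), escalator.decide(metric, z))
    return report, classify(report)

# Constructed sample data: four prior weeks of the same weekday, 6-hour window
HISTORY = {"orders": [40, 44, 38, 42], "revenue": [2000, 2200, 1900, 2100],
           "unique_customers": [38, 42, 36, 40], "avg_order_value": [50, 50, 50, 50]}
FRAUD_LIKE = {"orders": 45, "revenue": 4000, "unique_customers": 40, "avg_order_value": 88.9}
MARKETING = {"orders": 60, "revenue": 3000, "unique_customers": 57, "avg_order_value": 50}
```

Calling `evaluate_window(Escalator(), FRAUD_LIKE, HISTORY)` flags revenue and order value but not customers, while `MARKETING` moves all volume metrics together at the usual order value; a production run would keep one `Escalator` across 15-minute ticks so the streak logic carries over.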

Tech Stack

  • Detection: Python with statistical analysis
  • Alerting: Telegram Bot API, Discord webhooks
  • Storage: SQLite for anomaly history
  • Scheduling: Daemon with configurable intervals

Results

  • Real-time fraud detection with sub-15-minute latency
  • Historical baseline comparison adjusting for weekly patterns
  • Tiered alerting separating moderate from severe anomalies
  • Multi-metric analysis catching patterns invisible in single metrics