Machine learning detects fraud by learning the patterns of past fraudulent
transactions and flagging new transactions that match those patterns —
combining models trained on known fraud cases with anomaly-detection methods
that catch fraud patterns no one has seen before. Most production fraud
systems use both approaches together, not one or the other.
Here's how that actually works, and what makes fraud detection a harder
problem than it first looks.
Older fraud systems ran on fixed rules: flag any transaction over $5,000,
flag any purchase from a new country, flag any card used twice in 10 minutes.
Rules are easy to understand, but they break down fast:
Machine learning replaces fixed thresholds with learned patterns that adjust
per customer, per merchant, and per context automatically.
Banks and payment processors have years of transactions already labeled
fraudulent or legitimate (often confirmed by customer disputes or
investigations). A supervised model trains on that history, learning which
combinations of features tend to appear in fraud cases.
Common features fed into the model:
The model doesn't apply a fixed rule to any single feature — it learns the
combination of signals that historically correlates with fraud, which is
why it catches cases a simple rule would miss entirely.
Supervised models are only as good as their training data — they can only
catch fraud patterns that have already been seen. New fraud techniques won't be in the training data, which is exactly where
Unsupervised models don't need a label called "fraud." Instead, they learn
what normal behavior looks like for a customer or system, and flag
anything that deviates significantly — whether or not it matches a known
fraud pattern. This is what catches genuinely new fraud techniques before
enough labeled examples exist to train a supervised model on them.
Fraud decisions for card transactions typically need to happen in well under
a second — the transaction is either approved or declined before the
customer's payment terminal moves on. This puts real constraints on the
system:
Every fraud system makes a trade-off between blocking legitimate customers and letting real fraud through: there's no setting that eliminates both. Most systems use a risk score
rather than a binary yes/no, routing borderline transactions to additional
verification (a text message confirmation, a manual review) instead of an
outright block — reducing customer friction while still catching high-risk cases.
A customer who normally spends $50-$150 per transaction in their home city suddenly has a $2,000 transaction from a country they've never shopped in,
at 3 a.m. local time, on a new device. No single feature here is
automatically fraud — large purchases, travel, and new devices all happen
legitimately. But the combination, scored against the customer's typical
pattern, produces a high risk score, and the transaction gets flagged for
extra verification rather than an automatic block.
Fraud detection works best as a layered system: supervised models catch
known fraud patterns with high accuracy, unsupervised models catch novel
patterns supervised models haven't seen yet, and a risk-scoring layer on top
decides whether to block, allow, or verify — balancing fraud prevention
against the cost of frustrating legitimate customers.
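As an added illustration of the $2,000-at-3-a.m. scenario and the layered decision described above (example code, not from the original article), the scorer below builds a per-customer baseline, adds points only for signals that are unusual for that customer, and routes the result to allow, verify or block. The feature weights, thresholds, the constructed purchase history and the `known_fraud_prob` stand-in for a supervised model's output are all assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    amount: float
    country: str
    device_id: str
    local_hour: int  # 0-23 in the customer's local time


def anomaly_score(history: list[Txn], txn: Txn) -> float:
    """0-100: how far txn deviates from this customer's own baseline.

    No single feature decides; each adds points only when it is unusual for
    this customer. Weights are illustrative assumptions, not from the article.
    """
    amounts = [t.amount for t in history]
    mu, sigma = mean(amounts), pstdev(amounts) or 1.0
    # Amount z-score, capped so one large purchase alone never exceeds 40.
    amount_pts = min(max((txn.amount - mu) / sigma, 0.0) * 10, 40.0)
    new_country = txn.country not in {t.country for t in history}
    new_device = txn.device_id not in {t.device_id for t in history}
    # A night-time purchase counts only if this customer never shops at night.
    odd_hour = txn.local_hour <= 5 and all(t.local_hour > 5 for t in history)
    return amount_pts + 25 * new_country + 20 * new_device + 15 * odd_hour


def decide(anomaly: float, known_fraud_prob: float) -> str:
    """Risk-scoring layer: a confident match to a *known* fraud pattern
    (supervised) is blocked; a novel deviation (unsupervised) is routed to
    extra verification instead of a block. Thresholds are assumptions."""
    if known_fraud_prob >= 0.9:
        return "block"
    if anomaly >= 45 or known_fraud_prob >= 0.5:  # 45: one maxed signal alone never verifies
        return "verify"
    return "allow"


# Constructed history: modest daytime purchases at home on one phone.
HISTORY = [Txn(a, "US", "phone-1", h) for a, h in
           [(50, 12), (80, 18), (120, 9), (150, 20), (95, 13), (70, 17)]]
SUSPECT = Txn(2000, "BR", "laptop-9", 3)  # the article's scenario
ROUTINE = Txn(110, "US", "phone-1", 14)


def route(txn: Txn, known_fraud_prob: float = 0.1) -> tuple[float, str]:
    """Score one transaction against HISTORY and return (score, decision)."""
    score = anomaly_score(HISTORY, txn)
    return score, decide(score, known_fraud_prob)
```

With these weights the scenario scores 100 but is routed to verification, not blocked, because no supervised model has matched it to a known pattern; a large purchase on its own stays under the verify threshold.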