This FDS case study aims to analyze fraud detection statistics based on real FDS data and determine when online fraud is most likely to occur.
Thieves in Broad Daylight?
When you search for images of thieves on the internet, you often see them dressed in dark clothes, carrying a bag of stolen goods under the cover of night. The key detail here is ‘nighttime‘: thieves rarely operate in broad daylight; they are mostly active at night.
Do Online Thieves Also Operate at Night?
The online world is full of thieves, or fraudsters. When do they typically operate?
The bottom line is ‘always’. Compared to the number of thieves, the number of online fraudsters is much higher. Without geographical restrictions, online fraud knows no boundaries between day and night.
What if unified time zone for all online users around the world? Would online fraud appear more often in the middle of the night?
To answer this question, we set the following hypothesis and analyzed fraud detection statistics directly.
- Hypothesis: Fraud mainly occurs at night.
Time Zone Adjustment and Analysis of Fraud Detection Statistics
To test our hypothesis, we defined nighttime as the period from 10 PM to 6 AM, which is generally considered nighttime in most societal norms and labor standards.
For our analysis, we used data from a portal site visited daily by users from over 150 countries. We analyzed three months’ worth of logs using the Criminal IP FDS system to identify the latest trends.
Criminal IP FDS collects and analyzes log data from linked services in real-time to detect anomalies. Key features include detecting bypass IP addresses, unusual behavior patterns, and traffic spikes.
We preprocessed the collected data by adjusting user access times recorded in UTC+0 to their respective local times. For example, we subtracted 5 hours for users accessing from Colombia and added 7 hours for users from Thailand. Then, we checked the overall traffic at hourly intervals.
As shown in the graph, usage gradually increases from 9 AM, peaks around 3 PM, and then gradually decreases, reaching its lowest point around 4 AM.
- This graph illustrates the changes in overall traffic throughout the day. Traffic increases from 9 AM, peaks at 3 PM, and then decreases.
Analysis of Proxy IP Traffic Patterns in Fraud Detection Statistics
As expected, overall traffic increased during the day and decreased at night.
But what about high-risk users using proxy IP addresses? The bar graph below shows proxy IP address traffic, which is relatively evenly distributed throughout the day and night.
- This graph shows overall traffic and proxy IP address traffic by time of day. Proxy IP addresses are displayed as bars at the bottom and are used relatively evenly regardless of the time of day.
When viewed as a percentage of overall traffic, proxy IP addresses are more prominently used at night. During the day, proxy IP addresses account for about 10% of total traffic, but at night, they can exceed 20%.
- This graph shows the usage of bypass IP addresses compared to total traffic by time of day. It is confirmed that it peaks at 24% around midnight.
In other words, the hypothesis that “online fraud primarily occurs at night” is supported by the data.
Differences between VPN and Other Proxy IP addresses
Now let’s take a closer look at bypassing IP addresses, a key tool used in online fraud activity.
Criminal IP FDS detects various types of proxy IP addresses, including Tor, Proxy, VPN, and Hosting. Among these, VPNs have a slightly different nature.
For instance, when users in Korea use a VPN, they rarely select Korea as the region. VPNs are primarily used to choose regions or countries other than the user’s residence.
Therefore, users using a VPN may experience discrepancies between their actual region’s time zone and the VPN server’s time zone, showing a different pattern than the ‘high access at nighttime’ we are investigating.
When we separately analyzed traffic from IP addresses using VPNs in abnormal transaction detection statistics, we found a relatively constant traffic flow compared to traffic from all bypass IP addresses. On the other hand, traffic flow for bypass IPs, excluding VPN, is more concentrated at night.
This becomes clearer when you look at it as a ratio. When viewed as a percentage, VPN traffic was around 2% during the day but could reach up to 20% at night.
- This graph shows VPN usage separately compared to total traffic. It shows a relatively constant traffic flow regardless of day or night.
- This graph shows traffic trends for bypass IP addresses excluding VPNs compared to overall traffic. The proportion of day/night traffic is clearly revealed.
The correlation coefficient, which quantifies the relationship between daytime and nighttime access frequencies, is 0.8, indicating a strong positive correlation (1: represents a perfect positive correlation, -1: represents a perfect negative correlation).
Additionally, the p-value is below 0.05, demonstrating the statistical significance of higher proxy IP traffic at night.
In conclusion, the analysis of fraud detection statistics supports the hypothesis that “online fraud primarily occurs at night.” Therefore, companies and organizations providing online services should consider enhancing security measures during nighttime hours.
For more information, please refer to the article Fraud Detection Methods According to the Federal Reserve’s FraudClassifier Model.
Criminal IP FDS, an anomaly detection system, was utilized in this analysis.
Related Article(s):