inform. educate. connect.

Issue #18 - June 2013  

Anomaly Detection: The What, How and Why Behind Using It to Prevent Fraud

By Tiffany Riley, Guardian Analytics

As stated in the June 2011 Guidance Supplement, the FFIEC expects all institutions that allow high-risk online transactions to have layered security controls that include the ability to detect anomalies and effectively respond to suspicious or anomalous activity related to initial login and the initiation of electronic banking transfers.

The Guidance goes on to explain why the agencies chose anomaly detection as a required layer of online banking security:

“Based upon the incidents the Agencies have reviewed, manual or automated transaction monitoring or anomaly detection and response could have prevented many of the frauds since the ACH/wire transfers being originated by the fraudsters were anomalous when compared with the customer’s established patterns of behavior.” (emphasis added)

In short, the agencies expect all institutions to have anomaly detection because it works! Anomaly detection solutions have been in place at institutions of all sizes for years and are proven to identify a wide array of online banking attacks. So, what is anomaly detection, and what are the different types?

Anomaly Detection – A Primer
Simply put, anomaly detection is the process of detecting something unusual relative to something expected. In the world of online banking this typically means monitoring for unusual or suspicious (anomalous) online banking activity in order to identify account takeover, reconnaissance, fraud setup and fraudulent transactions.

Here are three specific approaches to anomaly detection. All qualify as “anomaly detection” in that they look for differences when compared to a norm, but the differences between them lies in how that norm is established.

  • Detection based on general or “population” level behavior. This means looking for unusual behavior relative to an average or “typical” user. This type of anomaly detection is often set up using a set of rules, each rule defining some aspect of “normal” behavior, such as time of day, frequency or amount, and often is overly focused on transactions. This technique often generates a high number of false positive alerts for an in-house team to review and misses anomalous activity that is indicative of fraud but doesn’t include a transaction.

  • Detection of website traffic anomalies. This approach seeks indications that malware is automating the process of setting up and executing transactions. For example, setting up a large number of wire transfers in a very short period, something that a human couldn’t physically do as quickly. This approach, however, would not detect a criminal using malware, phishing or data breaches to steal credentials and then manually logging into online banking and using the online banking application as a human would to execute transactions.

  • Detection based on individual account holder behavior. In this approach a unique baseline of behavior is established for each account holder and suspicious activities are surfaced when online behavior is unexpected for that particular account holder. Because what is unusual for one account holder may be normal for another, behavior-based anomaly detection at the individual level ensures institutions are only alerted when something is actually suspicious for that individual.

Which Technique is Best?
The FFIEC points out that the fraud incidents they reviewed would have been stopped if the transfers were compared to the customer’s established patterns of behavior. This points to a focus on individual behavior.

Additionally, in a federal court judgment on a case regarding liability for commercial account takeover and fraud, the judge cited that the bank did not act in good faith when executing over $1 million in wire transfers because the amounts, timing and destination of the wires were all significantly different from the customer’s normal banking activity, again suggesting that an individual behavior monitoring approach is preferable.

The most effective anomaly detection approach focuses on individual account holder behavior. Different users quite naturally have different banking behavior. Behavior-based anomaly detection solutions develop a model of each account holder’s behavior, and then compare every activity in every session, from login to logout, to historical patterns for that user. This avoids having to develop and maintain rules and decreases the number of false positives.

In addition, because behavior-based anomaly detection focuses on account holder activity instead of looking for a particular type of attack or malware, it can detect newly emerging threats immediately, without having to wait for the particulars of the new scheme to be documented.



Examples of what behavior-based anomaly detection monitors include the following (also see the figure above for additional examples):

  • Access to online banking from an unusual location or at an usual time of day

  • Use of online banking features not typically used

  • Use of online banking features in an unexpected or unusual sequence

  • Changes to personal information such as the phone number used for OOB authentication

  • Types and amounts of transactions

  • New payees

  • New approvers or changed approval limits

Knowing your customers’ behaviors can greatly reduce fraud and respond to threats more readily.

<back to June 2013 Technology & Security Digest>

Tiffany Riley is vice president of marketing for Guardian Analytics ( She can be reached at