How to investigate connections in SEON

Updated on 09.04.26

Overview

Effective fraud prevention requires more than just blocking individual suspicious transactions. To truly protect your business, you need to understand the hidden connections between users and uncover coordinated fraud rings.

SEON provides a complete suite of network analysis tools designed to help you investigate these connections. Depending on your workflow, you can take two distinct paths: a proactive approach to hunt for undetected fraud groups, or a reactive approach to expand an investigation starting from a single suspicious transaction. This guide will show you how to leverage SEON's capabilities for both strategies to dismantle entire fraud networks.

 

The proactive approach: Discovering unknown threats

Investigating known threats is only half the battle. The most dangerous fraud is often a coordinated activity that you don't even know to look for. If you want to take a proactive approach to uncover these many-to-many connections, SEON offers specialized tools to automatically detect hidden groups before they cause significant damage.

 

Network detection

Network detection is a proactive tool that continuously analyzes your transaction data to automatically identify hidden relationships among users. It groups these users into networks, revealing suspicious groups that might otherwise go unnoticed. This allows you to move from a reactive to a proactive stance, identifying emerging threats and mitigating risk early.

Each detected network is assigned a Strength score that indicates the likelihood of coordinated activity based on the connectivity and fraud-relevance of shared data points:

  • High: Members are highly connected by important fraud data fields, suggesting a strong likelihood of coordinated activity.
  • Medium: Members are connected by a combination of important but less critical data points. These networks warrant investigation.
  • Low: Connections are based on lower-weighted data points in a less tight network. This may indicate suspicious activity but could also be coincidental.

After investigating a network, analysts can update its status to manage the workflow (Open, Closed, False alert, Reopened). If analysts suspect the network’s activity is likely to continue, they can enable ongoing monitoring. Network detection will continue tracking the group and send notifications when new customers are added, allowing for continuous oversight.

 

The reactive approach: Investigating a single transaction

Fraud investigations often start reactively with a single suspicious transaction or user alert. From there, you need to expand your investigation outward to understand the full scope of the threat. If you want to investigate a single transaction and find its one-to-one or one-to-many connections, SEON provides several powerful tools to dig deeper.

 

Graph

As you uncover connections from a single transaction, it can be difficult to keep track of them all. The Graph helps you visualize these relationships in an intuitive way. With the graph, you can easily uncover relationships between the customer you are investigating and others, as well as see exactly which data points they share.

Each node in the graph is color-coded to help you quickly interpret the type of relationship:

  • Blue: Connected customers
  • Gray: Connected data fields
  • Red: Values that appear on a blacklist
  • Green: Values that appear on a whitelist

 

Similarity ranking

Similarity ranking takes the manual work out of expanding your search. It automatically surfaces the customer profiles most closely related to the single transaction you’re investigating. Instead of manually checking data points, it highlights the strongest connections first, showing key identifiers (such as emails or usernames) and the number of shared values.

Surfaced connections are ranked by matching and similar data points, each receiving a label that indicates their closeness to the investigated customer:

  • IDENTICAL
  • HIGHLY SIMILAR
  • ASSOCIATED

 

Data explorer

The Data explorer is the ideal starting point for manual, targeted investigation. It allows you to select a customer from a transaction and see who else shares specific data points, such as a device hash, email address, or IP address. This is highly useful when you have a specific lead from a single alert and want to quickly see who is directly connected to it.

 

A complete investigation workflow example

Let’s walk through a step-by-step example of how to investigate connections using these tools together, blending both proactive discovery and reactive deep-dives.

Scenario: Your team conducts a daily review of newly detected networks to uncover hidden multi-accounting abuse.

  1. Start proactively with Network detection
    Head to the Monitoring page, then open the Network detection tab to review recently detected networks. Click into a network with a High strength score where only 40% of transactions have been declined.
  2. Identify key signals
    Based on network characteristics, you can identify a suspicious email naming pattern and a specific device (indicated by the True Device ID) that correlates across multiple customers and their transactions.
  3. Expand the search
    Select one of the suspicious customers from the group and run Similarity ranking on their Customer details page. This automatically surfaces dozens of other highly similar profiles sharing the same True Device ID but slightly different email addresses, even outside the first detected network.
  4. Verify with Data explorer
    To manually verify specific data fields, you can use the Data explorer to check whether the True Device ID is shared across other customers not yet in the group.
  5. Search the full database
    To ensure you have caught everyone, use Clone search to query your entire customer base for the group that was identified with the shared True Device ID. The search returns a massive group of linked accounts that extends far beyond the initial network.
  6. Visualize the wider ring
    Open the Graph to visualize the connections around key users. The graph visually confirms that this is a massive, coordinated fraud ring — expanding the view from the initial 5 accounts to over 100 connected identities.
  7. Take action
    Now that you have exposed the full scope of the fraud ring, you can take decisive action. Block the connected accounts, blacklist the shared True Device ID and create a new rule based on the discovered patterns.
  8. Enable monitoring
    Finally, return to the Network detection page, set the network status to Closed and enable monitoring. This keeps your queue clean, and you will receive a notification if the activity resumes in a slightly different form that Network detection captures.
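
The link analysis behind steps 2 to 5, sketched as an added example (this is not SEON's code or algorithm): customers who share data-point values are grouped into networks and then ranked against a seed customer. The field names, weights and records are constructed assumptions; the IP-only link shows why a weakly connected member may be coincidental.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample records (not real data): customer -> observed data points.
RECORDS = {
    "cust_a": {"device_id": "dev-1", "ip": "203.0.113.7", "email": "jsmith01@example.com"},
    "cust_b": {"device_id": "dev-1", "ip": "203.0.113.7", "email": "jsmith02@example.com"},
    "cust_c": {"device_id": "dev-1", "ip": "198.51.100.4", "email": "jsmith03@example.com"},
    "cust_d": {"device_id": "dev-9", "ip": "198.51.100.4", "email": "maria@example.org"},
    "cust_e": {"device_id": "dev-5", "ip": "192.0.2.55", "email": "lee@example.net"},
}
# Hypothetical weights: a shared device links accounts more strongly than a shared IP.
WEIGHTS = {"device_id": 3, "email": 3, "ip": 1}

def shared_fields(a, b, records=RECORDS):
    """Fields on which two customers hold the same non-empty value."""
    return sorted(f for f in WEIGHTS
                  if records[a].get(f) and records[a].get(f) == records[b].get(f))

def link_weight(a, b, records=RECORDS):
    return sum(WEIGHTS[f] for f in shared_fields(a, b, records))

def networks(records=RECORDS, min_weight=1):
    """Connected components (union-find) over links of at least min_weight."""
    parent = {c: c for c in records}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x
    # Pairwise comparison is fine for a sample; index by value for real volumes.
    for a, b in combinations(records, 2):
        if link_weight(a, b, records) >= min_weight:
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for c in records:
        groups[find(c)].add(c)
    return sorted((sorted(g) for g in groups.values() if len(g) > 1),
                  key=len, reverse=True)

def rank_similar(seed, records=RECORDS):
    """Other customers ordered by weighted shared data points with the seed."""
    scored = [(link_weight(seed, c, records), c, shared_fields(seed, c, records))
              for c in records if c != seed]
    return sorted((s for s in scored if s[0] > 0), key=lambda s: (-s[0], s[1]))

if __name__ == "__main__":
    print(networks())              # every link counts, including IP-only
    print(networks(min_weight=3))  # only strong links (device or email)
    for score, cust, fields in rank_similar("cust_a"):
        print(cust, score, fields)
```

Raising `min_weight` drops `cust_d`, whose only tie to the group is one shared IP address.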

With the right tools, investigating connections becomes faster, more efficient and more effective. Whether you are taking a proactive approach to discover unknown fraud groups or a reactive approach to expand an investigation from a single transaction, SEON provides a complete toolkit for network analysis.

 

FAQ

What is the difference between Network detection and Clone search?
Network detection is a proactive, automated tool that continuously finds fraud groups in the background. Clone search is a manual tool that lets you search your entire database for specific shared data points, starting from an identified customer list to find linked accounts.

How does Similarity ranking work?
Similarity ranking uses a graph-based algorithm to measure the "closeness" between users. It analyzes the number and type of shared data points to determine how strongly two users are connected.

Can I use these tools for AML and compliance?
Yes, investigating connections is highly effective for identifying money laundering rings and other coordinated financial crimes. The same principles of uncovering hidden networks apply.