LendingIQ logo

Use case #0002

Network Graph Analysis: How Fraud AI Links Connected Fraud Rings

Organised fraud rings do not operate as isolated individuals. They share phone numbers, addresses, devices, bank accounts, and IP addresses across dozens of applications submitted to the same or multiple lenders. Each application looks legitimate in isolation. The network graph makes the connections visible — and what looks like a creditworthy borrower on a single-application view becomes the obvious centrepiece of a coordinated fraud ring on a graph view.

Organised fraud rings do not operate as isolated individuals. They share phone numbers, addresses, devices, bank accounts, and IP addresses across dozens of applications submitted to the same or multiple lenders. Each application looks legitimate in isolation. The network graph makes the connections visible — and what looks like a creditworthy borrower on a single-application view becomes the obvious centrepiece of a coordinated fraud ring on a graph view.

Why Traditional Fraud Models Miss Organised Rings

Conventional fraud detection evaluates each application independently — checking the applicant's bureau, their income, their address, their identity documents. This is adequate for opportunistic fraud: the individual who submits false income documentation or takes a loan they cannot repay. It fails completely against organised fraud rings, whose defining characteristic is that the individual application is carefully constructed to pass exactly these checks.

A synthetic identity — a fraud persona built by combining genuine identity documents from multiple real people with fabricated or stolen credentials — may have a plausible credit bureau history seeded by small legitimate loans. It may have a genuine bank account with manufactured transaction history. It may have a real-looking employer reference. None of these are detectable by single-application analysis. What is detectable — only on a graph — is that the phone number linked to this application also appears on seven other applications submitted to this lender in the last 90 days. That the IP address last used to log in matches the IP address of four other applications. That the bank account shows identical transaction patterns to two other applicants whose loans are already in default.

The Fraud Risk AI builds and continuously updates an entity relationship graph — a live map of every shared attribute across every application in the system — and uses graph analytics to detect clusters of connected entities that share the structural signature of coordinated fraud.

"A fraud ring is a graph problem. Every member looks clean in isolation. Only the graph reveals that they are all connected to the same address, the same device, and the same empty bank account."

The Network Graph: Live Visualisation of Connected Entities

Fraud Ring Network Graph — Ring #FR-2025-0441
11 Connected Entities · ₹48.2L Exposure · Detected Nov 12, 2025
SHARED NODE 26 Dev Society Andheri East ADDRESS APP-4821 ₹6.8L APP-4788 ₹4.2L APP-4804 ₹5.1L APP-4819 ₹3.9L PHONE 98XX-4421 DEVICE IMEI-8821 BANK ACC SBI-4441 APP-4831 ₹7.4L EMAIL shared All nodes share ≥2 attributes with central address node
Fraud application node
Shared attribute node
— Solid: strong link   - - Dashed: secondary link
11 connected entities · ₹48.2L total exposure

The 6 Entity Attributes That Build the Graph

The fraud network graph is built from six categories of shared attributes. Every application submitted is checked against every attribute in the graph database — not just the attributes of other applications to the same institution, but across the fraud intelligence consortium of lenders sharing the Fraud Risk AI's network graph. A fraudster who submitted applications to three other lenders last month is identifiable the moment they submit to a fourth, even if they changed their name and address.

Shared Attribute Graph Connection Type Examples in Ring #FR-2025-0441 Link Strength Physical address Hard link — same building / flat number 7 of 11 applications share "26 Dev Society, Andheri East" — different flats, same building Critical Mobile phone number Hard link — same number across multiple identities 98XX-4421 appears in 4 applications as "alternate contact" or "guarantor" number Critical Device fingerprint (IMEI) Hard link — same device used for different identity submissions IMEI-8821 used for 3 different PAN-linked applications from different "applicants" Critical Bank account number Hard link — disbursement account shared or pattern-matched SBI-4441 listed as disbursement account for 2 applications with different PANs Critical IP address / subnet Soft link — same IP or same /24 subnet 6 applications from same /24 subnet in Andheri East over 11 days Strong Email domain pattern Soft link — identical email format across applications firstname.lastname@gmail + 4-digit number — same pattern across 5 applicant emails Strong

From Graph Detection to Coordinated Response

When the Fraud Risk AI identifies a ring — a cluster of 3 or more applications connected by 2 or more hard-link attributes — it does not simply flag the newest application. It reviews the entire cluster and assigns a ring fraud score to every member, including applications already disbursed, applications in pipeline, and applications pending disbursement.

The coordinated response has three components. For applications pending disbursement: immediate hold, pending ring fraud investigation. For applications in pipeline: review queue with ring membership evidence provided to the fraud team. For already-disbursed accounts: flagged for enhanced collection and legal review, with documentation preserved for potential law enforcement referral and insurance claim.

Critically, the ring detection triggers an alert to other lenders in the fraud intelligence consortium — not the individual application data, but the shared attributes (phone numbers, devices, addresses) that can be used to block the same ring from succeeding elsewhere. This consortium intelligence model is the reason that catching a fraud ring at one lender prevents it from simply moving to the next.

11Entities connected in detected ring — 9 applications + 2 shared attribute nodes
₹48.2LTotal exposure across ring — prevented from disbursement by graph detection
6Shared attribute categories used to build the fraud ring graph
ConsortiumRing detection shared with consortium lenders — blocking cross-lender fraud

The Fraud Ring That Is Invisible on a Single Application Is Unmistakable on a Graph

Organised fraud ring detection is a problem that individual-application analysis cannot solve — not because the data is insufficient, but because the pattern only emerges at the population level. The Fraud Risk AI's graph model is the only analytical framework that can see what experienced human fraud investigators have always known: fraud rings reveal themselves through their connections, not their individual applications. The graph makes those connections machine-readable, searchable, and detectable in seconds rather than weeks.

← Back to Fraud Risk Agent AI