Detecting Fraud Rings
3 min read
A fraud ring is a small group of accounts — usually 3–10 — operated by the same person or team using slight email variations to multiply discounts, distribute refund risk, or coordinate chargebacks. They’re harder to spot than individual abusers because each account looks moderately suspicious in isolation but the network reveals coordinated activity. This walkthrough shows how to use TrustLens’s Linked Accounts module to surface rings, investigate them, and block them as units.
How Rings Operate #
Common patterns:
- Welcome-discount harvesting: Each account places one order using a first-order coupon, then disappears
- Refund distribution: Each account refunds at a moderate rate, but together the ring refunds a lot of inventory
- Chargeback coordination: Accounts share methods of payment and produce coordinated dispute filings
- Block evasion: When one account is blocked, the operator falls back to another already in the ring
The connecting tissue is what TrustLens detects: shared shipping address, shared IP, shared payment method, shared device fingerprint, shared phone number.
Step 1: Surface Existing Rings #
The Linked Accounts module has been running since activation. To find established rings:
- Open TrustLens → Customers
- Filter to Linked accounts count >= 3
- Sort by trust score ascending
Customers at the top are likely ring members — multiple linked accounts plus low trust score is the signature.
Step 2: Investigate a Suspected Ring #
- Click one suspected customer’s profile
- Open the Linked Accounts panel
- For each linked account, click through to their profile
- Note shared characteristics:
- Similar email patterns (john+1@, john+2@, johnny@, j.smith@)
- Same shipping address
- Same phone number
- Same payment method fingerprint
- Coordinated order timing
- Coordinated coupon usage
A confirmed ring usually shows links via multiple fingerprint types — address AND phone AND payment, not just IP-only.
Step 3: Confirm It’s a Ring (Not a Household) #
Households produce similar signal patterns but are legitimate. Distinguishing:
| Signal | Ring | Household |
|---|---|---|
| Email patterns | Slight variations (typos, +numbers) | Distinct names |
| Coupon usage | Each used new-customer coupon | Maybe one used welcome code; others didn’t |
| Order timing | Often coordinated bursts | Independent timing |
| Order content | Similar items repeated | Different items per person |
| Refund behavior | Each refunds at moderate rate | Mixed — some refund, some don’t |
| Phone numbers | Same number across all | Usually distinct numbers |
When in doubt, ring vs household is usually obvious from email patterns alone. If you see [email protected] and [email protected] sharing an address, that’s almost certainly a household. If you see [email protected] and [email protected], it’s almost certainly a ring.
Step 4: Take Action on the Ring #
For a confirmed ring:
- Open the Customers list
- Use the bulk-select feature to select every confirmed ring member
- Bulk Action: Block
- Add admin notes to each documenting the ring members
- If on Pro, generate Dispute Evidence Reports for any existing or future disputes
Blocking the entire ring as a unit prevents the operator from falling back to another known account.
Step 5: Automate Ring Detection (Pro) #
Build an automation rule that fires when a new linked-account detection meets ring criteria:
- Trigger: Linked Accounts Detected
- Conditions:
customer.linked_accounts_count >= 3AND any linked account is in segment Risk or Critical - Actions: Tag customer “fraud_ring_candidate”; send Slack alert with link to the ring profiles
The tag lets you batch-review ring candidates without immediately blocking — sometimes manual confirmation is the right next step.
Step 6: Handle Block Evasion #
After blocking a ring, the operator may create new accounts. TrustLens catches this when:
- The new account shares fingerprints with the blocked accounts (auto-detected by Linked Accounts module)
- The new account triggers Card-Testing signals (if the payment method is reused)
- The new account uses a new-customer coupon and is linked to existing ring members
The new account’s trust score will start low because of the “linked to high-risk account” signal (-25). With Pro’s auto-block automation on segment changes, the new account is blocked automatically on its first order.
Step 7: Build a Ring Audit Routine #
Monthly:
- Open the Dashboard
- Look at the Linked Accounts module stat — how many fraud rings detected?
- Drill into new rings since last review
- Confirm or dismiss each
- Block confirmed rings; allowlist households
Step 8: Use the Dispute Evidence Report #
If a blocked ring member files a chargeback later, the Dispute Evidence Report (Pro) is decisive:
- Trust score and signals show the behavioral pattern
- Linked Accounts section shows the ring
- Event timeline shows the coordinated activity
Submit this with your dispute response. Adjudicators are increasingly receptive to behavioral-pattern evidence, especially for friendly-fraud claims.
What to Expect #
- First-month surfacing: 1–5 confirmed rings on a typical store, more on stores with heavy coupon promotion
- Ongoing detection of 1–3 new rings per month
- Some false positives initially (households mistaken for rings) — allowlist as discovered
- Block-evasion attempts in the first few weeks after blocking
Metrics to Track #
- Confirmed fraud rings per month
- Ring member count distribution
- Time between ring detection and first block
- Block-evasion attempts caught (Card-Testing or Linked Accounts re-detection)
Common Pitfalls #
- Confusing households with rings: Use the table above to distinguish before blocking
- Single-link false positives: A customer linked to only one other isn’t necessarily a ring — usually a household or shared device
- IP-only links: Mobile carrier NAT can produce IP-only links with no real shared identity. Don’t act on IP-only without a corroborating signal.
- Acting too fast: Investigate before bulk-blocking. A wrongly-blocked household is more expensive than a one-week-delayed ring block.
