ATOVis—a Visualization Tool for the Detection of Financial Fraud

Fraud detection is related to the suppression of possible financial losses for institutions and their clients. It is a task of high responsibility and, therefore, an important phase of the decision-making chain. Nowadays, experts in charge base their analysis on tabular data, usually presented in spreadsheets and seldom supplemented with simple visualizations. However, this type of inspection is laborious, time-consuming, and may be of little use for the analysis and overview of complex transactional data. To aid in the inspection of fraudulent activities, we develop ATOVis—a visualization tool that enables a fast analysis and detection of suspicious behaviours. We aim to ease and accelerate fraud detection by providing an overview of specific patterns within the data, and enabling details on demand. ATOVis focuses on applying visualization techniques to the Finance domain, specifically e-commerce, contributing to the state-of-the-art as the first visualization tool primarily specialised in Account Takeover (ATO) patterns. In particular, the present paper incorporates: a task abstraction for detecting of a specific financial fraud pattern—ATO; two models for the visualization of ATO; and a multiscale timeline to enable an overview of the data. We also validate our tool through user testing, with experts in fraud detection and experts from other fields of data science. Based on the feedback provided by the analysts, we could conclude that ATOVis is an efficient and effective tool in detecting specific patterns of fraud which can improve the analysts’ work.


The tool


Figure 1

ATOVis is composed of three different areas: a Timeline Area (A); an area for the ATO visualization (B); and a Details Area (C).


In summary, the visualization model was defined by knowing that, when dealing with ATO, the analysts focus their attention on the changes in the transaction’s attributes. Consequently, we focus our visualization model on the representation of such changes and their periodicity. ATOVis is a functional application implemented in Java and using Processing, an open-source graphical library, to render the visualization. A video was recorded to exemplify the interaction with the application: In supplementary files.

We defined three different areas in response to the design requirements: the Timeline Area, the Main View, and the Details Area. Through our workshops with the analysts, and following Dilla and Raschke, we can refer that the process of discovering fraud usually involves detecting unusual patterns, drilling-down into the data, and selecting individual items for further analysis. A similar guideline was proposed by Shneiderman. For this reason, after selecting the time period of interest from the Timeline Area, the analyst can visualise the filtered data and analyse with more detail the user behaviours in the Main View. If any transaction(s) arouse suspicion, the analyst can further drill-down and visualise, in the Details Area: (i) some statistics on the selected transaction(s); and, (ii) their attributes placed in a tabular fashion.

All components of ATOVis have design requirements in common. For example, in both Timeline Area and Main View, the transactions must use similar representations, so the visualization is coherent. Additionally, to better highlight important attributes, the use of colour to encode data must be as reduced as possible. As the detection of fraud is the primary goal, we apply the red colour to highlight the transactions annotated as fraudulent.


Usage Scenario


Figure 2

Visualization of a certain client. This client performs a set of fraudulent transactions that occur mainly during December. By analysing the details of the clustered transactions, it is possible to see 10 fraudulent transactions in the same day.


In this usage scenario, the transactions occur between December 2016 and February 2017. However, the majority of the transactions occur in December. By looking at the second timeline, we can see that nearer the end of the year, the user makes 16 transactions, which is considered to be a high number of transactions for a short period of time. Also, we can see that the user has not a typical and periodic behaviour due to the reduced number of clusters. There is only one small cluster in the beginning which comprises four transactions.
In the Main View, we can see that the user makes a reduced number of attribute changes, being the card and IP the attributes that change the most. By hovering the day with more changes in the card attribute (i.e., with a bigger circle), we can see in the Details Area that, on the same day, the user used three distinct cards. By analysing that day, in which there are transactions with and without changes, we can see a total of 10 transactions, all considered as fraud (Fig. 11). When accessing the table through the Details Area, the transactions have three different amounts, indicating the attempt to buy three different objects. Also, each object was bought at least three times, with different cards. This may represent a more manual attempt to improperly use one user’s account to test different cards and determine which one could be used to commit fraud.




Through the collaboration with fraud analysts, were able to do the task abstraction for ATO patterns and define the design requirements which led to the definition of what data to use and which visual encodings to apply in ATOVis. We also could derive the main pattern to look for in ATO, which is the consecutive change in the transactions’ attributes. By focusing on the visual highlight of such behaviours, we could emphasise ATO patterns and ease their detection. This decision was well received by the analysts and even referred to as an important aid for their line of work and decision making. Such visual distinction was seen as an improvement to their current tools, spreadsheets, as it enables the overview of all related transactions in a single place.

Based on user tests with two distinct groups (experts and non-experts in fraud detection), we can argue that, with ATOVis, both less and more knowledgeable participants can be equally accurate while performing judgement tasks, which contradicts studies such as Cardinaels. The most experienced could drill down faster in specific scenarios (e.g., discovering fraudulent patterns), while the less experienced reasoned more slowly about the transactions but could arrive at similar conclusions. Independently of the expertise, most participants referred to multiple changes in the IP attribute as a user shopping in various places, discarding fraud.

The tasks defined for the user tests enabled us to assess the interpretability of the visualization design. We could attest how easily the participants understood the model and the transactional behaviours in a short time. As such, we can confirm the usefulness of ATOVis in the rapid perception of data, allowing the quick identification of fraud. The interaction in the user tests also allowed us to confirm the usefulness and intuitiveness of the tool’s components. The analysts had no difficulty interacting with the tool and used all functionalities during their exploration to drill down suspicious transactions and detect fraudulent activities.


  • C. Maçãs, E. Polisciuc, and P. Machado, “ATOVis – A visualisation tool for the detection of financial fraud,” Information Visualization, p. 14738716221098074, 2022.