AWS Machine Learning Blog

Event-based fraud detection with direct customer calls using HAQM Connect

Several recent surveys show that more than 80% of consumers prefer spending with a credit card over cash. Thanks to advances in AI and machine learning (ML), credit card fraud can be detected quickly, which makes credit cards one of the safest and easiest payment methods to use. The challenge with cards, however, is that in some countries when fraud is suspected the credit card is blocked immediately, which leaves the cardholder without a reason as to why, how, or when. Depending on the situation, it can take anywhere from a few hours to days until the customer is notified and even longer to resolve.

With HAQM Connect, a cardholder can be notified immediately of a suspected card fraud and interactively verify if the suspected transactions were indeed fraudulent over the phone. HAQM Connect enables an event-based reaction, which allows you to contact the cardholder directly via phone without the need for an agent-in-the-loop. This makes for a cost-effective and frictionless cardholder experience.

This post shows you how to build, train, and deploy a fraud detection model and rules using HAQM Fraud Detector and integrate predictions with HAQM Connect in order to connect with customers in real time. HAQM Fraud Detector is a fully managed service that uses ML and more than 20 years of fraud detection expertise from HAQM to identify potentially fraudulent activity so you can catch online fraud faster and more frequently. HAQM Connect is an omnichannel cloud contact center that helps you provide superior customer service at a lower cost.

Solution overview

In this post, we use the following services:

  • AWS CloudFormation sets up the resources for our contact flow.
  • HAQM Connect is your contact center in the cloud. It allows you to set up contact centers and contact flows. We use a template that you can upload that helps you create your first contact flow.
  • HAQM DynamoDB is the NoSQL data storage used to store your customer data. You can exchange it in your existing cloud infrastructure for instance with HAQM Aurora
  • HAQM Fraud Detector is the AI/ML service that lets you build, train, and deploy your ML models. We provide all the data and code for you in this artifact.
  • AWS Lambda handles the event-driven request coming from a transaction and the connection between HAQM Connect and your DynamoDB table.

The following diagram illustrates our serverless architecture.

Whenever a transaction is made, you can send the metadata of that transaction to a Lambda function (Step 1). This function invokes your HAQM Fraud Detector model and predicts whether this transaction is fraudulent. If it is, the function looks up customer data from the DynamoDB table (2), sends these attributes to HAQM Connect, and calls the customer (3) whose credit card is affected. When the customer picks up the phone (4), they can interact with HAQM Connect and learn more about what happened. The customer can then decide whether it was fraud. If it was, another Lambda function is invoked through HAQM Connect (5) and blocks the corresponding credit card by setting a flag in the DynamoDB table (6).

Prerequisites

For this walkthrough, you should have the following prerequisites:

Set up HAQM Connect and the associated contact flow

In this section, we walk through setting up HAQM Connect and our contact flow. We also discuss the contact flow in more detail.

Create an HAQM Connect instance

The first step is to create an HAQM Connect instance. For the rest of the setup, we use the default values, but don’t forget to create an administrator login.

Instance creation can take 1-2 minutes, after which we log in to the HAQM Connect instance using the admin account created previously. We’re now ready to create our flow and claim a number to attach to the flow.

Set up the contact flow

For this post, we have a predefined contact flow template that we can import from our GitHub repo.

  1. In the repo, select the file contact-flow/credit-card-fraud and choose Import.

For detailed import instructions, see Import/export contact flows.

  1. Under the name of the contact flow, choose Show additional flow information.

Here you can find the ARN of the contact flow.

  1. Note the following information from the ARN to use in a later step: the contact flow ID and contact center instance ID.

Claim your phone number

For instructions on claiming a number, see Step 3: Claim a phone number. Make sure to choose the previously imported contact flow while claiming the number. If no numbers are available in the country of your choice, raise a support ticket.

Understanding the contact flow

The following diagram shows our contact flow.

The contact flow does the following:

  • Enables logging
  • Sets the output voice to HAQM Kendra
  • Gets customer input using DTMF (only keys 1 and 2 are valid)
  • Based on the user’s input, the flow takes the following action:
    • Prompts a goodbye message stating no action will be taken and exits
    • Prompts a goodbye message stating an action will be taken, invokes a Lambda function to log the credit card in your DynamoDB table, and exits
    • Fails with a fallback block stating that the machine will be shut down and exits

You can also enhance your system with an HAQM Lex bot.

Create the CloudFormation stack

We use a CloudFormation stack to set up our resources.

  1. Choose Launch Stack:

  1. In the Parameters section, provide the following information:
    1. The fraud detector entity name
    2. The event name of this detector
    3. The name of your fraud detector
    4. A name for your DynamoDB table, such as customer-table-fraud-detection
    5. The IDs of your HAQM Connect instance and your contact flow (which you noted when you set up the contact flow)
    6. The S3 bucket name you want to use (the word “sagemaker” needs to be present)
    7. The number you claimed in HAQM Connect
  2. Choose Next.

  1. Acknowledge the creation of new AWS Identity and Access Management (IAM) resources and choose Create stack.

After the stack is deployed, you can find your AWS Lambda function, HAQM DynamoDB table, and an up-and-running HAQM SageMaker notebook called event-based-fraud-detection.

Build, train, and deploy the HAQM Fraud Detector model

In this section, we build, train, and deploy the HAQM Fraud Detector model using an example Jupyter notebook. You can build your model on the HAQM SageMaker console. For programmatic deployment, access the HAQM SageMaker notebook instance you created by choosing Open Juypter.

The instance contains a clone of the GitHub repository. It contains the example Jupyter notebook and example dataset. A config JSON was also created for you. To view these items, navigate into event-based-amazon-fraud-detector/fraud-detector-example.

Open the Fraud_Detector_End_to_End_Blog_Post.ipynb notebook to get started. For more examples on HAQM Fraud Detector, see the GitHub repository.

The notebook walks you through building and training the model. It also contains a lot of explanations and additional code that helps you deploy your first fraud detector.

Model metrics

This example also contains functionality to see and analyze the training metrics of your model. You can view these metrics interactively on the HAQM Fraud Detector console. On the Models page of the HAQM Fraud Detector console, choose the model that was trained. From there you can see several versions, if applicable, that were trained. Choose a version (for this post, version 1.0). The Model performance section contains an interactive graph similar to the following screenshot.

You can change thresholds to see how the confusion matrix changes. Furthermore, you can look at the ROC curve in the Advanced metrics section.

You’re model is now ready to be called on demand, for example from a website.

Add a customer record to your DynamoDB table

To add a record to your DynamoDB table, complete the following steps after the ML model is deployed:

  1. On the HAQM DynamoDB console, choose the table you created with the AWS CloudFormation template (for this post, thefraudtable).

  1. Choose Create item.

A new window appears that displays an example JSON string.

  1. Enter the JSON file example-customer.json provided in the examples folder of the downloaded GitHub repository.
    1. Change the fields last_name, first_name, phone_number, and salutation).
    2. Leave the customer­_id field as is. We use this ID when we test our whole architecture.
  2. Choose Create item.

Your first customer record is saved in the HAQM DynamoDB table.

Test your event-based architecture

To test the solution, complete the following steps:

  1. On the AWS Lambda console, choose the function fraud-detection.

We add a test event to this function, which is also part of the cloned GitHub repository and can be found in examples/lambda-test-event.json. In this test event, you find four different keys:

  • customer – The customer ID you gave your contact in the HAQM DynamoDB table. If you followed our guidance and didn’t change the ID when creating a customer in HAQM DynamoDB, you can leave this number as is.
  • card_number – Any number (this number is passed into HAQM Connect and the last four digits are read to the customer).
  • amount – A sample dollar amount that the customer hears when they are called.
  • payload – The metadata generated during the transaction. We use this to predict whether the transaction was fraud (for this test, it’s a fraudulent case to demonstrate that the fraud detector is working).

After you test the original payload, you can change numbers and see what prediction HAQM Fraud Detector makes based on new input.

  1. Choose Test.
  2. For Event name, enter a name.
  3. Enter the JSON example code.
  4. Choose Create.

  1. Choose Test

The Lambda function starts running, and you should get a phone call to the phone number you have placed in your HAQM DynamoDB table. If you choose to block your credit card during the call, your HAQM DynamoDB customer entry changes the field is_blocked from false to true.

Clean up

To avoid incurring future charges, delete the resources you created:

  • HAQM Fraud Detector model, events, entities, and detector
  • AWS CloudFormation stack
  • HAQM S3 bucket created by the build.sh script

Conclusion

Congratulations! You just developed your first event-driven fraud detection architecture. We deployed a complete serverless architecture in which we integrated HAQM Fraud Detector with HAQM Connect to connect with customers in real time if credit card fraud is detected. You can putting the AWS Lambda function fraud-detection behind an HAQM API Gateway and call it directly from your website. Or integrate the architecture into your existing transaction chain and call the AWS Lambda function any time a new transaction is made.

The advantage of this event-driven architecture is that the building blocks are completely exchangeable. For example, instead of predicting fraud, you might want to classify images on your shop floor. To do so, you could use HAQM Lookout for Vision as your backend ML model. An example for this can be found here. The opportunities are almost limitless. So, get started today!

About the Author

Michael Wallner is a Global Data Scientist with AWS Professional Services and is passionate about enabling customers on their AI/ML journey in the cloud to become AWSome. Besides having a deep interest in HAQM Connect, he likes sports and enjoys cooking.