7 Ways you can use Mixpanel to track fraud activity

While Mixpanel is widely recognized for its strengths in tracking user engagement, conversion funnels, and product adoption, the capabilities extend to a crucial yet often underutilized area: fraud detection. 

That said, understanding the characteristics of fraudulent behavior is the first step in effectively leveraging Mixpanel's powerful analytics to combat it. As you explore the various use cases and examples below, you may notice some crossover between them, which is a testament to the interconnected nature of detecting fraud.

"Leveraging Mixpanel for fraud detection is not just about preventing financial loss; it's about reducing organizational risk and focusing on abuse cases where your product is being used in unintended ways. Our integrated approach empowers teams to maintain a secure and trustworthy platform for all users."

"The closest way to do this is if you have an idea about what fraudulent behavior looks like (e.g., a certain threshold of events per user or number of pages per user or something like that), you can create cohorts and/or alerts around those." 

This emphasizes the importance of having a clear definition of what constitutes fraud for your business. Once you have this understanding, Mixpanel provides the tools to identify, monitor, and even prevent such activities.

Mixpanel offers a multifaceted approach to tracking fraud, combining event tracking, session replay, cohort analysis, and integrations to provide comprehensive visibility into suspicious activities. 

Echoing Peter’s comments above, Principal Customer Success Architect Kurby Chua agrees:

“You need to know or define what fraud is, and tracking or detection might be better with events augmented with session replay as visual proof.”

Here are some of the ways you can spot fraud from your analytics in Mixpanel.

"Friendly fraud" chargebacks can be a significant drain on resources. Mixpanel Session Replay offers a direct visual defense. By finding a user's session at the time of purchase and watching the replay of their actions, you can gather direct visual proof to dispute chargebacks. This allows you to see exactly what the user did, providing irrefutable evidence against false claims.

When fraud alerts are triggered, the next crucial step is understanding the nature of the suspicious behavior. By watching session replays for users who trigger fraud alerts (e.g., multiple failed payments), you can visually confirm whether the behavior originates from a bot, a genuine fraudster, or a legitimate user encountering UI difficulties. This context is invaluable for making informed decisions and responding appropriately.

Beyond individual sessions, Mixpanel can help you spot broader suspicious patterns. By using Event Tracking for key actions and creating Funnels for important user flows like checkout, you can automatically detect unusual drop-offs or sequences of actions. Watching replays of these drop-offs can provide further insights into why users are abandoning a flow in an unexpected manner.

Fraudsters often use automated scripts or unusual setups. You can leverage Cohort Analysis to group users by default properties such as $browser or $screen_width. By looking for correlations between non-standard or unusual display settings and fraudulent activity, you can identify patterns that might indicate automated or illicit behavior.

While requiring some manual implementation, capturing a user's IP address on your server and sending it to Mixpanel as a custom property (e.g., "user_ip") can be highly effective. You can then segment your reports by this property to find high-volume activity originating from a single IP address, which could indicate botnets or other concentrated fraudulent efforts.

For more advanced fraud detection, you can integrate Mixpanel data with your data warehouse using Warehouse Connectors. Once in your data warehouse, you can build machine learning models to generate a "fraud score" for users and then import this score back into Mixpanel as a custom user property. This allows for sophisticated segmentation and proactive identification of high-risk users.

Mixpanel's Webhooks and APIs enable you to trigger actions in your other systems based on user behavior detected within Mixpanel. For instance, if a suspicious order is identified, you can automatically place it on hold for manual review, preventing potential losses.

Mixpanel customers have successfully leveraged these capabilities to detect and mitigate various forms of fraud.

Social media monitoring platform Buffer recently shared how they set up alerts in Mixpanel to identify fraudulent spikes in sign-up behavior, such as bots creating numerous accounts or performing "card stuffing."

“It’s very helpful to quickly spin up alerts when we see discrepancies in a small number of users posting significantly more frequently than even the 99th percentile of users.”

Traffic alerts are another key area they focus on, such as changes in SEO performance being captured. These alerts proved crucial in catching issues early and investigating discrepancies in expected data patterns.

A leading resource for comprehensive data, research, and insights spanning the global capital markets, needed to identify suspicious patterns and make fraud evidence more accessible org-wide. Their team started exploring using session replay to communicate the precise problems to leadership—and it’s been an eye-opening experience.

Setting up alerts based on discrepancies between expected and actual event flows, such as mismatches between front-end and back-end sign-up events, is a recommended practice and one that a well-known cryptocurrency platform has started practicing in Mixpanel. Combined with automated alerts, they’ve begun tracking discrepancies over time in a graph, which has helped them closely monitor the difference between front- and back-end events and quickly spot potential fraud incidents.

A gaming app team successfully used Mixpanel to identify fraudulent users by creating cohorts of suspected cheaters and analyzing gameplay patterns, specifically looking for unusually fast completion times. This involved refining event definitions to accurately track user behavior and analyze sessions for patterns like unrealistically short game completion times.

An ecommerce platform explored using Mixpanel's session replay to understand and identify fraudulent user actions. The idea was to leverage user behavior as an additional layer of identification, using session replays to analyze how people were interacting with the platform and spot fraudulent actions.

A sporting equipment company described using Mixpanel to analyze potential bot traffic from an email campaign. They created cohorts based on user behavior to identify and filter out bot activity, utilizing custom properties and merging event properties for improved reporting and data analysis.

A software testing tool used Mixpanel’s built-in "hot shard" mechanism that automatically removes data from users (distinct IDs) performing 200,000 or more events in a single day, which typically indicates aggressive bot activity. Additionally, customers are advised to use session duration as a property to filter out likely bots (e.g., sessions shorter than five seconds) and create cohorts to exclude these bots and low-intention users from analysis.

Effectively tracking fraud in Mixpanel not only safeguards your business from financial losses but also ensures the integrity of your product and user experience. By combining a clear understanding of fraudulent behavior with Mixpanel's robust analytics, cybersecurity, product, and data teams can work together to build a resilient defense against evolving threats. 

Talk to your account representative to learn more or start a free trial today.