Forem: Fixel Smith The latest articles on Forem by Fixel Smith (@fixelsmith). https://forem.com/fixelsmith https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3931917%2F9d88cc72-7f15-4358-98e4-9d5433bd2ffc.png Forem: Fixel Smith https://forem.com/fixelsmith en Eight window-function tricks beyond LAG and ROW_NUMBER Fixel Smith Mon, 18 May 2026 17:19:00 +0000 https://forem.com/fixelsmith/eight-window-function-tricks-beyond-lag-and-rownumber-paa https://forem.com/fixelsmith/eight-window-function-tricks-beyond-lag-and-rownumber-paa <p>The first post in this series got more reader response than I expected. The comments were full of practical follow-up questions and a few good corrections, and one thing that kept coming up was a request to go deeper on window functions specifically. Pattern 6 in the previous post leaned heavily on them. People wanted to see what else lives in that toolbox.</p> <p>This is that.</p> <p>LAG and ROW_NUMBER are usually the first two window functions analysts learn. They are the right starting point. But after a year or two of writing SQL you start running into shapes those two can't quite hit, and you start hitting problems where those two stop being enough.</p> <p>Eight patterns below. Same disclaimer as the previous post: I work as a data analyst on a program-integrity team. Examples use generic transaction tables and synthetic scenarios. Nothing here reflects actual systems, procedures, or data from any specific employer.</p> <h2> 1. QUALIFY </h2> <p>QUALIFY lets you filter directly on window-function output without wrapping the whole query in another CTE or subquery.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="nb">timestamp</span><span class="p">,</span> <span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="n">OVER</span> <span class="p">(</span> <span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">cardholder_id</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="nb">timestamp</span> <span class="k">RANGE</span> <span class="k">BETWEEN</span> <span class="n">INTERVAL</span> <span class="s1">'5 minutes'</span> <span class="k">PRECEDING</span> <span class="k">AND</span> <span class="k">CURRENT</span> <span class="k">ROW</span> <span class="p">)</span> <span class="k">AS</span> <span class="n">tx_5min</span> <span class="k">FROM</span> <span class="n">transactions</span> <span class="n">QUALIFY</span> <span class="n">tx_5min</span> <span class="o">&gt;=</span> <span class="mi">5</span><span class="p">;</span> </code></pre> </div> <p>Without QUALIFY this usually turns into an extra query layer just to filter on the computed column. Not a big deal in tiny examples, but once fraud rules start stacking together it gets messy fast.</p> <p>Support is still inconsistent depending on the engine. Snowflake, BigQuery, DuckDB, Databricks, ClickHouse and a few others have it. Postgres, MySQL, SQLite still don't.</p> <p>If you're on Postgres, the fallback is usually just a CTE and an outer WHERE clause.</p> <h2> 2. Frame specs (ROWS vs RANGE) </h2> <p>A lot of people write:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="n">OVER</span> <span class="p">(</span><span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">x</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">y</span><span class="p">)</span> </code></pre> </div> <p>and never think much about the frame underneath it. Usually fine until sliding windows start behaving strangely.</p> <p>The two big ones:</p> <ul> <li><code>ROWS BETWEEN N PRECEDING AND CURRENT ROW</code></li> <li><code>RANGE BETWEEN INTERVAL '5 minutes' PRECEDING AND CURRENT ROW</code></li> </ul> <p>ROWS counts rows. RANGE works off the ORDER BY value itself.</p> <p>The difference starts mattering once duplicate timestamps show up. ROWS and RANGE stop behaving the same way at that point.</p> <p>For fraud velocity checks, RANGE on timestamps is usually the right fit because you're actually asking "how many transactions happened within this time window," not "what happened in the previous 5 rows."</p> <p>For rolling hourly baselines or trailing-week comparisons, ROWS is often cleaner because each row already represents a fixed bucket.</p> <p>One related thing that came up in the comments on the previous post and is worth surfacing here: the timestamp you key off matters more than people realize. Authorization time and settlement time can be days apart. If you use settlement time on a velocity or impossible-travel check, charges from days ago suddenly look like they happened "now" in the warehouse, and the windows blow up with false positives. Use auth time. Most card systems have both columns; the home-grown ones don't always make the distinction obvious.</p> <h2> 3. FILTER for conditional aggregation </h2> <p>Most people start with CASE WHEN inside SUM or COUNT:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">sum</span><span class="p">(</span><span class="k">CASE</span> <span class="k">WHEN</span> <span class="n">amount</span> <span class="o">&gt;</span> <span class="mi">100</span> <span class="k">THEN</span> <span class="mi">1</span> <span class="k">ELSE</span> <span class="mi">0</span> <span class="k">END</span><span class="p">)</span> </code></pre> </div> <p>FILTER does the same thing with less noise:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">merchant_id</span><span class="p">,</span> <span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="n">FILTER</span> <span class="p">(</span><span class="k">WHERE</span> <span class="n">amount</span> <span class="o">&gt;</span> <span class="mi">100</span><span class="p">)</span> <span class="k">AS</span> <span class="n">high_value_count</span><span class="p">,</span> <span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="n">FILTER</span> <span class="p">(</span><span class="k">WHERE</span> <span class="nb">timestamp</span><span class="p">::</span><span class="nb">time</span> <span class="k">BETWEEN</span> <span class="s1">'00:00'</span> <span class="k">AND</span> <span class="s1">'06:00'</span><span class="p">)</span> <span class="k">AS</span> <span class="n">off_hours_count</span> <span class="k">FROM</span> <span class="n">transactions</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="n">merchant_id</span><span class="p">;</span> </code></pre> </div> <p>Works inside window functions too:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">sum</span><span class="p">(</span><span class="n">amount</span><span class="p">)</span> <span class="n">FILTER</span> <span class="p">(</span><span class="k">WHERE</span> <span class="n">merchant_category</span> <span class="o">=</span> <span class="s1">'gas_station'</span><span class="p">)</span> <span class="n">OVER</span> <span class="p">(</span> <span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">cardholder_id</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="nb">timestamp</span> <span class="k">ROWS</span> <span class="k">BETWEEN</span> <span class="mi">100</span> <span class="k">PRECEDING</span> <span class="k">AND</span> <span class="k">CURRENT</span> <span class="k">ROW</span> <span class="p">)</span> <span class="k">AS</span> <span class="n">rolling_gas_spend</span> </code></pre> </div> <p>Mostly just easier to read once queries get large.</p> <p>Support varies though. Postgres, Snowflake, DuckDB and ClickHouse support it. MySQL still doesn't. BigQuery handles this a little differently with IF inside the aggregate instead.</p> <h2> 4. FIRST_VALUE / LAST_VALUE / NTH_VALUE </h2> <p>These are useful anytime you need one row's value carried across the whole partition.</p> <p>Example: tagging every transaction with the first merchant a cardholder ever used.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="nb">timestamp</span><span class="p">,</span> <span class="n">merchant_id</span><span class="p">,</span> <span class="n">first_value</span><span class="p">(</span><span class="n">merchant_id</span><span class="p">)</span> <span class="n">OVER</span> <span class="p">(</span> <span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">cardholder_id</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="nb">timestamp</span> <span class="k">ROWS</span> <span class="k">BETWEEN</span> <span class="n">UNBOUNDED</span> <span class="k">PRECEDING</span> <span class="k">AND</span> <span class="n">UNBOUNDED</span> <span class="k">FOLLOWING</span> <span class="p">)</span> <span class="k">AS</span> <span class="n">first_merchant_ever</span><span class="p">,</span> <span class="n">last_value</span><span class="p">(</span><span class="n">merchant_id</span><span class="p">)</span> <span class="n">OVER</span> <span class="p">(</span> <span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">cardholder_id</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="nb">timestamp</span> <span class="k">ROWS</span> <span class="k">BETWEEN</span> <span class="n">UNBOUNDED</span> <span class="k">PRECEDING</span> <span class="k">AND</span> <span class="n">UNBOUNDED</span> <span class="k">FOLLOWING</span> <span class="p">)</span> <span class="k">AS</span> <span class="n">most_recent_merchant</span> <span class="k">FROM</span> <span class="n">transactions</span><span class="p">;</span> </code></pre> </div> <p>The LAST_VALUE behavior trips people up constantly.</p> <p>Without the explicit frame, LAST_VALUE usually returns the current row instead of the actual last row in the partition because the default frame stops at the current row.</p> <p>NTH_VALUE works the same way conceptually. Useful for questions like "what was the third transaction this cardholder ever made?"</p> <h2> 5. LEAD chains for sequence detection </h2> <p>LAG gets most of the attention because analysts usually look backwards more than forwards.</p> <p>LEAD becomes useful once you're looking for sequences instead of isolated events.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="nb">timestamp</span><span class="p">,</span> <span class="n">merchant_id</span><span class="p">,</span> <span class="n">lead</span><span class="p">(</span><span class="n">merchant_id</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> <span class="n">OVER</span> <span class="n">w</span> <span class="k">AS</span> <span class="n">next_merchant_1</span><span class="p">,</span> <span class="n">lead</span><span class="p">(</span><span class="n">merchant_id</span><span class="p">,</span> <span class="mi">2</span><span class="p">)</span> <span class="n">OVER</span> <span class="n">w</span> <span class="k">AS</span> <span class="n">next_merchant_2</span><span class="p">,</span> <span class="n">lead</span><span class="p">(</span><span class="n">merchant_id</span><span class="p">,</span> <span class="mi">3</span><span class="p">)</span> <span class="n">OVER</span> <span class="n">w</span> <span class="k">AS</span> <span class="n">next_merchant_3</span><span class="p">,</span> <span class="n">lead</span><span class="p">(</span><span class="nb">timestamp</span><span class="p">,</span> <span class="mi">3</span><span class="p">)</span> <span class="n">OVER</span> <span class="n">w</span> <span class="o">-</span> <span class="nb">timestamp</span> <span class="k">AS</span> <span class="n">time_to_4th_tx</span> <span class="k">FROM</span> <span class="n">transactions</span> <span class="k">WINDOW</span> <span class="n">w</span> <span class="k">AS</span> <span class="p">(</span><span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">cardholder_id</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="nb">timestamp</span><span class="p">);</span> </code></pre> </div> <p>Then you can filter on the sequence itself:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">WHERE</span> <span class="n">next_merchant_1</span> <span class="o">&lt;&gt;</span> <span class="n">merchant_id</span> <span class="k">AND</span> <span class="n">next_merchant_2</span> <span class="o">&lt;&gt;</span> <span class="n">merchant_id</span> <span class="k">AND</span> <span class="n">next_merchant_3</span> <span class="o">&lt;&gt;</span> <span class="n">merchant_id</span> <span class="k">AND</span> <span class="n">time_to_4th_tx</span> <span class="o">&lt;</span> <span class="n">INTERVAL</span> <span class="s1">'90 seconds'</span> </code></pre> </div> <p>A lot of card-testing behavior starts showing up in shapes like this.</p> <h2> 6. Gap-and-island </h2> <p>Gap-and-island is basically the standard SQL trick for finding streaks or runs of related activity.</p> <p>One common version looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="nb">timestamp</span><span class="p">,</span> <span class="n">merchant_id</span><span class="p">,</span> <span class="n">amount</span><span class="p">,</span> <span class="k">sum</span><span class="p">(</span> <span class="k">CASE</span> <span class="k">WHEN</span> <span class="n">merchant_id</span> <span class="o">&lt;&gt;</span> <span class="n">lag</span><span class="p">(</span><span class="n">merchant_id</span><span class="p">)</span> <span class="n">OVER</span> <span class="n">w</span> <span class="k">THEN</span> <span class="mi">1</span> <span class="k">ELSE</span> <span class="mi">0</span> <span class="k">END</span> <span class="p">)</span> <span class="n">OVER</span> <span class="n">w</span> <span class="k">AS</span> <span class="n">island_id</span> <span class="k">FROM</span> <span class="n">transactions</span> <span class="k">WINDOW</span> <span class="n">w</span> <span class="k">AS</span> <span class="p">(</span><span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">cardholder_id</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="nb">timestamp</span><span class="p">);</span> </code></pre> </div> <p>Every time the merchant changes, the island ID increments. Depending on the engine, this is also one of those patterns where query planners can suddenly get a lot more expensive than you expected.</p> <p>Once you have that grouping value, streak analysis gets much easier:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">WITH</span> <span class="n">islands</span> <span class="k">AS</span> <span class="p">(</span> <span class="c1">-- query above</span> <span class="p">)</span> <span class="k">SELECT</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="n">merchant_id</span><span class="p">,</span> <span class="n">island_id</span><span class="p">,</span> <span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">AS</span> <span class="n">streak_length</span> <span class="k">FROM</span> <span class="n">islands</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">3</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">streak_length</span> <span class="k">DESC</span><span class="p">;</span> </code></pre> </div> <p>This kind of thing is useful for spotting behavior shifts. Somebody with a year-long coffee-shop routine suddenly spending every day at gas stations is at least worth a second look.</p> <h2> 7. Conditional running totals </h2> <p>CASE WHEN inside SUM OVER ends up doing a huge amount of work in fraud analysis.</p> <p>Simple example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="nb">timestamp</span><span class="p">,</span> <span class="n">approved</span><span class="p">,</span> <span class="k">sum</span><span class="p">(</span><span class="k">CASE</span> <span class="k">WHEN</span> <span class="k">NOT</span> <span class="n">approved</span> <span class="k">THEN</span> <span class="mi">1</span> <span class="k">ELSE</span> <span class="mi">0</span> <span class="k">END</span><span class="p">)</span> <span class="n">OVER</span> <span class="p">(</span> <span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">cardholder_id</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="nb">timestamp</span> <span class="k">RANGE</span> <span class="k">BETWEEN</span> <span class="n">INTERVAL</span> <span class="s1">'24 hours'</span> <span class="k">PRECEDING</span> <span class="k">AND</span> <span class="k">CURRENT</span> <span class="k">ROW</span> <span class="p">)</span> <span class="k">AS</span> <span class="n">declines_last_24h</span> <span class="k">FROM</span> <span class="n">transactions</span><span class="p">;</span> </code></pre> </div> <p>Decline clusters are usually worth paying attention to. A surprising amount of card testing shows up as repeated declines followed by a successful approval somewhere later in the sequence.</p> <p>The reset-on-condition versions get more complicated and usually end up combining multiple windows together. Useful pattern, but also one of the easier places to write something unreadable by accident.</p> <h2> 8. PERCENT_RANK and NTILE </h2> <p>These are useful anytime fixed thresholds stop making sense globally.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">WITH</span> <span class="n">monthly_spend</span> <span class="k">AS</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="k">sum</span><span class="p">(</span><span class="n">amount</span><span class="p">)</span> <span class="k">AS</span> <span class="n">month_spend</span> <span class="k">FROM</span> <span class="n">transactions</span> <span class="k">WHERE</span> <span class="nb">timestamp</span> <span class="o">&gt;=</span> <span class="k">current_date</span> <span class="o">-</span> <span class="n">INTERVAL</span> <span class="s1">'30 days'</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="mi">1</span> <span class="p">),</span> <span class="n">buckets</span> <span class="k">AS</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="o">*</span><span class="p">,</span> <span class="n">ntile</span><span class="p">(</span><span class="mi">10</span><span class="p">)</span> <span class="n">OVER</span> <span class="p">(</span><span class="k">ORDER</span> <span class="k">BY</span> <span class="n">month_spend</span><span class="p">)</span> <span class="k">AS</span> <span class="n">spend_decile</span> <span class="k">FROM</span> <span class="n">monthly_spend</span> <span class="p">)</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">buckets</span> <span class="k">WHERE</span> <span class="n">spend_decile</span> <span class="o">=</span> <span class="mi">10</span><span class="p">;</span> </code></pre> </div> <p>A top-spend cardholder usually needs very different fraud thresholds than somebody barely using the card.</p> <p>NTILE gives you buckets. PERCENT_RANK gives you the actual percentile position instead.</p> <h2> Putting it together </h2> <p>The reason these patterns matter is that they compose well.</p> <p>Most individual fraud rules are actually pretty simple. The complexity comes from layering multiple weak signals together without turning the query into procedural spaghetti.</p> <p>Window functions let you keep a surprising amount of this logic in straight SQL before things spill over into procedural code.</p> <p>Most of the examples here are standard SQL. QUALIFY is still warehouse-specific, and FILTER support depends on the engine. If your warehouse doesn't support QUALIFY, the fallback is usually just another CTE layer.</p> <p>Next post is probably fraud-ring detection. Same general idea, just applied to graph-shaped problems instead of straight transaction streams.</p> <p>If you've got a specific window-function shape that gave you trouble or a fraud pattern you'd like to see written up, the comments on the original post are still active. Happy to take requests.</p> sql analytics frauddetection database Six SQL patterns I use to catch transaction fraud Fixel Smith Thu, 14 May 2026 20:18:26 +0000 https://forem.com/fixelsmith/six-sql-patterns-i-use-to-catch-transaction-fraud-coc https://forem.com/fixelsmith/six-sql-patterns-i-use-to-catch-transaction-fraud-coc <p><strong>Quick disclaimer:</strong> I do data work on a program-integrity team. Examples below use generic transaction tables and made-up scenarios. Nothing here comes from anything I've actually worked on or seen. Views are mine, not my employer's.</p> <p>Fraud detection in transaction data is mostly SQL. Not machine learning, not graph databases, not whatever Gartner is hyping this year. SQL, run against the right tables, with the right joins, looking for the right shapes.</p> <p>I work mostly with government-funded benefit programs, but the patterns below port over to anything with a transactions table: credit cards, healthcare claims, e-commerce, point-of-sale. If money moves and gets logged, these queries will find weird things in the log.</p> <p>Six patterns. Roughly in the order I'd build them out on a new dataset.</p> <h2> 1. Velocity </h2> <p>The simplest one. Someone with a stolen card wants to drain it before the holder notices. So they hit the card fast.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="n">date_trunc</span><span class="p">(</span><span class="s1">'hour'</span><span class="p">,</span> <span class="nb">timestamp</span><span class="p">)</span> <span class="k">AS</span> <span class="n">hour_bucket</span><span class="p">,</span> <span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">AS</span> <span class="n">tx_count</span><span class="p">,</span> <span class="k">min</span><span class="p">(</span><span class="nb">timestamp</span><span class="p">)</span> <span class="k">AS</span> <span class="n">first_tx</span><span class="p">,</span> <span class="k">max</span><span class="p">(</span><span class="nb">timestamp</span><span class="p">)</span> <span class="k">AS</span> <span class="n">last_tx</span> <span class="k">FROM</span> <span class="n">transactions</span> <span class="k">WHERE</span> <span class="nb">timestamp</span> <span class="o">&gt;=</span> <span class="k">current_date</span> <span class="o">-</span> <span class="n">INTERVAL</span> <span class="s1">'30 days'</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">2</span> <span class="k">HAVING</span> <span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mi">10</span><span class="p">;</span> </code></pre> </div> <p>Tune two knobs: the window size and the count threshold. I usually run a 1-minute, 5-minute, and 1-hour version in parallel and compare. Different fraud shows up at different scales — a card-testing ring hits a server in seconds; a benefits-trafficking ring might take an afternoon.</p> <p>A few cardholders will legitimately blow past the threshold. Route operators servicing vending machines. People reloading prepaid cards in bulk. Your false positives. Worth keeping a whitelist after the first pass.</p> <p>For sliding-window velocity, this is the form I use:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="nb">timestamp</span><span class="p">,</span> <span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="n">OVER</span> <span class="p">(</span> <span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">cardholder_id</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="nb">timestamp</span> <span class="k">RANGE</span> <span class="k">BETWEEN</span> <span class="n">INTERVAL</span> <span class="s1">'5 minutes'</span> <span class="k">PRECEDING</span> <span class="k">AND</span> <span class="k">CURRENT</span> <span class="k">ROW</span> <span class="p">)</span> <span class="k">AS</span> <span class="n">tx_in_last_5min</span> <span class="k">FROM</span> <span class="n">transactions</span> <span class="n">QUALIFY</span> <span class="n">tx_in_last_5min</span> <span class="o">&gt;=</span> <span class="mi">5</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="nb">timestamp</span><span class="p">;</span> </code></pre> </div> <p><code>QUALIFY</code> works in Snowflake, BigQuery, Databricks, Teradata. For Postgres you wrap the whole thing in a CTE and filter on the outside. Slight pain, same result.</p> <h2> 2. Impossible travel </h2> <p>If a card swipes in Chicago and seven minutes later swipes in Los Angeles, one of those swipes is fake. The card is cloned. This is the most uncontroversial fraud signal you'll find — there's almost no legitimate reason a single card is in two distant places in seven minutes.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">WITH</span> <span class="n">ordered_tx</span> <span class="k">AS</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="nb">timestamp</span><span class="p">,</span> <span class="k">location</span><span class="p">,</span> <span class="n">LAG</span><span class="p">(</span><span class="nb">timestamp</span><span class="p">)</span> <span class="n">OVER</span> <span class="p">(</span><span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">cardholder_id</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="nb">timestamp</span><span class="p">)</span> <span class="k">AS</span> <span class="n">prev_ts</span><span class="p">,</span> <span class="n">LAG</span><span class="p">(</span><span class="k">location</span><span class="p">)</span> <span class="n">OVER</span> <span class="p">(</span><span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">cardholder_id</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="nb">timestamp</span><span class="p">)</span> <span class="k">AS</span> <span class="n">prev_loc</span> <span class="k">FROM</span> <span class="n">transactions</span> <span class="p">)</span> <span class="k">SELECT</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="n">prev_ts</span> <span class="k">AS</span> <span class="n">first_tx</span><span class="p">,</span> <span class="nb">timestamp</span> <span class="k">AS</span> <span class="n">second_tx</span><span class="p">,</span> <span class="n">prev_loc</span> <span class="k">AS</span> <span class="n">first_location</span><span class="p">,</span> <span class="k">location</span> <span class="k">AS</span> <span class="n">second_location</span><span class="p">,</span> <span class="k">EXTRACT</span><span class="p">(</span><span class="n">EPOCH</span> <span class="k">FROM</span> <span class="p">(</span><span class="nb">timestamp</span> <span class="o">-</span> <span class="n">prev_ts</span><span class="p">))</span> <span class="o">/</span> <span class="mi">60</span> <span class="k">AS</span> <span class="n">minutes_apart</span><span class="p">,</span> <span class="n">haversine</span><span class="p">(</span><span class="n">prev_loc</span><span class="p">,</span> <span class="k">location</span><span class="p">)</span> <span class="k">AS</span> <span class="n">miles_apart</span> <span class="k">FROM</span> <span class="n">ordered_tx</span> <span class="k">WHERE</span> <span class="n">prev_ts</span> <span class="k">IS</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">AND</span> <span class="n">prev_loc</span> <span class="o">&lt;&gt;</span> <span class="k">location</span> <span class="k">AND</span> <span class="n">haversine</span><span class="p">(</span><span class="n">prev_loc</span><span class="p">,</span> <span class="k">location</span><span class="p">)</span> <span class="o">/</span> <span class="k">nullif</span><span class="p">(</span><span class="k">EXTRACT</span><span class="p">(</span><span class="n">EPOCH</span> <span class="k">FROM</span> <span class="p">(</span><span class="nb">timestamp</span> <span class="o">-</span> <span class="n">prev_ts</span><span class="p">)),</span> <span class="mi">0</span><span class="p">)</span> <span class="o">*</span> <span class="mi">3600</span> <span class="o">&gt;</span> <span class="mi">600</span><span class="p">;</span> </code></pre> </div> <p><code>haversine</code> is the great-circle distance function. Most warehouses ship one. If yours doesn't, it's about ten lines to write your own.</p> <p>The 600 mph threshold is rough — commercial jet cruise is around 575, so this is "faster than a plane could possibly do it." You can tighten it to 100 mph if you want to catch suspiciously-fast ground travel too, but at that threshold you start picking up real airline travelers, kids with parents driving them home from camp, that kind of thing.</p> <p>A few other shapes in the same family are worth running:</p> <ul> <li>Two distant cities, same state, inside 5 minutes. Local cloning rings.</li> <li>Multiple ZIP codes inside an hour. Skimmer rings working a region.</li> <li>Border crossings inside 10 minutes. International rings.</li> </ul> <h2> 3. Amount anomalies </h2> <p>There are a couple of amounts that show up disproportionately in fraud and almost never in normal use.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="nb">timestamp</span><span class="p">,</span> <span class="n">amount</span><span class="p">,</span> <span class="n">merchant_id</span> <span class="k">FROM</span> <span class="n">transactions</span> <span class="k">WHERE</span> <span class="p">(</span><span class="n">amount</span> <span class="o">&gt;=</span> <span class="mi">99</span><span class="p">.</span><span class="mi">50</span> <span class="k">AND</span> <span class="n">amount</span> <span class="o">&lt;</span> <span class="mi">100</span><span class="p">.</span><span class="mi">00</span><span class="p">)</span> <span class="k">OR</span> <span class="p">(</span><span class="n">amount</span> <span class="o">&gt;=</span> <span class="mi">499</span><span class="p">.</span><span class="mi">50</span> <span class="k">AND</span> <span class="n">amount</span> <span class="o">&lt;</span> <span class="mi">500</span><span class="p">.</span><span class="mi">00</span><span class="p">)</span> <span class="k">OR</span> <span class="n">amount</span> <span class="k">IN</span> <span class="p">(</span><span class="mi">1</span><span class="p">.</span><span class="mi">00</span><span class="p">,</span> <span class="mi">5</span><span class="p">.</span><span class="mi">00</span><span class="p">,</span> <span class="mi">10</span><span class="p">.</span><span class="mi">00</span><span class="p">)</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="nb">timestamp</span><span class="p">;</span> </code></pre> </div> <p>What's happening:</p> <p>Round dollar amounts at small values — $1.00, $5.00, $10.00 — are almost always card tests. Someone got a card number from a dump and they're checking if it works before reselling it. Real cardholders almost never buy something for exactly $1.00. Coffee is $4.73, gas is $52.81. The roundness is the signal.</p> <p>Amounts just below a threshold are different. $99.99 is interesting because at a lot of places, $100 is the line where the cashier is supposed to check ID. $499.99 is interesting because $500 is often a daily ATM cap. Whoever's doing the transaction knows the rules and is staying under them.</p> <p>(For benefits transactions specifically, the round-number pattern doesn't help much. Benefits don't get card-tested the same way. There the signal is usually duplicate recipients, which is a different post.)</p> <h2> 4. Suspicious merchants </h2> <p>When a skimmer compromises a card reader at, say, a gas pump, you don't get one fraud case. You get dozens. Every card swiped at that pump for the next few weeks is now in someone's database. So the symptom from the merchant side is: an unusual number of unrelated cards spending more than usual, in a short window.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">merchant_id</span><span class="p">,</span> <span class="n">date_trunc</span><span class="p">(</span><span class="s1">'hour'</span><span class="p">,</span> <span class="nb">timestamp</span><span class="p">)</span> <span class="k">AS</span> <span class="n">hour_bucket</span><span class="p">,</span> <span class="k">count</span><span class="p">(</span><span class="k">DISTINCT</span> <span class="n">cardholder_id</span><span class="p">)</span> <span class="k">AS</span> <span class="n">unique_cards</span><span class="p">,</span> <span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">AS</span> <span class="n">total_tx</span><span class="p">,</span> <span class="k">sum</span><span class="p">(</span><span class="n">amount</span><span class="p">)</span> <span class="k">AS</span> <span class="n">total_amount</span> <span class="k">FROM</span> <span class="n">transactions</span> <span class="k">WHERE</span> <span class="nb">timestamp</span> <span class="o">&gt;=</span> <span class="k">current_date</span> <span class="o">-</span> <span class="n">INTERVAL</span> <span class="s1">'7 days'</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">2</span> <span class="k">HAVING</span> <span class="k">count</span><span class="p">(</span><span class="k">DISTINCT</span> <span class="n">cardholder_id</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mi">20</span> <span class="k">AND</span> <span class="k">sum</span><span class="p">(</span><span class="n">amount</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mi">5000</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">total_amount</span> <span class="k">DESC</span><span class="p">;</span> </code></pre> </div> <p>The problem with static thresholds (20 unique cards, $5000) is they don't account for size. A Costco does that in 90 seconds. A used bookshop, never. So the better version compares each merchant against itself:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">WITH</span> <span class="n">merchant_hourly</span> <span class="k">AS</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="n">merchant_id</span><span class="p">,</span> <span class="n">date_trunc</span><span class="p">(</span><span class="s1">'hour'</span><span class="p">,</span> <span class="nb">timestamp</span><span class="p">)</span> <span class="k">AS</span> <span class="n">hour_bucket</span><span class="p">,</span> <span class="k">count</span><span class="p">(</span><span class="k">DISTINCT</span> <span class="n">cardholder_id</span><span class="p">)</span> <span class="k">AS</span> <span class="n">unique_cards</span> <span class="k">FROM</span> <span class="n">transactions</span> <span class="k">WHERE</span> <span class="nb">timestamp</span> <span class="o">&gt;=</span> <span class="k">current_date</span> <span class="o">-</span> <span class="n">INTERVAL</span> <span class="s1">'60 days'</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">2</span> <span class="p">),</span> <span class="n">with_baseline</span> <span class="k">AS</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="o">*</span><span class="p">,</span> <span class="k">avg</span><span class="p">(</span><span class="n">unique_cards</span><span class="p">)</span> <span class="n">OVER</span> <span class="p">(</span> <span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">merchant_id</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">hour_bucket</span> <span class="k">ROWS</span> <span class="k">BETWEEN</span> <span class="mi">168</span> <span class="k">PRECEDING</span> <span class="k">AND</span> <span class="mi">1</span> <span class="k">PRECEDING</span> <span class="p">)</span> <span class="k">AS</span> <span class="n">rolling_avg_cards</span> <span class="k">FROM</span> <span class="n">merchant_hourly</span> <span class="p">)</span> <span class="k">SELECT</span> <span class="o">*</span><span class="p">,</span> <span class="n">unique_cards</span> <span class="o">/</span> <span class="k">nullif</span><span class="p">(</span><span class="n">rolling_avg_cards</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="k">AS</span> <span class="n">spike_ratio</span> <span class="k">FROM</span> <span class="n">with_baseline</span> <span class="k">WHERE</span> <span class="n">unique_cards</span> <span class="o">&gt;</span> <span class="n">rolling_avg_cards</span> <span class="o">*</span> <span class="mi">3</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">spike_ratio</span> <span class="k">DESC</span><span class="p">;</span> </code></pre> </div> <p>The 168 is the trailing seven days of hourly buckets. I use a week because daily and weekly seasonality matters — Tuesday 2pm at a coffee shop is not the same baseline as Saturday 9am at the same shop. A week catches both cycles.</p> <p>Three times normal is where I start. It's loose enough not to drown you in alerts but tight enough to flag the actually weird hours.</p> <h2> 5. Off-hours </h2> <p>Most people are creatures of habit when they spend money. A nine-to-fiver doesn't suddenly start buying gas at 3am. If their card does, it's either being used by someone else or they're traveling — and travel produces other signals you can check.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">WITH</span> <span class="n">cardholder_hour_pattern</span> <span class="k">AS</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="k">EXTRACT</span><span class="p">(</span><span class="n">HOUR</span> <span class="k">FROM</span> <span class="nb">timestamp</span><span class="p">)</span> <span class="k">AS</span> <span class="n">hour_of_day</span><span class="p">,</span> <span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">AS</span> <span class="n">tx_count</span> <span class="k">FROM</span> <span class="n">transactions</span> <span class="k">WHERE</span> <span class="nb">timestamp</span> <span class="o">&gt;=</span> <span class="k">current_date</span> <span class="o">-</span> <span class="n">INTERVAL</span> <span class="s1">'90 days'</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">2</span> <span class="p">),</span> <span class="n">cardholder_normal</span> <span class="k">AS</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="k">min</span><span class="p">(</span><span class="n">hour_of_day</span><span class="p">)</span> <span class="n">FILTER</span> <span class="p">(</span><span class="k">WHERE</span> <span class="n">tx_count</span> <span class="o">&gt;=</span> <span class="mi">2</span><span class="p">)</span> <span class="k">AS</span> <span class="n">earliest_hour</span><span class="p">,</span> <span class="k">max</span><span class="p">(</span><span class="n">hour_of_day</span><span class="p">)</span> <span class="n">FILTER</span> <span class="p">(</span><span class="k">WHERE</span> <span class="n">tx_count</span> <span class="o">&gt;=</span> <span class="mi">2</span><span class="p">)</span> <span class="k">AS</span> <span class="n">latest_hour</span> <span class="k">FROM</span> <span class="n">cardholder_hour_pattern</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="mi">1</span> <span class="p">)</span> <span class="k">SELECT</span> <span class="n">t</span><span class="p">.</span><span class="n">cardholder_id</span><span class="p">,</span> <span class="n">t</span><span class="p">.</span><span class="nb">timestamp</span><span class="p">,</span> <span class="n">t</span><span class="p">.</span><span class="n">amount</span><span class="p">,</span> <span class="n">t</span><span class="p">.</span><span class="n">merchant_id</span> <span class="k">FROM</span> <span class="n">transactions</span> <span class="n">t</span> <span class="k">JOIN</span> <span class="n">cardholder_normal</span> <span class="n">cn</span> <span class="k">USING</span> <span class="p">(</span><span class="n">cardholder_id</span><span class="p">)</span> <span class="k">WHERE</span> <span class="k">EXTRACT</span><span class="p">(</span><span class="n">HOUR</span> <span class="k">FROM</span> <span class="n">t</span><span class="p">.</span><span class="nb">timestamp</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">BETWEEN</span> <span class="n">cn</span><span class="p">.</span><span class="n">earliest_hour</span> <span class="k">AND</span> <span class="n">cn</span><span class="p">.</span><span class="n">latest_hour</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">t</span><span class="p">.</span><span class="nb">timestamp</span> <span class="k">DESC</span><span class="p">;</span> </code></pre> </div> <p>The "two or more in that hour" filter on the inner query is doing important work. Without it, one stray late-night gas station purchase three months ago becomes part of the cardholder's "normal" hours, and you never flag them again. Requiring at least two purchases in a given hour, in 90 days, sets the bar at "actually a habit" instead of "happened once."</p> <p>Drawback: this doesn't work until you have history. New accounts have no baseline. For those, you fall back to global hour patterns or just skip this pattern entirely until they've been around for a couple months.</p> <h2> 6. Window functions for chained signals </h2> <p>This one isn't really a pattern. It's a setup that makes the other five patterns composable.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="nb">timestamp</span><span class="p">,</span> <span class="n">amount</span><span class="p">,</span> <span class="n">merchant_id</span><span class="p">,</span> <span class="nb">timestamp</span> <span class="o">-</span> <span class="n">LAG</span><span class="p">(</span><span class="nb">timestamp</span><span class="p">)</span> <span class="n">OVER</span> <span class="n">w</span> <span class="k">AS</span> <span class="n">time_since_last</span><span class="p">,</span> <span class="k">CASE</span> <span class="k">WHEN</span> <span class="n">merchant_id</span> <span class="o">&lt;&gt;</span> <span class="n">LAG</span><span class="p">(</span><span class="n">merchant_id</span><span class="p">)</span> <span class="n">OVER</span> <span class="n">w</span> <span class="k">THEN</span> <span class="s1">'changed'</span> <span class="k">ELSE</span> <span class="s1">'same'</span> <span class="k">END</span> <span class="k">AS</span> <span class="n">merchant_change</span><span class="p">,</span> <span class="k">sum</span><span class="p">(</span><span class="n">amount</span><span class="p">)</span> <span class="n">OVER</span> <span class="p">(</span> <span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">cardholder_id</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="nb">timestamp</span> <span class="k">RANGE</span> <span class="k">BETWEEN</span> <span class="n">INTERVAL</span> <span class="s1">'24 hours'</span> <span class="k">PRECEDING</span> <span class="k">AND</span> <span class="k">CURRENT</span> <span class="k">ROW</span> <span class="p">)</span> <span class="k">AS</span> <span class="n">running_24h_total</span><span class="p">,</span> <span class="n">ROW_NUMBER</span><span class="p">()</span> <span class="n">OVER</span> <span class="p">(</span> <span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="nb">date</span><span class="p">(</span><span class="nb">timestamp</span><span class="p">)</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="nb">timestamp</span> <span class="p">)</span> <span class="k">AS</span> <span class="n">tx_of_day</span> <span class="k">FROM</span> <span class="n">transactions</span> <span class="k">WINDOW</span> <span class="n">w</span> <span class="k">AS</span> <span class="p">(</span><span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">cardholder_id</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="nb">timestamp</span><span class="p">)</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">cardholder_id</span><span class="p">,</span> <span class="nb">timestamp</span><span class="p">;</span> </code></pre> </div> <p>Once you've materialized those columns, fraud rules collapse to filter expressions. Say you're hunting card-testing rings, where the tell is "lots of small charges, all at different merchants, within minutes of each other." The rule becomes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">tx_with_windows</span> <span class="k">WHERE</span> <span class="n">tx_of_day</span> <span class="o">&gt;=</span> <span class="mi">5</span> <span class="k">AND</span> <span class="n">time_since_last</span> <span class="o">&lt;</span> <span class="n">INTERVAL</span> <span class="s1">'60 seconds'</span> <span class="k">AND</span> <span class="n">merchant_change</span> <span class="o">=</span> <span class="s1">'changed'</span><span class="p">;</span> </code></pre> </div> <p>Three filters. That's it.</p> <p>The reason this matters is that the moment your analysts can express new fraud hypotheses as SQL filters instead of engineering tickets, your iteration loop drops from weeks to hours. You catch more fraud, faster.</p> <h2> Putting it together </h2> <p>None of these alone is enough. Velocity has false positives (vending operators). Geographic impossibility misses anything inside a single metro. Amount anomalies don't apply outside of card-test contexts. The off-hours rule needs history.</p> <p>What works is running them all and scoring each transaction across the signals. A transaction that fails on three or four of them is almost always fraud. A transaction that fails on one might be your grandma being weird with her debit card on vacation.</p> <p>If you're brand new to fraud detection, start with pattern 1. It alone will surface a useful amount of fraud and very little legitimate activity, and it's cheap to run.</p> <p>If you've already got 1 through 5, the place to invest is pattern 6 — those window-function primitives. Every analyst on your team will use them once they exist, and adding the next fraud pattern stops being a project.</p> <h2> Things I left out </h2> <p>A few things this post doesn't cover that come up constantly:</p> <p>NULL handling. Real transaction tables don't use NULL the way intro SQL books do. A lot of legacy systems use sentinel values like <code>9999-12-31</code> for "no end date" or <code>0001-01-01</code> for "no start date." Filtering with <code>IS NULL</code> will silently miss those rows. Always check what the convention is in your specific table before writing WHERE clauses that assume NULL.</p> <p>False positives. Every rule above will flag real cardholders doing weird-but-legitimate things. Your fraud workflow needs human review of flagged cases, with a feedback loop that lets you tune thresholds based on what's actually fraud and what isn't. Auto-blocking on a single rule is how you lose customers.</p> <p>Privacy. If the data has PII, your queries need to comply with your applicable data-use policies. De-identified or sampled data first, production data with authorization second.</p> <p>Cost. Window functions with big partitions are not cheap. Filter your date range first, then apply the window, not the other way around. I've watched a junior analyst burn through a warehouse credit budget by running a <code>LAG()</code> across two years of transactions on the entire dataset before adding the WHERE.</p> <p>Things I want to write about next, depending on what people ask for:</p> <ul> <li>Eight window-function tricks beyond <code>LAG</code> and <code>ROW_NUMBER</code> </li> <li>Detecting fraud rings, which is the social-graph problem in disguise</li> <li>What goes on a fraud team's dashboard, and what doesn't</li> <li>Why your fraud alerts are noisy, and how to actually fix that instead of just raising thresholds</li> </ul> <p>If there's something specific you want covered, message through <a href="https://fixelsmith.com" rel="noopener noreferrer">fixelsmith.com</a>.</p> <p><em>Fixel Smith is an experienced Program Integrity Analyst working in public-sector data.</em></p> sql analytics frauddetection database