Detect fraud in user activity with PostgreSQL, OpenAI and Slack

AI Fraud Detection Workflow

> n8n + PostgreSQL + OpenAI + Slack

This AI Fraud Detection Workflow is an automated n8n pipeline that analyzes user activity in real time using a combination of rule-based fraud detection, AI interpretation and historical behavioral context. It processes events like login attempts, password changes or transactions, evaluates risk, stores results in PostgreSQL and triggers alerts for high-risk activity.

Quick Implementation Steps

Import workflow into n8n Configure webhook endpoint /user-activity
Set up PostgreSQL connection and user_activity_logs table Add OpenAI API credentials Configure alerting node (Slack or alternative) Activate workflow and test with sample payload

What It Does

This workflow continuously monitors user activity events and evaluates them for suspicious behavior.

When a user event is received, the system:

Validates the incoming request Fetches last 10 user activity logs from PostgreSQL Builds behavioral context Applies rule-based fraud scoring Sends structured data to AI for interpretation Combines AI + rule-based decisions Stores results in the database Sends alerts for HIGH-risk cases

It helps detect anomalies like:

New device usage Impossible travel (rapid location change) Foreign access attempts Sensitive actions like password changes

Who It's For

Fintech applications Banking & payment platforms SaaS applications with authentication systems E-commerce platforms Security and fraud prevention teams DevOps and backend engineers

Requirements to Use This Workflow

n8n account (cloud or self-hosted) PostgreSQL database OpenAI API key Alerting system (Slack / Email / Teams / etc.) Webhook support for incoming user activity events

Database Schema

CREATE TABLE user_activity_logs ( id BIGSERIAL PRIMARY KEY, user_id TEXT, event TEXT, ip TEXT, location TEXT, device TEXT, risk_score INT, ai_flag TEXT, created_at TIMESTAMP DEFAULT NOW() );

How It Works & Setup Guide

  1. Webhook Trigger

Receives user activity via POST request:

Endpoint:

/user-activity

Payload: { "user_id": "user_002", "event": "password_change", "ip": "192.165.1.45", "location": "United States", "device": "Chrome Browser - Windows" }

  1. Request Validation

Ensures required fields exist:

user_id event ip location device

  1. Fetch User History (PostgreSQL)

Retrieves last 10 activity logs for the user to build behavioral context.

  1. Context Builder

Merges:

Current event Historical activity logs

This helps detect behavioral anomalies.

  1. Rule-Based Fraud Engine

Applies deterministic fraud logic: New device detection Impossible travel detection Foreign location access Sensitive operations (password change, withdrawal)

Outputs: rule_score rule_risk (LOW / MEDIUM / HIGH) risk_reasons

  1. AI Fraud Interpreter (OpenAI)

The AI does not calculate risk.

It only interprets rule-based output and returns:

{ "risk_level": "LOW | MEDIUM | HIGH", "reason": "short explanation" }

  1. AI Response Cleaner

Parses AI output safely Extracts: ai_risk ai_reason

  1. Decision Fusion Layer

Final risk logic:

If rule OR AI = HIGH → FINAL = HIGH Else if either = MEDIUM → FINAL = MEDIUM Else → LOW

  1. Database Logger

Stores final result in PostgreSQL:

user_id event ip location device risk_score (rule-based) ai_flag (AI risk level)

  1. High Risk Filter

Triggers only when: final_risk === "HIGH"

  1. Alert Dispatcher

Sends fraud alert via Slack (or can be replaced with email, SMS, Teams, etc.)

How to Customize Nodes

Fraud Rules Engine:** Adjust scoring weights and conditions AI Prompt:** Add domain-specific fraud rules or compliance logic Database Node:** Add extra fields like session_id, user_agent Alert System:** Replace Slack with email, SMS or webhook Threshold Logic:** Modify HIGH/MEDIUM/LOW conditions

Add-ons (Enhancements)

GeoIP enrichment using IP tracking Device fingerprinting integration Real-time fraud dashboard Machine learning anomaly scoring Multi-channel alerting (Slack + Email + SMS) Fraud case management system Rate limiting and bot detection

Use Case Examples

Detect unauthorized login attempts Prevent account takeover (ATO) attacks Monitor suspicious password changes Detect fraudulent financial transactions Identify VPN or proxy-based access

This workflow can be extended to many more fraud detection and security monitoring use cases.

Troubleshooting Guide

| Issue | Possible Cause | Solution | |------|---------------|----------| | Webhook not receiving data | Incorrect endpoint or inactive workflow | Ensure workflow is active and webhook URL is correct | | AI parsing error | Unexpected response format from OpenAI | Verify JSON structure from AI output | | No historical data found | Empty user logs table | Ensure user_activity_logs has existing records | | Slack alert not triggered | Risk not classified as HIGH | Check fusion logic in decision node | | PostgreSQL error | Wrong credentials or schema mismatch | Verify DB connection and table structure | | Incorrect risk score | Rule logic misconfiguration | Review fraud scoring conditions |

Need Help

If you need help with:

Setting up this workflow in n8n
Customizing fraud detection rules
Integrating advanced alerting systems
Scaling workflows for production

You can reach out to our n8n workflow developers at WeblineIndia for professional assistance in building and optimizing automation workflows like this.

0
Downloads
1
Views
8.38
Quality Score
beginner
Complexity
Author:WeblineIndia(View Original →)
Created:5/5/2026
Updated:7/3/2026

🔒 Please log in to import templates to n8n and favorite templates

Workflow Visualization

Loading...

Preparing workflow renderer

Comments (0)

Login to post comments