Between 2:10 and 2:25 a.m., we logged three near-identical redemptions at adjacent kiosks, each within $5 of $980 and tied to different IDs; VMS anomaly rules pinged but didn’t escalate to a hard alert. Does this read like a probe for a voucher-mill run to you, and if so, where do you draw the line between continued surveillance and a floor intervention to preserve the case without spooking them?
Looks like a probe; we saw the same $980-ish pattern and our rule is ‘after the second within $20 over 30 minutes, shadow the kiosk bank and temporarily route >$900 redemptions to cage.’ Check voucher serial sequences and printer IDs — if they’re marching in a tight range from one bank, it’s likely a mill, but if they scatter, I’d keep eyes on and wait for a fourth hit or a visible handoff before stepping in. Otherwise you end up playing whack-a-mole at 2 a.m.
Agree with @ellmart on the pattern; we caught a 2 a.m. trio like this where all vouchers came off the same printer bank, so we set a velocity cap per issuing printer and quietly diverted >$900 to the cage for 20 minutes after the cluster. Small caveat: if you don’t have eyes in place, use a 2–3 minute ‘attendant review’ delay on the next redemption so you preserve the cadence and still get the footage.
We saw this cadence last month; after the second “within $25 in 15 minutes” we trigger a soft hold at the kiosk (ID re-scan + 30s delay) — buys us just enough time to see if it’s whack‑a‑mole or real while we watch the issuing printer bank; if serial prefixes cluster, we pivot to a floor intercept to capture footage/voucher images, otherwise we keep shadowing. Small caveat: false positives spike on promo nights, so we whitelist promo printers for two hours — @nwilso23, is your cap tied to printer or customer ID?
Quick example: we had a 1:55 a.m; cluster that looked like this; the tell was voucher serials landing within about 40 numbers across different IDs. We keep surveillance rolling until a third hit, then force the next redemption to the cage with a brief “system maintenance” prompt and verify the issuing device — keeps the thread intact without spooking them. Caveat: if the serials aren’t adjacent or tie to different printer families, I’d stay passive and tighten the rolling sum threshold for that kiosk bank, since sometimes three buses really do arrive at once.