Certain embodiments of the present disclosure provide techniques for identifying and blocking anomalous transactions within a computing system. An example method generally includes selecting a set of accounts for analysis. For each respective account, an anomaly score is calculated based on an account number associated with the respective account and transaction amounts associated with the respective account. An aggregated anomaly score is generated for each respective account provider of a plurality of account providers based on the anomaly score associated with each respective account. The aggregated anomaly score for each respective account provider is normalized based on a historical minimum and historical maximum anomaly score for the respective account provider. One or more account providers that are potential targets of anomalous activity are identified. One or more actions are taken to block completion of transactions requested by one or more accounts associated with the identified one or more account providers.