Someone once said to me “Fraudsters are lazy.” It is this misunderstanding of the type of people committing fraud that leads online merchants to create ineffective fraud prevention policies. This is not a post on the psychology of fraudsters, but rather a discussion of how understanding that fraudsters are not “lazy” will help you create better fraud prevention strategies.
Fraud is not a black and white issue. It has been around since one person decided to deceive another person – so pretty much forever. In our day and age, fraud has evolved from deceiving one person to deceiving hundreds of thousands. According to Statista, more than 40 percent of worldwide Internet users have bought products or goods online via desktop, mobile, tablet or other devices. This equates to more than 1 billion online buyers.
The amount of people utilizing the Internet for purchases is staggering; the sheer number of fraudsters attempting to deceive these shoppers is just as staggering. According to Europol “victims lose around $288 billion each year worldwide (source: Norton Cybercrime Report 2012) as a result of cybercrime, making it more profitable than the global trade in marijuana, cocaine and heroin combined.” Fraud prevention has been playing catch up since day one.
Aaron Johnson, CTO of Retriever of Chicago (former manager of Merchant Risk at Vantiv/NPC) remembers a time where he and his risk team at NPC tried to catch high risk orders by reviewing every single credit card processing batch that came through every day. This type of manual review became ineffective and inefficient as the company grew, acquired new portfolios, and expanded their business. Now, they were unable to catch actual fraud.
Johnson sat down with a programmer and went through “ … case study after case study after case study. We reviewed activity that turned out to be fraud or chargebacks and came up with hundreds of rules [for identifying fraud]. Going through the database orders, we eventually went to production with 20-25 scored rules.” These rules would form the backbone of a manual review system designed to allow frictionless processing for valid orders, and catch as much high risk/high fraud orders for review.
This type of data analysis and rule development is also the backbone of a lot of fraud prevention today; Aaron’s team was doing this 5-10 years ago at a small credit card processor in Tinley Park, IL.
Profit vs. Risk
Johnson often states that he is in the business of “risk management — not risk elimination.” This new system helped his team identify the small amount of orders that needed manual review, and process all the valid orders without delay. Ineffective fraud policies focus on risk elimination at the downfall of any current fraud system development. Trying to eliminate every instance of potential fraud becomes a wild goose chase where eventually the snake will eat its own tail – it’s impossible and impractical.
Johnson points to his mentor as the person who helped shaped this understanding of risk management and prevention. Any tool that creates friction for end-users; any tool that forces a customer to abandon their transactions; any tool that stops a transaction from happening is an ineffective tool. Risk elimination means declining every single order that even remotely looks fraudulent. Risk management means having a tool and a team that understands there is a grey area in the world of ecommerce and fraud.
Evolution of Fraud
If a fraud prevention team is spending this much time developing tactics to prevent fraudsters from stealing from us, imagine how much time fraudsters are spending on their products. They utilize VPNs to hide their actual locations. They autofill everything to avoid basic entry mistakes. They steal customer address information for AVS from something as simple as whitepages.com. They spoof their browsers. They create bots that now spend more time on every page to make themselves look like actual customers — and so much more. Fraudsters might be on the fringe of society, outside the established mores — but lazy they are not.
The most successful fraud prevention teams have a fully developed fraud tool that looks at the whole picture. They take single risk identifiers and connect them all together to make better, more complex rules. Technology like device fingerprint is required; they are not a “nice to have” tool. IP and proxy identification are the norm. Customer entered data are less a measure of validity and now just one piece of a large puzzle of identifying valid customer behavior. Bots are not scary tools of the Matrix any longer. Continuing to push the boundaries of risk management, advanced fraud teams look for whatever edge they can find to fight fraud. Fraud is a whole world of grey colors and uncertainties, but effective fraud policies combined with a sophisticated fraud tool help you manage risk properly.
Fraud prevention continues to develop. Machine Learning/AI is already here for some companies and around the corner for many others. Trying to keep up with fraudsters means staying on the cutting edge of technology. Identifying data points that only a machine can connect is the next step. Fully analyzing customer behavior through complex algorithms will soon be common. Where teams once spent time reviewing every single batch or orders that came through their system, soon they will be feeding the machine new data through advanced analysis and reporting.
Aaron Johnson points out that their system, while not unsophisticated, had “none of this advanced machine learning or neuron networks,” but it did cut their manual review efforts in half. They were pushing the boundaries of risk management. Fraud prevention teams can learn from this type of thought leadership by creating effective fraud policies, spending time developing a fraud prevention tool, and looking at what is happening in the technology world. Fraud is continually adapting and changing — so should you.
The future is here. Stop playing catch up with your fraud prevention techniques and tools. Invest in your risk management (not risk elimination) strategy and the dividends will be worthwhile. Or don’t, and watch as the fraudsters win.