Choosing the right fraud prevention strategy for your business

There are a number of important considerations to keep in mind when deciding how to manage fraud in any online business. Some simple factors include:  

  • the type of goods sold.
  • the value of the goods.
  • the target customer.
  • the location of the customers.

More complex factors include:  

  • the speed with which orders are fulfilled.
  • the percentage of orders fulfilled on mobile versus web.
  • the importance of the account creation, ordering and checkout process.
  • the balance of adding customers versus revenue per customer.
  • marketing and customer acquisition spend.

Strategies will necessarily vary, but there is one consistent truth: any business selling any good or service online that reaches some level of market penetration will be targeted by fraudsters.

See 'how online fraud happens' for how easily fraudsters can access the tools to do so.

Fraud prevention strategies for a growing business

There are a number of strategies you can work through to prepare for fraud and protect yourself from it. Depending on the scale and severity of the fraud hampering your business, it may be possible to work through these in order, or you may need to skip to more formal measures straight away.

  1. Do nothing but monitor. This is a surprisingly effective strategy for a growing business in its earlier stages. Before deciding on a strategy it’s useful to know the type of fraud that you will encounter, as well as its scale and characteristics. This doesn’t mean allowing an order that is obviously fraudulent to take place, but for many businesses it’s not always obvious that an order is fraudulent. Until you get the chargeback you may never have suspected a specific order was bogus. Gaining at least an initial picture of your fraud vulnerability will allow you to build stronger defences, as we shall see. So when you get hit by fraud, don’t panic. Use it as part of the learning process.
  2. Manually review all orders. In the case of our online watch retailer, painful as it might be, this could be the right strategy when starting out. In the case of cab rides, on the other hand, it’s simply not possible. But if there is the time, the volume allows and the average transaction value (ATV) is significant enough, then reviewing each order at least builds a very rich idea of what is happening with good and bad transactions in your business. The knowledge gained in manual review will lead to a more informed choice of fraud strategy later on.
  3. Implement some rules and review some orders. There are lots of rules-based fraud products out there, but you can start by creating your own and querying orders within your own database. A good rule of thumb when creating rules is that they should be based on experience gained through previous chargebacks or fraud factors you saw while doing manual review. So if, for instance, all the fraud you encounter is over a certain value, then create a rule alerting you when an order in this value range comes in. Again, for some fast-turnaround, high-volume businesses it will be hard to react to these notifications, so it’s important not to create too many and to keep monitoring your orders.
  4. Payment Gateway Fraud Product. Most payment gateways have some fraud options available, either built-in or as an additional option. If your gateway gives you some fraud levers to pull, it is worth investigating their impact for your business. If you do so, remember to watch the false positives as well as tracking whether they actually stop any fraudulent transactions. Gateways only have access to the checkout data and are therefore limited in how deeply they can impact your fraud prevention capabilities.
  5. Chargeback guarantee. Some businesses offer a form of chargeback guarantee, which means if you send the fraud company a transaction it will respond with either a score or a recommendation to accept or reject the order. If there is a subsequent chargeback on an accepted transaction, the fraud company is liable and pays.
    The benefits of a chargeback guarantee are clear but there are drawbacks. Firstly, you pay up to 4% or 5% for the transactions you send across. Secondly, selecting the transactions to send remains a burden for the business. Thirdly, if you are hit with previously unseen fraud types, it is likely that those transactions will not be sent for guarantee and the chargeback liability remains with the merchant.
  6. Full Fraud Solution. Your business has grown to the point where it has order volumes that negate the possibility of manual reviews. Your home-cooked rules are coming under pressure and the gateway fraud solution is killing conversion or not stopping fraud. These are all signs that it is time to look to a fuller fraud product. At this point you should be armed with a degree of insight and knowledge on fraud and your business that will make your choice both informed and effective.

What are false positives and why should I worry? 

Preventing a legitimate buyer from purchasing on your website or app is a false positive. While it’s unfortunate, it can happen for a lot of reasons: user error, payment gateway decline, good customers with bad cards, bank error. 

However, a false positive can also happen because your fraud strategies are wrong or have become wrong over time. Having too many false positives is usually a sign that your fraud strategies are too stringent. Having zero or very few, however, is usually an indication that your fraud strategies are too lax! There is no perfect fraud solution, so finding the balance is a constant task, and the appropriate level of tolerance will depend on where you are as a business and how highly you value fraud prevention over margin protection.

What are false negatives? 

A false negative is when a transaction is allowed to happen when it should have been prevented. Usually this is spotted when a dreaded chargeback arrives. Even with the best solution in place you should be prepared for this to happen. The key is to learn from the experience and feed it back into your fraud strategies to make sure the same type of fraud does not happen again. 
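
The home-made rules from step 3 can be checked against the two error types described here by replaying them over past orders once the chargebacks are known. The following is an added example, not code from the original page; the order fields, the rule names and the 650 threshold are assumptions, and the order history is constructed.

```python
from dataclasses import dataclass

@dataclass
class Order:
    order_id: str
    value: float           # order value in your account currency
    account_age_days: int  # age of the account when the order was placed
    chargeback: bool       # label learned later from the chargeback feed

# Constructed sample history; in practice this is a query on your own orders table.
ORDERS = [
    Order("o1", 40.0, 300, False),
    Order("o2", 950.0, 1, True),
    Order("o3", 700.0, 400, False),
    Order("o4", 820.0, 0, True),
    Order("o5", 35.0, 2, False),
    Order("o6", 60.0, 1, True),
    Order("o7", 1200.0, 90, False),
    Order("o8", 15.0, 30, False),
]

# Hypothetical rules, each based on a pattern seen in earlier chargebacks.
RULES = {
    "high_value": lambda o: o.value >= 650,
    "high_value_new_account": lambda o: o.value >= 650 and o.account_age_days <= 7,
}

def backtest(rule, orders):
    """Replay one rule over labelled history and count both kinds of error."""
    tp = sum(1 for o in orders if rule(o) and o.chargeback)
    fp = sum(1 for o in orders if rule(o) and not o.chargeback)  # good buyers flagged
    fn = sum(1 for o in orders if not rule(o) and o.chargeback)  # fraud that got through
    flagged = tp + fp
    return {
        "flagged": flagged,
        "false_positives": fp,
        "false_negatives": fn,
        "precision": tp / flagged if flagged else 0.0,
        "recall": tp / (tp + fn) if (tp + fn) else 0.0,
    }

def report(orders=ORDERS):
    """Backtest every rule so the stricter and looser variants can be compared."""
    return {name: backtest(rule, orders) for name, rule in RULES.items()}
```

On this sample, narrowing the value rule to new accounts removes both false positives, while the low-value chargeback `o6` stays a false negative under either rule and is the kind of case to feed back into the next rule.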

How do I spot a fraudster creating multiple accounts? 

There might be legitimate reasons for a single individual to open up multiple accounts on your service. However, opening multiple accounts that remain dormant and appear unconnected at first glance is a clear sign that the fraud sharks are circling. Why is this? 

  • Opening an account and leaving it for days or weeks means the account has aged and will avoid any simple ‘Account Age’ rules that many merchants have.
  • Carding (testing multiple cards bought online to see which ones work) will often result in the blocking of an account. Since being able to move swiftly to another is beneficial, fraudsters open many at the same time.
  • When a vulnerability on a site is found, having multiple accounts to attack it in a short timeframe will ensure maximal return for a fraudster.
  • Voucher fraud or some kind of bonus fraud that requires a single account can be rapidly exploited by multiple accounts.

So if there are a lot of accounts with no activity sitting on your network it’s worth investigating. Spotting legitimate and illegitimate accounts is more difficult. If you are sure you have found a bogus account, try to find others with the same email address or a similar one. In reality, with a scaled business you need some clever tech. Ravelin uses graph network databases to do this and provides our users with useful visualisations so you can instantly see and block accounts that are associated with a fraudster. This is an incredibly effective tool in the battle against fraud.
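
A small-scale version of the linking idea above, as an added example that is not Ravelin's implementation: accounts are joined into clusters when they share a normalised email address or a device, and clusters containing several aged accounts with no orders are reported. The device identifier, the field layout and the thresholds are assumptions, and the account list is constructed.

```python
from collections import defaultdict

# Constructed sample: (account_id, email, device_id [assumed field], days_since_signup, orders)
ACCOUNTS = [
    ("a1", "jane.doe@example.com", "dev-1", 400, 12),
    ("a2", "j.smith+1@example.com", "dev-7", 21, 0),
    ("a3", "j.smith+2@example.com", "dev-8", 21, 0),
    ("a4", "jsmith@example.com", "dev-8", 20, 0),
    ("a5", "k.lee@example.org", "dev-9", 19, 0),
    ("a6", "k.lee@example.org", "dev-7", 3, 1),
]

def normalise_email(email):
    """Similarity heuristic, not identity: lower-case, drop '+tag' and dots in the local part."""
    local, _, domain = email.lower().partition("@")
    local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"

def link_accounts(accounts):
    """Union-find over accounts; an edge exists when two share an email or device."""
    parent = {a[0]: a[0] for a in accounts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x

    seen = {}  # attribute -> first account seen with it
    for acc_id, email, device, _, _ in accounts:
        for key in (("email", normalise_email(email)), ("device", device)):
            if key in seen:
                parent[find(acc_id)] = find(seen[key])
            else:
                seen[key] = acc_id
    clusters = defaultdict(set)
    for acc_id in parent:
        clusters[find(acc_id)].add(acc_id)
    return list(clusters.values())

def suspicious_clusters(accounts, min_size=3, min_age_days=14):
    """Clusters where several linked accounts are aged but have never ordered."""
    info = {a[0]: a for a in accounts}
    out = []
    for cluster in link_accounts(accounts):
        dormant = {i for i in cluster if info[i][3] >= min_age_days and info[i][4] == 0}
        if len(dormant) >= min_size:
            out.append((sorted(cluster), sorted(dormant)))
    return out
```

In the sample, `a6` looks like an ordinary new customer on its own, but it shares an email with `a5` and a device with `a2`, which places it in the same cluster as four dormant accounts.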

When should I use 3DSecure?

You can read more about 3DSecure (3DS) in 'An introduction to online payments', which is worth reading as it discusses the limitations of liability shift. Here we will concern ourselves with when to deploy it in the customer journey, if at all.

3DS has a negative impact on conversion, so the decision to use it should be taken carefully. Unless you are fortunate enough to be in a position where the user has little choice but to buy from your service, 3DS needs to be deployed within some limited parameters. Applying it to every order will have a severe impact on your conversion.

Here are some non-exhaustive recommendations for when to deploy it as a tactic: 

  • Push orders that would be rejected anyway through 3DS. That’s to say orders you have assessed as high risk and are likely to reject. Pushing the liability to the card scheme in these cases makes sense.
  • Push first time, high value orders to 3DS. If a customer is new and the value of the purchase is high compared to your average transaction value then pushing them through more security is reasonable and expected.
  • Automate 3DS for certain risk profiles. This requires use of a fraud-scoring system like Ravelin’s that can route certain users with a specified risk score through 3DS using an automated API callback. This is an incredibly effective use of 3DS.
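
The three recommendations above can be expressed as one routing function and measured for how much checkout friction they add. This is an added example, not Ravelin's API or code from the original page; the score scale, the thresholds, the field names and the order batch are all assumptions constructed for illustration.

```python
# Hypothetical thresholds; tune them against your own false-positive and chargeback data.
REJECT_SCORE = 80          # at or above this score the order would otherwise be rejected
CHALLENGE_SCORE = 50       # risk profile that is routed to 3DS automatically
HIGH_VALUE_MULTIPLE = 3.0  # "high value" means this many times the average transaction value

# Constructed sample batch of scored orders.
ORDERS = [
    {"id": "o1", "value": 30.0, "risk_score": 5, "first_order": False},
    {"id": "o2", "value": 45.0, "risk_score": 10, "first_order": True},
    {"id": "o3", "value": 400.0, "risk_score": 20, "first_order": True},
    {"id": "o4", "value": 50.0, "risk_score": 85, "first_order": False},
    {"id": "o5", "value": 25.0, "risk_score": 55, "first_order": False},
    {"id": "o6", "value": 40.0, "risk_score": 15, "first_order": False},
    {"id": "o7", "value": 35.0, "risk_score": 8, "first_order": True},
    {"id": "o8", "value": 55.0, "risk_score": 12, "first_order": False},
]

def route(order, atv):
    """Return (action, reason) for one order; action is 'ALLOW' or '3DS'."""
    if order["risk_score"] >= REJECT_SCORE:
        return "3DS", "would be rejected; challenge instead"
    if order["first_order"] and order["value"] >= HIGH_VALUE_MULTIPLE * atv:
        return "3DS", "first-time, high-value order"
    if order["risk_score"] >= CHALLENGE_SCORE:
        return "3DS", "risk profile routed automatically"
    return "ALLOW", "low risk; keep checkout frictionless"

def challenge_rate(orders):
    """Route a batch and report the share of orders that see a 3DS challenge."""
    atv = sum(o["value"] for o in orders) / len(orders)
    decisions = {o["id"]: route(o, atv)[0] for o in orders}
    rate = sum(1 for a in decisions.values() if a == "3DS") / len(orders)
    return decisions, rate
```

Tracking the challenge rate alongside conversion shows whether 3DS is staying within limited parameters or drifting towards being applied to every order.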