The Four Elevations of Effective Fraud Prevention

· BleepingComputer

Effective fraud prevention programs call for monitoring across every customer touchpoint from account creation to checkout, login to customer service interactions. Once established, this practice provides ground-level insights on user engagement on an interaction-by-interaction basis.

While this is a necessary layer of visibility, appropriate collation of various data sets provides the context for the identification of advanced fraud methods and early detection of emerging trends.

Below, we provide one fraud case with examples of relevant data visibility across 4 levels necessary for establishing a competitive fraud program in this constantly evolving world. 

Transaction Level: The individual interactions of users monitored and decisioned in siloes. 

Commonly, a fraud program will begin with pressure from chargebacks inciting action for monitoring transaction performance at the checkout page.

Fraudsters are persistent. When one door closes, they move to the window, the garage, and so on; Payment fraud attacks shift into Account Takeovers, deposits into transfers, Account Takeovers upstream to identity theft / synthetic ID Fraud and Mule Accounts. 

The shift happens in seconds and impacts our organizations in many ways. 

In response, practitioners deploy checks at each touchpoint. This is effective for many isolated fraud incidents but can result in increased false positives and false negatives. 

Account Level: The performance of the account over time. 

Device Intelligence, spending behaviors, geolocation, behavioral biometrics, step-up verification interactions, all help to identify evidence of account-level exploits like Account Takeovers (ATOs). 

The benefit of tracking this level of performance becomes especially clear when contrasting fraudster behavior against the historical performance of the account. Fraudsters cannot duplicate what has been defined as ‘trusted’ behavior and still get what they are after. 

They will seek to change payment information, bypass automated verifications, satisfy verifications after what can be deemed “a suspicious number of attempts”, associate new addresses / geographies, and more. 

When monitored appropriately, fraudster behaviors emerge clearly and afford practitioners increased confidence and accuracy.  

Platform Level: The performance of grouped accounts on a single platform. 

By successfully tracking performance of both ‘trusted’ and ‘confirmed fraud’ account performance, practitioners leverage these deeper insights resulting in less friction for trusted interactions, increasing customer satisfaction, and decreasing false positive rates. 

Additionally, fraud rings and multi-account attacks are quickly identified based on geolocation, device intelligence, IP resolution, and more, decreasing the time that multi-account exploits are active on the platform. 

Don’t be fooled by a single-layer fraud defense.

Build an effective fraud program that addresses threats at every elevation without sacrificing your budget or customer experience.

Sign up for a free trial today for 1,000 free credits!

Schedule A Demo

Network Level: Partnerships with providers in the space, delivering data enrichment and decisioning based on insight across their network.  

Until this point, we have spoken about the rich data available to practitioners operating in isolation. By partnering with a solution provider, your fraud program leverages the performance of all of the other practitioners.

“First seen to you is not first seen to us.” 

Example Fraud Case: A fraudster is adamant about attacking a particular platform with stored value. For this example, we’ll use a bank. The fraudster is armed with typical information; payment information, Identity Information, and system knowledge. The majority of fraudsters have this access and deploy new methods at a moment’s notice. 

For this exercise, we will use a common fraud method wherein the fraudster sees that the target identity banks with ‘Bank X’. The fraudster accesses the account to do 3 things; Transfer funds into the account from other compromised funding accounts, request a card for an ‘Authorized User’ (the fraudster), transfer funds to a 3rd compromised account off-platform.

Transaction Level: Logging into the account is performed by contacting customer service; historically underserved, heavily reliant on knowledge-based verifications (KBVs). The fraudster is equipped with bureau information and is prepared to satisfy the verification process. 

The fraudster resets access information and orders an authorized card for a new authorized user for the account. Too rarely does this process receive the appropriate level of scrutiny. 

The fraudster reviews the spending behaviors of the account and mimics the dollar amounts for transfers into the account and withdraws from the account. Following the historic behavior seen in the transaction summaries, the fraudster follows the same behaviors.

From the transaction level, the fraudster is flying under the radar and triggers siloed verifications that they are prepared to satisfy. The clock ticks until the real account holder contacts customer service and files a report. The problem that started with customer service is finally identified at customer service. 

From an Account Perspective, this fraudster has exhibited many suspicious behaviors: 

  1. Calling customer service from a new phone number 
  2. Updating contact information
  3. The time to ordering a secondary card
  4. The relationship to the authorized user and the account holder
  5. The timeline of transfers and withdrawals 
  6. The device used to interact with the platform and initiate these suspicious actions 

Any of these interactions can be monitored and tracked with associated verifications. Again, reinforcing the idea of accuracy is a key point, when viewing the storyline from this altitude, confidence should be high. 

From a Platform Perspective, it is unlikely that this storyline was the first of its kind. By tracking these events with automation, practitioners will identify the other occurrences and pick out regions, IPs, devices, and behaviors that transcend the performance of the single account. This, in turn, informs the decisioning downstream. 

This entire process takes a matter of hours to execute. As we know, fraudsters are not operating against one account at a time. It is likely that many other accounts are currently walking through this same scenario. Time to action is vital to avoid deep financial impact. 

Indicators include: 

  1. The shipping address for the “authorized card / user”. 
  2. Device Fingerprinting 
  3. Geolocation of the user 
  4. Geolocation of the withdrawals 
  5. Dollar amounts (though crafty fraudsters follow the behaviors of the accounts, many will gradually increase amounts over time, which is a valuable indicator) 
  6. Funding institutions 

…..and more 

Looking at this from a Network Perspective empowers practitioners to automate against known suspicious data points such: 

  1. The phone number that call customer service, 
  2. The device used to interact with the platform 
  3. The shipping address used for the authorized card / user 
  4. The name of the authorized user 

….and more. 

By leveraging network information, practitioners are afforded the opportunity to leverage the insights provided by peers’ operations to make a decision in the moment and apply these findings downstream and across the entire platform. 

Schedule a consultation with one of IPQS Fraud Experts today!

Sponsored and written by IPQS.