5 characteristics of online fraud, and what they tell us about a good prevention strategy
In the previous post I described the various factors that determine how much fraud you, the online merchant, see at your front door, and how sophisticated it is. In this post I’d like to characterize fraud’s “behavior” and infer from it the fundamentals of a good fraud prevention strategy.
To recap, the factors I described were:
Visibility: If and how visible your business is to fraudsters
Your competition: How good is your competitors’ fraud prevention
Evolution of fraud: How professional fraud has become
Fraud ROI: How profitable is your business to fraudsters
As a sophisticated activity perpetrated by many intelligent humans in a variety of contexts, online payment fraud doesn’t have one “behavior”. However, it is beneficial to call out some characteristics of fraud by analyzing the factors above, and by examining, over years, exactly what fraudsters are doing, how and why. A deep understanding of fraud is crucial in planning and executing effective long-term fraud prevention. (You’d think I was stating the obvious, but it’s actually quite common to “jump to solutions” before sufficiently understanding a problem.)
Let’s talk about characteristics of online fraud, as experienced by online merchants and payment providers, and then try to draw from them the requirements for a solid fraud prevention strategy.
The characteristics of fraud
1. Erratic: surprising & irregular in quantity
As I’ve discussed, fraud tends to appear, seemingly, out of the blue. Once it’s there, it doesn’t have any reason to grow in proportion to your sales. Your CFO would love to keep fraud losses at a fixed (low) percentage of your volume, and consider it just another “cost of doing business”, but fraud attacks tend to materialize quickly and a scalable attack might cause a large spike in the fraud-loss curve. Fraud can also seem to go away (as a result of something you did, or not), but there’s no guarantee it’s gone for good.
The key to dealing with such an “erratic” phenomenon is preparedness: education, early detection and effective tools and processes enable you to react quickly and “smooth” the fraud-loss curve.
2. Adaptive: changing in quality and reactive
You carry an umbrella in your car on dry days too, because you know that weather can change abruptly and you want to be prepared. Fraudsters go through trial and error and often vary their methods, so you always need to be prepared for changes.
But there’s a big difference: rain doesn’t develop new ways to beat umbrellas. Fraudsters, on the other hand, react to your defenses and find ways to circumvent them. While it is tempting to predict that future fraud in your system will be similar to the fraud you’ve already seen, such predictions are always going to fall short.
This means that fraud prevention requires an understanding of what fraudsters can do, in addition to what they have already done. It also explains why prevention cannot rely solely on statistical solutions based on past data.
3. Sly: mimicking the “goods”
A fraudster’s job is to submit an order on your website that looks like it came from one of your best customers. Fraud prevention is the ability to detect that it’s a fraudulent order, and at the same time accept your best customers’ orders without any friction. It’s impossible to be 100% accurate, so the result is that you will turn away some very good business in the process.
This may be the single most important challenge in fraud prevention, but sadly, it is not adequately addressed, and not often discussed by fraud professionals and tool vendors. There is an implicit assumption that preventing a fraudulent transaction is more important than preventing insult to a good customer. It’s a very slippery assumption that may end up hurting your business growth.
4. Ongoing: here to stay
Even after you’ve made great strides in prevention, you cannot make fraud go away. As long as there’s money to be made, fraudsters will keep trying. Moreover, the very evolution of your business provides fresh opportunities for fraudsters: new checkout options, improvements to user experience, promotion in the holiday season, a new version of the mobile app… any of these might have loopholes that require your attention.
The point here is that fraud is managed, not “solved once and for all”. Fraud prevention is an ongoing effort which requires ongoing investment in people, tools, processes, research and management’s attention.
5. Professional: increasing in sophistication
As I explained in the previous post, a significant chunk of ecommerce fraud is now perpetrated by professionals whose work is to set up scalable operations that milk money from insufficiently protected online businesses.
This means prevention, too, needs to be done by pros. In interacting with clients I often see well-intentioned people making decisions and taking actions without a formal understanding of fraud. In the long term, these actions might fall short in preventing fraud, and will often have adverse effects on the business and its best customers. Fraud is not prevented with broad strokes; it requires diligently drilling down to details.
Requirements for a prevention strategy:
It’s now time to call out the high-level requirements for a prevention strategy that emerge from observing these characteristics of online fraud.
Requirement #1: Have a strategy. Even if you haven’t experienced any fraud yet, don’t ignore the problem. Get educated, assess your risks and make an informed decision. For some businesses the decision may be not to worry about fraud for now (there could be legitimate reasons), but make this decision consciously and know when you need to revisit it.
Requirement #2: Let pros handle fraud. Hire a professional to run fraud prevention in-house. Fraud prevention tools need to be used with skill so they stop the fraudsters without shooing away your good customers. Even if you decide to outsource fraud prevention (there are some emerging services out there) you may still need an in-house expert.
Requirement #3: Think long-term. Your fraud/loss prevention person needs to be a manager and needs to have your ongoing support. They will need to grow with your business by setting up processes, acquiring tools, and maybe hiring and training talent. Fraud prevention is not a project, it’s a team.
Requirement #4: Get good at getting better. Since you’re engaging in an arms race, you’ll have no choice but to keep improving your prevention, just to keep up with the fraudsters and your business growth. Make sure that improvement cycles are built into your business processes: Monitor-Analyze-Fix-Deploy-Monitor…
Translating these requirements into an actionable plan must be done in the context of your business: there is no one-size-fits-all plan. But if you keep these basic requirements in mind, you are more likely to come up with a good long-term plan for the fraud challenge. I suggest that you start now.
In future posts I will take a closer look at various aspects of online fraud prevention. Stay tuned.