As long as businesses have accepted payments, there has been fraud. And as long as fraudsters have tried to abuse the system, others have tried to prevent them.
This has only accelerated in the digital age. Fraud cost businesses worldwide a total of $5.127 trillion in 2019, with no signs of slowing down in the near future.
In this in-depth guide, we’ll see what online fraud looks like, why it happens, and, of course, what kind of systems you should deploy to protect yourself.
Fraud Management, Detection, or Prevention?
You’ll encounter many different interchangeable terms for the same service. Others include risk management, anti-fraud, risk tech, or even customer insult rate.
Why Online Business Fraud Happens
Businesses must accept payments online to survive. And anyone with a computer and Internet connection can take advantage of that. The same technology that makes it easy to purchase goods and services allows bad agents to act anonymously or by using identity theft.
What Makes an Online Business High Risk?
Historically, high-value items were the preferred targets. Ecommerce stores that held luxury items, expensive electronics or jewellery were considered high risk.
These days, any company that acts as an e-wallet is also attractive to fraudsters. Criminals want the quickest route to cash, and draining a bank account or crypto wallet is easier than reselling items on the black market.
iGaming operators also have a notoriously hard time with fraudsters who abuse their online casinos by bending the rules and taking advantage of cheap technology to create multiple accounts and cash out multiple bonuses.
The Most Common Types of Fraud You’ll Encounter
If you think of in-person fraud, maybe it’s someone impersonating someone else. They’re using a made-up identity. Or working with a stolen personal credit card to purchase items.
The parallels with the online fraud world are numerous:
Without a doubt, the most common type of online fraud. It’s also known as card fraud, because the key component is that someone buys something with a card that isn’t theirs.
It doesn’t matter if the purchase is for a mobile, bitcoin or a Netflix account. Fraudsters will purchase anything, knowing that the money isn’t theirs and that they can resell goods or services on the clear net (eBay) or dark net (specific marketplaces).
- How it works: fraudsters get financial details like credit card numbers through illegitimate means. They can be purchased in bulk on the dark web, or acquired via phishing or hacking.
- Who it affects the most: a growing number of businesses. Of course, eCommerce and online retailers are the most evident targets, but OTA (online travel agents), and SaaS are now also increasingly victims of transaction fraud.
- What happens next: the cardholder’s money is essentially stolen. If they realize something strange happened (via a credit card statement or phone banking alert, for instance), they will report and contest the payment. This is called a chargeback and it’s one of the costliest problems for businesses.
- Key solution: your business must gather as much information about the users, without increasing friction. This is something data enrichment is particularly good at.
A Note About Chargebacks
If someone contests a payment made to your business, they will initiate a chargeback request, which is within their rights. Sometimes, the cardholder’s bank can do it automatically too. Because reversing the funds back to the cardholder is expensive, you will have to pay a chargeback fee, ranging from $20 – $50.
If it happens too often, the card company might also put you on a high-risk list. You could be banned from processing payments by Visa or Mastercard, which could sink your business.
Similar to transaction fraud, but the card is still in the possession of the cardholder. They may still contest the payment if someone in their family used it (which is why it’s also called family fraud), if they don’t recognise the charge, or if they’re not satisfied with what they received (an error on your part, buyer’s remorse, etc.).
Sometimes, the cardholder knows they will make a chargeback request as soon as they buy the item or service. Their goal is to claim they never ordered or received it, and to get their money back. This is also known as chargeback fraud, and it is particularly common with digital goods, where it’s harder to provide proof of shipping.
- How it works: the cardholder or someone in their family makes a payment. The transaction is later contested for a variety of reasons.
- Who it affects the most: similar to transaction fraud, this can happen to anyone.
- What happens next: you have to go through a lengthy and complex chargeback dispute.
- Key solution: it’s very hard to fight friendly fraud preemptively, but you can still look at customers’ buying patterns and use your tool to create rule sets that can help identify suspicious behaviour.
A more complex type of fraud, where bad agents apply to online services using false identification documents.
The personal information IDs can be completely fake (using made-up names and photoshopped documents, for instance), or synthetic. Synthetic IDs are a mix of real information (a legitimate scanned passport copy) and made-up information (a fake email address).
- How it works: fraudsters use online services to create fake ID documents. They can also buy them on the dark net, including full name and surname, digital ID copies, social security numbers, etc.
- Who it affects the most: banks, fintechs, crypto exchanges, payday loan providers.
- What happens next: fraudsters may abuse your service, default on loans, and you might have to pay heavy KYC and AML fines, which cost businesses billions of dollars per year, unless they leverage financial fraud prevention.
- Key solution: when it comes to proving a customer’s identity, data enrichment is once again one of the strongest tools in your arsenal.
Fraudsters will steal anyone’s online account, which is known as an account takeover or ATO attack. For a complete guide on the topic, you can refer to our guide on account takeovers and how to stop them.
Once again, it doesn’t matter if it’s an online account with Uber, Spotify, Amazon, or a mom and pop store. They will try to log in, either to drain the account of funds, or to mine it for personal information.
- How it works: fraudsters purchase account login details on the dark net, acquire them through phishing (social engineering), malware, or get lucky with brute force.
- Who it affects the most: no online service is safe from account takeover.
- What happens next: your users will believe they’ve been hacked. You’ll have to support them to recover their data. If the account held funds, you’ll probably have to pay chargeback fees too.
- Key solution: IP analysis, along with looking at a user’s software and hardware configuration via device fingerprinting, is key to instantly detecting suspicious connections and protecting your users’ accounts.
Multi Accounting / Bonus Abuse
The fraudulent practice most of us are likely to have committed. You might have a couple of social media accounts, e.g. one under your own name and a private one. Or maybe you’ve sent yourself a discount coupon and created a new account to sign up to a service you already used.
On a large scale, the practice can cost businesses millions of dollars. Fraudsters will scale up their operations using bots to perform all kinds of illegal tricks, such as controlling multiple players at an online poker table, or claiming a referral bonus thousands of times.
- How it works: a fraudster or criminal organization creates multiple accounts on a platform in order to exploit it.
- Who it affects the most: common in the world of iGaming and online casinos. But any modern business with loyalty and referral programmes (fintechs, eCommerce, and crypto exchanges) is now regularly targeted.
- What happens next: all your marketing efforts are wasted. If you’re a gaming or iGaming platform, multi accounting makes it unfair for other players, who will look for alternatives.
- Key solution: spotting connections between accounts is tricky. But analyzing a customer’s behaviour and browsing habits through velocity rules and device fingerprinting can help.
The Tools of Fraud Prevention
If we examine all the most common fraud types above, we can see a pattern emerge. In fact, fraud is really only ever about one thing: trying to understand how risky your user is.
Which is why most of the features found in good fraud detection software will first and foremost have to do with acquiring good data.
Digital Footprint Analysis
Any visitor who lands on your website already carries with them considerable amounts of valuable information, which you can extract with a device fingerprinting solution.
It will gather hundreds of data points relating to users’ configuration of software and hardware.
This will let you know if they are connecting from a PC or smartphone, whether they are using incognito mode, or even more suspicious: if they use emulators to connect to your site.
So how do you get to learn as much as possible about a user without making them fill data fields?
Well, it’s much easier to acquire fewer data points, and enrich that information from other databases:
- Email, IP and phone analysis: a single data point like an email address or phone number can actually reveal a lot. Was the domain address free? Is the number valid? Are they connecting via a VPN?
- Social media lookup: you can go one step further and link the user’s data with their social network accounts. This can give you a picture, a last seen date, etc.
Do You Really Need Fraud Prevention Services?
It will depend on a number of factors, such as vertical risk, chargeback rate, and more. To learn more, you can check out this article on whether fraud prevention services are right for you.
It even includes a handy ROI calculator, to give you an idea of the cost versus benefits of deploying anti fraud tools.
Acquiring data is one thing. Understanding what to do with it is another. Which is why your fraud management system should come with a powerful risk scoring engine.
The way these engines work is by feeding the data through a series of rules. Each rule will add or subtract points from the risk score.
Examples of the rules could be:
- Does the user have a social media account?
- Has their email address appeared on any data breaches?
- Have they tried logging in with the wrong password several times in a row?
- Are they shipping an item to an unknown address?
Of course, the challenge here is to search and find rules that make sense for your business. Which is why the best fraud management solutions will include a set of rules tailored for your industry, or you could even leverage the power of Machine Learning, where the system suggests rules automatically.
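A minimal sketch of such a rule-based scoring engine, added here as an illustration and not SEON's code. The `Signals` fields, rule names, point values (including their signs), the failed-login limit and the approve/review/decline thresholds are all assumptions to tune against your own fraud data; the sample users are constructed.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class Signals:
    """Constructed inputs; in practice they come from enrichment and login/order logs."""
    has_social_profile: bool
    email_in_breach: bool
    failed_logins_in_a_row: int
    shipping_address_known: bool

@dataclass
class Rule:
    name: str
    applies: Callable[[Signals], bool]
    points: int  # positive adds risk, negative subtracts it

# One rule per example question above. Weights and signs are assumed, not vendor defaults.
RULES = [
    Rule("social_profile_found", lambda s: s.has_social_profile, -10),
    Rule("email_in_data_breach", lambda s: s.email_in_breach, 5),
    Rule("repeated_failed_logins", lambda s: s.failed_logins_in_a_row >= 3, 20),
    Rule("unknown_shipping_address", lambda s: not s.shipping_address_known, 15),
]

APPROVE_BELOW = 10  # assumed threshold: scores under this pass automatically
DECLINE_FROM = 30   # assumed threshold: scores at or above this are blocked

def score(signals: Signals):
    """Return the total risk score and the names of the rules that fired."""
    fired = [r for r in RULES if r.applies(signals)]
    return sum(r.points for r in fired), [r.name for r in fired]

def decide(signals: Signals):
    """Map the score to an action; the middle band goes to manual review."""
    total, fired = score(signals)
    if total < APPROVE_BELOW:
        action = "approve"
    elif total >= DECLINE_FROM:
        action = "decline"
    else:
        action = "review"
    return action, total, fired

if __name__ == "__main__":
    for user in (Signals(True, False, 0, True),    # constructed: regular customer
                 Signals(True, True, 0, False),    # constructed: grey-area order
                 Signals(False, True, 4, False)):  # constructed: likely takeover
        print(decide(user))
```

Returning the list of fired rules alongside the score lets a reviewer see why a case was flagged, which matters when a legitimate customer disputes a decline.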
The Challenges of False Positives
False positives are cases that are marked as fraudulent when they are in fact legitimate. They are extremely frustrating for your customers, and could damage your business reputation.
This is why fraud managers are always performing a difficult balancing act between security and business goals. They want to allow as many payments as possible without increasing their fraud rates. On the flip side, they want to stay safe, without increasing false positive rates. This is why certain cases that fall into a grey area still need to be reviewed manually.
How to Deploy Your Fraud Management Services
Ideally, you will have multiple options depending on your needs. For instance, SEON offers a powerful API, or you can use our data enrichment modules manually. There’s even a Google Chrome extension for those who just need the odd data enrichment request.
The key here is to have enough flexibility to add and remove tools as needed. At SEON, for instance, we believe in true modularity, which allows you to scale your operations and fraud detection at the same time.
Choosing the Right Fraud Tool
Hopefully, at this stage you should have a good understanding of how fraud works online, and the features you need to fight it. But of course, fraud protection is a business decision and an important one at that.
Will you gain more benefits by using a fraud detection API? Or does it make sense for you to use manual data enrichment? And how much will the solution cost? Will you be able to prove ROI?
These are all questions we cover in our ebook on choosing the right fraud prevention tool for your business. And of course, we continuously strive to educate our readers and clients about the latest trends and benefits in our resource pages.