Transaction fraud is inevitable, but what does it look like in practice for online businesses, and how can you improve detection?
In this post, we’ll go over some concrete examples of transaction fraud detection methods you can use, and how they work together to help your online operations.
How to Know if You Need Transaction Fraud Detection
The first giveaway that you need to monitor payments more closely will be because of chargebacks.
And just in case you aren’t sure of what they are: it’s the buyer protection in place designed by card network operators to ensure their customers aren’t being scammed by businesses. It allows cardholders to contest a charge, and get a refund.
If you start getting an unusual number of chargeback requests, it’s very likely that your business is being abused by bad agents.
This is a warning sign for many reasons.
You will have to pay large amounts in chargeback admin fees. You will spend inordinate amounts of time disputing the cases by providing all the evidence you can gather. And worse, if the rates are too high, card networks like Visa or MasterCard could put you on a high-risk list, or even block you from processing their card payments.
Anatomy of Transaction Fraud
There are many types of card fraud. The most common one will occur when bad agents get their hands on card data through phishing, data leaks, or thievery. Here’s an example of how it works with a darknet marketplace.
- Fraudsters acquire stolen credit card details on the darknet
- They purchase goods and services online with it
- They resell the items on the darknet or clearnet marketplaces such as eBay
- The cardholder notices an unusual charge, and files for a chargeback
- Your business has to refund the customer, and pay chargeback admin fees.
This puts a heavy burden on the business to block fraudulent payments ASAP. And unfortunately, the current trend shows that most businesses will see an increase in chargeback rates.
Why Are Chargeback Rates Going Up?
Card fraud is on the rise worldwide, and for any industry. In the UK alone, fraudsters managed to steal £1.2B in 2019. This is all due to a number of factors:
- Increase in CNP (card not present) payments: online businesses must accept as many payment channels as possible to remain competitive. This makes card not present fraud a growing challenge.
- Consumer demand for a frictionless experience: the more verification steps you put in place between the customer and their purchase, the more churn you will experience.
- Fraudster technology is easy to access: anyone with a computer, Internet connection and bad intentions can easily log onto a darknet marketplace, and use crypto to buy stolen credit card numbers.
- Increase in leaks of personal data: every month, millions of new customer records land on darknet marketplaces. Fraudsters can easily use them to fool verification systems before making a purchase for themselves.
- Friendly fraud is on the rise: whether accidental or malicious, there are certain cases when the real cardholder demands a chargeback. This is also considered fraud, albeit of the “friendly” type.
To top it all, the COVID-19 crisis has boosted the demand for online stores (as brick and mortar retailers had to close their doors worldwide). A high unemployment rate is also correlated with an increase in crime, and cybercrime has also risen by up to 33% during the pandemic.
What is Considered an Unusually High Chargeback Rate?
The old rule of thumb was that 1% of all payments could end up in chargeback requests. If you process 2,500 payments a month, it’s not out of the ordinary if 25 of them end up contested by the cardholders.
But there are some caveats. Firstly, each card issuer calculates monthly rates differently.
- Visa: the provider divides the number of chargebacks in a month by the number of transactions processed during the same month
- Mastercard: divides the number of chargebacks by the number of transactions the previous month.
Then, card networks agree that dispute rates vary widely depending on the industry or business model. For instance, you can find what kind of verticals are considered inherently high-risk directly from the Visa documentation.
What Happens If a Business is Considered High-Risk?
iGaming, crypto and FX trading exchanges, or retailers that sell expensive items like electronics and jewelry are de facto considered high risk. But if your chargeback and fraud alert rates shoot above the standard number for your vertical, you can also be placed on a special list.
The best scenario: you will have to pay extra fees for each payment with your acquirer. There are also more restrictions on the number of payments you can process monthly.
Worst case scenario: you will be barred from using that card network altogether. This would be a death knell for most online businesses who must rely on Mastercard, Visa or American Express to survive.
Keeping all that in mind, it’s easy to see why every business has every incentive to stop transaction fraud as soon as possible. Here are 5 steps to doing just that.
Interested In The Solution?
The 5 Steps To Better Transaction Fraud Detection
Now that we have a better understanding of why transaction fraud rates go up, let’s see what systems we can put in place to reduce them.
1. Enrich Your Customer Data
The key challenge when dealing with transaction fraud is linking the card to the correct cardholder. Of course, you could have complex authentication steps such as selfie ID, handwritten messages, or phone verification.
But in today’s world, it’s simply not practical nor effective. You cannot easily scale heavy KYC (know your customer) processes, and it also pushes customers away. Younger generations are especially sensitive to online obstacles, favouring a frictionless experience over security. If your competitors can make it easier, that’s where the customers will go.
So how do you balance security and friction? One solution is to work with the lowest amount of data points, and to enrich them to get a 360 view of your users. For instance:
- An email address: you can check if it looks suspicious by verifying the domain information. Is it from a disposable email service? Was it created only minutes before the transaction? Was it ever found on a data breach list?
- A phone number: has the user linked it with a Messenger app like Whatsapp? Is it a real number? Does it point to the same country as the card or not?
- IP address: does it point to a proxy, emulator or TOR connection? And how far is it from the cardholder’s billing or shipping address? IP analysis can help answer all these questions.
Ideally, all the extra information should come back to you in real-time, so you can make an informed decision within seconds, or feed it to your risk scoring engine (more on that below). This also helps you spot hidden customer connections, which comes in handy if you have to find bonus abuse or multi accounting.
2. Perform a Social Media Lookup
An increasingly powerful weapon in the fight against fraudsters is simply checking if they have a social network profile. Why does it work? Creating a social footprint is time-consuming, which means fraudsters who want to steal as much as quickly as possible don’t have the time to do it.
As a career fraudster mentioned when we interviewed him for our podcast:You just have to understand that if something takes a lot of time to deal with, like creating fake profiles on the Internet or creating fake Facebook accounts, etc., fraudsters wouldn’t do it. Click To Tweet
“Doing it would take more time and they would have a lower hourly fee so they’ll maybe go to another site where there are not so strong security measures.”
In practice, these security measures look like reverse social profile lookup. It’s used to see if the cardholder’s details point towards a social media network profile. You’ll be able to get information such as a bio, last time checked and gravatar.
A missing digital footprint should alert you that the user could be made up using the stolen ID and card details. According to our own research, for instance, 76% of customers who defaulted on their loans had zero social media presence.
3. Deploy Device Fingerprinting
A good fraud detection system should also give you information about how customers connect to your website. Specifically, we’re talking about their software and hardware configuration.
This is useful because you can create profiles based on these configurations. The browser fingerprinting tool, for instance, could show that your user has been consistently logging in with the same browser, and suddenly changed the device at checkout. This should increase suspicion that you’re about to deal with a fraudulent transaction.
In the long run, you can create complete logs of how your users connect to your site, using hashes (or IDs), which represent the most common software and hardware configurations and help highlight suspicious ones.
4. Leverage Fraud Scores
There are two things you could do with all the extra information you’ve collected in steps 1-3. You can look at it and see if anything suspicious jumps at you (manual review). Or you could feed it all to a fraud engine that can calculate transaction risk scoring.
Here’s how it works:
- All the user and credit card transaction data is fed into the payment fraud prevention system in real time
- Each rule outcome increases or decreases the score. For instance, the email address domain doesn’t require verification. This increases the score.
- The result is a score that gives you an idea of how risky the transaction is.
Ideally, you want to run the data through numerous custom rules that make sense depending on your business model. A good prevention system should also come with preset rules tailored to your merchant needs.
The advantage of fraud scores is that you can create thresholds to block or allow the transaction to go through. It helps you mitigate risk however you see fit, and you can only get alerts to the highest risk factors when you detect fraud.
5. Get Help From Machine-Learning
The terms artificial intellitence and machine learning might sound intimidating, but a good fraud prevention system with machine learning should actually be fairly intuitive.
The idea is to have the system analyze your data over time (real-time data and historical data). When you flag a transaction as fraudulent, the learning models remember all the data points. Eventually, the Machine Learning engine will be able to suggest rules that you hadn’t thought of.
One great example is that of a footwear online store, whose machine learning engine suggested looking at shoe size as a risk factor. Why is that? Fraudsters tend to purchase the shoes with the most common size, as they are easier to resell later.
It’s the kind of real time insights even an experienced fraud manager might have missed. But the learning model system, by looking purely at the data, was able to detect fraud and to find connections that were previously invisible to avoid more chargebacks.
Transaction fraud is on the rise. For high-risk merchants it’s inevitable. For any other kind of retailer or online business, it’s a very high possibility.
And unfortunately, it costs a lot more than just chargeback admin fees. There is the time, effort and stress lost to trying to dispute the chargeback, not to mention the fact that you are losing customer trust and damaging your business reputation.
Luckily, fraud prevention tools have increased in sophistication, flexibility and ease of use in recent years. Even a full end-to-end platform with artificial intelligence is much easier to integrate and affordable these days. So you should be able to check out the pricing to get an idea of ROI when deploying a fraudulent transaction detection system.
Learn more about our products
Tamas is the founder and CEO of SEON and an expert in all the technological aspects of fraud prevention.