The Ultimate Fraud Risk Assessment Checklist in 2023

Fraud is pretty much a given these days. Just make sure you can anticipate the right attacks with the right tools using our fraud risk assessment checklist.

In an ideal world, every company would have a strong RiskOps team in place. The reality, of course, is that not every business can afford it. Even more worrying: the largest organisations in the world, with seemingly unlimited resources, still get defrauded on a daily basis. 

This begs the question: how effective are the current risk audits performed by CFOs and other departments? And could we improve on them?

What is a Fraud Risk Assessment Checklist?

As the name suggests, it’s a list of points to verify to ensure you have a strong strategy to detect business fraud. It’s industry-agnostic and should be understandable by every department, regardless of technical risk management knowledge. Our anti-fraud checklist is divided into three key categories where fraudsters can strike, namely: payments, user accounts, and marketing.

Why Use a Fraud Risk Assessment?

Online fraud is a tax on successful businesses. While this once only used to be true for high-value retailers or online banks, these days any kind of company is at the mercy of attacks. The problem is that fraud often takes companies by surprise. In order to be prepared, it’s best to understand risk wherever it may lie.

Our anti-fraud checklist should help anyone doing online business understand the potential risk – so that they may prepare against potential attacks using the right risk management system & methods. This is true regardless of your risk management skill or experience, or even the kind of vertical you do business in.

Your Fraud Risk Assessment Checklist in 3 Steps:

This checklist is our attempt to help you identify risk before it happens and to understand which tools you’ll need to deploy to mitigate it.

1. Payments

The general rule of thumb: if there’s money coming in and out through your website, someone will attempt to steal it. Let’s see where the risk lies. 

1.1 – Do You Accept Credit Card Payments / PayPal?

It doesn’t matter if you’re a SaaS, travel operator or only sell luxury items. When it comes to purchasing stuff with a stolen credit card, no prize is too small for fraudsters. In fact, low-value goods are often targeted to test that the credit card works, without raising suspicion.

Even more concerning: the rise of friendly fraud. This is what happens when the legitimate cardholder contests a purchase they made (or a family member). If their intentions were malicious, it can be very hard to prove, unless you have the right data at hand.

• What you risk: paying a lot in chargeback fees. Card networks can put you on a high-risk list and take a larger cut for each transaction. In extreme cases, they may consider your business so risky that they’ll stop allowing you to accept card payments.

• What to look out for: high chargeback rates, obviously. Also worth keeping an eye on small purchases (under $1), that could point to card testing.

• The tools to deploy: digital footprint analysis can reveal a lot about your customers. Use device fingerprinting and data enrichment to learn as much as possible about the customer. Reverse media lookup can point to suspicious accounts.

You can read more about how to prevent chargeback fraud here.

1.2 – Do You Accept Digital Wallets?

Digital wallets, also known as e-wallets include famous names such as Apple Pay, Google Pay and AliPay. They are considered safer than credit card payments, but accepting them may incentivise fraudsters to steal your users’ accounts. 

• What you risk: account takeover and credential stuffing. That’s when fraudsters log into your customers’ accounts and purchase things for themselves. It’s bad for your reputation.

• What to look out for: logins from suspicious devices and locations.

• The tools to deploy: device fingerprinting and IP analysis can reveal a lot about who is logging into a certain account. You can create IDs for each combination of software and hardware, and ask for extra authentication when the details don’t match.

1.3 – Do You Allow Buy Now Pay Later?

Buy Now, Pay Later (BNPL) payments are all the rage these days. They allow customers to spend more on your site, and you pay a small fee for the benefit. 

• What you risk: the customer could default on their “loan” at any time. Most BNPL providers offer protection for that scenario but do keep an eye on how often it happens, and what the contract terms say about it.

• What to look out for: terms and conditions of the BNPL provider.

• The tools to deploy: you could use custom rules and velocity rules to keep track of user behaviour and flag suspicious patterns. It would also be a good use case for Machine Learning, which could identify strange patterns and suggest risk rules.

1.4 – What About Crypto Payments?

Third-party solutions like Coinbase Commerce and BitPay are growing in popularity for businesses who want to accept cryptocurrencies. A low transaction fee and absence of chargebacks should make them a clear favourite. But they’re not without risk.

• What you risk: another good reason to steal your users’ accounts via an Account Takeover (ATO) attack. Crypto’s anonymous or pseudonymous nature could also put you at risk of AML (anti-money laundering) fines.

• What to look out for: large transactions from new accounts (which could point to money laundering). Suspicious logins.

• The tools to deploy: here again, digital footprint analysis and IP analysis are great to authenticate logins. Some fraud prevention tools allow integration with communication tools, so you can use them for real-time monitoring and alerts. 

2. User Accounts

From SaaS to neobanks, many companies count user onboarding as a metric for growth. This comes with its own set of fraud challenges.

2.1 – Do You Need to Meet KYC Requirements?

Financial institutions, fintechs and neobanks are under constant scrutiny from regulators. It’s your duty to ensure the accounts created on your platform are by legitimate users, not fraudsters.

• What you risk: heavy KYC and AML fines. Damaged reputation. If you offer loans or financial products, chances are that fraudsters will default and leave you in a lurch.

• What to look out for: fake IDs and synthetic IDs (using a combination of real and made-up data).

• The tools to deploy: digital footprint analysis via data enrichment can reveal a lot about who your users are, in real-time. KYC verification checks with official companies are also expensive, so filtering out junk users beforehand is cost-effective.

2.2 – Do You Store User Data?

Chances are that your user accounts are linked to personal information. This can include an address, or better yet for fraudsters, payment information. 

But do not be fool into thinking you have nothing to fear if your user accounts aren’t used for payments: fraudsters will attempt to steal any kind of login details to mine the accounts for personal information, or to phish for it.

• What you risk: ATO attack or account takeover. If fraudsters manage to mine a lot of data, you may also be under the obligation to publicly disclose it (for instance under the GDPR). This can seriously damage your company’s reputation.

• What to look out for: suspicious login attempts. Quick changes of personal information from a new device. 

• The tools to deploy: data enrichment and device fingerprinting can help authenticate users at login. Use velocity rules to see how often users attempt to login and to monitor their behaviour.

2.3 – Are You a Marketplace?

Online marketplaces need user accounts and often operate as online wallets too. This makes them doubly vulnerable to attacks. But even those that don’t store funds can be high targets for fraudsters.

• What you risk: fake accounts, multi-accounting, fraudulent listings, fake content and reviews. Account takeover (ATO) and transaction fraud (chargebacks, for instance).

• What to look out for: suspicious login attempts. Connections between accounts (suspiciously similar data points). Spam and phishing attempts.

• The tools to deploy: data enrichment can help onboarding new users safely, and spot connections between users to take down entire networks of bots or multi-accounting fraud. Device fingerprinting is useful to authenticate logins. 

2.4 – Gambling Requirements?

iGaming, online gambling and sports betting have their own sets of legal challenges. They must not only prove that users are who they say they are, but also that they are safe to play. Fraudsters abuse these systems and attempt to blackmail operators later.

• What you risk: self-exclusion fines. Customer affordability fines.

• What to look out for: players losing large amounts of money. Long gaming sessions.

• The tools to deploy: aside from an affordability calculator and self-exclusion checkbox, you should also use AI to promote responsible online gambling. Your fraud prevention’s velocity rules can also spot unwanted user behaviour.

3. Marketing

Regardless of the tools you use to reach new users and customers, fraudsters have every reason to take advantage of them. 

3.1 – Do You Offer Promos, Bonuses and Rewards?

Once the favoured marketing tactic of iGaming and gambling operators, promos, bonuses and signup rewards are increasingly used as a growth hack by all kinds of industries, from challenger banks to online stores.

The problem has once again to do with how easily fraudsters create multiple accounts. They have no shortage of options there: emulators, spoofing software, virtual SIM cards, disposable email addresses… 

• What you risk: waste marketing dollars on bad users. Incentivise fraudsters to check out your business and infiltrate it. Bad for analytics.

• What to look out for: connections between accounts. Fast signups immediately trigger rewards with accounts that then lay dormant.

• The tools to deploy: device fingerprinting and IP analysis can help spot connections between user configurations, or highlight suspicious use of Tor, VPNs, proxies and emulators. Email and phone analysis can also point to risky user profiles. Velocity rules can identify suspicious behaviour.

3.2 – Do You Work With Affiliates?

Do you do CPA, CPL, CPC or CPM? It barely matters: sophisticated fraud rings with the largest resources will be able to exploit your affiliate programme in order to trigger the rewards and walk away with the payouts. 

• What you risk: here again, you will waste entire marketing campaigns, and the results will waste budget, mess up the KIPs and flaw your analytics.

• What to look out for: high numbers of bad leads. Users opting out in droves. Low conversion rates with high signup rates.

• The tools to deploy: traffic and merchant monitoring, plus device fingerprinting to spot bot traffic and multi-accounting. Behaviour analysis (via velocity rules) can also spot patterns such as suspiciously fast signups and conversions.

What to Do After Your Fraud Prevention Checklist

A fraud prevention checklist is a good start for your initial risk assessment. But for the best results, you should also calculate the severity of losses from each potential point of attack. It’s also a good idea to deploy roles whose goal is to stay abreast of the latest threats and scams. Fraud is adaptive, and blocking one avenue often opens two more. 

Finally, common sense also helps. If the numbers are too good to be true, there could be something fishy at play! For more information about the anti-fraud tools mentioned in this fraud risk assessment checklist, please check our guide on device fingerprinting, velocity rules, and customer due diligence proofing.