Fraud Detection & Prevention: What It Is & How to Choose a Solution

Fraud detection and prevention tools are everywhere these days. Here’s your free complete guide on what works, what doesn’t, and why choosing the right one is a key business decision. But first let’s start with the basics:

What Is Fraud Detection?

Fraud detection is a collection of processes and techniques designed to identify, monitor, and prevent fraud. In the online business world, fraud, scams, and bad agents are damaging in a number of ways. Companies have to put steps in place to ensure that fraud is detected and stopped before it affects business.

Detecting fraud is the first step in identifying where the risk lies. You can then prevent it automatically or manually using fraud detection software, RiskOps tools, and other risk management strategies.

Most modern businesses also employ dedicated fraud detection specialists, whose job titles can be as varied as: Trust and Safety officer, Risk Manager, Payment Specialist, Fraud Analyst, etc…

Why Detecting Fraud Is Important

There’s simply no way around it: if your business is online, you’ll need real-time fraud detection and prevention software. Attacks take on many forms and affect businesses differently, but they are certainly pervasive. According to PwC’s 2021 Global Economic Crime and Fraud Survey:

• 46% of companies experienced fraud in the past 24 months
• Companies report 6 fraud attacks on average
• $42B was lost to fraud in the US alone
• Only 56% of the targeted companies conducted investigation into their worst fraud incident.

More bad news: the intensity, scale, and sophistication of fraud attacks show no sign of slowing down. In this online guide, we’ll look at the latest attack vectors, what you can do to measure detection successfully, and of course, how to choose the right fraud prevention tool for your business.

What Are the Best Fraud Prevention and Detection Features?

For fraud prevention and detection, you’ll need to combine as many of the following features as possible:

• Data enrichment: to learn more information based on a single data point. This process aggregates external data to complete picture about a user, for instance. A good example is reverse email lookup, which lets you know how risky the user is based on the single datapoint of an email address.
• Social media lookup: a powerful way to learn if your user has a social media presence. This can be useful for compliance reason, or simply to verify someone’s ID. Make sure that your solution can check as many social media networks as possible, and in as many regions as possible.
• Custom risk scoring: fraud prevention works by weighing risk. You need to be able to control how risk is calculated to make sure the results adapt to your business. This is not only important to improve accuracy, but also to automate the approval, review, or rejection of certain user actions.
• Pay-per-API pricing: paying per API call offers the most flexibility as you can scale your fraud prevention usage based on your business growth. Be especially aware of chargeback-guarantee models, which incentivize vendors to be overly zealous in declining credit card payments.
• Clean UX: fraud prevention involves a lot of data visualization. Ensure it’s available in a way that’s user-friendly and intuitive. At the very least, you should be able to export your data and to access reports to understand what how fraud prevention engine is working under the hood.

Read our guide for the best fraud detection software available.

What Are the Common Types of Fraud?

Fraud takes on many forms, and it adapts to every business model. However, there are a few recurrent attack vectors worth knowing about. These include:

• Stolen credit card purchase: criminals steal credit card numbers and use them to buy services or products from your company. A chargeback is then submitted, for which you must cover the administrative fees.
• Account takeover: more sophisticated attacks, which use identity theft (often through phishing) to steal credentials of an existing account. The end goal, however, is still the same: steal money or personal data from the original user.
• Fake accounts: fraudsters falsify information or use stolen IDs to create a new account. A lax signup policy may allow easier onboarding for traction, but it also opens the door to bad agents. It’s one area we’ve seen a boom during the pandemic – for example in the FX trading world.
• Bonus abuse: fraudsters use linked accounts to abuse merchant terms, whether it is to benefit from signup promotions or loyalty rewards.
• Friendly fraud: This fraud happens when the legitimate cardholder contests a payment. This is either because they forgot, regret their purchase, or maliciously anticipated a chargeback request.
• Affiliate fraud: a marketing partnership can quickly turn sour if your affiliates send bad traffic to your site on purpose. This is particularly prevalent in the iGaming industry, where unscrupulous affiliate fraudsters target PPC (pay-per-click) and PPL (pay-per-lead) acquisition models.
• Return fraud: another new fraud attack vector, growing in popularity due to Amazon’s frictionless COVID return policies. Fraudsters purchase items on your site and take advantage of your return policy to get free items, or intentionally deplete your inventory.

What Are the Main Challenges of Fraud Prevention and Detection?

And even with the best technology around, there are major obstacles that could impact how effective your business is in fraud detection – or even backfire against your business goals.

False Positives Can Hurt Your Business

How do you ensure your transactions aren’t fraudulent? Block every single transaction. Of course, you’ll also be preventing legitimate customers from paying on your site. This is called a false positive, and the problem is that aggressively conservative tools may create a lot of them.

In fact, vendors who offer their prevention services with a chargeback guarantee model have a strong incentive to be more strict. They may tolerate more false positives without you noticing. 

There’s a reason companies started calling it the customer insult rate: false positives hurt your sales numbers and your business reputation. If users can’t use your services, they’ll take their business to a competitor.

Read more about how false positives can impact a vertical here.

No One-Size-Fits-All

Detection works by setting up rules. You will block suspicious IPs. Flag strange-looking devices. Or block emails found on blacklists. 

The problem? The rules that work one day may not the next. Your risk team needs to constantly think on their feet, and remain agile with the systems in place. Moreover, what works for one business might be damaging to another. You won’t use the same rules to catch a poker bot farm, as to detect anti browser fingerprinting by ID fraudsters.

There is no one-size-fits-all solution, even within the same vertical – every business needs prevention that meets its needs.

Friction in Your Customers’ Journey

Another (bad) way to stop fraud: be overbearing with your data collection. Yes, in theory, you could ask each user to fill an incredibly long questionnaire about themselves. You could have the most in-depth KYC verification checks (Know Your Customer). You could ask for a selfie ID every time they log on.

The problem is of course that you are creating so much friction that users will turn to competitors. In today’s online landscape, websites and apps that are the easiest to use will have a competitive advantage. Aggressive risk management may actually backfire if it slows access to your goods or services.

How to Integrate a Fraud Prevention Solution

Even if you’re convinced that you need a fraud prevention system, the question remains as to how you should deploy it. Here are 5 of the best options:

Built-in Fraud Detection and Prevention Systems

Most payment gateways and providers will offer their own fraud prevention tools. This is true of Stripe (who has their own Radar tool for payments), or even Shopify (who lets you enable Fraud Protect on their eCommerce platform).

This is how they work:

1. The service gathers the user’s card and transaction data.
2. Data is compared with previous transactions.
3. They block risky users whose transactions have been fraudulent in the past.

The key advantage of this method is due to the amount of historical card data analytics these companies have. Stripe, for instance, claim there’s an 89% chance that any card has already been used on their network before – even if it’s the first time they identify it on your site.

There are two key downsides here:

• Firstly, payment gateways have a strong incentive to be conservative. It’s better for them to refuse payments and avoid chargebacks.
• Second: these tools aren’t sophisticated enough to give you control.

Time to look at more advanced solutions, but you’re now faced with a new dilemma: buy or build?

In-House Fraud Prevention Systems

Building fraud prevention in-house is absolutely possible, provided:

• You have the technical knowledge, tools and IT resources.
• You can staff a dedicated risk management department.

There are numerous advantages to this route, especially in terms of data protection, product knowledge and integration. You also get more control over the technology, which can be useful for internal training and career development. A lot of seasoned fraud managers started in customer service or payment and moved to the internal RiskOps team later. 

However, the main issue is with scaling. Salaries and costs aren’t easy to budget when you never know how regular attacks will be. If they only spike during one month of the year, can you suddenly hire more staff? Moreover, it can be hard to track down expenses, whereas third party solutions will have clear ROI figures and transparent results.

You can read more about in-house versus outsourced fraud detection solutions here.

An interesting development in the lexicon of risk management: many companies now favour the term Trust & Safety over Fraud or Risk. This is particularly common in B2C businesses, where the old terms (inherited from the banking world) tend to scare customers. In spite of this rebranding, the departments have virtually identical roles and goals.

Cloud-Based, End-to-End

Cloud-based solutions from third-party providers have a number of advantages. Scaling possibilities are an obvious one, as you can pay depending on usage. This, of course, has a positive impact on helping you manage costs and overheads.

Maintenance is also a plus. Updates and bug fixes are all taken care of by the provider. No need to monitor upgrades or to develop extra features in-house. And the roll-out for new features tends to be much faster than with built-in solutions.

Speaking of features, you will of course be at the mercy of the provider’s tech, which is why testing it with your real data is primordial. 

The biggest challenge, however, may be the integration process. We’ll dive deeper into the options you have below, but always keep an eye on: 

• Extra integration costs.
• Additional support fees.
• Multi-year contracts.

API-Based Solutions

The latest trend in risk tech, a fraud prevention API meets the needs of modern, cloud and web-app powered businesses. Using API calls is fast, affordable, and becomes extremely useful if you already have a tech stack, or want to build multi-layered protection feature by feature.

Essentially, it’s like an anti-fraud feature buffet. You can pick and choose the services that make sense for your industry, such as real-time data enrichment for KYC and AML (great for financial services and banking), or geo IPs (to prevent chargebacks in eCommerce).

These solutions take single data points on your site (email address) and find linked external data from various open-source databases. This allows you to get a complete user profile for your security team, without adding extra friction to your customers’ journey.

There are two points to consider: firstly, you need one license per provider, which can quickly make the costs balloon. Secondly, a middleware platform might need to be built, which can add to development costs and integration complexity. 

Multi-Layered Approach

What if you need more than one solution to meet your needs? Multi-layered risk management is the way to go, giving you complete control and flexibility over your prevention arsenal. Here is when it makes sense:

• To enrich the data: A lot of systems let you gather data and analyze it. But you might need to source external data in order to learn more about users, based on single data points for instance.
  
• To meet scalability issues: If a company is growing fast and security is lagging behind, fraud managers can integrate an external tool to boost the efficiency of the current system without too much disruption.
  
• To patch holes in the line of defense: Instead of completely rebuilding their fraud prevention systems, some companies will add 3rd party solutions with very specific goals. For instance, a reverse email lookup tool, reverse phone lookup tool or device fingerprinting solution that was originally missing.
  
• To speed up manual reviews: If you can’t tweak your system to reduce manual reviews, you can add another solution to help. For instance, certain managers use additional tools like plugins that query external databases to get a final say on approving/denying a transaction.

Concrete examples would include partners we work with who have in-house systems for calculating risk. They do not want to rebuild everything from the ground up, or they are legally required to keep some data to themselves (for instance with credit scoring). 

They can simply feed the results of our modular APIs into their system. This can be their own middleware, or even an external risk scoring system, and will improve the accuracy of their scoring through real-time data enrichment, including with social identity data.

Another use case would be clients who already use our Sense Platform as their core solution, and need to integrate external data via our user_label field. We’ll provide data to contribute to risk scoring or rule generation. It can also create a “network effect”, by sharing risky data with other merchants.

Finally, for the manual review stage, you can still enhance your processes by using a third-party tool such as our Intelligence Chrome plugin.  While not technically an integration, the fraud analyst acts as a bridge between multiple systems to improve efficiency. There is no shared data between the multiple systems, and from the customer’s perspective this is one seamless process.

How Do You Choose Fraud Detection & Prevention Features?

After evaluating how you can integrate the solution, there are key differences between the systems you should consider.

Tailored vs Customizable Systems

A lot of anti-fraud solutions and management software come with rules tailored to a certain vertical. If you want to reduce fraudulent app installs, you’ll find a provider for that. More interested in boosting AML (anti-money laundering) protection for alternative credit scoring than to detect fraud? Another provider has got you covered.

The benefit is of course that you are working with intelligence that targets your specific problem. The shortcomings are just as obvious: a lack of control could incur more risk.

A flexible system, for instance, may give you control over:

• Customizable rules,
• Customizable data fields,
• Thresholds for automatically approving or rejecting an action,
• Targeting different touchpoints such as login, signup or withdrawals,
• Etc…

As with any customizable system, the added control may give better results, but also require more time and effort from your side. 

Pros and Cons of Shared Blacklists 

Safety management is nothing new, and certain vendors have become household names over the years. They also tend to specialize over time to target specific verticals, which is why you’ll often find organizations in the same market using the same anti-fraud platform.

One benefit? These legacy platforms have been in operation for many years, and have accrued incredible amounts of data, mainly through shared blacklists. 

One downside is that the data itself may become stale, or obsolete. Some flags may have been wrongly placed, which corrupts the entire database. 

There are also concerns with data protection and compliance (which we’ll cover in more detail below).

Any company operating in iGaming will be familiar with a handful of legacy risk management platforms. They have been operating for years, and have accumulated vast amounts of data about blacklisted IP addresses, email addresses, and even player names.

Whitebox vs Blackbox Machine Learning

Machine learning is often sold as a magical solution. Put simply, it’s about using your own business data to suggest precise risk rules. The accuracy of these rules improves over time, which can make them an effective tool against attacks.

The problem? Not all machine-learning solutions are created equal. This is largely due to how transparent the system is.

Blackbox solutions tend not to go the extra mile to explain their decision, which makes them harder to fine-tune. Whitebox solutions, on the other hand, will do their best to deliver clear explanations in the form of decision trees or human-readable explanations.

The key point here is that machine-learning tends to bring more value when it can assist human intelligence rather than replace it completely. This is particularly relevant in the context of the next point: supervised vs unsupervised fraud detection.

Supervised vs Unsupervised Fraud Detection

Whether your fraud prevention system is supervised or unsupervised varies largely on your risk appetite. 

After your system runs the data through rules, you will generally get a score. This can be used to set thresholds for approving or denying an action. You can also create a threshold for manual review – but this is optional.

In fact, some businesses may want to automatically approve or reject all user actions with minimal interaction. In other words: whether the detection is supervised or unsupervised depends on you. But having the option to manually review cases will always give you more control and precision for those cases in grey areas.

Data Protection and Compliance

In the world of fraud, prevention is based on data collection. And as we know, this is a practice that is increasingly under scrutiny from government agencies.

While these vary from one market to the next, certain regulations such as The General Data Protection Regulation (GDPR) and the EU’s PSD2 immediately spring to mind. 

Ensuring your fraud management system is compliant is particularly important for financial institutions, banks and other companies with strict KYC and AML regulations. This is true whether you build in-house or purchase third-party services.

User Experience and Team Management

One often overlooked feature of fraud prevention solutions: the ease of use. The best engineers are not always the best designers of user experience, which is why some interfaces can be confusing, bloated, and frustrating. 

While navigation is a matter of personal preference, users should consider whether the following features are available to make their lives easier in the long term:

• Search function: is it available, and can you find specific transactions? For advanced users, can you find them based on custom parameters and replace SQL queries?
• Logging function: data analysts shouldn’t have to check the same transaction twice, so logging is important.
• Workflow creation: can you create specific search filters for later use?
• Flexible data presentation: can you view a user’s connected accounts? Can you list transactions in the order you want? Can you view all historical transaction data from one user?
• Permissions and rules: how easy are they to create? Can multiple team members access the risk management tool? How can they let each other know of their new implementations?
• Reporting: can you get clear data? Is it displayed in a way that is readable by your staff?
• Custom rules engine: how easily can you tweak the rules to improve decision-making? Do you need support from the provider or can you train your staff to do it? Can you create velocity rules or validate a rule’s effectiveness with a confusion matrix?

There is always a fine balance between data aggregation and noise. How clean is the dashboard, and how easy is it to make important numbers jump at you without having to slice and dice through hundreds of data points?

Response Time

Accuracy is one thing, speed is another hugely important metric. Once integrated into your platform, how quickly can you make a decision to allow processes? Ideally, your prevention tool should offer real-time blocking and a short response time, whether it’s for reverse email lookup or device fingerprinting.

The system should also process asynchronous requests, where one data point is immediately checked while other data points are queued up for analysis – without slowing down the customer experience.

This is particularly important with API calls. How fast is communication between endpoints? What is the provider’s uptime rate? 

Monitoring KPIs and KRIs (Key Risk Indicators)

Finally, the fraud-prevention tool should give enough reports and analytics for your team to monitor its efficiency. Manual processes, detection accuracy (checked via confusion matrices), and ROI are all metrics you must regularly keep an eye on. 

These are crucial numbers you should be able to access, both for your team’s KPIs, and also to create KRIs or Key Risk Indicators.

KRIs will allow you to unveil new growth opportunities, anticipate risk in advance, and generally take a more proactive approach to risk management.

You can read more here about our complete guide to KPIs Vs KRIs in fraud detection.

Integration and Support

Your developers or CTO should check in advance the API documentation. Having a clear understanding of how the tool will integrate with your platform can save hours of costly technical difficulties down the line. Some points to consider:

• Number of integration endpoints.
• Number of data fields to process.
• Does the integration come with support and training?
• Is it paid extra?

Integrating a fraud management tool can be temporarily disruptive to your business. Here again, a clear knowledge of the processes prior to integration will reap more rewards in the long term.

It’s not common practice, but ideally, you should be able to test the solution for free, and with your own business data.

Pricing Model

For most online businesses, margins are razor-thin, and the competition is strife. Which is why a reasonable pricing model is just as important as its features. Below are some of the points to consider before selecting your provider:

• Monthly fees or subscription model: good to calculate your yearly spend. However, beware that providers can lock you into a pricing tier that isn’t advantageous for you. Moreover, scalability is reduced, as you need to continue paying even if your sales dip seasonally.
• Microfees based on API calls: an interesting model that is both flexible and adaptable. It’s easier to get a clear picture of your costs and to predict a budget if your transactions fluctuate regularly.
• % of checked transactions: self-explanatory, but often more costly than other models above. Certain providers offer chargeback guarantee based on this model – unfortunately, this is a strong incentive to increase the number of false positives.

Potential Extra Costs

In addition to an adequate pricing model, you should also consider if the provider has:

• An integration fee: not ideal as you which means you must pay upfront without any accuracy-validation.
• Support fees: another hidden cost to be aware of. Some providers will charge you when you contact the support team for help with integration or custom rule creation.
• Trial: ideally, the provider should be confident enough in its tool’s ability to let you try it for free. It should be part of the pre onboarding process and come with no strings attached.

While it’s challenging to calculate the true cost of fraud, some providers make it just as hard to evaluate the ROI of their solution. Always read the fine print and ask for clear, transparent pricing whenever possible.

To Sum Up Fraud Identification

With a growing number of fraud-prevention tools available on the market, it can be easy for merchants to be confused. It is bad enough that companies have to deal with relentless attacks, on top of that they must now face the challenge of vetting the right solution as an important business decision.

Hopefully, this guide will serve as a good primer. By now, you should have a clearer idea of which tools make sense for your company. And remember that remaining informed, whether it’s about the latest attack techniques or cybersecurity tools, is always the best way to stay one step ahead of the fraudsters – and your competitors.

Frequently Asked Questions

Learn more about:

• SEON: Compare the Top 9 Fraud Management Systems & How to Pick the Right Software For You