One day — maybe one that has already happened for some PYMNTS readers — we might look back with fondness and nostalgia on that time when chargebacks stood as the main worry merchants and other organizations faced when it came to fraud and risk. Chargebacks are still a problem, of course, but fraud has morphed into this multi-tentacled threat that is constantly on the prowl for any hole or weak spot that offers criminals the chance to get into your systems.
Excuse the dramatics. Excuse the reminder of something you already know, at least in theory: Criminals are super-smart, super-sophisticated and super-organized, and any business or organization that doesn’t at least grasp those facts stands little chance against hackers and data breaches. But getting from theory to daily fraud prevention practice presents massive challenges, and not everyone knows what to do or how to do it.
That’s where Kevin Lee comes in.
He is the trust and safety architect at Sift, and participated in a recent PYMNTS webinar entitled “Building a Trust and Safety Team from the Ground Up.” Along with Karen Webster, Lee talked about why the current realities of fraud require a new, much more “holistic” approach to fraud defense, prevention and detection within companies.
The stakes could hardly be higher.
A data breach or other hack not only puts customers at risk, but also puts the victimized company in legal jeopardy, and guarantees a lengthy bout of bad PR. And that’s in addition to the lost revenue and money that will have to be spent to compensate customers and upgrade security systems.
The mindset required to successfully battle fraudsters these days starts with a change of language. As Webster asked toward the beginning of the interview, what is the value of rebranding a company’s risk and fraud function into trust and safety?
“The scope of responsibility has changed fundamentally” in recent years, Lee responded, explaining how fraud has transformed from something centered on chargebacks to something that involves multiple eCommerce and payment functions – and, indeed, the entire user experience. “It’s not just about chargeback rates,” he said, but pretty much the entire scope of operations, and the entire range of customer satisfaction and trust.
In fact, Lee said, one way to get out of the “chargeback rate” way of thinking — to get past that limitation, as criminals have done — is to take up the concept of “insult rate.”
That refers to making life harder for that vast majority of customers who are not a fraud threat, by introducing enough friction into the shopping and transaction process so that, in Lee’s telling, those consumers are treated as guilty until proven innocent. He went even further than that, saying that traditional fraud management might focus on the 1 percent who are exploiting the system. That sort of fraud prevention spends 100 percent of the time on that one aspect of fraud, he noted.
A good trust and safety team, in fact, will figure out ways to make the insult rate into a firm KPI, one that can serve to open executives’ eyes about the current nature of fraud.
Such a KPI can help build an organization’s trust and safety team from multiple units within the company, units that could include such activities as marketing, operations and finance. And really digging into that insult rate — really figuring out how many legitimate customers are, essentially, sacrificed in the name of fraud prevention — can help with the crafting of more precise, more pragmatic company objectives when it comes to preventing hacks and data breaches.
By contrast, using a chargeback rate as the main metric — a “lagging indication” that comes a month or more after the fact — serves to provide a “head start for fraudsters to drive a truck through your vulnerabilities,” Lee said during the PYMNTS webinar. Much better, he said, is to latch onto the idea of “dynamic friction,” which, in conjunction with machine learning, can analyze the digital crumbs left by consumers — the nature of their keyboard strokes, for instance, or their browsing habits — to erect a smarter defense against fraud.
Building a Team
Building any new team — including one devoted to trust and safety, one that uses the insult rate as a guide for action — means a good deal of work, including buy-in from multiple departments, employees, managers and executives. Lee didn’t minimize those challenges, but during the webinar, he offered a road map for how to do so, a map based on his own professional experiences at Facebook and elsewhere.
The first key is recognizing that such a team needs cross-functionality — the expertise and ideas from different types of employees within an organization, which befits the holistic nature of digital fraud. The goal of such a consolidated trust and safety team, Lee said, is to “share best practices,” among other tasks. “Fraudsters will not hit just one product and be done with it. They will hit as many as possible to find those vulnerabilities.”
Such a team will include generalists and specialists, with team members developing their own specialties in time. Lee said some of those team members will essentially serve as “chainsaws,” capable of cutting through mountains of data and cases, while others will function as “scalpels,” able to be “very precise and go deep.” Both types of skills are needed for a robust trust and safety team.
So are intense curiosity, strong contrarian tendencies and “grit and resilience,” he said — traits that are “much more important than what you studied in school.”
As Lee told it, “a lot of times, you can only see half the hand” when it comes to effective fraud prevention. “You have to do a lot of investigative work to undercover the trust,” he noted. “We work in the grey, and need to read the tea leaves more than other folks.”
Besides that, dealing with crime and fraud every day “can be tough,” he said. “You can get jaded.” (Lee also said it’s useful — even imperative, depending on the organization — that team and safety members have knowledge about data and data sets.)
And that’s not all when it comes to those team members. “One of the key attributes for them is having a growth mindset,” Lee said. “I want them to be in a mode where they are constantly learning and looking to better themselves and the company.”
All this is much more than academic, much more than some wish list for the future. As eCommerce competition keeps getting hotter and hotter — Lee used the example of online food delivery services, a very crowded field right now — companies that want to stand out will have to find more ways to differentiate themselves. Doing better fraud prevention — which incorporates dynamic friction and insult rates and even trust and safety teams — could help with that.
No matter what, criminals are not slowing down — they are working hard to stay a step ahead of law enforcement and the latest fraud prevention technology. And customers are unforgiving. Taking on this new mindset — the trust and safety concept — could go a long way to keeping ahead of those harsh realities.