Do you want to gain a step on fraudsters? Do you want to beat them while also making it as seamless as possible for legitimate consumers to buy from your website and contribute to your bottom line?
Then be prepared to toss out the rules.
Okay, that’s hyperbolic. But it’s in service of a larger, very important point: Online fraudsters are much smarter than they were just a decade ago, and slavish adherence to rule-based fraud prevention systems will, essentially, leave a door or two open for those criminals to come through.
In the latest edition of the PYMNTS Masterclass video series, Kevin Lee, trust and safety architect at Sift, dives deep into the new landscape of fraud, and gives specific advice about how to best counter it. Sure, everyone knows fraudsters are becoming more sophisticated and organized — but how many know what to really do about it? Besides that Masterclass video, Lee, along with Karen Webster, will discuss this subject further in today’s PYMNTS webinar entitled “Building a Trust and Safety Team from the Ground Up.”
In the new Masterclass video, Lee summed up the evolution of fraud over the past decade or so, providing an observation that might lead to some anxious nights for merchants. No longer does fraud typically mean “one individual” trying to break into an eCommerce platform. “Now, different types of bots and scripts attack platforms, not one by one but thousands at a time,” he said.
And that’s not all: Fraud today involves relatively complicated — compared to a decade or so ago — attempts to take over legitimate accounts or create enduring fake ones. As well, retailers handle much more than payments these days, of course: Digital commerce means delivery, content and other factors that can also give criminals an opening.
That all presents numerous challenges for any retailers interested in avoiding the bad PR, litigation and loss of revenue that typically follows a breach or hack. Among them is building better fraud prevention defenses without alienating honest consumers and existing and potential customers. To put it another way, the challenge is to stop criminals without introducing too much friction that can result in customers giving up on creating accounts or abandoning online shopping carts.
It’s a simple matter of numbers, Lee said. Traditional fraud management “might focus on the 1 percent who are exploiting the system.” That sort of fraud prevention “spends 100 percent of the time on that one aspect of fraud.”
But what about the 99 percent who are on an online retail site with honest intentions, and just want to buy as quickly as possible and then get on with their lives? Well, that’s where a practice he called “dynamic friction” comes into play — a concept that can not only help prevent fraud, but also builds trust in the platform and with the merchant.
As Lee told it, the danger of fraud starts well before the transaction, and that knowledge can help defeat it. A fraud prevention system that is based on machine-learning algorithms — not just legacy rules that have probably been around for years — can lead to more understanding about the people who come to a particular platform. And that understanding can lead to more precise detection of fraud attempts without putting too many speed bumps in the path of honest consumers.
Digital Bread Crumbs
Consumers leave “digital bread crumbs along the way,” Lee said. Such factors as how quickly a consumer created an account, the nature of the keyboard strokes and other traits can help determine if the person’s intent is legitimate or criminal.
“Within 10 seconds, did they go to purchase three GoPros, or were they browsing?” he asked by way of example. “Did they start with GoPro accessories first? Did they put something in the cart and then remove it? All these things, from a behavior standpoint, are really telling.”
A fraud prevention system that is primarily rules-based, by contrast, would not spot those traits, those complications. Rules are binary — they do only “yes” or “no.” Fraudsters — at least the successful ones — are not so dim as to be stopped by a binary fraud prevention system, Lee said. “Fraudsters learn to adapt very quickly.”
Not only that, but consumers are impatient and unforgiving. Faced with too much friction, they might just leave and check out a competitor. Another goal of that machine learning model for fraud prevention is to reduce what Lee called the “insult rate” — treating legitimate customers as potential criminals, which could lead to honest accounts being shut down.
Getting past rules-based thinking when it comes to fraud prevention requires more than a few conditions, not the least of which is what Lee called “executive buy-in.”
He drew upon his spam prevention experience at Facebook to explain how various teams within a single business not only have to work together — the practice of eCommerce gets increasingly complicated, with new products coming out all the time, and online retail encompassing a variety of tasks and features — but to “evangelize” their goals and work.
As well, an organization needs a “centralized team dedicated to trust and safety,” Lee said. In short, “you need a holistic approach.”
Platform operators have an advantage: The “tremendous” amounts of data they have about the “user’s entire online journey.” The key is making sure that data is fed into machine learning data-mining tools to detect those patterns that indicate fraud — and to focus not just on fraud, but the larger, potentially more lucrative concept of “trust and safety,” he said.
That’s not to say rules are useless, though. “You still want rules at the end of the day,” Lee said. For instance, a good rule is to not deal with consumers who have IP addresses from North Korea. “You don’t need a machine to tell you that,” he said.
Still, he said, “You are going to need to move beyond the rules, pure and simple.”