September 20, 2023 | By: Justin McDonald, Sr. Risk Management Consultant, The Fraud Practice
Organizations can better manage payment fraud by taking both an internal and external-looking approach to assess their fraud prevention strategy. In this context, an internal-looking approach refers to what an organization does in-house, how effectively they utilize the fraud prevention tools and technology available to them, and the self-assessments that drive growth and improvement. Looking externally refers to examining the tools, technology and platforms the organization leverages via partners and solution providers that will enable their payment fraud prevention strategy to be effective.
Payment fraud prevention strategies are complex and look vastly different from one organization or merchant to another. Ultimately, the effectiveness of a payment fraud prevention strategy comes down to the tools and technology available to detect payment fraud, and the organization’s ability to make the most of the tools and features available to them. Metaphorically, there are the tools of the trade and the skills of the trade. A highly-skilled tradesperson with outdated tools, as well as tradesperson with the latest and greatest tools but a limited skill set, cannot consistently deliver the results of a highly-skilled tradesperson with high-quality tools. The same applies to an organization’s risk management team and the fraud detection tools, technology and features available to them via solution partners.
The internal and external-looking assessments discussed focus on three basic steps for responding to payment fraud attacks:
Recognize the attack and its characteristics
Determine how to stop it
Implement the changes required to effectively stop it
A deeper dive into these steps for containing fraud attacks, as well as moving from quick-fixes to long-term solutions, is discussed in The Fraud Practice’s recent white paper Payment Fraud Prevention: Quick Pivots and Proactive Planning.
Recognition
Reporting, both real-time and post-transaction, is an essential aspect of an effective fraud prevention strategy and is often what drives the recognition of an ongoing fraud attack. Assessing your organization’s reporting procedures begins with an internal view. Reporting should occur on regular intervals defined within standard operating procedures (SOPs), and much of the reporting should occur automatically. This not only includes the creation of a report, but some form of anomaly detection or “red flagging” of data in the report that may be indicative of a fraud attack or other issue.
The creation, automation and consistency of reporting are typically internally-driven tasks, although many fraud solution provider platforms offer reporting tools that make this process more efficient. Even if reporting is driven internally, assessing vendor tools and services that feed these reports is critical. Consider what fraud solution providers offer in terms of the risk signals that are featured in daily and post-transaction reporting, to include both the quantity and quality of the risk signals they provide.
We tend to look internally with reporting and focus on in-house data, but there is immense value in looking externally for data as well. Fraud solution providers that support cross-merchant data sharing enable their client organizations to benefit from the fraud attacks already experienced by others in their network. Whether it’s identifying a shipping address or payment card that has been knowingly used to commit fraud against other organizations, or recognizing that a data point has been presented in many different transaction attempts across other merchants, data sharing provides meaningful risk signals that takes reporting to the next level.
"A wide-ranging data consortium or network plays a crucial role in fighting digital fraud due to the complex and evolving nature of fraudulent online activities. These fraudulent activities often involve sophisticated techniques that are difficult to detect and prevent through isolated efforts. Partnering with a third-party tool that has access to a vast network of fraud signals across industries and payment types will enhance your ability to proactively prevent malicious activity on your business's website."
Rebecca Alter, Trust and Safety Architect at Sift
Another key aspect of recognition is how long it takes to detect the presence of a problem. This is where real-time reporting is especially important. The ability to detect spikes in activity as it occurs is extremely valuable. While post-transaction reporting is important too, identifying a spike in fraud chargebacks only informs you on what to look for when preventing future losses, while much damage has already been done. Consider how your organization will aggregate risk signals from the tools and features provided by fraud solution providers into a meaningful reporting or red flag detection process that occurs in near real-time.
Determination
Recognizing there’s a problem is the first step, but some course of action needs to be taken in response to actually fix the problem or stop the attack. Determining how to stop a fraud attack with immediacy is a tactical decision. It involves formulating the most effective response based on the tools and features available to the organization right now, and therefore falls under an internal point of view. Once the attack is mitigated, however, it’s important to also take an external-looking perspective by assessing whether the tools and features available were sufficient to respond to that attack effectively.
Ideally, organizations will feel as though they were able to quickly and effectively respond to a payment fraud attack such that the external-looking assessment is easy. The organization can confidently say they had the proper tools, technology and risk signals to stop that attack and could stop others like it. While we’d hope this to be the case now and always, fraud prevention just isn’t that easy. Organizations have to evolve their fraud strategies over time. There are many organizations that do not have the necessary tools and techniques to respond to a sophisticated fraud attack they may see in the next 12 months. Organizations that have a sufficiently robust set of tools in place today will find themselves less capable of responding to fraud attacks if they fail to continue to evolve their fraud strategy over the years.
If the risk manager or fraud prevention team finds themselves incapable of responding to fraud attacks in a way that is sufficient, they need to consider what else they may need to enable a swift and effective response. This requires an external assessment of the current fraud solution vendors in place and whether there are other features, tools or services they offer that are not being fully utilized, or whether other fraud solution vendors with different or more robust offerings must be considered.
It’s also important to be detailed in how success is defined or measured when it comes to stopping a fraud attack. Keep in mind that fraud prevention is a balancing act. It’s not only important to stop a fraud attack, but to do so with minimal impact or friction to legitimate users or transactions. It’s not just that an organization was able to leverage tools and risk signals to stop an attack that is important, but that these signals were nuanced enough to catch the high risk activity without compromising the experience of many legitimate customers, and without the operational strain of flooding manual review queues. If an organization uncovers a meaningful impact to sales conversion or operational efficiency when responding to fraud attacks, their approach is casting too wide of a net and an outward assessment is required to explore new approaches that are more refined.
Implementation
While determination is more about how a payment fraud attack will be stopped and whether an organization has the capabilities to do so, implementation is more about the time it takes to put that plan into action. Consider the time and efficiency to respond to and mitigate a fraud attack, and how the primary platform or architecture supporting the fraud prevention strategy influences this by facilitating automated and operational steps.
Rules-based strategies tend to be more operationally intensive and, therefore, tend to have a longer implementation time. Once a mitigation response is devised, it’s an operational task to edit, remove or make new logic rules. Every fraud prevention vendor is different in terms of their platforms and user interface (UI), and some platforms may be more streamlined or efficient than others, as well as offer more capabilities in terms of the complexity and compound logic around building rules. Additionally, there can be differing levels of comfort and skill among the risk managers or analysts who use these platforms which also influences the time it takes to put a new set of rules into production.
Model-based fraud prevention strategies, on the other hand, tend to be more fluid and implement minor adjustments somewhat regularly; particularly if they incorporate machine learning (ML). Payment fraud strategies and solution providers that leverage ML benefit from more regular refinements of the risk models that constantly improve risk decision-making.
One of the major value propositions of machine learning is that it automatically incorporates all three of the steps discussed in this article: detection, determination and implementation. An ML fraud scoring model can detect new patterns in behavior or activity, determine what aspects of the fraud scoring model should be tweaked to better account for this new behavior or trend, and then implement how the presence of these signals will impact the numeric fraud score.
Looking externally, a director of fraud prevention may determine that a model-based strategy should replace a rules-based strategy, or that another ML or model-based fraud solution provider should be considered in place of the incumbent solution provider. There are many factors that influence this kind of decision and this is one of the most critical decisions (if not the most critical) around managing a payment fraud strategy. Whether a rules-based or model-based platform, this is typically the hub or center of the organization’s risk architecture.
Organizations should not only consider the strengths and capabilities across different fraud solution providers but also their internal preference around how much they want to control and manage in-house. There is a tradeoff here: the more an organization wants to control risk-decisioning and what goes into a model-based fraud score, the more in-house expertise they will need to supervise and train models. Even for enterprise organizations that manage most of their fraud prevention strategy in-house, while more assessments will be internal, it is still important to perform external-looking assessments to compare the capabilities of fraud solution vendors to current, internal capabilities.
Conclusion
Fraud is a moving target and payment fraud prevention strategies must be assessed regularly for an organization to ensure they can continue to keep pace with evolving fraud risks. These assessments should be both internal and external. Organizations should always consider what they could do better first, but also acknowledge when there are limitations based on the mix of fraud prevention tools currently available and the solution providers they currently utilize.
Sift is the leader in Digital Trust & Safety, empowering digital disruptors to Fortune 500 companies to unlock new revenue without risk. Sift dynamically prevents fraud and abuse through industry-leading technology and expertise, an unrivaled global data network of one trillion (1T) events per year, and a commitment to long-term customer partnerships. Global brands such as DoorDash, Poshmark, and Twitter rely on Sift to gain a competitive advantage in their markets. Visit us at sift.com, and follow us on LinkedIn.