
Three Rules for Effective Payment Fraud Prevention

August 9, 2023 | By: Justin McDonald, Sr. Risk Management Consultant, The Fraud Practice

Payment fraud is a persistent threat impacting organizations of all types. This article discusses three key rules at the core of effective payment fraud prevention strategies.

1. Focus on Containment and Rapid Response

It’s naive to think we can stop every fraud attempt. Even if we could, it would come at the expense of an exorbitant false positives rate. Therefore, the basis for most fraud prevention strategies begins with containment. Although it’s impossible to prevent every instance of fraud, we can focus more effort and resources on the orders with higher loss potential and increase scrutiny on orders that seem to be associated with the same end users via repeating or morphing patterns.

In the context of payment fraud prevention, containment is a “fool me once shame on you, fool me twice shame on me” type of philosophy. Effective payment fraud prevention strategies have bumpers or limiters in place that detect and stop repeated activity or use of data points once the determined threshold is reached.

In a rules-based strategy, this comes in the form of logic rules applying velocity of use and velocity of change techniques. Velocity of use refers to how many times a data point, such as a shipping address, has been used in a period of time, looking solely at the use of that data point and ignoring other order characteristics or additional data points used with it. Velocity of change tracks how many times one data point has changed, such as a payment card number, while another data point it has been used with, such as a shipping address, remains the same over a period of time.

Model-based strategies also make use of velocity of use and change techniques as part of the model to derive a risk score, but provide the flexibility to be more fluid in the velocity of use and change thresholds. With logic rules, a velocity count threshold (such as how many transactions have used the same shipping address) and time period (such as within the past 7 days) must be explicitly defined, and these are hard thresholds that can only be changed by editing the rule or creating a new one. In model-based strategies, the confluence of many more risk signals is taken into account, such that different thresholds can be considered enough to decline an order depending on other risk characteristics of the order or user.

The key factor of these velocity checks and other containment features of a fraud prevention strategy is that they are set to occur automatically. When the threshold is reached, whether explicitly defined in a logic rule or with a dynamic threshold influenced by a multitude of risk signals within a fraud-scoring model, the order is declined and containment has occurred. The containment effectively puts a stop to the fraud attack with little-to-no operational oversight required to do so.

However, just as we can’t expect to detect and stop all fraud attempts, we can’t expect containment to account for every possible scenario to limit the losses of every fraud attack. This is where it is critical to support rapid response as well.

For fraud attacks and events that are not effectively contained, operational resources will be needed to detect and then put a stop to the fraud attack that is unfolding. Sophisticated fraudsters and fraud rings work to reverse-engineer fraud prevention rules and often have access to large troves of compromised data, allowing them to evade the limits set for containment. In such cases, a reactionary response is required, and must be applied rapidly.

Rapid responses come in many forms and vary greatly depending on the traits of the fraud attack that is evading containment. Rapid response techniques range from adding specific data points to negative lists, to creating new rules, to defining specific features or variables for a model to focus on before retraining, to identifying specific products or SKUs that will be screened with a different rule set or model, and many more potential ways to solve the problem at hand.

Whereas containment occurs automatically, rapid response requires analysts and managers to identify the issue and determine the best way to stop it quickly. Because the containment did not occur automatically, it is critical to respond quickly to the vulnerability.

"Incorporating automation is a crucial component of building strong fraud defenses. Improving efficiency and precision is imperative when tackling low-hanging fruit, responding to an ongoing fraud attack, or devising a comprehensive product roadmap for the long term. Through automation, your team can swiftly accelerate its operations by removing elementary tasks or deploy nuanced rules to address immediate fraud concerns."
Rebecca Alter, Trust and Safety Architect at Sift

2. Find Longer-Term Solutions to Replace the Quick-Fixes

Fraud events that require a rapid response are typically stressful, and the number one goal is to stop fraud losses as soon as possible. This often means that the action taken to stop the fraud event immediately is not the best solution to maintain long-term.

A recent whitepaper from The Fraud Practice, titled Payment Fraud Prevention: Quick Pivots and Proactive Planning, discusses the balance of maintaining an effective fraud prevention strategy with the ability to support rapid responses, while also keeping a long-term view on how the strategy must continue to evolve over multi-year time horizons. Rapid responses are compared to triage or immediate first-aid. These are the actions required to stop the hemorrhaging of fraud losses as soon as possible, but often the medical attention required and provided in the field is just temporary, before the permanent solution is provided in the hospital.

This is an appropriate metaphor for rapid response within payment fraud prevention strategies. Fraud attacks need to be stopped swiftly to limit financial losses, but often the immediate response has side effects such as false positives or operational strain, just as a tourniquet may be required in immediate response to an injury but is only intended to be used for a limited time until the patient can be transported to a hospital.

Say a sophisticated fraud ring is targeting fence-able merchandise or gift cards with a variety of stolen payment instruments and personally identifiable information (PII), enabling them to stay under the radar of the containment strategies in place. Anomaly reporting or data analysis catches the activity, and now it is up to the fraud prevention team to stop this attack immediately. Quick fixes could include focusing on the product or SKU being targeted, such as by using a different rule set or model, or turning the risk-score threshold down for orders with this SKU. Another option might be targeting an IP range or the use of any VPN or proxy, blocking all orders from these IP addresses or IP ranges.

These options will put a damper on the fraud attack, but over time they will also implicate many legitimate orders. Trustworthy customers buy this product and use VPNs too. This rapid response is a necessary tourniquet, but it has to be acknowledged as a temporary solution.

The longer-term solution might take several weeks or months to determine, and in some cases may even require long-term strategy decisions, such as adding new tools or signals, to properly address the vulnerability. Every rapid response needs to be documented, and the impact of these quick-fixes must be measured not just in terms of how they are performing at stopping the fraud losses, but how they are impacting conversion rates.

Rules-based strategies tend to have issues with the side-effects from quick-fixes and the tech debt they create. This is because a simple logic rule can be implemented to stop an attack that requires an immediate response, but that logic rule often casts a wide net, catching many legitimate orders in addition to the risky ones. While the fraud attack is taking place, the opportunity cost of false positives may be worth the fraud losses avoided. Once the attack wanes, however, the rule will be doing more harm than good if it is left in place.

3. Prune the Low-Hanging Fruit

If you are hiking in the woods with a group of people and encounter a bear, you don’t need to be the fastest person in the group, but you really don’t want to be among the slowest. A similar way of thinking can be applied to how strong one organization’s payment fraud prevention strategy should be relative to their peer group of competitors.

The concept of relative strength amongst an organization’s peers is important. Different vertical markets or industries have different needs in terms of their fraud prevention strategies. Organizations in money movement or selling high-end electronics and luxury goods must maintain lower fraud loss rates than merchants selling goods at a lower cost or with a higher margin. The reality is that all of these types of organizations will be targeted with fraud, but the ones who are easiest to steal from among their peer groups will be continuously targeted.

Fraudsters and fraud rings do not stop until you stop them. Once they find a vulnerability, they will continue to exploit it as long as it continues to make them money. While containment limits this, fraudsters will come back to targets that yield the highest returns month after month.

The lowest hanging fruit would be organizations with no or ineffective containment strategies, but chances are those organizations won’t be in business for much longer. In other words, even the low-hanging fruit has a somewhat effective payment fraud prevention strategy in place, but it’s one the fraudsters can consistently beat, at least in small to medium increments.

Remember that many fraudsters are doing this for a living. They don’t solely rely on a boom-or-bust strategy looking for big hits; rather, they have lists of targets they revisit every month or quarter for a small but steady and consistent yield. These fraudsters are playing the long game, having reverse engineered the time thresholds on containment strategies. They may reappear with new payment instruments each month, but tend to reuse the same shipping addresses or other data points that are harder to come by.

The concept of low-hanging fruit needs to be considered on two levels. First is not being among the slowest handful of hikers in the woods, or being above at least the 50th percentile amongst your peer group in terms of having a robust and effective payment fraud prevention strategy. Second is pruning the low-hanging fruit on your own tree. Identify the gaps in your containment strategy by having fraud analysts take a long-term view. Most velocity techniques look at activity in terms of hours and days, but reporting and data analysis can uncover unscrupulous activity that took place over months and years. The data points, and ultimately the fraudsters, associated with these long-cons need to be on negative lists and prevented from picking the low-hanging fruits of your labor.
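The velocity of use and velocity of change rules from rule 1, and the long-term view described above, shown as an added example (not code from the article or from any vendor). The orders, addresses, card tokens, thresholds and function names are constructed assumptions; the same velocity-of-change count is run once as a 7-day hard-threshold rule and once as a 180-day reporting pass.

```python
from datetime import datetime, timedelta

# Constructed sample orders (not real data): (order time, shipping address, card token).
ORDERS = [
    # Slow reuse: one address, a fresh card roughly once a month.
    (datetime(2023, 1, 5), "12 Elm St", "card_A"),
    (datetime(2023, 2, 6), "12 Elm St", "card_B"),
    (datetime(2023, 3, 7), "12 Elm St", "card_C"),
    (datetime(2023, 4, 8), "12 Elm St", "card_D"),
    # Repeat customer: same address, same card.
    (datetime(2023, 4, 8), "9 Oak Ave", "card_E"),
    (datetime(2023, 4, 9), "9 Oak Ave", "card_E"),
    # Burst: one address, three cards in three days.
    (datetime(2023, 4, 7), "3 Pine Rd", "card_F"),
    (datetime(2023, 4, 8), "3 Pine Rd", "card_G"),
    (datetime(2023, 4, 9), "3 Pine Rd", "card_H"),
]

def velocity_of_use(orders, address, now, window):
    """Count orders using `address` inside the window, ignoring every other field."""
    return sum(1 for ts, addr, _ in orders
               if addr == address and now - window <= ts <= now)

def velocity_of_change(orders, address, now, window):
    """Count distinct cards used while `address` stayed the same inside the window."""
    return len({card for ts, addr, card in orders
                if addr == address and now - window <= ts <= now})

def decline(orders, address, now, window, max_uses, max_cards):
    """Hard-threshold logic rule: decline when either velocity count exceeds its limit."""
    return (velocity_of_use(orders, address, now, window) > max_uses
            or velocity_of_change(orders, address, now, window) > max_cards)

def long_view_candidates(orders, now, window, min_cards):
    """Reporting pass: addresses paired with at least `min_cards` cards over a long window."""
    addresses = {addr for _, addr, _ in orders}
    return sorted(a for a in addresses
                  if velocity_of_change(orders, a, now, window) >= min_cards)

if __name__ == "__main__":
    now, week = datetime(2023, 4, 9), timedelta(days=7)
    for addr in ("3 Pine Rd", "9 Oak Ave", "12 Elm St"):
        print(addr, decline(ORDERS, addr, now, week, max_uses=3, max_cards=2))
    print(long_view_candidates(ORDERS, now, timedelta(days=180), min_cards=3))
```

The 7-day rule declines the burst address but passes the monthly reuse, which only the 180-day pass surfaces as a negative-list candidate for analyst review.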


Payment fraud prevention requires a multifaceted approach that combines containment, rapid response and a long-term perspective, both to find more permanent solutions that replace temporary quick-fixes and to prune the low-hanging fruit that falls under the containment strategy radar. While it is unrealistic to completely eliminate payment fraud, organizations can significantly reduce its impact by implementing these three key strategies.

Containment is critical but is just one component of an overall payment fraud prevention strategy. Many fraud attacks will evade containment measures, necessitating a quick-fix solution that functions like a tourniquet: effective but intended only to be temporary in nature. Containment must be supplemented with rapid responses when required, but longer-term solutions must ultimately replace the quick-fix. Similarly, automated containment-focused techniques need to be supplemented with data-driven insights looking over longer time periods to detect aspects of a containment strategy that may have been reverse engineered by professional fraudsters.



Sift is the leader in Digital Trust & Safety, empowering digital disruptors to Fortune 500 companies to unlock new revenue without risk. Sift dynamically prevents fraud and abuse through industry-leading technology and expertise, an unrivaled global data network of one trillion (1T) events per year, and a commitment to long-term customer partnerships. Global brands such as DoorDash, Poshmark, and Twitter rely on Sift to gain a competitive advantage in their markets. Visit us at, and follow us on LinkedIn.

