Fraud Detection Deep Dive

Thu, Jan 19, 2023 17-minute read

featured on ITG Software blog!

When you think about fraud, complex modern financial operations may come to mind. Financial fraud, however, is as old as trade itself. The earliest recorded case dates back to ancient Greece around 300 BC, when two merchants planned a scheme to make a small fortune. Spoiler alert: the plan ended badly for them.

Jumping forward a couple of thousand years, scammers are as relentless as those two Greek merchants were. PricewaterhouseCoopers (PwC), one of the largest accounting networks in the world and one of the big-four accounting firms, published some shocking numbers in its 2022 Global Economic Crime and Fraud Survey: customer fraud tops the charts in the consumer and retail industry.

That is understandable: most players in the consumer and retail market had to shift their operations to expand their online presence when the pandemic hit in 2020. Many of these merchants now operate several digital sales channels simultaneously, and credit card fraud and other online scams have risen with them.

What is online fraud and why should you care?

Online fraud is an umbrella term covering a wide range of fraudulent activity, from financial fraud to identity theft. This article focuses on one part of it: credit card fraud.

Credit card fraud happens when someone other than the cardholder, without the cardholder's authorization, initiates a payment on a card they do not own.

This type of fraud is an ever-growing concern for businesses of all sizes and for payment processors. Credit card fraud does not discriminate; every business is a target. The US Federal Trade Commission (FTC) logged 389,845 reports of credit card fraud in 2021 in the US alone, and the losses fall on businesses more than on consumers.

You might be asking yourself why though, right?

Major card issuers have $0 fraud liability policies that protect cardholders from confirmed fraudulent transactions. If the customer is not paying for those transactions, who is? You guessed it: the merchant. Accepting a shady transaction can therefore become a serious problem if it is not handled right. In most cases the company loses the money from the sale and the goods that were shipped, and on top of that pays a chargeback fee to the payment processor. The loss is not only financial; in some cases the business loses the trust of its customers as well.

We are talking big numbers here: the Nilson Report put global card fraud losses at around $24 billion in 2018, and that figure is not expected to drop any time soon.

Types of credit card fraud

Credit card fraud is an umbrella term for a few sub-categories. It is important to understand the differences between them in order to set policies that are efficient and actually work.

Credit Card Payment Fraud

This is the most prevalent type. These attacks happen when someone who has obtained stolen card details tries to place orders or charge payments with them.

Credit Card Test Fraud

Scammers do not only steal cards to commit payment fraud. Stolen card details are also sold to third parties on black markets, and cards that are known to work fetch a higher price. Some scammers therefore test stolen cards before listing them.

They do this by submitting the newly obtained card numbers on a website that performs zero-dollar authorizations (or small test charges). If the card is valid, it gets listed; if not, it gets dumped. From the merchant's side, card testing shows up as a burst of small or $0 authorizations on many different cards from the same source in a short time, which is exactly what velocity checks (discussed below) are built to catch.

Gift Card Fraud

It is no secret that gift cards are not as thoroughly regulated as credit and debit cards, and they are harder to track and trace. These two facts make them the go-to instrument for scammers around the globe: gift cards are the preferred payment method in phone scams and technical-support scams, and buying gift cards with stolen card details is a common way to cash out credit card fraud.

Forter published a report in February 2022 on gift card fraud. During the 2021 holiday season its systems tracked a steep increase in this type of fraud across all platforms; the report put the increase at 60% that year.

How to stop that on your e-comm site? What is fraud detection & screening?

Credit card fraud is not going away soon, so businesses need to adapt their operations to control the risk. Online payment and fraud providers such as Cybersource, Adyen, Stripe, PayPal and Forter are in a constant game of cat and mouse with scammers, always on the hunt for new technologies and methods to detect fraud as early as possible.

Fraud detection software combines behavioral analytics, machine learning, rule-based risk analysis and other techniques to spot, or at least flag, potentially fraudulent transactions and stop scammers in their tracks.

The software analyzes each payment transaction against a set of screening techniques and factors and assigns it a risk score. Based on that score the system passes the transaction, declines it, or routes it to manual review. For a transaction in manual review, a customer service representative (CSR) or payment specialist logs in to the provider's dashboard and accepts or declines it based on the presented factors.

Strict fraud policies are a must on every digital commerce site, but policies that are too strict cost the merchant real sales. Balance is key. To find that balance, let's look at some of the most common methods used in the industry:

Address Verification Systems (AVS)

Address verification is an industry-standard fraud prevention measure, available on almost all platforms such as Cybersource and Adyen. The issuing bank compares the billing address entered at checkout with the address it has on file for the card; in practice only the numeric part of the street address and the postal code are compared. When a customer submits a payment, the billing address from the checkout is passed to the payment gateway and the fraud system, and the issuer returns an AVS result code that says whether the street number and the postal code matched, partially matched, or could not be checked. Note that the authorization itself is normally still approved even when AVS does not match: it is the merchant who decides how to handle a mismatch, for example with a risk rule that declines or reviews such orders and voids the authorization.

Merchants who sell globally should be prepared to handle both domestic and international AVS codes, as each is checked against different data points, and different card brands use slightly different code sets. Many issuers outside the US, the UK and Canada do not support AVS at all, so the result comes back as "unavailable" rather than as a match or a mismatch, and a rule that treats "unavailable" as a failure will reject a lot of legitimate international customers.

Accepting orders that fail AVS is possible, but it can affect the company's interchange fees and its exposure to chargebacks, so these decisions should not be taken lightly.
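As an added example (not code from this article or from any gateway), here is how the AVS result can be turned into a merchant-side decision. The single-letter codes in the table are the common US-style AVS results; the exact letters and their meaning vary by processor and card brand, so the table is an assumption to be replaced with your gateway's documented list. The point of the example is the policy around the edges: "unavailable" is not a mismatch, "retry" is not a mismatch, and a merchant-side decline must also void the approved authorization.

```python
"""Merchant-side handling of AVS result codes (added example; the code table is
an assumption, not any specific gateway's list)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Match = Optional[bool]  # True = matched, False = mismatched, None = not checked

# code -> (street number match, postal code match)
AVS_CODES: Dict[str, Tuple[Match, Match]] = {
    "Y": (True, True),      # street number and postal code match
    "A": (True, False),     # street number matches, postal code does not
    "Z": (False, True),     # postal code matches, street number does not
    "N": (False, False),    # neither matches
    "U": (None, None),      # issuer does not support AVS / address unavailable
    "S": (None, None),      # AVS not supported for this card
    "G": (None, None),      # non-US issuer, AVS not available
}
RETRY_CODES = {"R"}         # issuer system unavailable: retry later, not a mismatch


@dataclass(frozen=True)
class AvsDecision:
    action: str   # "accept" | "review" | "decline" | "retry"
    reason: str


def evaluate_avs(code: str, card_country: str, merchant_country: str = "US") -> AvsDecision:
    """Turn an AVS result into a merchant decision.

    The issuer normally approves the authorization regardless of the AVS
    result, so a "decline" here means the merchant must also void the
    approved authorization; otherwise the customer's funds stay on hold.
    """
    code = (code or "").strip().upper()
    if code in RETRY_CODES:
        return AvsDecision("retry", "issuer AVS system unavailable, retry the authorization")

    street, postal = AVS_CODES.get(code, (None, None))
    international = card_country.upper() != merchant_country.upper()

    if street is None and postal is None:
        # Many issuers outside the US, UK and Canada never return a match
        # result. Hard-declining here rejects a large share of legitimate
        # international customers, so send the order to review instead.
        where = "international" if international else "domestic"
        return AvsDecision("review", f"AVS unavailable for {where} card (code {code or 'none'})")
    if street and postal:
        return AvsDecision("accept", "street number and postal code match")
    if postal:
        # Street mismatch with a matching postal code is the most common
        # false alarm (apartment numbers, abbreviations, recent moves).
        return AvsDecision("review", "postal code matches, street number does not")
    if street:
        return AvsDecision("review", "street number matches, postal code does not")
    return AvsDecision("decline", "neither street number nor postal code match")
```

In practice the AVS decision is one input among several (3DS result, velocity, order value), so the "review" outcomes above would feed a risk score rather than stop the order on their own.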

Machine Learning and Artificial Intelligence

Cutting-edge technologies are helping businesses fight fraud like never before. Models trained on millions, sometimes billions, of data points are now used to flag cards and individuals with high fraud scores.

Industry giants capture payment transactions from 150+ countries across the globe. Datasets at that scale let their systems produce insights with high accuracy.

Stripe Radar is a good example of such a solution. It goes beyond regular card screening: it ingests TC40 and SAFE fraud reports from the card networks and early dispute claims. Stripe Checkout also uses behavioral signals to detect potentially fraudulent sessions.

Behavioral Analytics, Velocity Checking & Risk Profiles

Behavioral science is nothing new; it is a well-known branch of applied psychology, and its premise is that humans are creatures of habit and routine. With data science and supervised machine learning, behavioral data can be processed at scale.

If the system flags an activity as unusual, the customer is not acting according to their recorded behavioral pattern. That is a red flag: it may mean that someone has taken over the customer's account. PayPal and Adyen's RevenueProtect are good examples of this approach.

Red-flagged behaviors include shipping to vacant or hotel addresses, bulk orders on a retail site, orders much larger than usual, suspicious email addresses, and so on. The system returns the appropriate fraud review code and the merchant decides how to handle each case.

Another technique used to detect fraudulent attacks is velocity checking, and it is a very interesting one. Some behaviors are not suspicious on their own, but if they are repeated several times within a certain time window, the odds change. Time is an important element in fraud. A single order shipping to a vacant address might be innocent; a dozen of them within a few minutes, or a burst of authorization attempts on different cards from the same IP address, almost certainly is not.
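An added example of a velocity check (not code from this article or from any vendor): a sliding-window counter per rule and per key, run over a constructed stream of checkout attempts. The events, the keys (client IP, card fingerprint, shipping address) and the thresholds are all made up for illustration; a real deployment would keep the counters in a shared store such as Redis with a TTL and key on a card token or hash, never on the raw card number.

```python
"""Sliding-window velocity checks over a stream of checkout attempts
(added example; events, keys and thresholds are constructed)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List


@dataclass(frozen=True)
class VelocityRule:
    name: str        # label returned when the rule trips
    key: str         # event attribute to count on
    limit: int       # attempts allowed inside the window before tripping
    window_s: int    # window length in seconds


class VelocityChecker:
    def __init__(self, rules: List[VelocityRule]):
        self.rules = list(rules)
        # one set of counters per rule, keyed by the attribute value
        self._hits: Dict[str, Dict[str, Deque[int]]] = {
            r.name: defaultdict(deque) for r in self.rules
        }

    def observe(self, event: dict) -> List[str]:
        """Record one attempt and return the names of the rules it trips."""
        ts = event["ts"]
        tripped = []
        for rule in self.rules:
            value = event.get(rule.key)
            if value is None:
                continue
            window = self._hits[rule.name][value]
            # drop attempts older than the window; events arrive in time order
            while window and ts - window[0] > rule.window_s:
                window.popleft()
            window.append(ts)
            if len(window) > rule.limit:
                tripped.append(rule.name)
        return tripped


RULES = [
    VelocityRule("ip_burst", "ip", limit=5, window_s=60),          # card testing
    VelocityRule("card_retry", "card_fp", limit=2, window_s=300),  # same card hammered
    VelocityRule("address_reuse", "ship_addr", limit=3, window_s=3600),
]

# Constructed sample stream (ts in seconds; IPs from documentation ranges).
SAMPLE_EVENTS = [
    {"id": 1, "ts": 0, "ip": "203.0.113.10", "card_fp": "c1", "ship_addr": "12 Main St"},
    # six different cards from one IP to one vacant address within 40 seconds
    {"id": 2, "ts": 100, "ip": "198.51.100.7", "card_fp": "c2", "ship_addr": "99 Vacant Rd"},
    {"id": 3, "ts": 105, "ip": "198.51.100.7", "card_fp": "c3", "ship_addr": "99 Vacant Rd"},
    {"id": 4, "ts": 110, "ip": "198.51.100.7", "card_fp": "c4", "ship_addr": "99 Vacant Rd"},
    {"id": 5, "ts": 120, "ip": "198.51.100.7", "card_fp": "c5", "ship_addr": "99 Vacant Rd"},
    {"id": 6, "ts": 130, "ip": "198.51.100.7", "card_fp": "c6", "ship_addr": "99 Vacant Rd"},
    {"id": 7, "ts": 140, "ip": "198.51.100.7", "card_fp": "c7", "ship_addr": "99 Vacant Rd"},
    # one card retried from rotating IPs
    {"id": 8, "ts": 500, "ip": "192.0.2.1", "card_fp": "c8", "ship_addr": "5 Elm Ave"},
    {"id": 9, "ts": 520, "ip": "192.0.2.2", "card_fp": "c8", "ship_addr": "5 Elm Ave"},
    {"id": 10, "ts": 540, "ip": "192.0.2.3", "card_fp": "c8", "ship_addr": "5 Elm Ave"},
    # the first customer returns more than an hour later: counters have expired
    {"id": 11, "ts": 4000, "ip": "203.0.113.10", "card_fp": "c1", "ship_addr": "12 Main St"},
]


def run_demo() -> Dict[int, List[str]]:
    """Feed the sample stream through the checker; event id -> tripped rules."""
    checker = VelocityChecker(RULES)
    return {e["id"]: checker.observe(e) for e in SAMPLE_EVENTS}
```

Note that the first few attempts in the card-testing burst pass clean; the rule only trips once the count inside the window exceeds the limit, so a velocity rule is a signal to feed into the risk score rather than a reason to block the first order from a new customer.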

Card Authentication and 3D Secure (3DS)

3DS is an additional layer of fraud prevention and an industry standard, and it is the usual way for card payments to satisfy Europe's Strong Customer Authentication (SCA) requirement. When 3DS is enabled, the checkout hands the customer over to their issuing bank, which authenticates them, for example with a one-time code sent by text message or a confirmation in the bank's mobile app, before the transaction is finalized. A successful 3DS authentication also shifts liability for fraud-related chargebacks from the merchant to the issuer, which is the main reason merchants outside Europe enable it too.

3D Secure 1 was retired in October 2022 by the major card networks and replaced with 3D Secure 2, which supports frictionless authentication: the issuer receives many more data points about the transaction and the device and can approve low-risk payments without challenging the customer at all. 3DS2 also improves the customer experience with native SDKs that let app developers run the whole 3DS flow in-app, without redirects.

How to build the perfect defense?

As each business and industry is different, the best way to find the right fraud prevention approach for a specific business is to constantly inspect and adapt the fraud strategy in place. Fraud prevention should be treated as an iterative and incremental process.

This process is not straightforward. Many businesses prioritize customer experience over security while others prefer the exact opposite. From my own experience with the clients I have worked for, I can tell you that balance is key.

The best way to approach this is to split the effort into four steps: set fraud prevention measures, inspect the results, adapt and adjust the measures, and repeat the cycle. This is not an immediate fix, but over a realistic timeline the cycle converges on a strategy that fits the business.

Let’s reduce risk with our industry best practices

Dealing with fraud is like navigating tricky waters, but fear not, Captain e-commerce is here with you on deck.. Just kidding! Fraud prevention has never been more manageable, with AI, ML and robust fraud prevention software available. Let's look at some tips a business can follow to reduce its exposure to fraud while keeping the user experience customer-friendly.

Wider network to pick up fraud signals

With fraud prevention, strength is in numbers. The bigger the dataset the decision is made against, the better and more accurate the result. No decision a fraud prevention system takes should be taken lightly, and a provider whose network picks up hundreds of billions of data points can detect fraud more accurately with a lower risk of rejecting real customer orders.

Compliance with industry security standards like PCI and PSD2

Security standards like the Payment Card Industry Data Security Standard (PCI DSS) and the European Union's Second Payment Services Directive (PSD2) do not only ensure that card data is protected; they also require retailers and service providers to follow security measures that help them fight fraud. For example, PSD2 mandates Strong Customer Authentication (SCA) for most online card payments in the European Economic Area, and 3DS, discussed above, is how merchants meet that requirement.

Invest in Artificial Intelligence and Machine Learning

Humans make errors, so a good fraud prevention strategy should not rely on human review alone. Machine learning helps in two ways. Supervised models learn from labeled outcomes, such as confirmed chargebacks and analyst decisions, to recognize known fraud patterns; unsupervised models look for anomalies that do not match any known pattern and can surface new types of fraud before anyone has labeled them.

Models can also be retrained on fresh data daily and adapt to new fraud patterns, something human reviewers cannot match; keeping a manual review team current with evolving fraud patterns is a costly effort.

Address Verification Services (AVS) and multi-factor authentication (MFA) are a must for today's businesses. Fraudsters rely on elements of identity theft, and strict AVS, 3DS and MFA processes go a long way towards stopping the majority of these attacks.

Partnership with major card issuers and leading banks

Services that partner with major card issuers and leading financial institutions give businesses a real advantage: they can use data from these reliable sources to train their models and detect fraudulent activity more accurately.

What to look for in a fraud screening and prevention solution?

Selecting the right fraud screening service is no easy task. Many factors come into play; it is a crowded market and there are a lot of balls to juggle. Based on my own experience with leading retailers, here is a list of areas a business should look at when making that decision.

Branch out or stay in the house?

Every e-commerce website partners with some sort of payment gateway to authorize its customers' payments (you can read more on that in my other article, Technical Overview on Payment Gateways). Some payment gateways offer native fraud screening capabilities. Based on the features and capabilities on offer, the business can decide to use those native capabilities or branch out to a standalone service.

Does it support the payment methods available on the site?

One of the most important criteria when choosing a fraud screening solution is which payment methods the provider supports. The provider must at least be able to screen every payment method the site accepts.

For example, if a site accepts credit cards, Google Pay and Apple Pay, we need a provider that can handle all three. Bundling multiple fraud screening solutions on one website is widely frowned upon and very expensive to maintain.

Does it offer the needed features and services?

Earlier in this article we discussed that the best defense against fraud follows an iterative approach, and that decisions should be based on evidence. The business should observe which type of fraud it is mostly experiencing and pick the service that addresses it.

For example, if a business is facing a lot of velocity attacks (card-testing bursts, repeated orders to the same address), choosing a service that does not offer velocity checks would render the whole exercise useless.

Is the reporting capability up to the bar?

No one likes to fly blind. Businesses rely on reporting to gain clarity and make informed decisions in key areas, and payments and security are two of the most critical areas for any e-commerce business. Crystal-clear reports are therefore a must, covering at a minimum the key areas of the system: accept, decline and review rates, the manual review backlog and its outcomes, and chargebacks traced back to the screening decision that let them through.

Is the system always available?

The availability of the service directly affects the customer experience. If the service fails frequently, customers are blocked from placing orders, which hurts the business and damages user perception and expectations.

The business should pick a service that is highly reliable with near-zero downtime. Total request time is also vital for customer satisfaction, as a slow checkout pushes users away from the website. The integration should also define what happens when the service times out or is down: routing those orders to manual review (failing open into review) is usually safer than hard-declining every checkout while the provider recovers, and safer than silently accepting everything.

Can it handle the business expectations?

Advanced fraud screening services tend to require a more involved integration, but in return they deliver more accurate results and an overall better customer experience. Such services may be the best option for companies handling massive transaction volumes with a higher probability of fraud attacks.

Is it easy to integrate with?

Many fraud screening services know that businesses are attracted to plug-and-play software, so they invest in plugins and drop-in components for the major e-commerce platforms. That is not always the case, though: some services require extensive code changes to get even basic functionality running, which translates into additional cost for the merchant.

I've worked with a major retailer before who was moving from the fraud screening service offered by their payment gateway to a different third-party service. The service the merchant wanted to use didn't offer an easy integration with Salesforce. We spent over 200 development and QA hours to get the service running as expected.

The offering over the long term

I remember working with a client that had to switch their fraud service because it was pushing the majority of their transactions to manual review and charging them extra fees. This happened because the service couldn't handle their business requirements and the merchant didn't have a crystal clear understanding of the fees. This mistake cost the business a few hundred thousand dollars and a few months to weigh different fraud services, settle on one and integrate with it.

Before a business settles on a service, it should fully understand how fees are calculated, when they are charged and under which conditions.

How to integrate fraud services with Salesforce Commerce Cloud?

Different services integrate differently with Salesforce Commerce Cloud, and many factors influence how an integration will go. Based on my experience, however, every integration goes through the same essential phases.

Successful businesses are always aware, at least at a high level, of the work needed to get something up and running on their platform, and I'm here to help with that.

Prepare the data

Fraud screening services need a lot of data (billing info, payment info, customer info, etc.) to do their job properly. Different payment methods require different data: a card token may be required for credit card checks, while an Apple Pay transaction carries a wallet or network-token reference instead. The engineering team should collect the data required for every payment method available on the site, and should pass tokens and references rather than raw card numbers so the integration does not widen the site's PCI scope.

Place the call

The engineering team then decides where in the checkout flow to place the call to the fraud service. This depends on the service: some perform pre-authorization checks, but the majority screen after authorization, so that the authorization result (AVS and CVV codes, for instance) can be used as additional input.

Parse the response

Based on the provided data, the service returns one of three statuses: fraud accept, fraud decline or fraud review. The terms are fairly self-explanatory, but let's review them together:

  • Fraud Accept

The provided information passed the fraud screening checks, and the business can confidently proceed with the authorization (or the capture, if the order was already authorized) and release the order for fulfilment.

  • Fraud Decline

On the other hand, this status tells the business that the provided data failed the fraud screening checks set by the service. The business should decline the order and void the authorization so that the hold on the customer's funds is released.

  • Fraud Review

Finally, this status is used for transactions that fall into a gray area. These can be handled as the business wishes. Some businesses accept those orders and have a CSR review them manually before shipment, some prefer to maximize security by declining them, and some prefer a smoother customer experience and accept them with no questions asked. Based on my experience in the field, the first option is the way to go, even though it may incur some extra fees. It is the best balance between security and a great customer experience.

Handle manual reviews

If a business accepts orders with a review status, it will have to reject some of them after they have already been authorized, and sometimes after they have been captured. The integration therefore needs a way to void the authorization, or refund the payment if it was already captured, for orders that are rejected in review.

There are generally two ways to do that. Some fraud screening services offer webhooks: when a decision is made on an order in review, the service calls a hook that cancels the order and reverses the authorization. Other services do not, so a scheduled job has to sift through the orders on hold, check their status with the provider and act accordingly. Either way, the handler should be idempotent, since the same decision may be delivered or observed more than once.
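The four phases above, as one added example that is not code from this article and not the API of Salesforce Commerce Cloud or of any fraud vendor. StubFraudService and StubGateway stand in for the provider and the payment gateway; their method names, the payload field names, the toy screening rules and the orders are all assumptions constructed for the demo. Screening is assumed to run after authorization, the common case described above. The example also shows the two details that most often go wrong in real integrations: a provider outage fails open into manual review rather than declining every checkout, and a rejected review order is voided if it was only authorized but refunded if it was already captured, idempotently.

```python
"""Fraud screening integration flow: prepare data, place the call, parse the
response, reconcile manual reviews. Added example; stub classes, payload field
names and toy rules are assumptions, not any platform's or vendor's API."""
from dataclasses import dataclass

ACCEPT, DECLINE, REVIEW = "ACCEPT", "DECLINE", "REVIEW"

@dataclass
class Order:
    order_id: str
    amount: float
    method: str                  # "card" | "apple_pay"
    billing: dict
    shipping: dict
    auth_id: str                 # authorization placed before screening
    captured: bool = False       # True if funds were captured at order time
    card_token: str = ""         # gateway token, never the PAN
    wallet_ref: str = ""         # wallet/network-token reference for Apple Pay
    state: str = "authorized"    # -> fulfillable | on_hold | cancelled

def build_screening_payload(order: Order) -> dict:
    """Step 1: each payment method needs different data."""
    payload = {"order_id": order.order_id, "amount": order.amount, "method": order.method,
               "billing": order.billing, "shipping": order.shipping}
    if order.method == "card":
        if not order.card_token:
            raise ValueError("card orders must carry the gateway card token")
        payload["card_token"] = order.card_token
    elif order.method == "apple_pay":
        payload["wallet_ref"] = order.wallet_ref     # wallet payments carry no card token
    else:
        raise ValueError(f"unsupported payment method: {order.method}")
    return payload

class StubFraudService:
    """Stand-in provider with toy rules (an assumption, not a real vendor)."""
    def __init__(self, review_outcomes: dict, down: bool = False):
        self.outcomes, self.down = review_outcomes, down  # analyst decisions to poll
    def screen(self, payload: dict) -> str:
        if self.down:
            raise TimeoutError("fraud service unreachable")
        if payload["billing"]["country"] != payload["shipping"]["country"]:
            return DECLINE
        return REVIEW if payload["amount"] >= 1000 else ACCEPT
    def review_status(self, order_id: str) -> str:
        return self.outcomes.get(order_id, REVIEW)       # still in review if unset

class StubGateway:
    def __init__(self):
        self.voided, self.refunded = [], []
    def void(self, auth_id): self.voided.append(auth_id)
    def refund(self, auth_id): self.refunded.append(auth_id)

def screen_order(order: Order, svc: StubFraudService) -> str:
    """Step 2: place the call; on outage fail open into review, not into a decline."""
    try:
        return svc.screen(build_screening_payload(order))
    except TimeoutError:
        return REVIEW

def cancel(order: Order, gw: StubGateway) -> None:
    """Void an open authorization, refund a captured one; idempotent."""
    if order.state == "cancelled":
        return                                   # the job may see the same order twice
    (gw.refund if order.captured else gw.void)(order.auth_id)
    order.state = "cancelled"

def apply_decision(order: Order, decision: str, gw: StubGateway) -> None:
    """Step 3: map the provider's status onto the order (KeyError on unknown status)."""
    if decision == DECLINE:
        cancel(order, gw)
    else:   # ACCEPT releases the order; REVIEW is accepted but held back from shipment
        order.state = {ACCEPT: "fulfillable", REVIEW: "on_hold"}[decision]

def reconcile_reviews(orders: list, svc: StubFraudService, gw: StubGateway) -> None:
    """Step 4: the scheduled job used when the provider offers no webhooks."""
    for order in orders:
        if order.state == "on_hold":
            final = svc.review_status(order.order_id)
            if final != REVIEW:      # ACCEPT releases the order, DECLINE cancels it
                apply_decision(order, final, gw)

def run_demo(provider_down: bool = False):
    """Constructed orders; returns (order states, voided auths, refunded auths)."""
    us, ng = {"country": "US"}, {"country": "NG"}
    orders = [
        Order("o-1", 50.0, "card", us, us, "a-1", card_token="tok_1"),
        Order("o-2", 1500.0, "apple_pay", us, us, "a-2", wallet_ref="ap_2"),
        Order("o-3", 2000.0, "card", us, us, "a-3", captured=True, card_token="tok_3"),
        Order("o-4", 80.0, "card", us, ng, "a-4", captured=True, card_token="tok_4"),
        Order("o-5", 1200.0, "card", us, us, "a-5", card_token="tok_5"),
    ]
    svc = StubFraudService({"o-2": DECLINE, "o-3": ACCEPT}, down=provider_down)
    gw = StubGateway()
    for order in orders:
        apply_decision(order, screen_order(order, svc), gw)
    reconcile_reviews(orders, svc, gw)
    reconcile_reviews(orders, svc, gw)      # a second run must not void or refund twice
    return {o.order_id: o.state for o in orders}, gw.voided, gw.refunded
```

With a provider that offers webhooks, the webhook handler would simply call `apply_decision` with the delivered status; the idempotency check in `cancel` is what makes a redelivered webhook harmless.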

After reading this extensive guide, you should be ready to dive into the world of fraud detection with a solid understanding of how things work there. Good luck!