Bad Actors at Scale: The Real Cost of Fraud & Policy Abuse Featured Image

Bad Actors at Scale: The Real Cost of Fraud & Policy Abuse

The cost of promo abuse isn’t always apparent right away, but when fraudsters abuse promotions systematically, the scale of losses can spiral out of control right under your nose. Explore how fraud and policy abuse cost money at scale, and how you can stop fraudsters from expanding their operations.

For those who prefer listening over reading, we've provided an audio transcription player below, allowing you to enjoy this post through your speakers or headphones.

Bad Actors at Scale: The Real Cost of Fraud & Policy Abuse

We know that fraud costs platforms money, but exactly how much money isn’t always clear at a glance—even to the people directly involved with a fraud prevention team. In the past, many stakeholders have thought of fraud as just a cost of doing business. As digital tools allow the fraudsters of today to scale faster and more cheaply, however, it’s becoming clear that fraud is a serious financial problem.

In a webinar with Marketplace Risk called “Fraud Prevention: Cost Center or Profit Center?” Incognia CEO and co-founder André Ferraz shared some insightful anecdotes about the true, hidden scale of fraud, fraud losses, and multi-accounting.

Multi-accounting allows fraudsters to scale quickly & cheaply

If multi-accounting fraud required fraudsters to have a brand new device for every new account they wanted to create, the cost and effort of committing it would quickly outweigh the benefits. Instead, they use tools at their disposal to get around re-identification signals like device ID, which allows them to use the same device for many, many different accounts. App cloners, app tampering tools, emulators, and factory resets are just a few examples of these tools, most of which are easily accessible online.

The amount of accounts a fraudster can make on using a single device can easily stretch into the hundreds, and fraudsters can use multiple devices. Some fraudsters even work in small times with each person managing a couple devices, and each device hosting dozens or hundreds of accounts. Without a persistent device fingerprinting solution to re-identify the same devices across accounts, this problem might be all but invisible to targeted platforms.

Promo abuse washes your marketing budget down the drain

So, fraudsters have hundreds of accounts on one or only a few devices, but they still have to leverage them if they want to make money. Promo abuse is one of the ways that fraudsters profit from fake accounts.

During the “Profit Center or Cost Center?” webinar, André told a story of a ride-hailing business that was unknowingly paying out around 60% of their referral bonuses to existing users instead of new users. Essentially, the app would offer $10 incentives to existing users to invite new users to join the platform. Instead of inviting new individuals, fraudsters would create new fake accounts to invite and claim those referral bonuses over and over again.

André explained:

“They were losing over a million dollars per month with this. They thought that the problem was that the users were simply not sticking around, like, ‘Oh, my retention rate is this low.’ No, that's actually fraud. That's the promotion abuse. So we were able to help them fix that, and now they're able to really invest 100 percent of their budget and not lose 60 percent of it… Increasing conversion rates for user acquisition and improving the retention rates as well is something you can have an impact on if you're a fraud fighter.”

What looks like hundreds of accounts could be one person

As we’ve mentioned a few times in this post, one of the most insidious things about fraud at scale is that even at the scale of hundreds of accounts, the problem might be invisible to platforms. In fact, platforms who already have a device fingerprinting solution in place might be even more vulnerable if they don’t keep up with testing.

André used one example we’ve seen to explain why assuming your platform’s safety from multi-accounting (even if you have a device fingerprinting solution) is a mistake: “Many times I've seen fraud fighting organizations assuming that they were safe because, let's say, ‘Oh, I have device fingerprinting in place.’ For example, when we tested [one platform] we saw like, ‘Hey, have you seen this device here? This device alone was able to make 400 purchases, and on your side, we see that those 400 purchases were made using over 300 accounts.

“They looked at it and they said, ‘Well, our device fingerprinting vendor is telling us that these are in fact, 300 devices.’ And then we were able to show, ‘No, here's our data. And this is just one device. This fraudster was able to trick your device fingerprinting solution.’”

Assuming that your device fingerprinting solution is unspoofable without doing continuous testing could mean you’re inviting a sleeping giant onto your platform–to the tune of hundreds or thousands of fake accounts draining your marketing dollars and undermining the integrity of your user experience.

The importance of persistent device fingerprinting

We’ve seen some impressive numbers in this post that point to the real scale of fraud and policy abuse. Sixty percent of referral bonuses wasted on existing users costing over a million dollars a month on one platform, and over 400 purchases made across 300 different accounts, all on a single device, affecting another platform. Think about what this scale of fraud could mean on your platform. How do we stop this kind of problem? How do we keep eyes on the true scale of fraud on a platform when fraudsters invest so many tools into evading detection?

The answer is persistent device fingerprinting, but it has to be truly persistent.

Traditional device fingerprinting, relying on things like device ID and parameters like OS, screen resolution, and so on, is easy for fraudsters to outfox. Instead, you need device fingerprinting bolstered in strength by additional signals, like location intelligence.

If we think about fraud prevention signals like a net meant to catch fraudsters, the more layers you have, the smaller the holes in the net for fraudsters to slip through and commit abuses against your platform. If you have precise location data for a device, you can re-identify that device using its location even beyond a factory reset or device ID spoofing attempt.

Something to keep in mind, however, is to test solutions regularly. Fraudsters are always adapting to the newest fraud prevention best practices, so assuming that having a solution at all means you’re safe from fraud is a mistake.

Like André emphasized during the webinar, “Just checking the box and saying, ‘I have these three, four, or five different signals that everybody recommends,’ it's not enough. You need to be testing what you have in place against other things. You should be testing your in-house solutions with external solutions and you have to have, again, the structure to support you.”

Fraudsters have the power of a lower cost floor and high profit ceiling at their disposal that gives them an advantage over platforms, which have to invest a lot of time and money into protecting their margins from fraudulent activity. Even so, by staying on top of testing new solutions and remaining skeptical of vendor claims, platforms can protect their profits and integrity from hidden threats and stop multi-accounting from scaling out of control.