It’s one thing to respond to fraud after it happens by remediating accounts, filing chargebacks, restoring customer access, and more, but most people would agree that the best kind of fraud is fraud that doesn’t happen at all. Fraud detection and prevention is all about assessing risk further upstream in the user journey and stopping fraud and abuse before it can have a negative impact on a platform and its users. Fraud detection can also extend further and apply to identifying active fraud—otherwise known as real-time fraud detection—that would then be dealt with by a company’s fraud response team.
Fraud detection and prevention uses sophisticated tools and tactics to identify and safeguard against threat actors. These can include machine learning, device and location intelligence, multi-factor authentication, manual transaction review, transaction monitoring, using various types of fraud detection software, and more.
What is fraud detection and prevention?
Methods for detecting and preventing fraud
The face of the Internet has evolved a lot in the past thirty years, and so have the best practices for protecting users. As we trust the Internet with more of our daily needs, personal information, and transactions, the stakes are higher than ever to embrace resilient, user-friendly fraud detection and prevention practices. Today’s fraud fighters use a number of different fraud detection tools and techniques.
Multi-factor authentication (MFA)
Multi-factor authentication (MFA) is a tool that prevents fraud by adding an extra layer of security to user accounts. MFA requires a user to provide two or more independent credentials in order to gain access—usually something they know (like a password), something they have (like a phone or hardware token), or something about them (biometric verification). This extra layer of security can help to detect and deter fraud by making it more difficult for unauthorized individuals to gain account access.
MFA also allows organizations to create a digital trail that can be used to identify suspicious activity and take appropriate action. By requiring users to provide multiple credentials, MFA reduces the risk of account takeover through stolen or guessed passwords. With that said, it’s also important to acknowledge that MFA can have its own vulnerabilities if not configured properly. If MFA is opt-in rather than opt-out, many users will never enable it. In addition, MFA that’s based on SMS codes or one-time passwords (OTP) is vulnerable to phishing attacks.
Geolocation and IP address tracking
Geolocation and IP address tracking can both be used to help authenticate users and detect anomalies in sign ups or logins. For example, if a user who typically logs in from North America is suddenly logging in from Europe, that might indicate higher risk of fraud that should prompt some form of step-up authentication. Similarly, if an onboarding user reports a location that’s very different from what’s provided by their IP or device location, that may also raise the risk indications for that user.
However, tamper resistance is a critical requirement if an organization plans to rely on geolocation, since IP addresses and GPS data can both be manipulated and spoofed by bad actors.
Transaction monitoring and analytics
The way consumers handle their transactions can tell you a lot about who they are and, to an extent, how risky their transactions might be. For example, some marketplaces use velocity limiters to control how quickly transactions can take place. This ensures that, in the case that someone gains unauthorized access to an account or steals a credit card, they can only buy so much before they’re put on a cooldown period. Monitoring suspicious transaction behavior can also help platforms step in more quickly to stop fraud.
Automated fraud detection
Automated fraud detection systems use advanced algorithms and machine learning to detect suspicious activities. By analyzing data points such as user behaviors, transaction patterns, account information, and IP addresses, the system can quickly identify potential fraudulent activity. These systems are designed to be highly adaptive and able to respond to changing patterns of behavior.
Manual review
Sometimes, automated fraud detection systems and machine learning algorithms lack the contextual understanding that a human being might have when it comes down to a judgment call about whether or not to approve a transaction. This is when manual reviews can be particularly useful. However, manual reviews are lengthy and costly compared to their automated counterparts, so they’re best used sparingly to supplement an automated fraud detection and prevention solution.
Challenges facing fraud detection and prevention today
Despite the advances in fraud detection technology, there are still plenty of challenges to effective online fraud detection. Some of the biggest challenges include increasing sophistication of attacks and inadequate resources for fraud departments. In addition, a constantly evolving technological landscape presents its own unique set of challenges, such as limiting false positives when dealing with multiple connected devices in the same household or hundreds of devices in the same apartment building.
Spoofing attacks
Biometric authenticators can be a strong authentication solution, but they aren’t foolproof. In spoofing attacks, dedicated fraudsters manipulate their image, voice, geolocation data, IP address, or device data in order to fool automated anti-fraud systems and authentication gateways.
Evolving fraudster tactics
As quickly as anti-fraud teams formulate defenses against the latest fraud tactics, fraudsters are already moving onto the next cash cow. Keeping up with the rapid development of new attack vectors can put a serious resource strain on even the most dedicated fraud teams.
Balancing user friction with security
Unfortunately, some of the strongest verification methods are also the most frustrating to navigate as a user. Uploading a selfie holding a photo ID can be an excellent way to cut down on the number of fraudsters trying to join a platform, but it can also turn away legitimate users who aren’t attached enough to the platform to divulge that level of personally identifiable information. Finding a balance between user friendliness and security is critical for ensuring user compliance and maintaining healthy onboarding numbers.
Social engineering and phishing attacks
As smart as most users are, it’s not their job to know about every kind of social engineering and phishing scheme out there. That’s why fraud prevention professionals can’t rely fully on user education to prevent stolen credentials and the account takeover attacks that follow.
At the same time, it’s hard to detect fraudulent transactions that stem from an account takeover enabled by phishing or social engineering—from the outside, all might appear normal. This makes these types of attacks particularly hard to detect and defend against.
Multi-accounting
Unfortunately, catching and banning a fraudster often isn’t the end of the story—it’s just the tip of an iceberg. By creating dozens or even hundreds of accounts using stolen or fabricated information, fraudsters cultivate an arsenal of personas to use for their fraud. If one is banned, they simply switch to a new one. Spreading their attack capabilities out like this can make permanently identifying and banning fraudsters incredibly complicated.
Mobile fraud detection challenges and approaches
Mobile fraud detection is a growing concern in the online world. As more users become comfortable with completing daily tasks such as banking or shopping on their phone, criminals are taking advantage of this convenience to commit fraudulent activities. To combat this growing issue, fraud detection companies and mobile app developers must be aware of the risk involved, develop tools and best practices for mobile fraud detection, and be prepared to act quickly in the event of an attack.
Each market segment has different fraud concerns as well as different laws and regulations governing how they must approach user verification.
Social media
Social media is a little bit different from the other segments on this list in that it doesn't necessarily involve payments processing. While it's true that social media websites might have some reasons to keep a user's card information on file (e.g. paying for a premium subscription or subscribing to another user's content), it's often possible to use a social media platform for its primary function without spending any money or divulging any payment information.
Social engineering and scams are a few of the biggest concerns for social media platforms. For example, in romance scams, a fraudster joins a dating app or platform and pretends to cultivate a romantic relationship with another user. Over time, as that user grows attached to the fraudster (who is typically not sharing true details about their life, interests, income, etc.), the fraudster begins asking for money and other favors, typically under the guise of planning an in-person visit with the victim which will never happen.
Account takeover is another concern with social media accounts. A user might be socially engineered into divulging their account credentials or one-time passwords (OTPs), allowing bad actors unauthorized access to their account. The fraudster can then hold the account hostage for money, use credit card information if any is saved to the platform, socially engineer people on the victim's friends list, and so on.
Because 2FA methods like SMS codes and OTPs are so vulnerable to phishing and social engineering, some of the best ways to detect fraud on social media are passive, tamper-resistant solutions that require minimal engagement from the user. For example, in the case of behavioral biometrics like location intelligence, it’s impossible for the user to be phished out of the behavioral data being used to authenticate them, and it’s extremely difficult for a fraudster to fake that data.
Online marketplaces & e-commerce
Online marketplaces and e-commerce websites have specialized fraud detection processes to protect their users from fraudulent transactions. These include the use of machine learning algorithms to detect patterns in user behavior that indicate fraudulent activity, such as a sudden change in spending habits or geographical location. Additionally, they often employ techniques such as velocity checks (i.e., limiting the number of purchases allowed in a certain amount of time per account or IP address), blacklisting of suspicious users, and risk scoring (assigning a numerical value to the relative risk of each transaction).
Other techniques used by online marketplaces and e-commerce sites include requiring customers to provide additional documentation such as ID or utility bills for verification; using payment gateway solutions with fraud protection features like 3D Secure protocols; and employing anti-fraud teams to manually review flagged transactions. By combining these tools and techniques, online marketplaces and e-commerce sites can effectively detect fraud while providing a seamless user experience.
iGaming
iGaming platforms have unique needs when it comes to fraud detection and prevention due to the high monetary value of transactions that occur, as well as the associated risks with underage gambling. To ensure compliance with anti-fraud regulations, iGaming sites use a combination of techniques such as IP address verification, age/identity verification, user profiling (to identify suspicious account behavior), transaction monitoring, and cardholder verification.
IP address verification is used to identify suspicious activity originating from a single IP or range of IP addresses. Age/identity verification requires customers to provide additional documentation such as an ID card or utility bill for confirmation of age and identity before they’re allowed to make a deposit or withdrawal.
User profiling looks at the user's past account activity to spot suspicious behavior such as unusual deposits or withdrawals, and transaction monitoring analyzes the velocity of transactions to detect any irregular patterns.
Finally, cardholder verification requires an additional layer of authentication before a user can complete a financial transaction, such as a one-time password (OTP) sent via SMS.
Gig economy apps (food delivery, grocery delivery, task hiring, etc.)
Gig economy apps have their own unique set of fraud concerns due to the fact that they typically involve multiple parties trading goods and services. To ensure trust among all users, gig economy sites employ a variety of fraud detection techniques such as background checks, identity verification, geolocation tracking, user profiling, transaction monitoring, and machine learning algorithms.
Online banking
Online banking fraud detection involves a variety of approaches used to ensure the security and safety of customers’ money. These include geolocation tracking to verify that a customer is logging in from an authorized location; biometric authentication for additional layer of confirmation; user profiling to identify any unusual account activity; transaction monitoring to flag suspicious payments or transfers; anti-phishing techniques to ensure customers are not tricked into divulging their confidential information; and machine learning algorithms that can detect patterns in user behavior that indicate fraudulent intent.
In addition, most online banking sites will require further authentication such as one-time passwords (OTPs) for high-value transactions. By combining these techniques, banks can effectively detect fraud and provide a secure experience for their users.
Online banking platforms must also comply with anti-money laundering (AML) regulations in order to protect customers from fraud and financial crime. AML requirements include customer due diligence measures such as identity verification, IP address tracking, geolocation monitoring, and user profiling. Banks are also required to implement procedures designed to prevent customers from circumventing AML regulations by using multiple accounts or providing false information.
In addition, banks must take steps to ensure that customers are not trying to transfer funds for illegal activities such as money laundering, drug trafficking, or terrorist financing. To do this, they have to perform risk-based assessments of each customer in order to detect any suspicious activity. They can then flag and report these activities to the appropriate authorities for investigation.
The best fraud detection software
Being able to identify fraudsters before they act is one of the best ways to go about fraud detection. By stepping in early, you can stop the negative fallout that follows a fraud attack, including loss of revenue, damaged user trust, spent resources, and more.
How to balance fraud detection, fraud prevention, and user experience
So, how does one detect fraud before it happens? It’s all about analyzing the risk signals of users and transactions and reacting accordingly.
For example, Incognia’s location fingerprinting technology uses a combination of geolocation data and device intelligence to look for user activity or characteristics that would indicate a higher risk of fraud. If someone’s device has on it known fraudster tools like app cloners, emulators, and GPS spoofers, that’s probably a good indication of bad intent further down the road. Similarly, if the address someone provides is wildly different from where their location data shows they actually are, that too can be a cause for concern, and step-up verification might be necessary.
Taking a proactive approach can also help stakeholders protect the user experience. Device integrity checks and real-time address verification can both happen passively, meaning that the user doesn’t have to take any additional steps aside from granting permissions. It’s only when a higher risk assessment is returned that users might be asked to provide additional information. This approach can cut down significantly on user frustration while also weeding out a lot of bad actors before they can even onboard.
Fraud fighters and cybercriminals are in a constant game of cat-and-mouse to see who can develop the quickest and most effective counter to the other’s tactics. As long as they have opportunities to exploit people and platforms online, fraudsters have no incentive to stop innovating in their tactics and technologies, meaning that fraud prevention stakeholders bear the responsibility of always staying one step ahead.
By understanding the current state of fraud detection and prevention solutions, as well as looking forward to the future of the space, we can promote a safer and more secure online experience for users and platforms.