What is fraud detection? An in-depth guide to risks, techniques and countermeasures

Discover risks, methods, and solutions for fraud detection in Nethone's detailed guide. Stay ahead of fraudsters with expert insights.

Maciej Pitucha

Chief Data Officer
19 March 2024

11 min read

With fraud continuing to rise - estimated to cost businesses a global total of over 43 billion USD by 2028 - fraud detection and prevention have become ever higher priorities for organizations of all types and sizes.

However, it's natural that many lack the resources to build their own teams and solutions from scratch, while others don't know where to start. From the various methods of fraud, to combating them with machine learning and advanced software, there's a lot to tackle.

In this article, we will explore the growing need for fraud detection through the businesses impacted, risks presented and challenges faced in implementing successful fraud prevention measures. We will then discuss how all of this can be used to build an effective fraud detection system that can prevent fraud in real time through machine learning and advanced software.

Industries affected by fraud

Just as there are many different fraudulent activities, so too are there many different potential targets. There are numerous sectors where fraud detection is becoming more and more critical, as their businesses or services present a viable option for fraudsters to make a profit.

E-commerce stores

Online merchant businesses are naturally a key target. Threats to e-commerce stores include payment fraud and account takeover fraud, wherein fraudsters commit identity theft to use other people's financial details. Similarly, chargeback fraud also damages businesses through both lost money and a damaged relationship with card issuers. E-commerce fraud detection needs to consider all of these potential angles.

Crypto

Currency exchanges and other businesses related to the transactions of cryptocurrencies have to deal with threats ranging from identity theft and fraudulent transactions, to automated bots and fake accounts. Due to the often anonymous nature of cryptocurrency, detecting fraud while keeping false positives to a minimum is critical. These are just some of the issues that crypto fraud detection needs to cover.

Digital goods 

Similar to merchants that sell physical goods, businesses that sell digital products and services also need to enable fraud detection and prevention from a range of threats. This includes account takeovers and chargeback claims. An effective digital goods fraud detection strategy needs to cover all these angles, using machine learning and historical data to assess and react to threats in real time.

Ride-hailing apps

A niche area within digital services, ride-hailing services face a growing range of threats. Fraudsters can not only commit identity theft via account fraud, but they may also commit new account fraud, creating multiple new accounts to take advantage of promotions and offers, costing the app owners money. In extreme cases, such businesses need to consider fake driver accounts, as well as external phishing scams that try to represent your app's legitimate business and take money from potential customers.

Banks

Fraud prevention in banking helps protect the bank's reputation, keep customers and their money safe, and prevent wider fraud risks as a result. Bank accounts represent a key target for cybercriminals and, in order to fight fraud, the financial sector has invested heavily in adapting its services in response to the growing range of fraud tactics. Real customer accounts and data are often used to bypass the Know Your Customer (KYC) identity verification solutions popular in this sector.

Marketplaces

While marketplaces represent an opportunistic channel for additional sales, they also represent an additional attack vector for fraudsters. They can make false claims not only through chargebacks, but also through the marketplace business, and the ability to create new accounts outside of your business' system further limits typical fraud detection methods.

Online lenders 

Like other financial institutions, online money lenders have access to Know Your Customer tools and other means to verify identities. As such, fraudsters again turn to automated attacks and account takeovers of real accounts in order to commit identity fraud.

Travel companies

Fraudulent activities in the travel sector can range from phishing scams to acquire customer data, through to false accounts and fraudulent transactions designed to profit at another company's expense. Due to the often global nature of the travel sector, and the associated interconnection of businesses, fraudsters often rely on a lack of consistent fraud detection for easy targets.

Financial services 

Finally, we can also widen the scope of fraudulent targets to cover all financial-based services. These businesses are targeted for various activities, from payment fraud to account takeover attacks and phishing scams.

Types of fraud

When we talk about fraud detection and prevention, it's important to understand the range of activities covered. Today's businesses are able to defend themselves to varying degrees, which has caused criminals to improve their techniques.

As such, criminals deploy a range of ever-evolving fraud tactics, using the best methods for the target at hand. Therefore, fraud teams and security specialists need to know not only the most common fraudulent activities, but also emerging fraud patterns.

It's also important to note that many of these terms overlap and are not necessarily independent of each other.

Online payment fraud

Online payment fraud covers a range of fraudulent activities that use someone else's details to make payments. It puts a burden on businesses to invest in fraud detection techniques to determine when a genuine user is making a payment, compared to a fraudster using stolen credentials.

Card not present fraud

When it comes to online fraud, the majority often falls under card not present (CNP) fraud. This refers to payments made without the physical card present, such as through online stores or even over the phone. This typically includes stolen information, such as the card number, CVV security code and other details, to bypass standard security. The biggest challenge with card not present fraud often comes in the aftermath, as card issuers often hold vendors responsible for checking and validating identities.  

Account takeovers

Account takeover attacks happen when fraudsters gain access to someone else's accounts, whether that's social media accounts, bank accounts or shopping accounts on e-commerce websites. Consequently, account takeover fraud (ATO) often leads to identity theft, where fraudsters make transactions under the assumed identity of the original account holder.

Policy abuse

Policy abuse fraud refers to a range of fraudulent activities designed to exploit the individual policies of businesses. This can include promotional abuse, or even finding loopholes in free shipping, returns and other offers. Fraudsters often make new accounts, abuse loyalty programs or otherwise try to gain free goods from merchants, costing the business as a result.

Resellers fraud

Common in limited goods or services where demand is high, reseller fraud occurs when fraudsters use various means to buy as many of these items as possible, only to resell them at a significantly higher price. This includes the likes of festival tickets, or goods that are limited in number, such as new phone releases. As a result, this hampers the experience customers have with the brand, threatening long term loyalty.

Multiaccounting

Also known as new account fraud, multiaccounting fraud occurs when fraudsters make multiple accounts with one business. This is done in order to either take advantage of special offers or promotions for new users, or to gain unfair access to goods or services limited at a per-user level. This can damage businesses through lower revenue and, in the latter case, through a damaged brand reputation in the eyes of customers that missed out.

Mobile app fraud

With mobile shopping and business growing regularly, it's unsurprising that mobile app fraud is also increasing. In fact, all major fraud trends can be found on mobile devices, from account takeover fraud to identity fraud and multiaccounting. What's important for businesses, then, is to ensure that they invest in fraud detection and prevention techniques on their mobile offerings too, lest they become an exploitable vulnerability.

Friendly fraud

Friendly fraud refers to various complaints and actions taken by legitimate customers. Many of these are often due to misunderstanding, such as issuing chargebacks because the business name on their statements differs from the name of the store. However, it also covers a range of malicious activities, such as claiming products were not delivered and issuing a chargeback.

Identity fraud

Often the result of account takeovers, identity fraud occurs when criminals use stolen credentials to act as an unsuspecting customer or user. This often targets merchants that sell physical goods, as fraudsters aim to make a successful fraudulent transaction before the store detects it. Once achieved, both the customer and the merchant are at a loss.

Fake accounts

When real accounts can't be acquired, fraudsters can create fake accounts to try and gain access to systems. This is also sometimes known as synthetic identity fraud. While many fraud prevention methods can determine a fake account, basic systems often lack the ability to identify when the same fraudster or user makes a new account, as the information is often completely different.

Gift card fraud

Gift cards represent a choice target for many fraudsters. In addition to cracking the PIN or code of specific gift cards, criminals can also use phishing and other scams to acquire codes. These can often be used in money laundering, or sold on the dark web at a discount. Because the gift card itself represents a closed loop between the purchaser and user, gift cards often lack the wider security seen elsewhere, leading to the popularity of gift card fraud.

Challenges connected to fraud

When it comes to fraud detection and its prevention, there are a number of challenges that businesses need to face throughout the process. This includes the risk of being too restrictive with fraud prevention solutions or, on the other hand, the costs of detecting fraud too slowly.

False positives

A fraud prevention system that is too stringent risks blocking genuine customers. These false positives can also hurt your business, as you lose new sales opportunities and damage the overall experience of your brand.

Manual reviews

If your fraud detection techniques are manual, requiring human intervention at every step, this can greatly slow down your fraud detection. In addition to the significant cost of additional manpower, it's also simply impossible to provide fraud prevention when transaction data needs to be checked in real time across a range of criteria.

Chargebacks

When customers issue chargebacks, this is done via the card issuer. In addition to lost products or unhappy customers, this means that merchants may also have to deal with the penalties associated with each card issuer. In addition to chargeback fees, companies like Visa and Mastercard also have their own monitoring programs with additional fees and penalties based on your company's dispute ratio.

PSD2 SCA compliance

Implemented across Europe, including the UK, Strong Customer Authentication (SCA) is a requirement of the Revised Directive on Payment Services (PSD2). It requires banks, financial institutions and payment service providers to implement additional multifactor authentication into their services, in a bid to curb fraudulent activity. Specifically, it requires asking users for factors from two out of three categories:

  • Something the user knows: A password, PIN, secret answer or other piece of information.
  • Something the user has: A smartphone or smartwatch, token or other device.
  • Something the user is: A fingerprint, retina scan, voice pattern or other biologically unique signature.

While this will certainly help combat financial fraud, it also puts pressure on such institutions to meet this regulatory compliance. In turn, this may impact the customer experience, as merchants naturally rely on such payment services as part of their business.

3DS authentication

Three Domain Secure (3DS) protocols encourage merchants to improve fraud detection by connecting with the card issuer when users try to make a payment. The bank or issuer will then ask the shopper to confirm the payment, typically via an SMS code. Like any transaction monitoring or fraud detection solution that faces the user, these extra steps can often irritate some. However, the overall security benefits of 3DS authentication make it a worthwhile inclusion in most risk management strategies.

Fraud rates

Obviously, the goal of any fraud detection strategy is to lower the overall fraud rate of the business. The challenge here lies in balancing this goal against the other challenges, such as meeting the aforementioned regulatory compliance needs, keeping card issuers content and, as discussed below, not impacting the user experience. On top of this, companies need to invest in fraud detection that is scalable. The cost of preventing fraudulent transactions can't outweigh the typical sales gains.

Transaction declines

Declining a payment is a double-edged sword. On one hand, it can serve as valuable fraud prevention against card testing and fraudulent transactions from stolen cards. Yet, on the other, it's another fraud detection technique that risks blocking genuine customers as well. In this regard, companies need to invest in fraud prevention that detects strange behavior before the payment is made and the issuer's own credit card fraud detection kicks in.

User experience

Finally, as far as fraud detection challenges go, we have to weigh all of the above against the impact on user experience. A smooth and effortless shopping process is ideal for customers, but this often leaves plenty of opportunities for fraudsters.

For example, multifactor authentication can add extra layers of security and fraud prevention, but there is a limit to user patience. The more actions required by the user, the more likely it is to impact customer experience to the point that the customer is unwilling to even proceed.

Instead, companies should invest in fraud detection techniques that run in the background, without needing the user's input. This includes machine learning and behavioral analysis, as well as assigning risk scores for detecting fraud when it's more and more likely. Under this approach, the most UX-harming efforts are only applied when the risk of payment fraud is high.

Techniques used by fraudsters

  • Card testing: When criminals purchase stolen card details from the dark web in bulk, they need to determine which cards are still valid. Card testing practices, such as making small purchases in a merchant's store, are used to determine this. Due to scale, this is often automated and done with bots, while successful cards are then used in more advanced fraudulent activities.
  • Social engineering: Phishing, vishing, man-in-the-middle and more are all common forms of social engineering attacks. This is when fraudsters attempt to impersonate a business, encouraging users to hand over account details.
  • Remote desktop: With remote access tools (RAT), fraudsters gain access to a victim's computer. In this form of social engineering, fraudsters contact customers while claiming to represent financial institutions, banks or other legitimate businesses. They then encourage the customer to download and use remote access software, gaining access to the victim's details, including emails, accounts, passwords and other networks.
  • VPN: Virtual private networks help fraudsters by evading basic fraud detection techniques, spoofing their location and appearing to be in the same country or region as their victims. They often use less well-known networks, to counter growing VPN fraud detection capabilities.
  • Network anonymization: Along with VPNs, proxy servers and TOR software both serve to mask these details. Today's fraud detection needs to look past location data and other easily-concealed information, and instead invest in machine learning that can highlight the tiny details that are more difficult to replicate.
  • Bots: Automated bots help fraudsters target potential accounts en masse. This includes dictionary attacks and other brute force attacks to attempt to gain access. Bot attacks make it hard for businesses to accurately measure their website traffic, determine who is accessing their services or making purchases, and otherwise respond appropriately.
  • Device fingerprint spoofing: This method involves replicating a user's fingerprint to gain access to their device, as well as any other services that might use it. While a fingerprint is arguably more secure than a password, as it's not susceptible to brute force attacks, it is nonetheless a digital piece of data that can be stolen. This is why many modern multifactor practices, such as 3DS, rely on a combination of inputs.
  • Credential stuffing: Fraudsters look to see if people use the same email address, usernames and passwords on multiple websites or services, and credential stuffing is the automated process of doing so.
  • Account details manipulation: When fraudsters gain access to accounts that lack key access, they may attempt to manipulate the account to improve its status. This lets them gain access to additional areas and the data they contain, commit more fraud or even gain access to other accounts.
  • Web scraping: Fraudsters can scrape websites to grab as much personal information as possible, including names, email addresses, addresses and more. This can be gathered from various sites, most notably social media, and can then be used in credential stuffing and other techniques.

Fraud detection and prevention technologies

The best approach to fraud detection and prevention is to engage in automated solutions that look for the minor inconsistencies in the data of active sessions, detecting fraud before transactions occur. This is often done through advanced machine learning tools that look at a variety of factors, based on both training data and the data of your own customers.

Also known as fraud monitoring, this approach sees businesses invest in automated fraud detection and react as quickly as possible, rather than responding after fraudulent activity has occurred. Here, we will explore the key data points that such an active fraud prevention strategy should include.

  • Behavioral biometrics: Behavioral biometrics are a range of data based on how a user interacts with your service. Analyzing them can indicate the potential use of automated tools, or even a user different to the genuine customer. Machine learning can look at keystroke dynamics, mouse movements and finger gestures on touchscreens. This is all compared against existing customer data, so it's not an effective solution for brand new users.
  • Digital fingerprinting: If behavioral biometrics focuses on how the user behaves, then digital fingerprinting looks for consistencies in the hardware and software they use. Thanks to cookies and other data sources, these fraud prevention tools consider factors such as the type of browser, operating system or device used. There are a wide variety of digital fingerprinting data sources to consider and, the more they match, the more likely the active session is legitimate.
  • Machine learning and artificial intelligence: When it comes to real time fraud detection, machine learning can be essential. While initially making decisions based on training data, ML tools grow to understand your customers and the unique aspects of your business, getting better and better at fraud detection. They can act fast, respond appropriately and use the outcomes to feed their own machine learning model for constant improvement. Of course, if needed, they can also be configured to require human intervention during critical incidents.
  • Reputation scores: Also known as risk scores, reputation scores are assigned to customers based on their historical data and other statistical parameters. They help automated systems better stop fraud threats by identifying accounts with a higher probability of fraudulent activity.
  • Rules: By implementing rules-based systems, businesses can set up automatic responses, including human intervention, to specific actions. Triggers can include transactions over a certain volume, an account making a certain frequency of payments, or even users from known suspicious IP addresses or locations entering the system.
  • Network effect: In fraud detection, the network effect comes in the form of the data generated by users. Compare an isolated solution contained to your own business to a system that learns from a wider network or database of information. The latter can more greatly leverage the network of information to learn and improve, which also makes it a natural companion to machine learning techniques.
  • IP quality score: Also known as IP scores or IP reputations, this score reflects the qualities associated with the IP address being used in a given session. There are a range of tools, such as SenderScore, that track this information. Addresses known for spam email, or even previous cases of fraud, will have a significantly lower score, which can influence your own internal fraud monitoring or machine learning.
  • Reverse engineering and profiling: By investigating and replicating fraudulent activity, experts can better understand specific incidents and update their fraud prevention tools as a result. Rather than just responding to threats, this approach seeks to understand them, learn as much as possible and even build profiles of known actors or techniques that can inform your security system. This is also one of the most advanced forms of fraud detection, and not widely available on the market. Nethone provides a combination of sophisticated machine learning, darknet intelligence and risk alerts to make this possible.

Solutions on the market

Now that we've explained some of the key technologies behind fraud detection, let's look at some of the types of solutions offered. We'll also show how your business can make the best choice.

Automated fraud detection

In order to combat potential fraud at the highest level, you need to consider some form of automated fraud detection. This can be either through a rules-based decision engine, fully based on machine learning, or a combination of the two. Through risk alerts and appropriate responses, your business can respond to threats as they emerge, enabling fraud prevention through attention to detail.

What is a decision engine?

A decision engine, also known as a rules engine, is a piece of fraud detection software that determines whether a transaction is fraudulent based on whether it meets predetermined criteria, or rules. Typically, an action will trigger a set of parameters to alert the rules engine, which then looks further at the event and takes action based on which criteria have been met.
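The following sketch is an added example, not Nethone's code or product logic. It implements the three rule types named earlier (amount threshold, payment frequency, suspicious IP ranges) and turns the combined risk score into a response, so that friction is applied only when risk is high. All thresholds, weights, names and sample events are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Event:
    account: str
    amount: float  # in the merchant's currency
    ip: str
    ts: float      # seconds since an arbitrary epoch


@dataclass
class Decision:
    action: str    # "allow", "step_up" (extra authentication) or "review" (human)
    score: int
    reasons: list


class DecisionEngine:
    """Rules engine: each rule that fires adds its weight to a risk score."""

    def __init__(self, amount_limit=1000.0, max_payments=3, window_s=600,
                 bad_networks=("203.0.113.0/24",), step_up_at=40, review_at=70):
        # Every default here is an illustrative assumption, not a recommended value.
        self.amount_limit = amount_limit
        self.max_payments = max_payments
        self.window_s = window_s
        self.bad_networks = [ip_network(n) for n in bad_networks]
        self.step_up_at = step_up_at
        self.review_at = review_at
        self._history = defaultdict(deque)  # account -> recent payment timestamps

    def _recent_payments(self, ev):
        """Count payments by this account inside the sliding time window."""
        q = self._history[ev.account]
        while q and ev.ts - q[0] > self.window_s:
            q.popleft()
        q.append(ev.ts)
        return len(q)

    def evaluate(self, ev):
        score, reasons = 0, []
        if ev.amount > self.amount_limit:                      # volume rule
            score += 40
            reasons.append("amount_over_limit")
        if self._recent_payments(ev) > self.max_payments:      # frequency rule
            score += 40
            reasons.append("payment_frequency")
        addr = ip_address(ev.ip)
        if any(addr in net for net in self.bad_networks):      # IP rule
            score += 30
            reasons.append("suspicious_ip")
        if score >= self.review_at:
            action = "review"
        elif score >= self.step_up_at:
            action = "step_up"
        else:
            action = "allow"
        return Decision(action, score, reasons)


# Constructed sample events; the IPs come from documentation-only ranges.
SAMPLE_EVENTS = [
    Event("alice", 25.0, "198.51.100.7", 0),
    Event("alice", 1500.0, "198.51.100.7", 60),
    Event("bob", 2.0, "203.0.113.9", 100),
    Event("bob", 2.0, "203.0.113.9", 130),
    Event("bob", 2.0, "203.0.113.9", 160),
    Event("bob", 2.0, "203.0.113.9", 190),   # 4th small payment in 90 seconds
    Event("bob", 2.0, "203.0.113.9", 2000),  # window has expired by now
]


def run_sample():
    engine = DecisionEngine()
    return [(e.account, d.action, d.score)
            for e in SAMPLE_EVENTS for d in [engine.evaluate(e)]]


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

A single weak signal (the flagged IP range alone) stays below the step-up threshold, while the same signal combined with a burst of small payments is routed to human review.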

Rules vs machine learning

With typical rules engines, businesses gain an automated solution that requires little intervention, but this comes with the trade-off of not being able to adapt or learn. Machine learning techniques, often a mix of supervised and unsupervised learning, are able to adapt and get better. Because they focus on anomaly detection rather than simply following rules, they can also adapt to changing situations.

That's not to say that a rules engine is not useful, however. A flexible rules engine offers a finer degree of customization, able to better categorize potential threats and risks. This, especially when paired with machine learning systems, allows for thousands of specific scenarios, helping companies tailor exact responses to very specific needs, whilst still affording the adaptability required.

How to choose your fraud detection solution

The biggest decision you first need to make is whether you should buy or build your own fraud prevention system. This is a much wider topic, but to weigh up the most immediate pros and cons:

  • Building your own system offers you more control, but it also puts the burden of quality on you. This includes not only the expense of setting up and implementing such a solution, but also the need to research and keep it up to date against evolving fraud tactics.
  • Buying, on the other hand, is an immediate investment that gives you a solution ready to combat fraudulent activities. If it's built by a reliable and proven team in the fraud detection field, such as Nethone, then your business gains the benefit of this market experience right away.

Whichever approach you decide on, you also need to consider a solution that covers the entire customer journey, can respond quickly, and is able to improve itself over time. In a previous article, we also highlighted 10 questions to ask yourself when choosing an antifraud system, which can help narrow down your options.
