Building an internal system sounds daunting, I know. The specific details of building an internal system heavily depend on your company and the expertise you have at hand. In addition, the specific type of fraud should direct the approach. For this series, we focus on payment fraud in e-commerce.
A complex fraud prevention system is often the best practice.
A complex fraud prevention system combines automated tools with manual review. Automated tools and services assess how risky a user is and then act on a set of rules. These rules should be derived from your chargeback data analysis. The rules dictate whether to process the order, reject it, or hold it for further verification. Further verification generally means a human reviewing the case and deciding whether it should be rejected; it can include additional steps like email or phone calls to verify the order and/or the use of services to verify the user's identity.
The following is a brief example of what a complex fraud prevention system looks like.
Step 1: An automated system scans new orders to see if they are suspicious
- Internal rules dictate what is suspicious
- Internal rules are created by chargeback/data analysts who review chargebacks to isolate identifiable trends across them. These trends, or order characteristics, indicate that a user is more likely to file a chargeback. They become rules that flag an order as suspicious.
- Example case: A user places several orders, all <$20. The internal system reviews the order metadata as part of that transaction and matches its characteristics against Yes/No rules.
  - User account created within the last 30 minutes (yes), billing address >500 miles from IP (yes), IP address in China (yes), AOL email address (yes).
- Because these rules return a YES, the order is considered suspicious.
Step 2: An automated system has a response action against orders that qualify as suspicious
- Automatically reject orders that have characteristic X
  - Example: If a new user account is connected (via device ID, etc.) to an account previously banned for fraudulent chargebacks, reject immediately.
- Place orders in a manual review queue if they have any of the suspicious characteristics X, Y, Z
  - Example: If a new user account has no previous activity, the order is high value, and the shipping address is a reshipment warehouse, hold the order for manual review.
- Automatically process orders that hit neither of the above
Step 3: Orders that go to manual review queue are manually reviewed by a team
- manual review agent says: yup, that’s fraud > reject
- manual review agent says: looks like a good user > process
- manual review agent says: hmm this is weird, I don’t know > extra identity verification required
- One thing you can do is phone these 'grey area' users and/or use services like Whitepages Pro to further validate that the user is who they say they are.
Step 4: Chargeback team periodically reviews false positives from new chargebacks.
- This review produces the new internal rules that flag suspicious orders.
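As an added example (not code from the original post), here is the Step 1 and Step 2 logic in Python: the Yes/No rules, the hard rejects and the review holds live in plain dicts, so the chargeback analysts in Step 4 add a new rule by adding an entry rather than touching the decision code. The `Order` fields, the country and email-domain watchlists, the $500 "high value" cutoff and the sample orders are constructed assumptions; the 30-minute and 500-mile thresholds come from the post.

```python
from dataclasses import dataclass
@dataclass
class Order:  # constructed order record: the metadata the post's rules inspect
    order_id: str
    amount_usd: float
    account_age_minutes: int
    prior_orders: int
    billing_to_ip_miles: float
    ip_country: str
    email_domain: str
    ships_to_reshipper: bool
    device_linked_to_banned: bool

REJECT, REVIEW, PROCESS = "reject", "manual_review", "process"

# Step 1: Yes/No rules over order metadata, named after the post's examples
# (the country/domain watchlists and the $500 cutoff below are demo assumptions).
SUSPICIOUS_RULES = {
    "account_under_30_min": lambda o: o.account_age_minutes <= 30,
    "billing_over_500mi_from_ip": lambda o: o.billing_to_ip_miles > 500,
    "ip_in_watchlist_country": lambda o: o.ip_country in {"CN"},
    "watchlist_email_domain": lambda o: o.email_domain.lower() in {"aol.com"},
}
# Step 2: characteristics that reject outright, and ones that always hold for a human.
REJECT_RULES = {"device_linked_to_banned_account": lambda o: o.device_linked_to_banned}
REVIEW_RULES = {"new_user_high_value_reshipper": lambda o: (
    o.prior_orders == 0 and o.amount_usd >= 500 and o.ships_to_reshipper)}

def fired(rules, order):
    """Names of the rules that answer Yes for this order."""
    return [name for name, check in rules.items() if check(order)]

def triage(order):
    """Step 2 decision (reject beats review beats process) plus the rules that
    fired, so the manual review queue shows the agent why the order was held."""
    hard = fired(REJECT_RULES, order)
    if hard:
        return REJECT, hard
    holds = fired(REVIEW_RULES, order)
    suspicious = fired(SUSPICIOUS_RULES, order)
    if holds or suspicious:
        return REVIEW, holds + suspicious
    return PROCESS, []

# Constructed samples: the post's Step 1 case, a banned-device case, a clean repeat buyer.
SAMPLE_ORDERS = [
    Order("o1", 18.50, 12, 0, 1200.0, "CN", "aol.com", False, False),
    Order("o2", 40.00, 90000, 25, 3.0, "US", "gmail.com", False, True),
    Order("o3", 25.00, 90000, 8, 10.0, "US", "example.com", False, False),
]
```

Running `triage` over `SAMPLE_ORDERS` sends o1 to the review queue with all four Step 1 rules listed, rejects o2 on the banned-device link, and processes o3 untouched.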
This basically explains what an internal system does, but the details depend on your company. Use this to understand the different pieces you need to start thinking about. Remember, your system does not need to be built 100% internally. You can integrate various services at any of these steps, or outsource the entire process to companies like Riskified.
If you would like to use this flow, but not build out the tech platform internally, there are some great products out there. Sift Science allows you to manage your high-level rules, process, and manual order review, while they provide the platform. I’ve seen both entirely internal systems, as well as systems that integrate with Sift Science for a blended process. The ‘Best Practice’ really depends on where your team is at, what type of bandwidth you have, and what type of expertise you have available. For further reading on how to actually build a manual review queue, check out my article ‘Building a Fraud Prevention Manual Review Queue.’