This is the inaugural post of our Expert Spotlight on Fraud series, dedicated to featuring experts in the online risk management and fraud detection sphere. As a group, they encounter diverse challenges and mount their offenses in different and innovative ways, and in this series, they offer their learnings for others starting out in the industry and for those running risk teams.
On how he became involved in the fraud and risk management field.
At the time I joined Backcountry in 2006, the company was experiencing dramatic growth, and there were a number of new positions and new teams being created. I interviewed with a few and what intrigued me the most was the interview I had with the woman who was managing the fraud review team at the time. She was looking for someone to take some initiative on reviewing transactions, since what they had for fraud review at the time was fairly new and rudimentary, and I ended up as a review agent. By 2007, I was supervising the team.
Risk management was still very new with the company. It was a situation where internally, we knew we had an issue, we knew it had to be addressed, but nobody really knew how to address it or, for that matter, really expressed a lot of interest in pursuing it. I took the initiative and learned more the first three years at Backcountry than I would have elsewhere in 10 years.
On what tools their team uses to fight fraud.
We have a rules-based engine automatically filtering transactions initially. We have access to a large amount of data, and as I’m pretty good at manipulating and identifying high risk combinations, the feedback loop into the system—to create rules that will help sort transactions—is quite tight.
On top of that, we have a few peripheral tools for manual review, like Whitepages Pro for address lookups, and Emailage for additional email name analytics, as well as any social media/internet footprint tools.
Our approach on the tool side of things has been focused on tools that don’t require much, if any, technical innovation on our end. Anything that can either add to or upgrade to our existing capabilities through our rules engine, or on the manual side, anything we can access via web portal that we don’t have to create an API for on our end is something we’re interested in. Given limited resources, you can have good success there.
On the importance of customer insult rates over chargeback rates.
Soon after I starting working on the risk team, I noted that while chargeback rates were gradually decreasing, the cancel rate was still fairly high. Reducing chargebacks remained a key focus, but more than anything, we wanted to increase acceptance rates on legitimate transactions. While chargeback rates are measured in basis points, cancel rates are typically measured in full percentage points. Because of this, the slight shift in focus can pay off in a big way especially as it relates to long term customer retention.
On a fraud scheme that stands out in memory.
We’ve seen a fair amount of reshipper fraud lately. Effectively, some individual with fraudulently acquired credit card credentials (often international) will contact someone in the U.S. looking for help setting up set up an international shipping business. They just want individuals to help with any of the following: placing orders for packages, receiving those packages and then forwarding those packages on, etc.
We had an individual in Jacksonville, Florida that was a pretty sad case. An elderly gentleman, who was in contact with who he believed to be a model from the UK that he’d met on a dating site, had him forward packages on her behalf. He was also sending her tens of thousands of dollars to travel to purported photo shoots. We became involved when, to repay him for all this money, she sent him a credit card number to buy watches for him and his two sons. He attempted to buy those watches from Backcountry; of course, we flagged the transaction and contacted the individual to confirm the transaction details, and he explained all of this to us. It was clear that he was madly in love and the model turned out to be an individual in Nigeria. We had to break the news to him that it wasn’t a model.
It was a particularly sad situation, which is why it sticks out.
On his personal philosophy on fraud and risk management.
Fraud, especially card-not-present fraud, is a bit of an arms race.
When I first started, there was a lot of low hanging fruit—fraud that we considered very easy to identify. While we didn’t have the tools, the skills, or the process in place, it didn’t take long to adapt to what we were seeing and eliminate a lot of the obvious fraud.
As time went on, we were continually having to update processes and technology in step with the fraud attacks we were experiencing. The goal became implementation of proactive prevention measures rather than reacting to new types of attacks. It can be very difficult to be fully proactive but closing the gap, even a little, can help in a big way.
Essentially though, what happens is that you’re basically teaching the fraudsters how to become better fraudsters. If you have product that they want, they will try to find a way to get it. Then, the arms race begins—you develop your arms by putting tools in place that force them away, and they often come back with a bigger, better, faster, smarter approach. The strategies that have been taken on both sides to prevent and perpetrate fraud have dramatically changed and become more sophisticated in the nine plus years that I have been here.
Ultimately, perpetrating fraud online is much easier than in person. By creating an online store, we’ve essentially created another platform through which individuals can perpetrate credit card fraud. And, as we develop new platforms and new methods of shopping (whether it be mobile, social media, or marketplace), there will be more opportunities to perpetrate fraud. When those platforms and shopping methods change again, we will continue to see more types of fraud than ever before.
I absolutely believe that as we adapt and become more sophisticated, the fraudsters do too, and in the internet age, it’s a fact of life and a cost of doing business.
On advice to fraud review and risk analysts just starting out…
1. Focus on the legitimate customers. The vast majority of the order volume is legitimate transactions. Approaching transactions with the mindset that they are innocent until proven guilty can really improve the customer experience. If you can swing the needle one way or another in regard to insult rates, it has a much greater impact on the bottom line, and can really win you some friends within the organization.
2. Making friends with other groups in the organization, whether it be marketing, merchandising, or planning, can really pay off, especially as the company grows. In the early days, we would go live with a marketing program or some sort of merchandising program that would either boost our fraud or boost the amount of legitimate volume on historically lower risk combinations of data. If we know about these programs in advance, then you can proactively adjust the automated screening process to make sure volumes can be appropriately managed.
The other important side effect of making friends outside of your group is that you can boost the PR of your team. You should make sure that fraud is not seen as revenue prevention, but revenue retention.
…and risk analysts starting to build their teams.
My piece of advice, as it pertains to team management, is try to keep your team constantly motivated and constantly excited. Reviewing transactions all day, every day, can be a little bit monotonous. Try to find peripheral tasks that help get people involved in data analytics which help drive decisions around automated review rules. If your team has a hand in looking at data and making suggestions as to what automated rules should be in place and which should be modified, they’ll own the process and it keeps things more exciting.
Latest posts
