ECOMMPAY’s Counter Fraud Team Lead Daniel Sevskis spoke to PaySpace Magazine about risk assessment, fraud prevention, finding the optimal balance between security and conversion, and protecting people’s rights and wallets.
This is the second interview in a series.
How do you prevent fraud and assess risks when you start working with a new client?
We read tea leaves! No, of course not – when we connect with a new partner, we assess the fraud risks according to our onboarding policy, which takes into account the potentially dangerous aspects of various industries. We put the merchant through our online screening process, checking whether they have the necessary documentation, which policies are displayed on their website, who the beneficiaries are, etc. In terms of onboarding and anti-fraud, we’re doing quite well. We wouldn’t integrate anyone we’d be ashamed to talk about!
Monitoring is a bit different. It’s more creative, because more things are in flux. Fraudsters are using new approaches, but technology is likewise endowed with new capabilities, tracking things it couldn’t before through new methods, such as fingerprinting.
You can’t just rely on intuition in this. All incoming payments are analysed by our proprietary antifraud system. It holds each transaction to an agreed standard, isolating the most suspicious activity and routing it through a machine learning module. These transactions are then reviewed by real human beings (members of our anti-fraud team), who make their expert recommendations.
The data collected is then passed over to the merchant. The merchant conducts their own research, communicates with the customers in question, reviews the user activity, and, finally, comes to a decision. We apply the information provided by the payment systems – whether the transaction turned out to be fraudulent or not – to increase our effectiveness and improve our systems.
What technologies do you use to conduct anti-fraud monitoring? You mentioned machine learning, what about passive biometrics?
The thing is, we’re not a merchant or an app. We can’t authorise users in that way. All we know is what the merchant knows. We know if an authorisation check was conducted by the bank and whether it was successful or unsuccessful. That means we can only work with transactional activity. There are methods of tracking certain behavioural signs of fraudulent activity, but we don’t track ordinary biometrics – passive or not. We’re aware of how this can and should be done, but, so far, the level of fraud we’re dealing with (and its percentage in relation to turnover) doesn’t necessitate such complex methods.
It's also worth bearing in mind that if the payment page is weighed down with excessive security metrics, it will work more slowly, which can affect the speed of payments. A millisecond of delay in China, for instance, increases the chances that the payment will vanish into the ether. That’s why it’s essential to keep everything to a minimum at checkout.
Balancing Defence and Convenience
How effective are modern technologies (blockchain, biometrics) when it comes to anti-fraud?
They can be helpful, but it’s important to remember that it’s not about technology, it’s about people, even when it comes to fighting fraud. You might have the most advanced technology in the world, but if you don’t know when to press ‘Go’ or which settings to configure, it won’t work. The truth is that many places just aren’t ready yet. Blockchain was a real breakthrough 5 years ago – everyone went crazy – but right now the world isn’t running on blockchain. We’re now in 2020 and the number of projects supporting this new technology hasn’t grown considerably. The same can be said of machine learning. It’s just that we as humans are not quite ready to deal with it all the time. The barrier to entry for these technologies is too high right now, and for most places they aren’t yet necessary.
Is it possible to strike the right balance between security and conversion?
Certainly. There are two things to consider here. First of all, it’s not a one-and-done thing, it’s a continuous process. It needs to be supported constantly, and opportunities for improvement need to be sought out all the time. If you don’t make it better today, you’ll make it worse tomorrow.
Second, with anti-fraud tech, it all depends on your appetite for risk. Everyone understands that conversion sometimes has to be sacrificed in favour of security, or security in favour of conversion. For one business, that balance will be 80/20, for another it will be 70/30, and both of them are – in their own way – right. I believe that there is no perfect formula. Each business requires its own solution. If you’re engaged in a high-risk business, you should be ready for the fact that you’re going to experience a lot of fraud, and to counter it you’re going to have to cut back conversion. Or embrace the fact that your business is only going to last a year. Sure, you might earn enough to start a second business, but it’s still inevitable that it will one day cease to exist. You can’t build an empire like that.
An alternative solution: if you’re focused on long-term work and you have safe customers, you can work without all the anti-fraud tech weighing you down, at least until the indicators begin to flash and you need to take action. I don’t think good business and risk-taking are mutually exclusive. We all work for the same goal, aimed at the well-being of the company. The fact that people have different understandings of what that means is down to a failure of communication, more than anything.
A Little Fraud-fighting Advice
Is there any universally-applicable business advice on defending yourself from fraudsters and scammers? What part of the budget should companies allocate for this kind of protection?
It all depends on resources. Not just financial resources, but the expertise you have available as well. A lot of large companies are developing antifraud systems. Still, many of them, including several large companies, cooperate with payment providers. By doing so, they receive not just acquiring and processing of alternative payment methods, but anti-fraud tech too.
When a company runs its own anti-fraud, it’s definitely a plus. But it’s worth noting that the market already has payment providers ready to adapt their risk management systems to meet the needs of individual businesses. This antifraud system may well be more reliable and progressive than the one that an online merchant develops themselves. Why? Because developing antifraud technology is one of the fintech market’s specialties.
What is your main anti-fraud advice to consumers?
I have three recommendations when it comes to anti-fraud techniques. First, remain vigilant and don’t panic. Social engineering tricks in particular work if the user reacts hastily. “If you don’t reply in the next 5 minutes, your account will be deleted!” Panicked, you respond, thereby accepting the rules of the game the scammer has laid out. Or you could get, “Send the code you’re about to receive on your phone” and the fact that the text says “Payment for such and such” doesn’t register, you just know that you’ve received a code and have 2 minutes to send it. Don’t panic!
My second recommendation is to use virtual prepaid cards. For example, I use Revolut, and when I’m not intending to make a payment (including on the physical card), I block it. The vast majority of the time, my card is blocked. The virtual card I use to pay online, I delete after using and create a new one. It’s not high-tech, it’s all done within one app. Any user can do the same if they want. Nothing more is required of them. If there are unsuccessful attempts by fraudsters to access funds on my blocked card – I will see them and realise that somewhere my data has been hijacked. That’s never happened, of course, it’s just a precaution.
The third recommendation is: don’t forget your rights. If you are really deceived, if something’s really been stolen – contact your issuing bank. Explain the situation as quickly as you can, and if the card was used without 3DS, you’re entitled to compensation for the chargeback. If the scammers know your numbers, you can ask the bank where they keep the data on your customer agreement and whether or not they have experienced a leak. Don’t rush to write off the money and immediately consider yourself guilty. If you get scammed, you don’t have to pay for it.