Fraud Prevention in Payments: Through the User Journey - Ofer Golan, Wix
Fighting Fraud on the Front Lines: Shawn Colpitts, Senior Fraud Investigator, Just Eat
As Senior Fraud Investigator, Global Fraud Operations at Just Eat Takeaway.com, Shawn Colpitts sees — and stops — every kind of fraud. The company’s international presence means that he has a fascinating global overview of the state of fraud, combined with a data-focused understanding that remains grounded in day-to-day fraud analytics.
Working in the food delivery industry, Shawn is also highly sensitive to the balance fraud fighters work to find between fast, frictionless service, and fraud prevention. We were lucky enough to get to talk to Shawn about how he has seen fraud attacks evolving over the last year, his approach to promo abuse, and why he thinks collaboration within the fraud prevention industry is so key to fraud fighting success.
How did you get into fraud prevention? What do you find so interesting about it?
I found a fraud ring! It was back in the early days when I was working at Skip the Dishes, before they were acquired by JustEat, and later, Takeaway.com. I could see, looking at our orders and the payments, that there was something strange going on. I couldn’t let it go. I kept digging. I followed the patterns, joined the dots, and uncovered not only a fraudster but a whole fraud ring, working really hard at defrauding the company.
I still remember that feeling of euphoria, when everything came together — I knew right then that uncovering fraudsters was what I wanted to do. Fortunately, it was what Skip wanted me to do too, and they created a fraud team to do it right. That’s evolved over the years, and now I’m the senior fraud investigator for the global fraud team at Just Eat Takeaway.com.
It’s continually fascinating, because we see a huge range of fraud — promo abuse, credit card fraud, ATO — you name it, we see it — from all over the world. And that fraud ring I uncovered way back in the beginning still tries to hit us from time to time. They’re so organized and determined that we see them working internationally, coming back whenever they have something new to try.
In a way, I think my whole career was working towards fraud prevention. I’d worked in an analytical role, and then spent some time working in security and loss prevention — so fraud prevention was a natural evolution, combining these two strands of my interests and experience.
What’s the sneakiest trick you ever saw a fraudster pull?
I think, after a while, you don’t see really new tricks so much. Fraudsters are always masking their identities — they have obfuscation for everything, name, IP, address, device, you name it. What impresses me, though, is when you see them using the whole lot together, really well — making a coherent, clean-looking identity, where every detail matches and makes sense. Those are clever. Those really do look like genuine new users — clean IP, device, matching languages and time, everything. To distinguish between a good new user and a really clever fraudster is hard. You need a different approach. Fortunately, the really clever ones are pretty rare.
How do you catch the clever ones?
I keep up to date with what’s going on in the industry — roundtables, forums, conferences, reports, new tools. That’s how I get really important context.
But if I had to put it in a nutshell, I’d say, it’s patterns. People like patterns. That’s why we see pictures in clouds. And fraudsters are people too, and they can’t stop themselves from using patterns, even subconsciously. If you’re open to that and have ways to track them, you can catch a lot just like that.
That moment when you get them is great. Eureka!
So collaboration is important to you, as part of doing your job well?
Absolutely. I’m a big believer in community and community knowledge. How else can you learn? You can’t know it all, no matter how well you understand every nuance of your own company and business and the fraud that hits it. You need to learn from others — to work as a team, throughout the industry. Even if you’re in competing companies, the fraud prevention teams aren’t competing. It’s the opposite; we’re all together, against the fraudsters.
Giving is as important to me as getting — I really enjoy sharing the insights and experiences I’ve earned as part of my own journey. I love to feel I’m helping others, and I know a lot of other fraud fighters feel the same way. It’s a community that wants to help its members.
It’s crucial, too, because often you won’t realize how serious a problem is until you start hearing it from other people. Like with ATO, for example — I talked to people who thought they didn’t have an ATO problem — until they heard about it from the community, and went back to sift through their data, and saw it was just hiding really well.
I’m always especially happy to help people see or solve their ATO issues, because that really protects the end-users as well as the businesses.
You mean ATO is particularly upsetting for consumers?
Right, it’s scary for them, it brings fraud much closer to home, more than a data breach. It means a malicious actor has accessed their personal information. That’s really scary, especially now that people are online so much.
So businesses which are proactive about this problem are helping the rest of society too, protecting consumers from becoming victims in this unsettling way. And it removes a potential source of real anxiety and stress for people — and let’s be honest, people really don’t need extra stress, especially at a time like this. They need to know your company is protecting them and their data.
Since you mention it — have you seen things change over the last year or so, given the situation?
Sure. Many forms of fraud attacks have increased, I’d say. ATO more than stolen cards and that kind of thing. But the standout for me is promo abuse. That’s skyrocketed.
It’s sad, but it’s kind of natural, when you think about it. More people are using e-commerce, because they can’t go out as much, and more places are closed. At the same time, unfortunately, more people are struggling financially. So they’re looking for creative ways to make their money stretch further — if possible, without giving up too much of the lifestyle they had before.
Promotions are an obvious way for people to take advantage of a business. It doesn’t even feel like theft to them, it feels like cheating a bit. Only, if your business doesn’t have mechanisms in place to stop it, it can snowball and you’ll start bleeding money.
They’re pretty ingenious, too. They’ve got the time, and the incentive. If you can think of it, they’re doing it — maybe not on your platform, but somewhere, and it’s like that with all fraud types. That’s where industry collaboration comes in again, of course.
Case in point: I only knew from following the industry so closely and being a part of the community that refund abuse was growing and set to be a huge problem during the 2020 holiday season. Because I knew that, we were better prepared, and we were more vigilant at identifying it when it was tried, but I know other companies weren’t prepared, and so they weren’t as lucky.
Stopping promo abuse sounds like a priority, then. How do you catch it?
I wouldn’t necessarily say that it’s a priority, as it does not lose the company nearly as much money nor face as other frauds, but it is definitely a very large and growing problem across the industry.
The advantage you have here is that promo abuse is mostly carried out by amateurs, so if you’re willing to invest the time in some good analysis work, and work with other departments to decide what your approach as a company ought to be, you can shut down the huge majority of promo abuse with some fairly simple rules and blocks.
The first step is analysis: Find out how big the problem is. Make sure you’re looking at the full range of promotions your business offers — different products, geographies, that sort of thing — because you might find some interesting variations there.
Then, you narrow it down, to work out at what point a bit of cheating becomes a chronic problem. You might see that lots of people cheat twice, or three times, but that’s it, and that’s data you’ll take back to your discussion with other departments — probably that’s an acceptable cost of doing business. But maybe people who get away with it five times never stop — so you need to make sure people don’t get to that stage, because the loss can really build up.
It’ll be different for every company, and it might vary by market and product and type of offer, but you need this information in order to be able to formulate the problem clearly, and work out not just a solution but what problem you’re supposed to be solving in the first place. You have to find those thresholds — the places where it’s no longer acceptable loss. And that’s when you start your conversations with Marketing and Product and Finance or whoever it is you need in your company.
So fighting promo abuse is an inter-departmental effort?
It has to be. The fraud team isn’t running the promotion, and doesn’t set the goals for the promotion. So we can’t make all the decisions about it. I mean, from my perspective, I’d always close down every sign of abuse! To me, there is no acceptable loss to fraud. I hate seeing the company lose money to cheaters. It’s my job. But realistically, promotions bring in new business, and re-engage customers, and show loyal customers you value them — they’re important to the company and your relationship with your customers. And so some level of abuse has to be expected and accepted.
My role, as I see it, is to make sure that the relevant departments, which in our case is usually Marketing and Finance, are aware of the abuse side of things, and its cost. Then they can make informed decisions, with their eyes open.
That’s why having the analytics side sorted beforehand is so important — I’ve found that if you can show them concrete figures, for example, that someone who carries out abuse successfully five times becomes a serial abuser, then they’ll want to make sure people can’t do that. They’ll see the reality and the numbers behind it.
What advice would you give about discussing this sensitive issue to other departments?
The first thing is, as I said, make sure you have your numbers sorted. But don’t just bring reams of code showing how you got there. The first question they’ll ask is “How do you know?” You want clear spreadsheets and visualizations, so that they can engage with and understand the analysis. That’s the only way they’ll internalize it.
There are tools you can use to help you with that, it’s not something you need to do by yourself. Your company might even have a license for something like that already; you can ask your Finance or Data Science colleagues if there’s something that might fit your needs. Your fraud platform might have an integration for it.
The other thing is, I’d say, don’t come to the discussion with a fixed agenda. It’s a conversation, where you all work together to find the best balance between engaging customers through promotions and protecting the business from financial loss. You’re all on the same team, in the end. You all want what’s best for the business.
And for fraud professionals themselves, I’d say, don’t get frustrated, if they don’t understand at first, or you don’t get to limit loss as much as you’d hoped. It’s a long-term educational process.
Be happy about the gains you do make — and with promo abuse, it’s often substantial, because policies are things the business gets to set. The company is in charge. So a small change can have a big impact.
How have the changes in fraudulent activity over the last year affected your role?
Well, I’m busier than ever, which is good in many ways. And the truth is, we’re seeing a lot of interest in fraud and abuse growing elsewhere in the company, where once it might have been a siloed concern — far more people are aware of it. That’s especially true with promo and refund abuses, because other teams are becoming aware of how much they can affect their campaigns and KPIs.
So we’re seeing more interest and energy be given to these issues, which is very positive for us, and even more resources going towards finding the right balance between customer experience and loss prevention — and that applies equally to fraud and abuse.
On the other hand, I’m very aware that the reason we’re getting all this attention is that fraud and abuse have grown tremendously, tied to the current situation, and the struggle that so many are going through financially and in other ways. So that’s always a part of the picture for me.
But I try to stay focused on the positive aspects of my job, and what it does for my company and for our customers — I think that’s important for every fraud prevention professional, to help their team stay positive about their work, even in times like these. You can do that with attitude, and with a focus on the good stuff, and even by encouraging them to try out new things at work and explore new techniques.
There’s always more to explore in fraud prevention! Have you ever tried a new tactic to see if it would work, and been surprised by the results?
Yes, I have, and from both the positive and the negative sides.
Sometimes, it can be disappointing — you can think you’ve got it figured out, but it turns out that the data set you were using wasn’t broad enough. Or it can be surprising — you do find a real and useful pattern which helps you stop fraud, but then later on, you discover that that trend is becoming a genuine behavior, adopted by legitimate customers, or that it is being abandoned completely. Fraudsters evolve very rapidly. As fraud fighters, we must evolve beyond that pace to stay ahead of them. That’s why you always have to keep testing. Don’t make do with assumptions — analyze, and then, later on, do it again, to see if those findings still hold true.
Sometimes, it’s an amazing feeling, like when you pinpoint the credit card velocity threshold which indicates fraud — that’s great, you can do so much with it, get such great results. Times like those take a lot of work to achieve, but it’s worth it. We have an ongoing project started about a year ago which has almost removed ATO from our Canadian site altogether. It is a real enterprise, with a lot of levels and analysis and different people contributing, but the impact has just been astonishing, in the best possible way.
I know fraud fighters can get a bit jaded, with the constant need to balance business needs and loss prevention, and negotiate within the organization, and so on, so I think it’s important for fraud fighters in any role not to get too far from the data — you’ll have a firmer grasp of what’s really going on, and you’ll never run out of discoveries, which is the best part. It’s invigorating.
If you were asked to give one piece of advice to someone very experienced in fraud prevention, what would you tell them?
Try everything! Don’t get so focused on managerial work or daily duties that you don’t see the data. Explore your data really thoroughly, and listen to what it’s telling you. Talk to other departments and industry peers, try to work out what they’re doing that could be impacting your results. Look at new tools and technologies. Test your ideas. Try everything.
Also, make sure the rest of the organization sees the benefit you’re bringing. They might not appreciate it fully at the start, it’s an educational process, but if you keep at it, and use their language, they’ll come to be not only impressed but real partners for you. And that’s crucial, especially when you start thinking about evolving challenges that you may face, both internally and externally. Your biggest challenges might just come from within your company. Businesses want things optimal for their customer’s experiences. However, the less friction there is for customers, the more traction there is for fraud. Finding the balance there that works best for combating fraud and keeping customers happy is the hardest part of preventing fraud in this industry.
What’s a Rich Text element?
The rich text element allows you to create and format headings, paragraphs, blockquotes, images, and video all in one place instead of having to add and format them individually. Just double-click and easily create content.
Static and dynamic content editing
A rich text element can be used with static or dynamic content. For static content, just drop it into any page and begin editing. For dynamic content, add a rich text field to any collection and then connect a rich text element to that field in the settings panel. Voila!
How to customize formatting for each rich text
Headings, paragraphs, blockquotes, figures, images, and figure captions can all be styled after a class is added to the rich text element using the "When inside of" nested selector system.
Identiq is SOC2 Type II Certified - and Constantly Committed to More Than Compliance
Fraudology Podcast: Karisse Hendrick Discusses the Holy Grail of Fraud Prevention