Julie Fergerson, CEO of the Merchant Risk Council, has hair-raising stories about fraud in the early days of e-commerce. She remembers how, back in the first decade of the century, a business opening up online was almost certain to see fraud during the first week - and, sometimes, even the first day. Business owners were initially pleased to receive the orders - and then horrified and utterly baffled by the unexpected influx of criminal activity.

At that time, few businesses were prepared for online fraud, and the costs could be catastrophic, building up appallingly fast before the merchant got on top of the problem. Things have changed, of course, and today the risks are far better understood. Fraud prevention is a necessary component of an online business. 

That doesn’t mean that fraud prevention in a high growth company is simple. In this blog post, we’ll look at some of the common problems faced by fraud fighters in fast-growing companies, explore why any vulnerability in the fraud department is a significant problem for the business as a whole, and look at the steps fraud fighters can take to ensure their department is not just an asset to their company, but is also seen that way internally. 

New Users, or Fraudsters?

If your company is growing fast, congratulations. You have lots of new users signing up every day, week, month. The rest of the business is delighted. Fraud fighters, though, face one of the toughest challenges of fraud prevention, at scale: How can you tell whether a new user is who they say they are? How do you know whether to trust them?

Of course the questions of identity and trust are central to all fraud prevention work, but it’s particularly pressing when it comes to new users, because, by definition, you don’t know much about them. Uri Arad, who was Head of Analytics and Research at PayPal's risk department for nearly a decade, recalls that over that time, despite huge progress on multiple fraud fighting fronts, the new user problem remained intractable. (Actually, that’s what led him to co-found Identiq.)

Why it Matters

Good new users are the source of the company’s growth and success. Fraudulent new users, at scale, can be disastrous financially, harm the company’s reputation, and give the company a false idea of what their true user base looks like, and how to target it. 

It’s not always clear to a business that more than financial impact is at stake. But imagine this scenario: A product line or marketing campaign that garners more interest from fraudsters than good customers could be extremely expensive, sure. But if the problem isn’t spotted early on, it could also send precisely the wrong message internally, suggesting that more such products or campaigns should be rolled out. The cost could be astronomical in terms of time, effort and money spent on this dangerously mistaken direction. 

What to Do

Keep doing all the things you’re doing already - behavioral analysis, regular analysis of your own data to pick out fraudulent patterns, and so on. But there are other things that can help with this issue that not every fraud team thinks about:

1. Close working relationships with other departments mean that fraud teams know to look out for the impact of new campaigns or products, and can feed that knowledge back to the relevant departments quickly. If necessary, the campaign can be refined until it hits the intended audience, with a tight feedback loop enabling efficient, effective agility. 
2. Fraud teams need to build rich customer personas, so that a new user can be analyzed according to whether they fit the persona they appear to be. If an elderly customer is acting like a mouse-whizzing teenager, there might be something fishy going on.
3. Collaboration with other companies is also valuable, both in your own industry and outside it. The customer might be new to you, but the chances are good they’ve been seen elsewhere on the internet… as long as they’re a real person. Using providerless technology, companies like Identiq can ensure collaboration that’s extremely impactful, while remaining anonymous so that no personal customer information is ever shared. 
   

The more you grow, the more you’ll need to deal with this problem. It can’t be put off until you have more time. You’ll never have more time. You need to prioritize it because it’s important, not because there’s nothing else more urgent going on. 

“We’re Always the Last to Know”

Company’s growing fast? Processes rarely speed up to match. Because fraud fighters’ work is primarily near the end of the funnel (account creation, login, checkout etc.) they’re not always kept up to date with news about new products, campaigns, target audiences, markets and so on. 

Why it Matters

I’m preaching to the choir, here, but fraud teams can’t protect their business if they don’t know what’s going on in the business. Fraudsters go after different products in different ways, and exploit vulnerabilities in campaigns wherever they can find them. Moreover the behavior of good customers varies depending on audience, location, product etc. 

Unless fraud prevention teams know what the company is expecting to see, they can’t tell if what they’re seeing is a suspicious anomaly, or positive validation that a new campaign is doing exactly what it was supposed to do. They could end up blocking many customers for the wrong reasons, mistaking a new user wave for a fraudulent attack spike, or end up letting fraudsters in because the fraudsters (mimicking what they know to be “normal”) look more legitimate than the new audience, who in contrast behave differently to what the site usually sees. 

What to Do

At the risk of making myself unpopular, a change of mindset might be in order. Yes, it’s tempting (and satisfying) to gripe about how fraud is always the last to know, and the rest of the organization has no clue what your team is doing to protect them each and every day. And you may be right about all of that. 

The thing is, to improve this situation, you need to take it into your own hands. Invest in educating other departments about the fraud facing the company, and the massive impact it could have on the bottom line. Explain to each department how their work impacts your work, and vice versa. Make them your partners in protecting the company from criminals. 

Then follow up. Develop relationships, and invest in those, too. Explain to the marketing team why you need to know about proposed campaigns, explain to product why you need to know about new product plans, explain to your strategists or upper management why you need to know about new markets you might be entering. Make yourself a part of the process. And remember to show everyone involved the great results that gets. 

The faster you grow, the larger you become, the more pressing this problem will be. On the other hand, if you really invest in these relationships, they’ll be there when you’re even bigger. When you have more departments. When the org chart changes out of all recognition. And everyone in that big, successful organization will know - the fraud team is central to our business. 

Promo Abuse

Promo abuse is a growing problem for all kinds of businesses - so much so that last year we had not one but two roundtables on the topic - but it’s especially likely to bite fraud teams at high growth companies. How do you become a high growth company in the first place? Among other things, you offer promotions to entice new customers to try out your site or service. 

We’ve written about promo abuse in more depth elsewhere on this blog, so we won’t recap everything here. What’s key to bear in mind, though, is that promo abuse is not a challenge when it comes to identifying the abusers. (Though identifying at what stage abuse becomes a problem is an analytical challenge, and worth investing in.)

Promo abusers are pretty amateurish, compared to professional fraudsters. Your team can identify them, no problem. But can you do anything about them? That depends on your organization’s attitude to abuse - something which can sometimes make fraud fighters want to scream. 

High growth companies often emphasize fast growth over everything else. They may not initially understand why letting promo abusers in to abuse the system is a problem. They’re new users, aren’t they? Or at least, they look like it?

What to Do

Again, this is an educational issue. Your mission, should you care to accept it, is to help other departments work out what they really want out of their promotions - and then help them get it. Do they really want all new users, any new users, at any price? Because the price tag can get very steep, very quickly. Help them see that. You’ve got numbers to show what you mean. Pull the data and help them understand the scale of the problem.

If what they really want is more active users, or more users who will still be customers in 3 or 6 months time, then promo abuse runs directly counter to that. It doesn’t matter how engaging they make their offering, the fake accounts set up just to exploit a promotion won’t be using it. They’re not real customers. 

You might think this kind of clarity should be obvious. You might think it’s not your responsibility. But if you aren’t willing to take on this educational role, you’re not going to get the license to deal with promo abuse, and the business will lose out. 

If you do take it on, you have an amazing opportunity to show the rest of the organization what a team player your team is, and how you have the real goals of the company at heart. You’ll also have significant impact on the business - you can help guide healthy growth, that will benefit the company in the long-term, as opposed to the empty calorie kind of growth. 

New technologies make it possible to collaborate with other companies to gain more clarity about which customers are trustworthy, and which are likely to be abusive. With more insight, you can be increasingly more precise about the advice you give other departments, and the decisions your team makes.

Remember those relationships we were talking about building? Done right, the promo abuse conversation is a great step as part of that journey. 

Inter-Departmental Collaboration

You may have noticed a certain theme linking these suggestions together. The fact is, being in a high growth company comes with challenges. It’s often enormously exciting, rewarding and fulfilling. But it can be hard, as you and your colleagues struggle to keep up with the changes that just keep on coming, from your customers, from the fraudsters, and from within the company itself. 

The fraud prevention team has huge responsibility, especially in fast-growing companies. Their work can literally be the difference between a business riding the wave and succeeding triumphantly, and sinking under the weight of chargebacks and lost consumer trust. 

Your fraud teams need to establish strong, positive inter-departmental relationships, so that those connections remain a consistent framework when everything else is changing around you. Those relationships will lead to, and maintain, effective processes to ensure you’re in the loop about plans, products and strategies - so that you can take them into account in your own plans. 

Never underestimate the power of educating the rest of your company about your work. Fighting fraud is fascinating, and people enjoy learning about it. They also appreciate coming to see that you’re all on the same side, and that by keeping you abreast of what’s going on in their department, and giving you a voice in the planning stage, they’re doing their part to protect the company as well. 

Fast growth is fun, but it comes with challenges. Rise above them by showing your company the work you do, and drawing them in to become part of it as well. Race, together, to the moon.

Want to dive into this topic with your peers? Disagree with everything written here and want to discuss? Attend our Scaling Fraud Teams Fast: Challenges with People and Processes roundtable, coming soon! Sign up here so make sure you don't miss it. I’d love to see you there. 

Shoshana Maraney is a veteran of the fraud fighting industry, with over 7 years experience under her belt. She is currently co-authoring a book for O’Reilly called Practical Fraud Prevention. She leads the Fraud & Identity Forums roundtable series, working with hundreds of fraud fighters to help them collaborate and share their ideas and experiences. She is a member of the Tel Aviv University CyberWeek FraudCon Conference, and has created numerous presentations for risk and payments conferences around the world. Her degree is from Cambridge University.