Fraudsters adapt. So should your fraud prevention strategy.
Outlining a framework for the economic downturn and beyond with Yigit Yildirim from Socure
We asked Yigit Yildirim, Socure’s Vice President and Head of Fraud & Risk, to offer his perspective on the modern identity fraud stack, paths to optimize fraud efficacy, and consider how forward-thinking fraud teams should prepare for changing economic conditions.
With economic uncertainty looming, companies are seeing fraud attempts escalate at elevated levels. Financial institutions (FIs) that take a proactive approach to risk with a comprehensive approach to identifying customers – legitimate customers – will be armed with the tools to transform fraud from an inevitable threat to a competitive advantage.
Is fraud inevitable?
We should start with the understanding that every organization has a fraud problem. Even if you think you don’t have a fraud problem, it’s likely that it either hasn’t yet reared its ugly head, or it’s just invisible to you. Why does that matter? Regulators can come calling, and financial loss can start to pile up, hurting the bottom line and introducing additional reputational risk with customers potentially going elsewhere.
When it comes to attack vectors, it’s fair to assume every system is being tested for its exploitability - that’s just a reality of any digital environment. The challenge for organizations is to be prepared for all types of fraud, at all times. That’s a tall order, but it’s totally doable with the right solution.
Let’s consider the scope of available solutions to address fraud that Alloy mentioned in a recent blog post— document verification; phone, email, address verification; behavioral analytics, multi-factor authentication, risk scores, and alert lists. That might seem like a lot of components, but they all serve as critical pieces of identity verification, but they are most effective when they operate as part of a comprehensive fraud and risk ecosystem.
Let’s look at some of these tools and the value they bring to preventing fraud:
- Behavioral analytics: When behavioral analytics are applied alone, the value is limited. Behavioral data can’t account for changes in human patterns. Yet, native behavioral signals ingested into your models provide a powerful benefit in detecting anomalies and establishing a trusted network.
- Device intelligence: Device intelligence provides an additional core element with implicit risk signals, encompassing things like device ID, IP to geolocation, and whether a VPN is being employed to hide detection, which when combined with every other dimension of an identity–name, SSN, email, address, phone number, and network velocity–-and natively ingested into machine learning (ML) models materially improves fraud detection accuracy. This critical piece feeds what can become a network of trusted identities–the “Holy Grail,” if you will–and part of the basis for the future of digital IDs.
- ID document verification: Document-centric identity verification alone has shortcomings. It can create friction for customers and force expensive, manual processes on organizations. But if you aren’t able to passively verify an individual, or if you don’t have a ton of data for thin-file or hard-to-identify populations, ID document verification is an ideal step-up authentication method.
- Velocity: Looking at velocity signals across an expansive network of customers and industries is an especially important aspect of identity verification in new account opening, particularly with third-party and synthetic identity fraud use cases. In instances of stolen credentials and PII, there is an incentive for fraudsters to monetize that information as quickly as possible, across service offerings. Velocity intelligence enables you to identify when multiple applications, using the same personal information, are simultaneously being used by someone to register accounts at ten different banks, five different crypto companies, and a handful of gaming applications. That velocity data will only be usable, however, when it’s persistently processed, analyzed, and correlated against every facet of an identity. A robust consortium network that uses known fraud outcomes is required for this type of data to be effective.
- Risk scores: You cannot have an effective fraud solution without risk scores. They take into account a lot more variables and patterns than a human eye would ever be able to catch. Manual reviews can never keep pace with automated risk scoring, which uses ML-based decisioning to deliver information about fraud potential faster, and with far greater accuracy than anything else. But here again, risk scores cannot be treated as independent solutions. They have to be part of a holistic solution that orchestrates new data to constantly improve the accuracy of those risk scores. Every new piece of data, when analyzed against other data, delivers a more accurate risk score.
- Denial lists: Organizations like denial lists (such as anti-money laundering and adverse media lists) because they provide a comprehensive directory of people they need to avoid, either because of compliance regulations or because they simply don’t want shady characters in their system. It’s important to operate with these lists to prevent fraud, but they must be dynamically updated and correlated against risk scores and other profile data points.
Each of these tools can strengthen your ability to prevent fraud, but the only truly effective solution is one that combines them seamlessly and persistently as it orchestrates and analyzes the data they each provide.
Fraud patterns change on a persistent basis, regulations are always being updated, economic factors shift, and organizations modify their business models. A fraud approach has to be capable of addressing all that change by being holistic in its approach, agile in its structure, seamless and comprehensive, and always inclusive of the necessary technology to adapt to a changing landscape.
What are the benefits of having a flexible and holistic stack for fraud decisioning?
The most important factor in fraud is change – fraud methods change, ecosystems introduce new tools, vulnerabilities mutate, new regulations get adopted. All of this is happening, and the organization needs to react to it. As fraud becomes more rampant, a strategy that just applies more disparate tools to deal with attack vectors as they become an issue isn’t going to give you the accuracy or coverage you need.
However, if you use an ML-driven solution that applies all of these elements through a broad approach, your system can adapt and react on its own, giving you much greater control over your fraud. A seamless and dynamically-applied fraud stack is the best defense.
Think of it this way – the less you have to react, the less you’re going to have gaps in your fraud coverage. As more fraud attack vectors emerge, organizations will seek out new solutions to put in place, but that takes time and implementation, and it also takes the attention of your fraud team away from existing issues they need to address. No organization can afford to have a lag in their fraud prevention strategy. By already having these tools in your toolkit, you’re starting a step ahead.
What are the essential components of a flexible, adaptable fraud solution?
Start by eliminating rules. A rules-based system, by definition, won’t adapt, and at a time like the current global economic situation, when we’re expecting much more fraud, rules-based solutions will be looking for fraud attack types that quickly become irrelevant in favor of newer, more sophisticated ones.
Your optimal solution has access to good data that is continuously updated and persistently orchestrated through ML and artificial intelligence (AI.) That gives you the benefit of models that are always getting smarter because they’re orchestrating all this data about individuals in a graph-centric way, their risk scores, actual fraud decisions, and other identity elements that give fraud teams an accurate idea of who they’re doing business with.