Email risk is a low-cost but powerful risk signal you can use in your onboarding process to help prevent fraud. In fact, when I was a junior fraud operations manager, I got to see first-hand what a huge difference this risk check can make.
I was tasked with mitigating onboarding fraud for the company’s deposit accounts. My team was expected to review approximately 33% of the daily volume and decide if accounts should remain in good standing or be closed. Any less volume would have meant ancillary tasks to ensure the analysts had a productive day mitigating fraud, whereas any more volume than normal was a recipe for disaster.
Cue the Expected Disaster
Unfortunately, fraudsters had identified that the company’s portal was susceptible to bot attacks. These automated, scripted attacks used lines of code to ping large amounts of credentials against our online applications. Device intelligence was a great first line of defense and certainly helped identify some of the less sophisticated attacks, such as a large amount of credentials coming from one IP address, or attacks occurring from similar geolocation regions. However, once the fraudsters tested and exposed gaps within the coverage, like jumping IP addresses and changing the names of the customer, we needed stronger fraud prevention measures.
In one such attack, we had 70 accounts opened daily that had different names, addresses, Social Security numbers and even IP regions. This occurred daily for two weeks, and having to review approximately 1,000 additional accounts (on top of the normal activity) caused us to fall severely behind.
Consequences of Fraud
With our process, a risky account would not have access to full functionality until a fraud review had been completed, which negatively impacted thousands of legitimate customers. This poor experience led many customers to stop using their accounts, and what should have been an exciting journey between the bank and the customer came to an abrupt end.
Additionally, branch visits and call center volumes increased drastically. For call center staffing, there is often very little wiggle room allocated outside of the normal call volume. Even a small increase of call volume can create longer than normal hold times. Once on the call, the customers are irritated by the wait and also that their account is constrained. Conversations on explaining next steps, waiting for escalations to resolve and checking the manual for extenuating circumstances often led to longer call times, further exacerbating hold times for the next customer.
In order to mitigate the risk of fraud as well as the poor customer experience, we offered overtime to our fraud analysts. This led not only to increased salary costs for the company but also burnout and demotivation for the employees.
It’s one thing to come to work knowing that you are going to stop fraud when your systems are performing adequately. Fraudsters will try new things and the fraud analysts get to root out these new tactics. It’s engaging, much like a puzzle. However, when the puzzle has already been solved, putting the pieces together day after day becomes monotonous and disengaging. Demotivation can quickly drain your team of productivity and creates additional risk to the business.
Overall, this fraud scheme cost the organization approximately $6,000 a day in salary, operation and fraud loss. Over two weeks, this equated to $84,000.
Once we added email risk checks to the onboarding process, we were able to root out much of this repeated fraud. Even though the fraudsters were utilizing different names, addresses and geolocations, they still had one shortcoming: patterned email addresses linked to identities that had little to no history. With the email risk service in place, we were able to risk-score these emails much higher than before.
Fortunately, most fraudsters will look to maintain their current scheme instead of drastically adapting to new changes in a workflow. Once these cybercriminals realized that 99% of their accounts were being stopped before creation and the other 1% were being caught upon review, they quickly jumped to a different organization with lesser controls. Within one month of implementing the solution, volumes were back to normal across departments, and teams were happy and engaged again. The small per-transaction cost of these email risk checks were more than paid for by the savings in overtime, lost business and damage to morale.
Jumio provides two types of email risk services: a lightweight check that determines the validity of the email, and a more comprehensive global database check that returns many more data points on the email’s age, behavior and reputation that you can write rules against to establish risk. Genuine email accounts are often aged and used as a prime source of contact for individuals, whereas fraudsters tend to create ranges of new email accounts that are “tumbled” (e.g., [email protected], [email protected], etc.), so this can be a very useful risk signal. To learn more about which service is right for you, contact us to start a conversation.