When many people think of fraud, they imagine a solitary individual who compromises data, creates fake credit cards based on that data, and then uses the cards to make purchases. In fact, it is very rare to find this type of structure where one person does everything, simply because it’s not efficient.
Most successful fraudsters work in an organization very similar to corporations. They have individuals specialized in acquiring stolen data, others who manufacture the cards, and still others who make purchases with those cards. The most prolific fraudsters have several different sites set up to act as “disaster recovery” locations. If one site gets shut down, or if the targeted financial institutions close the gap the fraudsters are exploiting in the region, they can simply take their data to a new location with minimal down time.
This approach allows fraudsters to move fast and at scale, presenting a formidable challenge. That’s why one of the most important anti-fraud tools a business can use is a flexible rules engine that lets you adapt immediately to emerging fraud trends and modify rules in real time.
Kyle Caldwell, Product Manager at Jumio, experienced this first-hand when he worked as a Fraud Strategy Manager at a bank.
Overall, the fraud department was running smoothly. Our card fraud losses had been decreasing against projections, and we were comfortable with the balance we had struck between loss and customer impact. The institution had implemented the chip (EMV) technology on our cards the previous year, but many customers and merchants still had problems figuring out the new technology. This meant we had to approve far more swipe (fallback) transactions than I would have liked. Fraudsters knew that most issuers were still struggling with educating their consumer base and took advantage of this environment.
One morning I woke up to several disturbing escalations from our contact center, card fraud department and product managers. A fraud ring had swiped more than 25 cards at a big box retailer in Florida. The card swipes ranged from $50 to $200 and would often total $1,100 per card before triggering velocity rules, at which point the fraudsters would move on to the next card. Although we had velocity controls in place as well as counterfeit detection, there were a few things working against us. The biggest problem was that many customers were still learning how to use their chip cards. Additionally, merchants had a difficult time installing their chip processors into their Point of Sale devices. And because it was travel season, we had accepted the risk of loss to ensure our customers could still use their accounts while traveling.
We began adding rules, starting with blocking transactions over $50.00 at big box retailers in impacted ZIP codes. We fully anticipated this to lead to negative customer feedback and complaints, but we were empowered to mitigate the fraud by any means possible. The first several transactions by the fraudsters were denied, and we did not see any activity for a few hours. But then transactions outside of the ZIP code started to process for the same amounts. Knowing that the fraudsters were willing to travel throughout Florida, we updated the rule from “zip” to “state”. Once again we started to deny the activity within the state.
The next attack came from neighboring states Georgia and Alabama. The fraudsters also began targeting electronic stores in addition to big box retailers. We updated those merchant category codes and added all surrounding states into the rule. This stopped the fraud — for a time.
Within three days, the fraudsters had moved their activity over 1,000 miles away to Chicago, Illinois. We quickly updated our rules with the same approach that stopped the fraud in Florida. We also dialed back the rules in the southeast to ensure we reduced customer friction, and we prepared to apply rule changes in several different regions across our footprint at the first sign of trouble in those areas. Fortunately, after Chicago the fraudsters must have realized we would apply our approach wherever they went, and they opted to target a new bank.
All in all, about 70 cards were compromised, we lost about $15,000.00 and denied $20,000.00. Because of our rules engine, we were able to act swiftly and decisively to stop the fraud. If we hadn’t had the ability to adapt the rules quickly, the losses and compromises would have been much higher. Not only did we save the bank money from fraud losses, we also saved on operational costs by reducing the number of calls needed to file disputes, the amount of time it would have taken to work each case, and the number of planning meetings that would have been required to address the fraud trend if we’d had to work with engineers to update code-based rules instead of making the changes ourselves in real time.
How to Select a Rules Engine
Kyle’s story is just one example of how critical an effective rules engine is for deterring fraud. That’s why Jumio’s rules engine was designed to provide flexible, self-service rule editing for all industries. Along with the ability to create simple and complex rules with all the data attributes from our services, we provide over 200 preconfigured rules right out of the box, which makes it easy for you to modify existing templates instead of having to write new rules every time.
The Jumio rules engine also provides many powerful features that are essential to your success. Make sure the solution you choose includes the following functionality.
Rulesets pack multiple capabilities into the same transaction workflow. These ruleset packages use a combination or chain of different risk signals to effectively prevent fraud in specific scenarios in banking, gaming and many other industries.
Real-time performance reports help you fine-tune your rules to maximize approval conversion while minimizing fraud. Rules analytics also help you isolate the transactions that are creating false positives, allowing you to analyze their metadata and optimize the rules with specific conditions that will make them trigger more accurately. An efficient rules engine should help you identify which transactions should be blocked as well as which ones should be allowed.
“What if” Reporting
Fraud departments must be able to evaluate the impact of each rule on good customers as well as fraudsters in order to strike the right balance. When creating a new rule, Jumio’s rules engine provides “what if” scenarios that proactively return how much fraud would have been stopped by the rule and how many good customers would have been impacted. This is critical information for discussion with other business stakeholders so everyone can work with the best information possible.
If you are still hesitant to implement a rule based on reporting and historic data alone, implementing a ghost rule may help improve your confidence in a rule before you implement it. To set up a ghost rule in Jumio’s rule editor, you can simply enable the rule and set the score to “0”. Every time a transaction triggers the rule, it will tag the transaction for future evaluation. This way you can observe the rule in a true environment without creating any negative consequences.
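As an added illustration of the “what if” report and the ghost rule described above (this is not Jumio’s rule editor or API; the rule fields, score threshold, merchant category codes and transaction history are all constructed assumptions), the sketch below backtests the ZIP-to-state rule change from Kyle’s story and runs a score-0 rule that tags transactions without denying them:

```python
from dataclasses import dataclass

BLOCK_THRESHOLD = 100  # assumption: summed rule scores at or above this deny

@dataclass(frozen=True)
class Rule:
    name: str
    score: int                        # 0 makes this a ghost rule: tag only
    min_amount: float
    mccs: frozenset                   # merchant category codes in scope
    zips: frozenset = frozenset()     # narrow scope: specific ZIP codes
    states: frozenset = frozenset()   # wide scope: whole states

    def matches(self, t):
        in_region = t["zip"] in self.zips or t["state"] in self.states
        return in_region and t["mcc"] in self.mccs and t["amount"] > self.min_amount

def evaluate(rules, t):
    """Return (decision, tags). Every matching rule tags; only scores decide."""
    hits = [r for r in rules if r.matches(t)]
    decision = "deny" if sum(r.score for r in hits) >= BLOCK_THRESHOLD else "approve"
    return decision, [r.name for r in hits]

def what_if(rule, history):
    """Backtest a candidate rule against labelled historical transactions."""
    hits = [t for t in history if rule.matches(t)]
    missed = [t for t in history if t["fraud"] and not rule.matches(t)]
    return {
        "fraud_stopped": sum(t["amount"] for t in hits if t["fraud"]),
        "fraud_missed": sum(t["amount"] for t in missed),
        "good_cards_impacted": len({t["card"] for t in hits if not t["fraud"]}),
    }

def make_tx(card, amount, mcc, zip_code, state, fraud):
    return dict(card=card, amount=amount, mcc=mcc, zip=zip_code, state=state, fraud=fraud)

# Constructed history. Assumed MCCs: 5310 discount store, 5732 electronics, 5411 grocery.
HISTORY = [
    make_tx("A", 150.0, "5310", "33101", "FL", True),
    make_tx("A", 200.0, "5310", "32801", "FL", True),
    make_tx("B", 120.0, "5732", "30301", "GA", True),
    make_tx("C", 80.0, "5310", "33101", "FL", False),
    make_tx("D", 35.0, "5310", "33101", "FL", False),
    make_tx("E", 90.0, "5411", "32801", "FL", False),
]

ZIP_RULE = Rule("bigbox_over_50_zip", 100, 50.0, frozenset({"5310"}), zips=frozenset({"33101"}))
STATE_RULE = Rule("bigbox_over_50_state", 100, 50.0, frozenset({"5310"}), states=frozenset({"FL"}))
GHOST_RULE = Rule("ghost_region_electronics", 0, 50.0, frozenset({"5310", "5732"}),
                  states=frozenset({"FL", "GA", "AL"}))
```

Comparing `what_if(ZIP_RULE, HISTORY)` with `what_if(STATE_RULE, HISTORY)` shows what widening the scope buys before the rule goes live, while `evaluate([STATE_RULE, GHOST_RULE], tx)` approves a transaction that only the ghost rule matches and still returns its tag for later review.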
“Set and Forget” rules can be a hindrance to your business. A rule that was once effective may now be outdated, because fraudsters are always evolving their schemes by trying lower dollar amounts, changing geographies and trying different purchases. Without tuning your rules regularly, you may be negatively impacting your good customers without stopping any fraud. Make sure your rules engine makes it easy to evaluate and tune your rules.
To be truly effective, rules should be able to take specific actions when a transaction meets the rule criteria, such as sending an email/notification, creating a risk profile case or even deciding which path the transaction should take in the verification process. For example, it is a common practice to end the onboarding process if transactions are linked to a fraudulent device, as opposed to continuing the chain of verification signals and requesting ID verification for a transaction that’s already been identified as fraud. This helps businesses reduce costs and streamline unnecessary verification processes.
To find out more about how Jumio can help you deter fraud and protect your business throughout the entire customer journey, visit jumio.com, or just fill out this form to start a conversation with one of our specialists.