Piece of Cake

Beg your pudding?

In global terms, online fraud isn't so much a cottage industry these days as one of those whopping great trading estates on the outskirts of Slough. In other words, businesses have to be more vigilant than ever in detecting fraudulent activity. There's a growing range of tactics, says Eisen, but a combination - woven into a multi-layered, impregnable net - is the most effective.

1. Check billing and shipping addresses
Online crooks often have goods shipped to addresses other than those specified as the billing address - so checking if the billing and shipping addresses are different is a good start. The use of "drop-shipment" addresses is another common tactic - if multiple orders are being diverted to the same drop-shipment address, place it on a negative list until it can be verified one way or the other.

2. Increase device ID data
Establishing the true identity of the device being used to complete a transaction is essential, and so, therefore, is the construction of a comprehensive device ID profile that goes beyond single data elements such as the IP address. Comparing the time a transaction is made against the time zone and the language settings of the device it is made on can highlight inconsistencies for example. So if a device purports to be in, say, France, but is running a transaction in Russian language settings via the Pacific time zone, it's worth looking into.

3. Maintain standard checking systems
Address Verification Systems (AVS), Card Verification Values (CVV2) and Verify are all important security mechanisms. An important barrier that is nevertheless easily negotiated by legitimate consumers, such systems cut out a lot of low-level fraud, especially from one-off, opportunist and unprepared fraudsters.

4. Remember... IPs can be spoofed
More sophisticated fraudsters are able to fake their locations and appear as though they're anywhere in the world thanks to IP address 'spoofing' - so simply monitoring IP addresses is a less than fraud-proof approach. That is, where the IP address is one of the key assessment criteria, a fraudulent transaction can be made to appear entirely legitimate simply by quoting the IP address of the genuine card holder.

5. Check for 'lazy' keystrokes
Another telltale sign of suspicious activity or a questionable customer profile is names, email addresses, passwords and so on being entered using keys grouped closely together on the keyboard. Criminals rushing through vast amounts of data entry as they try to randomly 'guess' ID data often try to save time by using combinations of letters close to one another - a, s, d and f for example.
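One way to score the 'lazy' keystroke signal, as an added example that is not from the original article: the QWERTY geometry, the 0.8 threshold, the field names and the sample records are all assumptions constructed for illustration.

```python
# Added example: fraction of consecutive characters typed on touching keys.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
OFFSETS = [0.0, 0.5, 0.75, 1.25]  # assumed row stagger, in key widths
POS = {ch: (r, c + OFFSETS[r])
       for r, row in enumerate(ROWS) for c, ch in enumerate(row)}


def adjacent(a, b):
    """True when two keys touch (or are the same key) on a QWERTY layout."""
    (r1, x1), (r2, x2) = POS[a], POS[b]
    return abs(r1 - r2) <= 1 and abs(x1 - x2) <= 1.0


def lazy_ratio(text):
    """Share of consecutive key pairs that are neighbours; 0.0 if too short."""
    chars = [c for c in text.lower() if c in POS]
    pairs = list(zip(chars, chars[1:]))
    if len(pairs) < 3:  # too little evidence to judge
        return 0.0
    return sum(adjacent(a, b) for a, b in pairs) / len(pairs)


def lazy_fields(record, threshold=0.8):
    """Names of fields whose value looks like a keyboard walk.

    For email addresses only the part before '@' is scored.
    """
    return [field for field, value in record.items()
            if lazy_ratio(value.split("@", 1)[0]) >= threshold]


# Constructed sample records (hypothetical field names).
SUSPECT = {"first_name": "asdf", "last_name": "sdfg",
           "email": "qwerty@example.com"}
LEGIT = {"first_name": "Margaret", "last_name": "Okafor",
         "email": "m.okafor@example.com"}

if __name__ == "__main__":
    print("suspect:", lazy_fields(SUSPECT))
    print("legit:  ", lazy_fields(LEGIT))
```

A high score is a reason to queue the order for review alongside the other checks, not a verdict on its own, since short real names can also sit on neighbouring keys.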

6. Be wary of anonymous email addresses
While "open to anyone" online email clients like Hotmail, Yahoo and Gmail are popular among many legitimate customers, they are also an easy way for fraudsters to set up multiple email addresses. Accordingly, a transaction cannot and should not be trusted simply because the quoted email address (just as easily created by a crook as the person themselves) matches the cardholder's name.

7. Watch for 'email tumbling'

Checking for sequential email addresses - aka 'email tumbling' - is another quick, easy way to spot organised fraud. Transactions assigned to, say, joebloggs001@, joebloggs002@, joebloggs003@ are indicative of a fraudster automatically generating email addresses.
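A sketch of an email-tumbling check, added here as an example and not taken from the article: it groups addresses by the local part with its trailing number removed and reports groups containing a run of consecutive numbers. The minimum run of three and the sample addresses are assumptions.

```python
import re
from collections import defaultdict

# Local part = non-empty stem followed by a trailing number, e.g. joebloggs001
TUMBLE = re.compile(r"^(?P<stem>.*?)(?P<num>\d+)$")


def longest_run(nums):
    """Longest run of consecutive integers in a sorted list."""
    best, cur = [], []
    for n in nums:
        cur = cur + [n] if cur and n == cur[-1] + 1 else [n]
        if len(cur) > len(best):
            best = cur
    return best


def find_tumbling(emails, min_run=3):
    """Map 'stem*@domain' to the consecutive suffixes seen for that stem."""
    groups = defaultdict(set)
    for email in emails:
        local, _, domain = email.strip().lower().rpartition("@")
        m = TUMBLE.match(local)
        if m and m.group("stem"):  # ignore purely numeric local parts
            groups[(m.group("stem"), domain)].add(int(m.group("num")))
    findings = {}
    for (stem, domain), nums in groups.items():
        run = longest_run(sorted(nums))
        if len(run) >= min_run:
            findings[f"{stem}*@{domain}"] = run
    return findings


# Constructed sample: addresses taken from a day's orders.
SAMPLE = [
    "joebloggs001@example.com",
    "alice@example.org",
    "joebloggs003@example.com",
    "bob7@example.net",
    "JoeBloggs002@example.com",
    "joebloggs010@example.com",
]

if __name__ == "__main__":
    for pattern, run in find_tumbling(SAMPLE).items():
        print(pattern, "sequential suffixes:", run)
```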

8. Maintain manual investigations
While automatic analysis tools are certainly useful in picking out suspicious links and patterns in data that may not be obvious to fraud investigators, human review remains an important tool too - particularly in establishing themes computers would struggle to spot.
A computer would be unlikely to connect the names David Beckham, Wayne Rooney and Steven Gerrard for instance, while a human eye would very quickly identify such a pattern as suspicious. Human intervention should therefore still comprise up to around five per cent of all fraud analysis.

9. Look for the rest of the iceberg
The discovery of one fraudulent transaction can often be the key to unearthing a raft of similar cases. Use every information parameter relating to the original case at your disposal. Search for transactions that share the same or similar details - even if it's only in a single parameter. The similarities may be small - tiny commonalities in email and/or postal address, in phone numbers, in time zones - but such patterns often point to fraud.
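The pivot described above, as an added example that is not part of the original article: starting from one confirmed fraudulent transaction, it finds every transaction that shares a single parameter with it, and goes one step further than the text by following those links transitively. Field names, normalisation rules and the sample transactions are assumptions.

```python
from collections import defaultdict, deque

# Hypothetical field names for the parameters an investigator pivots on.
PIVOT_FIELDS = ("email", "phone", "ship_addr", "device_id")


def normalise(field, value):
    """Make trivially different spellings of the same value compare equal."""
    v = value.strip().lower()
    if field == "phone":
        v = "".join(ch for ch in v if ch.isdigit())
    return v


def linked_to(seed_id, txns):
    """Return {txn_id: (reached_from, shared_field)} for the seed's cluster."""
    index = defaultdict(set)  # (field, value) -> ids of transactions using it
    for tid, txn in txns.items():
        for field in PIVOT_FIELDS:
            if txn.get(field):
                index[(field, normalise(field, txn[field]))].add(tid)
    links, seen, queue = {}, {seed_id}, deque([seed_id])
    while queue:  # breadth-first walk over shared parameters
        cur = queue.popleft()
        for field in PIVOT_FIELDS:
            if not txns[cur].get(field):
                continue
            key = (field, normalise(field, txns[cur][field]))
            for other in sorted(index[key] - seen):
                seen.add(other)
                links[other] = (cur, field)
                queue.append(other)
    return links


# Constructed sample; T1 is the confirmed fraudulent transaction.
TXNS = {
    "T1": {"email": "a@example.com", "phone": "555-0100",
           "ship_addr": "1 Example Road", "device_id": "dev-a"},
    "T2": {"email": "b@example.com", "phone": "(555) 0100",
           "ship_addr": "22 Sample Street ", "device_id": "dev-b"},
    "T3": {"email": "c@example.com", "phone": "555-0133",
           "ship_addr": " 22 sample street", "device_id": "dev-c"},
    "T4": {"email": "d@example.com", "phone": "555-0177",
           "ship_addr": "9 Other Lane", "device_id": "dev-d"},
}

if __name__ == "__main__":
    for tid, (src, field) in linked_to("T1", TXNS).items():
        print(f"{tid} linked to {src} via {field}")
```

Each result records which parameter produced the link, so a reviewer can judge whether the overlap is meaningful before acting on it.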

10. Use free mapping tools
Free-to-use mapping services like Google Maps can be useful adjuncts when investigating cases of potential fraud. Is an address that claims to be residential actually a commercial premises? Are shipping and billing addresses close together? If not, there may be cause for suspicion.


The range of parameters and checkpoints you choose to set as a business will depend on a wide range of factors - from the characteristics of your customer base to the capability of your fraud team. Remember though, that while each of the approaches described here is useful in its own right, none can in itself be regarded as a panacea.

In other words, the more measures and care you employ in monitoring your business's online trade, the fewer suspicious transactions can and will slip through the net.
 
Ori Eisen is also the former worldwide fraud director for American Express and director of fraud prevention at VeriSign.