Fighting Fraud Like the Pros - Uber Edition

Like many other fraud professionals, I first got drawn into fighting fraud by dealing with chargebacks and failed (DNS) transactions at Uber. In our early stages, we sought out third party services to help defend and protect ourselves, services that are now common through companies like Stripe, Shopify, and others. We used those services to build a rudimentary rules engine to identify and block suspicious transactions.

But as we grew, we began to experience additional losses. We began finding that our third party vendors were not particularly precise, and were blocking far more transactions than our growth team liked, inhibiting our expansion, and generating an excessive number of customer tickets. 

We also began to see novel forms of fraud and abuse on our systems: 

  • Customers would create duplicate accounts to take advantage of new user discounts
  • Attackers would attempt to take over both rider and driver accounts to get free rides or to cash out someone else’s earnings
  • Drivers would take fake rides with themselves to take advantage of bonuses and incentives
  • Riders and drivers would make false claims in their support tickets in hopes of getting a ride for free or having an extra fee charged to a rider
  • Customers would file “non-fraud” chargebacks reporting that goods were not delivered or weren’t satisfactory.

Though we had implemented basic fraud rules and some human review, we quickly found that we were investing significant time and resources to reduce chargeback rates, presenting evidence to dispute chargebacks, and negotiating with our payment networks. One of those negotiations involved the payment network asking us to collect physical imprints of customers’ credit cards and us spending time convincing their team that this risk management approach absolutely did not fit with our business model.

Eventually we were able to “put out the fires” and fight to get to a more stable state. From there, we were finally able to take a step back, and think through how to build systems that would better scale and meet the company’s ongoing and evolving needs. We frequently had to adjust our roadmap or build new detection mechanisms as fraudsters also grew their capabilities and attacked us on different fronts, with those iterations continuing today. 

Over the course of a few years, we:

  • Created a more sophisticated engine and configuration UI capable of handling thousands of rules and dozens of automated machine learning models that we could automatically retrain using the most recent fraud patterns and attacks
  • Implemented risk checks at multiple points across the user lifecycle, increasing our effectiveness at stopping bad actors and reducing the cost/noise of false positives
  • Integrated vendors that could help us better verify and adjudicate whether a given account was legitimate
  • Created user profiles and segments that allowed us to tap into customers’ lifetime history and behavioral patterns to help determine whether transactions were legitimate - for example, a given $500 transaction could be allowed if the customer had taken those types of trips in the past and was operating from a trusted device/location
  • Built comprehensive review tools to help operations and support teams track a given account’s history and help them determine whether or not a given customer had been incorrectly flagged for fraud
  • Developed partnerships across the company’s growth, product, operations, and finance teams to increase awareness of how to prevent fraud and intelligently design incentives, promotional discounts, and support policies
  • Submitted referrals to law enforcement agencies in situations where we had experienced substantial losses and had strong evidence identifying a responsible individual or group

Even as we built some of the world’s most sophisticated risk & fraud prevention systems, the fraudsters we fought evolved as well. Unfortunately, they never quite go away, but they can be contained. In 2021 the company still lost $246 million to fraud and chargebacks, or about 0.27% of its gross bookings. It’s a lot of money, but at a certain point we have to determine what is an acceptable loss.

So what should you do about it?

If you’re just getting started and working to make sure you’re not losing 1%, 5%, or even 10% of your hard-earned gross revenue, consider some of these key lessons from my time fighting fraud at Uber.

Think about the actions you can take to make life harder for fraudsters

You can always use the “sledgehammer approach” and ban suspicious user accounts. This is effective if the banned accounts can no longer operate on your platform and it is difficult to create a new identity or account.

Keep in mind that you’ll want to watch how many accounts you’re banning and avoid an excessively high false positive rate. In many cases, your highest value customers may actually look like fraudsters, and they will become a support nightmare for you if you incorrectly ban them.

Another option is to block individual suspicious transactions. Depending on your service or product, this could mean refusing a customer’s request entirely or perhaps canceling the shipment or delivery of goods.

An increasingly popular option for reducing false positives and customer friction is to instead implement some sort of verification challenge. For example, you may choose to allow the transaction to proceed as long as the user has verified their identity or payment information or has successfully used multi-factor authentication.

Think about how you’ll implement both preventative and reactive actions

Most companies will implement some form of rules engine and/or machine learning model that will automatically ban users, block transactions, or trigger verification challenges. 

In some cases, these rules engines will flag transactions and cases for human review, and hold the order or transaction until it has been approved by the operations team.
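As an added illustration (not Uber’s code or any vendor’s), here is a minimal rules engine in the spirit of what the preceding sections describe: each rule returns one of the escalating actions (allow, challenge, review, block, ban), the engine keeps the most severe verdict, and the $500 example from earlier is handled by consulting lifetime history plus a trusted device. The checkpoint names, customer fields and thresholds are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Actions in escalating order of customer friction (hypothetical names).
ALLOW, CHALLENGE, REVIEW, BLOCK, BAN = "allow", "challenge", "review", "block", "ban"
SEVERITY = {ALLOW: 0, CHALLENGE: 1, REVIEW: 2, BLOCK: 3, BAN: 4}

@dataclass
class Customer:                       # constructed profile fields, not a real schema
    account_age_days: int
    completed_trips: int
    max_past_amount: float            # largest legitimate transaction in lifetime history
    trusted_devices: set = field(default_factory=set)
    linked_banned_accounts: int = 0   # shares a device/payment method with a banned account

@dataclass
class Event:
    checkpoint: str                   # assumed checkpoints: "login", "checkout", "payout"
    amount: float
    device_id: str
    failed_logins_last_hour: int = 0
    payout_destination_changed: bool = False

def rule_duplicate_account(c, e):
    # Duplicate-account abuse: ties to an already-banned account are the strongest signal.
    return BAN if c.linked_banned_accounts > 0 else ALLOW

def rule_login_velocity(c, e):
    # Login checkpoint: burst of failures looks like a takeover attempt, so require MFA.
    return CHALLENGE if e.checkpoint == "login" and e.failed_logins_last_hour >= 5 else ALLOW

def rule_large_amount(c, e):
    # The $500 case: allow when the customer has taken trips of this size before and is on
    # a trusted device; otherwise escalate to a challenge (or review for a new account).
    if e.checkpoint != "checkout" or e.amount < 500:
        return ALLOW
    if e.amount <= c.max_past_amount * 1.5 and e.device_id in c.trusted_devices:
        return ALLOW
    return CHALLENGE if c.completed_trips > 0 else REVIEW

def rule_payout_change(c, e):
    # Payout checkpoint: a changed destination from an unknown device is held, not paid.
    if e.checkpoint == "payout" and e.payout_destination_changed:
        return REVIEW if e.device_id in c.trusted_devices else BLOCK
    return ALLOW

RULES = [rule_duplicate_account, rule_login_velocity, rule_large_amount, rule_payout_change]

def decide(customer, event):
    """Run every rule and return (most severe action, names of rules that fired)."""
    verdicts = [(rule.__name__, rule(customer, event)) for rule in RULES]
    action = max((v for _, v in verdicts), key=SEVERITY.__getitem__)
    return action, [name for name, v in verdicts if v != ALLOW]
```

Returning the list of fired rules alongside the action is what lets a review tool show an operations analyst why an account was flagged, which is the false-positive safety valve the text keeps coming back to.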

For companies without readily available product and engineering time to build these systems, the “rules engine” will often start with a member of the team getting daily reports & datasets, then investigating cases one-by-one using whatever customer or transaction data is available, then taking action on those accounts or orders using internal tools.

For some companies, it’s easier to outsource all or parts of this workflow, bringing in vendors like SEON, Ravelin, Sift, or Kount to evaluate transactions and sometimes review them on your behalf.

Even companies that build in-house rules engines will rely on vendors to provide supplemental data about customers. Device fingerprints, background/identity data, and address verification data can be pulled from third party identity vendors and used alongside your own data to determine whether a given account or transaction is trustworthy.

Bring the actions and the implementation together throughout the customer lifecycle

Once you get initial fraud attacks under control, you’ll be able to shift from a reactive mindset to a proactive one, and can identify checkpoints across your customer lifecycle where you can build appropriate verification steps.

You may be able to stop fraudsters from accessing your platform in the first place by implementing rate limits, bot detection, and multi-factor authentication at an “account login” checkpoint. Or you could prevent fraudsters from withdrawing funds from your platform through additional identity checks and anomaly detection for suspicious or new/updated payouts to suppliers.

By integrating your fraud checks at multiple checkpoints in the user lifecycle, you can reduce the pressure on your systems to identify every single fraudster at a single point in time (e.g. checkout), create a better user experience that reduces false positives, and more comprehensively protect yourself from the wide range of fraud attacks that plague the e-commerce industry.
