There are lots of metaphors used to describe the fight between fraudsters and fraud prevention teams: cat and mouse, tug of war, Whac-a-Mole, and so on. In all of them, the basic idea is this: action and reaction. One side acts, the other reacts, the first reacts to that reaction, and the cycle continues forever. Fraud prevention teams want to stay ahead of fraudsters as much as possible, because being behind them means having to let fraud happen before you can respond; fraudsters want to stay ahead of the game for the same reason.
Unfortunately, when it comes to speed, fraudsters do have an advantage over fraud fighters. That doesn’t mean staying ahead of the fraud curve is impossible, but it does make things more complicated.
Fraudsters like to poke around for vulnerabilities in an app’s policies and operations, looking for a lever they can pull to profit. Once they find a lever that works, they can start exploiting it right away; there’s no need for a fraudster to conduct any additional testing or get buy-in from stakeholders to craft the specifics of their scheme. They just get to work—at their chosen victim’s expense.
Naturally, things don’t work quite this devil-may-care on the fraud prevention side of the equation. As professionals with standards, procedures, and management teams to navigate, fraud teams can’t just go with the first seemingly viable solution they find, the way fraudsters can run with the first viable type of abuse. It takes much longer to grow a tree than to cut it down—in the same way, it takes longer to nurture a new fraud solution than it does to find the newest viable fraud type and jump on it.
In a webinar with AboutFraud called “The Real Full Stack: People, Technology, and Processes,” Incognia CEO Andre Ferraz talked about how the speed problem manifests itself in the operations of a platform. “If your process to test new solutions is too inefficient, and you're not able to move quickly, the fraudsters will always beat you. When you finalize testing that solution and deploying it, the fraudster is already two steps ahead with a new attack. And then you have to go through the same process again.”
The problem only gets worse if the procedure for testing new solutions is poorly defined or gets bottlenecked by the need for interdepartmental approvals (when exactly does legal get involved, do we need an NDA, what sort of authorization from the cybersecurity team do we need, etc.)
Kyle Caldwell, Senior Vice President of Fraud Product Management at M&T Bank, also pointed out some roadblocks even at the fundamental level of language used to describe types of fraud between platforms experiencing and the vendors they try describing their difficulties to. “...We're not speaking the same language. And what ends up happening is everything that you just said, right? Which is when we get on a call and we start talking about scams, it’s all ‘What kind of scam?’ And then you have a fifteen minute conversation to align around what type of activity you're talking about.
Fraudsters don't have that problem, right? They share vernacular. They don’t necessarily care what they call it.”
Caring about standards and procedures is good, and it’s one of the things that sets fraud prevention apart from fraudsters. The downside, of course, is that not having professional standards to uphold is a massive speed advantage for fraudsters looking to cash in as quickly and easily as possible. With that said, though, there are still ways for fraud fighters to come out ahead in the rabbit-and-turtle race.
Fraud prevention and detection professionals will always have more red tape to deal with than their fraudulent counterparts, but that doesn’t mean that the fraudsters’ speed advantage can’t be overcome.
Fraudsters are constantly adapting in response to the latest technologies and fraud prevention measures designed to catch them. When one hole gets patched, they find another. When they find something that works, they burrow in as quickly as they can, and expand to make as much profit as possible.
Prioritizing agile fraud solutions that can be applied to a range of use cases is one way to ensure that even when fraudsters switch gears, your solutions are never so far behind that you can’t intervene before they can get footholds in your platform.
It’s true that any new solutions testing takes time, but some processes are certainly more efficient than others. Having a clearly defined process and chain of communication for implementing new tests and solutions can save a lot of time when you’re on the clock against new emerging fraud trends. If you have to spend time playing email tag because you’re not sure what clearances or buy-in you need from other departments, that’s time you lose to the fraudsters.
Meeting emerging fraud trends head-on is much easier if you’re working with vendors who keep an ear to the ground in the fraud world. For example, Incognia has customers all over the world, across different markets and use cases, and that enables us to use the knowledge we gain from one client to help another. Many of the fraud schemes we see today with American food delivery platforms, we’ve also seen with Brazilian food delivery companies, and that advanced knowledge gives us an edge that helps us stay ahead of the newest fraud threats across global markets.
While fraudsters definitely have a speed advantage, it doesn’t mean fraud prevention is doomed to trail behind them forever. By adopting agile solutions, refining testing processes, and leveraging the collective intelligence of vendors familiar with global fraud trends, it’s possible to close the speed gap.
It's a challenging race, but with strategic adjustments and a commitment to evolution in the face of new threats, the turtle can catch up to the rabbit and keep platforms safe and comfortable for users.