Hi everyone.
My name is Ivan Prokofyev. I am a payment fraud lead and this is my first (hope not last) HackerNoon post.
A bit more about myself: I have over 10 years of experience in the fraud prevention domain. In my career, I’ve spent time working at Tinkoff Bank, ForexClub (aka LibertEx), Gett, and Booking.com. I’ve also worked on a couple of projects with Sbermarket. I’m currently working at Bumble (Badoo).
Experience in these companies allowed me to work in different domains and different business models where fraud prevention was part of IT, Security, Marketing, Finance, and Operations. Most of my fraud positions were related to payment fraud (everything that relates to credit cards, PayPal, and other payment methods such as Klarna, boleto, etc.). I also have experience working with marketing abuse (coupon, loyalty fraud), collusion, resellers, etc.
In today’s post, I’ll aim to answer the following questions:
Let’s get to it!
Cybersecurity and fraud prevention are 2 different professions that respond to different aspects of a business.
Work in cybersecurity focuses more on access, DDoS attacks, protecting devices, networks, data breaches, etc.
Fraud prevention covers payment disputes, coupon abuse, testing fraudulent credit cards, reselling services and/or goods, etc.
There is of course overlap and both areas aim to protect companies from financial loss. However, expecting a cybersecurity expert to handle fraud prevention cases and vice versa is not the right approach and may cause issues for both sides because the focuses are so different.
This would be the equivalent of expecting a Backend Developer to work on the Front end — it might be achieved, but the time and resources wouldn’t be used effectively.
TL;DR point 1:
Cybersecurity and fraud prevention are 2 different professions.
Cybersecurity is about protecting your infrastructure, while fraud prevention is about protecting your business processes.
Payment fraud losses were about $41B in 2022. This covers only the confirmed losses that have to be disclosed publicly; the real numbers are expected to be much higher. Losses were about $17B two years earlier, in 2020, and the prediction for 2023 is about $50B.
This should be reason enough! But let’s not stop there.
Whenever a company decides to start accepting payments there are several payment fraud prevention options:
In-house solution (An in-house fraud team).
Payment provider solution with a guaranteed high acceptance rate and low fraud decline rate.
An external solution that prevents all possible fraud.
However, it is important to remember when choosing one of the last two solutions that you need to have someone on your side. Otherwise, solutions will focus on their own success, not the protection of your interests.
Without regular communication, the company can face an increase in reject rate, declined payments from genuine customers, and growing chargeback (dispute) numbers. This can lead to consequences such as fraud/dispute programs from payment systems (Visa, MasterCard, Amex, etc.) and, as a result, even more declines from banks because the company becomes risky. On top of this there will be a monthly fee, starting from $10k.
Fraud specialists will lead all conversations with providers, communicate changes on the business side, give feedback about false-positive declines with requests to review solutions, and most importantly keep your company away from fraud/dispute programs.
You might think that if you’re not working with payments, you don’t need Fraud Specialists, and you might be right. For example, in some regions, even when you accept payments, domestic fraud is so low that you will never have a rate higher than 0.001%. But these markets have other fraud risks, which you might never have known about.
Let’s take as an example “Invite friends”. I believe each of you knows about these marketing campaigns. After launching the campaign most of the time all dashboards/charts show only the growing number of new customers. But if you start to analyze “new” customers you might find that 20 new users are related to one email or phone. The main account already has a super high balance and 20 accounts will never have any activities after being created.
In the end, you have misleading information and expectations from numbers. Businesses that work with 3rd party companies or people (for example delivery or taxi services) are faced with collusion and fake orders, which cost a lot. For these cases, you have to have a fraud specialist who will focus on analyzing all these areas, work closely with the product team, and find and resolve cases that affect company revenue.
A fraud specialist will also keep you from making decisions that leave you without any fraud, but also without any orders and customers. It is very difficult to keep fraud under a specific level while making sure that the business keeps operating and that fraud prevention solutions stop only fraudsters without affecting real customers.
TL;DR point 2:
I know some people who started out as Business Analysts and became amazing Fraud Analysts, but it’s not always the case. Usually, when Business Analysts are asked to work on fraud prevention, it starts with simple requests from the business side — define fraud or fish out fraudulent activity. This task doesn’t contain enough information or clarity about fraud and what fraud actually means. Analysts will usually start analyzing traffic and identifying anomalous activity.
For example, 20 orders in a specific area at a time when you would usually find three. After a couple of these attempts, the percentage of fraud (usually it is 5–7%, in some cases 17–20%) is erroneously defined, and the “party” begins. Everyone stops their work and tries to find out why we have so much fraud.
Unfortunately, finding anomalies is not enough, even if it is a good process. Finding anomalies, reviewing the number of orders, finding a pattern, linking issues, and explaining why they are fraudulent is a different job. On top of this, fraud prevention requires manual work most of the time, and it becomes boring for business analysts. They lose motivation and are ready to switch to another project. Finding a pattern is not the end of the story; the hardest part is to make a decision and say: yes, it is fraud, and we have to block these accounts and refund the money to prevent more losses.
Additionally, it's important to note that while business analysts typically rotate between departments, focusing solely on fraud allows for a deeper understanding of emerging trends and potential risks. With fraud, there are no established manuals or descriptions outlining how to identify it, so it requires sustained focus and expertise. Waiting three months to uncover fraudulent activity while calculating EBITDA can prove challenging without this specialized knowledge.
TL;DR point 3:
Business Analysts can make excellent Fraud Analysts but the skills needed for the roles are very different.
Not every analyst wants to find fraud, review orders, and review conspiracy theories.
Fraud Analysts can’t be rotated as you’ll have a risk of missing trends.
It's much easier to detect issues and solve problems when equipped with the proper tools. For instance, identifying suspicious orders, analyzing historical data, and recognizing current trends can be done swiftly through SQL queries (or Python, R, etc.). Conversely, manually comparing multiple Excel files or examining orders individually and recording them in a text document can be a time-consuming process that may result in outdated information by the time the task is complete.
If you intend to employ a fraud specialist without SQL expertise, it may make sense under specific circumstances, such as: outsourcing work to an external provider whose primary focus is reviewing individual orders, having a dedicated analytical resource to provide full support, or employing junior specialists to assist a skilled individual who understands how to work with databases. While Python or R may offer additional options for data analysis and pattern recognition, my view is that SQL suffices. Nonetheless, some companies, including large ones, still require expertise in Excel, and SQL is viewed as an added advantage.
TL;DR point 4:
Without SQL, Python, or other tools that allow you to work with big data, you can work through a maximum of 50 orders per day. SQL is a must-have.
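The “Invite friends” pattern and the SQL-first workflow described above, as an added example that is not from the original post: one SQL query, run from Python against an in-memory SQLite database filled with constructed data. The table and column names, the `norm_email` helper, and the `min_linked` threshold are assumptions made for illustration.

```python
import sqlite3

def norm_email(email):
    """Lower-case and drop a '+tag' so alias addresses collapse to one mailbox."""
    if not email:
        return None
    local, _, domain = email.lower().partition("@")
    return local.split("+", 1)[0] + "@" + domain

# Per referrer: invited accounts, how many reuse the referrer's email or phone,
# and how many never placed an order after sign-up.
QUERY = """
SELECT * FROM (
  SELECT r.id AS referrer_id,
         COUNT(*) AS referred,
         SUM(norm_email(n.email) = norm_email(r.email) OR n.phone = r.phone) AS linked,
         SUM(NOT EXISTS (SELECT 1 FROM orders o WHERE o.account_id = n.id)) AS never_active
  FROM accounts n JOIN accounts r ON r.id = n.referrer_id
  GROUP BY r.id)
WHERE linked >= :min_linked
ORDER BY linked DESC
"""

def build_db():
    """In-memory database with constructed sample data (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("norm_email", 1, norm_email)
    conn.executescript("""
        CREATE TABLE accounts (id INTEGER PRIMARY KEY, email TEXT, phone TEXT, referrer_id INTEGER);
        CREATE TABLE orders (id INTEGER PRIMARY KEY, account_id INTEGER);
    """)
    rows = [(1, "main@example.com", "+15550001", None),
            (2, "alice@example.com", "+15550002", None)]
    # 20 "new" accounts invited by account 1: email aliases, half on the same phone
    rows += [(10 + i, f"Main+{i}@example.com",
              "+15550001" if i % 2 else f"+1555{1000 + i}", 1) for i in range(20)]
    # 3 genuine friends invited by account 2, two of whom went on to order
    rows += [(40 + i, f"friend{i}@example.net", f"+1555{2000 + i}", 2) for i in range(3)]
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)", rows)
    conn.executemany("INSERT INTO orders VALUES (?, ?)", [(1, 1), (2, 2), (3, 40), (4, 41)])
    return conn

def find_referral_rings(conn, min_linked=5):
    """Return (referrer_id, referred, linked, never_active) rows at or above the threshold."""
    return conn.execute(QUERY, {"min_linked": min_linked}).fetchall()

if __name__ == "__main__":
    for row in find_referral_rings(build_db()):
        print(row)
```

A growth dashboard would count 23 new customers here; the query shows that 20 of them trace back to one mailbox and never ordered anything.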
The information above is based on my experience and situations that I have encountered in different companies.