Guest Post: Dane Jorgensen has been selling products online since 1999. He is currently involved with BgBng EMS (Enterprise Management Solution), which helps Advertisers get their online campaigns running faster. BgBng EMS provides fraud detection, traffic channeling, digital product authentication, subscription management, affiliate tracking, a/b testing, integration with physical product fulfillment & customer service in one simple hosted application. Contact BgBng EMS: sales at bgbng dot com, 800-305-8481.
Let me start with this: there is no silver bullet for fraud. Many fraud-fighting techniques can produce false positives. A false positive means that the transaction is not fraud, but your detection technique tells you that it is. A few examples are provided below. By employing just a few of these simple checks, you can substantially cut down on fraud. Unfortunately, many fraud panel discussions I have attended or listened to can discuss the “why,” but can rarely pinpoint the “how.” Here are a few techniques that can help you get the jump on finding and eliminating fraud.
1. Proxy Detection
An IP address is what identifies devices (computers, smartphones, iPads) on the Internet. Since many IP addresses are dynamic (can change), an IP address is not a foolproof way to identify Customers. Another reason it is not a reliable source is that it can be spoofed or faked. Proxy detection is a technique you can use to determine whether an IP address is trustworthy or not. A proxy server is a server that acts as a “middle man” for internet requests. There are many great uses for proxies, but they can also be used maliciously. A proxy can be used to remain anonymous behind someone else’s server. A hacker in Nigeria could use a proxy in California and make it appear as if they are placing an order from California. There are many great services you can use to check whether an IP address is a proxy or not, such as MaxMind. MaxMind will return a score, calculated with their own formula, and whether they think the IP address is fraudulent or not.
If you are a more technical person, you could have a program request port 80 (a common web port) from the IP address placing the order. If the IP address in question answers on port 80 with an accepting response, you know that IP address accepts incoming internet requests and may be able to forward them on, hiding the original visitor’s IP address. If it is a publicly accessible and reputable proxy server, the proxy server will usually return headers that describe whether it is a proxy server or not. There are many services that check and provide proxy addresses for use. More information on proxy servers can be found on Wikipedia.
False positive example: Customers do not always have a static IP
Some cable providers/ISPs (Internet Service Providers) randomly assign you an IP address when you log on to the internet. User 1 logs on, receives IP address 22.214.171.124, and spams 500k email addresses. The ISP would recognize the spam, and terminate the user. The IP address could be reported to several blacklisting services, like Spamhaus. Unknowingly, User 2 could log on 1 month later, and receive the same IP address 126.96.36.199. When User 2 attempts to purchase Widget A from Advertiser 1, Advertiser 1 could check Spamhaus, see that abuse is coming from that IP address, and decline the order. User 2 would not understand why their order was rejected. Another false positive is that many AOL users will come from proxy servers, as that is how some of AOL’s services work.
2. Transaction Velocity
Transaction velocity describes how many transactions happen in a specific time frame. Depending on your product, it is unlikely that a customer will order your product 5 times in 1 day or 5 times in 1 hour. If they wanted 5, it would be more likely they would place 1 order with a quantity of 5. Make sure you have the ability to limit transactions by credit card, IP address, email address, or another unique factor against a specific time frame. All product re-order time frames can be different, so be conscious of how often someone would realistically order your product. If your product is perishable (can go bad, will be consumed), a customer could come back each month and order a 30-day supply. In this scenario, 1 order every 30 days would be a reasonable velocity. You do not have to set your thresholds at this (once every 30 days), but if you know customers order every 30 days, it is unlikely they will order every day.
Watching transaction velocity can help identify trends in your traffic. Another velocity trend to watch for is a new traffic source that picks up your offer, runs 200 orders at 2:00am, and never sends any more traffic. The velocity (rate) at which the orders come in becomes very important, as 200 orders at 2:00am is not usual. Running an infomercial at 2:00am could produce these results, though, so be conscious of your typical results. Setting reasonable velocity limits will help protect you from this type of fraud.
False positive example: A Customer loves your product
Grandma is watching TV at 9:00pm. She is just blown away by how awesome the Slap Chop is and she wants to order one for each of her 3 Grand-kids. She orders one and puts her personal information as the billing address and Grand-kid 1’s information as the shipping address. With the transaction velocity set to 1 an hour, she will not be able to submit orders for Grand-kid 2 and 3. Grandma will be very sad.
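A sliding-window velocity check of the kind described in this section, as an added example (not code from the original post or from BgBng EMS). The field names, the token values and the choice to return the exceeded fields for review instead of rejecting outright are assumptions made for illustration.

```python
from collections import defaultdict, deque


class VelocityChecker:
    """Sliding-window order count per identifying field (card, IP, email)."""

    def __init__(self, max_orders, window_seconds, fields=("card", "ip", "email")):
        self.max_orders = max_orders
        self.window = window_seconds
        self.fields = fields
        self.seen = defaultdict(deque)  # (field, value) -> recent order timestamps

    def check(self, order):
        """Record the order and return the fields whose limit it exceeds."""
        exceeded = []
        for field in self.fields:
            value = order.get(field)
            if not value:
                continue  # a missing field cannot be rate-limited
            times = self.seen[(field, value.strip().lower())]
            while times and order["ts"] - times[0] >= self.window:
                times.popleft()  # forget orders older than the window
            times.append(order["ts"])
            if len(times) > self.max_orders:
                exceeded.append(field)
        return exceeded


def run_sample():
    # Constructed orders: "ts" is seconds since an arbitrary start; "card" is
    # a payment token, never the card number itself.
    grandma = {"card": "tok_A", "ip": "203.0.113.7", "email": "grandma@example.com"}
    other = {"card": "tok_B", "ip": "198.51.100.9", "email": "buyer@example.com"}
    orders = [
        {"ts": 0, **grandma},      # first order
        {"ts": 600, **grandma},    # second order ten minutes later
        {"ts": 700, **other},      # unrelated customer
        {"ts": 4300, **grandma},   # after the one-hour window has passed
    ]
    checker = VelocityChecker(max_orders=1, window_seconds=3600)
    return [checker.check(o) for o in orders]


if __name__ == "__main__":
    for hit in run_sample():
        print("review: " + ", ".join(hit) if hit else "accept")
```

With the limit set to 1 per hour, the second order from the same card, IP and email is the one that trips the check, which is exactly the Grandma case above; routing it to review keeps the sale recoverable.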
3. Publisher and Sub-publisher tracking
Many (most) Ad Networks will provide a “Pub Id” and “Sub Id” to your offer or website. These are referred to as the Publisher ID and the Sub-Publisher ID. The variables will be passed in the URL to help identify where the traffic is coming from. As an example, if you are selling Widget A, your tracking URL might look like:
From this tracking URL, you would know the Publisher is 1234 and that their traffic source is PPC (Pay Per Click). As you view performance and customer retention reports, make sure your software can distinguish and segment your traffic by these different IDs. It will show up quickly if Publisher 1234 has a 3% refund rate and Publisher 5678 has an 80% refund rate.
Another thing to note with this type of tracking is that Publishers can have different IDs at different Ad Networks. A Publisher in Nigeria (sorry Nigeria, I’m sure you have great traffic, I’ve just never received any of it), could have pub id 1234 at Ad Network 1, and have pub id 5678 at Ad Network 2. By watching your traffic regularly, you can identify similar patterns from different traffic sources. Malicious Publishers will jump from Ad Network to Ad Network attempting to hide themselves and deceive your offer or campaign.
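Segmenting refund rates by Publisher and Sub-publisher, as an added example (not code from the original post). The URL shape, the `pub_id` and `sub_id` parameter names, the thresholds and the order records are constructed assumptions; the 3% and 80% refund rates reuse the figures from the text.

```python
from collections import defaultdict
from urllib.parse import urlparse, parse_qs


def source_of(url):
    """Extract (pub_id, sub_id) from a tracking URL; 'unknown' if absent."""
    query = parse_qs(urlparse(url).query)
    return (query.get("pub_id", ["unknown"])[0],
            query.get("sub_id", ["unknown"])[0])


def refund_rates(orders):
    """Map each (pub_id, sub_id) to (order count, refund rate)."""
    totals = defaultdict(lambda: [0, 0])
    for order in orders:
        counts = totals[source_of(order["landing_url"])]
        counts[0] += 1
        counts[1] += 1 if order["refunded"] else 0
    return {src: (n, refunds / n) for src, (n, refunds) in totals.items()}


def flag_sources(orders, max_rate=0.25, min_orders=20):
    """Sources whose refund rate exceeds max_rate on a meaningful sample."""
    return sorted(src for src, (n, rate) in refund_rates(orders).items()
                  if n >= min_orders and rate > max_rate)


def sample_orders():
    # Constructed data: URL shape and parameter names are assumptions.
    base = "https://shop.example/widget-a?pub_id={}&sub_id={}"

    def batch(pub, sub, total, refunds):
        return [{"landing_url": base.format(pub, sub), "refunded": i < refunds}
                for i in range(total)]

    return (batch("1234", "ppc", 100, 3) + batch("5678", "email", 100, 80)
            + batch("9999", "banner", 2, 1))  # too few orders to judge


if __name__ == "__main__":
    print(refund_rates(sample_orders()))
    print(flag_sources(sample_orders()))
```

The `min_orders` guard keeps a source with two orders and one refund from being flagged at "50%" before there is enough traffic to judge it.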
4. Geo metrics
Geo metrics is a pattern of geometric figures (nerd speak for measuring things), usually referring to geography in fraud detection. Using information the Customer and their computer provide, you can determine whether the Customer meets typical criteria. When a Customer places an order, they will usually provide a shipping address, billing address, and phone number. The Customer’s computer will provide an IP address (assuming it’s not spoofed). With this information, you can:
1). Use geolocation software to find where the Customer’s IP address is located
2). Look up where the area code on the Customer’s phone number is located
3). Look up where their billing zip code (credit card) is located
4). Triangulate (measure) the distance between these 3 points
As you accept more and more orders on your product, you will have a good indication of what the average distance should be. After 500 orders, you may notice that the average distance between billing zip, area code, and IP address is 20 miles. When you get an order with a distance of 500 miles, check it out. You don’t need to reject the order, but have a way to flag it for manual review.
Check the shipping address against the billing address. It is unlikely (but possible) that the billing address and shipping address will be hundreds of miles apart on average. It will happen on a few, but it would not usually happen 100 out of 100 orders.
False positive example: Grandma orders products for her Grand-kids
Jumping back to a previous example, if Grandma lives in California and places Slap Chop orders for her Grand-kids in Washington, New York, and Florida, you will get results outside your typical settings. Again, you don’t have to reject these orders, but have a way to verify them.
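The distance measurement from this section, as an added example (not code from the original post). It assumes the IP, area-code and billing-zip lookups have already been resolved to latitude/longitude pairs; the coordinates, the `factor` multiplier and the rule that unmeasurable orders go to review are constructed assumptions, while the 20-mile baseline is the figure used in the text.

```python
import math
from itertools import combinations

EARTH_RADIUS_MILES = 3958.8


def haversine_miles(a, b):
    """Great-circle distance between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(h))


def spread_miles(points):
    """Mean pairwise distance of the resolved points, or None if under two."""
    known = [p for p in points.values() if p is not None]
    if len(known) < 2:
        return None
    pairs = list(combinations(known, 2))
    return sum(haversine_miles(a, b) for a, b in pairs) / len(pairs)


def decide(points, baseline_miles, factor=5.0):
    """Return 'review' for orders far outside the baseline, never 'reject'."""
    spread = spread_miles(points)
    if spread is None:
        return "review"  # assumption: unmeasurable orders go to a human
    return "review" if spread > baseline_miles * factor else "accept"


# Constructed coordinates; a real system would fill these from its lookups.
LOCAL = {"ip": (38.58, -121.49), "area_code": (38.60, -121.45),
         "billing_zip": (38.55, -121.50)}
DISTANT = {"ip": (40.71, -74.01), "area_code": (38.60, -121.45),
           "billing_zip": (38.58, -121.49)}
UNRESOLVED = {"ip": None, "area_code": None, "billing_zip": (38.58, -121.49)}

if __name__ == "__main__":
    for name, pts in (("local", LOCAL), ("distant", DISTANT),
                      ("unresolved", UNRESOLVED)):
        print(name, spread_miles(pts), decide(pts, baseline_miles=20))
```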
5. The Human Touch
No matter what technology you use to detect fraud, you still need the human touch. Many of these technology checks can be emulated and simulated. You need to manually check the orders regularly to find discrepancies. A person who knows your offer only accepts traffic from the USA would only need to find a proxy in the USA to successfully place an order. When you take hundreds of new orders per day, it is very time-consuming to verify each order. Set a certain percentage of orders to check randomly to help ease the burden. Do follow-up calls to verify billing information is correct. Call the customer with a few basic questions and say, “Hello Customer, we received your order yesterday, and I’m just calling to verify your billing information.” From a simple 30-second phone call, you will be able to tell if the order was real or not. If you get a response like, “I have no idea what you are talking about,” mark the order as fraud and refund the credit card.
Many fraud detection techniques are related to trending and identifying patterns. Establishing acceptable and normal patterns for your campaign (conversions, refunds, cancellations) makes it easier to find items that fall outside typical settings. If your website converts at 10%, but you have a traffic source that converts at 100%, it is worth checking out. None of these techniques are fail-proof by themselves. Get into a regular habit of checking orders and Customers for patterns that fall outside the norm. Every Friday morning, randomly call 10 customers from the last week and verify billing info, or email your Customers and ask what they thought of the product. Contacting a small portion of your Customers will give you a very good indication of your traffic quality. Using a few of these techniques will save you a lot of money and headache by finding fraud today versus finding fraud one or two months down the road (or not finding it at all).
By defining and monitoring your normal campaign patterns, watching for proxies, segmenting your reporting by traffic sources, and regularly checking on your customers, you can quickly cut down and eliminate fraud. Fraud detection takes time and work, but it is definitely worth the effort.