How to Build Smarter Rules for Online Fraud Detection

The world remains on high alert after last week’s ransomware attacks around the globe. But the real and dangerous threat of a digital attack shouldn’t come as a surprise to any company: U.S. businesses and government agencies experienced a record 1,093 data breaches in 2016, up 40 percent year over year.

Retailers have not been immune. Nearly one in three retailers have already suffered revenue losses as a result of a cyberattack, and retail organizations perceive targeted attacks as the greatest risk facing their businesses. However, only 52 percent of retail organizations consider their security infrastructure up-to-date and upgraded with the best technology tools (below other industries at 59 percent), and only 61 percent strongly agree that they are able to maintain full compliance with payment card industry (PCI) security standards.

Fraud has become an increasingly costly problem for retailers, and it appears to be worsening. Every dollar of fraud now costs merchants $2.40 (compared to $2.23 the previous year). Additionally, the volume of fraud is continuing to rise: from a monthly average of 156 to 206 successful fraudulent transactions, and from 177 to 236 prevented fraudulent transactions.

Fraudsters Continue to Find Gaps in the Digital Retail Marketplace

While the EMV security innovations are working for Point-of-Sale (POS) transactions where the physical card is present, the chip technology is essentially ineffective in a digital retail marketplace. And, fraudsters are taking advantage. Online retailers are averaging 39 fraud attacks for every 1,000 web transactions.

The retail industry must continue enhancing security features, in particular for online sales. IP Intelligence and geolocation solutions rank in the top five of all tools merchants can use.

There are several suppliers and systems available that can determine where an IP is and, for a small investment, can provide that location―but is it the right one? Determining the correct location of an IP address and discovering other critical fraud-prevention data, such as proxies, requires advanced infrastructure analysis, as opposed to simply “scraping” internet registries or repackaging publicly available free data.

Invest in Smarter Rules

Building smarter rules around fraud detection and automating the process is proven to increase detection rates, reduce false positives and improve the shopping experience. IP Intelligence and geolocation technology can be used to automatically block suspect traffic, request verification (via email or SMS), or flag suspect activity for further internal review.

Geography is only part of the fraud-detection landscape. Smart merchants take IP geolocation further than just location, by using advanced intelligence parameters to identify proxies, VPNs, anonymisers, Tor, mobile devices, ISPs, domains and hosting centers.

What Rules Should Be Employed?

Check IP Address for Country of Origin

A company trading internationally will often block common high-risk fraud countries such as Nigeria, India, Pakistan and Russia. Additionally, if a user is known to reside in a specific country, access to an account from another country could be deemed suspect. A basic “registry scraped” system will not be able to accurately determine the location of a user. Also, free IP data cannot identify if visitors are masking the country they are accessing the internet from (via a proxy or anonymiser), allowing potentially fraudulent activity to take place.

Domain Names

Reviews of known fraud domains and risky internet locations, such as public Wi-Fi hotspots, internet cafes and universities/colleges, should be regularly conducted.

Bill-to/Ship-to IP Address Locations

If the bill-to/ship-to IP addresses do not match, an automated red flag can be passed for further review, or the account holder could be asked for verification via an email or text.


Understanding the type of proxy a visitor is connecting to the internet with, such as anonymous, transparent, corporate, public, education or AOL, can trigger fraud alerts. Responses can vary depending on the type of proxy: for example, an anonymous proxy may warrant a higher fraud score than a corporate one. Connections that obscure the end-user location, or that seek to portray a connection from an “acceptable” city or country, can now be easily identified and categorized.


End-user traffic should generally not be seen from hosting or data centers as these types of facilities are designed for traffic to pass through, not originate from. Some cloud browsers do use these centers, but services are patchy and not widely developed. Reviewing these with other CRM data is highly recommended before order acceptance is confirmed.

Home, Business and ISP

Additional layers of intelligence can be added that identify whether a connection is a home or business as well as which ISP is being used. The data can be used to build profiles of previous connectivity to assess differences or anomalies over time.
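The rules above can be combined into a single score that drives the block, verify or review responses. The following is an added example, not code from the article or from any vendor: the `IpIntel` fields, weights, thresholds and the country-level reading of the bill-to/ship-to check are all assumptions, and `"ZZ"` in the test data is a placeholder country code.

```python
from dataclasses import dataclass

# Constructed weights and thresholds (assumptions; tune against your own fraud data).
PROXY_WEIGHTS = {"anonymous": 50, "public": 30, "transparent": 20,
                 "education": 15, "aol": 10, "corporate": 5}
BLOCK_AT, VERIFY_AT, REVIEW_AT = 80, 50, 25

@dataclass
class IpIntel:
    """Result of a hypothetical IP intelligence lookup for one address."""
    country: str              # country code of the IP's location
    proxy_type: str = ""      # "" when no proxy is detected
    is_hosting: bool = False  # address belongs to a hosting or data center
    domain: str = ""

@dataclass
class Order:
    account_country: str
    bill_to_country: str
    ship_to_country: str
    ip: IpIntel

def score_order(order, blocked_countries=frozenset(), risky_domains=frozenset()):
    """Apply each rule independently; return (score, reasons) for audit."""
    ip, hits = order.ip, []
    if ip.country in blocked_countries:
        hits.append((BLOCK_AT, "ip_country_blocked"))
    if ip.country != order.account_country:
        hits.append((25, "ip_country_differs_from_account"))
    if ip.country not in (order.bill_to_country, order.ship_to_country):
        hits.append((20, "ip_country_not_bill_to_or_ship_to"))
    if ip.proxy_type:  # unknown proxy types get a middle weight
        hits.append((PROXY_WEIGHTS.get(ip.proxy_type, 30), "proxy:" + ip.proxy_type))
    if ip.is_hosting:
        hits.append((30, "hosting_or_data_center"))
    if ip.domain in risky_domains:
        hits.append((25, "risky_domain"))
    return sum(p for p, _ in hits), [r for _, r in hits]

def decide(score):
    """Map a score to an action: block, verify (email/SMS), review, accept."""
    if score >= BLOCK_AT:
        return "block"
    if score >= VERIFY_AT:
        return "verify"
    return "review" if score >= REVIEW_AT else "accept"

if __name__ == "__main__":
    # Constructed sample: US account, order placed through an anonymous proxy in DE.
    sample = Order("US", "US", "US", IpIntel("DE", proxy_type="anonymous"))
    score, reasons = score_order(sample)
    print(decide(score), score, reasons)
```

Returning the reason list alongside the score lets a reviewer see which rule fired, which is what makes false positives tunable.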

When Should Rules Be Used?

The critical points of any authentication or payments system are sign-up, login, purchase, and funds deposit or withdrawal.

Ideally, you should continually check the IP address at every stage of the purchase process to ensure the session has not been hijacked.

There needs to be more awareness and understanding about the value of investing in a multi-layered approach for fraud mitigation. Findings show that the right multi-layered approach can justify upfront costs of the solution investment as greater accuracy yields more positive results on a retailer’s bottom line.
