Dec
14
2012

The difficulty in finding “average” fraud rates

While it is a common question or discussion topic, the concept of an “average fraud rate” is an elusive one. Here are several reasons why.

Natural fraud rate versus production fraud rate

The natural fraud rate is the number of fraudulent attempts divided by overall attempts in a given period. Many businesses don’t know their natural fraud rate, simply because in order to measure it accurately, you need to let every single customer pass authentication regardless of fraud risk. However, who wants to sacrifice their bottom line for the empirical purity? So the question becomes, “If I stop a transaction due to fraud risk, how do I really know if that was fraud versus a legitimate customer that I have turned away?

What most businesses can and do see, however, is their production fraud rate — that is, the fraud rate of approved customers after using some fraud prevention strategy. If your fraud model offers any detection value at all, then your production fraud rate will be somewhat lower than your natural fraud rate. Since everyone has their own specific fraud-prevention strategies in practice, any attempts at finding an “average” are muddied.

How do you count frauds?

You can count frauds in terms of dollar loss or raw units. A dollar-based approach might be more appropriate when estimating the return on investment of your overall authentication strategy. A unit-based approach might be more appropriate when considering the impact on victimized consumers and the subsequent impact on your brand. If using the unit-based approach, you can count frauds in terms of raw transactions or unique consumers. If one fraudster is able to get through your risk management strategy by coming through the system five times, then the consumer-based fraud rate might be more appropriate. In this example, a transaction-based fraud rate would over-represent this fraudster by a factor of five. Any fraud models based solely on transactional fraud data would thus be biased toward the fraudsters who game the system through repeat usage. Clearly, then, how you quantify your fraud impacts how you measure it. Therefore, another sticking point for determining the “average fraud rate” is based on what makes up the numerator and the denominator.

Different industries. Different populations. Different uses.

Experian’s fraud-risk and authentication tools are used by companies from a wide variety of industries. Would you expect the fraud rate of a utility company to be comparable to that of a money wire service? What about online lending versus deposit account opening? Furthermore, different companies use different fraud prevention strategies with different risk buckets within their own portfolios. One company might put every customer at account opening through a knowledge based authentication (KBA) session, while another might only ask the riskier customers out-of-wallet questions. Some companies use authentication tools in the middle of the Customer Life Cycle, while others employ fraud-detection strategies at account opening only. All of these components further complicate the notion of an “average fraud rate.”

Different levels of authentication strength

Even if you have two companies from the same industry, with the same customer base, the same fraudsters, the same natural fraud rate, counting fraud the same way, using the same basic authentication strategies, they still might have vastly different fraud rates. Let’s say Company A has a KBA strategy configured to give them a 95 percent pass rate, while Company B is set up to get a 70 percent pass rate. All else being equal, we would expect Company A to have a higher fraud rate, by virtue of having a less stringent fraud prevention strategy. If you lower the bar, you’ll definitely have fewer false positives, but you’ll also have more frauds getting through (false negatives). An “average fraud rate” is therefore highly dependent on the specific configuration of your fraud prevention tools.

Natural instability of fraud behavior

Fraud behavior can be volatile. For openers, one fraudster seldom equals one fraud attempt. Fraudsters often use the same techniques to defraud multiple consumers and companies, sometimes generating multiple transactions for each. You might have hundreds of fraud attempts from the same fraudster. Whatever the true ratio of fraud attempts to fraudsters is, you can be confident that your total number of frauds is unlikely to be representative of an equal number of unique fraudsters. What this means is that the fraud behavior is even more volatile than your general consumer behavior, including general fraud trends such as seasonality. This volatility, in and of itself, correlates to a greater degree of variance in fraud rates.

The value of feedback

One of the best tactics you can take to better understand your fraud rate, and more importantly, to win against those that would commit fraud against you, is to close the feedback loop on the outcome — what was fraud and what wasn’t. As a client, one easy way to realize more value from the services and products you employ is to share that — confidentially of course — with the product analysts who know them best and can provide invaluable analysis and recommendations on optimum settings to ensure you protect yourself.

Conclusion

For the reasons described here, claims of an industry average fraud rate should be considered very subjective, and any claims of an authoritative average should be taken with a grain of salt. At the very least, fraud rates are a volatile thing with a great deal of variance from one case to the next. It is much more important to know your average fraud rate, than the average fraud rate.


  1. No comments yet.

  1. No trackbacks yet.