5 Fraud Prevention Tips for SMBs

written by

Tonya Boyer

March 21, 2024

If you’re a small ecommerce business owner looking to expand your fraud prevention footprint, you’re not alone. According to the MRC’s 2023 Global Payments and Fraud Report, small to mid-size businesses (SMBs) doubled their fraud prevention spending from 2022 to 2023.

Year-over-year tracking shows that increased spending on fraud prevention correlates to decreased fraud indicators for these businesses. As fraud activity becomes more difficult on these platforms, bad actors are likely to migrate to other similar platforms – meaning those SMBs which do not improve their fraud prevention measures will likely be exposed to increased fraud attacks.

The fraud landscape for SMBs runs parallel to the fraud landscape for larger corporations, but the rate at which various fraud attacks happen may differ based on the size of the business. For example, the MRC report mentioned above puts card testing as the fraud attack type experienced second-most often for SMBs (after phishing, which is the most commonly experienced attack across the board), followed by first party fraud, refund abuse, and finally identity theft (which we generally call new account fraud). Conversely, new account fraud is experienced more frequently by larger businesses.

Regardless of attack rate, each of these fraud attack types could be a significant threat to SMBs, and – unlike many large corporations – SMBs may not have significant experience building or expanding a fraud prevention program. To help get you started, we’ve put together our top five fraud prevention tips specifically for SMBs.

As a small business, it may be difficult to determine exactly what data you’re collecting from your customers. But it’s hugely important that you dive in and find out the specifics – not just for fraud prevention purposes, but also because data privacy laws such as the EU’s GDPR require you to tell customers exactly what data you’re collecting from them and how you process and store that data. But even if your business team is on top of all that, they may not be thinking about how data collection can impact your fraud prevention team’s fight against bad actors.

The first step in getting to know your data will probably include having members of your fraud team collaborate with members of your business team to review what’s being collected. The next step is determining what isn’t being collected but should be in order to maximize your fraud team’s effectiveness.

Luckily, your fraud team doesn’t need as much data as you probably think – an experienced fraud analyst can determine fraud based off only a few data attributes – and those are usually things you’d already be asking for in order to process the transaction, such as email, payment information, and a billing address.

Geolocation indicators can also be a huge asset to a fraud prevention team, and this may or may not be something your business team is already collecting. Many business teams have location-specific policies that would require them to collect data of this kind.

Another thing your business team may not currently be collecting (but could work with your fraud team to implement) is device fingerprinting. Many large corporations develop fingerprinting capabilities in-house, but as a small business, it may be more practical to buy an off-the-shelf service. Aside from strategically budgeting to add these types of capabilities, there should be no customer impact as this data is passively collected and won’t add friction to your customer’s checkout process.

The other side of the data coin is determining business data (as opposed to customer data). How much is your business spending? How much is your business earning? How much is your business losing to fraud? These are the big questions you need to be able to answer before you can set strategic goals.

Fraud loss in particular can be calculated in a variety of ways. For example:

  • How much does your business lose on the cost of goods on fraud sales?
  • How much does your business lose on the cost of services rendered for digital products?
  • How much does your business lose in revenue from fraud purchases (e.g. what would your business have made in profits if the purchases had been legitimate)?
  • How much are fraud chargebacks and refunds costing your business?

Other data related to fraud prevention should also be tracked:

  • Percentage of orders approved by your fraud prevention system.
  • Percentage of orders rejected by your fraud prevention system.
  • Percentage of orders approved by your fraud prevention system that turned out to be fraudulent.
    • You can track this using chargebacks data or subsequent rejections for that customer.
  • Percentage of orders rejected by your fraud prevention system that turned out to be legitimate.
    • You can track this using reactivation metrics – usually generated by customer appeals and re-review.

If your fraud prevention system consists of multiple parts, you can track the above metrics for each part. Some examples could include:

  • Percentage of orders sent to your manual human intelligence team by your automated fraud prevention model (if the model cannot make a clear decision without human intervention).
    • Percentage of these orders that are approved; percentage that are rejected.
  • Percentage of orders approved by your automated fraud prevention model but determined to be fraud and subsequently rejected by your human team.
  • Percentage of orders rejected by your automated fraud prevention model but determined to be legitimate by your human team.
  • Percentage of orders approved by your human team that are later determined to be fraudulent.
  • Percentage of orders rejected by your human team that are later determined to be legitimate.
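The tracking described above can be computed directly from order records. The following is an added example, not part of the original article: the record layout, the sample orders, and the choice of denominators (error rates taken over each stage's own approvals or rejections) are assumptions.

```python
# Constructed sample orders; the field layout is an assumption for this example:
# (order_id, model_decision, human_decision, fraud_chargeback, reactivated_on_appeal)
# model_decision "review" means the model escalated the order to the human team.
ORDERS = [
    (1, "approve", None, False, False),
    (2, "approve", None, False, False),
    (3, "approve", None, True, False),
    (4, "approve", None, False, False),
    (5, "reject", None, False, False),
    (6, "reject", None, False, True),
    (7, "review", "approve", False, False),
    (8, "review", "approve", True, False),
    (9, "review", "reject", False, False),
    (10, "review", "reject", False, True),
]

def pct(part, whole):
    """Percentage rounded to one decimal; 0.0 when the denominator is empty."""
    return round(100.0 * part / whole, 1) if whole else 0.0

def stage_kpis(rows):
    """KPIs for one stage. rows: (decision, chargeback, reactivated) tuples.

    Assumed denominators: error rates are taken over that stage's own
    approvals (missed fraud) or rejections (false rejections).
    """
    approved = [r for r in rows if r[0] == "approve"]
    rejected = [r for r in rows if r[0] == "reject"]
    return {
        "approved_pct": pct(len(approved), len(rows)),
        "rejected_pct": pct(len(rejected), len(rows)),
        "approved_but_fraud_pct": pct(sum(r[1] for r in approved), len(approved)),
        "rejected_but_legit_pct": pct(sum(r[2] for r in rejected), len(rejected)),
    }

def fraud_kpis(orders):
    """Overall, model-only and human-team KPIs plus the escalation rate."""
    overall = [(h if m == "review" else m, cb, ra) for _, m, h, cb, ra in orders]
    model = [(m, cb, ra) for _, m, _, cb, ra in orders if m != "review"]
    human = [(h, cb, ra) for _, m, h, cb, ra in orders if m == "review"]
    return {
        "overall": stage_kpis(overall),
        "model": stage_kpis(model),
        "human": stage_kpis(human),
        "sent_to_review_pct": pct(len(human), len(orders)),
    }

if __name__ == "__main__":
    for name, value in fraud_kpis(ORDERS).items():
        print(name, value)
```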

Tracking this type of data is step one; these will make up your Key Performance Indicators (KPIs). Step two is setting goals, which could make use of the Objectives and Key Results (OKR) framework. Your business team may already be setting business OKRs related to sales and marketing, but if there are no existing fraud prevention OKRs, you’ll need to work on setting them.

Your OKRs should be strategic. One way to determine what’s reasonable is to review industry-wide norms. The MRC report referenced earlier shows that ecommerce SMBs lost 2.7% of their revenue to fraud loss in 2023, with a domestic fraud rate of 2.3% and an international fraud rate of 2.7%, and a fraud chargeback rate of 2.4%. This could be a starting point for your OKRs.

A huge factor in successfully handling your fraud problem is selecting the right tools for the job. According to the MRC’s report, SMBs are most likely to use credit card verification services and identity verification services. One major example of a credit card verification service is the Address Verification Service (AVS), which verifies that the address the customer used during a purchase is consistent with what their bank has on file for that card. Card providers such as Mastercard also frequently offer services that check account status, address, and CVV, among other things.

Customer Verification for Fraud Prevention

Identity verification services are focused more on the customer than the payment method, with the end goal of verifying that the customer is who they say they are. This type of service can come in handy not just for linking payment and contact methods back to the name the customer supplied at the time of purchase, but also for evaluating background information about the customer in cases where certain products are aimed at particular demographics.

For example, if your product or service is aimed at young business professionals, your fraud prevention team can use identity verification to determine if a customer falls into that category; if they do not (if they are, for example, retired or do not work in the business sector), this may be one indication that their credit card information has been compromised or their identity stolen to purchase the product in question.

Other tools can also be useful. For example, link analysis tools can be highly effective when used to make connections between customer accounts. This may help your fraud team reveal purchase patterns across accounts that may have otherwise gone undetected. An experienced fraud team will be skilled at identifying account setup patterns, purchase history anomalies, and geolocation inconsistencies between unrelated accounts purchased within the same time frame (what we call fraud sweeping), but link analysis will also allow them to find these patterns in related accounts (those using the same phone number or same payment instrument, for example).
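The related-account linking described above (same phone number or same payment instrument) can be sketched as follows. This is an added example, not part of the original article or any vendor's tool: the account fields, the tokenized card values, and the sample data are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample accounts; field names and values are assumptions.
ACCOUNTS = [
    {"id": "A1", "phone": "555-0101", "card": "tok_aaa"},
    {"id": "A2", "phone": "555-0102", "card": "tok_aaa"},  # shares card with A1
    {"id": "A3", "phone": "555-0102", "card": "tok_bbb"},  # shares phone with A2
    {"id": "A4", "phone": "555-0199", "card": "tok_ccc"},  # unlinked
    {"id": "A5", "phone": None, "card": "tok_ddd"},
    {"id": "A6", "phone": None, "card": "tok_ddd"},  # shares card with A5
]

def link_clusters(accounts, keys=("phone", "card")):
    """Group accounts connected, directly or transitively, by a shared attribute."""
    parent = {a["id"]: a["id"] for a in accounts}

    def find(x):
        # Union-find root lookup with path halving.
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    first_seen = {}  # (attribute, value) -> first account id with that value
    for a in accounts:
        for k in keys:
            v = a.get(k)
            if v is None:  # missing values must never link accounts
                continue
            if (k, v) in first_seen:
                parent[find(a["id"])] = find(first_seen[(k, v)])
            else:
                first_seen[(k, v)] = a["id"]

    groups = defaultdict(list)
    for a in accounts:
        groups[find(a["id"])].append(a["id"])
    # Only clusters of two or more accounts are worth an analyst's time.
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

if __name__ == "__main__":
    print(link_clusters(ACCOUNTS))
```

A1 and A3 share no attribute directly; they end up in the same cluster only through A2, which is the kind of connection that is hard to spot when reviewing accounts one at a time.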

The best part about all these tools is that (even though larger corporations may choose to do so) you don’t need to build them in-house. Many fraud prevention tools can be purchased either individually or as a package set from verification companies. This evens the playing field, allowing smaller companies to make use of these tools for fraud prevention without having to dedicate the budget and staffing for creating a DIY in-house option.

For very small businesses, fraud prevention can be handled entirely manually. At the higher end of the SMB umbrella (which goes up to $1 billion in annual revenue), however, some automation may be required to keep pace with incoming orders. As with most of the services mentioned above, fraud prevention automation can be purchased as an off-the-shelf service, meaning you won’t have to hire data scientists and build a whole automation in-house.

Of course, not just any automation will work – you need something that’s fast, accurate, and will integrate seamlessly into your existing checkout process. And then there are the add-ons; many fraud automation services now also offer at least some of the options we’ve talked about above, including device fingerprinting, geolocation tracking, address and account verification, and link analysis.

Putting all these suggestions together into a comprehensive and successful fraud prevention system is no easy task. There’s a lot to keep track of, a lot to evaluate and assess. Which tools do you actually need to keep fraud from taking over your platform? Which automated system out of the tens or hundreds on the market is the best fit for your business? What plan of action do you need to take in order to reach your strategic OKRs?

And then we come to the big question – who is going to be running your fraud prevention system? Even the best automated system requires human intervention to keep it from going off the rails and to keep it updated on the latest fraud attacks. Your model will need to be trained, supervised, and adjusted. The best way to accomplish this is to have a human fraud team – a human intelligence team – monitoring the situation in real time.

Fraud Prevention Human Intelligence Team

SMBs commonly try to cut corners by making fraud prevention part of an existing team’s responsibilities, but this practice only ensures that fraud prevention is rushed or squeezed between other duties. As a business that cares about preventing fraud – and fraud loss – you need a team dedicated solely to fraud prevention. And as a small business, your most cost-effective option is to hire an outsourced fraud team.

But it has to be the right outsourced fraud team. Hiring a team with little experience may save dollars in the short term, but will leave your business exposed to continuing fraud loss and an inability to reach your strategic goals. A far better option is to hire an experienced team that can guide your business through the process of expanding fraud prevention operations and keeping pace with other small businesses as they do the same.

IP Services has over 20 years of fraud prevention experience, helping businesses like yours prevent fraud loss on their platforms. If you’d like to schedule a consultation with our skilled fraud prevention experts, you can reach out to us here.


    Tonya Boyer

    Tonya has been with IP Services since 2014. After several years serving as a Subject Matter Expert in the cloud computing space, she began managing the Fraud Protection team in 2017. She believes in creating a happy, casual but professional workspace where everyone can live their best lives while doing good work. She is dedicated to community outreach and helps coordinate the IPS Connects volunteer and donation committee.