
Account Takeover (ATO)

This is a form of sophisticated fraud in which fraudsters gain access to a legitimate customer’s credentials, usually as a result of a data breach, and use them to order goods. Because the fraudster was able to log in to the eCommerce merchant’s site, these attacks are particularly difficult to detect. ATOs can take many forms, but the most common methods identified by Riskified are Loyalty Fraud and “Mismatched ATO”. For more information on ATO attacks, check out our guide on the topic.

About the Lexicon

Fraud detection is a science, and mastering the subtleties of the field necessitates an intimacy with terms and vocabulary. Whether you’re searching for a third-party fraud solution, evaluating the performance of your in-house team, or just getting acquainted with the ins and outs of CNP fraud, you’re likely encountering industry jargon, which can be difficult to decipher.
With this in mind, we’ve created this lexicon as a guide for merchants, to elucidate some of the most commonly used fraud terminology.

Anomaly Detection (aka Outlier Detection)

This term generally refers to the identification of items, events, or observations which do not conform to an expected pattern or other items in a dataset. In fraud prevention, anomaly detection is used to spot unusual shopping patterns that may indicate fraudulent activity. Riskified automatically analyzes all transactional data cohesively on an ongoing basis to identify fraud ring attacks in real time. Our in-house experts investigate the statistically significant anomalies to determine if they are indicative of a fraud ring attack, fraud bots, or simply reflect an inherent shift in eCommerce trends.

Approval Rate

The approval rate is the percentage of approved transactions out of the total order volume over a given time period. (Riskified measures transaction volume and approval rates in terms of revenue, rather than in terms of transaction count.)

AVS (Address Verification System)

One of the first mechanisms devised by payment processors to verify the identity of credit card holders in CNP transactions. Under this system, the zip code and numerical part of the street address provided by the shopper are compared to the corresponding data on file with the credit card issuer. The results of this comparison can be AVS Match, Partial Match, or Mismatch. Many payment processors encourage retailers to use AVS results as a fraud filter on the gateway level. Since credit cards issued outside of the US, the UK, and Canada do not support AVS, this system cannot be used to verify the cardholder’s identity in most global markets.

AVS Match / Partial Match / Mismatch

An AVS match means that the zip code and numerical street address in the billing address provided by the shopper exactly match those on file with the credit card issuer – supposedly indicating that the shopper is the true owner of the credit card. Partial Match means one of the two provided numbers – either the street number or zip code – matches the number on file with the credit card issuer. A Mismatch means neither of the numbers matches. Though an AVS mismatch is a potential indicator of fraud, many legitimate orders fail AVS screening for non-fraud related reasons. Similarly, a full or partial AVS match does not rule out the possibility of fraud, as AVS data is often sold alongside other stolen credit card information on the dark web.

Behavioral Analytics

This term generally refers to the field of data analysis that measures users’ behavior on web or mobile platforms. Riskified uses this term to refer to analysis conducted on data generated directly from merchants’ eCommerce sites and mobile shopping apps using our Storefront Beacon. A twenty-minute shopping session can contain thousands of data points, and when these browsing patterns are analysed and cross-checked against millions of other shopping sessions, they become an excellent indicator of the order’s fraud risk.

BIN (Bank Identification Number)

The first four to six digits of a credit or debit card. These digits indicate which bank or institution issued the card. For example, if the first six digits of a card are 317207, this means it is an American Express card issued by Delta Skymiles, in the United States.

Bots

Short for software robots, this term is used to describe tools designed to carry out repetitive tasks automatically. Tech-savvy fraudsters may deploy bots to target eCommerce websites by creating fake accounts and placing orders using stolen credit card details. Riskified’s systems detect bot activity through order linking and anomaly detection.

Card Testing / Carding

A practice employed by fraudsters to check that their stolen credit card details are valid, before attempting a big heist. When testing cards, fraudsters tend to place multiple low-value purchases, in an attempt to ‘fly under the radar’ and avoid having the orders flagged by fraud scoring tools. Card testing often takes place on the sites of non-profit organizations. These sites are targeted because giving an online donation does not require a shipping address, and because fraudsters know non-profits are unlikely to have sophisticated fraud detection safeguards in place.

Chargeback

When a customer reports a fraudulent or otherwise unsatisfactory transaction to their credit card issuer, the issuer is legally obligated to refund the charge. The issuer then forwards this cost to the merchant, along with a code and reason for the chargeback. There are various chargeback reasons, including: item not received; item defective; documentation received was invalid or incomplete. Merchants who inadvertently approve fraudulent transactions incur chargebacks when the legitimate cardholder realizes that unauthorized purchases were made with his or her card. When merchants fail to identify fraud attempts and surpass a certain chargeback rate, they not only incur costly losses, but are also penalized by being enrolled in an excessive chargeback program.

Chargeback Guarantee

Pioneered by Riskified, the chargeback guarantee is a business model under which Riskified assumes liability for every approved order in case of fraud. Since Riskified extends its chargeback guarantee to cover all approvals, merchants using Riskified as their fraud management solution no longer have to worry about fraud-related chargebacks. If an order approved by Riskified turns out to be fraudulent, we reimburse the merchant for the entire chargeback amount within 48 hours.

Chargeback Rate

The chargeback rate is the percentage of transactions for which chargebacks were incurred out of the total approved order volume in a given time period. The fraudulent chargeback rate is the percentage of transactions for which fraud-related chargebacks were incurred (Riskified measures the chargeback rate in terms of revenue). These two KPIs are crucial for merchants who wish to avoid being enrolled in a credit card issuer’s excessive chargeback/risk program.  

CNP (Card Not Present) Fraud

A CNP transaction is one where the merchant is unable to physically examine the credit card, usually when a purchase is conducted via digital channels or over the phone. CNP fraud refers to a CNP transaction conducted without the cardholder’s permission. Typically, CNP fraud is perpetrated by criminal elements using stolen credit card details (often acquired on the dark web). Common forms of CNP fraud include account takeover fraud, package rerouting fraud, and friendly fraud (including so-called liar buyers).

Customer Friction

Any merchant activity that slows down or impedes the online sales process. Riskified usually uses this term to refer to fraud prevention measures taken by manual review teams for validation purposes, such as reaching out to customers via SMS, email, or phone. Customer friction may also result from requiring shoppers to take cumbersome steps to verify their identity during checkout, like 3-D Secure.

CVV (Card Verification Value)

This is the 3 or 4 digit number printed on the back side of the credit card. The CVV was intended as a safeguard against CNP fraud – since in theory it ensures the shopper has the physical card in their possession. In practice, however, the CVV is usually sold along with the stolen credit card details on the dark web.

Data Enrichment

Riskified uses this term to refer to the process of supplementing the raw order data collected with additional details that allow our models to accurately assess the order’s validity. Riskified’s system automatically enriches raw order data with information from proprietary in-house databases, as well as with data from third party sources like Email Age, WhitePages.com, and social networks.

Dark Web

The Dark Web is a subset of the Deep Web (Internet content which is not indexed by search engines) that cannot be accessed without specific software or authorization. Although some Dark Web activity is legal, the anonymity it affords makes it a haven for illicit activity. Stolen credit card details sold on the Dark Web include not only the full card number, but also AVS, CVV, and full billing address.

Decline Rate

The decline rate is the percentage of declined transactions out of the total order volume over a given time period. When calculating the decline rate to assess fraud operations performance, merchants should take into account orders rejected due to fraud filters on the gateway level, orders automatically declined by in-house fraud prevention systems, and orders declined by the manual review team.

Disposable Email Account

Many online services allow users to create free email accounts without providing any personal information. These anonymous email accounts can also be easily disabled once they have served their function, hence the moniker “disposable”. Fraudsters often utilize disposable email accounts to avoid associating their personal email accounts with their criminal activity.

Device / Browser Fingerprinting

A device or browser fingerprint is information collected about a remote desktop or mobile device for the purpose of identification. Riskified’s Storefront Beacon generates this information, and our machine learning models then analyze it along with order data to determine whether the transaction is legitimate or fraudulent.

Email ‘Age’

This term refers to how long an email account has existed. The email age is a valuable datapoint when assessing the fraud risk of a CNP order. A recently created email account is much more likely to be associated with fraudulent activity, whereas an order placed with an email created several years ago is a positive indicator of legitimacy. As part of Riskified’s automatic data enrichment process, raw order data is often supplemented with email age information.

EMV (Europay, Mastercard and Visa)

A standard for ‘smart’ cards equipped with computer chips in addition to magnetic stripes, with the aim of authenticating transactions and reducing Point of Sale credit card fraud. Many warned that since EMV makes it more difficult to commit in-store payment fraud, rolling out this technology in the US would drive CNP fraud rates. However, a recent study by Javelin concluded that the recent rise in CNP fraud is not being influenced by the introduction of EMV cards.

Excessive Chargeback/Risk Program

Merchants who surpass a threshold chargeback rate set by credit card issuers are penalized by enrollment into an Excessive Chargeback/Risk Program. The terms of these programs vary between issuers, and depend on the degree and persistence of high chargeback rates, but most penalties include some combination of fines, higher processing fees, and mandatory risk education programs.

Exposed Fraud

Riskified’s term for fraud attempts where the fraudster doesn’t attempt to conceal his or her identity. For example, someone purchasing goods online using billing address details from a stolen credit card, but providing their own shipping address.

False Decline

When a retailer mistakenly rejects an order from a legitimate customer due to suspected fraud. False declines may occur for various reasons, including blacklists, fraud filters (such as AVS), data mismatches, or simply that the retailer has insufficient data to confidently approve the transaction. The majority of false declines can be avoided using a combination of data enrichment and machine learning.

Friendly Fraud

When a customer files a fraud-related chargeback, claiming unauthorized card usage, despite the fact that they actually purchased the item. This can happen for several reasons. It can be the result of an honest mistake, like a child using a credit card to place an order without the parents’ knowledge, or a shopper not recognizing the transaction on their credit card bill. It may be a circumstantial case of chargeback policy abuse which wasn’t premeditated and is unlikely to repeat itself. For instance, a customer books a hotel room for a trip that is subsequently cancelled. The customer reports unauthorized card usage to avoid paying for a booking that he or she did not benefit from. Finally, friendly fraud can occur as part of a deliberate, malicious plan on the customer’s part (aka Liar Buyer).

Fraud Filter

A screening mechanism that rejects orders that fail to meet certain criteria. Fraud filters can be set on the payment gateway level – for example filtering orders with negative AVS match or placed with a card issued in a certain country. Fraud filters can also be applied within the merchant’s fraud prevention system, such as the immediate decline of orders above a certain ticket value placed via a device location in a risky geographic region.

Liar Buyer (form of Friendly Fraud)

Also known as Chargeback Fraud, this is a form of theft where cardholders exploit chargeback reimbursement policies. A customer purchases and receives goods or services, but then claims the purchase was unauthorized or that the item was not received. As a result, the retailer incurs a fraud-related chargeback and the customer is reimbursed by the credit card issuers.

Loyalty Fraud

A form of ATO fraud which can occur when there is store credit or a rewards cash balance saved in a customer’s account, which fraudsters can use to shop immediately. The most common examples of this are frequent flyer miles or hotel loyalty points, where it’s quite possible that a customer has significant value stored in the account. When a fraudster commits loyalty fraud, the merchant is responsible for reimbursing those stolen points, miles or other store credit.

Machine Learning

An advanced artificial intelligence technique which allows computers to refine their behavior (“learn”) without being explicitly programmed. Machine learning-based fraud management solutions have several advantages over rules-based systems. Machine learning models are less rigid than rules, and can continuously self-optimize simply by “learning” based on exposure to new order data. Riskified also leverages feature engineering to enhance the models’ accuracy. Rather than providing our models with only raw order data, we engineer features that encapsulate the knowledge and insights our domain experts have about CNP fraud patterns and about the relation between data points.

Manual Review

A process by which analysts manually review orders for fraud, usually after automated fraud detection systems fail to definitively determine whether or not an order is valid. Rather than relying only on statistics, manual fraud review teams make decisions based on judgement and experience. On top of approval rate and chargeback rate, the effectiveness and efficiency of manual fraud review teams is often measured based on the review turnaround time.

Mismatched ATO

This is the most common ATO pattern that Riskified has identified. In these cases, a fraudster obtains account information, but not the associated credit card details. This attack has a high success rate: many merchants, unaware of the scope of the ATO issue, decide that good login credentials are enough to essentially auto-approve an order. And even when merchants detect something suspicious in one of these orders, they tend to refrain from requesting additional identity verification steps to check the identity of this “loyal” customer.

Negative List (aka Blacklist)

This term refers to records of physical addresses, phone numbers, IP addresses, emails, or credit cards that merchants have identified as being associated with CNP fraud. These records are kept so that new orders containing details that appear on the negative list will be automatically declined. Riskified advises merchants to avoid using negative lists for fraud prevention purposes, as this practice tends to exacerbate the problem of false declines.

Order linking

The practice of cross-checking all data from new transactions against previous orders. Order linking can help prevent fraud, for example, when a new order is placed from a device and IP address from which a fraudulent chargeback was previously incurred. Linking also helps approve orders placed by good customers. For instance, it will allow you to identify legitimate shoppers returning with a different surname (due to marriage), or shipping to a new address. Using order linking, Riskified can help retailers approve orders from first-time shoppers (who previously shopped with other Riskified merchants). It also allows Riskified to easily identify and foil the activity of fraudsters and “liar buyers”.

Package Rerouting

Package rerouting is the practice of changing an item’s delivery address after the purchase has been approved, sometimes after the package has left the warehouse and is already in transit. Many retailers and shippers offer shoppers the option to change the shipping address after placing an order online. Unfortunately, this service can be exploited by fraudsters. A classic package rerouting fraud scheme involves placing an order with stolen credit card information, and providing the shipping address associated with the legitimate card holder in order to “trick” the retailer into approving the purchase. Then, once the order has been approved by the retailer, the fraudster reroutes the package to a different delivery address. This type of fraud can be difficult to prevent, because it requires monitoring shipments for aberrant behavior after the purchase has been approved. Merchants can ask the shipping provider to block the rerouting option. Another option is reassessing the order given the new shipping destination.

PII (Personally Identifiable Information)

This term refers to any information which could potentially be used to identify an individual, such as full name, passport number, and so on. Companies holding PII on their servers must comply with government mandated security regulations to safeguard this sensitive information, and for good reason: PII is a very common target for cyberattacks, since possessing this data allows criminals to commit identity theft, and enables fraudsters to better imitate credit card holders, increasing their chances of successfully executing CNP fraud attacks.

Review Turnaround Time

The time it takes to review an order for fraud and reach a decision as to whether to approve or decline the purchase. High review turnaround times can lead to shipping delays, damaging brand reputation and causing customer dissatisfaction.

Reshipper

Also known as a reshipping service, freight forwarder, or forwarding agent. A reshipper is a service that acts as a physical intermediary, receiving packages from retailers and then shipping the goods to the end customer. Though there are legitimate reasons to use reshippers, they are also heavily utilized by fraudsters in order to conceal the true shipping destination from the retailer.

Safe Approval Rate

Riskified defines this term as the percentage of approved orders for which fraud-related chargebacks were not incurred, over a given time period. For example, a retailer approves 98% of all CNP transactions. Several of the approved orders are actually fraudulent, and the retailer then incurs fraud-related chargebacks for these orders. Therefore, while the retailer’s approval rate is 98%, the safe approval rate is slightly lower, at 96.5%.

Scoring System

In the context of CNP fraud management, a scoring system provides merchants with a ‘risk score’ for every order. Merchants relying on scoring systems often define rules to determine how to handle orders based on their score. For example, orders below a certain score threshold may be automatically approved, orders with a score above a certain threshold may be immediately declined, and orders with intermediary scores may be routed to manual fraud review. Merchants using scoring systems remain liable for fraud – meaning wrong approvals can generate costly chargebacks.

Social Network Footprint

This refers to the trail of publicly available data that social media users inadvertently share when using networks like Facebook, LinkedIn, and Twitter. When possible, Riskified uses the social media footprint to approve orders despite data mismatches, and avoid false declines. This data can also be used as compelling evidence of friendly fraud or liar buyer when disputing a fraud-related chargeback.

Whitelist

This term refers to records of physical addresses, phone numbers, IP addresses, emails, or credit cards that merchants have identified as being associated with legitimate customers. Merchants may choose to automatically approve orders containing whitelisted data as a way to reduce review turnaround times. The downside of relying on positive lists is that, if details of a previously “whitelisted” credit card are stolen and used by a fraudster, the merchant will immediately approve the order, without reviewing it for fraud.

3-D Secure

A customer identity validation protocol designed by credit card issuers in an effort to prevent CNP fraud. To complete a purchase, shoppers are required to enter a code provided by their card issuer. Using 3-D Secure shifts fraud liability to the credit card issuer. However, this high-friction measure has been linked to high drop-off rates in key global markets such as the US, China, and Brazil.