If fraudsters were content to place a single order and then leave the targeted merchant alone, they would be less of a nuisance but much harder to detect. Looking at patterns of how different transactions are related in time can help highlight which orders are riskier than others.
Basic Velocity Check: How Much Money Has This Customer Spent in the Last Day?
The simplest pattern to look for is “How much activity has User X had lately?” Combinations of signals may point broadly to common fraud patterns. For example, conducting three or more transactions in the space of an hour might, for a given business, be something that most fraudsters do but legitimate customers rarely do. Dollars spent, rather than a count of orders placed, can be used as well.
You may also want to track activity by something other than account. Merchants can track how many transactions have come from a single device in a day, for example, or how many orders have been placed with a particular shipping address. Other attributes whose velocity a merchant may want to track include email address, phone number, and credit card number. One attribute that could present too much noise is IP address, since many legitimate users could be coming from the same IP. Another strategy is to combine different attributes to reduce noise, for example by flagging only transactions that share the same device AND email domain.
Advanced Velocity Check: How Many Accounts Have Been Seen on This IP Address in the Last 30 days?
It’s somewhat more technically tricky to track, but another strong signal is “How many unique instances of X have been seen that have Y in common in time period Z?” One example of this might be how many unique accounts have placed orders sharing a single IP address in the last 30 days. There are a few ways to do this programmatically on the front end, and many fraud services do it by default. Again, the key is to find which signals are most closely tied to fraud.
If you can, experiment with different measures of velocity and monitor which most clearly differentiate trustworthy orders from suspicious ones. Some starting points for things to count (and to count by) are:
- User ID / Email / Email domain
- Device Signature
- IP Address
- Browser Cookie
- Shipping Address
- Billing Address
- Payment Method
- Item being purchased (e.g. gift cards)
In general, anything that you would be surprised to find that two users share is a good velocity to look into. If you have a loyalty program or are running a promotion, for instance, you might get a useful signal out of how many different billing zip codes have been seen sharing a loyalty number in the past month.
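The basic and advanced checks described above can be computed over an order log as shown in this added example, which is not from the original article and generalizes to any attribute or combination of attributes. The field names, sample orders, and thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta

def order(ts, account, ip, device, amount):
    return {"ts": datetime.fromisoformat(ts), "account": account, "ip": ip,
            "device": device, "amount": amount}

# Constructed sample data; field names and values are assumptions for illustration.
HISTORY = [
    order("2024-04-01T08:00", "a4", "203.0.113.7", "d4", 10.0),   # older than 30 days
    order("2024-05-01T09:00", "a1", "203.0.113.7", "d1", 40.0),
    order("2024-05-10T12:00", "a2", "203.0.113.7", "d2", 25.0),
    order("2024-05-20T10:05", "a3", "203.0.113.7", "d3", 200.0),
    order("2024-05-20T10:30", "a3", "203.0.113.7", "d3", 200.0),
]
NEW = order("2024-05-20T10:50", "a3", "203.0.113.7", "d3", 150.0)

def related(history, new, attrs, window):
    """Orders (including `new`) that share every attribute in `attrs` with `new`
    and fall inside (new.ts - window, new.ts]. Several attrs = combined key."""
    key = tuple(new.get(a) for a in attrs)
    if None in key:  # never group orders on a missing value
        return []
    return [o for o in history + [new]
            if tuple(o.get(a) for a in attrs) == key
            and new["ts"] - window < o["ts"] <= new["ts"]]

def spend_velocity(history, new, attrs, window):
    """Basic check: (order count, total amount) for the shared attribute(s)."""
    hits = related(history, new, attrs, window)
    return len(hits), sum(o["amount"] for o in hits)

def distinct_velocity(history, new, count_attr, attrs, window):
    """Advanced check: unique values of `count_attr` seen with the shared attribute(s)."""
    return len({o[count_attr] for o in related(history, new, attrs, window)
                if o.get(count_attr) is not None})

def flags(history, new):
    """Thresholds below are illustrative assumptions, to be tuned on real data."""
    out = []
    if spend_velocity(history, new, ("account",), timedelta(hours=1))[0] >= 3:
        out.append("3+ orders on account in 1h")
    if spend_velocity(history, new, ("account",), timedelta(days=1))[1] > 500:
        out.append(">500 spent on account in 1d")
    if distinct_velocity(history, new, "account", ("ip",), timedelta(days=30)) >= 3:
        out.append("3+ accounts on IP in 30d")
    return out

if __name__ == "__main__":
    print(flags(HISTORY, NEW))
```

Passing `("ip", "device")` as `attrs` counts only orders that share both values, which is the noise-reducing combination of attributes described earlier.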