It seems that at least once a year, there is a major data breach somewhere and the identities of millions of Americans end up in the hands of the wrong people.
Equifax was the most recent example, but the problem is so prevalent that the average consumer may as well assume that if they have a card, somebody who shouldn’t has the number. This has forced businesses to assume the role of gatekeeper, and to keep a watchful eye for fraud and identity theft.
While it is usually difficult or impossible to know for certain whether a person is committing fraud, there are some steps you can take to minimize the risk of fraud to your business.
Fraudsters often operate from foreign IP and physical addresses. Whether the fraudster routes through proxies or is actually in another country, turning away foreign signups can be one way to reduce the volume of fraudulent signups. Most small to medium-sized businesses can only support local businesses or operate on a national level at best. If you do not do business overseas, there is no reason to accommodate these foreign inquiries.
If your services or products are offered internationally, or you are expanding into that market, make sure to dedicate resources to fraud prevention. Doing so will save you and your potential customers a headache.
Amateur fraudsters or bots may operate from a dedicated server. When taking online signups, make sure to enable IP logging. If you are getting an unusual number of signups all from the same IP, and you’ve verified there isn’t a good reason for that (say – it’s an apartment complex where you do a lot of business), then block the IP. Keeping a phone number on your website and having agents on hand to take those calls will give you an avenue for dealing with false positives.
Note that the above two methods will not work against somebody smart enough to route through multiple proxies and register from local IPs, but there are methods for handling that as well.
There are some email ‘hosts’ that provide disposable email accounts to use for signing up for services. These hosts ask for minimal information and use pre-generated user names, and so are popular among spammers. If you are signing up a new user and they’re using a suspicious e-mail address, flag the account and investigate the host. If the host looks suspicious or advertises that their intent is to provide anonymous emails, then further steps must be taken to verify the customer’s identity.
While some potential customers use these services out of a genuine desire for privacy or to avoid being spammed, others may be using it to commit fraud.
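The per-IP signup volume check and the disposable-email flag described above can be run over a signup log. This is an added example, not code from the original article; the log layout, the threshold of three signups per hour, the allowlist and the `throwaway.example` domain are assumptions, and every sample record is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: (timestamp, source IP, email). IPs come from
# documentation ranges and every domain is a placeholder.
SIGNUPS = [
    ("2024-01-05T10:00:00", "203.0.113.7", "a1@example.com"),
    ("2024-01-05T10:02:00", "203.0.113.7", "a2@example.com"),
    ("2024-01-05T10:03:00", "203.0.113.7", "a3@example.com"),
    ("2024-01-05T10:04:00", "203.0.113.7", "a4@example.com"),
    ("2024-01-05T11:00:00", "198.51.100.20", "t1@example.org"),
    ("2024-01-05T11:10:00", "198.51.100.20", "t2@example.org"),
    ("2024-01-05T11:20:00", "198.51.100.20", "t3@example.org"),
    ("2024-01-05T11:30:00", "198.51.100.20", "t4@example.org"),
    ("2024-01-02T09:00:00", "192.0.2.44", "u1@example.net"),
    ("2024-01-03T09:00:00", "192.0.2.44", "u2@example.net"),
    ("2024-01-04T09:00:00", "192.0.2.44", "u3@example.net"),
    ("2024-01-05T09:00:00", "192.0.2.44", "x9k2@throwaway.example"),
]
ALLOW_IPS = {"198.51.100.20"}              # assumed: verified apartment complex
DISPOSABLE_DOMAINS = {"throwaway.example"}  # assumed: hosts you investigated

def review_signups(signups, max_per_ip=3, window=timedelta(hours=1),
                   allow_ips=ALLOW_IPS, disposable=DISPOSABLE_DOMAINS):
    """Return (IPs to consider blocking, emails to flag for follow-up)."""
    by_ip, flagged = defaultdict(list), []
    for ts, ip, email in signups:
        by_ip[ip].append(datetime.fromisoformat(ts))
        if email.rsplit("@", 1)[-1].lower() in disposable:
            flagged.append(email)       # flag for review, do not auto-reject
    block = set()
    for ip, times in by_ip.items():
        if ip in allow_ips:
            continue                    # known-good source of volume
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1              # slide window past stale signups
            if end - start + 1 > max_per_ip:
                block.add(ip)           # burst exceeds threshold
                break
    return block, flagged

if __name__ == "__main__":
    print(review_signups(SIGNUPS))
```

The third address has as many signups as the first but spread over four days, so the sliding window leaves it alone; only the burst from a non-allowlisted IP is returned as a block candidate.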
Every signup should include some method of identity verification. This is especially effective against automated attempts at fraud. Mobile phone verification is the most secure method available and involves sending a code to a person’s mobile number. Failing that, email verification is another option – while less secure, it is by far the most common method of identity verification and one your potential customers are most likely to expect.
CognitoHQ and other companies specialise in finding tighter, more secure methods of ensuring that people signing up are who they say they are. Always make sure your verification methods are up to date to prevent fraudsters from finding ways around your systems.
When All Else Fails: Trust Your Gut.
It is not always possible to detect a fraudulent signup before it is too late. However, if an account seems odd but checks all the boxes, do not leave it alone. Flag the account for additional follow-up and research. While it can be highly inconvenient for a customer to go through additional security steps, they will appreciate a company looking out for their identity. If the customer is, in fact, an identity thief, then the owner of that identity will appreciate you finding and stopping a criminal.
While it’s understandable that not every fraudulent signup will be detected, taking additional steps will improve consumer confidence in your business and minimize lost revenue that can result from fraud.