Nobody Gives A Damn About Fraud Until It's Too Late

An exploration into the art of not getting robbed.

Anti-fraud is a niche B2B industry somewhere between payments and cybersecurity. It's a lot of fun while being kinda creepy, and as far as mission statements go "helping people not get robbed" is a pretty good one.

With that said, you generally encounter two kinds of potential clients:

  1. Someone with a shopping list who needs to tick off some expensive boxes for compliance reasons
  2. Someone with a look on their face as if they are in deep shit

The first one is easy to explain. If you deal with online commerce, you have to comply with regulations. Some niches have more than others: say, mandatory ID checks for Know Your Customer procedures, or Anti-Money Laundering processes that need to be in place. There's an entire industry of "regtech" providers that you pay, plug in, and your worries (for the most part) go away, at a non-trivial cost.

The second type is the one who just found out what "only for the most part" means, because they just got robbed. Their boss is angry and they have an ASAP project to complete because they might still be bleeding money. They look like someone who's been having a bad day for a couple of weeks now.

Funnily enough, the two types of buyers can be the same person at a given company with a time difference. As Patrick McKenzie explained, the optimal amount of fraud is non-zero. Once you have your anti-fraud stack together, you throw up a bunch of KPIs and fraud becomes part of your operating expenses. As long as it's not terrible, most businesses will be fine for months or years.

But. Online ventures don't operate in a static world, and one of the lesser-known moving parts of eCommerce is the vast cybercriminal ecosystem: it's everywhere, vacuuming up stolen card numbers and identities, building exploits and developing methods to rob businesses, constantly innovating against deployed defences. They also work like lions hunting prey: they'll target an industry that seems lucrative (fintechs or marketplaces) and start picking off the slow movers. Once they've found a weak link, they'll scale their attack, which turns your "not terrible" fraud problem into a potential business-breaking one.

It's not just that they're going to eat your margins. It's that they can get you kicked off card processing altogether, or burn a hole in your budget so big you could bury departments in it.

And when that happens, that's when the first person becomes the second person. Frustratingly enough, this is by design. If your task is to keep fraud at an acceptable level, then part of that is also optimizing your anti-fraud stack: don't overshoot what you spend on it, and be reasonably prepared for attacks that you expect to happen.

There are fancy charts for this too, built on what's called the Hand Rule (after Judge Learned Hand's 1947 negligence ruling): a precaution is worth taking when its burden B is less than the probability P of the loss times the size L of that loss, i.e. B < P × L. The chart plots the cost of more protection against the expected loss it prevents, and the sweet spot is where the two lines cross.

What this means in day-to-day terms is that any new investment in security needs some sort of a justification beyond just "this tool looks fun and we want to try it out". Getting robbed is a pretty good justification and an excellent project motivator.

That's the fun part about cybersecurity. It's not just businesses who innovate, but criminals as well, so everybody has to invest constantly to keep the thing called the Internet together. And fraud innovation is pretty astonishing. If you look at ad fraud, for example, the whole thing looks as sophisticated as online payments itself. You can read / listen to more about that on MQL.fm, where Augustine Fou did an excellent rundown.

In most mature industries, fraud is a "mostly solved" problem in the sense that everybody knows what kind of threats they are facing, and shit only hits the fan if there is some sort of breakthrough innovation / attack. The most vulnerable, then, are startups in growth stages: they already have some sort of product-market fit, money is moving in (and out), growth targets are insane, and fraud is the least of their worries. But you can bet the price of a small car that once your marketing campaigns launch, you won't just be grabbing the attention of potential customers, but of cybercriminals as well.

(Coincidentally, they also happen to be the segment most underserved by legacy anti-fraud providers. If everyone's gunning for enterprise customers, a growth-stage startup that's basically an SME will have tears in their eyes once they get their price quotes.)

What can I say? It's a cruel world out there. Fraudsters also routinely monitor Product Hunt for new stuff they can abuse, which can be painful for an indie developer or a small shop who have no idea what hit them.

Based on that, you'd think the solution would simply be to think ahead, and to be conservative and over-protective early on rather than waiting for that bad day to happen. Unfortunately, people without anti-fraud experience tend to be pretty bad at assessing risk correctly, and if you're in move-fast-and-break-things mode, nobody really wants to get bogged down speculating on edge cases of what can go wrong. While I personally endorse "what can go wrong" thinking, as it comes with the territory, it should also come with some napkin math: what the chances are of this happening, what the potential fallout will be, and what it would cost us to mitigate it. In other words, we're back at the Hand Rule.
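Here is that napkin math as a small added Python model. It is not code from the original post: scenarios carry a probability P and a loss L, items on the anti-fraud shopping list carry a yearly cost B and an assumed fraction of the expected loss they remove, and the Hand Rule decides which items pay for themselves. Every scenario, control, price and probability below is constructed for illustration; the thing to look at is how the same shopping list fares depending on which scenarios you admit into your model.

```python
"""Napkin math for the Hand Rule (B < P * L) applied to an anti-fraud budget.

Added example, not code from the original post. All scenarios, controls and
numbers below are constructed for illustration; the point is the comparison,
not the figures themselves.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One way of getting robbed: P (chance per year) and L (loss if it happens)."""
    name: str
    probability: float
    loss: float


@dataclass(frozen=True)
class Control:
    """One item on the shopping list: B (yearly cost) and the fraction of the
    remaining expected loss it is assumed to remove (between 0 and 1)."""
    name: str
    annual_cost: float
    loss_reduction: float


def expected_loss(scenarios):
    """Sum of P * L over every scenario you believe in."""
    return sum(s.probability * s.loss for s in scenarios)


def passes_hand_rule(control, residual_loss):
    """Learned Hand's test: take the precaution when B < P * L. Here P * L is
    whatever expected loss is still on the table after earlier purchases."""
    return control.annual_cost < control.loss_reduction * residual_loss


def pick_controls(controls, scenarios):
    """Buy controls in order of loss removed per unit of cost, skipping each one
    that no longer pays for itself. Returns (chosen names, residual expected loss).
    Reductions are applied to the residual, so two 50% controls leave 25%."""
    residual = expected_loss(scenarios)
    chosen = []
    for c in sorted(controls, key=lambda c: c.loss_reduction / c.annual_cost, reverse=True):
        if passes_hand_rule(c, residual):
            chosen.append(c.name)
            residual -= c.loss_reduction * residual
    return chosen, residual


# Constructed scenarios. "background" is the fraud you live with as opex; the
# other two are what happens once a crew has decided you are the slow mover.
BACKGROUND = Scenario("background card fraud", probability=1.0, loss=20_000)
TARGETED = Scenario("scaled attack after a weak link is found", probability=0.15, loss=400_000)
TERMINATED = Scenario("dropped by the card processor", probability=0.02, loss=2_000_000)

QUIET_YEAR = [BACKGROUND]                              # how the first kind of buyer models risk
BAD_DAY_IN_MODEL = [BACKGROUND, TARGETED, TERMINATED]  # what the second kind has just learned

# Constructed shopping list with made-up prices and effectiveness.
SHOPPING_LIST = [
    Control("velocity rules", annual_cost=5_000, loss_reduction=0.30),
    Control("device fingerprinting", annual_cost=30_000, loss_reduction=0.50),
    Control("manual review team", annual_cost=80_000, loss_reduction=0.60),
]


if __name__ == "__main__":
    for label, scenarios in (("quiet year", QUIET_YEAR), ("bad day in the model", BAD_DAY_IN_MODEL)):
        chosen, residual = pick_controls(SHOPPING_LIST, scenarios)
        print(f"{label}: expected loss {expected_loss(scenarios):,.0f}, "
              f"buy {chosen or 'nothing'}, residual {residual:,.0f}")
```

With only the background scenario in the model, the rule justifies the cheap velocity rules and nothing else; device fingerprinting fails because it would remove less expected loss than it costs. Add the "we got targeted" and "processor drops us" scenarios and the same fingerprinting line item passes comfortably, while the review team still does not. The shopping list never changed; what changed is which bad days the person doing the math was willing to believe in, which is exactly the difference between the two buyers above.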

Nonetheless, having people early on who understand these kinds of risks, or members of the team who keep an eye on the shadier parts of the internet, will always be an asset. It's the best insurance policy you can have for when that Really Bad Day inevitably comes, because at least you'll have an inkling of what to do about it. Remember: that bad day is really an incentive (otherwise known as a budget allocation) for a shopping list that you either have at hand or will need to assemble quickly while the ceiling is collapsing.

So if the incentives are aligned in such a way that the business will inevitably get hurt, thinking in advance can at least save you a headache, for very little cost.