Rip and roar so you can soar

Maximizing ROI on Identity Theft Prevention: Metrics for Success

The biggest challenge when improving your cybersecurity lies in finding a perfect balance between overinvesting and underinvesting. Like any other feature on your plate, you need to invest time, money, and effort to solve the problem of identity theft prevention.

If you invest enough of it, you can quickly minimize the risk, but this is not the only task on your to-do list. So, instead of solving this issue by over-committing, what you want to do is maximize the ROI.

This means you want to be as efficient with your methods as possible. Here’s how you can maximize ROI on identity theft prevention. Here are which metrics you should track for success.  

Three Major Fraud Types

In the online world, there are three major fraud types:

  • Account takeover
  • Synthetic fraud
  • Friendly fraud

Each represents an entirely different threat level and needs to be addressed accordingly.

Account Takeover

When a malicious third party gets a password and an access code to a customer’s account, they have an easy job using it for malicious purposes. Fortunately, account takeovers are also the simplest of the three.

First of all, the account will be accessed from a different device. So, if the device is not recognized, you can send a code to their phone or alternative email (2FA is the key here).

Second, you can track suspicious activity. This is slightly odd if they’re doing something they’ve never done before, like drastically increasing their order value for items in the category they’ve never browsed before.

The most relevant KPIs when it comes to reducing account takeovers are:

  • Account takeover rate: While this is often on the user, your brand can affect how hard it is to take over accounts on your platform. Some require minimal password strength, requesting a mandatory 2FA, and remembering the device. You can drastically reduce the account takeover rate by implementing and monitoring these.
  • Account recovery success rate: When the account takeover is reported (and proven), how quickly and successfully can you act?
  • False positive rate: Not every report is authentic. Sometimes, people just make a misclick or forget that they’ve changed their password.
  • Average time to detect rate: Time is of the essence. So, how long did it take the user to notice something was wrong? After all, your platform must warn them. How effective/accurate are you when it comes to this?

You can already make a massive leap forward by paying attention to these four rates.

Synthetic Fraud

Synthetic fraud is the most problematic of the three, mainly because there’s no “real” customer to react to. This happens when a hacker uses parts of accurate information (like an actual credit card number or SSN) to register an account and combines it with a lot of fake info (so that you can’t trace the original person whose data they’ve stolen).

You can learn much about this complex issue in SEON’s guide to synthetic identity fraud.

The primary way to combat this is to make your registration process more complex. Sadly, this drives away some customers. This is why you should incentivize registering but not insist on it. Ensure the incentive is good enough for those who try to register to stick to the end.

The KPIs to monitor here are:

  • Synthetic identity application rate: Some platforms attract more synthetic identities. They either have a lower detection rate or a higher appeal (for some reason). Learning where you stand on this scale is so important.
  • Average time to detect synthetic fraud: This is completely up to you and your system. How ironclad are your preventive measures, and how hard will it be to detect a problem?
  • Synthetic fraud losses: How much money did your customers lose due to synthetic frauds? How much money did your company have to compensate, and how many fees did you pay? This will show you (in numbers) just how serious of a problem you have on hand.
  • Rate of synthetic fraud account takeovers: There’s usually a certain degree of success when synthetic identities take over real accounts. It’s in your best interest to keep these as low as possible.

By tracking and understanding these metrics, you’ll understand how exposed you are to identity theft threats. You’ll also get a general idea of what to improve upon.

Friendly Fraud

The most problematic thing about friendly fraud is that no one’s identity was stolen. Your customer is deliberately scamming you. To make matters worse, they’re pretending that they’re the ones getting scammed. They’ll complain that:

Image3
  • It’s not what they’ve ordered.
  • They weren’t the ones to order it.
  • The item is not as promised.
  • They never got the item, or it was damaged in transit.

The real reason may be that they’re trying to scam you or that they’ve changed their mind because you forgot to update your prices.

This is problematic because there’s a chance that some of these concerns/complaints are genuine. This is why examining the habits and behaviors of your buyers, as well as accurate profiling, are so important.

This matters from the perspective of identity theft prevention because it often puts you off track. After all, someone has placed an order. You never know if it’s a friendly fraud with 100% certainty. So, if they weren’t the ones to place it, could it be an instance of an unsuccessful account takeover?

The KPIs to track here are:

  • Chargeback rate: This is the big one because it shows how much money you’re losing on chargeback. Sure, it won’t always be due to friendly fraud, but if it’s much higher, chances are that you are more commonly exposed to friendly frauds than before.
  • Dispute resolution success rate: This is how you combat friendly fraud. You dispute a chargeback that you believe is unjust.
  • Repeat offender rate: This is also big because it shows that the perpetrators aren’t discouraged enough.
  • Refund request rate: This one is problematic because it ties into so many different aspects of your logistical chain.  

You can never be certain about friendly fraud, but you must try.

Cost of Remediation

One of the biggest KPIs, and the most important to track when talking about the actual KPI, is the cost of remediation. What does this mean? When you slip up and your user’s identity gets compromised, you’ll have to fix the issue. You can do this in several ways:

  • Investigation costs
  • Legal fees
  • Reimbursement to the affected customer

Ideally, you want the number of these instances to go lower and the total cost to decrease. While no one wants their customers to be put in this kind of danger, let’s not pretend that there’s any form of altruism as a primary motive.

Other ways in which you can help your users recover is with the help of credit monitoring and identity restoration services. This is expensive, but it may save you a fortune in the long run.

While customer reimbursement is the one that sounds the scariest, the truth is that, depending on the circumstances, it may even end up being the preferred outcome. After all, it’s just an outright payment that settles the issue for good.

Image1

The thing is that reputational costs may be a bit harder to handle. The same goes for operational impact because a massive breach may immobilize your entire organization.

False Positive Rate

We’ve already warned you about the fact that people make mistakes. We’ve also stated that some genuine activities may seem like friendly fraud. A false positive rate is a situation where a legitimate activity is flagged as fraudulent for one reason or another. The error may lay in your system or be due to a mistake made by a customer.

Aside from preventing scenarios where you bother your customers for no reason, this also shows how good your prevention system is at noticing problems/difficulties.

Just remember that there’s also a bit of survivorship bias here. After all, you’re working with the alerts you’ve actually gotten in time (or alerts you’ve gotten). You do not know how many fraudulent activities flew under your radar.

The key things you reveal this way are:

Keep in mind that with the advancement of modern analytical tools, AI, and machine learning, these systems will become more and more dependable.

You Can’t Know How Close You are to Your Goals Without Measuring Your Current Performance

Identity theft hurts you and your customers, so investing in prevention will save you money. You just need to understand which KPIs to track to see how well you’re currently doing and figure out what’s there to be done to improve things. By focusing on each major type of identity fraud, remediation cost, and false positive rate, you’ll already make a great leap forward.

Veteran content writer, published author, and amateur boxer. Srdjan has a Bachelor of Arts in English Language and literature and is passionate about technology, pop culture, and self-improvement. His free time he spends reading, watching movies, and playing Super Mario Bros. with his son.

Jeremy Edwards
Jeremy Edwards
On Chain Analysis Data Engineer. Lives in sunny Perth, Australia. Investing and writing about Crypto since 2014.

Related Articles

Popular Articles