Silver Tail Blog

Fighting against business logic abuse.

The ROI of prevention vs. policy

Most websites and e-commerce businesses understand that there is an element to their transactions that involves professional fraud.  I’m not talking about the people who forget that they signed up for an online service and therefore do a chargeback on their credit card for their subscription.  Instead I’m talking about the criminal element that understands how to take advantage of a website for financial gain.

There are several ways to make money on websites.  For example, if the website represents a financial institution, you could steal the password for someone’s account and try to move the money to your own account (or the account of a trusted partner).  If the website sells goods you could steal someone’s password and send yourself “gifts” (which you would likely later sell).  Or you could buy a stolen credit card, open a new account and send things to yourself, knowing that it is unlikely that the site would detect that they will not be paid for the goods until after they have arrived at your door.

By accepting that some part of their business is going to be fraudulent, many of these websites create policies for how to handle the fraud once it is reported and clean up the incidents after they occur.  That's a simple enough formula.

What if you could change the game, though?  What if you could detect the fraud as it is occurring and either prevent it from happening or take action quickly enough that your incurred losses are significantly reduced?  It seems like a no-brainer.  Most websites would say “Of course I’d want to change my model such that I could prevent the fraudulent event from happening.”  Moving from this ideal to the reality can be tricky, though.

The major complication is that it can be difficult to justify the cost of implementing a new system.  In a hypothetical case, say there is already a system in place that costs $20k/month to deal with the fraud and absorb the fraud losses, and a prevention system will cost $200k to install and $4k/month to use.  Because the prevention system is so expensive, it can be difficult to justify spending money on it.  This is misleading for two reasons. First, as the bad guys are essentially “allowed” to perpetrate fraud (because the website does not try to prevent fraud but only tries to find it after the fact), the fraud will continue to grow and the website will become known as an easy target. Second, it’s important to consider the long-term implications for the company.  A prevention system will significantly decrease the fraud losses experienced by the website. Customers will also have many fewer negative experiences that they associate with the website and its brand, so it is likely that the website will see improved customer loyalty and trust, which often equates to more active customers and, therefore, a higher bottom line.  In the end, all of this can add up to a much higher return than focusing on cleaning up the damage after it has been done.

January 15, 2009 Posted by Laura Mather | Cost of fraud, Fraud, Online Fraud, Prevention