Every day I read about data breaches, identity theft rings, malware, and other security risks that impact individuals and businesses alike. For individuals in the identity verification and fraud prevention industries it is easy to become paranoid. The reality is that it is impossible to completely eliminate the risk of fraud; the good news is that you (probably) don’t have to.
Most of these articles are missing key context, namely the nature of fraud itself. Fraud is a business, and while fraudulent operations may not follow the same set of rules as legitimate (legal) businesses, the goal is still to make a greater profit more efficiently. This context can help determine which threats are most likely to impact your business.
Additional layers of fraud prevention will certainly decrease the likelihood of fraud, but too many layers of fraud prevention can keep your products and services out of the hands of legitimate customers. Consider the value of what is at risk, within the context described above. If a fraudster has little to gain from a particular activity, then a couple of layers of fraud prevention may suffice. (Note: When evaluating value, don’t forget that data is of high value to fraudsters who can either sell the data or use the data for more advanced fraudulent activity.) Also consider the value your customers receive, as they are more likely to be accepting of additional steps being required where the perceived value to the customer is greater.
Some experts have advised that all a company has to do is be more secure than comparable targets to drive fraudsters away. I wouldn’t suggest that such advice is always true, but it does provide a good starting point for businesses that are looking to dive deeper in their fraud prevention efforts. If fraudsters can profit more efficiently elsewhere, they usually will.