#19 - How to stop losing sleep over potential fraud disasters
Do you ever lie in bed, trying to fall asleep, but can’t help feeling anxious?
Do you ever wake up at night worrying you’ll wake up in the morning with $20mm in fraud chargebacks?
It seems silly, right? There’s no reason for you to feel this stress.
You know it’s not rational, and yet, you just can’t stop obsessing over it. I myself have lost many hours of sleep over such irrational fears.
It has been a few years since I had PnL responsibilities, but I recently spoke to a CEO who asked me about this exact scenario.
And it triggered me.
Here’s the thing:
Managing fraud is not only about performance and KPIs. Sometimes it can be about managing our emotions and – more importantly – our fears.
Today I want to share what I do to help me sleep better at night (quite literally), without worrying about that “worst-case scenario”.
Did you guess it already? Yes, today we’re going to speak about safety net rules.
Safety net rules are not there to stop fraud
Ever been to the circus and watched a daring acrobat balance on a tightrope?
That’s you, trying to balance growth, experience, unit economics, and compliance.
But what’s beneath the rope, where the spotlights don’t shine?
A safety net.
Just in case.
And this is what I implement as well: safety net rules. I’m not expecting to use them, but they are there. And I feel much better knowing they are there.
The point of safety net rules is not to stop fraud, but to protect you from the worst-case scenario. That’s an important distinction.
Practically speaking, the best way to set up safety net rules is to use velocity counters with high thresholds.
How high? We’ll get there in a minute.
But the idea is to use every counter you have available (per account, per user, per device, per card, and so on), preferably both by count of events and by amount, and set a safety-net threshold for each one.
The purpose is simple: we want to make sure that single fraud attacks cannot scale to epic, business-threatening proportions.
Therefore, using velocity counters to limit specific accounts, users, or devices is a good practice.
How is that different from “normal” velocity checks, you might ask.
Normal velocity checks aim to manage fraud according to your target KPIs.
They are likely to fire daily.
Safety net rules aim to make sure large attacks don’t turn disastrous.
They are likely to fire once a year at most. Preferably never.
Setting up your thresholds
How do I configure a rule that will stop disastrous fraud attacks yet will likely never fire?
Sounds a bit contradictory, right?
It’s actually quite simple.
We start where we always start: by looking at our data.
Here’s the thing though: you are not searching for past disastrous attacks. The fact you’re still in business means you likely never experienced any.
Instead, we measure the highest velocity our user base has ever exhibited: for each counter, and over the same time window the counter uses, the largest count and the largest amount any single key (account, device, etc.) has ever reached. Before you anchor on that peak, check that it came from legitimate traffic and not from a known fraud case or an internal test account.
Found it? Good, now set the threshold for your safety net rules slightly above it.
Lastly, make sure you repeat this exercise with every single velocity check you have available.
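Here is the exercise above carried through in code. This is an added example, not code from the newsletter: the transaction history and the attack batch are constructed, the 24-hour window and the 20% margin are assumptions, and the two counters (account and device) stand in for whichever counters you actually have. It derives one safety-net threshold pair (count, amount) per counter from the historical peak, then applies every counter to every transaction with no exclusions, which is exactly what lets the device counter catch a burst that stays under every account-level limit.

```python
"""Safety-net velocity rules: thresholds derived from the highest velocity
the user base has ever shown, then applied to every event with no exclusions.
Added example with constructed data; not the newsletter author's code."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    ts: datetime
    account: str
    device: str
    amount: int  # whole currency units, so the arithmetic stays exact


# The counters you have available; here account and device (assumption).
COUNTERS = {"account": lambda t: t.account, "device": lambda t: t.device}
WINDOW = timedelta(hours=24)  # assumed counter window

T0 = datetime(2024, 3, 1)


def at(hours, minutes=0):
    return T0 + timedelta(hours=hours, minutes=minutes)


# Constructed history: normal traffic, no known attacks.
HISTORY = [
    Txn(at(0), "u1", "d1", 100), Txn(at(2), "u1", "d1", 150), Txn(at(4), "u1", "d1", 200),
    Txn(at(6), "u1", "d1", 250), Txn(at(8), "u1", "d1", 300),
    Txn(at(0), "u2", "d2", 400), Txn(at(30), "u2", "d2", 500), Txn(at(60), "u2", "d2", 600),
    Txn(at(31), "u3", "d2", 700), Txn(at(32), "u3", "d2", 800),
]


def peak_velocity(txns, key_fn, window=WINDOW):
    """For each key, the largest count and amount seen in any sliding window."""
    by_key = defaultdict(list)
    for t in txns:
        by_key[key_fn(t)].append(t)
    peaks = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda t: t.ts)
        start = count = amount = best_count = best_amount = 0
        for t in evs:
            count += 1
            amount += t.amount
            while t.ts - evs[start].ts > window:  # evict events older than the window
                count -= 1
                amount -= evs[start].amount
                start += 1
            best_count = max(best_count, count)
            best_amount = max(best_amount, amount)
        peaks[key] = (best_count, best_amount)
    return peaks


def safety_threshold(peak, margin_pct=20):
    """Slightly above the historical peak: +margin_pct rounded up, never below peak + 1."""
    return max(peak + 1, (peak * (100 + margin_pct) + 99) // 100)


def derive_thresholds(history, counters=COUNTERS, margin_pct=20):
    """One (count, amount) threshold pair per counter, from the highest velocity any key exhibited."""
    thresholds = {}
    for name, key_fn in counters.items():
        peaks = peak_velocity(history, key_fn).values()
        max_count = max(c for c, _ in peaks)
        max_amount = max(a for _, a in peaks)
        thresholds[name] = (safety_threshold(max_count, margin_pct),
                            safety_threshold(max_amount, margin_pct))
    return thresholds


def check_safety_nets(txns, thresholds, counters=COUNTERS):
    """Apply every counter to every transaction: no fast lanes, no excluded flows.
    Returns (counter, key, metric, observed, limit) breaches; an empty list is
    the expected daily result."""
    breaches = []
    for name, key_fn in counters.items():
        count_limit, amount_limit = thresholds[name]
        for key, (count, amount) in peak_velocity(txns, key_fn).items():
            if count > count_limit:
                breaches.append((name, key, "count", count, count_limit))
            if amount > amount_limit:
                breaches.append((name, key, "amount", amount, amount_limit))
    return breaches


# Constructed attack batch: one device cycling through fresh accounts, each
# account staying well under any account-level limit.
ATTACK = [Txn(at(72, 10 * i), f"u{7 + i // 2}", "d9", 150) for i in range(8)]

if __name__ == "__main__":
    limits = derive_thresholds(HISTORY)
    print("safety-net thresholds:", limits)
    print("history:", check_safety_nets(HISTORY, limits))
    print("attack: ", check_safety_nets(ATTACK, limits))
```

On the constructed history the account and device peaks are 5 events and 1,500 and 2,000 units respectively, so the derived limits are 6 events and 1,800 per account and 6 events and 2,400 per device; the history itself never breaches them, while the attack batch trips only the device count (8 against a limit of 6). Note that `check_safety_nets` takes no allow list and no flow filter: that is the point of a safety net.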
You might be thinking: but I already set thresholds for all my velocity checks, and they are lower. How would these new thresholds change anything?
Wouldn’t these attacks get stopped way earlier by my “normal” velocity rules?
Well, normal velocity rules are usually not that straightforward, especially if you want them to perform well.
You might set different thresholds for different populations. You might entirely exclude some cases/flows. You might even have “fast lane” exclusions that would admit your “approve list” users or control group population through.
The point is this: high performance requires complexity, and complexity creates vulnerabilities.
We want to make sure there’s no way that fraudsters can find a loophole and exploit it.
These things happen more than you’d like to know. I myself have seen millions of dollars go down the drain because an analyst forgot to turn back on a small rule they’d tinkered with.
These are the scenarios you want to be prepared for.
When you can’t trust your data
The limitations of the above approach are very evident: you need to have a (relevant) dataset you trust.
But what if you’re launching a new product? What if you’re expanding into new territories? What if you’re planning on a major overhaul of your fraud system?
You would be right to hesitate to use your past data to infer what future behavior might look like.
In that case, here are the steps I would recommend to follow:
First, set up your entire system of safety velocity checks with very high thresholds. How high? The lowest figure you can think of that you’d bet $1,000 won’t trigger in the next 12 months.
Second, when you set up your monitoring system (you are setting one up, right?), make sure to include a view on your safety net rules as well. For the first month you want to watch it daily to make sure it didn’t trigger.
Third, after a month you should already see some patterns in terms of user behavior. Ask yourself: should I adjust my thresholds? It is more likely you’ll need to adjust them upwards (to eliminate false positives) than downwards.
From there, you’ll be able to switch to weekly and then monthly reviews of your safety net checks. After 12 months, you should feel quite confident with the thresholds you’ve put in place.
The critical part here is the second step. A robust view of your system will allow you to keep tabs on it without spending too much effort or attention.
Side note: Keep in mind, this isn’t a prescription for how to manage fraud in a high-uncertainty environment. This is how you set up safety net rules for it.
The value of a good night’s sleep
It can be difficult, preparing for the eventuality that we’ll fail at our mission to keep our business safe.
I get it.
But a good strategy is one that has accounted for all scenarios – especially the worst-case one.
If you’re a bit like me, knowing that you are prepared for it means you’ll likely sleep better at night.
And sometimes all it takes are a few lines of code that will never get executed.
If that’s not a good enough ROI, I don’t know what is.
Have questions or feedback? Reply to this email, I read all messages.
In the meantime, that’s all for this week.
See you next Saturday.
P.S. If you feel like you're running out of time and need some expert advice with getting your fraud strategy on track, here's how I can help you:
Fraud Strategy "Power Call" - Book a consultation call with me to get clear, actionable recommendations that fit your budget. Guaranteed.
Book a Call Now >>
Fraud Strategy Workshop - are you an early-stage Fintech that needs to move fast and with confidence? Book this 1.5-hour workshop to get instant insight into your vulnerabilities and optimization opportunities, and get clear, actionable recommendations that won't burn through your budget.
Book Your Workshop Now >>
Fraud Strategy Transformation Program - are you a growth-stage Fintech in need of performance optimization or expansion of your product offering? Sign up to this 6-8 week program, culminating in a tailor-made, high-ROI roadmap that will unlock world-class performance.
Schedule a Call Now >>
Enjoyed this and want to read more? Sign up to my newsletter to get fresh, practical insights weekly!