Some of my worst days with Sifter were centered around dealing with fraud and spam. In almost all cases, these are reactive situations. That is, you get hit by fraud or spam, and you have to drop what you’re doing to deal with it. The good news is that these things usually don’t affect you until you’re big enough to deal with them. The bad news is that they’ll inevitably hit you.
Fortunately, you’re not the first person to ever have to deal with it, and there are some great tools and advice available addressing how to handle it. Don’t over-optimize in an attempt to prevent and avoid it entirely, but take some basic precautions to mitigate it. Spam and fraud are two sides of the same coin. Luckily, some tactics go a long way to alleviating both.
Anecdote: Fraudulent Transactions at Sifter
Before we dive into specifics, let’s discuss what Sifter experienced and how I responded. A couple of years into working on Sifter, I looked over our merchant transactions and noticed a large run of failed transactions. After digging deeper, I discovered that someone was using our credit card form to validate stolen credit card numbers. As it turns out, this is incredibly common and almost a rite of passage for SaaS applications.
Having never dealt with something like this before, I wasn’t quite sure how to handle it. I wanted to put a stop to this behavior, but I didn’t want to introduce any problems for our customers. I went through quite a few iterations of playing cat and mouse with the fraudster. Over the course of a couple of weeks, I slowly locked it down more and more to try to stop the transactions.
Eventually, I thought I’d finally done enough. But then I received an email notification indicating otherwise (while I was at a close friend’s wedding, no less). And then ten more attempts. I could have sat down, pulled out my laptop and gone to work, but I didn’t. Instead, I started to mull over our remaining options, believing I had no choice but to make life more inconvenient for our customers.
I’m not sure why I didn’t try this sooner, but I finally began requiring the credit card validation code in addition to the postal code. (Up until that point, we had only required postal code for validation.) Fortunately, that was the last of it. Since then, I’ve chatted with a few other founders who’ve also had difficulties with this. It’s not a pervasive problem, but it’s worth noting that it could happen–so be ready for it.
In hindsight, I probably devoted too much time to the problem: we lost about $200 in credit card transaction fees for the card validation, but it consumed almost all my attention for two weeks. Reflecting on the fact that it didn’t affect our customers and only cost us $200, I realize I let this problem bother me way too much. Fraud happens. Take care of it, but don’t let it distract you from your overall mission like I did.
Enough about my experience, let’s look at how to handle it. Be ready to react, but don’t overreact. If you get too aggressive, you’re going to affect your legitimate customers, and frequently the true consequences of the fraud or spam aren’t that significant. Also, remember you don’t have to make things impossible for the bad actors–you only have to make it inconvenient enough to not be worth it.
That said, there are quite a few tactics you can follow when the time is right. Every application with its context is different, but these should provide you with enough ideas that you can apply the strategy that works best for your situation.
Use Logging to Find Bad Patterns
Extensive logging is one thing you should absolutely put in place long before any spam or fraud hits. Record key events like registration, payment form submissions, cancellations, and other important activity. Note the user information, IP address, user agent, and anything else that may be useful for finding patterns of bad behavior. Extensive logging around user-created content will help you uncover patterns and decide what to block in the future. You can even set up your logging to be more aggressive when the system recognizes certain patterns you’ve already found to be problematic. In those cases, you might log incredibly granular detail to detect even more subtle patterns.
Eventually, this information can help you recognize fraudulent behavior ahead of time and automate solutions to prevent it. With Sifter, I had tools to enable me to flag an account and automatically prevent any further registrations with that email address or IP address. We also blocked registrations from Internet Explorer 6 as it was commonly used for automated malicious behavior, but we never had any legitimate accounts use it. The key was that Sifter never said why it was blocking the behavior. Instead, it pretended to throw an error in the hope that the individual would give up. There was always a risk of affecting legitimate customers, but with the right amount of discretion, you can minimize those chances.
Implement Temporary Tactics
Over time, you’ll begin to accumulate tactics for fighting or mitigating spam and fraud, and some of these may be more assertive. You might not need to rely on them full-time, and instead turn them on and off when necessary. That way, you can turn up your security measures when you’re dealing with a week of increased spam, and they won’t affect your legitimate customers.
A great example of a temporary tactic is CAPTCHAs. These should always be a last resort, and you should turn them off as soon as the storm has passed. While CAPTCHAs have generally improved, they’ve also become more complicated and often create more problems than they solve. Keep something like reCAPTCHA as a nuclear option, but don’t turn to it as a first line of defense. Don’t leave it on long-term if you don’t absolutely have to.
Use Tiered Email Confirmation
Almost every type of registration revolves around email addresses. You can get a lot of mileage out of simply forcing users to confirm their email address. The downside is that this is an inconvenience for legitimate customers. It also sends them to their inbox where there’s a significant opportunity for them to be distracted by something else.
However, a great compromise is to enable new accounts to have access to most things, but not to sensitive functionality like credit card forms until they’ve confirmed their email address. Alternatively, you can limit access to more sensitive functionality until an account has aged enough.
Another option is not to require explicit confirmation, but to take the opening of your welcome email as a signal of a genuine customer. If your email service provider offers open tracking, you can add that as an implicit signal to be factored in with other signals to indicate a level of trust. Don’t assume that an account that never opens their welcome email is bad, but you can be fairly confident that if the welcome email was opened, the account is legitimate: a spammer wouldn’t be likely to check that address and open the email.
Another low-tech way to mitigate spam is by blacklisting email addresses. In the administrative tools you use to help with customer support, you can add some functionality to flag an account as spam or fraud. Then you can have it automatically add an email address or IP address to the database. This was one of the simpler tactics I used with Sifter. It definitely wasn’t a brick wall, but it helped reduce a lot of fraud from individuals with lazier tactics.
Another great feature that actually benefits customers is advanced bounce handling. While most bad actors will use legitimate email addresses, you’ll often see firstname.lastname@example.org or email@example.com and your welcome email will immediately bounce. You can then use the bounce as a trigger to lock down or secure sensitive features. This actually benefits all of your users by catching typos or other mistakes and proactively working to address them.
Gravatar is another great implicit signaling tool. You can’t be completely sure, but chances are pretty good that spammers didn’t take the time to add a gravatar to their email address. Add in signals like whether they opened their welcome email, how many times they have logged in, and how much data have they created, and you can get a pretty good picture of the legitimacy of a given account.
Blacklisting and Blocking
Just like blacklisting specific email addresses, you can also blacklist IP addresses. In many cases, the bad actors will just change their IP address, but quite often they won’t. Again, you don’t always have to stop them entirely, you just have to make things difficult enough that they give up. When you do this, make sure you don’t say that the IP address is blocked. Pretend to throw a generic unrecoverable error, and in many cases they’ll just give up and move on.
Anti-Spam and Anti-Fraud Tools
These are all fairly simple tactics that take relatively little effort and give you a lot of control. However, sometimes it’s best to lean on applications that specialize in detecting bad behavior. Tools like Castle, Sift Science, Cognito, E-Hawk, FraudGuard.io, and Akismet can help once you’re ready to pay for a service. Some payment processors have also begun offering their own built-in fraud tools. Braintree has partnered with Kount to offer their own fraud tools, and Stripe has created Radar for its customers. Keep in mind, though, that no service will be perfect. Evaluate the tools you choose and closely monitor for false positives. These tools make it easier to get started, but they aren’t experts in your business. Implement them in phases, and watch closely before you trust them fully in order to ensure you aren’t hurting legitimate customers.
Fraud and spam suck. I hope you never have to deal with them, but the odds are pretty good that you will. When it happens, don’t sweat it too much. Recognize that it’s a cost of doing business, and slowly but surely implement what you need to. Keep things in context. If there’s little to no real or virtual cost to your business, don’t invest months building systems to prevent it. Do what you need to to protect your business, and then watch, learn, and improve with time.