During our third session of Fraud Office Hours, an attendee asked, "At what point do you deem Apple Store activity suspicious or fraudulent?" Watch this video clip and read below to see how Unit21's Head of Fraud Risk, Alex Faivusovich, responded.
How to Detect Suspicious Activity on the Apple Store
"It's really about understanding how your users use your ecosystem, how they use your product, and how they make transactions using the tools you provide to them.
This problem isn’t just specific to the Apple store; in general, big brands that attract many customers also attract many fraudsters. So for a fraudster, they see a big brand as a way (and an easy one at that) to take whatever associated payment method they have and turn it into money.
So when do you deem Apple Store transactions - or another big-name store - to be suspicious? It’s really around understanding how your users use your ecosystems, how they use your product, and how they make transactions using the tools you provide them.
For example, if you have a big customer base in the New York metropolitan area, you can analyze how users buy products at big brands and large chain retailers. You can investigate their behavior and see how they actually interact with these businesses.
You’d expect to see users make large purchases like the Apple Store at certain times throughout their life, but not regularly. For example, someone may buy a Macbook or iPhone once a year, but they won’t make those purchases regularly.
If you can see patterns where users buy from the Apple Store regularly, during certain days, at certain times, and at certain volumes, this may be a red flag for suspicious activity.
If you’re seeing this larger volume of transactions for big purchases at the Apple Store, you can start to see what activity may be criminal. You may even be able to link this to organized crime that is operating within the metropolitan area you’re exploring. If you can pinpoint organized crime operating in this area, then it would make sense that those fraudsters are operating in those stores.
This is where customer segmentation comes into play. If you have brand new users who just onboarded to your platform and the first thing they do is fund the account and then immediately go and use the funded value, that’s probably a red flag of suspicious activity.
If you know your customer base and how they behave, this behavior would likely stand out as an anomaly. While it’s not necessarily illegal, most people don’t fund an account just to immediately go make a large purchase, which makes it worth investigating as suspicious activity.
Most fraud associated with these big brand stores is coming from new accounts. It’s essential to have a good strategy for new accounts and to put added effort into knowing your users. This is challenging for users that you’re less familiar with; with less information on a user it’s harder to understand how they behave.
It’s also important to investigate whether account takeover fraud is associated with these big brands. For example, if some customers lose access to their account, will the fraudster use that access to make purchases from a big brand, such as the Apple Store?
This allows you to associate a non-monetary activity (such as changing the password or a new device) with suspicious behavior. Your team can then create rules that will look for this sequence of events and flag the behavior for you.
The key is understanding how your customers behave and whether or not you have active organized crime operating in those areas. This will allow you to flag potentially fraudulent Apple store transactions and activity."
Use Unit21 to Detect Malicious Transactions at Popular Retailers
To look for abnormal transactions, teams can use a historical deviation rule. This lets teams look for a user that is making a transaction (in this case, at an Apple store) when they haven’t previously exhibited that behavior. This can be used to identify abnormal transactions that could be indicators of fraud.
To do this, teams will need to build a finely tuned rule that looks at entities where the merchant name is equal to ‘Apple’, and then add additional filters to focus the search. First, we can filter the data to look for activity in the last day compared to activity in the last 90 days. Then we can compare where the difference is greater than an amount of 1, so that a single transaction—when none had previously occurred—would trigger the alert.
We can also add additional filtering if we want. We could drop the period down to 30 days, look at only recently registered users (i.e. those that have created their account within the last 30 days), and look for only high-value transactions. For example, if people are buying a computer, a phone, or a tablet, these could be suspicious. But someone buying a watch strap is not necessarily as risky.
Teams then need an internal policy that clearly defines when certain behavior is declined. But they can’t stop there, they also need a system defining what’s done after the transaction is declined. Should the business text the user, email the user, or communicate with them in some other way?
There needs to be some way to ensure that true customers are able to respond if this transaction was legitimate and intentional. That includes having a system for labeling this user so the transaction does go through in the future. But if there is no response, you want to be able to block the transaction, freeze or cancel the card, and then have a system for replacing the payment method.
Looking for more insights? Check out our third session of Fraud Office Hours on-demand for a deeper dive into how you can use technology like Unit21 to uncover suspicious activity.