With millions of transactions happening online at any given moment, someone has to keep an eye out for fraud. Fraud analysts work hard to weed out those taking advantage of stolen information or deceptive practices and spot criminal trends to prevent them in the future.
Image by Ira Yapanada (Shutterstock)
To learn a little about how this seemingly indomitable work happens, we spoke with Gilit Saporta, an analyst at fraud prevention startup Forter.
First, tell us a bit about who you are, your current position, and how long you've been at it.
My name is Gilit Saporta, and I'm the mother of two adorable infants and a fraud analyst at Forter, a fraud prevention startup. Essentially, I spend my time researching the various ways we can distinguish between e-commerce transactions by criminals and e-commerce transactions by legitimate buyers, and training others to do the same.
Forter works with retailers to prevent fraud on their websites — not everyone knows this, but if fraud goes through on an online store, it's the retailer who pays the price. That makes fraud prevention crucial for e-commerce merchants. I've been at Forter for about six months, but I've been in fraud analysis for nearly 10 years now.
I started working in fraud prevention as a student, while studying theatre directing, and although fraud analysis became my chosen career path, I've kept the theatre running alongside it almost all the time — one of the great things about being a fraud analyst is that having passions outside your work actually helps to develop your skills as an analyst. The more perspectives you can appreciate, the more depth to your vision, the better you'll be at the job.
Forter's fraud analysts are a multidisciplinary team of behavioural specialists and forensics investigators. We think of ourselves as 'fraud philosophers' because we relish contemplating complex scenarios to form Forter's expert-driven decision system.
What drove you to choose your career path?
I was looking for an interesting part-time job I could do to help fund my degree, and in a way I almost fell into it. I was attracted to the flexible hours, the intelligent people and the feeling that there was always another hill to climb. On the other hand, it was a natural fit — I've always loved solving puzzles, I had experience in military intelligence, and my pre-college test results showed that I had a high level of analytic ability.
The job I had as a student was for a company called Fraud Sciences. We were a small startup with big ideas. They introduced me to the challenge that still fascinates me today: how to distinguish between a legitimate buyer and a fraudulent one.
After university, I knew I wanted to keep working on that challenge. I'd got the bug — fraud analysis was intellectually stimulating, enormously satisfying and came with an adrenaline rush I had never expected to find as part of an office job.
How did you go about getting your job? What kind of education and experience did you need?
Not many people realise the diversity of fraud analysts' backgrounds. People often imagine you need to have a PhD in statistics and maybe some police experience, but that's just not true.
What you need is an inquiring mind, determination to see things through, and the creativity to uncover new sources of information, and leverage the data you have in different ways. A degree is beneficial, because it helps train your analytical abilities, teaching you how to think, but it's not essential. And it needn't be in a 'relevant' field — look at me and theatre directing.
As for how I got to my current role… well, Fraud Sciences was famously acquired by PayPal for $US169 million when the payments giant saw the kind of results we were capable of getting. I enjoyed being part of PayPal, but missed the startup vibe.
When I heard that three profoundly impressive individuals I'd known from Fraud Sciences were starting their own company, I jumped at the chance to work with them again. That's something I'd say is vital if you'd thinking about working in fraud analysis. Choose the company, and the team, wisely. I've seen fraud analysts at other companies restricted by a culture that doesn't encourage innovation, that won't consider new ways of doing things. There's no red tape at Forter, and that makes it much easier to have a real impact. I have independence and flexibility, allied to responsibility. I'd advise people to look for that.
What kinds of things do you do beyond what most people see? What do you actually spend the majority of your time doing?
Well, people imagine that I spend most of my time going through transactions and working out whether they're fraudulent or not, and it's true that many companies do employ fraud analysts for that. But it's not a part of my job.
Although I do spend a lot of time going through transactions, the purpose behind it isn't to decide whether or not fraud is present — the system will already have done that, and done it well, and in real-time. What I do is treat the transactions as research material. I pick out and analyse all the separate elements, and think about which ones could be useful in helping us develop our automated fraud detection algorithm, and in what way.
I spend a lot of time talking to different members of our fantastic team of programmers, as well as our ingenious data scientists, working out how to turn my ideas into reality. Thanks to them, we can take the process that guides excellent fraud detection and scale it. I now know a lot more about the technical aspects of developing a system than I used to!
What normal people don't realise is the mindset that's involved. You have to be open to what the data is telling you — we say, to 'see the story' behind the transaction. That's both the story of fraud and the story of a real transaction, and you have to see both at the same time, and balance them. It's definitely had an impact on me. I've reached the stage of having continual internal dialogues. I always see two sides of any question - I'm terrible at winning arguments, as a result.
Can you give me a typical example of the kind of fraud you might find? (Stolen credit card transactions or what?)
Fraudsters are by nature creative — they have to be, to get around the safeguards erected against them! So 'typical' is hard to define. But let me give you an example I encountered recently.
There was a customer who had tried to purchase a Mac. On the surface, it looked like an ordinary purchase — but our automated system had rejected it. Why?
Well, for one thing, although the IP address looked like a good match for the same location as the billing address on the credit card, it was actually reached through a VPN. The purchaser was really somewhere quite different, which we can tell with proxy piercing. The shipping address looked convincing, too, but it was actually to a reshipping address which happened to be in the right neighbourhood.
Fraudsters will use every trick they can think of, including technology designed for their use by other criminals, to succeed. In a way, there's no such thing as 'typical' fraud or transactions. You always have to keep an open mind.
What misconceptions do people often have about your job?
Nobody knows anything about my job! People think 'analyst' means a financial analyst. Or, if they stretch their imaginations to work out what a fraud analyst might do, they assume you're the person who calls them about their credit card when you've spotted a discrepancy there. They never think about the stage before that — the people who stop fraudsters from using their credit card details in the first place!
What are your average work hours?
A full-time fraud analyst would probably be working 45 hours a week. But there are plenty of part-time analysts around, and that could be anywhere starting from 20 hours a week. Flexibility is built into the job, because you're working as part of a team and you can all rely on one another.
Very occasionally there will be an especially busy time, and then some of us might choose to put in extra time over the weekends or evenings, but that's not a standard thing. Additionally, working from home part of the time is easy, thanks to our devoted IT and infrastructure folks.
What personal tips and shortcuts have made your job easier?
I would say that the most important one is to let go of ego, and be open to criticism. You're always learning on this job — the criminals come up with new techniques, and you have to catch them before they become a problem, or a new payment system presents fresh challenges.
And there are so many different aspects to fraud analysis that you're never going to be the best at all of them. The newbie who's been here two months might outpace you in one area. The important thing is to realise that being surrounded by experts in different areas is an amazing opportunity. Just accept that your job is to learn, all the time. We look for people who are smart yet humble — and I think that says a lot about the nature of the job, as well.
Connected to that, I would say that asking questions is crucial. You have to let go of the idea that some questions are silly or might make you look stupid. Asking questions requires courage, but it's always worth it.
If you're analysing millions of transactions for fraud, you obviously aren't doing so manually. What sort of tools do you use?
This is actually a very interesting issue in fraud prevention today. Believe it or not, there are retailers who review many of their transactions manually. The average is more than a quarter of transactions manually reviewed!
I know that sounds completely crazy when you consider the number of transactions in e-commerce in the modern world, and in many ways it is; it means a slower and more frustrating process for customers, it's expensive, and it sounds like something out of another decade.
But it's a common fraud prevention practice, and it leads to conservative behaviour, turning away relatively large numbers of good transactions. That's the kind of attitude that makes other departments resent Risk so much — it seems like they're always saying 'no'.
I've seen risk teams all over the world working like this — eyes glazed over, automatically clicking to approve or decline depending on how high or low the score is, since many of these teams use 'risk engines' which give scores for the probability of risk. I hate seeing this. There are highly intelligent people trapped in this kind of environment, rushing to complete manual reviews as fast as possible, loathing Mondays because of the backlog of transactions that builds up over the weekend, terrified of the holiday periods…
Forter, where I work, provides a system that's 100% automated — meaning every single transaction receives an instant approve/decline decision, in real-time. It's better for customers, for retailers and for fraud analysts. We do use an in-house system, something we designed, created and maintain ourselves, thanks to the support and ingenuity of our fantastic team of developers. We use it for research — it helps us pick out patterns between important attributes, provides a structure for considering transactions, and so on.
What's the worst part of the job and how do you deal with it?
I sometimes feel bad that we're so good at what we do. I mean, we can trace a lot of the fraudsters we block back to developing countries, to areas where poverty is rife and it's hard to rise out of it. I see why they use one of the few assets available — the internet — to try to make more money in a day than they'd probably otherwise ever see in a year.
But I still want to make our system as good as it can be, because even though it's understandable, it isn't right. It's not a victimless crime, after all. The retailers we work with shouldn't have to pay for fraudulent transactions, and they shouldn't have to let the fear of fraud hamper their growth.
I do also get irritated by how difficult it can be for people to purchase online — you see people doing all sorts of odd things to get around fraud blockers that mark them as false positives — people who look like fraudsters but aren't.
I hate seeing signs that people have encountered this kind of attitude in the past. They tie themselves in knots trying to look legitimate, which they really are anyway. We know it, without their painful efforts, and I wish I could just tell them so. It's a constant reminder that we live in an imperfect world.
What's the most enjoyable part of the job?
I would say that a highlight of my week is always the weekly team meeting. Sitting with the whole team, everyone bringing their knowledge and expertise — electricity is in the air.
I also love talking to our customers, the retailers we work with, and helping them see new things about the way fraud impacts their business, and exchanging tips and ideas.
Also, strange as it may seem, I like that the stakes are high. Forter is so confident in our system that the company offers a 100% chargeback guarantee — which means that if the system gets it wrong, and lets in fraud, Forter pays for it, not the retailer. We approve more transactions than most systems are able to do, so the guarantee reassures our retailers that we're not doing that at their ultimate expense. That makes my work as an analyst, refining the system to ever-increasing levels of accuracy, both crucial and exciting.
Do you have any advice for clients who need to enlist your services?
I tell new analysts to ask me all the questions in the world. I'd say the same to new customers. Maybe they want to jump to conclusions about fraud and fraudsters, based on their past experience, but what we need is to open a dialogue, and together work out their priorities and find ways to help them improve their system and grow their business as a result.
Being a fraud analyst really does require the ability to listen to the customer. Different retailers have different priorities — one might want to approve more transactions, and be willing to accept a slightly higher risk of fraud to achieve that, while another might want to avoid chargebacks at all costs. Our job is to listen, to hear their problems, to advise, and to adapt to their needs.
Forter was originally called Risk Academy — and that idea of sharing knowledge, and researching fraud and fraudsters, and helping business grow with the insights we gain, that's still very much a part of our motto and motivation. We study this area, we work out what's going on. We're the criminology department of e-commerce.
What do you do differently from your coworkers or peers in the same profession? What do they do instead?
A crucial difference is the manual review versus automation question. Forter is very unusual in its dedication to automation, and as you can imagine it has a direct impact on the way we work as fraud analysts. We don't review; we research.
One of the things I love so much about the job is that I get to work closely with our developers and our data scientists, so what I do is research which is acted upon very quickly. If I have an idea, and it proves to be effective against our data, it could be part of the system within days or even hours.
Most companies don't do it this way, but having seen it in action, I'm a complete believer. You just can't rely on statistics and control groups — you'll always be three months behind the fraudsters. Whereas we can work out ways to counter a new threat, a new fraud technique, after the very first time it's been seen. Is it surprising that I find my job exhilarating?
Aside from that, I'd say something that's unusual about working at Forter is that the fraud analysts are encouraged to develop a business sense as well as fraud intuitions and understanding. Things like how the experience of fraud prevention will be for the customer, how it will affect conversion rates… Most fraud teams don't have to focus on these issues. Their primary role is to prevent fraud. But the way I see it, best practice fraud prevention doesn't just block fraud — that's a given. Best practice fraud prevention makes anti-fraud into a business asset.
We can accept more orders than most systems, and we care about making the process so smooth that genuine customers never even notice. All this has a direct, positive impact on a company's revenue — which reinforces, for me, how critical our work really is.
How do you "move up" in your field?
Fraud analysis is a booming field in general. Here are Forter, we're growing rapidly, so new teams are being built, who need new managers, so that's one way.
But I wouldn't underestimate the value of specializing. We have analysts who have "evolved" into expert developers, we have 'undercover' analysts who focus on the fraudster community, we conduct many different types of research, we have analysts who focus on the business impact of fraud prevention.
What I would say is: play to your strengths. Choose the area that fascinates you, focus on it, and become an expert.
What do your clients under/over value?
I like that we can give our customers a very impressive bottom line. For example, with one retailer, one month after joining us their decline rates went down by an enormous amount. Plus, their chargebacks quickly dived down to almost zero. That sort of result is not uncommon. And that's great. It's good that there's a nice figure at the end of the day, and I see why our customers focus on that.
But for me, it's more satisfying to explain that we spotted a very interesting kind of attack this week, using a technique never seen before. I think the level to which fraudsters are creative, and to which we have to innovate to catch them, is definitely undervalued. But on the other hand it's not something I want to emphasise too much, because I don't want to freak them out!
What's great is if a client has someone on their team who's interested, and you can explain without worrying them. But mostly, they think of us as a magic wand, the system that takes fraud worries off their shoulders.
People miss that we're actually focused on business enablement, that thanks to what we do our customers can expand to new markets, use new payment flows, optimise for mobile and so on.
What advice would you give to those aspiring to join your profession?
Teach yourself everything. Autodidacts do well at this job. Almost anyone who applies here receives a test, and it's that which determines if they move to a second round. That means that it really does come down to merit. Everyone has a chance.
In fact, at Forter, we don't ask much about your CV at interview. We set puzzles and ask questions, to find out how your brain works, and how you think. If you're open to that kind of process — well, the job might be for you, too!
I would say… don't try it if you're intimidated by smart people. There are a lot of smart people in this field. They probably wouldn't be good at it if they weren't. But you have to have enough confidence to learn from them, and to know that they can learn from you in their turn.
Career Spotlight is an interview series on Lifehacker that focuses on regular people and the jobs you might not hear much about — from doctors to plumbers to aerospace engineers and everything in between.