Preventing Fraudulent Submissions

The primary fraud we are aiming to prevent/detect is multiple submissions by single users in an attempt to game the system. Our secondary concern is bot behavior.

Best Practices – Prevention

What are basic, table-stakes, got-to-have measures in order to prevent fraud? How can these preventative measures be implemented from a technical standpoint?

  • Limit submission by more than just clicks.
  • Factor in additional meta data like network identities.
  • Factor in geographical location based on network IP addresses or traffic.
  • Leverage historic internet breadcrumbs or cookies.
  • Tie all these factors together and you can get a pretty decent picture of who’s using your systems (PII or not)

Best Practices – Detection

What are basic, table-stakes, got-to-have measures for detecting fraud? Which, if any, of these measures can be automated? How can these measures be implemented from a technical standpoint?

  • AI. Long story short: No one wants to manually validate submissions. Let systems do it for you, faster and more efficiently.
  • Machine Learning. While AI can help you work smarter, ML can help that AI adapt and keep up with undetected fraud-trends.
  • Consortium Data: Just like the BBB or FICO, this industry can have a HIPAA compliant ledger of bad-actors that any 3rd party system can integrate with to run their own fraud-detection scenarios.

Overthinking It

Are there any widely-used procedures/measures that go too far in hindering legitimate attempts at form submission?

Everyone loves policies and procedures.

  • Access Risk Management (ARM)
  • Governance, Risk, and Compliance (GRC)

As far as technology is concerned most people develop in-house. They keep their secret sauce secret. But for the common folk:

  • Captcha
  • Custom Captcha
  • Use honeypots to build historical threat data
  • Use WordPress anti-spam plugins
  • Block submissions by IP, email address, etc…

Fixes

If fraud is detected, beyond implementing the best-practices/procedures mentioned above – is there a general protocol or approach that teams should follow to solve the problem?

  • Create a potential risk profile
  • Pinpoint the possible indicators of fraud
  • Implement continuous auditing and monitoring
  • Increase organizational awareness of the monitoring activity
  • Deploy some form of artificial intelligence or machine learning
  • Encourage clinical-trial-abuse reporting
  • Deploy intelligence case management
  • Learn, adapt, repeat