Our fraud detection algorithm scans your orders for a variety of factors, including behavioral data, payment data, and location data, then returns a single comprehensive risk score. We also single out specific user risk factors and list them on the Order Review page as part of our effort to provide you with as much information as possible. Understanding these user risk factors can help shed light on an order’s risk level and guide your decision-making to prevent fraud.
We’ll share some of the most common user risk factors we highlight in our app and what they mean. Keep in mind that although risk factors often indicate fraud, they aren’t a guaranteed indicator that an order is fraudulent. Be sure to examine all of an order's risk factors to better understand its threat level.
Certain user risk factors indicate issues with a user’s physical location. We gather this location data from the device that a customer used to place their order, not the shipping and billing addresses on file for that order. Some of these risk factors are:
Colocation: The user’s location originates from a server farm or data center, which are secured areas that are typically off-limits to humans. While there’s a slim chance that a human working in a data center placed the order, it’s more likely that this user is a bot. Although this is not the only risk factor that identifies potential bots, we use colocation signals to prevent fraud from bots that are designed to mimic human behavior and can be otherwise difficult to detect.
University: The user’s location originates from a university or college. There are plenty of people on college campuses who place legitimate orders. However, the relative anonymity and large pool of users on campus networks mean that university-based orders have a higher-than-average risk. If you know that your store caters specifically to college students, this may be less of a concern — knowing your audience is one of the most powerful tools in your fraud prevention toolkit.
Other user risk factors indicate issues with a user’s network or browser. At NS8, we monitor each user’s connection to your storefront and flag any factors associated with a high rate of fraud, such as:
The Onion Router (Tor): Tor is a web browser that uses multi-layered encryption to hide information about a user’s network and location. While there are legitimate reasons to use an anonymous browsing service like Tor, very few customers use Tor for day-to-day browsing. On the other hand, fraudsters have a strong incentive to cover their tracks and evade detection, which means Tor sessions come with a high level of suspicion. Additionally, since Tor can make it difficult for us to track a user’s browsing history and other crucial data, we encourage you to proceed with extra caution when reviewing these orders to prevent fraud.
Public proxy: Like Tor, proxy servers (including virtual private networks, also known as VPNs) allow users to send and receive data online without exposing their network and location information. Although proxy services are somewhat more common than Tor and have a variety of non-fraudulent uses, they still pose a moderate risk. This risk factor alone may not guarantee the presence of fraud, but it carries a higher level of suspicion if other risk factors are also present.
User ID rotation: Multiple sessions with unique user IDs all originated from the same IP address. Each IP address should only correspond to a single user ID. User ID rotation occurs when a bot or fraudster deliberately changes their credentials to appear as several different users, despite remaining at the same IP address. Fraudsters use this tactic to place many orders under multiple identities. If we flag an order for user ID rotation, it carries a high risk of fraud.
Some risk factors are related to issues with a user’s behavior while browsing your storefront. In addition to monitoring a user’s location and network connection, our fraud detection tools also analyze each interaction with your website and identify any significant patterns that emerge. These patterns include:
Fast click and Click count: The user clicked through your website too quickly or used an unusual number of clicks. Human beings have predictable and imperfect click patterns when navigating a website, but bots can click through pages with inhuman speed and precision. Bots may also use too few or too many clicks, either by avoiding clicks with code or struggling to navigate the website and using far more clicks than usual. An influx of interactions could also be a sign of click fraud. Both risk factors are extremely suspicious, especially in conjunction with other risk factors, so be sure to take them seriously as part of your fraud prevention strategy.
Known bot and Spam bot: In addition to tracking the individual factors that indicate bot behavior, our fraud detection algorithm can sometimes identify bots outright, either by analyzing combined patterns of behavior or comparing traffic to a known list of bot sources. If we detect either of these risk factors, the order is extremely high risk, and we recommend that you cancel the order to prevent fraud.
The final group of risk factors is related to issues with a user’s device. Like network-based factors, device-based risk factors relate to the way that users access your storefront but are more closely linked to a user’s physical device than their network connection. Among the risk factors are:
Viewability: The user’s device did not display your website or only displayed it briefly. Most human users need to see a website to browse, and users who employ visual aids like screen readers must still display the website on their device to use these tools. However, some bots can navigate a website by using scripts that don’t rely on visual elements, or through a headless browser that uses a command-line interface instead of a standard user interface. There are legitimate uses for headless browsers, especially in web development and search engine indexing, but human users are unlikely to use these browsers for online shopping.
Spoofed user agent: The user’s device information does not match their user agent string. User agent strings are like a nametag for internet users. When you browse the internet, your user agent string provides information about your browser, device, and operating system to help webpages optimize their content for your device. Web developers sometimes change this user agent string for testing purposes, but there’s no real benefit in spoofing for someone who’s shopping online — unless they’re a bot or fraudster trying to hide their identity. If a user’s device information and user agent do not match, their order carries a high risk of fraud.
Cookie rotation and User agent rotation: The user has changed device-related information to mask their identity, evade tracking, or appear as multiple users on different devices. Bots artificially change these identifiers every time they take on a new false identity, which means each session seems to originate from a new device but comes from the same IP address. Legitimate users have no reason to engage in this behavior, so cookie rotation and user agent rotation risk factors are grounds to cancel an order.
Incorporating user risk factors into your fraud prevention
Although these are some of the most common risk factors you’ll encounter, we screen orders for many other risk factors related to user data, payment data, and more. Familiarizing yourself with our scoring process makes it easier to build custom fraud prevention order rules based on your industry risk and comfort level. It’s also important to remember that risk factors increase the probability of fraud, but don’t guarantee it. Understanding common risk factors can help you make informed decisions and better understand the data on our Order Review page. To learn more, go to What to look for when reviewing an order for potential fraud.
Not an NS8 customer yet, but interested in learning more? Schedule a demo.