While the email address is commonly collected, outside of a fraud blacklist it’s rarely leveraged as a piece of risk assessment data.
This approach has significant limitations and will never give you the clarity needed to balance fighting fraud with frictionless approval of trustworthy transactions.
In today’s landscape where fraudsters move more quickly than ever, it’s essential for companies to leverage every piece of customer data to its maximum fraud prevention potential.
The other side of the coin is that revenue can grow when resources are dedicated only to high-risk transactions, and low-risk transactions can be automatically approved.
The internal blacklist is an island of data
Here’s the biggest problem: An internal blacklist is static by nature. It only contains information on email addresses associated with fraud events that an organization has seen in the past.
That’s like a banker thinking she can prevent future robberies by using a list of every criminal who has ever tried to rob her bank in the past. Relying on a blacklist alone offers no way to prevent an initial instance of fraud. The model can never be improved because it exists outside of a networked and constantly refined repository.
Plus, once an email address is blacklisted, fraudsters can easily change it to an unrecognized permutation. For example, in Gmail, users can add a period anywhere in the email address. The average blacklist isn’t able to tell that email@example.com, firstname.lastname@example.org and email@example.com are all the same email address.
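One way to close the period-permutation gap described above is to store and compare a canonical key rather than the raw string. The following is an added example, not code from the article; it goes slightly beyond the text by also folding Gmail's "+tag" suffixes and the googlemail.com alias, and the names `canonicalize`, `Blacklist` and all sample addresses are constructed for illustration.

```python
# Added example: canonical keys for blacklist lookups (not from the article).
# Assumption: only these domains ignore dots and "+tag" suffixes in the local part.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonicalize(address: str) -> str:
    """Return a comparison key; raise ValueError unless input is local@domain."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        raise ValueError(f"not an email address: {address!r}")
    # Assumption: treat the local part as case-insensitive, as most providers do.
    local, domain = local.lower(), domain.lower().rstrip(".")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")  # drop tag, then dots
        domain = "gmail.com"  # googlemail.com is an alias of gmail.com
        if not local:
            raise ValueError(f"empty mailbox name: {address!r}")
    return f"{local}@{domain}"


class Blacklist:
    """Stores canonical keys instead of the raw strings that were reported."""

    def __init__(self, addresses=()):
        self._keys = {canonicalize(a) for a in addresses}

    def __contains__(self, address: str) -> bool:
        try:
            return canonicalize(address) in self._keys
        except ValueError:
            return False  # malformed input cannot match; validate it separately


# Constructed sample data: one reported address and later sign-up attempts.
BLOCKED = Blacklist(["sample.user@gmail.com"])
ATTEMPTS = [
    "sampleuser@gmail.com",
    "s.a.m.p.l.e.user@gmail.com",
    "Sample.User+shop@googlemail.com",
    "sample.user@example.org",  # different provider: dots stay significant
]


def check_attempts() -> dict:
    # Map each constructed attempt to whether the blacklist catches it.
    return {a: a in BLOCKED for a in ATTEMPTS}
```

Canonicalization only stops permutations of an address that has already been reported; it does not address the first-instance problem the article raises.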
Legitimate customers and your blacklist
This is the most dangerous part of relying too heavily on blacklists. Without being able to know if an email address actually exists, there’s no way to detect if a customer mistyped their email address. This can lead to customers being locked out of accounts, or missing order confirmations.
The limited nature of the blacklist also doesn’t account for the all-too-common occurrences of data breaches or account takeovers. This increases the odds that more transactions from legitimate customers will be held up in manual review. Or worse, blocked entirely.
In today’s consumer-centric marketplace, customer experience is paramount. Every time a legitimate customer is passed to manual review, or blocked, lifetime value hangs in the balance.
A better way forward: Email risk assessment
Every time an email address is used, it leaves traces. Over a period of time, those traces add up to a multi-layered story. This story can be examined to assess the risk present in a transaction. More than just data, email intelligence allows you to determine fraud risk with significantly less friction than other common methods.
Here are just a few of the unique data points that an email address provides and how they can work for you:
IP Address: An IP address is the internet location from which an email is sent. This data can be used to approximate where a customer is sending an email from and if that data matches the transaction information. IP addresses can also be compared to known fraudsters and risky countries.
Name Matching: Email addresses generally have a name associated with them. This name information provides an easy-to-compare data point to stop risky or fraudulent transactions.
Domain Information: Domain names are an integral part of an email address. By researching the domain information, a business may identify: the age of the registration, the registrar, the name of the registrant, the street address, and the email associated with the domain registration.
The best part of using email addresses is that in most countries they are not considered sensitive information. This means that businesses will not need to go through extra legal work to use email as part of their risk engine.
Email addresses are already collected for almost every transaction. Businesses can and should do more with this valuable identification data.