As part of the Emailage, a LexisNexis Risk Solutions Company, virtual event series, Eric Choi, Senior Vice President of Marketing interviewed Chad Gonzales Head of Fraud, Identity and Abuse at Lyft and Harshad Agashe, VP of Product at Emailage to talk about promo abuse. The transcript below features their conversation and has been edited for clarity and brevity.

Eric Choi: Welcome to Emailage, a LexisNexis Risk Solutions company: Outsmart Promo Abuse, insight from Lyft and Emailage.

My name is Eric Choi, I’m your moderator, I’m the Global Senior Vice President of Marketing at Emailage, a LexisNexis Risk Solutions company and I have the pleasure of joining this session with two distinguished speakers. Harshad Agashe, VP of Product at Emailage and Chad Gonzales, Head of Fraud, Identity and Abuse over at Lyft.

Promo Abuse Categories

Harshad Agashe: There are three different categories [of promo abuse] from my perspective. One is policy abuse: when customers, vendors or partner agencies bypass a policy or take advantage of it by using it in a way other than intended. It could be coupon abuse, it could be policies which one of your partners, or resellers are using and abusing, insider trading is example, retailer discounts on first orders. If somebody is creating multiple identities to get a discount on a first order. Or wardobing problem, which is a slightly different abuse problem, which is abusing the return policies and people ordering clothes wearing them with the labels on and then returning them. Some customers have such massive problems with people who are pretty well-off, and they had to remove those customers from the platform. So that’s what we call is policy abuse broadly.

Chad Gonzales: The wardrobing one is an interesting one, right? So that’s something like, you know, we we’re in the age of digital technology, but wardrobing problems is one that’s gone back to many, many years. I’ll be honest, I know some family members that would do that, you know, buy something, go to a wedding, keep the tags on and return it.

Eric Choi: What are you trying to say there, Chad?

Harshad Agashe: The other ones are more so friendly fraud. The definition is when the customer files a chargeback instead of trying to first obtain a refund from the merchant.  It could be a genuine issue. Like in this case, COVID-19. We have people who’ve ordered from online, they got the product. They supposed the only way they could return it would be a genuine return and either to go to the store, which is closed, or they could return it online, but then they have to pay ten dollars of shipping. So in those situations, these are people who have filed for chargebacks. And the reason is because not all the retailers have a clear policy on what to do with these items. It could be an issue with how we are communicating to customers. Or it could be just a genuine case of friendly fraud. You know, you have some family members ordering things on your behalf and then you’re just claiming that as a fraud transaction.

We had our customer advisory board recently and this was pointed out as a major problem for many of the people.

And the third flavor is more loyalty fraud, which is when you have points and then you’re double dipping. They’re extracting those points and converting into goods in two different channels. So they can benefit twice or fraudulently accrue points by attaching a reward number to a purchase they didn’t make.

The Sophistication of Promo Abuse

Chad Gonzalez: Let’s go through some examples that see these types of incentives and strategies that are abused at Lyft. And then give some examples of the environment that exists around gaming to really help emphasize the magnitude of this and the sophistication.

A lot of times when we think about gaming and abuse, we probably think of like we’ve all probably done it right? Great offers for signing up for a card…spend some money and pay it off. But we don’t necessarily think rings out there that are operating this way. There’s a lot of sophistication behind it.

Incentives are always born from a business need. And they’re all they really do have good intent. In the Lyft world, we’re always trying to balance driver with the rider demand. We want to make sure passengers don’t have to wait too long for rides, because if not, they’re going to end up going to Uber or other forms of transportation. We try to incentivize drivers to be on the road. We want to make sure that we know we can balance the demand with the amount of drivers. So basically, if you’re a driver, you could come onto the platform, and if you give over a certain threshold of rides, we will give you an extra incentive bonus on top of that. You give five rides, that’s an extra five dollars. So, the more rides you give, the more bonuses you earn.

We have another program where we partner with certain rental companies and you could rent a car and drive for Lyft. And the incentive there is if you give over X number of rides in a week, you’ve covered your rental fees. Then you begin earning much more beyond that. So again, there’s incentive to give a certain number of rides.

In general, most of the time throughout a day, you probably won’t see the same passenger in the same day. So when we see a driver with the same passenger multiple times and the rides that they’re giving are 0.3 miles and took 10 seconds… this is an example of what it looks like in the data when someone is gaming the incentives. Essentially what they’re doing is colluding with friends or family or potentially even creating new accounts and just pairing themselves up, giving quick rides to try to meet those bonus thresholds.

Chad Gonzales: But it may not scale that well. There’s not a lot of sophistication around it. There are people that operate in rings or in networks and stay in close touch about new offers out there.

Harshad Agashe: I think you should explain that. And share how you’re seeing it on the risk models on the backend. I never knew that people knew so much about how the risk model on the backend worked on approvals.

Chad Gonzales: Yeah, exactly. You’ll see this, some users asking, “Hey, anyone pulled this off over 6, 6 by 24?” So really what they’re saying is they’ve reversed engineered some of these abusing thresholds. And what they’re saying is if you have over credit pulls within the last 24 months. They’ve figured out one of the main variables in detecting this type of abuse on many different issuers ends is the number of credit pulls that you’ve had in the last X months, 24 months in this case. The banter goes back and forth on forums where people share things like, “Yeah, I was declined at seven out of twenty-four, five recent pulls.” They realize there’s velocity thresholds on the back end and they’re trying to work together and communicate to try to reverse engineer these thresholds.

And there are numerous guides, very detailed guides as to what are the offers out there.

Eric Choi: In summary what you guys are saying is, unfortunately, fraud never sleeps. It sounds like it’s very scalable. It’s very organized. And we should be concerned.

Best practices for outsmarting promo abuse

Chad Gonzales: What are some best practices in how to manage this, and obviously this will have to be applied in the context of everybody’s own situation, their own work environment, their own company politics. A lot of what creates these opportunities is customer growth goals. The business asks: how many new accounts are we getting onto the platform? A lot of companies get hyper-focused on acquisition rather than engagement. From a customer lifecycle, for these abusers, they’ll come onto the platform engage and spend in the first three months to get their rewards and then basically go away. There’s no real revenue brought into the company by these customers.

Here’s one example from a past role: We would look for variables like:

  • Is it the same device that’s applying for these accounts?
  • Is it the same IP
  • Is it the same phone number

Well, we started noticing a lot of these accounts being created that had linkages. But when we tried to resolve our concerns, customers are like, “Yep, I applied. That was me.” So it wasn’t really fraud. But it was a lot of people that were trying to game the incentives.

So when we actually went back and said, “How big is this problem?” Actually, if we go and look at this gaming space, it was actually pretty large. But again, a lot of it comes to customer growth. But more and more we’re trying to ask for less at the time of onboarding just to reduce friction. Lyft as an example, we essentially only require a phone number to initially sign up.

Harshad Agashe: It makes sense. I think a couple of points I would add is understanding where the customer is in that funnel and giving the right messaging to them is more important. When you do a blanket of giving incentives across the funnel without any engagement it doesn’t lead to profitable long-term customers. It is getting that new account created.

From a Lyft perspective, it was very interesting, when I onboarded Lyft and the coupon was like 10 percent or some discount for the next 20 rides. So I had to take 20 rides and get to make sure that I don’t just use a discount and close it. But it worked for me and I become a loyal customer.

Chad Gonzales: I might have had some influence on that one, but yeah, that’s a really good point. It’s telling the right story too. Let’s be fair, the story shouldn’t just be we have all these bad accounts, we shouldn’t be doing this. Let’s look at it holistically. What value is it really adding overall? How much revenue do we create, versus how much marketing spend? Turn it into something that appeals to whoever you’re trying to interact with as well. It’s not worth your investment, your marketing dollars to try to target these people.

Promo Policy and Internal Politics

Harshad Agashe: So as I talked about before, you must design the policy in the right way. But to implement the policy, you have to get to the identity of the individual to make sure you are getting to new customers. And when you look at identity you may have some friction collecting that data. How do you create your journey?

You could create your journeys with just a phone number. But as more engagement happens, you can make sure you get that identity sorted in the backend. So policy and identity have to go together. You must have the right KPIs. We should write promotions, the KPIs shouldn’t just be for new accounts being created. Sometimes you must live with the abuse because I think overall, they may still be profitable customers.Take control of your promo codes, make sure that you can track it as far as possible. Have them limited for the individual and accounts so only that account can redeem it. Have a limited duration. The strategy is to have a very short life span for a promo code. Limit duration and then personalize the set. And then link that promo code with the identity parameters.

Tactically, how do you implement this? We will talk about how we created identity on our end, but I think this is something which everyone should be thinking about in their organization: How do they create an identity for their customer and for a prospect?

Harshad Agashe: What we look at typically is history of the email. How long has it existed, what does the depth of their history? Is the email to name correlation working? Can that be established? Phone to owner address, can that be established? Billing address to multiple identities? So you know, if you have multiple credit cards being used, all of them the same billing address and you have multiple accounts, all of these are very good and easy indicators for figuring out if you have a problem with multiple consumers abusing the system.

Next is stricter customer onboarding process. If you do not know the identities of who is behind that customer, then it is very difficult to solve a problem and a fraud problem in general.

Look at the full customer lifecycle. What have customers done in the past and then decide the lifetime value of the customer and the experience they go to. Those are the strategic recommendations we’ve seen work. Identity is the answer.

Identify the scale of the problem. You must identify all the loopholes that exist, identify the scale at which the problem exists. Once you have that, then socialize the impact. As we said, don’t just say that you have these protocols, but how much of your marketing dollars are being wasted and what can be done with those dollars is probably the right way to position that conversation.

Addressing abuse in your business

Harshad Agashe: What can we do with people when we identify abuse? So there are a lot of cases where we issue warnings. For example, you may be kicked out of the platform. There are ways to limit the rewards. A lot of credit cards say you can only get rewards if you’ve not applied for a card in the last year or two years from the same issuer. Next, you can remove or ban abusers, which is probably the last resort, in my opinion. And then, taking no action. I think we look at that as an option determined by the true cost of abuse.

Chad Gonzales: We want to emphasize making the right decision is not necessarily a black or white decision. You must think about the impact on your company, as well as the ROI and the incentives.

Audience Q&A

Eric Choi: OK, Chad. So, what is keeping you awake at night?

Chad Gonzales: In general it’s kind of the proliferation of oddball activity and the sophistication around bots that we’re seeing. If you look at some of your standard detection methods in the space — device fingerprinting being one of them – there are programs out there where you can literally download somebody’s full browser profile. You could get their cookies, you could get their user agent, you could get their screen resolution, you could get IP addresses that they typically come from. And you load those up and then you go to activity on the web. So you’re essentially completely making yourself look like some other digital profile. From a sophistication perspective that scares me.

Eric Choi: Do you think there is a way to incentivize behavioral changes or is simply blocking identified abusers?

Chad Gonzales: There are ways to frame the awards so it’s not X dollars in the first few months…it’s X dollars over every month, for the first twelve months. But at the end the day, it still is going to be difficult to manage. From a marketing perspective, you’ll have the challenge of incentivizing growth for customers outside of the abusers. By the time you get to a point where you’re managing behavior you get to a point where it’s probably not even appealing to a good customer. So it’s a tough balance.

But I think if you design the policy correctly, like the Lyft example, it makes a lot of sense because people who are genuinely interested in that platform to solve their needs. Because the rewards are good enough for customers to onboarded to use the service, but it’s not like you’re getting things for free easily. But at the end of the day, the fight is between hyper growth versus losing dollars. I think that’s still a debate which you have to always answer internally in the organization.

Eric Choi: One last question and we will wrap it up. Fraudsters appear new to receive our promos through the use of virtual credit cards. Do you have any advice for ways to detect these types of payment methods?

Chad Gonzales: Yeah, so I think probably what you’re referring to a lot like is like privacy.com. That’s one of the most common ones. A lot of people use it for good, to sign up for things like gym memberships where they don’t want to be charged over a certain amount. Probably what you’d have to do in those cases is think about something like bin strategies with the way the card numbers are coming through. They must have some reserve bins or tokenization they’re using going through their partners like Stripe or something like that to tokenize. I would maybe look for some commonalities in the bins.

Harshad Agashe: As we look at digital identity, when we look at more holistic ways of tracking it, and as we look at the data set that we have from a LexisNexis Risk Solutions standpoint and even customers will have one. I think connecting all of those dots together does help. If you can get some linkages on billing and etc.

Chad Gonzales: Someone in the chat discussion brought up a good point. He’s saying some of these virtual cards have shorter expiration dates. There’s a lot of attributes that are anomalous from a standard credit card.