#81 - Stop investigating fraud. Start disproving it.

I've reviewed thousands of fraud cases in my career and I've watched a lot of investigators work through their queues.

Many of these investigators operated without a clearly defined protocol, and they did not do so well. Some of them did have a protocol to follow, but most of them did not do much better.

How come?

We all know the story: tangential rabbit holes, wasted time, half-baked narratives, and contradictory evidence.

You can always check one more data point, or find one more thing that might strengthen your case.

Here's the crazy part: the same phenomenon shows up in both kinds of team, with or without a defined investigation protocol.

Because it's not about whether you follow a defined process. It's about the model the process is designed on. And most of those models are poorly designed.

Today I want to break down why investigation protocols fail, and introduce the design model that gets you out of this trap.

We’ll get into the theory first, but next week I’ll share a complete example walkthrough end to end.

Why every investigation process breaks down

Conceptually, investigation is simple: look at the evidence, weigh the fraud story against the legitimate story, and decide which one is more probable.

The problem is that the potential for evidence is infinite.

There's always another signal to check, another tool to open, and another hypothesis to test. And because fraud is contextual, the right evidence to look for changes with every case.

From my experience, teams respond to this in one of two ways.

One, they write overly specific playbooks that try to cover every scenario. These become too long to actually use and they're outdated within months.

Or they write generic ones: "review account history," "check device signals," "verify email." These give investigators so little direction they might as well not exist.

But both fail for the same reason - they're trying to standardize open-ended inquiry.

Here’s the thing, though: open-ended inquiry, by definition, doesn't standardize. 

The investigation ends when the investigator feels confident enough. Since that's subjective, one person stops at 5 minutes and another goes for 25 minutes - in the same case.

These rabbit holes are the inevitable result of working without a finishing condition.

Decide first. Then try to disprove it.

Here's the shift:

  • Instead of: collecting evidence → building a case → deciding

  • Try: decide first → look specifically for what would change that decision

You're not speculating. You're forming a hypothesis, and then you're testing it.

You don't open-endedly collect data and hope a conclusion emerges - you commit to a position first, then ask: what would I need to see to abandon it? That question creates focus.

When an investigator runs this model, two things change:

First, every question they ask becomes specific and bounded. Not "let me look for more evidence", but "what would I need to see to flip my current ruling?" 

That is a very different search. It has a finish line.

Second, they always have an answer. At any point in the investigation, they have a leading decision they're currently defending. If time runs out, they have a ruling.

How to form that first decision in under a minute

Here's where most people push back: "If I can't decide confidently after 30 minutes, how can I rule in favor of a theory in 60 seconds?"

But your investigation never actually starts from scratch.

The case is in your queue because something flagged it: a rule, a score, a velocity check, or an anomaly. That flag is already a decision - the system looked at this event and ruled that "something is wrong here, and specifically this thing."

That context immediately provides two things:

  1. What is suspicious about this event

  2. Statistically, how often cases flagged this way turn out to be fraud

Then, your initial theory writes itself: "This case is fraud because [the specific pattern the flagging logic observed]."

I wrote about a version of this in my early PayPal days when we reviewed cases by hand. The short of it was:

A colleague had a case she couldn't decide on: American account and card, IP from Vietnam. The flag had already given us the theory to defend: a Vietnamese fraudster who stole an American card.

It also naturally formed the question I had to ask to flip my decision - how can I prove this is actually legitimate by showing the account holder is in Vietnam?

So I checked their Facebook page, noticed the profile picture, and matched the location to a known building in Vietnam. I flipped my decision within one minute. 

Could I find more evidence somewhere? Probably. But I couldn’t think of a question I could answer that would make me flip my decision again.

I mean yeah, perhaps the owner is in Vietnam, their card got stolen, and the user is indeed a fraudster. But besides that being improbable, I couldn't think of a way to prove that alternative.

And if I can’t flip my decision, no amount of evidence will change the end result.

Meaning, any evidence I collect from now on would be a waste of time.

That’s the finishing condition.
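To make the shift described above concrete (decide first, then run only the questions that could flip you, and stop when none are left), here is an added illustration in Python. It is not the author's tooling or any real review system: a case carries the flag that queued it and that flag's assumed historical fraud rate, the initial ruling defends the flag, each pre-registered question declares which ruling it can flip, and the loop ends at the finishing condition, or earlier if the time budget runs out, at which point it still returns a ruling. The two cases, the 20% rate, the question wording and the field names are constructed assumptions; the first case mirrors the Vietnam example above.

```python
from dataclasses import dataclass, field
from typing import Callable

# Constructed illustration: the names, rates and cases below are assumptions,
# not data from the original post or from any real fraud queue.


@dataclass
class Case:
    case_id: str
    flag: str               # what put the case in the queue
    flag_fraud_rate: float  # share of past hits of this flag that were fraud (assumed)
    facts: dict             # what the investigator can look up


@dataclass
class Check:
    """A pre-registered question whose 'yes' answer flips a ruling."""
    question: str
    applies_to: str         # ruling this question can flip ("fraud" or "legitimate")
    flips_to: str           # ruling adopted when the answer is yes
    answer: Callable[[dict], bool]


@dataclass
class Ruling:
    decision: str
    theory: str
    trail: list = field(default_factory=list)  # (question, flipped?) in the order asked
    checks_run: int = 0
    timed_out: bool = False


def initial_ruling(case: Case) -> Ruling:
    """The flag is already a decision: start by defending it."""
    return Ruling(
        decision="fraud",
        theory=f"fraud because {case.flag} "
               f"(historically {case.flag_fraud_rate:.0%} of these hits were fraud)",
    )


def investigate(case: Case, checks: list, budget: int = 10) -> Ruling:
    """Ask only questions that could flip the current ruling, in the order written.

    Finishing condition: no unanswered question applies to the current ruling.
    If the budget of questions is exhausted first, return the ruling we are
    currently defending and mark it as timed out.
    """
    ruling = initial_ruling(case)
    asked = set()
    while True:
        pending = [c for c in checks
                   if c.applies_to == ruling.decision and c.question not in asked]
        if not pending:
            return ruling                 # nothing left could change the decision
        if ruling.checks_run >= budget:
            ruling.timed_out = True       # out of time, but we still have a ruling
            return ruling
        check = pending[0]
        asked.add(check.question)
        ruling.checks_run += 1
        flipped = check.answer(case.facts)
        ruling.trail.append((check.question, flipped))
        if flipped:
            ruling.decision = check.flips_to
            ruling.theory = f"{check.flips_to}: {check.question} -> yes"


# Questions tied to the flag "IP country differs from card country" (assumed wording).
CHECKS = [
    Check("can the account holder be placed at the IP location?", "fraud", "legitimate",
          lambda f: f.get("holder_location_country") == f["ip_country"]),
    Check("is this a device the account used before the flagged event?", "fraud", "legitimate",
          lambda f: f.get("device_seen_before", False)),
    Check("is the holder at the IP location but the card reported stolen?", "legitimate", "fraud",
          lambda f: f.get("card_reported_stolen", False)),
]

# Constructed cases. The first mirrors the Vietnam example from the post.
VIETNAM_CASE = Case("case-1", "ip_country != card_country", 0.20, {
    "ip_country": "VN", "card_country": "US", "account_country": "US",
    "holder_location_country": "VN", "device_seen_before": False,
    "card_reported_stolen": False,
})
UNRESOLVED_CASE = Case("case-2", "ip_country != card_country", 0.20, {
    "ip_country": "VN", "card_country": "US", "account_country": "US",
    "holder_location_country": None, "device_seen_before": False,
})

if __name__ == "__main__":
    for case in (VIETNAM_CASE, UNRESOLVED_CASE):
        r = investigate(case, CHECKS)
        print(case.case_id, r.decision, f"{r.checks_run}/{len(CHECKS)} questions asked",
              "timed out" if r.timed_out else "finished", r.trail)
```

On the first case the ruling flips to legitimate after one question, the only question that could flip it back (stolen card) is answered no, and the loop stops with two of three questions asked; the third question is never run because it could no longer change the result. On the second case both fraud-flipping questions come back no and the ruling stays fraud, again after two questions. Lowering the budget to one question on the first case returns the legitimate ruling marked as timed out, which is the "if time runs out, you still have a ruling" property.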

Here's what this means for your process

Most manual review queues run at a fraud rate somewhere between 5% and 30%, which means the majority of cases you're reviewing are not fraud.

Think about what that implies.

The statistically viable route isn't proving fraud. It's disproving it.

Starting with "this is fraud" and looking for evidence to the contrary puts you on the right path almost immediately because usually, it isn't. 

And the evidence to show that will be specific and tied directly to whatever triggered the case. You know what flagged it. You know what "not fraud" would look like in that context. You have a clear set of questions.

And that’s the process.

You can't standardize open-ended inquiry, but you can standardize theory formation and disproval.

Knowing what flagged the case, committing to an initial theory, and pre-defining what would flip it - that's something you can write down, train on, and replicate.

Next week I'll walk through a complete investigation end to end using this approach - from the flag to the initial theory to the disproval questions to the final ruling.

In most cases I've run this way, resolution comes in under five minutes.

And more importantly - it’s the correct resolution.

Have I convinced you yet? If you’ve seen other models that work well - hit that reply button and let me know.

In the meantime, that’s all for this week.

See you next Saturday.


P.S. If you feel like you're running out of time and need some expert advice with getting your fraud strategy on track, here's how I can help you:

Free Discovery Call - Unsure where to start or have a specific need? Schedule a 15-min call with me to assess if and how I can be of value.
Schedule a Discovery Call Now »

Consultation Call - Need expert advice on fraud? Meet with me for a 1-hour consultation call to gain the clarity you need. Guaranteed.
Book a Consultation Call Now »

Fraud Strategy Action Plan - Is your Fintech struggling with balancing fraud prevention and growth? Are you thinking about adding new fraud vendors or even offering your own fraud product? Sign up for this 2-week program to get your tailored, high-ROI fraud strategy action plan so that you know exactly what to do next.
Sign-up Now »

 

Enjoyed this and want to read more? Sign up to my newsletter to get fresh, practical insights weekly!
