#85 - Stop letting fraudsters write your rules

Most fraud teams I speak with have a rule engine they're reasonably proud of.

They've built up a solid set of rules over time. They've survived a few attacks. And when a new fraud spike hits, they add a new rule, monitor it, and move on.

Fraud hits, they react.

Is it bad? Not necessarily. I’ve argued many times that being fast to react is what most teams need to focus on.

But that doesn’t mean you can’t run proactive efforts in parallel. And cheaply.

Because here’s the thing: You already did the work. 

Your existing fraud rules are essentially a library of fraud patterns categorized by their type: strategy, behavioral, and trend rules. You already have the first dimension - typology.

But what if you can add more dimensions to this framework?

What I want to share today is a way to think about rule expansion that's systematic rather than reactive - how to use your existing rule set as a map that tells you where to go next.

The use case dimension

So you've already built a directory of fraud patterns and signals. The question is: where are you actually deploying them?

Most teams deploy a rule where they first saw an attack. A fraudster abuses the payment flow? You write a rule for payments.

But that same underlying pattern might also show up at onboarding, at login, at profile changes, or at withdrawal. And there's a decent chance you haven't checked, because you haven’t been attacked there yet.

The exercise is straightforward: take your existing rules, and for each one, ask where else in the product journey could this same logic be relevant?

Now, an important caveat: this is not an exercise in copy-paste. Each use case has its own quirks.

The data schema changes, the fraudsters’ particular behavior changes, and most importantly - the success criteria change. For example, you need a higher precision bar for blocking a new signup than for blocking an email change, so the same logic gets a different threshold in each flow.

The economics of a missed fraud or a false positive are totally different. 

But the point is that you already have the patterns. You already know they're relevant to your system. 

The work is in applying them with appropriate adjustments, and in doing so before fraudsters show up in a new channel and force your hand.

The resolution dimension 

Every automated rule has a secret twin. One that you’re likely not exploiting.

Here's the idea: when you write a rule that automatically declines or approves, you've set a high bar. The precision and recall need to be acceptable.

But what if you relaxed that bar slightly? Not so much that the rule is useless - just enough that it catches fraud your automated version misses. 

And instead of auto-declining, this version flags for manual review. 

You now have two rules doing different jobs from the same logic. The automated version resolves the clear cases, while the softer version catches the mid-risk population.

It works in the other direction too. 

Take a rule that currently only flags events for your queue and tighten it into an auto-decline version, even if its recall is low.

Not only do you now auto-resolve cases that would otherwise have been needlessly reviewed, but you also reduce your exposure time by acting against them faster.

Side note: Running similar clones of the same rule can be tricky if you’re not measuring your results holistically. I went deeper into incremental rule performance measurements in issue #35 if you’d like to learn more.

Now some of you might be thinking - what if you don't have any manual review operations at all? You still want to do this.

Instead of flagging for review, run the softer version in shadow mode.

It becomes a tripwire. If a fraudster finds a workaround to your automated rule, the looser version will often catch it first. You'll see the pattern re-emerging in your shadow logs and you'll be able to move fast because the rule is already tested and monitored.

A softer shadow mode rule also gives you a crude fraud pressure gauge.

For example, a sudden dip in the softer rule's fraud rate means the pattern is now matching more legitimate activity than before, which is an early warning that your automated version has drifted and is generating more false positives too.

Side note: If you’re unfamiliar with the concept of Shadow Mode, I’ve written in the past how and when to use it, and what it cannot tell you.
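To make the two expansion dimensions concrete, here is an added Python example. It is my illustration, not code from the newsletter, and everything in it is an assumption: the pattern name (a device touching many distinct accounts), the three flows and their thresholds, and the labelled event stream. One pattern is expanded across flows with per-flow thresholds (the use case dimension) and into a strict auto-decline variant plus a softer review or shadow variant (the resolution dimension); the events are then replayed to show what the softer variant adds, including the tripwire case where the pattern fires in a flow whose auto rule has never triggered.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events (assumption for the illustration, not real data).
# "fraud" is the eventual confirmed outcome, used only to score the rules.
EVENTS = [
    {"id": 1, "flow": "payment", "device": "dev-A", "account": "acc-1", "fraud": True},
    {"id": 2, "flow": "payment", "device": "dev-A", "account": "acc-2", "fraud": True},
    {"id": 3, "flow": "payment", "device": "dev-A", "account": "acc-3", "fraud": True},
    {"id": 4, "flow": "payment", "device": "dev-A", "account": "acc-4", "fraud": True},
    {"id": 5, "flow": "payment", "device": "dev-B", "account": "acc-5", "fraud": False},
    {"id": 6, "flow": "payment", "device": "dev-B", "account": "acc-6", "fraud": False},
    {"id": 7, "flow": "login", "device": "dev-C", "account": "acc-7", "fraud": True},
    {"id": 8, "flow": "login", "device": "dev-C", "account": "acc-8", "fraud": True},
    {"id": 9, "flow": "login", "device": "dev-D", "account": "acc-9", "fraud": False},
    {"id": 10, "flow": "email_change", "device": "dev-E", "account": "acc-10", "fraud": False},
    {"id": 11, "flow": "email_change", "device": "dev-E", "account": "acc-11", "fraud": True},
    {"id": 12, "flow": "email_change", "device": "dev-E", "account": "acc-12", "fraud": True},
]

# Use case dimension: the same pattern is deployed per flow, with per-flow
# (strict, soft) thresholds because a false decline costs more in some flows
# than in others. The values are assumptions for the illustration.
FLOWS = {"payment": (4, 2), "login": (3, 2), "email_change": (3, 2)}


@dataclass(frozen=True)
class Rule:
    name: str
    flow: str        # use case dimension
    threshold: int   # fires when the signal reaches this value
    action: str      # resolution dimension: "decline", "review" or "shadow"


def expand(base: str, flows: dict, soft_action: str = "review") -> list:
    """Expand one pattern along both dimensions: one strict auto-decline rule
    and one softer rule per flow. Pass soft_action="shadow" if there is no
    manual review queue; the soft variant then only logs."""
    rules = []
    for flow, (strict, soft) in flows.items():
        rules.append(Rule(f"{base}:{flow}:auto", flow, strict, "decline"))
        rules.append(Rule(f"{base}:{flow}:soft", flow, soft, soft_action))
    return rules


def evaluate(events: list, rules: list) -> dict:
    """Replay events in order. The signal is the number of distinct accounts a
    device has touched in a flow so far (the pattern shared by all variants).
    Returns {rule name: [ids of the events on which the rule fired]}."""
    seen = defaultdict(set)                     # (flow, device) -> accounts
    hits = {r.name: [] for r in rules}
    for e in events:
        key = (e["flow"], e["device"])
        seen[key].add(e["account"])
        signal = len(seen[key])
        for r in rules:
            if r.flow == e["flow"] and signal >= r.threshold:
                hits[r.name].append(e["id"])
    return hits


def tripwire(hits: dict, base: str, flow: str) -> list:
    """Events the soft/shadow variant caught but the automated variant missed:
    the population to review, or, in shadow mode, the early warning that the
    pattern is active in a flow where the auto rule is not (yet) firing."""
    auto = set(hits[f"{base}:{flow}:auto"])
    soft = set(hits[f"{base}:{flow}:soft"])
    return sorted(soft - auto)


def fraud_rate(events: list, ids: list) -> float:
    """Share of confirmed fraud among the flagged events. Tracked over time on
    the soft variant, this is the crude pressure gauge described above."""
    if not ids:
        return 0.0
    by_id = {e["id"]: e for e in events}
    return sum(by_id[i]["fraud"] for i in ids) / len(ids)


RULES = expand("multi_account_device", FLOWS)

if __name__ == "__main__":
    hits = evaluate(EVENTS, RULES)
    for r in RULES:
        print(f"{r.name:<35} {r.action:<8} fired on {hits[r.name]}")
    for flow in FLOWS:
        soft = hits[f"multi_account_device:{flow}:soft"]
        extra = tripwire(hits, "multi_account_device", flow)
        print(f"{flow}: soft variant adds {extra}, fraud rate {fraud_rate(EVENTS, soft):.2f}")
```

In the constructed stream the payment auto rule fires only once the device reaches four accounts, while the soft variant has already flagged the same device twice (and one legitimate device once, which is the precision you trade for the earlier catch). In the login flow the auto rule never fires at all, yet the soft variant does: that is the tripwire, a pattern proven in payments showing up in a flow you have not been attacked in yet.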

Mapping your gaps

Here’s what I’d like you to avoid: don’t rush off to map all three dimensions, enumerate every possible rule permutation, and try to release all of them.

The idea is not to have a complete system, but an efficient one.

Think about it this way - you already invested the effort in detecting and cataloging your fraud attacks. Can you, for a small extra investment, squeeze more performance out of that work?

Here’s how to be smart about it - pick your top 10 rules. For each one, ask:

  • Is this deployed across all the use cases where the pattern is relevant?

  • Do I have both an automated version and a review/shadow version of this logic?

Map your gaps, prioritize the order in which you want to close them, and start going at it.

The bottom line

Most rule systems grow reactively. A fraud attack happens, a rule gets added, the attack subsides, and the team moves on.

Being reactive is ok, but if it's the only mode you're in, fraudsters are dictating your roadmap.

The three-dimensional view is a way to take back the initiative.

When the waters are calm and fraud is under control, this is how you proactively expand your defenses along tried-and-true tactics.

The patterns are already there. The signals are already validated. The question is whether you expand them on your terms, or wait for the next wave to make the decision for you.

How are you proactively expanding your defenses? Hit reply - genuinely curious how teams think about this.

In the meantime, that’s all for this week.

See you next Saturday.


P.S. If you feel like you're running out of time and need some expert advice with getting your fraud strategy on track, here's how I can help you:

Free Discovery Call - Unsure where to start or have a specific need? Schedule a 15-min call with me to assess if and how I can be of value.
Schedule a Discovery Call Now »

Consultation Call - Need expert advice on fraud? Meet with me for a 1-hour consultation call to gain the clarity you need. Guaranteed.
Book a Consultation Call Now »

Fraud Strategy Action Plan - Is your Fintech struggling with balancing fraud prevention and growth? Are you thinking about adding new fraud vendors or even offering your own fraud product? Sign up for this 2-week program to get your tailored, high-ROI fraud strategy action plan so that you know exactly what to do next.
Sign-up Now »

 
