Manual Review Best Practices: What’s the Value of Assessing IP Address Risk?

In this blog post, we continue our discussion of best practices for manual review. Today’s topic is assessing IP address risk.

A fraudster (or indeed, anyone) placing an order on a website uses a device (computer, mobile phone or tablet) and this device is associated with an IP address.

In our last blog post, we discussed how the physical location of the IP address can be matched against other location information to see if anything looks suspicious. For example, it’s best to closely scrutinize orders where the location of an IP address is in one country and the billing address in another.

Fraudsters recognize the power of geolocation in identifying fraud, so they act to hide their actual IP address and, by extension, their geographic location. The best way for them to take cover is to connect to the Internet using a proxy server. Popular hiding places include open proxies, hosting providers and VPNs.

Since proxies are a place to find fraudsters, it stands to reason that identifying an IP address as a proxy increases the risk associated with it. But proxy detection provides only part of the picture. Proxies change frequently, so that an IP address that was a proxy today will not necessarily be a proxy tomorrow. And there are legitimate reasons to use a proxy. For example, while a fraudster might use a VPN to hide shady activity, corporations also use VPNs to provide access to corporate computing assets by geographically dispersed offices as well as to employees who work remotely or are traveling.

To provide a deeper understanding of IP address risk, minFraud generates a proxyScore* for each transaction. The proxyScore indicates how likely it is that the traffic from an IP originated from a fraudster. This score is based on data from the minFraud network, a database of over 500 million rolling transactions generated by a broad spectrum of merchants worldwide. Analysis of the history of traffic from the IP address takes into consideration more than proxy identification. For example, if a customer reports a chargeback in association with a transaction, the minFraud network uses this information to increase the proxyScore of that IP address.

minFraud assesses IP address risk and returns a proxyScore for each of your transactions. During manual review, refer to the proxyScore to get some sense of whether there are good or bad guys behind the IP address. But, as always, keep in mind that the proxyScore is one of the many data points to factor into your manual review process. To get a full picture of the risk assessment provided by the minFraud network, it’s especially helpful to take a look at riskScore in the light of the proxyScore for a transaction. Looking at these two scores together may prove conclusive – or compel you to weigh other factors before coming to a final decision.

* minFraud Insights provides an IP risk score in place of the proxyScore.