Using Cases to prevent online fraud by identifying customers with multiple accounts

DupZapper uses sophisticated machine learning techniques to process various technical data it collects and presents groups of accounts created and maintained by the same person together in a form simple to understand. Here's how.

Concept of a Case and its importance for detecting online fraud

Most of the ways to perpetrate online fraud and cheating in online games rely on a perpetrator being able to register and use multiple accounts. This is a core requirement for doing such common fraud types as bonus abuse, overcoming payment limits by criminals or skilled players, carrying out collusion and money laundering activities. Detecting customers that try to conceal real identity or own multiple accounts helps to recognise them before damage is done.

Cases is one of the core features of DupZapper, which allows to fight online fraud more efficiently than other means. Essentially, Case is a group of associated accounts, though to be created by the same person. Keeping extensive history about activities of each customer lets us to present the high-level view, focusing on details important to business.

When listed, cases are presented in a concise way that includes affected accounts and reasons why they though to be related or otherwise suspicious.

Clicking on a case lets to see full history how accounts were linked together. In this example all accounts in a case were put together because they have used same device, besides one of them accessed website from a location far away from address entered in registration details.

Sometimes accounts presented in one case are linked indirectly. For example, customers A and B might have used same password and customers B and C shared the same device. In this scenario, there is a high chance of A and C being run by the same person, although there is no evidence to support this directly. To visualise such cases, DupZapper offers a feature called Case Outlook. It shows which fields are shared across different accounts in same Case, highlighting the ones that are used by a few simultaneously.

Case Workflow

To track how fraud analysts are processing detected cases of online fraud, DupZapper offers fully-featured workflow, allowing to assign statuses to cases, comment on them and audit all analyst activities.

All new cases are created as Suspected.

When a comment is made, status of case changes to either Review, Confirmed [to be fraud] or Approved [as legitimate player].

Specific uses of these statuses depend on your needs. For example, you can select Review when an investigation is pending (for example, KYC requested), use Approved to close the case without bad activity and select Confirmed when at least one of the accounts has been blocked or factored.

These statuses can be integrated into your CRM and payments tool. For example, it could display warning if a withdrawal request is made by an account that has at least one case with status different from Approved.

If a case has Review, Confirmed or Approved status and a new account is found to be linked to the case, or extra evidence is found against accounts that are already in the case, it’ll automatically change status of the case to Reopened. This is the only automatic status change in the system.

Reasons for a Case

You may encounter following reasons for accounts to be linked to a case:
  • Duplicate Device ID. DupZapper is 100% certain that two or more accounts have used the same device to log in or register.
  • Duplicate Browser. Customers have used the same browser in same timezone with same OS language, same set of system fonts, browser plugins and screen resolution. Quite reliable on desktops, but if you see that its an Android or iOS browser then it is a false positive most likely.
  • Activity IP outside address. Means that MaxMind GeoIP database shows activity IP in a different location than address entered during registration by customer.
  • Phone country does not match address country. Phone number country code in registration is different from the country from address.
  • Duplicate … Another field of registration information is duplicated.