Chris Thomas, Managing Director EMEA, Emailage Corporation, spoke to Gambling Insider at this year’s ICE London about how a player’s level of risk can be worked out purely through tracking an email address, and how operators can sometimes lose players by implementing the wrong fraud-prevention systems.
Can you give an overall summary of what Emailage does and how you help the gambling industry?
Emailage was formed out of the financial services industry. The company was founded in 2012 and I joined last June. One of our senior executives worked for American Express in Phoenix, and they realised they had all this data, but the one thing they couldn’t do anything with was the email address. They could look at ID data, device data and all sorts of other things, but details about the email were unknown. The initial issue was trying to work out how old the email is. If an email was created yesterday, it’s inevitably higher risk than an email address that is six years old. From there, it grew very quickly.
The realisation is that an email is your digital persona. Whenever you make any interaction online, whether it’s logging into iTunes, your Google account or your bank, you have to present your email address. That’s probably the first piece of data, and it’s mandatory.
Your email is 100% unique; only you have your email address. We realised this is a global, unique identifier. People have tried different things like this for years, like social security numbers or device IDs, but none of them are unique. None of them are transportable globally and a lot of the time, they can very easily be hacked or stolen. Identity data is easily accessed via the dark web. I can buy 1,000 identities for a few dollars. But when you actually analyse how a fraudster operates, they will take my identity, be it my card data for example, but they can’t use my email, because the first person who knows it’s being used is me.
We will then look at the details behind that. How old is this email? How many interactions has it had? Is it linked to any social media accounts? If so, how long has that social media account been active? Does the name link to the applicant name? What type of job title does the applicant hold? Where does the IP originate from? How does that interact with our network? Has this IP address been associated with hundreds of emails in the space of two hours? Has it got historical connections to other things?
The email address may have booked tickets for events hundreds of times, opened accounts or been used to wager online. You can then bring all that publicly-available information together. If you present your email to us, we can then say it’s been active for several years and that nothing negative is associated with it. We can tell the operator this is a really safe person to do business with, and we can equally help our customers catch any potential fraudulent activity as quickly as possible.
What would class as an overall risk score a player would want to be hitting?
We generally class from risk bands one to six, but that’s customisable. A player in risk band one would just show as auto-approve, whereas with risk band six, we would tell them there is a 92% risk of fraud and the customer would more than likely auto-decline. They are actually trying to squeeze out all that manual review work. They want to focus their energy on the good ones and get the bad ones out as quickly as possible before they’ve spent even more marketing dollars and all that money on KYC for someone who is just a bad actor. It’s a recommendation from us based on the customer’s requirements. It’s a sub-second response. Last year, we launched a high-speed version of our product and it was launched on the request of some of our high-volume customers.
Based on any involvement you may have had with the gambling industry so far, how well protected is the industry from online fraud?
From what I’ve seen, I think it’s mixed. We’ve had conversations over the last few days where some really focus their energies on it and understand it, whereas others don’t truly understand it. Some can actually be so focused on preventing fraud that they do it to the detriment of the customer experience. On the other side, you have some who let the fraud go and focus too much on the customer experience. We’re there to provide a balance to both.
In this industry, there are a lot of different types of scams. It’s not just card fraud or application fraud. Based on my 20 years in the fraud space, if there is one thing I can tell you, it’s that where there’s money, there’s bad people. Bonus abuse is obviously huge in this industry, because it’s a very simple way to access funds; it’s low risk for the fraudster and it’s very attractive to bad actors.
How do you think gambling operators can improve in this area?
I think improving the customer experience while remaining secure against fraud is the main issue. I don’t try online gaming much, but the only time I tried to open an online poker account was in a hotel room after seeing a TV advert. I tried to sign up, and I was asked to provide my passport. I’m in a hotel room, travelling locally. I don’t have a passport, so it’s game over – you’ve just lost a customer. I don’t know what customer lifetime value represents in poker, but if it’s $1,000, you’ve just turned that away, because you’ve put too complex a system in place in your attempt to catch fraudsters. You’ve sacrificed the customer experience for the sake of less than 1% of players. That’s archaic and there are much better ways to do it than that. Also, the bad ones will just walk through it, because they’re armed with a passport and are ready to go. They’ve just bought it off the dark web for $7.They know exactly what your controls are.
I actually see this in many industries, where companies block good customers and the bad customers are still coming in. Look at your processes. You’ve got processes in place which aren’t fit for purpose. I think that’s applicable to all industries, if I’m honest.
So how do you create a process that’s more simple for a recreational player, like yourself, and protect against fraudsters at the same time?
I always say if you want an example of a company that’s really nailed this, it’s Amazon. Amazon have the most simple enrolment process. How do they do that? It’s not witchcraft. Amazon have got a lot of data and they’ve got very good analytics and data science. I’ve been in this space a long time, and what I know is you can’t make fundamental decisions without data.
Would you know roughly how many cases of online fraud we see in gambling every year?
It’s impossible to know, because people don’t report it. What we will see with the Second Payment Services Directive – PSD2 – is that card issuers will have to report it. I think it’s going to open a lot of people’s eyes. I remember the first UK fraud reports about 10 years ago showed there were about £60m worth of fraudulent transactions in the UK, but the latest reports suggest it’s way over £1bn. People would often wrongly categorise fraud as bad debt. If you do that, how can you possibly understand the root cause of the problem? PSD2 will give us more insight into the genuine cost of fraud. The last global figure I saw was that there was $1.2 trillion worth of fraud, but I think it’s probably bigger than that. It’s very attractive to the bad actors.