Tackling Global Promotion Abuse on a Leading E-Commerce Platform

A global leading fashion e-commerce runs marketing campaign focused on viral growth strategies to attract new users such as flash sales, lucky draws and games. Their referral program also faced challenges from fraudulent exploitation by underground market operators and malicious competitions from rivals.

October 2, 2024

10 minutes

Yuqi Chen, Catherine Yu

Leverage on several machine learning models to detect orchestrated fraud organization and analyse various aspects of anomalies. The fraud management strategy has successfully intercepted 3.5 million risks and avoided $1.4 million in 30 days.

In 2023, a global leading fashion e-commerce retailer set its sights on global expansion, leveraging its on-demand business model, efficient supply chain, competitive pricing, and precision-targeted digital marketing

To enhance market share and user engagement, the company launched an extensive series of marketing campaigns, gradually expanding them to over 30 countries across North America, Europe, Latin America, and the Middle East. The campaigns primarily focused on viral growth strategies to attract new users, with a marketing budget of nearly 2.8 billion USD.

Building on this, they launched a promotional campaign featuring three key events: price slash sales, lucky draws, and a virtual pet-keeping games, with the goal to rapidly grow their customer base through a referral program, where existing users could invite new customers and earn points in each event.

However, the campaign faced huge challenges from fraudulent exploitation by underground market operators and malicious competition from rivals.

The Challenge: Promo Abuse

Promotion abuse occurs when individuals or groups exploit promotions like discounts, coupons, or referral programs beyond their intended purpose, leading to financial losses. As e-commerce grows, online promotions spread quickly across digital platforms, making them vulnerable to abuse by a diverse audience, including fraudsters. This results in businesses paying for what seems like organic growth, but is actually fraudulent activity, skewing marketing data and causing financial loss.

In this case, the company encountered significant issues with promotion abuse, as users created fake accounts, by-pass IP restrictions, alter devices, and collaborated with fraud rings to exploit rewards.

Fake Email Registration in Bulk

Fake email registration is a common tactic fraudsters use to exploit promotions in e-commerce platforms. Fraudsters create multiple fake accounts using temporary or disposable email addresses. These accounts are often generated in bulk through bots or automation tools. In this case, TrustDecision identified email related anomalies such as clustering of random emails, temporary domain emails, and similar email addresses.

Bypass E-fence: Cross IP Restriction

E-fencing is a digital boundary used to manage access based on geographic location, typically by checking IP addresses. It’s commonly employed to enforce regional rules, control content access, or limit promotions to specific countries. For this e-commerce brand, promotions were restricted to certain regions, like the U.S. However, a significant number of users from Asia and Africa bypassed these IP-based checks, exploiting promotions meant exclusively for American customers, resulting in unintended participation and potential financial loss.

Device Spoofing

Device spoofing is a fraudulent tactic where a bad actor disguises a device’s identity, such as altering IP addresses, user agent string, device ID, IMEI numbers, or MAC address, to bypass security protocols or impersonate legitimate users. They've encountered 3 key challenges from fraudsters in this case.

  1. Reset Low-Value Device: Resetting low-value devices refers to performing a factory reset, which erases all data and restores the device to its original state. Some users engage in suspicious behavior by frequently resetting certain device models or alternating between two devices to make them appear as new. This tactic is used to bypass restrictions on the number of accounts tied to a single device. Here's a summary of the key characteristics of suspicious devices observed in this case:
    • Device Model: 5-6 similar models are repeatedly reset and SM-A115U, SM-A215U, 5087Z are among the top three.
    • Available Storage Proportion After resetting, the available phone storage proportion is higher than normal devices and our analysis finds that more than 80% of storage  remains among the suspicious devices.
    • Screen Resolutions: Primarily 720x1560 and 720x1600.
    • Power-On Duration: Devices with shorter power-on durations (under 30 minutes) might be reset more frequently.
  2. Modify device: On iOS devices, users can jailbreak the device to alter its information and make it appear as a new device. This process involves modifying the device’s system and settings to change identifiers such as the device ID or MAC address.
  3. On Android devices, fraudsters can achieve a device spoofing effect by rooting the device and using Magisk to modify device parameters. This process involves gaining administrative access to the device’s operating system, allowing users to alter key identifiers such as the device ID to make the device appear as a new one.
  4. Both methods enable fraudsters to bypass detection systems by disguising the device, making it harder to enforce rules that limit device-based accounts.
  5. Cloud phones: Cloud phones, unlike traditional smartphones, do not require physical devices and allow users to access mobile operating systems like Android or iOS remotely. This flexibility facilitates the creation of virtual devices, which can be used to bypass account creation restrictions. However, because cloud phones are relatively straightforward to detect and mitigate with advanced risk control systems, they are not a primary method for fraudsters seeking to circumvent device-related restrictions.

Organized Fraud Gang

Organized fraud, or gang fraud, involves coordinated schemes that are harder to detect. In this case, influencers were found exploiting promotions by driving mass registrations and generating fake referrals through private networks. Although these appeared new users register with unique devices and emails, they are oftentimes low-quality participants completing crowdsourcing tasks and hardly return after claiming their rewards. To combat this, collusion detection models can identify large-scale, short-term registrations with similar behavioral patterns across different users.

Our Solution

To help a cross-border e-commerce fortify its defence against promotion abuse, TrustDecision developed a comprehensive strategy, integrating machine learning models and advanced anomaly detection and to identify and prevent fraudulent activity.

Machine Learning Model

1. Behavioral analysis model

This model evaluates user interactions such as login frequency, navigation paths, and purchasing behavior. By establishing a baseline of normal activity, it can quickly flag deviations like sudden spending spikes or irregular login times, which often signal fraud. It continuously compares real-time behavior with historical data to spot emerging fraudulent patterns.

2. Clustering Model

Using unsupervised learning, this model groups users based on shared behaviors, such as referral activity. It reveals hidden patterns, identifying coordinated efforts like fraud rings exploiting referral programs through mass registrations or synchronized actions.

3. User Profiling Model

The profiling model creates comprehensive user segments by analyzing demographics, purchase behavior, and interaction data. By categorizing users into profiles such as "high-value customers" or "potential fraudsters," it enhances targeted fraud prevention while ensuring genuine users aren’t impacted.

4. Organized Fraud Detection

This model excels at identifying fraud rings by linking users through shared devices, contact details, or synchronized behavior patterns. In a recent analysis of a promotion, the model detected nearly 300 fraud rings involving thousands of devices and accounts, improving detection efficiency by 15% compared to traditional methods.

Each of these models collectively strengthens the fraud prevention system, enabling S to address various fraud scenarios in real-time.

Anomaly Detection

1. Identity Verification

Monitoring for identity anomalies, such as multiple accounts sharing similar personal details (e.g., name, email, phone number), helps businesses detect suspicious patterns. Early identification of these anomalies can prevent fraudulent transactions from escalating.

2. Device Analysis

Fraudsters often use tactics like device spoofing or frequent resets to obscure their identity. Analyzing device data—such as frequent changes, altered configurations, or the repeated use of the same device across different accounts—enables businesses to uncover hidden risks and act swiftly to mitigate them.

3. Location Monitoring

Geographic data is another vital fraud indicator. Many fraudsters employ VPNs or IP spoofing to hide their true location. By tracking location anomalies—such as sudden shifts in geography or transactions from high-risk regions—businesses can flag and investigate suspicious activity more effectively.

4. Frequency Monitoring

High-frequency account activities, such as rapid purchases or bulk transactions within a short time, often signal fraud attempts, especially when automated bots are involved. By analyzing transaction and account frequency, businesses can detect and stop fraudulent behaviors before significant damage occurs.

5. Behavioral Analysis

Monitoring user behavior provides deeper insight into fraud detection. Deviations from normal patterns, such as unusual purchases, inconsistent browsing habits, or unfamiliar payment methods, can signal fraudulent activity. Behavioral analysis enables businesses to act on these early warnings.

Results

Over a 30-day period, the platform implemented the customized risk control system and closely monitored its effectiveness. The results were remarkable:

>3.5 million

risks intercepted

>1 million

fraudulent accounts blocked

>USD$ 1.4 million

revenue loss avoided

Conclusion

In cross-border e-commerce, the ability to detect and prevent fraud is crucial for maintaining platform integrity, ensuring customer trust and prevent financial loss. By implementing a comprehensive monitoring system that tracks key factors such as identity, device usage, location anomalies, transaction frequency and user behavior, businesses can effectively identify suspicious activities and mitigate risks. Advanced analysis of these data points helps prevent fraudulent schemes, ensuring smoother operations across global markets. A multi-layered approach to fraud detection strengthens the overall security of cross-border e-commerce platforms in an increasingly complex digital landscape.

Subscribe to our newsletter to get real insights, fraud analysis, innovative technology updates and latest industry trends

Related Posts

Let’s chat!

Let us get to know your business needs, and answer any questions you may have about us. Then, we’ll help you find a solution that suits you