Putting Email at The Core of Digital Identity
Emailage was founded in 2012. The company enables merchants to use customers’ email addresses as the core element in assessing transactional fraud risk, including a predictive fraud score. Emailage leverages a vast consortium of data and layered technology to combat transaction fraud, along with other use cases pertaining to account fraud. about-fraud.com had a chance to catch up with Amador Testa, Chief Product Officer at Emailage. We took a deep dive into his product’s value, discussing how Emailage verifies digital identity for today’s online businesses.
PR: Is Emailage primarily intended as an add-on service for fraud prevention platforms, or is it intended to be used as a standalone service?
AT: We position ourselves as the backbone that connects companies and platforms in the fight against fraud, using the best global identifier – the email address. Our services are consumed via our partners, the fraud prevention platforms or directly when the customer has an in-house fraud prevention solution.
PR: How many email addresses or people covered do you have in your system?
AT: Emailage is a global fraud prevention company, with decision science experts, we combine fraud data coming from our contributory consortium model (over 40 million fraudulent emails), with machine learning algorithms, email history (real time access to over 5 billion emails in real time), domain intelligence, IP intelligence, name ownership verification, phone, address and vast social media data.
PR: Does Emailage have global data coverage for emails or is the coverage better for specific geographies?
AT: We built a solution with global coverage. We currently process transactions for our customers in over 150 countries.
PR: What markets does Emailage serve outside of the U.S.?
AT: We have local offices in US, UK and Brazil, along with local resources in Mexico, Colombia and Greece, but we have customers in every continent, including countries like the United Arab Emirates, Australia, Japan, Germany, France, Argentina and more.
PR: As part of its global coverage, has Emailage done anything to comply with Europe’s General Data Protection Regulation (GDPR) ahead of its implementation next May?
AT: Yes, we have been working on the GDPR certification and also have several certifications, which includes SOC 2 Type II, EU-U.S. Privacy Shield and Cyber Essentials.
PR: Is email address and IP location enough to detect fraud risk? Are other data points less important?
AT: The email address is the core of our solution, since it is the best unique global identifier for an individual, we consider it the global digital ID. Starting with the email address we connect other elements to it like the IP address, customer name, phone and address to perform more robust and specific risk assessment. The IP address helps with more accurate geolocation and proxy risk when properly linked with the email, while name, address and phone helps to confirm an identity.
PR: How did Emailage create a risk scoring system? What characteristics receive what scores?
AT: We believe that fraud is an evolving problem, so in order to attack it from multiple fronts and ensure the score is relevant we combine several techniques, which includes machine learning (GBM models), safety net rules, linear regression, risk profiling (at customer, industry and network level), EHBM (Element Historical Behavior Monitoring, IAPD (Instant Abnormal Pattern Detection). The score goes from 0 to 1000, where a high score indicates higher risk, and it uses hundreds of variables associated with the email address to create a profile, which we score for fraud risk.
PR: How does Emailage move beyond transaction fraud to help protect accounts? Specifically, how does your solution address account takeovers and/or synthetic identity fraud that uses valid emails?
AT: Yes, we can add value anytime an email address is present in a transaction, which includes all online transactions, like card not present, account maintenance, account opening and listening abuse. For the compromised/ATO (account takeover) emails, we use the following checks to identify risk:
- email part of a recent compromise (we monitor the dark net);
- changes of behaviors on email activity (suggesting potential ATO);
- changes on data associated with the transaction containing the email (e.g. IP address, name, address and phone)
- velocity on transactions associated with the email (suggesting potential ATO);
- email reported as ATO fraud in our network
We have a customer that was having issues with ATO emails, and we were detecting around 50% of their cases upfront, and are now implementing additional rules tailored to their needs to pump the coverage above 70%.
PR: Are there any merchant verticals where the use of fraudulent emails is more prevalent than others?
AT: We add value anytime an email address is present in a transaction, which includes all online transactions. We are currently working with all major merchant verticals as well as the financial sector, our current network includes:
- Four of top six credit card issuers
- Five of top six credit bureaus worldwide
- Top four money transfer providers
- Top three personal computer manufacturers
- Top two ride-sharing companies
- Five of top 10 retailers
- Three of top five largest global airlines
- Three of top five online lending sites
- Top European airline
- One of top two global shipping companies
- Top bitcoin company