
Why low fraud isn’t always a win, with Galit Shani-Michel


In this episode of Payments Unfiltered, Theo Spyrides welcomes back Galit Shani-Michel, VP of Emerging Products at Forter, for a deep dive into the critical link between fraud prevention and payment performance.

Together, they explore why outdated fraud strategies are hindering conversions, how pre-authorization checks can enhance approval rates, and why merchants should stop treating fraud and payments as separate functions.


Transcript

Theo: Welcome back, Galit. It’s great to speak with you again. Today, we’re focusing on how merchants can improve their fraud strategies. You’ve had extensive experience in fraud prevention, even before Forter. How do you approach building a fraud prevention strategy for a merchant?

Galit: That’s a great question. The most important thing to recognize is that technology has undergone significant evolution. Many traditional fraud-fighting methods are no longer best practices. A prime example is how much of the process was once manual.

When I managed fraud years ago, we relied on fraud rules and a team of analysts to review flagged transactions. These rules operated after authorization, meaning the transaction first went to the bank, and only then did our system flag it for manual review. Analysts assessed risky transactions, decided if they were fraudulent, and voided them if necessary. Back then, one key ask we had for our PSP was an extended period between authorization and capture to allow time for fraud checks.

Today, technology enables real-time decision-making through the use of AI and advanced fraud detection tools. Manual reviews are largely unnecessary. A small percentage of transactions may still require review, but the best practice now is to make fraud decisions before authorization.

By screening transactions pre-authorization, merchants can block fraudulent attempts before they reach the bank. This significantly improves authorization rates because issuers and acquirers see fewer fraudulent transactions from the merchant. When an issuer detects high fraud levels, they assume it’s their intervention that is preventing fraud, leading to the categorization of the merchant as high-risk, even if chargeback rates are low.

I recently spoke with Bank of America about a merchant with excellent post-authorization fraud management skills. Despite this, the bank still classified them as high-risk. When I asked why, they pointed to the fraudulent transactions they were blocking. From their perspective, their system was doing the heavy lifting.

The same merchant later adopted a pre-authorization fraud strategy, utilizing machine learning and real-time decision-making. Two months later, I checked in with the bank again. Their assessment had changed: “Oh yeah, this merchant is now low-risk.” The difference? The bank was no longer declining transactions due to fraud on their end. As a result, their perception of the merchant improved, and they started approving more borderline transactions, improving authorization rates.

So, fraud strategy directly impacts payment strategy. In many businesses, fraud and payments are handled separately, sometimes by different teams. But we’re seeing more consolidation because optimizing payments requires a strong fraud prevention strategy.

Theo: Given today’s technology, is there still a reason to conduct fraud checks post-authorization?

Galit: Not really. Some merchants still prefer manual reviews for specific transactions, depending on the type of products they sell and their risk tolerance. But in most cases, everything can be handled pre-authorization.

If a merchant insists on post-auth checks, we advise them to conduct all fraud screening before authorization and, if necessary, add any additional post-auth reviews.

Theo: And that also reduces headcount costs, right? Merchants could reallocate budgets from manual fraud analysts to better fraud tooling.

Galit: Exactly. When merchants transition to pre-authentication fraud detection, they no longer need large teams to manually review transactions.

Beyond cost savings, automation scales far better. Think about peak shopping seasons like Black Friday or Cyber Monday—how do you suddenly double your fraud review team for a weekend? With automation, that’s not an issue.

There’s also a customer experience factor. Consumers today expect fast fulfillment. No one wants their order stuck in a manual fraud review queue for three days. Pre-auth fraud checks ensure transactions are processed instantly, improving customer satisfaction.

That’s why more merchants are embracing automation: it eliminates scalability issues, enhances fraud detection, and improves the customer experience. A robust fraud vendor should handle peak volumes efficiently without technical failures or timeouts.

This shift doesn’t eliminate the roles of fraud teams; it evolves them. Instead of manually reviewing transactions, they can focus on strategy, such as optimizing risk thresholds, refining fraud models, and analyzing performance trends.

Theo: You mentioned 3D Secure (3DS) earlier. How does pre-auth fraud detection enhance its effectiveness?

Galit: 3DS is another key reason for shifting to pre-auth fraud screening. The best practice is to classify transactions into three categories:

  • Clear fraud → Decline outright.
  • Borderline risky transactions → Route through 3DS for verification.
  • Good transactions → Allow a frictionless experience.

If your fraud screening happens after authorization, you can't effectively do it—it’s simply too late to apply for 3DS. By shifting fraud detection to pre-authentication, merchants can intelligently decide when to trigger 3D Secure (3DS) and optimize approval rates.

Theo: Beyond checkout fraud, are you seeing fraud shifting to other parts of the customer journey?

Galit: Absolutely. Fraud isn’t just a checkout issue anymore. It can happen anywhere, from account registration to post-purchase activities. As merchants tighten fraud detection at checkout, fraudsters pivot to account takeover and policy abuse tactics.

For example, account takeover (ATO) fraud is a growing problem. Fraudsters log into legitimate accounts, where payment details are already stored. They change the shipping address and order products fraudulently.

Other common fraud tactics include:

  • Return abuse → Customers claim to return an item but send back a fake or different product.
  • Item-not-received (INR) fraud → Customers falsely claim they never received an order.
  • Coupon abuse → Creating multiple fake accounts to exploit discount codes.

To combat these tactics, merchants need fraud detection across the entire user journey, not just at checkout. The key is understanding identity at every interaction:

1. Registration → Is this a real user or a bot creating fake accounts?

2. Login → Is the person logging in the actual account owner?

3. Checkout → Should this transaction be flagged for review or 3DS?

4. Post-purchase → Is this a legitimate return request?

The fraud strategy isn’t one-size-fits-all. Some merchants permit multiple accounts per user, while others strictly enforce a single account per customer. Some offer coupons at registration, while others only grant them upon the first purchase to prevent abuse.

Ultimately, merchants must decide their risk tolerance and configure fraud rules accordingly. Those who fail to consider fraud holistically will be vulnerable at some point in the customer journey.

Theo: It sounds like the fraud strategy needs to be approached holistically. You also made an interesting point about company structure—some businesses have separate heads of fraud and payments, but maybe keeping fraud in its silo isn’t the best approach. If you were advising a merchant, would you recommend keeping fraud and payments separate, or should they be combined under a single leader who oversees both strategies?

Galit: It depends on the merchant’s structure. Some businesses also have digital, customer experience, or e-commerce managers, adding more complex layers. Regardless of the setup, the most important thing is to ensure that fraud and payments work closely together and that their KPIs are aligned.

Let me give you an example. Imagine I’m a fraud manager, and my KPI is simply to keep chargeback rates as low as possible. I might apply 3D Secure (3DS) to every transaction to achieve this. That way, liability shifts to the issuer, and chargebacks aren’t my problem. From my perspective, I’m hitting my fraud KPIs.

But now, look at it from the payment manager’s perspective. Their KPI is conversion rate, and excessive use of 3DS is hurting conversion. Customers drop out due to friction, but the fraud team doesn’t see that impact. The payment manager, however, is stuck dealing with the fallout—lower approvals, more abandoned carts, and unhappy customers. When asked why 3DS is being applied to every transaction, they say, “That was a fraud team decision.” Now, the KPIs for fraud and payments are completely misaligned, and the business suffers as a result.

Theo: So you’re saying someone needs to take ownership of the whole picture?

Galit: Exactly. Someone has to own a holistic KPI—not just fraud prevention or payment approvals in isolation, but overall checkout success. A good metric for this is the “complete rate”:

  • Out of all the customers who attempted to make a purchase, how many were successful?
  • If the complete rate is 85%, 15% of transactions were lost. But why?
      • Fraud declines? (Blocking good customers by mistake)
      • 3DS friction? (Good customers failing authentication)
      • Issuer declines? (Banks rejecting legitimate payments)

Someone needs to own that 15% loss and have the authority to optimize fraud, 3DS strategy, and payment processing across all those areas.

Theo: That makes total sense. And there’s also a customer experience aspect, right? If you block good transactions or create too much friction, customers won’t return.

Galit: Exactly! If you make it too hard for people to pay, they’ll go elsewhere. And oftentimes, the customer experience team isn’t involved in fraud and payment discussions. That’s a mistake. False declines and unnecessary 3D Secure friction are detrimental to customer loyalty.

Here’s a personal story: Years ago, when I started managing fraud for a merchant, I proudly presented our low chargeback rate in a meeting. I expected applause from leadership, but instead, the CEO looked at me and said, “This is too low.”

I was shocked. I thought keeping fraud rates low was my job. But then he asked me, “How many transactions are you blocking for fraud?”

I didn’t have that number. I wasn’t tracking it. That was my wake-up call.

When I examined the data, I realized we were declining too many good transactions. I adjusted our fraud strategy to be more precise, and as a result, our average order value increased. Why? Because higher-value customers, whom we had been wrongly blocking, could finally complete their purchases.

That experience completely changed my view of fraud management. The goal isn’t zero fraud but finding the right balance between fraud prevention and conversion.

Theo: That’s such a great insight. So, if fraud rates shouldn’t be zero, what’s the right target?

Galit: It depends on the business. Fraud tolerance varies based on the following:

  • What you’re selling (Luxury goods vs. digital subscriptions)
  • Chargeback costs (How much does a fraud chargeback hurt your bottom line?)
  • Regulatory requirements (For example, in Europe, you need a low fraud rate to qualify for Strong Customer Authentication (SCA) exemptions)

So, instead of aiming for zero fraud, merchants should focus on acceptable fraud thresholds that maximize revenue while keeping fraud manageable.

Theo: And measuring false declines is key, right? If you’re rejecting too many good transactions, you’re hurting revenue.

Galit: Absolutely. Measuring false declines is tough, but it’s critical. Even issuers track this—they know when they’ve falsely declined a transaction because, after a month or so, they see that the cardholder never disputed the charge or attempted another transaction.

For merchants, one way to track false declines is to look at customer behavior after a fraud rejection:

  • Do they retry with the same card?
  • Do they switch to a different card?
  • Do they abandon the purchase altogether?

If legitimate customers are repeatedly failing, that’s a red flag.

Theo: The key takeaway is to focus on KPIs holistically, ensuring you don’t over-index just one metric. That makes a lot of sense.

It also sounds like minor adjustments in fraud strategy can have unexpected side effects, such as when you tweak your fraud approach and suddenly the average order value increases. That’s great to know in hindsight, but how should merchants iterate and experiment with fraud strategies? Should they apply changes to all transactions or just a subset? Are there tools available to assist with this type of testing? How would you approach it?

Galit: That’s a great question. Today, with the availability of technology and fraud prevention tools, merchants have more data-driven ways to optimize their fraud strategies. One of the most important things is understanding identity—who is behind a transaction.

This is difficult to do alone because, as a merchant, you only recognize customers who have previously shopped with you. But most consumers have shopped elsewhere before, and fraud vendors operating at scale can provide that network intelligence, helping you determine if a customer is legitimate, even if they’re new to your store.

That’s why many large enterprises are now outsourcing fraud management to specialized vendors instead of handling it in-house. Even a 0.5% increase in approvals from better fraud detection translates to direct bottom-line revenue. Some merchants we’ve worked with have seen a 2–3% increase in approvals by implementing a more effective fraud solution.

When it comes to testing and iterating, the key is always to measure impact against your KPIs.

  • A/B testing is critical. If you introduce a new fraud rule, compare its performance with that of a control group.
  • If you increase 3DS usage, track how it impacts conversion rates.
  • If you move fraud detection from post-auth to pre-auth, measure how it affects the complete rate.

It’s not enough to just look at auth rates in isolation. Yes, auth rates will naturally increase if you block fraud before sending transactions to issuers, but the overall conversion rate (or complete rate) matters. Are more legitimate customers successfully checking out?

Fraud prevention isn’t just about blocking fraud—it’s about approving as many legitimate transactions as possible. That means keeping a close eye on how different customer segments behave:

  • New vs. returning customers: Do they have different fraud risk profiles?
  • Geographical differences: Is fraud detection performing differently in India vs. Europe vs. the US?
  • Regulatory impact: For example, if Japan introduces new 3DS rules, how does that affect conversion rates?

Measuring the Right KPIs

To optimize fraud prevention, merchants need to track several key metrics at each step of the process:

  1. Fraud declines – How many transactions were rejected due to suspected fraud?
  2. 3DS success rate – Of the customers sent to 3DS, how many were successfully authenticated?
  3. Authorization rate – How many transactions were approved by the bank?
  4. Complete rate – The most crucial metric: out of all customers who attempted to buy, how many completed their purchase?

For example:

  • If 3DS performs poorly in India, check if banks have higher failure rates.
  • If auth rates are dropping, ask your PSP or acquirer for insights—they may see similar trends across other merchants.

The key is to continuously monitor and adapt. As fraud trends evolve, your strategy must evolve with them.

Theo: That’s a great insight. Now, if businesses listening to this episode could take away just one piece of advice about fraud strategy, what would it be?

Galit: Keep your customer at the center of your strategy.

It’s easy to fall into the trap of treating every transaction as suspicious, but that’s the wrong approach. Instead, assume every customer is good until proven otherwise, rather than assuming everyone is bad unless they prove otherwise.

Fraud prevention isn’t just about stopping fraudsters; it’s about ensuring an excellent experience for legitimate customers.

Consumers expect a seamless checkout. They don’t want to think about payments—they just want to receive their order quickly. However, introducing too much friction—such as unnecessary 3DS prompts, false fraud declines, or extra verification steps—will drive away good customers.

To illustrate this, my daughters no longer say “hello” when they come home from school. Instead, they first ask: “Did my package arrive?” That’s how excited people get about receiving their purchases. The checkout process should never dampen that excitement.

So when you build your fraud strategy, ask yourself:

  • Are you making it easy for good customers?
  • Are you minimizing unnecessary friction?
  • Are you blocking fraudsters while still approving as many legitimate transactions as possible?

That’s the key to an effective fraud strategy.
