November 20, 2025

How to reduce false positives in fraud detection

Deepak Raj

VP Tech


In the modern digital world, one of the main challenges for digital platforms is balancing security and user experience. For years, fighting fraud has followed a “block first” mentality: if a user appears in any way suspicious, they are denied access to the platform.

However, the downside to this approach is false positives. Every instance in which a legitimate user is denied access after being flagged as a bot or fraudster is a loss for the organization. Thus, to remain competitive in the digital world, organizations must move away from a mentality of implementing “looser rules” towards a mentality of implementing “better identity.”


The True Cost of False Positives

When we discuss fraud prevention, we often focus on the "True Positives"—the actual fraudsters we caught. But the "False Positives" (Type I errors) are arguably more damaging to the health of a digital platform.

Revenue Loss: When a user is blocked from signing up or checking out, they will more than likely not return to the platform. Because consumers have access to alternative products or services, a single false positive can mean the total loss of that customer's lifetime value.

Operational Bloat: Each false positive creates a customer service inquiry. As a result, the trust and safety team ends up spending its time manually reviewing users instead of identifying true threats.

Model Degradation: If your machine learning models are trained on messy data where "blocks" are used as a proxy for "fraud," the system becomes increasingly aggressive and inaccurate over time.

In short, discussions of fraud prevention tend to count only the “True Positives”, the fraudsters caught, and overlook the “False Positives” (Type I errors), which are even more detrimental to the quality of a digital platform.


Why Legacy Signals Fail

Many businesses still protect themselves with outdated signal sources that no longer work in today's complex threat landscape. These legacy signals include:

IP Reputation: With an abundance of VPNs, iCloud Private Relay, and mobile CGNAT (where thousands of users share one IP), blocking based on IP is a recipe for high false positive rates.

Simple Geolocation: A user traveling or using a corporate network may appear in a different country, triggering a hard block that frustrates a loyal customer.

Basic Velocity Checks: While useful for catching unsophisticated bots, velocity rules often catch legitimate power users or families sharing a single device.

These signals are messy because they describe the connection, not the identity. To reduce false positives, we must look deeper into the hardware and behavior of the entity behind the screen.


Adopting a Device-First Identity Strategy

The most effective way to distinguish between a real user and a bot is a persistent Device ID. By moving beyond cookies and IP addresses, organizations can establish a "Device ID" that remains stable even when the user changes networks or updates their browser.


The Role of Smart Signals

Deep ID can provide contextual information that legacy systems do not. Rather than looking at a single data point, Deep ID examines multiple types of data to establish context for the transactions performed during a session, such as:

Browser Tampering Detection: Is the browser pretending to be something it’s not?

Emulator/Virtual Machine Detection: Is the session running on a real mobile device or on an emulator by a bot?

Behavioral Biometrics: Does the rhythm of interaction match a human user or a scripted attack?

Once you have a persistent Device ID, you can add that device to your white list of known good devices. Then, when a returning customer logs in from a device they have used on multiple occasions, you can entirely bypass your more intrusive security verification protocols and provide a seamless experience to almost all of your legitimate traffic.


Implementing Tiered Enforcement

One of the biggest mistakes in security architecture is treating every risk as a binary "Allow" or "Block." This lack of nuance is what drives high false positive rates. Instead, organizations should implement a tiered enforcement strategy.

1. The Green Path (Trusted)

If the Device ID can be verified and there are no Smart Signal anomalies, the user passes through the system with zero friction. This is the goal for the majority of the traffic through your security infrastructure.

2. The Yellow Path (Step-Up Authentication)

If there is a slight suspicion (new location, suspicious network, etc.), the security architecture triggers a step-up verification. This can take the form of multi-factor authentication or some other secondary authentication means such as OTP verification.

3. The Red Path (Hard Block)

Only when multiple high-risk indicators clearly show that the Device ID in question could be a scammer is a hard block applied.

By reserving hard blocks for only high-risk cases, you will see a significant decrease in the volume of false positives while still maintaining a solid defense.
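
The three paths above can be expressed as a small decision function. This is an added example, not Deep ID's code or API: the signal names, the `known_good` set, the `red_threshold` knob and the handling of never-seen devices are all assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Tier(Enum):
    GREEN = "allow"      # zero friction
    YELLOW = "step_up"   # MFA / OTP challenge
    RED = "block"        # hard block

# Assumed signal names, modelled on the signals the article lists.
HIGH_RISK = frozenset({"browser_tampering", "emulator", "scripted_behavior"})
LOW_RISK = frozenset({"new_location", "suspicious_network"})

@dataclass(frozen=True)
class Session:
    device_id: str
    signals: frozenset = frozenset()

def decide(session, known_good, red_threshold=2):
    """Map one session to a tier; red_threshold is an assumed policy knob."""
    high = session.signals & HIGH_RISK
    unrecognized = session.signals - HIGH_RISK - LOW_RISK
    # Red: only when multiple high-risk indicators agree. Being on the
    # known-good list does not override this.
    if len(high) >= red_threshold:
        return Tier.RED
    # Yellow: any single anomaly, mild suspicion, or a signal this policy
    # does not recognize (never silently ignored).
    if high or unrecognized or session.signals & LOW_RISK:
        return Tier.YELLOW
    # Green: recognized device with a clean signal set.
    if session.device_id in known_good:
        return Tier.GREEN
    # Assumption: a clean but never-seen device is challenged once.
    return Tier.YELLOW

def demo():
    known_good = {"dev-a"}  # constructed sample data
    sessions = [
        Session("dev-a"),
        Session("dev-a", frozenset({"new_location"})),
        Session("dev-a", frozenset({"emulator"})),
        Session("dev-a", frozenset({"emulator", "browser_tampering"})),
        Session("dev-new"),
        Session("dev-a", frozenset({"vendor_signal_v2"})),
    ]
    return [decide(s, known_good).value for s in sessions]
```

A single high-risk indicator yields a challenge rather than a block, so one noisy detector cannot lock a legitimate user out on its own.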


Measuring Success: Metrics That Matter

To improve your identity verification process, you must measure the right metrics. If your primary KPI is "Total Blocks," you are incentivizing your team to block more users, which inevitably increases false positives. Instead, track the following metrics:

False Positive Rate (FPR): The percentage of legitimate users who are challenged or blocked.

Step-Up Completion Rate: If you challenge a user, do they successfully complete it? A high completion rate suggests your challenges are reaching legitimate humans; a low rate suggests they are hitting bots (or are too difficult for humans).

Net Conversion Rate: The increase in successful signups or transactions after moving to a device-first approach.

Support Ticket Volume: Indicates the level of frustration experienced by users.
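
As an added example (not from Deep ID), the first two metrics can be computed from a decision log once each decision has a ground-truth label from later review. The log below is constructed sample data; the record fields, the separate hard-block breakdown and the `legit_lost` count are assumptions added for illustration.

```python
from typing import NamedTuple, Optional

class Decision(NamedTuple):
    tier: str                         # "allow", "step_up" or "block"
    fraud: bool                       # ground truth from later review
    completed: Optional[bool] = None  # step-up outcome, if challenged

# Constructed sample log: 10 legitimate users, 4 fraudulent sessions.
LOG = (
    [Decision("allow", False)] * 6
    + [Decision("allow", True)]               # missed fraud
    + [Decision("step_up", False, True)] * 2  # legit, passed challenge
    + [Decision("step_up", False, False)]     # legit, abandoned
    + [Decision("step_up", True, False)]      # fraud, failed challenge
    + [Decision("block", True)] * 2
    + [Decision("block", False)]              # legit, hard-blocked
)

def ratio(num, den):
    # An empty denominator (e.g. no challenges issued) yields 0.0.
    return num / den if den else 0.0

def enforcement_metrics(log):
    legit = [d for d in log if not d.fraud]
    challenged = [d for d in log if d.tier == "step_up"]
    return {
        # FPR as the article defines it: legit users challenged or blocked.
        "fpr": ratio(sum(d.tier != "allow" for d in legit), len(legit)),
        # Assumed breakdown: legit users who hit the red path.
        "hard_block_fpr": ratio(sum(d.tier == "block" for d in legit),
                                len(legit)),
        "step_up_completion": ratio(sum(bool(d.completed) for d in challenged),
                                    len(challenged)),
        # Legit users who never got through (blocked or abandoned).
        "legit_lost": sum(
            d.tier == "block" or (d.tier == "step_up" and not d.completed)
            for d in legit
        ),
    }
```

Labels must come from confirmed outcomes such as manual review or chargebacks, not from the block decision itself, for the reason given under Model Degradation.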


Where to Begin Optimization

Rather than completely redesigning your infrastructure, start by implementing device intelligence into the least secure parts of your platform:

New Account Creation: Prevent "fake" signups without blocking real users on shared mobile networks.

Login & Account Takeover (ATO): Recognize returning devices to eliminate unnecessary MFA prompts for loyal customers.

Promo & Referral Abuse: Ensure that high-value rewards are going to unique individuals, not one person with multiple virtual profiles.


Conclusion

Reducing false positives is not about "lowering the bar" for security; it is about sharpening your vision. By moving to a device-first approach and utilizing Smart Signals, organizations can finally stop punishing their best customers in an attempt to catch their worst enemies.

At Deep ID, we help technical teams build this bridge between security and user experience. By deploying persistent identification and tiered enforcement, you can protect your platform while maximizing your conversion rates.

Ready to see how your current false positive rate compares? Contact our sales team for a deep dive into your device intelligence strategy.

