Suspicious Account Activity Identification
Identifying suspicious account activity is essential for protecting both Niceazda and our customers from fraud, account takeover, and policy abuse. As a Level 2 agent or Team Lead, you play a critical role in recognizing patterns that indicate fraudulent behavior and taking appropriate action. This SOP provides comprehensive guidance on identifying, investigating, and responding to suspicious account activity.
Types of Suspicious Activity
Suspicious activity manifests in various forms, each requiring different identification approaches and responses.
Activity Categories
| Category | Description | Risk Level |
|---|---|---|
| Account Takeover | Unauthorized access to legitimate accounts | Critical |
| Payment Fraud | Stolen cards, fraudulent transactions | Critical |
| Identity Fraud | Fake accounts, impersonation | High |
| Promotion Abuse | Exploiting vouchers, referrals, rewards | Medium to High |
| Return Fraud | False claims, wardrobing, swap fraud | Medium to High |
| Seller Collusion | Fake orders, review manipulation | High |
| Policy Circumvention | Multiple accounts, ban evasion | Medium |
Account Takeover Indicators
Account takeover occurs when fraudsters gain access to legitimate customer accounts, often to make unauthorized purchases or steal stored payment methods.
Behavioral Indicators
Watch for these signs that an account may be compromised:
- Sudden change in delivery addresses, especially to different regions
- New payment methods added shortly before large purchases
- Unusual login patterns such as different devices, locations, or times
- Password or email changes followed immediately by orders
- Purchasing patterns dramatically different from account history
- High-value electronics or easily resellable items ordered suddenly
- Customer contacts claiming they did not place recent orders
Technical Indicators
System data may reveal additional takeover signals:
- Logins from IP addresses in countries other than the account's usual ones
- Multiple failed login attempts preceding successful access
- Browser or device fingerprint changes
- Access through VPN or proxy services
- Simultaneous sessions from geographically impossible locations
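As an illustration of how two of these signals (failed logins preceding a successful one, and geographically impossible locations) can be checked against login records, the following is an added example, not Niceazda tooling. The event layout, account names, coordinates, and all thresholds are assumptions constructed for the example.

```python
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

MAX_KMH = 900                        # assumed ceiling: roughly airliner speed
MIN_KM = 100                         # assumed: ignore IP-geolocation jitter below this
FAIL_THRESHOLD = 3                   # assumed: failures before a success that merit review
FAIL_WINDOW = timedelta(minutes=10)  # assumed look-back window for those failures

# Constructed sample events: (ISO time, account, result, latitude, longitude)
EVENTS = [
    ("2024-05-01T08:00:00", "acct-1", "ok",   1.35, 103.82),
    ("2024-05-01T09:10:00", "acct-1", "fail", 52.52, 13.40),
    ("2024-05-01T09:11:00", "acct-1", "fail", 52.52, 13.40),
    ("2024-05-01T09:12:00", "acct-1", "fail", 52.52, 13.40),
    ("2024-05-01T09:13:00", "acct-1", "ok",   52.52, 13.40),
    ("2024-05-01T08:00:00", "acct-2", "ok",   1.35, 103.82),
    ("2024-05-01T20:00:00", "acct-2", "ok",   3.14, 101.69),
]

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine), Earth radius 6371 km."""
    p1, p2 = radians(lat1), radians(lat2)
    h = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def review_flags(events):
    """Return {account: sorted indicator names} for accounts that merit review."""
    flags, last_ok, fails = {}, {}, {}
    for ts, acct, result, lat, lon in sorted(events):  # ISO times sort chronologically
        t = datetime.fromisoformat(ts)
        if result == "fail":
            fails.setdefault(acct, []).append(t)
            continue
        # A success: count the failures that immediately preceded it.
        recent = [f for f in fails.pop(acct, []) if t - f <= FAIL_WINDOW]
        if len(recent) >= FAIL_THRESHOLD:
            flags.setdefault(acct, set()).add("failed_logins_before_success")
        if acct in last_ok:
            t0, lat0, lon0 = last_ok[acct]
            hours = max((t - t0).total_seconds() / 3600, 1 / 3600)  # avoid divide-by-zero
            dist = km_between(lat0, lon0, lat, lon)
            if dist > MIN_KM and dist / hours > MAX_KMH:
                flags.setdefault(acct, set()).add("impossible_travel")
        last_ok[acct] = (t, lat, lon)
    return {a: sorted(v) for a, v in flags.items()}

if __name__ == "__main__":
    print(review_flags(EVENTS))
```

A flag here is a prompt for investigation, not a fraud determination: VPN or proxy use and genuine travel produce the same signals.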
Payment Fraud Indicators
Payment fraud involves using stolen payment credentials or manipulating payment systems.
Transaction Red Flags
- Multiple orders placed rapidly with different cards
- Card billing address does not match shipping address
- International cards with domestic delivery to unfamiliar addresses
- Large first-time orders on new accounts
- Order value significantly higher than typical basket size
- Specific targeting of high-value, easily liquidated items
- Rush shipping requested despite premium cost
Payment Method Patterns
- Multiple cards failing before one succeeds
- Card details entered manually rather than saved or scanned
- Prepaid cards used for high-value purchases
- Virtual card numbers for suspicious transactions
- Payment method country does not match account location
Promotion and Policy Abuse Indicators
Abuse of promotional offers and platform policies costs revenue and creates unfair advantages.
Promotion Abuse Patterns
- Multiple accounts created with similar details to claim new user offers
- Referral chains with suspicious patterns suggesting self-referral
- Vouchers used at scale suggesting code sharing or theft
- Orders placed solely to earn rewards then cancelled or returned
- Exploiting pricing errors or glitches systematically
Return Fraud Indicators
- Unusually high return rate compared to platform average
- Returns frequently claim a wrong or damaged item, but patterns suggest otherwise
- Items returned showing signs of use inconsistent with claims
- Serial numbers or tags not matching original shipment
- High-value items consistently returned after brief possession
Investigation Procedures
When suspicious activity is identified, conduct systematic investigation before taking action.
Initial Assessment
Begin by gathering comprehensive information about the suspected activity:
- Review complete account history including registration, orders, returns, and contacts
- Examine all orders associated with the account or payment methods
- Check for linked accounts based on shared attributes
- Review customer service contact history for relevant interactions
- Document all suspicious indicators identified
Pattern Analysis
Look for patterns that strengthen or weaken fraud suspicion:
- Consistency of suspicious behavior across time
- Connections to other flagged accounts or activities
- Whether behavior matches known fraud patterns
- Alternative explanations that could account for the activity
Evidence Documentation
Document your findings thoroughly with screenshots and system records showing suspicious activity, timeline of events with dates and times, connections identified between accounts or transactions, summary of indicators present, and your assessment of fraud likelihood. This documentation supports action decisions and potential legal proceedings.
Response Actions
Take appropriate action based on the type and severity of suspicious activity identified.
Immediate Actions for Critical Threats
For account takeover or active payment fraud, take immediate protective action:
- Suspend account access to prevent further unauthorized activity
- Hold or cancel pending orders placed fraudulently
- Remove unauthorized payment methods
- Notify the legitimate account holder through verified contact methods
- Escalate to fraud team for investigation
Investigation Hold Actions
For suspected but unconfirmed fraud, place holds while investigating:
- Order holds pending verification
- Account restrictions limiting high-risk actions
- Payment method verification requirements
- Delivery address confirmation
Verification Outreach
When activity is suspicious but may be legitimate, verify with the customer:
- Contact through established verified channels only
- Ask verification questions based on account history
- Request identity documentation if appropriate
- Avoid revealing specific fraud concerns that could educate fraudsters
Escalation Criteria
Certain findings require escalation to specialized fraud teams or management.
Immediate Escalation Required
- Confirmed account takeover affecting multiple accounts
- Organized fraud rings or linked fraudulent accounts
- Significant financial exposure from fraud in progress
- Potential insider involvement suspected
- Legal or law enforcement coordination needed
Standard Escalation
- Complex cases requiring deeper investigation resources
- Cases where action decisions are uncertain
- Patterns suggesting systemic vulnerabilities
- Customer disputes of fraud determinations
Protecting Legitimate Customers
While identifying fraud, be careful not to harm legitimate customers through false positives.
Avoiding False Positives
Before taking restrictive action, consider legitimate explanations such as customers traveling triggering location changes, gifts or business purchases explaining unusual patterns, shared devices or addresses in families, and customers trying multiple cards due to technical issues. Err on the side of verification over immediate restriction when possible.
Customer Communication
When contacting customers about suspicious activity, be helpful and concerned rather than accusatory. Explain that you noticed unusual activity and want to protect their account. Focus on verification rather than interrogation. Provide clear next steps to resolve any restrictions.
Documentation and Reporting
Comprehensive documentation supports organizational fraud prevention efforts.
Case Documentation
Record all suspicious activity investigations with initial indicators that triggered review, investigation steps taken and findings, action decision and justification, outcome and resolution, and any patterns or trends observed.
Trend Reporting
Report emerging fraud patterns to the Risk team including new tactics or techniques observed, vulnerabilities being exploited, gaps in current detection, and suggestions for preventive measures. Your frontline observations help strengthen platform-wide fraud prevention.
