Email Age And Their Domains: Distributions as a Fraud Signal

An email address can tell a fraud fighter a lot about an applicant. From the syntax and structure to its age and length of association, a deeper understanding of this one identity element can provide valuable signals as to whether fraud is being committed.

As the use of disposable domains has become prevalent, recognizing that "not all domains are created equal" has become increasingly important. But it's not just the domain itself that can provide signals for detecting fraud. For example: There are about 1.8 billion Gmail accounts and about 1.5 million AOL users. Within these two very different email providers, what does the age of an email relative to all other emails across that same domain tell us about the likelihood that the email belongs to the individual whose PII is in the application?

AOL vs Gmail: What can email domain distributions tell us about fraudulent activity?

The potential for using the distribution of email ages with respect to a specific domain as a fraud signal relies first on two assumptions:

• First, is the assumption that an AOL email will have been in existence longer than a Gmail address. That is:

𝑃(𝑒𝑚𝑎𝑖𝑙 𝑑𝑜𝑚𝑎𝑖𝑛 𝑖𝑠 𝐺𝑚𝑎𝑖𝑙) ∩ 𝑃(𝑒𝑚𝑎𝑖𝑙 𝑓𝑖𝑟𝑠𝑡 𝑠𝑒𝑒𝑛 𝑑𝑎𝑡𝑒 𝑖𝑠 𝑟𝑒𝑐𝑒𝑛𝑡) = 𝑚𝑒𝑑𝑖𝑢𝑚 − ℎ𝑖𝑔ℎ
𝑃(𝑒𝑚𝑎𝑖𝑙 𝑑𝑜𝑚𝑎𝑖𝑛 𝑖𝑠 𝐴𝑂𝐿) ∩ 𝑃(𝑒𝑚𝑎𝑖𝑙 𝑓𝑖𝑟𝑠𝑡 𝑠𝑒𝑒𝑛 𝑑𝑎𝑡𝑒 𝑖𝑠 𝑟𝑒𝑐𝑒𝑛𝑡) = 𝑙𝑜𝑤

• Second, we similarly assume that users of AOL accounts skew toward an older demographic than Gmail users, namely:

𝑃(𝑒𝑚𝑎𝑖𝑙 𝑑𝑜𝑚𝑎𝑖𝑛 𝑖𝑠 𝐺𝑚𝑎𝑖𝑙) ∩ 𝑃(𝑎𝑠𝑠𝑜𝑐𝑖𝑎𝑡𝑒𝑑 𝑖𝑑𝑒𝑛𝑡𝑖𝑡𝑦 𝑖𝑠 𝑦𝑜𝑢𝑛𝑔) = 𝑚𝑒𝑑𝑖𝑢𝑚 − ℎ𝑖𝑔ℎ
𝑃(𝑒𝑚𝑎𝑖𝑙 𝑑𝑜𝑚𝑎𝑖𝑛 𝑖𝑠 𝐴𝑂𝐿) ∩ 𝑃(𝑎𝑠𝑠𝑜𝑐𝑖𝑎𝑡𝑒𝑑 𝑖𝑑𝑒𝑛𝑡𝑖𝑡𝑦 𝑖𝑠 𝑦𝑜𝑢𝑛𝑔) = 𝑙𝑜𝑤

Domain distribution analysis

To test the validity of this observation, we determined the cumulative probabilities for each domain across various points in time, i.e., what is the probability that a random Gmail/AOL email is:

- 1 day old or younger
- 30 days old or younger
- 2 months old or younger
- 6 months old or younger
- 2 years old or younger
- 10 years old or younger
- etc…

Below, we collected the cumulative probabilities for each time interval to build a curve that describes the distribution of email ages for a given month’s sample by domain.

N.b. The jumps are due to varying interval sizes at certain cutoffs

If we zoom into a single point on these graphs respectively, we note that for the population we studied:

• The likelihood of a random Gmail email address being 1082 days or younger is 20.2%

• The likelihood of a random AOL email address being 1082 days or younger is 3.8%

The analysis of this sample suggests that an AOL email address with a first-seen date of 3 years or younger is a less common outcome and therefore, potentially suspicious while a Gmail email address with the same date could be perceived as less suspicious.

Enhanced understanding without friction

Deriving insights from core identity data -- name, DOB, SSN, address, phone, and email -- is central to what SentiLink does. But providing our partners with attribute-level tools to sharpen their understanding of each of these inputs individually allows for richer context and a deeper understanding of an applicant. In this example, while knowing the age of an email address can provide helpful direction, understanding the implication of that email's age relative to all other emails within its domain can provide a Risk Team an extra edge to more confidently identify fraud.

While a single attribute can neither prove nor disprove the validity of an application, access to unique and novel attributes allows risk teams more sophisticated approaches to answering the question of legitimacy without adding friction to the customer flow.