โ† All work
Fraud strategy Investment case Influence without authority

Making the step
change on fraud

Phishing-led account takeovers had become 73% of our fraud losses, and the defence was scattered across squads. I built the quantified case that turned "fraud is everyone's problem" into a funded, focused, five-month tiger team.

My role
Group PM, owned the strategy & the executive ask
Where
B2B spend-management scale-up
Scope
KYC tooling ยท Backoffice ยท Decision Intelligence ยท Fraud Ops
73%
of fraud losses (6 months) came from one typology: phishing-led account takeover
โ‚ฌ625K
of preventable losses quantified: the cost of not investing, initiative by initiative
2โ†’8
weakest fraud-lever maturity score, before โ†’ target after the tiger team

01Situation

One typology was eating the loss budget

Over six months, 73% of fraud losses traced to a single attack pattern: phishing sites lure customers into sharing credentials, the fraudster takes over the account, adds a device, issues a virtual card, and spends, all before detection. Off-the-shelf phishing kits had collapsed the cost of running these attacks, and the pattern was shifting from malvertising domains to spear-phishing inboxes.

Lifecycle of a phishing attack, and where defence has to act
Attacker Phishing site liveโ†’ Customer luredโ†’ Account takeoverโ†’ New device + virtual cardโ†’ Spend
Defence Detect & take down siteโ†’ Warn / verify customerโ†’ Flag login & deviceโ†’ Cooldown / block cardโ†’ Surveil & contain
Every stage the attacker moves through is a stage the defence can own. The strategy mapped each initiative to a specific point on this timeline.

02Problem

Capable teams, scattered defence

Detection, prevention and customer experience lived in different domains: security ops, customer operations, spend management, backend core. Each improved locally; none owned the end-to-end attack. Maturity scores told the story: Detection 4/10, Prevention 3/10, User Experience 2/10. Mostly reactive, nothing real-time, and the customer was the last line of defence without being equipped for it.

03Goal

A step change, not incremental patching

Materially reduce phishing-driven ATO losses by lifting all three fraud levers to high maturity (8/10 by end of Q3) through one coordinated investment instead of scattered H2 roadmap items.

04My role

Group PM for the KYB/fraud domain. I framed the three-lever strategy, quantified every initiative's preventable losses, built the executive narrative, and made the tiger-team ask. Influence across five teams I didn't manage.

05Team

Domain of ~19 people across KYC support tooling, backoffice experience, decision intelligence and fraud operations, plus the proposed tiger team: an execution lead, 2 BE, 2 FE, UX and a security engineer for five months.

06Diagnosis

Three levers, scored honestly

We scored the defence on a 0โ€“10 maturity scale per lever: what exists, what's staffed, what's real-time. The proof-points were real: 82+ phishing domains taken down with median takedown time cut from 48h to 1h10m after onboarding a specialist takedown partner; โ‚ฌ140K blocked by the upgraded in-house rules engine (~20% of phishing fraud); one precision rule cutting chargebacks 96% while flagging fewer than 20 cards a week. But gaps stayed open post-compromise: no login alerts, no cooldowns, no SSO, little user-facing trust UX.

Fraud-lever maturity: today vs after investment
Today Target (post tiger team)
Detection, today
4/10
Detection, target
8/10
Prevention, today
3/10
Prevention, target
8/10
User experience, today
2/10
User experience, target
7/10
Scored 0โ€“10: 0โ€“3 reactive, 4โ€“6 solid but not real-time, 7โ€“10 proactive and resilient. The weakest lever, what customers see and can act on, was also the cheapest to fix.

07Decision making

Price the losses, then price the fix

Instead of asking for headcount on faith, every proposed initiative was priced two ways: losses it would have averted in the last six months, and the investment needed. Login alerts: โ‚ฌ75โ€“100K averted. QR-based login: โ‚ฌ125โ€“150K. SSO: โ‚ฌ150K+. Session geo-IP blocks, cooldowns, anti-phishing phrases, warning banners, in-app calls: each mapped to the attack timeline with an effort tag and a euro figure. That turned a security wishlist into an investment portfolio.

The investment case, by lever
LeverKey initiativesLosses averted (6 mo)InvestmentEst. 12-mo reduction
DetectionLogin alerts on new devices, QR-based web loginโ‚ฌ225K~โ‚ฌ160Kโ‚ฌ200โ€“350K
PreventionSession geo-IP rules, cooldowns for new-device cards, SSOโ‚ฌ275K~โ‚ฌ220Kโ‚ฌ250โ€“315K
User experienceAnti-phishing phrase, login warning banners, in-app callsโ‚ฌ125K~โ‚ฌ100Kโ‚ฌ80โ€“150K
โ‚ฌ625K of preventable losses vs โ‚ฌ325โ€“515K total investment, plus the honest framing that year-one savings may not fully offset cost: this is a resilience foundation, not just an ROI line.

08Solution

One tiger team instead of six roadmaps

1
A dedicated 5-month tiger team
Execution lead, 2 backend, 2 frontend, UX and a security engineer, pulled together instead of scattering delivery across every squad's H2.
2
Phased ramp mapped to the attack timeline
Foundations & SSO groundwork โ†’ detection + early UX (login alerts, QR login, banners) โ†’ trust UX (anti-phishing phrases) โ†’ prevention deep-dive (cooldowns, session blocks) โ†’ tuning and rollout.
3
Customer as first line of defence
In-app fraud reporting had already hit 66% adoption and cut support replies per case by 47%. The strategy doubled down on equipping users, not just watching them.
4
Platform capabilities, not patches
Centralised fraud intelligence, SSO and session protection: enterprise-grade controls that also read as IPO-readiness.

09Trade-offs

The three-lever balance

Turning any lever up turns another down: more detection risks drowning in false positives; more prevention risks friction for every legitimate customer; more user-facing warnings risk fear instead of trust. The strategy made those tensions explicit, preferring precision rules that flag <20 cards/week over blunt rules that catch more fraud but punish everyone, and priced the trade instead of pretending it away. We also accepted that year-one savings might not fully offset the investment on paper.

10Impact

A funded mandate and a moving score

The quantified case secured the executive decision it asked for: a focused tiger team with a five-month mandate, targeting 8/10 maturity across all three levers by Q3, up to โ‚ฌ625K in prevented losses, and a projected 40โ€“50% reduction in fraud-related support load. The already-shipped foundations proved the approach: takedowns at 1h10m median, โ‚ฌ140K blocked, 96% chargeback reduction on the targeted typology, 66% adoption of in-app reporting.

11Learning

Executives don't fund fear. They fund priced risk

"Fraud is bad" gets sympathy; "โ‚ฌ625K preventable, โ‚ฌ325โ€“515K to prevent it, initiative by initiative, mapped to the attack timeline" gets a decision. The other lesson: fraud defence is a product problem. The customer-facing lever scored lowest and was the cheapest to lift.

"Turn a security wishlist into an investment portfolio."