Making the step
change on fraud
Phishing-led account takeovers had become 73% of our fraud losses, and the defence was scattered across squads. I built the quantified case that turned "fraud is everyone's problem" into a funded, focused, five-month tiger team.
01Situation
One typology was eating the loss budget
Over six months, 73% of fraud losses traced to a single attack pattern: phishing sites lure customers into sharing credentials, the fraudster takes over the account, adds a device, issues a virtual card, and spends, all before detection. Off-the-shelf phishing kits had collapsed the cost of running these attacks, and the pattern was shifting from malvertising domains to spear-phishing inboxes.
02Problem
Capable teams, scattered defence
Detection, prevention and customer experience lived in different domains: security ops, customer operations, spend management, backend core. Each improved locally; none owned the end-to-end attack. Maturity scores told the story: Detection 4/10, Prevention 3/10, User Experience 2/10. Mostly reactive, nothing real-time, and the customer was the last line of defence without being equipped for it.
03Goal
A step change, not incremental patching
Materially reduce phishing-driven ATO losses by lifting all three fraud levers to high maturity (8/10 by end of Q3) through one coordinated investment instead of scattered H2 roadmap items.
04My role
Group PM for the KYB/fraud domain. I framed the three-lever strategy, quantified every initiative's preventable losses, built the executive narrative, and made the tiger-team ask. Influence across five teams I didn't manage.
05Team
Domain of ~19 people across KYC support tooling, backoffice experience, decision intelligence and fraud operations, plus the proposed tiger team: an execution lead, 2 BE, 2 FE, UX and a security engineer for five months.
06Diagnosis
Three levers, scored honestly
We scored the defence on a 0โ10 maturity scale per lever: what exists, what's staffed, what's real-time. The proof-points were real: 82+ phishing domains taken down with median takedown time cut from 48h to 1h10m after onboarding a specialist takedown partner; โฌ140K blocked by the upgraded in-house rules engine (~20% of phishing fraud); one precision rule cutting chargebacks 96% while flagging fewer than 20 cards a week. But gaps stayed open post-compromise: no login alerts, no cooldowns, no SSO, little user-facing trust UX.
07Decision making
Price the losses, then price the fix
Instead of asking for headcount on faith, every proposed initiative was priced two ways: losses it would have averted in the last six months, and the investment needed. Login alerts: โฌ75โ100K averted. QR-based login: โฌ125โ150K. SSO: โฌ150K+. Session geo-IP blocks, cooldowns, anti-phishing phrases, warning banners, in-app calls: each mapped to the attack timeline with an effort tag and a euro figure. That turned a security wishlist into an investment portfolio.
| Lever | Key initiatives | Losses averted (6 mo) | Investment | Est. 12-mo reduction |
|---|---|---|---|---|
| Detection | Login alerts on new devices, QR-based web login | โฌ225K | ~โฌ160K | โฌ200โ350K |
| Prevention | Session geo-IP rules, cooldowns for new-device cards, SSO | โฌ275K | ~โฌ220K | โฌ250โ315K |
| User experience | Anti-phishing phrase, login warning banners, in-app calls | โฌ125K | ~โฌ100K | โฌ80โ150K |
08Solution
One tiger team instead of six roadmaps
09Trade-offs
The three-lever balance
Turning any lever up turns another down: more detection risks drowning in false positives; more prevention risks friction for every legitimate customer; more user-facing warnings risk fear instead of trust. The strategy made those tensions explicit, preferring precision rules that flag <20 cards/week over blunt rules that catch more fraud but punish everyone, and priced the trade instead of pretending it away. We also accepted that year-one savings might not fully offset the investment on paper.
10Impact
A funded mandate and a moving score
The quantified case secured the executive decision it asked for: a focused tiger team with a five-month mandate, targeting 8/10 maturity across all three levers by Q3, up to โฌ625K in prevented losses, and a projected 40โ50% reduction in fraud-related support load. The already-shipped foundations proved the approach: takedowns at 1h10m median, โฌ140K blocked, 96% chargeback reduction on the targeted typology, 66% adoption of in-app reporting.
11Learning
Executives don't fund fear. They fund priced risk
"Fraud is bad" gets sympathy; "โฌ625K preventable, โฌ325โ515K to prevent it, initiative by initiative, mapped to the attack timeline" gets a decision. The other lesson: fraud defence is a product problem. The customer-facing lever scored lowest and was the cheapest to lift.
"Turn a security wishlist into an investment portfolio."