#17 - The hidden time leaks in your fraud defense
As a military history buff, there’s one battle that shaped how I design fraud prevention systems:
The German conquest of France during WW2.
You see, in May 1940 the German army was advancing so fast that it caused a paralysis in the French command.
By the time their HQ received intelligence about German tank positions, processed this information, and sent new orders to their units, the German forces had already advanced far beyond those positions.
The French were quite literally fighting yesterday's battle.
Sounds familiar?
Reading about it made me realize - it’s not about tech, it’s not about accuracy, and it’s not even about data.
When you have an adversary, it’s about one thing and one thing only:
Your reaction time.
The 6-step reaction cycle
If I could measure only one KPI, I would measure this:
The time it takes me to learn and act against a new fraud attack.
Everything we do is encapsulated in this cycle: the tech we use, the processes we employ, the skill of our team, the tools that assist us. It measures everything.
I tend to think of this process as a 6-step cycle that is made of two phases: learning about a new attack and acting against it.
The Learning Phase
In this phase, we’re focusing on defining the attack. How much time does it take us to realize it’s happening, and then to understand why it’s happening?
1. Detect: How long does it take your team to realize a new attack has been targeting your business?
I’m not talking about the time between receiving the first chargeback and realizing it, nor even the time between the first successful fraudulent event and realizing it. I’m talking about the first attempt.
Think about what this entails: You need to have basic reporting in place. You need to have someone actively looking at said reports frequently to see everything is in order.
Got that tightly screwed? Now worry about real-time monitoring and alerting.
2. Assess scope: If any initial fraudulent attempt would cause you to drop what you’re doing and slide down the fire pole, you’ll become paralyzed on day two.
To validate that an event really requires our attention, we first need to quantify its scope, and likely its future scope as well.
Do we have the tools and processes in place to quickly estimate exposure? Can we quickly identify impacted accounts? Is it clear how we prioritize “fire drills” and who’s responsible for doing so? During the weekend as well?
3. Root cause analysis: Once it’s prioritized, next we need to figure out why we’re leaking losses.
Are we seeing a new fraud pattern we never encountered before? Did we change something in our setup that suddenly lets known fraud through? Are we experiencing a production bug or data quality issue?
Without understanding why our defenses fail, we cannot fix them. But to do so, multiple teams (fraud ops, analytics, engineering, data science, product, etc.) will potentially need to self-analyze what went wrong. Are they all equipped to do so quickly?
The Acting Phase
In this phase, we’re focusing on stopping the attack. How much time does it take us from prioritizing an issue until its fix is live in production?
4. Design solution: Different issues will require us to develop different solutions.
Sometimes it’ll be a new rule or a model refresh. Sometimes we’ll need to update a procedure or policy. In some cases, it’ll be more about shipping a code hot-fix. Worst case scenario, we need to switch to a different vendor.
It’s likely, though, that we’ll identify some common repeating issues that are solved by the same main vehicles for shipping solutions. For example: a rules engine.
How easy is it for us to develop fixes on top of these different vehicles? Which teams/resources are involved? Are they equipped with the right tools, process, and skill-set?
5. Test solution: Different solution vehicles (rules, code, policy, etc.) have different testing requirements, complexity, and environments.
Some vehicles might require multiple teams to test different performance aspects.
Take machine learning models for example:
The data science team will test for score distribution, the fraud ops team will test for business performance, and the engineering team will test for latency, errors and other technical issues.
If it’s hard, expensive, or slow to run an experiment for performance validation, we lose time and money solely on being inefficient.
6. Deploy solution: I’ve written a new rule. Can I deploy it now or do I need to wait for my vendor’s weekly push?
I have a new model version. Is it pushed seamlessly by an MLOps system, or do I need to wait for the quarterly code release?
I want to change my investigation playbook. How many people need to sign it off, and how long before I can retrain all team members?
These are just examples, but they represent the most frustrating part of the entire cycle: sitting on your hands, with a validated solution, seeing fraudsters eat your lunch.
From Theory to Practice
Let me stress this one point: These are not just theoretical musings. These are business processes you should be measuring with clear KPIs and goals.
Don’t know where to begin?
Take the last fraud attack you experienced and do a post-mortem, going through all the steps above and documenting how much time they took.
Then do it again with the last attack prior to that. And again.
You don’t need to over-engineer it. Plenty of time for that later. First, figure out where you stand right now and more importantly - where you spend time right now.
I bet that if you go through this exercise and realize how much money you lose to a slow reaction time, you’ll also identify some low-hanging fruit.
That low-hanging fruit? Those are the highest-ROI items you can prioritize on your roadmap.
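One way to run the post-mortem exercise described above, as an added example that is not the author's own tooling: it takes the timestamp at which each of the six steps was completed, computes the hours spent per step, and ranks the steps by median duration across incidents. The field names and the three incident records are constructed for illustration.

```python
from datetime import datetime
from statistics import median

# The six steps of the reaction cycle, in order; each value below is the
# time that step was completed. "first_attempt" starts the clock.
STEPS = ["detect", "assess_scope", "root_cause", "design", "test", "deploy"]

# Constructed post-mortem records (not real incidents). None = not recorded.
INCIDENTS = [
    dict(first_attempt="2024-03-01T02:00", detect="2024-03-03T02:00",
         assess_scope="2024-03-03T08:00", root_cause="2024-03-04T08:00",
         design="2024-03-04T14:00", test="2024-03-05T14:00",
         deploy="2024-03-12T14:00"),
    dict(first_attempt="2024-05-10T00:00", detect="2024-05-11T00:00",
         assess_scope="2024-05-11T04:00", root_cause="2024-05-11T16:00",
         design="2024-05-11T20:00", test="2024-05-12T08:00",
         deploy="2024-05-16T08:00"),
    dict(first_attempt="2024-08-20T00:00", detect="2024-08-23T00:00",
         assess_scope="2024-08-23T08:00", root_cause=None,
         design="2024-08-24T20:00", test="2024-08-25T08:00",
         deploy="2024-08-27T08:00"),
]

def step_hours(incident):
    """Hours spent in each step; None if either boundary was not recorded."""
    marks = [incident.get(k) for k in ["first_attempt"] + STEPS]
    times = [datetime.fromisoformat(m) if m else None for m in marks]
    hours = {}
    for step, start, end in zip(STEPS, times, times[1:]):
        if start is None or end is None:
            hours[step] = None  # do not guess across a gap in the record
            continue
        delta = (end - start).total_seconds() / 3600
        if delta < 0:
            raise ValueError(f"{step}: completed before the previous step")
        hours[step] = delta
    return hours

def time_leaks(incidents):
    """Median hours per step across incidents, slowest step first."""
    samples = {step: [] for step in STEPS}
    for incident in incidents:
        for step, h in step_hours(incident).items():
            if h is not None:
                samples[step].append(h)
    medians = {s: median(v) for s, v in samples.items() if v}
    return sorted(medians.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for step, h in time_leaks(INCIDENTS):
        print(f"{step:13s} median {h:6.1f} h")
```

In this constructed data the ranking puts deployment and detection far ahead of design and testing, which is the kind of result that turns "where do we spend time" into a roadmap priority.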
Now -
Want to increase your accuracy? Decrease your reaction time.
Want to decrease false positives? Decrease your reaction time.
Want to onboard faster? Decrease your reaction time.
Want to reduce your losses? Decrease your reaction time.
It is that simple.
Have questions or feedback? Reply to this email, I read all messages.
In the meantime, that’s all for this week.
See you next Saturday.