Use case · banking & fintech

Phishing triage as an API. Instead of 40 people in the anti-fraud team.

phishing@my-bank.de gets 6,000 customer reports per day - many harmless, some real. Let the classifier triage before your team opens a single mail.

"90 % of reports to phishing@ are real phishing we just archive. 10 % are false alarms. We want the 10 % immediately." - Head of Customer Trust, direct bank
BaFin readiness: MaRisk-compliant audit trail, EU SCC for US sub-processors, full deletion cascade on request.
01
The problem

6,000 mails per day, reported by real customers.

Every one must be classified - either "known phishing, archived" or "new variant, investigate". Most banks do it by hand. It doesn't scale.

Your customers are the best early-warning system you have. When a new phishing template appears, an alert customer forwards it to your phishing@ inbox within hours. The problem is what happens after.

A human operator takes two to five minutes per mail. At 6,000 a day you need a 30–40 person team doing nothing else. Or you archive everything unchecked - and lose the early warning.

Scampilot classifies in under five seconds per mail, groups by phishing template, and surfaces only what's new to your team. 6,000 becomes 12.

Throughput: 2880 req/day standard, higher by contract. Bulk endpoint POST /api/v1/scan/batch in preparation.
Privacy in the inbox: Customer PII is masked before analysis on request. Configurable per API token.
Inbound email: You forward phishing@ to a Scampilot address. We reply per mail with the report and webhook-push to your system.
02
Workflow

What arrives at you, what arrives at us.

A concrete example pipeline, from forward to anti-fraud dashboard.

01

Customer forwards

Customer Bauer sees a suspicious Sparkasse-branded mail. She clicks "Forward" and sends it to phishing@my-bank.de.

02

Inbound email

Your mail rule forwards the mail (including all headers) to phishing-triage.x7q3@in.scampilot.de. We accept it within 500 ms.

03

Analyze + cluster

Scampilot inspects the content and compares its signal fingerprint against the last 24 hours. If it matches a known template, we cluster it. If not, we escalate.

04

Webhook push to your SOC

One HTTP POST per report to your endpoint. Payload contains verdict, confidence, all signals, evidence strings, cluster ID. Secret as a path suffix - rotatable.

05

Dashboard for new only

In your anti-fraud tooling you only see clusters that first appeared today. Average: 8 to 15 per day. Plus an aggregation of known templates for your stats.
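
A receiver for the webhook push in steps 04 and 05, as an added example that is not Scampilot's code: it checks the path-suffix secret in constant time, keeps the previous secret valid during rotation, and routes only clusters first seen today to the dashboard. The path prefix, the secrets and the JSON field names (cluster_id, verdict, confidence) are assumptions; the page names the payload contents but not their keys.

```python
import hmac
import json
from datetime import date

# Assumptions: hypothetical path on the bank's side and constructed secrets.
WEBHOOK_PREFIX = "/hooks/scampilot/"
ACCEPTED_SECRETS = ("new-secret-constructed", "old-secret-constructed")  # current + previous


def secret_ok(path: str) -> bool:
    """Check the path-suffix secret in constant time against each accepted value."""
    if not path.startswith(WEBHOOK_PREFIX):
        return False
    presented = path[len(WEBHOOK_PREFIX):].encode()
    # Evaluate every comparison (no short-circuit) so timing does not depend on which matched.
    matches = [hmac.compare_digest(presented, s.encode()) for s in ACCEPTED_SECRETS]
    return any(matches)


def redact(path: str) -> str:
    """Path form that is safe to log: URL paths land in access logs, the secret must not."""
    if path.startswith(WEBHOOK_PREFIX):
        return WEBHOOK_PREFIX + "[redacted]"
    return path


def handle_report(path: str, body: bytes, first_seen: dict, today: date) -> tuple:
    """Return (http_status, route); first_seen maps cluster ID -> date first observed."""
    if not secret_ok(path):
        return 404, "rejected"  # same answer as for an unknown URL
    try:
        report = json.loads(body)
        cluster_id = str(report["cluster_id"])  # assumed field name
        float(report["confidence"])             # assumed field name; must be numeric
        report["verdict"]                       # assumed field name; must be present
    except (ValueError, KeyError, TypeError):
        return 400, "malformed"
    if cluster_id not in first_seen:
        first_seen[cluster_id] = today
        return 200, "dashboard:new_cluster"
    if first_seen[cluster_id] == today:
        return 200, "dashboard:existing_cluster"
    return 200, "stats:known_template"
```

Once the sender has switched to the new secret, drop the old value from ACCEPTED_SECRETS to finish the rotation.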

03
Compliance

Contracts your compliance team waves through.

We've already run the DPA past two German bank legal teams. Adjustments can be handled as an appendix.

Data processing: Standard DPA (GDPR Art. 28) + EU SCC for AI/email providers as sub-processors.
Retention periods: Configurable per tenant: 30 days to 7 years. Deletion cascade is automatic.
MaRisk audit: Append-only database log, available as a signed export on request for audit review.
Tenant separation: Row-level security in the database, one token bucket per tenant. No cross-tenant visibility possible.