Donna – Your Personal Scam Detective

Inspiration

Scams and phishing are exploding in scale and sophistication. In 2024, the FBI reported $16.6 billion in losses from internet crime in the U.S. alone. Globally, around 1.2% of all emails are malicious — that’s on the order of 3.4 billion phishing emails per day. Meanwhile, invoice fraud, where attackers impersonate vendors to submit fake bills, consistently ranks among the most costly scam types: a report by eftsure notes that fraudulent invoices led to $132 million in losses in a particular year. Given this, protecting transactional emails (invoices, billing requests, vendor communications) is critical — one slip-up can cost organizations or individuals thousands or millions of dollars.

Existing email providers (like Gmail and Outlook) already use spam/phishing classifiers at scale. Gmail’s system applies layered filters and classification models to divert suspicious mail into the Spam folder. Microsoft’s Outlook/Office 365 adds a quarantine mechanism: high-confidence malicious mail can be held before delivery. However, they must run extremely conservative thresholds (nearly 100% certainty) before quarantining or flagging, because misclassifying a critical business email or an urgent invoice would not be acceptable, and they can’t risk taking responsibility for users missing valid messages.

This conservative stance means many fraudulent invoices slip through, or legitimate invoices get lumped into spam/quarantine. The trade-off is stark: fail to flag a fake invoice, and someone loses money; flag a real one, and a legitimate payee might be ignored or delayed.

What we do

We saw an opportunity: instead of treating all incoming emails the same, we built a system focused only on actionable, transactional emails (invoices, billing requests). Then we shift emphasis away from coarse classification (spam vs. not spam) and toward verification against real-world data — phone numbers, addresses, domain legitimacy, and external company lookup. In other words: weed out the noise early, then apply robust verification to the high-risk subset.

Donna is an intelligent email fraud detection system that combines AI-driven analysis with real-world verification. It first uses a minimal Regex classifier to liberally grab all incoming emails broadly transactional, and use Gemini API to read the selected emails, detecting billing intent, and then verifies the truthfulness through sender domain, extracts company details such as phone numbers and addresses, and cross-checks those details online through Google Custom Search.

Instead of a vague spam/not-spam label, Donna applies a three-tier decision system: “Legit” when billing details are fully verified, “Call” when partial verification requires a human check, and “Pending” when data is insufficient and human review is needed. This makes every decision actionable and transparent, reducing both false negatives and false alarms. When encountering suspicious emails with seemingly off domains, Donna will automatically search through available information in our database and the web to determine whether a call to the official number is needed, and verify the invoice legitimacy with a human customer service.

How we built it

Backend (Python/FastAPI)

Gmail + Google APIs (Gemini AI, Custom Search)
Supabase with PostgreSQL for storage and real-time auth
Custom fraud detection ML pipeline

Frontend (Next.js + TypeScript)

Responsive, secure interface with Tailwind CSS
Dashboard with fraud detection metrics and WebSocket live updates

Security & Privacy

End-to-end encryption, row-level security, API key management
Full audit logging for compliance and transparency

Challenges we ran into

One of the biggest challenges was dealing with incomplete or fundamentally limited data. Since there is no publicly available labeled dataset of fraudulent invoices, we had to engineer a hybrid approach that combines LLM (large language model) reasoning with research-backed metadata analysis and traditional NLP.

Another major difficulty was determining the right thresholds and prompt structures to ensure our evaluation was both seamless and fair — strict enough to catch fraud but not so strict that legitimate invoices were blocked. On top of that, we had to integrate AI features into each stage of the pipeline and the frontend simultaneously, all while working against tight time constraints.

Accomplishments that we're proud of

We’re proud that we designed and delivered a fully functional, well-informed fraud detection pipeline. Our call agent component was able to provide correct information and verification cues, even when the call recipient behaved unexpectedly or uncooperatively. And perhaps most importantly, we’re proud of the core idea itself: a system that unifies multiple verification methods to solve several persistent problems in the same domain, going beyond standard classification to real, actionable fraud prevention.

What we learned

Fraud detection requires layered verification, not just classification.
End-users value explainability as much as accuracy—knowing why an email is flagged is critical.
Combining AI with structured verification (phone/address checks) drastically improves reliability.
API orchestration and rate-limiting are real-world engineering bottlenecks.

What's next for Donna

Smarter ML: Continuous learning from flagged emails and user feedback.
Multi-language support: Broader fraud detection globally.
Native mobile app for real-time alerts.
Enterprise features: Corporate email system integration and compliance tools.
Open API marketplace: Allow third-party integration with existing security stacks.