- Welcome to the Cyber5, where security experts and leaders answer five burning questions on one hot topic in Actual Intelligence Enterprise. Topics include adversary research and attribution, digital executive protection, supply chain risk, brand reputation and protection, disinformation, and cyber threat intelligence. I'm your host Landon Winkelvoss, co-founder of Nisos, a managed intelligence company. In this episode, I talk with the Allure Security CEO, Josh Shaul. We discuss how to make cybersecurity consumable for a small enterprise, particularly around account takeovers. We talk about the life cycle of an account takeover problem for small business, how to solve it, and truly make a problem go away that shows clear return on investment while making it more expensive for an attacker scamming consumers. We also discuss the conundrum of cyber security and that most technologies are over-marketed against advanced persistent threats, and under-engineered to problems that really matter to small and medium-sized business such as account takeovers. Stay with us. Josh Shaul, welcome to the show, sir. Would you mind sharing a little about your background for our listeners?

- Yeah, Landon, and thanks for having me on. My name is Josh. I'm the CEO at Allure Security. I've been in the security industry for a long time. 20-something years, spent a bunch of time way back doing crypto, and the early days of VPNs and secure communications on public networks, and have been doing internet security around web applications and websites for almost 20 years now. So been hanging out around the denizens of the internets through my entire career.

- No, I appreciate joining and look forward to this. You know, kind of starting out, describe a day in the life of the problems that you solve for clients. You know, I think when you think about account takeovers, it's more than just email accounts to your email. These can be web applications for clients.
They can be internal portals, can probably be a range of things. I'm kind of curious what the problems you're solving, and you know, who are you usually solving for? Are you solving for small enterprise, are you solving for the Fortune 500?

- Yeah, thanks Landon. So we're trying to solve a problem that's been around on the internet forever, but has been basically unsolvable until now, which are impersonations, online impersonations that drive scams to steal information from folks who were using the internet. This is mostly a problem that targets the customers and the general public of enterprises, rather than the employees of the enterprises. At least that's what Allure is focused on is protecting customers, partners, folks that are outside of your organization from scams that leverage a company's brands and branding online to trick people into giving up their data. We're doing this for various size organizations, but most of them that we've interacted with so far have been fairly small to medium size enterprises. And I think the reason for that is that these impersonation scams, while they've been around for a really long time have just over the last year or two kind of expanded to go after a lot more enterprises than they'd been targeting before. In the past, it was just a set of top banks and financial services companies, but it's really moved both down-market and financial services to all different sizes of banks and crypto companies, and moved laterally to other industries. These scammers that know how to set up a webpage or a website or a social media page, or a mobile app that impersonates a known and trusted brand, have become really creative in the ways that they use those scams to get different kinds of data for different reasons that they can turn around and monetize.
And so back to the day in the life question that you asked, we spend our time with software that's out scanning the internet at scale, looking for impersonations of thousands and thousands of brands that our software knows how to recognize. Our software is constantly giving us these detections. They're saying hey, this site over here, it's impersonating this brand, but it's not that brand. And what our team is doing is working to find those, those impersonations fairly early in the life cycle. And then we're trying to remediate them. So we're working with partners like Google, like the antivirus vendors to get these scam sites and pages blocked using people's browsers and operating systems and existing security tools. And then we're working with the hosting providers and the registrars to get these scam websites cleaned up and removed from the internet, all while we actually spend some time messing with the scammers themselves to make sure that they really can't get any value out of the scams that they're running. And we do that by giving them data that seems like good data, but doesn't actually turn out to be. So it's a lot of stuff that's happened. Finding these scams, blocking them so the victims can't get in, and then basically giving them a bunch of deceptive data that's designed to break the business model for the scammers, designed to make the cost of running these scams so high, that it doesn't make sense to run it.

- You touched on a key aspect that I think that the industry really is struggling with. And that is how do you increase the return on investment for the attackers, understanding that probably, you know, 95% of attacks, you know, are financially motivated. You know, you have to be able to disrupt the return on investment for an attacker to really have them kind of go elsewhere. And so when you kind of talk about going elsewhere and increasing that cost on them, you really gotta be able to deliver that solution really at scale.
There's hundreds of thousands, if not millions of applications on the website that a customer might be concerned with, particularly a small business or a small application, walk through how you do that really at scale. And of course I can see this being very viable for a small technology company that is just stood up, but I'm kind of curious also how that scales to let's say a medium size you know, financial exchange, right that might have hundreds of front-facing applications. Scammers are standing websites up. It's just a ridiculous scale. So kind of talk through how you kind of scaled to that level?

- Let's talk through a few different scenarios. I think the first one that's interesting to talk through. Let's imagine a leather company that's maybe making jackets or boots. It's just got themselves a name. They've been running in New York for a few years, they've got a boutique shop, and now they're selling on the internet. And they've started to build a broad reputation for themselves. And they've got some desirable products. Company like that who hasn't spent much time doing business online, really traditional brick and mortar kind of business that's growing fast, brings the business online, and a lot of this has happened over the last couple of years, particularly with COVID right? So these companies, it was really difficult to do business in your boutique shop in New York. So bringing the product online made a lot of sense. And effectively these companies are waking up realizing hey, I'm starting to get a lot of customer service calls that are complaining that I bought product from your website, but I never got the product. But I did get charged.
And as those companies go through that kind of phase, where they start to realize there's a lot of complaints, eventually they realized these complaints are sourced, not because of their website, and not because of orders that they didn't deliver, but because folks have set up websites that look just like theirs, and are offering their products, these boutique products at some discount that isn't available from the actual shop. That's typically the scenario that Allure engages with a company like a small enterprise. They built a business, started to do business online, but very quickly realized that doing business online was more complicated than they had expected. And it's because scammers are scamming their customers. Just setting up copies or fake versions of their online shop, putting up ads, typically driving folks to that saying hey, 35% off these great leather goods, and then taking the credit card and not delivering. So Allure's job in that scenario, first thing to do is to go identify where are all these scam websites? And then as soon as we identify them, get them blocked. What happens at that point is the scammer who's been running this scam, well they just set up new sites. Because they've been doing this for a while and they've been making a lot of money, and they know that every once in a while, they got to rotate their sites. But as they set up this next round of sites, our job is to find them right away, and shut them down right away. And that's a very different experience than what that scammer's felt in the past. They might've had sites that lasted for weeks or even months. Now they had a site that goes up and gets taken down and blocked typically within hours of it initially going up. That starts to cause the scammer, who's learned a lot about this leather business in New York, who really has spent time building a nice website with a set of nice product images and all to start to try to change their tactics. Hey, how are you finding me? 
Are you finding me by the domain names that I've selected? Let me select different looking domain names. Are you finding me by things like the page title that I put on my page? Let me put a much more generic page title. Are you finding me by identifying the logo on the website, let me manipulate that logo so that your automated logo matcher won't find it anymore. You start to see the scams mutate, and that's when the cost starts going up for the scammer, right? Because now, instead of just putting up these copies willy-nilly wherever they want, now they have to spend a lot more time thinking about what's happening here. And at the same time, the scams don't last long enough for them to actually get a meaningful number of victims, if any, into a scam to collect money, so revenue starts going down, costs start going up. We're continuously now chasing them as they set up new sites, and as they change their tactics, to keep finding them and stopping them before they're able to again, generate much revenue. So you see that cost of business going up. And then as we start to layer on top of that, at least for the folks that are looking for more than just transactions, but also usernames and passwords and things they can use for account takeover, we'll start giving them deceptive data, usernames and passwords that look just like the ones that they want, but aren't good. Don't actually allow them to log in, and in fact, allow us to catch them, to chase them and trace them. That again, levers up the cost of them doing business, because now they've got all this data that they can't use, and that's highly risky for them to even sell. So a few, again, a few components to the process here, but we're trying to make it so that the scams last a much shorter period of time, ideally less than an hour. So you get no victims at all.
We're also trying to make it so the scammer has to work really hard to set up every scam in a unique way, in a different way to try to figure out what's being done to detect their scams, so that the cost of every individual scam setup goes up. And then we're trying to give them data they can't use. So now they've got to sift through all this data and try to figure out which we've done our best to make impossible. Like what data might be good, what data might not be good, if they use data that's not good, they risk themselves being exposed. We're ratcheting up the costs in a number of different dimensions, all with the general sort of notion that I really think of as like the foundation of most of these adversary based security situations is I don't really need to outrun the bear. I just need to outrun you. And I think that's the scenario that we face out here is as long as we continue to raise the cost for folks who are targeting our customers, and raise the cost to be much higher than it is to target other businesses in the same industry, the scammers will pivot to those other businesses as we've seen them do again and again and again, in all different areas of security.

- I'm just kind of curious. Because if you think about intelligence, right, intelligence is data and information that's analyzed, and that is you know, disseminated in which it's timely, actionable, and relevant. Everything that you're describing here really almost kind of feels like the entire intelligence life cycle with collection as well as analysis, as well as dissemination, kind of the full suite of services.
I'm just curious kind of like from what you kind of described, how much of this is managed services versus pure automation, because I mean it feels like it's a lot of both, that's really bringing customers, not only that full kind of like stop the gap, but then when you're feeding fake information to the scammers to really increase their ROI, there's probably some, a little bit of legwork there. I'm kind of curious kind of how that works.

- [Josh Shaul] Yeah, look the idea we had here was that we need to solve this problem comprehensively for the clients that engage with us, and we interact as a fully managed service. Please let Allure solve this problem for you. And we take on all the different aspects. My goal building and running the business is obviously to make the business as efficient as possible and to leverage automation as much as I can to make us efficient while giving us really good results. I've been doing this kind of thing for a long time Landon. And I've set up quite a few managed security services businesses, and I failed plenty of times. And the failures as I've looked back on them in my career have mostly been because we made assumptions about how the process was gonna play out, and tried to automate these processes that we were, in whatever different problem we were trying to solve, before we had done the really hard, really expensive legwork, of doing the stuff manually. I learned from those failures. And what I realized was if you're gonna build something that's automated, if you're going to build a system that does basically what human analysts have done in the past, and you want to automate it, the only way to do that is to do it manually, and to really learn the ins and outs of the problem so that you can start to automate bits and pieces of it that you reliably know the automation is gonna produce the same result as the human analyst, but in a broader scale. And so that's sort of the mindset that we went into this with.
We started with a very, very simple list of automation in our world. Let's just get together a list of sites that we want to start to examine. And let's hand them to a human to examine. The very simplest of automation. Let's look at new websites that are being registered on the internet that have a name that's interesting to us. And we started having a person analyze those sites. And as the person, they analyze those sites, and looked at them and said hey, this is what I see. These are the things about this site that make me think it's safe. These are the things about this site that make me think it's risky. We started to learn from that and build software that could make those same decisions. It started with simple things like analyzing URLs and certificates and WHOIS data. Stuff that's a simple text based analysis, and then expanded to be much more comprehensive, to do a lot more perceptual image matching and processing where we're trying to replace human eyes with image processing algorithms and machine vision. So that's been where we're at. Today, most of the work that our software does is automated. All of its analysis and detection is automated, and most of the remediation is automated, but there are human components that fit in. Every detection that our software generates is analyzed by somebody on my team before we respond. And that's critical. There's just so many opportunities for there to be a false positive in this world. And I'll give you an example, a customer comes to us and says hey, protect my website. Here's my website. They forget to tell us that they have three other websites that operate in different countries that have a different, that are in a different domain with a different certificate, but have the same content. They have the same basic, same logo, same products, or same kind of financial services products but different language. You know, we find the version of the website in Vietnamese.
We don't want to respond to that if it's the legit company's website, they just haven't told us about that. So there's a little bit of human analysts time that gets sunk into every detection before response. And then our response process is inclusive of both automated and manual components. On the automated side, all of the work we do with partners, all of the submissions to browsers and operating system vendors and security vendors, that's all fully automated. Once we've made the decision that it's time to remediate, the take-down activities are partially automated. Our software does stuff like create the templates and write the take down notices and all those things. But it's my team that's making phone calls, sending emails, filling in forms, typing into chat boxes, and actually engaging aggressively with the registrars and the hosts, and the others who are involved in the landscape to get sites taken down. And then you mentioned that the deception stuff, that's almost entirely automated with the exception of deciding that we're gonna do it. So there's a person who's sitting, again, an analyst who's sitting there saying hey, does this scam make sense for us to do an injection into? And if it does, okay, I'm gonna go tell the software to do that injection. And there's a tiny bit of setup that goes with it, so that the software is really sure that the input box that it thinks is the username box really is, the input box that it thinks is the password box really is, that the submit button really is that right button. There's a little bit of confirmation that our analyst team does, but then the actual injection of data into these sites is fully automated and distributed in such a way so that the traffic that's actually hitting the scam sites looks indistinguishable from the traffic that would come from real victims.
And that's one of the keys to this system is making it very hard for an attacker to differentiate our access to their scam sites, whether that's to inject decoy data or deceptive data, or even just to collect the site in the first place for analysis. We want to make our access look exactly like a victim access so that the scammer doesn't have some way of just blocking us or giving us different content, or trying to manipulate us because they see that we're coming from a network or with network traffic that again, doesn't look like victim network.

- [Landon Winkelvoss] I love the fight against adversaries, particularly on the behalf of small business. It's just not done enough really in this industry. And you know, with that said, I think that much of technology is over marketed really toward the advanced persistent threats. You know, a lot of your EDR vendors, you know, really is where we're talking about there. Often it's under engineered to the threats that really matter, which we've been talking about here the last 20 minutes. Would you agree or disagree? And what are your thoughts on you know, really how I think you've been talking about really how to address this, but I mean, you kind of generally agree with that sentiment that a lot of the technologies out there is just really completely under engineered to really the threats that really matter to business?

- [Josh Shaul] I think there's a big buzzword problem in the cyber security industry, and there's been a big buzzword problem in cyber security since there was an industry, as far as I know, and I've been around for a little while, and these terms catch on. I remember when DLP caught on, and it was like in giant letters outside of RSA, like this was the big thing. And then APT was what everyone was talking about, and you know, these sort of themes catch on, and then you have a lot of products and companies that pop up around these buzzwordy themes.
Dark web was you know, for a while like the big buzzwordy theme. And even though people didn't know what the dark web was, I still don't think people know what the dark web is, or can define it in general. But you know, you have all these dark web companies that come out and they just got asked by a customer, can you monitor the deep and dark web for us? You know, my response, a little tongue in cheek is what's the deep and dark web? And what do you want us to look for? You know, it's so interesting how this market has evolved. So I do, I think there's a ton of product out there. It's just built around buzzwords. And there's a ton of purchasing that's happening around buzzwords, where you know, somebody reads about the latest tech trend, maybe like an executive, and they go to their security team, and say hey, what are we doing about the deep dark web monitoring? And it's like oh my God, we got to go buy some deep and dark web monitor. Not necessarily driven at all by these are the top risks, these are the top costs, these are the top issues that are happening for the business. Now, I don't mean to say that just because like the company uses buzzwords, that their products are not right or are right. There's nothing about the use of terms that really even means anything in security anymore. And I find that to be another sort of scary, frustrating thing as you walk the halls of a major security conference. You know, it's been a while since we've walked the real halls most of us, but things haven't changed. So you walk around and you look at company after company that have these very generic messages. You can't even tell what they do. And oftentimes you go and talk to those folks, and they can't even describe what they do, at least not in the kind of technical terms that somebody who's responsible for information security can really consume and say hey, is this gonna help me, is this not gonna help me? I think that's scary.
And I think that that's one of the major reasons why we have so many data breaches today, and organizations large and small, where they think they've got the problem covered, where they've spent a ton of money, where they've got some of the latest products, but you know, if you haven't really thought about what the threats are to your business, and then you haven't mapped technology with real capabilities to those threats, it shouldn't be that big of a surprise when you know, your fancy whatever buzzword system doesn't catch the attack because the attack had nothing to do with that buzzwordy problem.

- [Landon Winkelvoss] Well, I think what you're talking about really is the business of security. And that is what is an appropriate risk based approach to defending assets that make the company money. I think that also us as a company, us as an industry as a whole, often fall short really to do that, which I guess kind of begs the next question really, you know, how do you make intelligence outside the firewall actionable for SMB, right. Because like, if you really think about, if you talk to any SMB, they're you know, doing basic blocking and tackling, right, they're, you know, getting firewalls stood up, they might put a little bit of vulnerability management in, they're trying to get some access control, they're implementing two factor authentication, they're just doing the basics. That's all they can really pretty much afford. And you're really talking about a lot of businesses that are doing this really up to probably you know, a hundred million in revenue roughly, which is a large amount of businesses. So I guess kind of begs the question, you know, how do you make intelligence and really requirements outside the firewall, and how do you make that actionable for a small business?

- [Josh Shaul] My perspective on this is you don't. You action it for them.
Because there's too many things for a small business to be worried about when it comes to just running their own business. And when you get into even the cybersecurity programs, small business, small enterprise typically starts a cybersecurity program driven by insurance requirements. At least that's the way it's happening today. You get a handful of insurance requirements. You need to buy cyber insurance. The insurance says you need to have exactly what you listed out, two factor authentication, firewalls, vulnerability management, those kinds of things. And so organizations they'll go out and they'll hire a managed security services provider. That's the sort of local boutique shop, or maybe the bigger national brand. And they'll fulfill all the requirements on that list, or work together to fulfill the requirements on the list of things you need to get insurance, but has no bearing on what the business really needs to do to protect their business, to keep their costs down, to allow them to operate safely on the internet, to protect their revenue. And so the approach that we're taking is let's just acknowledge that the process that these companies are going through is already consuming all of their resources. They're already too busy to take on another security problem or even another technical problem in most cases. But that doesn't mean the problem's not there, and not causing them pain. And so for us, there's two things that we want to do. First we want to help educate the folks that we're interacting with of like these issues that we're identifying out there on the internet that are impersonating your brand, targeting your customers and partners. Here's how much it's costing you for this to happen. And most small to medium enterprises don't have a framework for thinking about those costs. They don't have a good framework for thinking through how many calls am I getting? What are those calls costing me? How am I interacting internally around those calls? 
Do I have incidents and take downs, is my legal team involved? Do I have external counsel involved? Sometimes there's just a lot of steps in this process. And so we try to help organizations understand like here's the cost. And then here's the impact. If somebody goes and buys a fake pair of sunglasses on a fake sunglasses shop and gets their money taken, well, that money is no longer available to buy the real sunglasses from the real brand. And so there's real revenue loss that these scams are driving. It's not just no customer service costs, and take down costs, and customer dissatisfaction. You're losing money when somebody else is selling your product, either counterfeit or fake, not getting it at all. This is dollars that are flying over the window there. And so helping folks to understand that. Here's the problem. Here's what it's worth to us. That doesn't put them in a better position to solve it, because they've already got their hands full, but at least they know what they're dealing with. And then we offer them the opportunity to outsource the problem, outsource this problem to us. And we'll solve the problem for you for you know, hopefully less money, significantly less money than the problem's costing you. Right, if it's not less money, it doesn't make any sense to engage with a company like ours. But that's generally the approach for the small to medium enterprises. Get educated on what it's costing you and how much resource you're already putting into this that you probably don't want to be. And then look at how much time and money you could save by having the problem solved without any effort. And that without any effort piece is really important to us. For the small to medium enterprise, or even the large enterprise during most of the time, there is no resources available to start another project, to integrate more technology, to rack and stack more gear, to put another line of code in the application. So we just don't ask for any of that. 
We get along and try to help companies and say hey look, you really don't have to do any integration with us at all. We go do our job completely out there on the internet for you. We can start today, no effort on your part. And that's not to say that we can't do more and better if we do some integration with a company over time, we certainly can. But that starting process with a small to medium enterprise who has a problem, who realizes that problem's costing them something, who doesn't have time to solve it, we allow them to exchange that problem for some money, and solve it for them. That's the approach that we're taking. So again, like you asked me about making it actionable, I just think that it's not really the right approach to try to make the data and the intelligence actionable for the small to medium enterprise, which is totally different from the Fortune 100 enterprise that wants that data and wants to investigate it. But I think for the vast majority of the market, most of these security issues, fraud issues, scam issues are just things that if they can make the problem go away, that's the ideal way of dealing with it.

- [Landon Winkelvoss] Let's dive into that. 'Cause I mean, I think that's absolutely a fascinating approach, but kind of if they're spending more time and effort battling the problem, that's got to cost more than ultimately your services and technology. I think that that's a critical aspect, and you know, just as a corollary right, you know, there's email security products, right, that exists, you know, if they're defending against a business email compromise, and they can say that they're reducing business email compromise and without their services, companies gonna lose $15 million on business email compromise. I mean, that's a pretty easy ROI type example. And that's kind of, you know, kind of what you're describing. I'm kind of curious from soup to nuts, you know, from beginning to end, give me a good case study you've tackled.
And then what is that ROI? Larger organizations are probably, you know, wanting to take the information and kind of dig into it. And they go down various lengths of attribution to really find out if they're a target of attack or target of opportunity, whereas small business just wants it to stop, right? So I'm kind of curious, you know, just a good case study that really shows that you know, return on investment, where this is clearly costing us more money, we're gonna use your solution, that it actually does go away.

- [Josh Shaul] Yeah, so local credit union, Idyllic, New England to Northern New England community, winter time, snowy, everything looks great. Every single day for a month, this small credit union has at least one up to three new impersonations of their website pop up on the internet. And this credit union has been around for a long time. Never seen one of these, or at least never heard of one of these before hitting their business. And they find out about it because they're getting calls from their customers. This is a company whose customers are special to them. It's a credit union that targets a specific market segment, and they really care about their customers, and their customers were calling and saying hey, I got this advertisement, this email that were very, this text messages that were various vectors, all sending me to a site that looks like yours, but I don't think it's yours. And what they found was that each one of these sites that were going up over this month, it was February, they were getting two or three of their customers were actually being compromised, were actually giving up their username and password onto these scam sites. And their accounts were being taken over. So this credit union came to us, and you know, described this problem to us, said hey, this is you know, really, really an issue. And we've never seen it before. And you know, we don't really, does this happen, is this a thing?
You know, we know this happens to bigger companies, but so we integrated actually into their website right away. With, for banks can be really effective if we drop a little bit of a single line of JavaScript into the company's website and for a small bank, not a major process to drop like a marketing tag onto the website. So we did that. And 12 minutes after we had put our little marketing tag on their website, our software detected the first impersonation of their brand. We saw it as it got set up. We saw it was being set up through a VPN that was being accessed from Japan, from Choda. We were able to capture some information about the at least the VPN based access that the scammers were using to set it up. Then we saw them begin to distribute the links to the scam, and we could see the distribution because when you, as the links get sent out through email, there are inbox security tools like the email security stuff you mentioned earlier that will actually sort of click on links and look at what's there. And so we're seeing that activity of the inbox security tools scanning the site. And we were able to actually work with our partners to get the site blocked and eventually taken down. That process just repeated again and again, and for about a month, we saw that level of activity that they'd been seeing for about a month. One to three new impersonations popping up every day with this really interesting pattern of, we always see the first request either from this network in Japan, or there were two or three other networks that we saw these initial requests come from, but they were always VPNs. Like we're always seeing the attacker come through the VPNs, but we're finding these scams, and we're finding them again, the moment they're getting set up because of the way our technology was working. 
And we were able to get them blocked by folks like Google and others, and then taken down in a timeframe where we were able to show that there were no victims, no actual victims were hitting the site. And our tech was interesting in showing that to this credit union, but the proof for them was the reduction in the calls. So for every scam that was going up, they were getting two or three calls where people were saying I got compromised, and a handful more calls of just like I think this is a scam, you should be aware of it. After we deployed, and we were there it's been 10 months since we deployed, they've only gotten one call, a single call. And it was very quickly after we had deployed about somebody being concerned about a scam that they had been involved with. And so this went from you know, a level of 9-10 calls a day, sometimes more, to one call in 10 months. This was just to make the problem go away, just to make it stop. We don't really need to know who the scammers are. We're not gonna pursue them. It's not that interesting. Just make it stop. But we had this pattern of accesses that came in through these set of networks. And then there was a first access that came from somewhere else. And that first access that came from somewhere else was clearly the scammer who'd forgotten to connect with a VPN, which you know, you've heard this story a million times in security. If you have to, you know, you screw up one time and you get yourself caught. Well, in this case, the scammer had, it made some mistakes that they'd forgotten to connect to the VPN. When they set up their site, we were able to get their local IP address, provide that to our customer, that the customer then decided you know what, maybe it's a good idea for us to call the FBI. They called the FBI. We provided the little bit of data that we had that was useful and the scam stopped. So that, and I don't think that's atypical. 
I think that's the kind of thing that we see happening in different variations. Although the scammer doesn't always reveal themselves, and have the opportunity to engage law enforcement. We do see this process of being able to sort of get in there as stuff is starting to happen, and really create an environment where just doesn't make sense for the scam to run more. And there's so many small credit unions they can go target, so they move off of this one, 'cause it's not working anymore, and go target the next one, which undoubtedly was where that story had started. Like the scammer didn't pick this credit union first. They must've been scamming someone else, and then they realized hey, I can do more of these things. They're not expensive to run. They're really easy to set up, at least at first when there's no real security program in place. - [Landon Winkelvoss] What was the order of magnitude of business loss that they were incurring from this? And I don't need to know specifics, right. But like range wise or, you know, kind of just in the aggregate, what was that looking like? Or that was a pain point that maybe needed solved. - [Josh Shaul] The way that we're measuring this was typical account takeover costs that they had experienced in the organization. And what kind of money is being wired out of the accounts? What kind of money is moving, and what they found was that under five grand, under five grand was the typical amount lost. And I think the reasons for that go back to how banks in the banking system deal with wire transfers that are smaller than $5,000, versus ones that are larger. They tend to have a lot more scrutiny on them. So what we saw was a little under five grand per loss. So we modeled $5,000 as the typical loss around these things. Then we added in a little bit of analysis on like customer service time. 
These calls when somebody is getting scammed are not the four minute customer service call you know, push the reset button, and everything's fine. These are 60-90 minute calls on average, where it takes a long time before you even realize that there's a scam involved. So we modeled some customer support costs based on the number of calls they were getting, although that's sort of de minimis compared to the $5,000 of loss. And then we looked at the frequency. So as they started with us during that first month, one to three scams a day, two to three victims per scam, they were looking at between two and 10 victims per day for about a month. That's big numbers. So if it's $5,000 per victim and you only have two victims a day, and you've got two victims a day for almost an entire month, maybe it's just 20 days in a month, that's $40,000, right. I'm sorry, that's bad math. That's, it's a hundred thousand dollars in a month in loss, just from 20 victims of scams coming through. And all that money has to be recouped and pulled back. And there's a lot of complexity that's involved there. But that though, that was the sort of volume for a very small scale kind of situation where they're spending just huge amount of time, huge amount of fraud loss for a business of this size. And then basically consuming a full-time senior resource, trying to run around and play whack-a-mole to get these things taken down and dealt with, which is not that easy. So those were the general components. We looked at customer service time, the time spent by the senior security staff, and then the actual fraud dollars that were moving. And you know, you put those things together and it's a pretty compelling amount of cost that these scams are driving that you could, that you can cut into in a significant way if you can make the scams go. - [Landon Winkelvoss] Josh, love what you guys are doing at Allure Security. I appreciate your time today. And certainly congratulations on all the success. 
And again, wish you guys well through the holidays, and success through the new year. For the latest subject matter expertise around managed intelligence, please visit us at www.nisos.com. There we feature all the latest content from Nisos experts on solutions ranging from supply chain risk, adversary research and attribution, digital executive protection, merger and acquisition diligence, brand protection and disinformation, as well as cyber threat intelligence. A special thank you to all Nisos teammates who engage with our clients to conduct some of the world's most challenging security problems on the digital plane, and conduct high-stakes security investigations. Without the value the team provides day in, day out, this podcast would not be possible. Thank you for listening.