Trustmi: Using AI to Secure the B2B Payment Lifecycle

Truth in IT
12/21/2025
Transcript


Hi, Mike Matchett with Small World Big Data. We are here today talking about, you know, one of the things that's concerning most people, which is AI and how it might be being used against us or how we might use it to stop being hacked. Uh, basically, we're all being socially engineered, right? Day after day, we get spam calls, we get phishing, phishing. We get it's just people become the weakest link. And AI is really good at impersonating people. So it's a growing problem. I've got Trustmi here today, though, they've got some solutions they want to tell us about, so just hang on. Hey, Shai, welcome to our show.

Hi, Mike. Good morning.

Uh, so. Trustmi, uh, AI, uh, is a company that. Tell us. Tell us how you got started with Trustmi or how Trustmi got started here. What what what caused you guys to get going?

Sure. So, um, briefly about myself. My background is long time cybersecurity. I started to do hacking when I was 13 years old. When I was 18, I was 18. I went to the military, spent eight years doing offensive security. Then I realized that I can leverage my experience in the offensive side and go to a bigger challenge and play in defense. So I went to a bank. I've been there as a CISO for eight years, done this period of time. I work with a lot of early stage companies. I really enjoy the idea of innovation, of solving business problems using technology, and decided that I want to build my own company. So I was of course aligned to the dioxide, went to cybersecurity startup to learn how to build my own company. And then I started to ask me.

Do you have a whole range of hat colors on your wall back there behind you?

Right. And to your point, you asked me how we got to that point. So, you know, when I worked at the bank, I did a lot of work in the area of fraud prevention. Fraud in the bank is more focused on the banking side, B2C of the house, but we had also a lot of corporate customers. So I saw it happening more than once to our one Quobyte customer.

And exactly, you know, it's become a very big problem. So I can attest, I know personally somebody who got hacked this year, you know, north of six figures. Uh, and some of that was social engineering right in the middle of fooling not his company, but the companies he was dealing with. Right. And just getting in the middle and going both ways. Uh, so. So you picked up a goal, uh, to eliminate social fraud. Uh, and when did you. When did how long? How long has Trustmi been going? How long have you been in business?

Almost four years.

Four years. Okay. And how's that going? I mean, is it I mean, I assume business is growing.

Growing fast. Yeah. So you started the conversation about speaking about AI, and, you know, the problem of social engineering fraud. It's not a new problem. It's here for a long time. If we go back to 2020, I'll give you the the biggest example with Google and Facebook, basically very similar to what you described just now. One of the suppliers in Taiwan was compromised. The attacker can use that to manipulate them, to ask them to change their bank details. And the result? They send $100 million just like that outside, right? And they lost. But when speaking about that, that's long time ago today when you're speaking about GenAI, it's really super charged for the area. You know, we're all here speaking about AI. We all try to experiment what we can do with that. But while we are all playing with that, the cyber criminals already utilize it in a very effective way. So you mentioned you mentioned impersonation, right? Let's think about the example with the Hong Kong company. Basically a very big company that they had a shared service in Hong Kong. They had a case that one someone impersonate the CFO of the company. He asked some of the team to join a zoom meeting. It was already fake. By the way, how do you know that it's me, right? You don't really know. And this session, they asked for you. Why? Instruction.
And the result was $25 million of loss. So I really played a big game here and that's we see it everywhere, like you see the volume that we come to to be much higher, but also the sophistication. So it's really a game changer in that place.

Yeah, I saw an example the other day and I apologize. I can't provide pointers to it. Exactly, but it was somewhere on YouTube, I'm sure. Okay. Uh, I might have been saw some other thing, but somebody was actually on one frame, uh, talking and turning their head and saying something. And in the other frame was a completely skinned version of that person with the changed gender, uh, clothing, voice, background, everything. But it was seamless. And I was it was real time. And I was like, well, you really don't know. It's not even just it's just it's just so good at makeup today. Um, just just before we get going too far, when we say social engineering, obviously people think of email and phones is what else? What else can be involved in social engineering?

A lot of things. So think about for a second before we understand how they using the social engineering. Let's break for a second about the B2B payment process. So as you know, payment evolve a lot in the last few years, most of that was on the personal side on the B2C. Think about how you're doing your own personal payment. It becomes very easy, automated, secured. Take your phone and that's it, right? But in the corporate world, in the B2B payment process, it's a very complex process. First, it's involve a lot of different people inside and outside of the organization. Most of the communication are based on email as the source of truth. Although we all know and agree that it's very dangerous, it's still the source for all evil. But everyone accept it as is, right? So that's the most of the communication, especially if you are a global company.
But then you have a lot of different system involved, like you have a procurement system, um, a self-service portal, ERP, uh, the payment itself to a joint management. Each one of them are usually siloed. And on top of that, the finance people are doing a lot of manual controls and processes to try to address and mitigate some of those risks. So now you have a lot of people involved, and for the attacker, they need to compromise that process. So for them to do social engineering can be impersonate some of them internal employee. It can be impersonate someone uh that is outside of the organization. But they have so many different things that they can do in order to do a small change that no one will notice. And at the end of the day, the money will flow out. So I always like to say that this is a classic people process technology problem. Uh, because it's a very comprehensive process. There are a lot of technology involved, but at the end of the day, no one really connecting the dots to make sure that the process itself was impactful. And that's why it becomes super easy ground flow for the attacker to compromise that process.

Is way too many vulnerability points, it sounds like. And yeah, too many complexity, I guess I would say. And people involved everywhere. Um, so I guess so. So when you were, when you were doing this, this work and you started to appreciate how just how many points of vulnerability there might be there, how did you start to think about a design and approach to defend what was what's sort of the overall thought process here going on and saying, how do I put my arms around that, and are you building a wall? Are you are you encrypting everything? What's going on?

So, you know, again, I'm going back to the point that there are a lot of system and there are and it's it's a very comprehensive process. So we did what we know the best from cybersecurity.
So in cybersecurity world the first thing that you learn to do is connect a lot of different data sources. And then you learn how to ingest a lot of data and create smart models around it. But we can also look on a process from beginning to end and protect it. And so we basically leverage all the experience that we had from the cybersecurity side, and we apply it into the B2B payment process. So we basically introduced the first end to end B2B payment security solution. We're using behavioral AI to basically connect all those different systems, different processes, and leverage the existing data to basically extract a lot of features and assemble a baseline of what's legit and what's not. Basically, we are trying to create and detect patterns. So I have young kids. I always like to give the example, you know, it's like those pictures when you zoom in, you don't understand what you're seeing. You've seen a lot of pixels, right? You don't you don't know what's going on there, right? But when you zoom out, you see a dinosaur or an elephant. That's because your eyes can see the bigger picture and detect the patterns. So when you do that in fraud, it's very easy to detect it. But most of the time, and go back to the B2B payment processing complexity, you have so many different people that each part doing their own thing, but no one really looking on the entire picture. Like for example, segregation of duties. Any company that you speak with, they have two different people that need to sign the transaction. Right. But do they know how the invoice was approved? What bank details are you sending to? There are so many different paths and information that they are not aware to. They are basically relying on a lot of other people to do their job properly. But at the end of the day, no one connects the dots. So we apply the end to end process. 
But also we really wanted to create the solution that's going to be fast, effective, meaning we want to be able to block the attack or the mistake before the money is leaving the organization. But on the same token, you know, if there is one thing that people don't like to do is changing their processes.

Yeah, right.

We believe that we need to be part of your process, your process, your way and will protect that. So that's why we thought how we can inject ourselves to the existing flow. And at the end of the day, in B2B world, payment being done in payment cycles, it can be daily, weekly, monthly, whatever is the frequent. So we become the copilot that oversee everything that's going on. And before the organization sending the money, we review it and approve it before sending it.

Yeah, I can just you can sort of like that little angel sitting on your shoulder looking at everything and making sure it's coherent and consistent, uh, and, uh, in line with the things it's so true that, like, you get a large B2B organization or even even a small one, you start to get silos. And the silos each have their own area responsibility, and they don't necessarily talk and share the right data with each other, much less do the right things. Uh, so so you've got a couple of problems there. So I guess I'm curious when you when you talk about making these patterns and you talk about, uh, making the model, I guess that's the important thing, the model of the B2B payment system and the transactions and things going through it. What goes into that? What do you have? What do you have to what do you have to examine and ingest to make a good model of that?

So it's mostly about um, input output I would say like how you communicate on overpayment, how you collect your invoices, and then the output is how do you do the payment itself. So usually we're connecting to the email part because that's the most common way for, you know, this is how you send invoices.
This is how when a vendor want to change their bank details, that's what they're going to do. And on the other side is the ERP. But we're connecting to those type of system. But we are looking very deep into the process. Like how do people communicate with where are they coming from? Uh, what language they use, what type of, uh, context, uh, what files they are sharing, how those files look like, what are the payment details? So we are going very deep in each one of those aspects, and we are going back in this history to leverage what already happened to assemble this baseline. So basically when we go to organization, we always start with one week training. One of the most important part for us was to create something that will be frictionless and seamless. So now in the finance world, they know it as a very long project like ERP implementation. It takes forever.

If it's ever done. ERP is almost never done right. Yeah, obviously because it phases and then they ask for more money for the next phase. Right. And then you redo it.

But anyhow, our approach was we want to create something that will be very fast. So we're connecting a week later the model already trained and we're ready for production.

Okay. So we took a week to really look at even a big company and get get get a big model built. Uh, and and how does that how does that model interact? I mean, how do people interact with the model or how does the model interact? I mean, what what does it look like day to day for someone who's got Trustmi installed and, uh, the interact, are they interacting with it? Is it alerting? What does that look like?

So we become part of the process. And again, going back to that point, usually when they're doing their payment cycle, they take a lot of transaction and they try to review it one by one. So we can collate everything that we've seen to give them a very simple dashboard, that they can see everything connected.
They got the pro, the invoice, all the details from those different systems in one place, and a very simple risk score. Green, yellow or red? Green saying everything is good. Okay, go ahead and pay it. Yellow is suspicious and red. That's a fault. And we're going to block it. So obviously we can and we are alerting when we see something suspicious even before the payment is being part of the payment cycle. But because a lot of the time the attacker try to manipulate the process, even in the last mile, it's very important to be for us part of the payment cycle itself.

All right. Do people question then your security if you're part of the payment cycle obviously.

Yeah. Yeah.

And how do you assure people that you're not you're not that you're not wearing the white hat.

So I must say a big part of that is we when we design the system, we thought we're going to get access to a lot of sensitive data if how we can make sure that we won't become a vulnerability to the organization itself. First, not keeping the data. So although that we are connecting to a lot of this data, we're tokenizing, anonymized, all of that. So we are basically keeping only a fingerprint and metadata. We're not showing any information. And second, we become part of the process. But we are a decision support tool. So we can show you why we decided that that this is okay or not. And you at the end of the day, can override it. But in most cases, that's how we start. We start for a period of time in detection mode, decision supportive tool. But later on, after the company see, uh, how good we are, and they start to trust us, they start to really use it in automated way.

Awesome, awesome. Uh, and, uh, I mean, you mentioned it takes like a week to get the model trained. Um, what does it take to get started? I mean, does someone does require, uh, a big process, an examination, architecture review. What are we looking at?

Look, with big enterprises.
Obviously there are a lot of different things that you need to pass. You need to do a security assessment to ensure that we can do that securely. But at the end of the day, we can be very fast, and we build a solution in the idea that we want to be very flexible, meaning we want to have all the heavy lifting on us. So whatever type of integration you have already in place will connect to that. We'll do everything in our power to make that simple and fast as possible for the organization.

I mean, it sounds it sounds like, you know, we start off talking kind of broadly about social engineering and social fraud. Uh, but really, uh, come to understand as you were talking that like, the biggest reason hackers hack a company, social engineering is to get hold of the money, and the money is in the payment system. And I've got I know that because I've had I've had some, uh, anecdotal, uh, stories told to me about that. And you, you obviously have firsthand experience with your with people doing that. Uh, so this is really taking AI and putting it at the point of the sword, like really at the right place in a company and saying, here's here's a good way to really use models to look at behavior and find abnormal abnormalities, I guess, or inconsistency.

I totally agree with that. And I'm going to tell you more like two more things. First, we start on the payment security and social engineering and so on. But when we started to protect organization we're also seeing that they have problem with fraud, but also with a lot of payment mistakes. And that's happening much, even much more. And just to give you perspective, in the last year, Trustmi, process $200 billion from our customers. So that's a Kron scale. From that amount we were able to save more than five billions of payment mistakes. Mistakes not even intentional. Yeah. And 1 billion of payment fold are okay. So there is a lot of other benefit to our customers as well. So that's one one aspect.
And the other way one you know you just mention it, that, um, it's a good way to implement AI, right? Almost every organization we're speaking with, especially from the leadership today, and the board members start to speak and ask their leaders to implement more AI. And I really believe that AI can be very valuable to a lot of places, but you need to find the right use case to really make the difference. And I completely agree with you. I think this is one of the best use cases to give the organization very valuable technology that can really help them to impact the bottom line of the business.

I mean, that's a great summary. I don't know what much more I can say on that. I, uh, if someone was interested then and Trustmi, Trustmi with an I am I ai uh, obviously that's your website. What what what would you have them start? What should be their learning path here?

So, look, I think that we all need to understand that existing controller relying on manual work and a lot of processes Well in the area that AI can really improve it. So I'm just going to say choose the right path, protect something that really make a difference, and we will be more than happy to explain you much more how we do and what we are doing in our website. And just book a demo, whatever you want to do. But at the end of the day, we built this company to really make a difference, and there was nothing more meaningful like from really keep your money where it needs to go and allow your company go as, as needed.

Yeah, just I again, I don't know how to summarize that better check out Trustmi AI folks, uh, you all have a payment system. You all are getting invoices and making payments. If you're any company of any size, uh, and you should be protecting that to the best of your ability. So, uh, check it out. Thank you for being here today.

Thank you. Mike.

All right. Take care folks.

In this inBrief episode, Mike Matchett of Small World Big Data sits down with Trustmi CEO Shai Gabay to discuss the growing risks around B2B payment fraud and how AI is being applied to prevent financial losses at scale.

With threat actors increasingly using generative AI to manipulate B2B payment workflows - from spoofed emails to deepfake phone calls - Trustmi delivers a full-stack platform that protects the entire payment journey.

Learn how behavioral AI, fast deployment, and real-time payment validation are helping organizations secure billions in transactions without disrupting operations.

Categories:
  • » Small World Big Data
  • » Cybersecurity Webinars » Data Security
  • » Cybersecurity Webinars » Identity & Access Management (IAM)