The Founder Fighting Back: How Allure Security Is Breaking the Business Model of Online Fraud

Allure Security founder Josh Shaul shares how his team is using deception to dismantle online fraud, why trust and brand protection belong at the core of cybersecurity, and how breaking the attackers’ business model might be the only way to win the long game.

Written By: supervisor


The following interview is a conversation we had with Josh Shaul, CEO of Allure Security, on our podcast Category Visionaries. You can view the full episode here: $6 Million Raised to Help Businesses Win the Battle Against Online Scammers

Brett
Welcome to Category Visionaries, the show dedicated to exploring exciting visions for the future from the founders who are on the front lines building it. In each episode, we’ll speak with a visionary Founder who’s building a new category or reimagining an existing one. We’ll learn about the problem they solve, how their technology works, and unpack their vision for the future. I’m your host, Brett Stepper, CEO of Front Lines Media. Now let’s dive right into today’s episode. Hey, everyone, and thanks for listening. Today I’m speaking with Josh Shaul, CEO of Allure Security, a cybersecurity startup that’s raised 19 million in funding. Josh, thanks for chatting with me today. 


Josh Shaul
Million in funding. Wow. I wish we had raised 19 million in funding. Good to meet you. 


Brett
Is that not the correct total? 


Josh Shaul
Not at all. 


Brett
What’s the total funding we have? 


Josh Shaul
Relevantly? Raised about $6 million in funding. 


Brett
Oh, got it. Interesting. CrunchBase has you guys at 19 million. 


Josh Shaul
CrunchBase, that’s interesting. This company’s got a history that is maybe different from some other companies, tried some things, stopped doing them, just didn’t go out of business. 


Brett
Got it. All right, well, let’s jump in. So before we start talking about the company, can you share a quick summary of who you are and a bit more about your background?


Josh Shaul
Sure. So, career cybersecurity person. I spent my whole life honestly just fascinated by computer security and how computer security can be bypassed, even to the point when I was like a teenager, I was the teenage hacker in my parents’ bedroom where the police were, like, knocking on the door, telling me to cut it out. So that’s where I kind of got started and just got focused in cybersecurity from early on. And I’ve always focused there. Spent a bunch of time helping organizations to figure out how to protect themselves and their communications and then how to protect their websites and their customers from various different types of thefts and scams.


Josh Shaul
And for the last couple of years, I’ve been really focused on fraud and on preventing fraud on the Internet and preventing people from becoming the victims of fraud and companies from being tied up in fraud with their customers and partners and whatnot. It’s a fun place to operate. It gives me the opportunity to constantly engage in what feels like an ongoing chess match with the folks on the other side that are dedicated to making the fraud happen. 


Brett
Nice. And just to go back there a little bit. So what was it about cybersecurity that initially drew you in, do you think? 


Josh Shaul
I think I’m the type of person that just has never been able to walk into a room without figuring out how to steal everything from that room. And I was just growing up at the right time where sort of computers and the Internet and those things were just being born as I was at the right age to become involved there. So I think I was just inexorably drawn to it. Electronics were coming out when I was a kid and I was the kid that was, like, tearing apart the electronics that my parents got me as a gift and just sort of went on from there. So I think I’ve just always been attracted to tearing stuff apart. 


Josh Shaul
And the computer security world has given me an opportunity to do that and sort of have a playground where I could push buttons and pull wires and try different things and do that in a way that’s relatively safe from blowing yourself up and like, getting thrown in jail. 


Brett
And how have you seen cybersecurity as a field evolve then?


Josh Shaul
Over these last years, it’s changed so dramatically, even though our mission hasn’t changed, like, one iota, but the tactics and the techniques and the level of sophistication of the attackers on the other side has just evolved nonstop since I’ve gotten into the industry in the beginning. And so we’ve just seen this constant evolution of new attacks and new defenses and new attacks and new defenses. And it’s all about always and always will be about the same kind of things. Generally, it’s about money. And folks are out there trying to make money, we’re trying to make money running the cybersecurity business here at Allure Security. And there’s other folks who are on the sort of on the hacker fraudster side that are trying to make money running their own business, albeit illegal on that side.


Josh Shaul
It’s been amazing to see the innovation and techniques and it’s also stunning to see how every change in the business landscape, every new technology, every new consumer trend also turns into a new security trend. Like the explosion of cryptocurrency turned into an explosion of crypto security related issues. It never gets boring. 


Brett
Nice. Yeah, that makes sense. And just so we can understand what makes you tick as a leader, what book has had the greatest impact on you as a CEO? 


Josh Shaul
There’s a couple that just jumped to mind for me. The book Mindset by Carol Dweck. Seminal in my life. I’ve been trying to get my children to read it since like early preteen age. I just think it’s just so impactful and I know a lot of folks have that on their bookshelf. The Talent Code by Daniel Coyle, another one of my absolute favorites that just kind of lays out how people become talented. And then the sort of pair to that is Daniel Coyle’s Leadership Code. Both just taught me so much. And then the last one that I’ll mention is David Rock’s Your Brain at Work, a little bit more into the physiological, how does your brain work kind of side. But I found it to be tremendously impactful for my ability to work and to get high performance out of other people around me.


Brett
Nice. That third one I haven’t read yet, so adding that to my list now. 


Josh Shaul
Yeah, definitely. Check it out. Perfect. 


Brett
And now, let’s talk about Allure Security and what’s going on there. So at a high level, what problem are you solving and then how does the solution actually solve it? 


Josh Shaul
So Allure Security is trying to solve basically the oldest security problem on the Internet, which are scams. We’ve all experienced them in our lives. We all experience them almost every day in our lives. You get a text message or an email or a phone call that tells you that your package isn’t going to be delivered, but you have no package coming, or that there’s fraud on your account, but you don’t even bank with the bank that’s telling you that there’s fraud on your account. Those kind of scams have exploded over the last several years. 


Josh Shaul
And what they do is leverage a brand that the general public knows and trusts in order to scam the general public out of their data, which is then used to pull their money away from them, whether it’s stealing money from their credit card or directly out of their bank account, or so on and so forth. What Allure Security does is we work for enterprises and we help them to prevent their brands from being used to scam their customers and the general public. So we go out and we find these scams that use our customers’ branding. Then we shut them down in a way that prevents folks from actually running into the scams, giving up their data, and then the downstream impacts of fraud, customer satisfaction, and lost revenue on the businesses whose brands are being abused.


Josh Shaul
So we call ourselves an online brand protection and fraud prevention vendor. 


Brett
Got it. Is that the market category that you’re in then, or what category would someone like Gartner place you in? 


Josh Shaul
I think we’re sort of pioneering this category as a headline of its own. Gartner talks about online brand protection under the headline of Digital Risk Protection Services, which lives under the headline of threat intelligence. When I think about those things, I think the order is flipped. When you talk to any corporate CEO out there about threat intelligence, they probably look at you a little confused. Like, I’m not sure what threat intelligence really means. If you ask them more deeply about digital risk protection services and the dark web, they probably wouldn’t understand that very well either. But I don’t think there’s a single CEO out there of a single major business that doesn’t understand protecting their brand and protecting their brand online. And so I really see that in the future emerging as the headline.


Josh Shaul
But today, again, brand protection under digital risk protection under threat intelligence. 


Brett
Got it. And then what are you guys actually doing then? Are you hunting on social media for fake profiles, hunting for domains? What does that actually look like? 


Josh Shaul
Hunting is a great word. So we’re out there hunting around on the internet looking for online impersonations, and sometimes those impersonations take the form of a website that’s pretending to be a fashion brand or a bank. Sometimes those impersonations take the form of a social media profile that’s pretending to be an influencer or a brand. Sometimes they take the form of a mobile app. It’s like hey, download my banking mobile app or download this, stream my content for free instead of paying version of the mobile app. And sometimes they’re digital advertisements where somebody’s popping up an ad pretending to be somebody else and that ad doesn’t do at all what you think the ad is going to do for you and doesn’t get you to the place where you think it’s going to go.


Josh Shaul
So we’re hunting all of those things down and when we find those things we are then acting to eliminate them. And so we’ve got a network of partnerships with operating system vendors, browser vendors, security companies who we let know right away when we find these scams so that they can protect their customers and their users from being scammed. We work with the core of the internet providers to get these scams permanently removed from the internet. And while we’re doing all that, we like to mess with the attackers. So if somebody wants usernames and passwords, if somebody wants credit cards, our software knows how to generate those things and give them to the attacker. So we fill their bucket with data. Data that looks like what they want, data that feels like what they want. But brother, it’s not the data that they want. 


Josh Shaul
And the idea there is we just want to make their life miserable. We want to break the business model, we want to make it more expensive by far to attack a client that’s protected by Allure Security than to attack a brand that’s not.


Brett
Nice. I love that. So a real world example from my life that I’ve had to deal with now for probably the last eight years. So there’s a company I won’t name but they’re in the bitcoin mining space, they’ve been around for a long time, they’ve raised about a half a billion dollars so they’re a target. And every day we get complaints sent to us that there’s impersonators on social media. Sometimes they’re just seeking investment but we even have them pretending to be the CEO, offering job opportunities, all these different things that are essentially fraud against the company. And we have a process that we follow where we go and report these profiles to Facebook, to LinkedIn, to Twitter and absolutely nothing happens. They rarely ever get taken down and even if they do get taken down they just pop right back up again.


Brett
So how are you able to get the social media companies to actually respond and engage and take down these types of profiles and then how do you avoid it from just popping back up again? 


Josh Shaul
Yes, there’s a couple of pieces to that. First off is finding it and finding it requires some at scale detection where we’re constantly scanning and hunting for these sites with software that allows us to find the sites, the profiles, the pages, almost as they’re being constructed very early in the lifecycle. So I know it’s sort of the last part of your question, but you can’t stop them from popping up again. The key is finding them as soon as they pop up so that you can do something about it. That kind of takes me back to the beginning of your question, how do you do something about it? Because the first time we reported things to Twitter and to Facebook and to LinkedIn and to some of the others, we didn’t get any responses either and we didn’t have any luck. 


Josh Shaul
But we learned over time that first off, these companies have they all have abuse policies, they all have reporting systems. And those reporting systems are often disjointed and very complex. And if you don’t use them exactly correctly for the right circumstance, then you get ignored. So if you’re reporting, for example, a copyright issue to something that’s interested in trademark issues, you’re not going to get any satisfaction. If you’re reporting fraud to someone who’s looking for trademark, you’re not going to get any satisfaction. So we learned how to just work the system the way that the system wants to be worked, even though there’s no real documentation for doing that. And then what you find over time is that you still don’t get that greater responsiveness when you’re just following the process the way it was designed to be followed. 


Josh Shaul
And the only way we found to deal with that was to build relationships, was to actually find the people in these organizations that are responsible for the programs that deal with abuse, to build relationships with them, to establish a reputation where we proved ourselves over hundreds and hundreds of submissions that our submissions were supremely high quality. And between the relationship and the trust, you can start to get much better results and responsiveness. The last piece, Brett, is you have to understand also when the platforms won’t take action, and they won’t take action unless there’s a violation of their acceptable use policy. And those acceptable use policies once again, are nuanced and somewhat complex. So for example, I couldn’t set up a social media profile that pretended to be like some well known bank and purported to be that bank in all ways.


Josh Shaul
Social media company would take that down and say, you’re a fake bank. But if I created the same exact profile with that same profile that I created, I call myself a fan. They would never take it down because that’s an acceptable use. It’s allowed. And what the result of that is, really, is that you got to monitor those accounts and then you got to wait for them to do something that is violating and deal with it at that time. So that’s kind of the approach that we take. We’re kind of waiting for a violation to occur, and then we’ll deal with it as soon as we actually are going to get some results. 


Brett
Got it. That makes a lot of sense. And then in terms of the Whack A Mole problem, are you eventually collecting enough data to say, hey, here’s a pattern of clearly, it’s like a group that keeps doing this over and over again, and then eventually you pass that off to law enforcement, or what does that look like? 


Josh Shaul
So we find a lot of patterns in what we’re doing and often can associate activities to not necessarily named groups or anything like that, but clearly patterns of activity, and we use that to help facilitate our takedowns and to help facilitate our response process. Once in a while, our clients want to engage with law enforcement directly, and they’ll ask us for assistance with that and provide assistance. But we understand our role out there is we’re not in the business of running down and chasing bad guys and then giving law enforcement tips so that they can do what they want to do with them. We’re really in the business of helping our customers to protect their brands. And when those brands feel like the only way to protect themselves is to put the fraudsters in jail that are targeting those brands, we help them. 


Josh Shaul
But honestly, it’s kind of rare. Most brands don’t think that way. They just think of like, I just got to get them to target somebody else. 


Brett
Got it. That makes sense. Yeah. The only way I would think about it is if they wanted to set an example maybe of, here’s what happens when you mess with Chase Bank. So that was my line of thinking there. 


Josh Shaul
I think a lot of folks are afraid of if you set that example, somebody might turn around and set the opposite example against you. There’s a lot of fear of we’re dealing with criminals out there, criminals that are often in jurisdictions where you’re not going to be able to prosecute them, and if you really poke them hard, they may come back and retaliate. And I think that fear is not well placed. 


Brett
Yeah. Because in countries like Russia, isn’t it correct that it’s not illegal for them to hack outside of Russia? I don’t know if that’s 100% accurate, but I think I’ve read something along those lines, and maybe that’s the case in other countries as well. 


Josh Shaul
I don’t think it’s a legal illegal issue. In general, it’s illegal, but countries often look at, hey, the Russia example is a good one. If we’re able to bring Western dollars into Mother Russia’s economy, then that must be good. Well, I think is the way it’s viewed. So the same law is being broken. Whether you’re targeting a Russian company, you’re targeting, like, an American company, but the response to that is dramatically. 


Brett
Got it. That makes sense. And then where are you seeing the most market adoption. Right now. I know you mentioned enterprise, but are there any specific industry verticals that you’re really seeing gain the most traction? 


Josh Shaul
Yeah, for us the primary vertical where we’re seeing the most traction is in financial services, banks, credit unions, broker dealers, and even in the crypto space. We also see quite a bit of traction in ecommerce. Fashion brands are really heavily targeted by impersonation attacks where folks are selling, they’re pretending to sell those fashion brands’ products, but really they’re just stealing your credit card. There’s been a lot of growth for us in that market as well.


Brett
Interesting. One thing I was talking with someone about the other day. They were saying how maybe 20 years ago these hackers were just kind of individual dudes with their hoods up, sitting in their basement, hacking away. And now it’s really grown into this ecosystem. And they really run these things like businesses, and it’s like a real business, but their business is just criminal activity as opposed to adding value to society. Is that what you’re seeing as well? Are these like real operations that are run just like a normal business with. 


Josh Shaul
A full supply chain and everything? So you’ve got criminals all the way up the stack from people that are building tools to help you host a scam website to people that are helping you get traffic into your scam website. They all operate as a supply chain just like any other industry would. These folks are purely profit driven. There are still hackers out there that are the hacker that’s doing it for notoriety, or the one who’s doing it for some kind of activist cause, but they are the minority by an extreme. The vast majority of the activity here is organized crime.


Brett
Got it. That’s crazy. 


Josh Shaul
Yeah. 


Brett
I think the article I read a while ago is saying how some of these ransomware groups have better customer support than a lot of Fortune 500 companies in America, which I thought was pretty funny. 


Josh Shaul
Oh, totally. It’s like a lot of these toolkits that you’ll buy to host like a phishing website, they come with 24x7 customer support.


Brett
That’s so crazy. All right, well, let’s talk about traction. So in terms of traction, are there any numbers that you’re okay with sharing? 


Josh Shaul
We’re a small series seed funded company and we’re seeing great traction. We’re just about to go out and raise a series A. We’ve got the sort of typical early series A metrics that you’d expect to see with the startup growing really rapidly, growing about 10% compound monthly growth rate right now, which is really exciting for us. 


Brett
Nice. That’s really cool. And as you’ve taken this idea to market, which you know is not easy to do, what would you say has been the greatest challenge you’ve had to overcome? 


Josh Shaul
The toughest thing for us has been that this problem has been around forever. 27 years ago, people were sending out scams targeting America Online usernames and passwords. And because the problem has been around since the Internet has been around, there’s a tremendous amount of disbelief that the problem is even solvable. And that’s the challenge for us. We go out to organizations, they recognize that this is a problem for them. They recognize that they have tremendous value in solving the problem. And then they look at us and like, well, we tried three different things already. Never come close to solving the problem. Why should I believe that your magic is the magic that’s going to solve it for us? And as a startup, that’s very challenging because you’ve got the great story, you’ve got the great vision, but you don’t have the proof points yet.


Josh Shaul
We’re now to the point where we have the proof points and we have a dozen or so publicly referenceable customers that will go out and say, you can believe that they’re going to do this for you because you can look at the results that they’re delivering for us. And that’s made it a lot easier for us as putting our customers in front of our prospects, but getting those first few prospects to believe that you really could solve this problem and that all the bad money that they’d thrown at this problem in the past, you could actually throw some good money at the problem and make a difference. And I think that’s been the real hard thing for us and something that I just didn’t anticipate. 


Josh Shaul
I thought we would come out with like, here’s the solution to the problem we’ve all dealt with for all these years, and then market would embrace that. But it was really different from that. It was a lot of skepticism of like, I’ve heard that story too many times of solving that problem and I’m just not sure I’m going to believe anybody can. 


Brett
I feel like that’s probably the case across a lot of industries, right? Every market category you can think of. I feel like there’s just been so much hype over the past five or six years with all these venture backed startups making these bold claims that I can see from a buyer perspective, it’s probably very hard to know what you can trust and what’s just VC backed BS and hype. 


Josh Shaul
It really is tough, I think, for buyers to cut through it. And it’s particularly in the security industry. I remember not long ago I was a buyer in the security industry running a very large business and going to security conferences to shop around for like, what companies can we acquire and add to the portfolio. And the amount of noise, the amount of confusion with thousands of vendors operating in one space is mind boggling. It’s head spinning. I can imagine how tough it is to be on that side, on the entrepreneur side. You’ve got your hands wrapped around this problem that you know is exciting, you know, is impactful, and it’s hard to wrap your head around that, the skepticism you might see in the market, that, oh, hey, that’s really solvable. But then I think it becomes a slippery slope. 


Josh Shaul
Folks start to believe it’s solvable, and then all of a sudden, they start running to solve it because there is that understanding of the real pain and business problem that’s out there, and the value of solving it totally makes sense. 


Brett
I went to Black Hat for the first time this year. My first time going and walking around. It was just so funny. Everyone was saying basically the same thing. It was next generation this, reimagining this and that. It was all the same exact messaging, and everyone was kind of making the same promise, which I just thought was funny.


Josh Shaul
Yeah. Next generation threat detection. What does that even mean? I can’t tell what your company does. I had a lot of trouble with that. If I can’t tell what your company does by looking at the sign, it’s not enough time to even you could see it at Black Hat.


Brett
Right. 


Josh Shaul
You can’t even go around and talk to every booth to find out what is it that you really do. It’s definitely challenging the market. That and the number of folks that will say things like, we stop all ransomware, and then when you dig in a little deeper, they’re like, well, we stop all ransomware if and when it comes in this direction and this angle. And that ends up causing a lot of skepticism in the market because there are so many partial solutions, so many corner cases, so many if when only if kind of circumstances that we see out there in security. 


Brett
Isn’t that one of the things that really frustrates CSOs and security decision makers in general is like, that promise of absolutely eliminating a problem that’s I guess, what I’ve read online, but it sounds like is that essentially what you guys are doing? Do you promise to eliminate the problem or are you promising to dramatically reduce the problem? 


Josh Shaul
You just can’t stop people from putting things on the Internet, so the ability to completely eliminate the problem just isn’t there. What we’ve done here is done everything that we can do to try to find these things early, stop them as early as we can so that we stop people from getting scammed. And then by going back and injecting that fake data into the scams that are actually up and running to try to give us an opportunity to kind of erase any value that a scammer could get. But even with all those tools, we can’t promise that no single customer, member, visitor will ever get scammed. What we can do, though, is promise that we can dramatically reduce the impact of scams on a business to the point that those scams aren’t having a meaningful business impact. 


Josh Shaul
And it’s tough to walk that fine line when you know there’s somebody standing next to you who makes bold claims that are fantasy at best and to work through the marketing landscape of hey, my primary competitor loves to tell the market things about what they can do that they can’t actually do. Should we go say the same thing? Do we need to do that to compete or do we need to behave differently and say what we can do and do what we say? It’s a tough road to navigate. I’m going to say what you do what you say kind of guy. But I swear I miss a lot of opportunity as a result of it. And I know if I took that opportunity down the road, I’d regret it. 


Josh Shaul
But sometimes those short term decisions of hey, we’re not going to take that business, hey, we’re not going to make that promise, hey, I know that the competitor is making that promise and they can’t deliver, but we’re not going to do the same thing. Sometimes that’s painful. 


Brett
Yeah, I imagine. But I bet in the long run that pays off too because eventually it probably comes up at some point. These vendors who are making these promises that they can’t deliver on, I feel like that has to get them covered eventually. 


Josh Shaul
The way that I live with myself when I say, hey, we’re not going to make those promises, is that I remind myself that somebody just made a promise they can’t deliver and they’re going to end up with an unhappy customer down the road who’s never going to want to do business with them again. And I’ll still be there as the one who is honest with them and hopefully that they’ll remember that.


Brett
Nice. I love that. And if we zoom out into the future, what’s the five year vision for Allure Security?


Josh Shaul
This problem of impersonation on the internet is a broad problem. It’s not just setting up a fake website to steal your username and your password or your credit card. There are sites that are selling fake products, counterfeit products that are just they look and feel like products that, you know, I think we can expand very quickly into being able to cover those kind of things and that spans across everything from fashion all the way to healthcare. And then when you see the big attacks that are targeting workforce recently there was a lot of news about attacks that were targeting Twilio and attacks that were targeting Okta infrastructure. When you look at those sort of attacks that are happening right now, those often rely on impersonation as well. It’s different from the brand impersonations that are targeting consumers, at least from a logical perspective. 


Josh Shaul
But from a technical perspective, impersonation is impersonation. We see an opportunity for us to grow beyond protect your customers, protect the market into protect your employees using this very different approach than what folks like the security awareness training companies take today or the email security companies take today, who frankly have failed us dramatically. A lot of money is spent on security awareness training. A lot of money is spent on email security. A lot of attacks are avoided because of security awareness training and email security, and yet we still have a massive tens of billions of dollars a year of security loss problems driven through the problems that email security and security awareness training are supposed to solve. So the products don’t work and they don’t do what they’re supposed to do. They just don’t solve the business problems.


Josh Shaul
And so we see huge opportunity for Allure Security to step up and be another component in that overall solution set that organizations are using to protect themselves against these attacks that result in compromise that start with, oh, that looks like a place where I should put my username and password. That looks like a thing that I should trust. The more we can put ourselves into that equation over the next several years, the larger we’ll be able to grow.


Brett
Nice. I love it. Unfortunately, that’s all we’re going to have time to cover for today. But before we wrap, if people want to follow along with your journey, where’s the best place for them to go? 


Josh Shaul
Best place is to come find us at alluresecurity.com. We have a great blog and put in a lot of great content there. Please come find us.


Brett
Sounds great. You have to give a shout out to your content marketing team. I was looking at some of the infographics you guys have put out. They’re really good. 


Josh Shaul
Thanks so much, Brett. 


Brett
All right, best of luck. Talk to you. Bye. 


Josh Shaul
Appreciate it.