Securing the Human Element with Trustmi

Wire fraud and payment security remain persistent challenges for organizations, with the FBI reporting a 33% increase in BEC losses between 2023 and 2024. The complexity of B2B payment processes creates multiple attack vectors that traditional email security solutions can’t fully address.

In this episode, Shai Gabay, co-founder and CEO of Trustmi, explains how their platform connects the dots across the entire payment ecosystem to prevent fraud before money leaves the organization. By integrating with existing payment workflows and leveraging AI to build behavioral baselines, Trustmi aims to eliminate the manual controls and siloed systems that make B2B payments vulnerable to attack. Joining him are Bethany De Lude, CISO Emeritus, and Adam Glick, CISO at PSG Equity.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Trustmi

Eliminate socially engineered fraud with Trustmi’s Behavioral AI platform. Empower IT and finance teams to detect BEC, vendor impersonation, and payment errors in real time—protecting your business and bottom line. Learn more at trustmi.ai.

Full Transcript

[Voiceover] Connecting security solutions with security leaders. Security You Should Know starts now.

[Rich Stroffolino] Welcome to Security You Should Know. Today, we’re talking about Trustmi and what they’re doing in B2B payment security. Now, the problem they’re addressing is seemingly an eternal one. It’s that humans are our weakest link. Helping us get to some of these questions are Bethany De Lude, CISO emeritus, and Adam Glick, CISO over at PSG Equity. So Bethany, let’s start with you. We’ve known humans are the weakest link since, I don’t know, Adam and Eve, Cain and Abel. You take your pick. Why are we still having a problem with it?

[Bethany De Lude] Yeah, I think it comes down to, Rich, it’s the profit motive. As they say, the love of money is the root of all evil. Look no further than the most recent FBI IC3 report. And it turns out that that love of money by largely evil people increased 33% between 2023 and 2024. So we need to continue to upskill in ways to make this profit motive not so profitable.

[Rich Stroffolino] And Adam, from your perspective, why are we still struggling with this?

[Adam Glick] Yeah, I mean, I think humans remain the most difficult variable to control or predict. Despite the advances in technology, human error, behavior, psychology, these things still continue to drive a lot of the breaches and incidents. Humans remain that major cyber security issue because they introduce risk through error, oversight, emotion. We continually see attackers exploit that. They’re exploiting trust and urgency and routine behaviors. And you got to click this right away or else we’re going to fine you a million dollars. You got to do this or we’re going to come and kidnap your dog. And I think while people are still susceptible to that, still going to be utilized as a method of attack.

[Rich Stroffolino] Well, today we’re going to be talking with Shai Gabay, co-founder and CEO over at Trustmi. Now, to start up, before we kind of get into the Q&A here, we need to answer three essential questions, help get our footing here. So, Shai, how do I explain the value of your solution to my CEO? How do we get that buy in? What does your solution do? And maybe what are its limits? What does it not do? And what is the pricing model? Can you help us out with these preliminaries?

[Shai Gabay] Sure. So first I’ll talk to what Bethany mentioned. At the end of the day, profit, it’s all the game. Cyber criminals, since the beginning, they always were motivated by profit. When they realized that the easiest route is going after the finance people that have access to the funds, that’s what they’re doing. So basically to explain it to your CEO, the best explanation will be we’re protecting the bottom line of your business. We’re making sure that your payments go to the right place at the right time and the right amount, basically eliminating payment fraud and human errors as part of that process. Now, we’re in the area of payments. So obviously a license won’t be based on seats or anything like that. It’s based on volume, amount of transactions, and the total span of loss.

[Rich Stroffolino] All right. Well, we’ve gotten a taste. We’ve gotten those preliminaries. Thank you so much for those, Shai, but I’m sure we have a lot of questions from our panelists. So, Adam, let’s start with you. What other questions do you have about Trustmi?

[Adam Glick] Yeah, I’d love to learn a little bit more about implementation here. When I think about traditionally what I’ve done from a CISO standpoint and how I’ve worked with my CFO counterparts, how does a solution like this fit into the ecosystem? How does it integrate with my existing processes, my existing technology, and all the things that are traditionally outside of IT’s control?

[Shai Gabay] So, firstly, it’s a good question. And I think that I would answer it first by explaining the problem as we see it, what we believe is the root cause, and then I’ll explain how we integrate to that part, okay? So the reason that B2B payment becomes so attractive for the cyber criminals, it’s not only because of the profit. It’s also the complexity.

Think for a second about how payment evolved in the last few years on the personal side. Everything becomes super easy, fast and secure. Take your phone and that’s it. But when you go to your corporate office and you want to pay for an invoice, that’s not the same level of experience. It’s a very complex process because first it involves a lot of different people inside and outside of the organization. Most of the communication is going to be based on emails, and obviously you have email security and so on, but that’s not really solving the problem. But then on the finance side, you have different systems involved. You have both humans, supplier portals, ERPs, the payment itself. Each one of them will be siloed, and on top of that, your finance personnel basically will have different manual controls to try to address those types of problems.

So at the end of the day, it’s a very comprehensive process, each part of the organization doing their one thing, but no one connecting the dots. And that’s exactly what Trustmi does. We’re looking on the end to end and leveraging those different data points to basically protect your organization.

[Bethany De Lude] So kind of to pick up on what Adam said, I want to drill into this. Let me take it from a scenarios perspective. So when I think of the different scenarios that lead to a financial loss, it could be a business email compromise. It could be an executive impersonation. It could be poor processes like someone used information in the email to do the verification rather than going to an authoritative data store. So how does your product address these different commonplace fraud scenarios?

[Shai Gabay] So it’s going back to the same area, meaning at the end of the day, it’s a classic people, process, technology problem, okay? And what usually happens in those types of fraud cases, the attacker will compromise those types of processes. That can be by compromising your supplier, that can be by impersonating your CFO or the CEO of the company, or it can be just an ERP attack, someone changed your bank details without any knowledge about it.

So our approach is basically we’re looking on the end to end, we’re building a baseline, we’re leveraging AI to build a baseline, and making sure that when you’re doing those types of payments, before it’s going out the door, we’re correlating everything that we’ve seen to a very simple risk score. So basically allowing the finance and security team to enable those types of controls in a very simple view.

[Bethany De Lude] So when something is flagged, who does the actual reviewing of the flag transaction? And does Trustmi provide a rationale? We flagged this because of X.

[Shai Gabay] Yeah. So I think that one of the things… by the way, my experience is ex-CISO as well and offensive. And coming from those perspectives, when we founded the company, we wanted to create a solution that’s going to be first effective, meaning I want to be able to block the attack or the mistake before the money is leaving the organization because after the fact, it’s very hard to recover. And on the same token, not changing the way that you do your business because if there’s one thing that people don’t like to do, it is to change their processes.

So we inject ourselves into their process. So think about, at the end of the day, when an organization is doing payments, they do it in payment cycles. It can be daily, weekly, monthly, whatever the frequency is; we inject also into that process. So basically, when the AP team runs their payment cycle, we’re part of that process. And that’s what makes us very unique because we are not changing that way and we’re very effective at being able to block those types of mistakes and so on. More to that, basically, when we do what we do, we’re very effective because we’re looking on a very wide range of data sets and super accurate. Till today, only last year, we processed around $200 billion for our current customers. We were able to prevent more than $5 billion of payment mistakes and human errors and more than $700 million fraud with zero false positives because of that approach.

[Adam Glick] Could you maybe walk me through that? I mean, I’m interested. I’m hearing a lot about theoretically how this works, but I’m not sure if you have a real world example or some sort of case study or something. I’d love to just kind of tell me in real world practicality what this thing looks like, how my team would respond to it. Any of that stuff would be great for me to hear.

[Shai Gabay] Sure. So let’s take a classic BEC scenario, supply chain attack. That’s the most common example. So I’ll give you one for one of our customers, a Fortune 500 organization that basically what happened is that those specific cyber-criminal groups targeted them. So part of what they did, they learned what the existing controls are. They used a different mechanism when they compromised their suppliers to compromise those controls. Most of the controls are usually manual controls around callback procedures, bank account validation and penny drop tests. Those are the main controls that exist today in most of the organizations.

So what the attacker did, they first compromised the supplier. They built an attack infrastructure to impersonate the supplier. They have the full context. But once they compromised the supplier, they went to their finance people, stole different documents that they used in the past to open their bank account. Now, they used that to pass the KYC of the bank, and they opened a legitimate account with the same beneficiary, just a different location. So they have everything they need from an infrastructure perspective to execute the attack. So although it started in the email, later on they asked to change the contact details.

By the way, again, everyone is concerned about changing the bank account. What about the contact details? Is that the same level of suspicious? In most cases, no. So basically, they were able to game the entire process, pass the callback procedure, do verification with the bank account with the penny drop test and complete that process. But we’ve seen all of that and we were in the payment cycle process to be able to block it, although it started in email.

[Adam Glick] I have a quick one. Is there any sort of warranty or guarantee here? I’d love to put in a solution like this, but is there anything that says like, “Hey, if you have wire fraud, you’re going to cover it?” Is there you put in your mouth where your money is on this one, or your money where your mouth is, so to speak?

[Shai Gabay] So right now, we are not offering those types of guarantees yet, but that’s something that we’re working on as part of our roadmap. But I can tell you for sure that part of what we are doing with our customers, we’re a big believer that the technology is working. And that’s why usually when we speak with a CISO like yourself, we’ll propose to you: let’s do a one-week challenge that will allow us to show you that we are able to do what we are doing. Basically, our AI model is trained based on your history. So in that one-week challenge, we’re doing a stock analysis, showing you what already happened. And that’s basically doing two things. First, building the ROI story. If we can prevent X amount of money that you already lost in the last two years, it will be easy to build a business case. But second, if I am able to detect past incidents without any knowledge about that, it’s also showing you that it’s really working.

[Bethany De Lude] Since you mentioned the most famous, I think, two vowels in 2025 or 2024 being AI, I’d like to kind of dip into that a bit. What type of behavioral anomalies are you looking for to trigger an alert or to signal, in the example that you gave, that an attacker had built an infrastructure for fraudulent payment?

[Shai Gabay] So again, it’s going back to the connecting the dots. It’s not one area. It’s really connecting the entire picture. So you can see the email, something maybe happened there like a similar domain or the signature looks different. There are a lot of different parameters that we’re looking on in the communication flow. But then you can look on the files itself. A lot of the time what the attackers are doing in order to compromise the existing controls, they will tamper with different documents and provide fake documents.

So we are able to detect those types of documents that are tampered, but same with the payment itself. One thing that we are doing, we have a trust network. Basically, it’s like a crowdsourcing platform that we can leverage different data sets where everything is anonymized, and we can know, for example, if this bank account is legit, but not only that, we’ve seen it from other customers who we say this is legit or not based on the crowdsource. So it’s different things that we’re connecting together, but at the end of the day, it’s the process itself.

[Adam Glick] So I’m interested in that, right? You mentioned the different things, disparate data sets. What does deployment look like? Is this just turn this thing on and connect a bunch of APIs? Can I enhance it with internal data that I have or other threat intelligence? I mean, is this thing a black box? Maybe help me understand that a little bit more.

[Shai Gabay] Yeah, sure. So first, the first thing that we thought about building a company was about how we can make it very efficient in deployment, especially with finance people. That’s been through technology. It’s very bad. These deployments take forever and cost a lot of money. So we are very easy to deploy. Usually our deployment end to end is two weeks, and it’s basically one week training, one week deployment. Most of that is based on APIs, obviously. And your point about the data sets and so on, it’s not a black box because it’s a behavioral model where we basically connect to the different systems that you have. We learn the process that you already have and we leverage that. More to that, when we provide you a verdict like the green, yellow or red, you know exactly what was the reason behind it. I’m a big believer that in today’s world, it cannot be a black box, okay? People need to understand why you say what you’re saying and provide all this data in a very simple way.

[Bethany De Lude] Well, tying back to something Adam said, it really comes down to like ROI. He took it from the “would you insure that there isn’t transaction fraud in certain areas,” but taking a view from a slightly different perspective, different companies have different tolerances for fraud losses, so they might know in 2023, we lost this much, 2024, this much. Looking at your clients, are folks able to show the year we used your product we saw a decrease of X percent in fraud loss? Don’t know what the magic sauce was, but it sounds like Trustmi was part of it.

[Shai Gabay] Yeah, so I’m going to say that in most of the companies that we’ve seen, they’re not really tracking fraud losses on the B2B side, mostly on the B2C side. I think that there is awareness that needs to be happening there. But to your point, we’re totally driven by ROI, and most of our customers today see between 10 to 15X return on investment each year.

[Rich Stroffolino] All right, well, Shai, what’s one thing we didn’t ask about that we need to know?

[Shai Gabay] So, look, the reason that I went after this specific problem, again, as a CISO, I was a lot of the time an expense center. And I can guess that you resonate with that as well. And I wanted to do something that I would be able to do, show real ROI, but not speaking about ROI, to show real dollars that I can save the business. And I think this is the one area that has become a very big problem, and you mentioned gen AI, it only supercharged this area. And this is a great opportunity for CISOs first to connect to the business, to be able to solve a real problem that they will be able to show ROI to the organization, but also to solve the problem for the CFO.

[Rich Stroffolino] Well, that’s just about it for this episode of Security You Should Know. To learn more, head on over to trustmi.ai. If you have any feedback on the show, be sure to send it to feedback@CISOSeries.com. A huge thank you to Bethany De Lude and Adam Glick for helping us learn more about Trustmi. And thank you so much, Shai Gabay, from Trustmi for your time and being game to answer all of these questions. And thank you for listening to Security You Should Know.

[Voiceover] That wraps up another episode of Security You Should Know. If you like this program, please subscribe, tell your friends, and leave us a review. All companies showcased on this program are sponsors of CISO Series. If your company would like to be spotlighted and interviewed by our security leaders, go to our contact page on CISOSeries.com, or just email us at info@CISOSeries.com. Thank you for listening to Security You Should Know, connecting security solutions with security leaders.

Rich Stroffolino
Rich Stroffolino is a podcaster, editor, and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.