How Attackers Weigh the Pros and Cons of BEC Techniques

Security researchers discuss attackers’ evolving methodologies in business email compromise and phishing campaigns.

RSA CONFERENCE 2021 – Business email compromise (BEC) and phishing attacks make up a big chunk of security issues plaguing today’s organizations, and they continue to prove a threat as attackers find new ways to blend into victims’ inboxes and manipulate them into sending funds.

In its “2020 Internet Crime Report,” the FBI Internet Crime Complaint Center (IC3) found Internet crime led to reported losses exceeding $4.2 billion. Of the 791,790 complaints received in 2020, 19,369 involved BEC and email account compromise (EAC) and caused $1.8 billion in losses.

“As the fraudsters have become more sophisticated, the BEC/EAC scheme has evolved in kind,” officials wrote in their report. 

In 2013, attackers often began these campaigns by breaching the email accounts of chief executive officers or chief financial officers and sending emails to request wire payments that were sent to fraudulent locations. Now BEC/EAC attackers breach personal email accounts, compromise vendor emails, request W-2 forms, and ask for gift cards.

The wire transfer is “an evolving staple” of BEC, said Crane Hassold, senior director of threat research at Agari, in a talk at this week’s virtual RSA Conference on the various forms BEC can take. Social engineering is “extremely effective,” he noted, BEC often has a higher return on investment than other attacks, and most defenses focus on more technical attacks.

Wire transfers have some notable pros for attackers: They can lead to much higher payouts, for one, and they lend themselves to more sophisticated pretexts designed to trick their victims.

As an example, Hassold described one BEC attack that appeared toward the end of 2020 in which the attacker used a capital call as pretext for requesting $42,080 from a target business. A capital call is a request made by a firm to receive money promised to it by an investor.

“We’ve seen these types of payments go upward of $1 million,” Hassold said, noting that investment-themed BEC attacks can usually demand higher amounts without seeming unusual.

In another recent BEC attack, the attacker impersonated a CEO during an acquisition. They emailed a member of the finance team, instructing them to contact a second attacker who was impersonating a legitimate attorney. Following this “handoff,” the target employee was asked to make sizable payments as part of the acquisition; the money was ultimately intended to go to the attackers.

“These are the types of sophisticated pretexts we see becoming more and more prevalent in the wire transfer/BEC space,” Hassold said. 

Scammers now spend more of their time creating emails that look legitimate. The added credibility lets them demand more money in wire transfers.

While the wire transfer technique has its benefits, it also comes with downsides. These attacks often have slower payouts and require transfers between money mules before funds get to the attackers. Most scammers don’t receive the money directly, Hassold noted, so they need intermediaries in the same location as their targets.

Counting BEC Cashout Methods
Payroll diversion is another BEC technique undergoing evolution as attackers seek new ways to be effective. These attacks involve an email to human resources requesting an update to an employee’s bank account used for direct deposit.

Here, an upside to attackers is delayed detection. Employees only get paid once every couple of weeks; if their direct deposit doesn’t come in, it’ll take some time before they realize something is wrong. Another benefit is the type of mule accounts they can use. Most accounts used in wire transfers are normal commercial checking accounts. In payroll diversion, researchers see more prepaid accounts being used to receive funds, which enables a faster laundering process.

These prepaid cards are a key factor driving BEC today, said Hassold, noting that apps like CashApp are also becoming integral to the BEC ecosystem because they are a primary way funds are moved out of the country.

“CashApp lets someone convert funds to cryptocurrency very quickly,” he noted.

There are also downsides to this technique. Employee salaries are unknown to attackers, so they don’t know the payout until an attack is complete. They also have a more limited range of targets, because they can only email someone on the company’s HR team.

Payroll diversion has, in many cases, eclipsed wire transfer as a percentage of BEC attacks, Hassold said, but it has fluctuated as companies implement protections. This tactic declined in early 2020 due to a change in the mule accounts attackers were using: the organization whose accounts were the primary destination for payroll diversion payments through 2019 put mitigations in place, forcing attackers to seek new ways to receive their funds.

The third most popular tactic for BEC is the gift card scam. More than half (57%) of all BEC attacks Agari saw in 2020 requested gift cards as a form of payment, he noted.

Unlike payroll diversion, gift card scams have a much larger pool of potential targets. 

“There’s a much larger population of potential employees that can be targeted in these attacks compared to other kinds of BEC attacks,” Hassold said of gift card scams. 

Another pro for attackers is that gift cards are nonreversible. Once received, they are quickly laundered.

But unlike wire transfers or payroll diversion, the payout is smaller. A successful gift card scam will net the attacker $1,000 to $1,500, Hassold said. They’re also less convincing to employees, who may be unlikely to purchase gift cards, snap pictures, and send them to attackers. 

“It has the potential to raise a lot of red flags as you go along,” Hassold noted.

What’s Next for BEC?
Scammers continue to think ahead and develop stealthier forms of attack, Hassold said.

He pointed to vendor email compromise as an example. In these attacks, the criminal sends a phishing email with the goal of capturing a victim’s credentials on a phishing website. With the credentials, they can log into the target inbox and forward themselves information about invoices, payments, and other financial details. With this, the attacker is equipped to send a fake invoice to the company, posing as a vendor and requesting money the company already expects to pay.

“A lot of BEC attacks we see in the news today are going to be these vendor email compromise attacks,” Hassold said.

Another upcoming tactic involves the aging report, or a financial report that lists outstanding payments due for a vendor or supplier. It contains data on payments overdue, points of contact for each customer, and other information. Some BEC attackers now request an aging report instead of a wire transfer because they can use it to send convincing payment requests.

“What the attackers will do is they’ll use all this information to send an email to all the customers on this list to send payments for outstanding balances,” Hassold explained. 

In January 2021, more than 10% of all BEC attacks were requesting an aging report, “so we can see this is becoming much more popular in the BEC sphere.”

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial …


How to Get Employees to Care About Security

Want a security awareness program that sticks? Make it fun and personal, and offer free lunch.

RSA CONFERENCE 2021 – If you’re a security leader looking to improve your organization’s defensive posture, ask your human resources chief to have coffee. It worked for Steve Luczynski.

Steve Luczynski, currently the lead for the COVID Task Force at the Cybersecurity and Infrastructure Security Agency, told the story of how a coffee talk led to markedly improved security awareness when he was a new CISO working for a previous employer — a company he refers to as “well-established” but with just OK security. There was still plenty of work to do.

“What wasn’t fully developed was a security program,” he says. “People didn’t understand their role and the importance they played.”

His mandate was to get an enhanced security program in place — and quickly. Luczynski soon began chatting with Valerie Utsey, currently chief human resources officer with T-Rex Solutions, and she suggested ways he could introduce culture into his program. While he had already made some security awareness changes, like monthly training instead of yearly, Utsey saw room for improvement.

“Many employees were still responding the same way they always do with something that takes time out of day-to-day duties,” she says. “I thought Steve might learn from my experience developing corporate culture.”

In their session at RSA, titled “Partnering with HR to Build a Culture of Cybersecurity,” Luczynski and Utsey laid out how they worked together to make security more personal and meaningful to employees. The goal was to move security training and awareness from a process to an embedded part of corporate culture daily — a task Utsey felt could be accomplished only through collaboration.

“He had a heavy, unsteady thing he was trying to move on his own,” she says. “Regardless of the size of company, look to people you can partner with to further your cause.”

Some of the new initiatives the two put in place included getting employees started with security right at the outset of onboarding. Rather than a forced, 60-minute security training video and test, Utsey started inviting Luczynski to speak to new hires in person at orientation. The two also started partnering on lunch-and-learn security events. While free lunch never hurts, Utsey says it’s the fun atmosphere and friendly competitions that keep employees engaged, interested, and motivated to learn.

The payoff was measurable. The company saw, for example, phishing click rates go from 30% to below 3% — and stayed there. Luczynski also notes he found employees were compliant about taking their training monthly and that repeat offenders — those employees who had clicked repeatedly on bad links in the past — improved and were no longer falling for phishing bait.

Employees Are Your Best Asset in Security
Another session in the Human Element track at this year’s RSA Conference echoes many of the lessons from Utsey and Luczynski. That is, security training needs to be frequent, personal, interesting, and engaging — and it takes time to accomplish all of those things in an awareness program. Great levels of awareness won’t happen overnight.

In “Leveraging Human Risk Data to Strengthen Cyber Resiliency,” speakers Masha Sedova, co-founder of Elevate Security, and Michelle Valdez, chief information security officer of OneMain Financial, discussed the transformation at OMF to a shift-left style of security awareness and an overall strategy that Valdez describes as “defending forward.”

“If you invest in educating your employees and taking time to teach them about good security decisions, you start to see a value add,” says Valdez. “We are now starting to spend more of our time on tuning and tooling so we can defend forward and less time cleaning up.”

Valdez says the way to defend forward is based on multiple components that aim to get in front of the chain of events that occur when an employee makes a poor security decision. They are:

  • Understand your human risk at an individual and organizational level. What good and bad security decisions are your employees making?
  • For areas of strength: Reinforce and spotlight good performance to create a positive security culture.
  • For areas of improvement: Give tailored guidance on what employees need to do better and why.
  • Adjust controls and security tools based on individual areas of risk.

“Take time to understand the risk employees are introducing to your environment, both at an individual level and a team level.”

Valdez says that with that information, security leaders can focus their efforts on rewarding good behavior and correcting bad behavior with targeted training. Targeted is the key word: the presentation also suggested gathering data that breaks down risky behavior by department and offering training specific to each team if needed.

Left unaddressed, employees will continue to be what the talk referred to as the “shifting sand” in security defense. When given personal and proper training, they can be the security team’s greatest asset in defense.

“This is one of the most critical areas for innovating in security today,” says Sedova.

While many security leaders may feel employees are the biggest risk to an organization, Valdez advises flipping that script around. “If you take the time to help them understand what their role is in helping to protect the company and how everything they do on a daily basis can make a difference, that can transform a company to have a strong, cyber-resilient workforce.”

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.


Everything Google announced at I/O today

This year’s I/O event from Google was heavy on the “we’re building something cool” and light on the “here’s something you can use or buy tomorrow.” But there were also some interesting surprises from the semi-live event held in and around the company’s Mountain View campus. Read on for all the interesting bits.

Android 12 gets a fresh new look and some quality of life features

We’ve known Android 12 was on its way for months, but today was our first real look at the next big change for the world’s most popular operating system. A new look, called Material You (yes), focuses on users, apps, and things like time of day or weather to change the UI’s colors and other aspects dynamically. Some security features like new camera and microphone use indicators are coming, as well as some “private compute core” features that use AI processes on your phone to customize replies and notifications. There’s a beta out today for the adventurous!

Wow, Android powers 3 billion devices now

Subhed says it all (but read more here). Up from 2 billion in 2017.

Smart Canvas smushes Docs, productivity, and video calls together

Millions of people and businesses use Google’s suite of productivity and collaboration tools, but the company felt it would be better if they weren’t so isolated. Now with Smart Canvas you can have a video call as you work on a shared doc together and bring in information and content from your Drive and elsewhere. Looks complicated, but potentially convenient.

AI conversations get more conversational with LaMDA

It’s a little too easy to stump AIs if you go off script, asking something in a way that to you seems normal but to the language model is totally incomprehensible. Google’s LaMDA is a new natural language processing technique that makes conversations with AI models more resilient to unusual or unexpected queries, making it more like a real person and less like a voice interface for a search function. They demonstrated it by showing conversations with anthropomorphized versions of Pluto and a paper airplane. And yes, it was exactly as weird as it sounds.

Google built a futuristic 3D video calling booth

One of the most surprising things at the keynote had to be Project Starline, a high-tech 3D video call setup that uses Google’s previous research and Lytro DNA to show realistic 3D avatars of people on both sides of the system. It’s still experimental but looks very promising.

Wear OS gets a revamp and lots of health-focused apps


Few people want to watch a movie on their smartwatch, but lots of people like to use it to track their steps, meditation, and other health-related practices. Wear OS is getting a bunch of Fitbit DNA infused, with integrated health tracking stuff and a lot of third party apps like Calm and Flo.

Samsung and Google announce a unified smartwatch platform

These two mobile giants have been fast friends in the phone world for years, but when it comes to wearables, they’ve remained rivals. In the face of Apple’s utter dominance in the smartwatch space, however, the two have put aside their differences and announced they’ll work on a “unified platform” so developers can make apps that work on both Tizen and Wear OS.

And they’re working together on foldables too

Apparently Google and Samsung realized that no one is going to buy foldable devices unless they do some really cool things, and that collaboration is the best way forward there. So the two companies will also be working together to improve how folding screens interact with Android.

Android TV hits 80 million devices and adds phone remote


The smart TV space is a competitive one, and after a few starts Google has really made it happen with Android TV, which the company announced had reached 80 million monthly active devices — putting it, Roku, and Amazon (the latter two with around 50 million monthly active accounts) all in the same league. The company also showed off a powerful new phone-based remote app that will (among other things) make putting in passwords way better than using the d-pad on the clicker. Developers will be glad to hear there’s a new Google TV emulator and Firebase Test Lab will have Android TV support.

Your Android phone is now (also) your car key

Well, assuming you have a really new Android device with a UWB chip in it. Google is working with BMW first, and other automakers soon most likely, to make a new method for unlocking the car when you get near it, or exchanging basic commands without the use of a fob or Bluetooth. Why not Bluetooth you ask? Well, Bluetooth is old. UWB is new.

Vertex collects machine learning development tools in one place

Google and its sibling companies are both leaders in AI research and popular platforms for others to do their own AI work. But its machine learning development tools have been a bit scattershot — useful but disconnected. Vertex is a new development platform for enterprise AI that puts many of these tools in one place and integrates closely with optional services and standards.

There’s a new generation of Google’s custom AI chips

Google does a lot of machine learning stuff. Like, a LOT a lot. So they are constantly working to make better, more efficient computing hardware to handle the massive processing load these AI systems create. TPUv4 is the latest, twice as fast as the old ones, and will soon be packaged into 4,096-strong pods. Why 4,096 and not an even 4,000? The same reason any other number exists in computing: powers of 2.

And they’re powering some new Photos features including one that’s horrifying

[Image: Google Photos “cinematic” photo effect. Caption: NO THANK YOU]

Google Photos is a great service, and the company is trying to leverage the huge library of shots most users have to find patterns like “selfies with the family on the couch” and “traveling with my lucky hat” as fun ways to dive back into the archives. Great! But they’re also taking two photos taken a second apart and having an AI hallucinate what comes between them, leading to a truly weird looking form of motion that shoots deep, deep into the uncanny valley, from which hopefully it shall never emerge.

Forget your password? Googlebot to the rescue

Google’s “AI makes a hair appointment for you” service Duplex didn’t exactly set the world on fire, but the company has found a new way to apply it. If you forget your password, Duplex will automatically fill in your old password, pick a new one and let you copy it before submitting it to the site, all by interacting with the website’s normal reset interface. It’s only going to work on Twitter and a handful of other sites via Chrome for now, but hey, if it happens to you a lot, maybe it’ll save you some trouble.

Enter the Shopping Graph


The aged among our readers may remember Froogle, Google’s ill-fated shopping interface. Well, it’s back… kind of. The plan is to include lots of product information, from price to star rating, availability and other info, right in the Google interface when you search for something. It sucks up this information from retail sites, including whether you have something in your cart there. How all this benefits anyone more than Google is hard to imagine, but naturally they’re positioning it as wins all around. Especially for new partner Shopify. (Me, I use DuckDuckGo.)

Flutter cross-platform devkit gets an update

A lot of developers have embraced Google’s Flutter cross-platform UI toolkit. The latest version, announced today, adds some safety settings, performance improvements, and workflow updates. There’s lots more coming, too.

Firebase gets an update too

Popular developer platform Firebase got a bunch of new and updated features as well. Remote Config gets a nice update allowing developers to customize the app experience to individual user types, and App Check provides a basic level of security against external threats. There’s plenty here for devs to chew on.

The next version of Android Studio is Arctic Fox


The beta for the next version of Google’s Android Studio environment is coming soon, and it’s called Arctic Fox. It’s got a brand new UI building toolkit called Jetpack Compose, and a bunch of accessibility testing built in to help developers make their apps more accessible to people with disabilities. Connecting to devices to test on them should be way easier now too. Oh, and there’s going to be a version of Android Studio for Apple Silicon.

Android TV OS reaches 80M monthly active devices, adds new features

Google offered an update on its TV platform, Android TV OS, at its Google I/O developer event on Tuesday. The company said Android TV OS now reaches over 80 million monthly active devices, including through its new Google TV experience for Chromecast, as well as other platforms like smart TVs. The company also previewed a series of upcoming features for Android TV OS, including a remote control feature for consumers and several developer updates around casting, emulators, and more.

The company repositioned Android TV OS last fall with the introduction of the Google TV experience. The new experience, which runs Android TV under the hood, now powers Chromecast with Google TV, smart TVs from Sony, and is coming soon to some TCL TVs. Over 80% of Android TV OS’ growth came from the U.S., Google noted, when announcing its 80 million monthly active devices milestone during the Google I/O event.

Google’s milestone may seem to put Android TV OS ahead of rivals like Roku and Amazon Fire TV, with 53.6 million and 50+ million monthly active accounts, respectively. However, these are different measurements.

Android TV OS figures are actually calculated by counting the number of devices that were actively used in a month — which means a user with multiple devices could have those devices counted separately, but a family with multiple people watching on one device would be counted once.

Roku and Amazon define monthly active users as “accounts” that have been active during the month. That means, even if that account streams on several different devices during the time period, it would only be counted once. If Roku or Amazon were to calculate active devices as Google is doing, their numbers would be higher.

In addition, Roku and Amazon Fire TV power both their respective company’s own device lineup and select TVs from partners, but Google’s Android TV OS also powers devices and services from TV and streaming device brand partners as well as TV service providers. That means this global number includes operator-tier and set-top boxes also powered by Android TV OS. It’s a different type of market.

Google today also announced it’s adding remote control features directly in Android, so users will be able to control their TV even when their existing remote goes missing. This feature, arriving later this year, will make it easier to type in usernames and passwords or search for longer titles, Google notes. It will work for all users of Android TV OS, including Google TV.


Meanwhile, for those building Android TV experiences, the company announced a handful of new features coming soon. A Cast Connect feature will allow users to cast from their Chrome browser on their phone or tablet to an Android TV app. Stream Transfer and Stream Expansion will allow users to transfer media to other devices or play audio on multiple devices.


Google is also making its first Google TV Emulator available, running on Android 11, along with an Android 11 image with the traditional Android TV experience. And developers can now also use a remote that more closely mimics TV remotes directly within the Emulator.

Following developer requests, Firebase Test Lab is adding Android TV support, as well. Initially, Firebase Test Lab Virtual Devices will run the developer’s app in the cloud on Android TV emulators to scale a test across hundreds or thousands of virtual devices. Support for physical devices will come soon.


Finally, the Android 12 Beta 1 is being made available for TV on its ADT-3 Developer Kit, starting today.

Dabbel gets $4.4M to cut CO2 by automating HVAC for commercial buildings

Düsseldorf-based proptech startup Dabbel is using AI to drive energy efficiency savings in commercial buildings.

It’s developed cloud-based self-learning building management software that plugs into the existing building management systems (BMS) — taking over control of heating and cooling systems in a way that’s more dynamic than legacy systems based on fixed set-point resets.

Dabbel says its AI considers factors such as building orientation and thermal insulation, and reviews calibration decisions every five minutes — meaning it can respond dynamically to changes in outdoor and indoor conditions.

The 2018-founded startup claims this approach of layering AI-powered predictive modelling atop legacy BMS to power next-gen building automation is able to generate substantial energy savings — touting reductions in energy consumption of up to 40%.

“Every five minutes Dabbel reviews its decisions based on all available data,” explains CEO and co-founder, Abel Samaniego. “With each iteration, Dabbel improves or adapts and changes its decisions based on the current circumstances inside and outside the building. It does this by using cognitive artificial intelligence to drive a Model-Based Predictive Control (MPC) System… which can dynamically adjust all HVAC setpoints based on current/future conditions.”

In essence, the self-learning system predicts ahead of time the tweaks that are needed to adapt for future conditions — saving energy vs a pre-set BMS that would keep firing the boilers for longer.

The added carrot for commercial building owners (or tenants) is that Dabbel squeezes these energy savings without the need to rip and replace legacy systems — nor, indeed, to install lots of IoT devices or sensor hardware to create a ‘smart’ interior environment; the AI integrates with (and automatically calibrates) the existing heating, ventilation, and air conditioning (HVAC) systems.

All that’s needed is Dabbel’s SaaS — and less than a week for the system to be implemented (it also says installation can be done remotely).

“There are no limitations in terms of Heating and Cooling systems,” confirms Samaniego, who has a background in industrial engineering and several years’ experience automating high tech plants in Germany. “We need a building with a Building Management System in place and ideally a BACnet communication protocol.”

Average reductions achieved so far across the circa 250,000m² of space where its AI is in charge of building management systems are a little more modest, but still an impressive 27%. (He says the maximum savings seen at some “peak times” is 42%.)

The touted savings aren’t limited to a single location or type of building/client, according to Dabbel, which says they’ve been “validated across different use cases and geographies spanning Europe, the U.S., China, and Australia”.

Early clients are facility managers of large commercial buildings — Commerzbank clearly sees potential, having incubated the startup via its early-stage investment arm — and several schools.

A further 1,000,000m² is in the contract or offer phase — slated to be installed “in the next six months”.

Dabbel envisages its tech being useful to other types of education institutions and even other use-cases. (It’s also toying with adding a predictive maintenance functionality to expand its software’s utility by offering the ability to alert building owners to potential malfunctions ahead of time.)

And as policymakers around the globe turn their attention to how to achieve the very major reductions in carbon emissions needed to meet ambitious climate goals, the energy efficiency of buildings certainly can’t be overlooked.

“The time for passive responses to addressing the critical issue of carbon emission reduction is over,” said Samaniego in a statement. “That is why we decided to take matters into our own hands and develop a solution that actively replaces a flawed human-based decision-making process with an autonomous one that acts with surgical precision and thanks to artificial intelligence, will only improve with each iteration.”

If the idea of hooking your building’s heating/cooling up to a cloud-based AI sounds a tad risky for Internet security reasons, Dabbel points out it’s connecting to the BMS network — not the (separate) IT network of the company/building.

It also notes that it uses one-way communication via a VPN tunnel — “creating an end-to-end encrypted connection under high market standards”, as Samaniego puts it.

The startup has just closed a €3.6 million (~$4.4M) pre-Series A funding round led by Target Global, alongside main incubator (Commerzbank’s early-stage investment arm), SeedX, plus some strategic angel investors.

Commenting in a statement, Dr. Ricardo Schaefer, partner at Target Global, added: “We are enthusiastic to work with the team at Dabbel as they offer their clients a tangible and frictionless way to significantly reduce their carbon footprint, helping to close the gap between passive measurement and active remediation.”

TechCrunch’s Equity podcast wins a Webby Award

Today, the fine folks at the Webbys announced that TechCrunch’s flagship podcast, Equity, is the best of its kind in the technology category. We’re stoked!

Alex Wilhelm, Natasha Mascarenhas and Danny Crichton sit down in front of their mics multiple times each week to regale dedicated listeners with news and analysis from the money part of the startup world.

Led by the deft production touch of Chris Gates and Grace Mendenhall, the entertaining trio goes deep into companies, topics and news multiple times each week – while mostly in a good mood. And they’ve come a long way.

Check out the shortest acceptance speech in TechCrunch history here!

Equity launched in March 2017 in a back room — a veritable closet, if you will! — at our old San Francisco office. Alex would come down once a week from his then-digs at Crunchbase News to join Katie Roof and Matt Lynley. Other hosts on our fun ride have included Kate Clark and our very own Connie Loizos.

We’ve got all kinds of podcast goodies up our award-winning sleeves and we hope you and five of your closest friends keep coming along for the ride.

A new book aims to blow up some widely held assumptions about the best founding teams

There’s a lot of how-to guidance out there when it comes to starting a company, and much of it has reinforced certain beliefs, including that solo founders don’t get very far on their own, that the most successful founders attend a small circle of top schools, and that the best companies are created by people who launched them to solve a personal problem into which they had a particular insight.

Ali Tamaseb, who earlier studied biomedical engineering in London, attended business school at Stanford, and founded a wearable tech startup before joining the venture firm DCVC as an investor in 2018, says that a lot of that guidance is, well, misguided. Tamaseb says he knows this because over the past four years, to improve his own decision-making, he amassed more than 30,000 data points about so-called “super founders,” from their age when their breakout company was founded, to the ranking of the school they attended, to how many competitors they faced from day one, and in doing so wound up discovering that much of what is espoused in startup circles is off the mark.

Tamaseb has now written about his findings in a new book called Super Founders: What Data Reveals About Billion Dollar Startups. We talked with him yesterday. Our chat has been edited lightly for length.

TC: Why write this book?

AT: When I was a founder, a lot of my perception was shaped through this lens of what the media tells us. Even now, when I’m on Twitter or Clubhouse, a lot of what I hear feels very different compared with what I see as a venture capitalist. Of course, nobody knows everything, and even the most successful venture capitalists have maybe invested in 10 of these breakout companies in their lifetime. So to get to the ground truth, and because nobody has collected this data because it’s hard, over four years of weekends and evenings, I began to collect this data, which breaks out to around 65 data points per company.

TC: What are some of these data points and how much of them were publicly available?

AT: The data includes the career path of the founder and whether their earlier roles were technical or not; the founder’s education and degree and the school they attended; what the market looked like when their company was started, including what the defensibility factors were; how many competitors they had; their fundraising history — how much did they raise and when and from whom?

There’s a bit of this data in a Pitchbook or Crunchbase, but nobody had put [these other pieces] into [context]. I was going to their LinkedIn profiles, reading interviews, going to the internet’s Wayback Machine and other archives to read reports to understand what these companies looked like at the time they were founded. I also called a lot of these founders to ask them for answers where I couldn’t find the information. It was a very manual thing.

TC: How many founders did you research?

AT: I researched more than 200 unicorns, [launched by] around 500 founders. Because no study has meaning unless you also collect data on a control group, I selected companies that over the same time period had raised a minimum of $3 million in venture capital as my baseline group. I then compared the two groups based on these 65 different elements.

TC: Your own research led you to invest in the primary and urgent care company Carbon Health on behalf of DCVC. What made you think this company was a surer bet?

AT: Specifically here, this founder [Eren Bali] had built a bunch of companies before, and a bunch had failed or succeeded on a smaller level, then his last company was [the edtech giant] Udemy, where he spent four years. One of the key things that I observed in the data is that it’s all about these small steps, and even the small exits. Around 60% of these “super founders” started something earlier, and many actually lost a bunch of money; just 42% of them had a previous exit of $10 million or more, so the majority had “failed” in the world of venture capital. But [the data suggests that] practice makes perfect.

TC: You also found that solo founders aren’t doomed to run smaller companies, despite some earlier thinking by Y Combinator’s Paul Graham that you need at least two cofounders to do something big.

AT: Right, 20% of the founders in both groups — the unicorn and non-unicorn group — were solo founders, so VCs are funding solo founders and they are building billion-dollar companies. Basically, one out of every five unicorn companies has a solo founder. So I think that’s another narrative that gets retold, including on Twitter, but that doesn’t match reality. Flexport, for example, has a solo founder [in Ryan Petersen]. So does CarGurus, which was founded by Langley Steinert, who, by the way, first cofounded TripAdvisor [and more recently founded ApartmentAdvisor].

TC: Your book also asserts that there are plenty of founders of billion-dollar companies that didn’t attend elite American universities.

AT: There are schools that founders attended more than others — Stanford, MIT, Wharton and Harvard — but as many of these founders attended schools that aren’t even at the top 100 [ranked U.S. schools] compared to those who went into the top 10. It’s a barbell distribution. Around 36% went to the top 10 schools, the same percentage went to schools not in the top 100, and there’s another 30% or so in the middle.

TC: Two other observations in the book that are interesting are that half the founding CEOs you researched were nontechnical and only 30% had domain expertise in the industry they were disrupting. The latter may surprise readers particularly.

AT: Yes, 30% of founders in consumer tech and 40% in enterprise tech did not come from the same domain [that their company now operates in]. And I see the same thing in startups that are just now getting funded. What it tells you is that domain expertise is not necessarily correlated to success.

Take Nat Turner of Flatiron Health [a cancer-focused start-up that sold to Roche Group in 2018]. These guys were serial entrepreneurs and they had a bunch of successes before, and they jumped from one industry to another, starting with a pizza delivery company they started in college, where they learned about the restaurant industry and deliveries and logistics. They also sold an ad tech company to Google. Then they go and start this company in the cancer oncology IP and data space, where they didn’t know anything, but they learned as much as anybody after spending two years going and talking with every oncologist they could find in New York to understand the space. So maybe founders apply their tech background to different industries or they apply software skills like resources and connections to learn about a specific industry rather than coming from that industry.

TC: What did your research tell you about funding? We’re seeing companies raise bigger rounds faster than ever before, including from Tiger Global.

AT: I don’t specifically have any brilliant thoughts on Tiger or anyone else, but these unicorns that I studied — even in their seed round and Series A rounds, they had raised two to three times larger rounds than the companies that did not become billion dollar companies. The kingmaker strategy kind of works.

WalkMe is going public: Let’s stroll through its numbers

Hot off the heels of our look into Marqeta’s IPO filing and dives into SPACs for Bright Machines and Bird, we’re parsing the WalkMe IPO filing. Later this week, Squarespace will direct list and we’ll see IPOs from Oatly and Procore. It’s a super busy time for public debuts of all sorts.

Given how hectic the IPO market is, we’re going to skip our usual throat clearing and dig into WalkMe’s IPO document. As always, we’ll start with a brief overview of its product and then move into discussing its financial performance.


WalkMe is the second Israel-based technology company to file to go public this week: No-code startup Monday.com is also pursuing an American IPO.

Alright! Into the breach.

What does WalkMe do?

WalkMe’s software provides visual overlays on websites that help users navigate the product in question. I base that explanation on my time at Crunchbase, which was a customer during at least part of my time there. WalkMe is popular with marketing teams who want to introduce users to a new or refreshed experience.

Per the company’s F-1 filing, other elements of its service that matter include its onboarding system and what WalkMe calls Workstation, or its “single interface to the applications within an enterprise and simplifies task completion through a natural language conversational interface and automation.” We’re including that last feature because it says “automation,” which, in the wake of the UiPath IPO, is a word worth watching. Investors are.

At a high level, WalkMe is a SaaS business, which means that when we digest its results we are digging into a modern software company. Let’s do just that.

WalkMe’s numbers

From 2019 to 2020, WalkMe grew its revenues from $105.1 million to $148.3 million, a gain of 41%. In its most recent quarter, the company’s growth rate slowed: From Q1 2020 to Q1 2021, WalkMe’s top line grew 25% from $34.2 million to $42.7 million.

In SaaS terms, WalkMe calculates that its annual recurring revenue, or ARR, grew from $131.2 million at the end of 2019 to $164.3 million in 2020. In more granular terms, the company’s ARR grew from $137.8 million to $177.5 million in the first quarters of 2020, and 2021, respectively.

Skittish is what you’d get if you crossed Animal Crossing with Clubhouse

If the Instagram ads feel like they’re closing in and you can’t bring yourself to toggle your Zoom camera on these days, you’re far from alone. Well into 2021, many of the social apps and virtual chat tools that kept the world connected during the pandemic feel more exhausting than the real-life interactions they’re meant to simulate.

But what if hanging out online was… not miserable?

That’s the idea behind Skittish, a virtual browser-based event platform from XOXO co-founder Andy Baio. Skittish is a playful cross between a social audio chat app like Discord or Clubhouse and a cute video game, replete with round, colorful animal avatars to choose from. Unlike a Zoom call, Skittish is a place — one where its inhabitants can bump into one another, do activities together and wait for serendipity to strike.

Skittish is a natural extension of Baio’s interests, a sort of inviting, lightly indie-gamified space where creative people can showcase their work and hang out. “I think I’m just drawn to places where people can be themselves,” Baio told TechCrunch. “With Skittish, it’s been really important to me that people can engage at the level they’re comfortable with.”

Baio has a reputation for curating social spaces, though previously they were mostly IRL. In 2012, Baio co-created XOXO, a whimsical Portland-based festival for quirky people who make stuff. While the festival took a few years off due to Covid, the event lives on in a bustling online community full of indie game devs, offbeat podcasters and digital artists. Prior to XOXO, Baio worked on Kickstarter pre-launch and went on to serve as the crowdfunding site’s first chief technology officer. (Full disclosure: I’m a former XOXO attendee who is part of the community.)

The aptly named Skittish is meant to create an online social space that doesn’t put people on the spot. In Baio’s ideal virtual world, introverts could circle the periphery while extroverts could plunge right in and hold court at the center, just like they might in real life. That range of social styles isn’t reflected in virtual environments that are either explicitly for work or modeled after work, and that is enough to inspire dread for a lot of people.

For Baio, audio chat hits a sweet spot. Taking the camera out of the equation makes people feel socially fluid, but audio still evokes a degree of social presence that text can’t compete with.

“There’s an assumption in a lot of virtual events that people want to be on camera all the time with strangers, which feels alien to me,” Baio said. “Skittish is audio by default, and uses spatial audio so that you can hear people around you and lurk a little bit before deciding if you want to jump into a conversation. Socializing anywhere, even online, can be really anxiety-inducing.”

Clubhouse might be synonymous with social audio right now, but its structure still doesn’t appeal to everyone. “I like the casual and conversational approach to audio, but [it] just feels like a series of conference panels and needs a strong moderator to be compelling enough to tune in,” Baio said.

How Skittish works

In Skittish, walking up to a group of people (animals, really — Skittish users can differentiate themselves by choosing one of more than 75 deeply cute animal avatars) allows you to hear a conversation just like you would in real life. Backing away, you’d hear that chatter fade until eventually it wouldn’t be audible any more. To have a more private side conversation, you and a friend (a crocodile, maybe?) could peel off from a cluster of other people and deepen your chat on a virtual walk.

Inside a Skittish room, event participants can walk around, chat with others over a mic, place virtual objects and even hop through portals to other rooms. Anyone running a Skittish space can stream videos and music from YouTube or Soundcloud to a virtual screen. Event organizers can also broadcast themselves or other speakers to the full room, overriding the normal proximity rules that let you hear what’s around you.

Skittish avatars watching a video

Baio doesn’t imagine Skittish as a persistent social space, but instead wants it to provide a flexible, playful platform for all kinds of events, everything from live podcast readings and tabletop games to larger company events. Baio says the core target audience for Skittish is “anybody with a Patreon,” and larger company events will offset costs for creators who use Skittish to connect with their communities. Anyone hosting an event can choose to either populate a virtual space with pre-designed virtual objects (think pirate ships and giant doughnuts) or dream up their own environment from scratch.

By designing a service that only exists when people need it, he hopes to avoid the harassment and toxicity that abounds on big social networks. Skittish will still pack a set of tools that allow a space’s creator to mute, kick or even ban users, but ideally, it won’t need it.

“I’m a big fan of dark social, in general, where people can feel more like themselves and moderation is much more human and manageable,” Baio said.

Skittish mod tools (mute, kick, ban buttons)

Beyond Zoom

The pandemic shed new light on what people really want out of online social spaces. Zoom’s novelty wore off quickly, and by late 2020 group video chat felt like an entrenched fixture of virtual work, not virtual play. It shouldn’t be surprising that a gentle social simulator with light multiplayer features emerged as the game of 2020.

“It’s a bit of a cliché, but Animal Crossing: New Horizons became a reliable escape for me during the pandemic, a daily source of comfort and routine when we couldn’t go outside,” Baio said. He was charmed by his first foray into the series’ famously soothing rhythms and the game helped him envision Skittish.

“… I think what inspired me most were the simplicity of the controls and camera, the overall tone of the game, and the social features, limited as they are,” Baio said. “You’re capped at seven visitors and it takes forever for people to fly in, but despite that, it’s just a joyful experience to have a bunch of people over to your island.”

With the Nintendo Switch sold out everywhere and Animal Crossing racing up the console’s all-time sales charts, it was obvious early on that something resonated. People who wouldn’t normally consider themselves gamers bought Switches and spent hours shaking virtual trees, chatting with squirrels and touring friends’ islands for interior design tips. With Skittish, Baio hopes to capture a little of that same magic.

Games that double as social networks are booming right now — and with good reason. For many people it’s more natural to socialize when you’re ambiently doing something else together, whether that’s teaming up for a Fortnite duo, building a viking longhouse in Valheim or sampling user-built games within Roblox.

Socializing online with avatars also lets you express yourself in a meaningful enough way that Epic built an entire business around it, with sales of skins (virtual outfits) and emotes (dance moves and gestures) making up the lion’s share of Fortnite revenue.

Skittish - Asset Editor

Building Skittish and what’s next

Skittish grew out of a $100,000 grant awarded by Grant For The Web, a fund created by Coil, Mozilla and Creative Commons to distribute grants to projects that incorporate micropayments for online creators.

Baio began prototyping Skittish last July, imagining it as a pop-up space for events rather than a persistent virtual world. The 3D world’s simple, colorful visuals were built with React-Three-Fiber (R3F) and three.js. For its high quality spatial audio chat, Skittish uses an API from High Fidelity, the latest project from Second Life creator Philip Rosedale. Amazingly, Second Life added spatial audio to its online worlds all the way back in 2007, fourteen years ago.

Skittish spaces initially accommodated up to 120 mixed voices in a single room, but the audio capacity is even higher now. Though he’s still testing what the new limits might be, Skittish is getting closer to Baio’s goal of hosting 1000-person events. Skittish rooms can now be password protected, invite-only or public, and Baio imagines special “cozy” 3-5 person spaces in the project’s future.

Skittish will host its first paid events this month as a test, with invites to follow after that. Baio plans to rely on paid events for revenue and he’s on the fence about offering a free tier due to moderation concerns and the costs associated with hosting hundreds of simultaneous conversations between virtual elephants, zebras and raccoons.

A walk in Skittish

I met up with Baio in Skittish to chat about the project and it immediately felt less awkward than a Zoom call or Google Hangout. As a noble trash panda, I followed Baio’s owl around the colorful polygonal virtual set like we might have walked around a park having coffee together.

Skittish looks like a video game and you can move around using WASD if you want, but it’s straightforward enough that anyone can get the hang of it right away. The world’s simple graphical style sets a chill, creative vibe and the avatars even have a gentle idle animation, a kind of bounce that brings your respective elephant, raccoon or zebra to life.

Like experiences I’ve had in a few other innovative avatar-based virtual worlds (AltspaceVR comes to mind), the sense of really being there, just hanging out, feels revelatory. Multiplayer games have been miles ahead of traditional social networks on this phenomenon for ages; it’s no wonder that Fortnite and Minecraft are de facto social networks for a huge swath of younger people. In Skittish, the high quality spatial audio and playful sense of presence offer something similarly transporting.

Virtual owls aside, Baio says Skittish will be a success when people start making real connections there that follow them beyond the virtual world he’s created.

“Just like the events I’ve run in real life, I’ll know it’s working when I hear stories about people meeting each other in a playful environment and making new friends,” Baio said.