How an Ex-Twitter Adman Plans to Squash Business Email Compromise, One of Tech’s Most Pernicious Threats

On the other side of the country, a junior member of Greylock’s finance department in Boston had been exchanging email messages with a person he thought was Chandna. The request, which originated from Chandna’s email address, seemed believable enough: Wire $400,000 to a bank account in Singapore. The scheme unraveled when the employee sought to confirm the transfer with his boss, Greylock’s chief financial officer.

The finance chief spotted something fishy. He noticed the style of writing did not conform to that of the supposed author. Not to mention, Chandna would never make such an odd request, the finance boss thought. It quickly became clear: A hacker had infiltrated his colleague’s inbox. “Basically, somebody was in my email account, live, right then,” Chandna recalls.

Chandna—who specializes, ironically enough, in cybersecurity—was the target of an increasingly prevalent internet scam called “business email compromise.” The ploy involves fraudsters impersonating targets, whether by hacking or spoofing email accounts, and then tricking their contacts into forking over loot. Frequent prizes include unauthorized transfers of funds or documents such as wage and tax forms.

The compromises have gotten so out of control that the Federal Bureau of Investigation warned in a September bulletin that between May 2018 and June 2019 actual and attempted losses reported by victims doubled. Between June 2016 and July 2019, tens of thousands of companies have reported more than 160,000 incidents totaling $26 billion in actual and attempted losses, the bureau said. (And those figures only include publicly reported cases, meaning they’re likely conservative.)

Luckily for Greylock, Chandna’s team discovered the fraud and reclaimed control of his inbox before any funds flowed to Singapore. But not everyone is so lucky. In 2015, a San Jose-based tech firm, Ubiquiti Networks, said it lost $47 million in a similar attack. A year later, Austrian aerospace firm FACC lost the same amount in a fiasco that ultimately cost both the company’s chief executive and finance officers their jobs. Many others have fallen prey too—including Facebook and Google.

“Email is the lifeblood for most companies and it continues to be a key vector for attack,” Chandna tells Fortune. Having come face to face with the problem, he became convinced that more needed to be done to combat the growing threat. And like any good investor, he sensed a business opportunity.

Never let a crisis go to waste

Soon after the email compromise, Chandna found a receptive ear on Evan Reiser, then a product manager at Twitter responsible for its $2 billion-per-year ad business.

The men had prior ties. Greylock had been a major investor in TellApart, the advertising tech firm that had bought Reiser’s own small, personalized ad tech startup, AdStack, in 2013. Two years later, Twitter acquired TellApart for $532 million in what remains the microblogging site’s biggest deal to date—earning Greylock a pretty penny for its early bet.

But Twitter’s TellApart purchase didn’t pan out as hoped. In the months that followed, Twitter’s digital ad business faltered, and the company struggled to rally against the likes of a Google and Facebook duopoly. Year-over-year revenue declined to $638 million in the fourth quarter of 2016 from $641 million in the fourth quarter of 2015—a miss the company attributed to slippage at TellApart. In early 2017, Josh McFarland, formerly TellApart’s cofounder and CEO and then Twitter’s vice president of product, left to become a VC at Greylock, where he had initially incubated TellApart. A year later Reiser followed in McFarland’s footsteps—not as a Greylock investor, but as an “entrepreneur in residence.”

A major factor in Reiser’s decision to tackle the challenge of business email compromise was, he says, reading a Fortune investigation that found Google and Facebook were the victims of $100 million worth of scams crafted by a single Lithuanian man. That such sophisticated organizations could fall prey to such seemingly simple fraud “blew my mind,” Reiser says.

Since joining Greylock in April 2018, Reiser has been quietly building Abnormal Security, a startup that aims to put the kibosh on the very hacker tactics that nearly got the better of its investor. Greylock has poured $24 million into the startup in the hopes that it will counter the scourge—one which research firm Gartner listed this year among its top 10 priorities for the cybersecurity industry.

How to tell hackers apart

What do selling ads and combatting hackers have in common? Turns out a lot, Reiser says.

“We’re taking the same data science techniques we borrowed from the advertising industry to model behavior and look for abnormal patterns,” he says, explaining the company’s methodology as well as its name. “We suck up all the data inside an IT security system to create profiles of who employees are and what is their expected behavior, to look for suspicious behaviors indicative of frauds or scams.”

The tells are many. Abnormal uses machine learning-based algorithms to sort data into three buckets—identity, content, and relationships. Some key clues for sussing out imposters include unfamiliar domain names or IP addresses (identity), uncharacteristic writing styles or urgent payment requests (content), and frequency and type of communications expected between various contacts (relationships). Abnormal’s product parses “thousands of data points,” Reiser says, which feed each category and determine when a confluence of unlikely factors indicates mischief.

“All these things, individually, could happen 5% of the time, but the chances of all three happening at the same time is zero,” Reiser says, conjuring a hypothetical example.

Customers don’t need to wait long to benefit from Abnormal’s protections. The company’s product can ingest years’ worth of email records contained in archives, plot its baselines, and get up to speed within minutes, Reiser says. The product works with Microsoft 365 or Google’s G Suite, popular enterprise email services. So far Abnormal has 50 employees and a dozen customers, including Xerox and Vistra Energy, a Texas-based power company.

Ryan Kalember, head of cybersecurity strategy at Proofpoint, an incumbent email security firm, describes business email compromise as “probably the most expensive problem in all of cybersecurity,” surpassing even ransomware as a cause of cyber insurance claims. Kalember says Proofpoint has been prioritizing the threat for years by releasing products that specifically aim to address it and by, generally, funneling 20% of the company’s annual revenue into R&D.

But some customers see room for improvement. Joseph Kamau, chief security officer of Freedom Financial Network, a financial services provider based in San Mateo, Calif., says fewer social engineering attacks are landing in employees’ inboxes since the company began supplementing Proofpoint’s products with Abnormal’s. Impersonations that used to slip through the cracks no longer are, he says.

Much like in his advertising days, “the core technology is around understanding and predicting the behavior of people,” Reiser says. But the ambition goes beyond money. “For me, personally, I wanted to start the company to go solve a problem I think is meaningful,” he says.

“Greylock backed this company because we personally experienced a business email compromise attack,” Chandna says. And though many of his peers and other companies don’t like to admit it, “I know we’re not unique in that.”

More must-read stories from Fortune:

—Why the Midwest is a hotbed for innovation
—Nintendo’s Switch Lite helps capture new audiences—women and families
—A new Motorola Razr—and its folding screen—could bring phone design back to the future
—Most executives fear their companies will fail if they don’t adopt A.I.
—How giving thinkers and tinkerers room to experiment builds a better company
Catch up with Data Sheet, Fortune’s daily digest on the business of tech.