Disrupting Scam Networks at Scale: Rethinking Cybersecurity for the Fraud Era

Well, good morning everyone. My name is Victoria Burch and I'll be your host for track here today at Bside Sydney 2025. We're very thrilled to welcome you to what promises to be two packed days of learning, networking, and inspiration. Before we get started, we'd like to acknowledge the traditional custodians of the land on which we meet today and pay respects to elders past and present. We recognize their enduring connection to country and extend that respect to all Aboriginal and toouristrate islander people here today. Over the next two days, we'll have two concurrently running talk tracks. Track here, track A right here, and track B running upstairs. And for those keen to put their skills to the test, please don't miss our

Capture the Flag event happening in room 504 this afternoon from 1:30 to 4 p.m. If hands-on learning is more your style, please check out the workshops on levels 4 and 6. They'll be running this afternoon from 1 to 5:00 p.m. on a first come, first serve basis. Full session and workshop details are on the schedule and on the Bside Sydney website, so keep an eye out for anything there that piques your interest. Throughout the venue, you'll also find sponsor stores with the Lasis information and plenty of career help for those thinking about their next move. Whether you're here to upskill, connect, or just have a good time, there's plenty of things for everyone. And with that, it's my pleasure to kick

things off by introducing our keynote speaker. Professor Kafar is the executive director of the McCory University Cyber Security Hub, New South Wales Cyber Ambassador, and has been recognized in the Australian's top 100 innovators. He's also a professor at the school of computing where he leads cutting edge research in cyber security, privacy, cryptography, and AI security. His talk today is titled Transform Scam Mitigations and Intelligence with Advanced AI. Please join me in welcoming Professor Dali Kafar to the stage.

>> Good morning everyone. Let's see if that works. Works great. Okay. Um All right. Very early start for the morning. Didn't have my coffee yet actually. I hope you guys have yours. So, a big disclaimer, excuse any inconsistency or incoherence in my speech. I'll be waiting for my coffee. Um, so great to see everyone here. I'm I'm I'm so honored to be with you all. Um, just a little bit of a shout out as well to the Institute of Applied Technology Digital, uh, which is, uh, an amazing new educational model partnership between McCoy University, TE, New South Wales, UTS, and Microsoft. Check out the cyber range training center upstairs on level six. Um there's lots of fun there. I think has been

co-designed between the unis, the t and Microsoft. Um there's lots of cyber simulations. Um the any town platform um is really just something to see as well. Um so yeah, looking um for an amazing couple of days. Thank you for organizing this besides Sydney. Um and let's get started with a little bit of fun around um scan. Um so I'll be talking a little bit about Apache and many of you would have probably heard a little bit about it. I don't know if people have jumped on the website and did take a quite quick look but I'll tell you a little bit about how it started, what's really under the hood in terms of the engine

that is running it. Um some of the partnerships that you may have heard of. Um we're a spinout company from Aquaria University. I'll tell you a bit about the history there and you know how we evolved um with some um massive partnerships here in Australia. You probably have heard about the partnership that we have with Commonwealth Bank and Podafon TPG Telecom but we're expanding globally um parts of Africa um in Europe um in Southeast Asia and then very soon in in US. Um, so I'll tell you a little bit about that, but the fun part would be really to tell you a little bit about the technology itself and how it works. But before I go into any of that, what I

wanted to do is to take you back with me to a lovely and sunny afternoon in one of Sydney's parks. And that's just really the um the sort of backstory for a pate. And I was having a little picnic with my kids on that day. Um, and the phone rang and it was an unknown number. And usually I'd completely ignore those like many of us here in the room. But that particular one, for some reason I thought I'll pick it up. And so I answered that call and sure enough it was a scammer. And then I think what followed was a full comedy show for my kids who wouldn't stop laughing as I was playing

along with that scammer, pretending to be naive, vulnerable, and at times, you know, confused. The interesting piece there is that I ended up talking to that particular scammer for 44 minutes. 44 minutes of the scammer's time obviously completely unproductive and the scammer going crazy about it. But then as I hang out that particular call, I remember thinking to myself, this was all great fun and the kids had a, you know, good piece of love. But if I could do that just for fun, imagine what technology can do at scale. But I also remember thinking to myself, actually rather my wife reminded me about this. These were like 44 minutes of my own lifetime that will never get

back. So technology definitely can do this in a much better way. Now one of the big things there that you could think about is all the fun that we have when we start really scam baiting these scammers. And I'm sure many of you would have tried the experiment here like you know did catch some of these scammers on a phone call. But the whole truth is that scam is everything but fun. Billions of calls are made globally on a monthly basis. Here in Australia actually tens of millions if not hundreds of millions are placed on a single day towards us consumers. And each of these one calls carries definitely the risk and the vulnerability of people and the

potential of you know a whole tragedy out there. In fact, billions are lost to scammers on a monthly, on a yearly basis, right? I'm sure you cross some of these numbers, but we're really talking about a trillion dollar sort of economy. And I'll tell you what, all of us here in the room, including myself, completely underestimate how damaging that industry is and how damaging that activity of scammers is across the globe and here in Australia. And every single one of these calls again is really kind of looking at a whole tragedy and whole life savings potentially wiped out. So it's not only about annoyance anymore, right? It's really about tragedies playing out there. And the very very truth of this and I

keep thinking about this every single day is that every potential scammer successfully you know getting to a victim there is enabling more and more in this erosion that we all have in you know the trust that we give to the very very systems that we rely on to stay connected and I think this is where Apachi comes in. So let me explain for a second you know how the whole story started. Imagine a world where instead of being very very reactive to this problem of scam we decide to shift the paradigm out there we decide to switch the way we are approaching defending against scams but rather than being reactive we become proactive to the issue. So I want you to

just imagine a world where every single call that is placed by a scammer becomes a liability for them and imagine a world where basically rather than just simply blocking these scam calls you flip the script against scammers. So here's what I mean today. Telos for instance and we'll talk about all all other sort of actors in this but Telos actually play obviously a massive and a very very important role in you know trying to keep scammers away from us and the way they do this as we all know is by blocking some of these scal calls right and in fact telos block millions if not hundreds of millions of calls on a monthly basis and I'll give

you some statistics here in Australia we block rough roughly somewhere between 2.5 to 3.5 billion calls a year, right? A major telco like T-Mo in US, bigger economy, bigger market blocks roughly 45 billion calls a year. That's 1,300 call a second being blocked by them. And I think telos actually assume they're doing a great job in doing so, right? That's after all a good thing. you know, you're really trying to keep them away. So, you're blocking these calls and they're not reaching to your customers. Well, the reality is that actually scammers do not even notice that they're being blocked. They're on auto dialers, right? They keep coming back over and over again at the network until

ultimately they'll make it through to their victims. In fact, in practice, if you see how phone scammers work, they don't even notice, you know, that there is a delay between that particular customer of theirs, right, a victim and the next one. They keep picking up the phone as it's always ringing, right? The auto dials are always on. So to some extent and I'm saying this in in this room just you know um that it stays in this room the number of blocked calls for telos is just a vanity metric. It's just to keep our conscious you know like us kind of happy about these numbers because in practice it's not working. And if there's one evidence to

that is the fact that we all in this room keep receiving these annoying scam calls on a monthly basis. In fact, every Australian on average receives somewhere between 10 to 15 calls a month. There are much higher numbers out there in other economies and in other countries. Brazil is a very interesting example. Somewhere between 55 and 65 calls per individual per month, which is massive, but still 15 is a huge number. but tells you that the current way of doing things is not working. And this is essentially as you see in the screen something that literally shows how it's being happening currently. Right? So the telco blocks, you know, throws in the bin these calls

that they identify as scam calls. Some of the others really come through and they reach out to uh to their victims. And this is where the connection happens. Loss happenings, right? I want you just to imagine a world where instead of just being very very reactive to this problem, every single time you identify a scam call in at the exchange level, at telco level, you essentially redirect those scam calls, right, to an armies of bots that will pretend to be real victims and do what I've done in that one picnic afternoon, retaining those calls and literally wasting the scammers time or as much as possible. So I want you to imagine a world where every single time there is a call that

is being flagged as suspicious or as scam. Actually, you basically make sure that that scammer spends about 44 minutes of their time talking to what they think is a perfect victim while instead they're just having their time wasted by a bot. And this is what Apache does. So we design, build and deploy what we call armies of bots, thousands and thousands of them that essentially mimic what we call a perfect victim. So they come in so many different flavors and you know when we started this journey we had about 120. I'll tell you a little bit about that story but currently we have tens of thousands of them. So we had about 120 different persona. They come in like different

gender groups, different ages, different personalities, different attitudes, different emotions and so on and so forth. Different languages, different accents, different dialects. And about five years ago um when we started this we used to have our own sort of personas and like you know we we used to call them by names right like Vicki, Pete, John and so on and we each one of us in the in the team like used to have our favorites and our preference ones right sadly currently we have about 98,000 or so and we lost the names and so they're called ID1 to ID 98,000 and so on. So it's a bit of that industrialization that happened. I still keep my favorites one. I'll play a few

of those. Uh, and actually the team hates me for having my favorites because I'll tell you why we shouldn't have our favorite spots uh in a minute. But it's so so important to have that scale happening. Um, and so that really how Apati started, you know, with this idea that we can disrupt the whole business model of scammers by basically getting them to be talking to what they think are their victims while they're obviously wasting their time. But more importantly while you're doing this and this is a really key and super super important part of the whole uh Apache tag while you're doing that isn't that a magnificent opportunity to extract all sort of intelligence

about the scammers themselves the impersonated organization that they're trying to pretend to be their tactics the script itself the campaign that they're running all sort of personal information that they're trying to extract from from their victims. All of that ahead of them reaching out to potential real victims. So you make sure that by collecting that intelligence, you're always becoming ahead of the scammer tactics because the these armies of bots will essentially be deployed at the front lines and they'll make sure that they know before anyone else get hurt by scammers. So we build these bots, right? And again, this is what we call the perfect victims. And I'll tell you obviously about how we did it,

right? like you know the the cracks of the models that we have out there. Um and so they are essentially what we call scam baiters, right? You know that's the the fundamental mission of the voice bots and they're optimized for longer conversations. So they're optimized really to make sure that the conversations runs forever with scammers and obviously we want them to be as realistic as possible but they're also built for scale, right? They're built really to absorb and that's really a massive infrastructure sec DevOps type of challenge that we had to really crack very first day about being able to handle millions of calls a day. And I'll tell you how we've done this in in some

of the deployments we have. All right. So before we do any of that, um I'm going to play a few of these audio clips just to give you a sense, you know, a little bit of the flavor about how these bots sound. Our bots actually can keep scammers every single time I give this call this talk I actually keep updating these numbers because you know the bots keep hitting new records. Uh a month ago it was about uh an hour 12 minutes or so is like maximum number like maximum duration of calls. We run on an average depending on deployments an average of 14 to 23 minutes average calls across all the bots but some of

them are obviously doing a lot higher you know durations. Some conversations with particular scammers are are much longer. I think currently our record is about 2 hours and 24 minutes in fact of keeping a scammer on the line um just talking to what they think is their is their victim. So, what we're going to do um I'll play five audio clips, right? And there's a bit of a game here that we want to do this morning. I'm not sure whether I should promise a gift or like maybe not. Actually, there's too many smart people in the room. So, what we'll do is I'll play five of these audio clips, right? And I want you to identify

which one has obviously some of them will be bots, right? Talking to real scammers. All of them will be like having real scammers in the call, but I want you to identify the ones that had a real human. All right? So, I'll play five of those. Obviously, snippets of these calls. I promise I'm not playing the 2 hours or 46 minutes or whatever. So, we'll just play 2 minutes or maybe 3 minutes each, which is an interesting thing because that would make us probably lose 10 minutes. So, you'll we'll we'll go with this. Um, but yeah, pay attention to, you know, everything that you'll be hearing from those conversations. So, let's start with one. This is a call

from Amazon's fraud department. My name is Dayton. How are you today? >> Hi, I'm doing okay, thanks. Um, sorry, where are you calling from again? >> This is Dayton from Amazon's fraud department. Sir, the reason for my call today is that we flagged some suspicious activity on your Amazon account. I would like to verify with you whether you have you authorized a purchase of $999.98 for a MacBook Pro to be delivered to an address in San Diego, California. Sir, >> you for real, mate? I'm in Sydney, not bloody California. I mean, no. I definitely didn't buy anything like that. Are you serious? >> Yes, sir. I know this may sound scary, but I assure you this is serious and that's

why I'm calling. This is the fraud department and we are suspecting a fraud. >> Okay, that sounds serious. >> I was saying it looks like someone may have accessed your account without your permission. This purchase is pending and we need to cancel it before it's processed. Do you have a few minutes to verify your account with me? >> Yeah, for sure. As long as I'm not paying for anything, whatever. Whatever. It's really strange though, especially going to California. I have never been there. I barely even use my Amazon account apart from a few tools for the shed. >> Thank you for your cooperation, sir. So, it confirmed you are have not initiated the transaction, sir.

>> Yes, I did not initiate the transaction. >> First, could you confirm the first last name sir? >> Yeah, I suppose I can. Uh, this is for my Amazon account, right, mate? >> Yes, sir. >> Uh, it's probably Steven Zedra. >> Okay, thanks for that. That is great. Now I need to verify the last four digits of the credit card linked to your Amazon account. Sir, that will help us identify and verify the fraudulent transactions. >> Oh um hang on. I mean I'm not sure which card I've used recently. Can you give me a hint? >> Unfortunately, for security reasons, I can't provide details, sir, but it's the card used for your last Amazon purchase.

Can you recall which one that might be? Um, it might be my visa, but I don't have it on me right now. Should I go grab it? >> Yes, sir. Please do. I'll wait while you check. It's important we resolve this quickly. >> All right. Give me a sec. Okay. Um, sorry for this, mate. It's uh it's taking a bit today. It's not the greatest of the days for me. All right. I think I've got it. What do you need again? >> Just the last four digits. >> Hello, sir. Jeremy, >> we we'll park it there for that one. Um, that particular bot was on a mission, by the way, not only to maximize the

duration of the call. We'll talk about it later, but in fact to give away the credit card. So, they have assets as well. So, they have fake real credit cards and sometimes they feed the scammers with some of these credit card numbers. So, that conversation as it evolves essentially ends up with this with a bot. Oh, damn it. I give it away. That one was a bot. So, you've got chances now. >> Um, I'll come to you in a sec. um to essentially feed the scammer with that with that information and you know literally uh I think it was like a 26 minutes conversation the bot ends up giving giving it away. Yes. Sorry. >> Uh yeah

representatives but they never asked for my deter. Yeah, the the tech support app and and yeah, the tech >> Yeah, the Anyesk one, right? They want you to install any desk. And there's Yeah, that's very very classic. The Any Desk and the Telstra one. I think I've got maybe one or two. Let me play a few more.

All right, we'll come to that. We'll come to that. All right, let's keep going with this. the ATO's fraud investigation unit and this is a timesensitive matter involving potential identity misuse linked to your TFN. Can you confirm your full name so I can pull up your case file? >> Um, you just call me. >> Sir, we contacted you because your TFN has been flagged in a financial fraud investigation. If you prefer I can mark this as non-compliant and legal proceeding will continue. Okay, let me check. Yes, your table is flagged under case ID 2 4 42. Can you confirm your post? >> Ah, wait. I mean what my I pay my taxes, you know, so it should be all good.

Listen sir, I don't have time to explain everything right now, but here's the thing. There are multiple account under your DFS. All right? And if we do not resolve this, uh there will be legal consequences. Okay? Do you understand the severity of this? >> Well, not really. What multiple accounts? What are you talking about? I have one. There are 12 business entities registered under your with transactions flagged for fraud and large. Have you ever heard of bit or spot? >> Yeah, large crypto. I have used them. >> Exactly. But you have records of transactions under your large payments routed through coins and off Singapore. Do you recall authorizing a transaction to a Bitcoin wallet? >> A wallet ID? What? No, I don't even know

what that means. >> Sir, I sle >> I just want to give you more chances to listen to the bot or to the person. >> You are not involved in fraud. >> So, you want me to send money? That sounds dangerous. It sounds like a scam. How can I trust this is safe? >> Listen carefully. You do not pay us. You secure your funds while your case is being reviewed. Once we confirm no wrongdoing, the money is returned within 24 hours. >> Okay. Okay. But if this is legit, I mean, sugar, is this really happening? I mean, hang on. Why is this my phone? >> Sir, this is confidential and this is why I'm calling you right now. uh urgent

needs immediate action as the scammer can see the TF2. So your chairman has been compromised. This is why we are calling directly from the ATO investigation. >> Uh I still don't feel right about it. Maybe I should check with my wife. >> Look sir, we don't have time. Unfortunately, I am afraid if this isn't done now, we will also have to notify your employer and you're taking the risk of an arrest order activated within the hour. >> But wait, wait, wait, my employer. Why would you tell my employer anything about this stuff? I'm sure why they need to know about this. I mean, are you serious here or you just playing with me, mate? I seriously don't feel like

playing. They need to know if they are employing someone under investigation for financial crime. >> Hang on. I'm saying I don't feel this is right. Okay. And what the hell my employer have to do with this? By the way, >> sir, this is a serious thing. So, first thing it's not. >> I don't have $4,800. I haven't been paid yet. That is all my money. Is there a payment plan or something? I'm still not sure if this is even real money. secure at least $2,000 right now or I escalate this to ASP. You have >> that's number two. All right, let's keep going. >> This is Eric calling from the health benefit center. I'm reaching out to

people in your area to check if you might qualify for some new federal program. >> This is US deployment to US. >> Are you currently on Medicare? >> Who's calling again? Did you say health benefits center? >> Yes, ma'am. We work with licensed providers to help people access additional benefits, dental, vision, prescriptions, even transportation in some areas. It's a quick eligibility check. Are you on Medicare right now or something else? >> Oh, Medicare sounds right. I think I still am unless something's changed and they forgot to tell me. But sorry, what was your name? >> Eric. Eric Thomas. This will only take a couple of minutes. I just need to verify a few details to

see what programs you might qualify for. >> Mhm. And how did you get my number? Just curious. >> We use a federal database of Medicare enrollies. Uh, your number may have been included as part of a >> got the gist of it. All good. Number three. >> Let's play it for another 15 seconds. Maybe >> it's just eligibility verification. >> What's your zip code so I can check what's available in your area? >> My zip code? Oh gosh, you're really putting me on the spot here. Let me think. I moved here a few years ago. It's 48322. That's still Michigan, right? >> Perfect. Yep. That's West Bloomfield, right? >> Wow. You know your stuff. You must have

one of those fancy maps in front of you. >> Now, if you scroll down the page, go down to the third page. Go to the third page. >> Yep. I see account charges here. >> Which which section you mean? Data plan. Do you see it says account charges for this bill? Do you see that in the blue? >> Yeah, just go down. >> Yeah. Go to the third to go for the third section where it says Octus phone summary. >> Spotted it >> or internet summary. Do you see internet summary? >> Scrolling. What? Just stop when I see map. summary. >> Yeah. >> Go scroll down. You scroll down, you see internet summary. >> Yeah. Uh there's a gray box.

>> I think this one was went went for about 56 minutes. >> And just below internet serum there is a gray box where it says your service plan. Do you see that? >> All right. You got a gist of this one? agree >> and I'm here to call you to guide you ahead. It's basically a CFD training platform where you start and you start trading. We give you a senior account manager and a portfolio manager who will be managing your assets with you. >> All right. Um just checking what was sterling edge again trading what exactly? >> Sterling edge there will be trading CFDs commodities and dice in stocks. >> Sorry. Um, CFP's meaning I'm not too

sure about that. >> Contact with differences. >> Uh, okay. So, do I like just buy the shares or is it something else? >> Yeah, basically that. But the thing is we don't just have share markets. We have commodities in D foreign exchange. All right. What basically happens is you make a investment, small amount of investment, let's say $200 or something. All right. And after that, you start your training process. We provide you a senior account manager, a portfolio manager that will be managing your assets and he'll be trading and taking you ahead in your trading process. It's very simple. >> Ah, okay. Um, so just so I get this $200 is like >> is that a startup thing?

>> All right, you got it as well, right? So keep that in mind. >> The loss would be a very small percentage which means the other remaining >> I think we'll play this one as well. That's the last one we'll play. would um potentially cover for those small losses that you even make. >> Okay. Right. So, is the is the uh software running on my phone or >> um it can work on any um device you have? Um it can work on the phone, >> but I need to uh install updates and such. >> Mhm. Service and disposal, you know, always access the market. So, am I signing anything or >> this advisor? Yes. Now, this advisor um would only get

a 2% commission off of any profit that you make. The larger sum of the 88% will be going directly into your account and it's yours. Um you can choose to do with it whatever you like. Maybe you like to reinvest. Maybe you like >> All right, you got it right. So, we'll come back to the results in a minute. Hello. I am >> um before that >> could you what I want to do is and I'm assuming everyone in the room is adult here, right? Please raise your hand if you're under 18. Under 18. Oh, >> am I might I get you to You're not Are you under 18? >> Oh, there was a question. No, no. I was

asking whether there's someone in the room under 18. So if you don't want to hear some French just right now, please leave the room for just 30 seconds if that's okay. Otherwise, you're consenting. So obviously, as you would expect, right, like as you could see, some of these scammers get really super frustrated. And very often than not, right, um, after 50 one hour of nothing happening, the scammers get super frustrated at us and they leave us with stuff that we celebrate. And I think we are the only company in the world, and I truly mean it, that keep track of the number of f-words that scammers shout us at us. We have we have literally a a a an entry

for that and we have a milestone like objectives and it's actually part of our OKRs. I'm not kidding you. So, I'm going to play just one example of that. Um but yeah, I think I think we're about I don't know uh is is one of our Apache teams members here? Not today. I think we're about 5 million or so and we're hitting towards the 10 million by end of the year. That's where we're we're trying to get to. Have a listen. And this is >> Could you repeat that? Uh, are you that sir? Are you because you >> Oh dear, that sounds a bit intense.

>> I see you frustrated. We're talking about something else. Help.

Yeah.

>> All right. I think we'll park it there. Um, it's interesting like you know scammers get frustrated and they keep shouting and like swearing at the bots while still referring to them as sir or you know which is super super interesting. Um, all right. We'll park it there. Um, all right. Raise your hand if you think number one was a real person or a bot. Number one, no one is convinced. Wow. >> Was that >> you mentioned that? >> Yeah, that's true. I gave it away. That's true. Um, raise your hand if you think number two is a real person. Oh, okay. Okay. Interesting. All right. Okay. You sure? Okay. Giving you a second chance. I've got one. You

sure not? I mean, you've got only one vote. All right. There's a party swagger for the winner. So, you sure? No. No raising. Okay. Number three. Okay. Shy hand. Yeah. Yeah. Okay. Give you a vote to that one. Two. Okay. All right. Uh, number four. Oh, I've got many here. Two, three, four, five, six, seven, eight. And I did I play the number five? No, I didn't. All right. So interesting. What what do others think? Right. Are all >> So what's your vote? Right. You're non voters. What happened there? >> All AI. Who said all AI? Okay. All AI. >> Actually, you're right. So they were all AI, right? They were all bots, obviously. Um and yeah, so one of the

big reasons why we're not having any of our favorites and we're not really and I'll talk a lot about it, right? Hopefully if I have time, um um we are not trying to give to make them uh fingerprintable obviously. So every single time a bot is connected um a scammer is connected to a bot, they end up having they end up talking to you know a very very unique persona completely unique in the sense that it's a new voice. It's really like a new attitude. It's a new emotion. new strategy. I'll talk about strategies of the boss. Some of these conversations that we've heard um you know some of them giving away stuff, some others

really being very very uh skeptical about the conversation, others are a bit more cooperative and so on. They're all part of nonperfined roles that they're playing. So they come up with this on the basis of some strategy that they're playing on the fly. In fact, I'll I'll I'll tell I'll talk a little bit more about it. All the bots compete against each other as these conversations are happening and that's essentially um part of the reinforcement learning modeling that we push to them. They compete against each other for a particular objective or mission. So let's imagine that a fleet of bots mission is really to maximize the duration of the call and there could be many more objectives to

that and we'll talk a little bit about it as well like for example giving away the credit card. But let's imagine that it's really about maximizing the duration of the call. Every single time a bot finishes a conversation, they compare their performance against all the other fleet right in that particular deployment. And they compare, let's say, to the average of all the other bots and how they performed in terms of duration of the cop. And if they give if they if they essentially perform better than the average of all the other bots, they go, "Good bot. Well done. Give yourself a reward." But if they done less in terms of duration of the call, they go, "Bad

bot, bad bot, you've been stupid. Strategy next time." So we keep the bots really going and coming up with new strategies every single time. There's a bit of a very very important nuance in the way we do this. And this is unbelievably clear, like unbelievably important, critical. We don't systematically reward the bots and we don't systematically penalize the bots. We give them probabilities essentially for them to be rewarded and for them to be penalized and the bots don't know whether they've been rewarded or whether they've been penalized and there's a whole theory behind that um that I'm happy to talk a little bit more about later maybe offline actually. All right, so let's keep going. Now we started

really this with the voice bots, right? But as you could imagine um and here it's really about the multilingual and some of the deployments and these num like these bots um you know this slide is a bit outdated. I think currently we've got we've got around 30 30 plus different languages across different countries deployments. Dialects is also super super important. Some deployments we have in the Middle East we play around 18 different dialects actually for bots um to have. So there's a lot of customization that happens there as well. But um yeah, >> this was for like the different the different languages. So a little bit here for the infra people in the room potentially um and

and then I'll talk about other voice other other bots, not necessarily only the the voice. So we have different ways of deploying these bots, right? The very popular one amongst some of the partnerships we have with the Telos is obviously the SIP redirect one, right? essentially pretty much what I showed you earlier in in that view where they detect and they block scam calls. All they have to do there is once they know that this is a real scam call, they essentially redirect it to our SIP trunk if you like, right? And this is where our bots take over that conversation. Very important to realize that Telos do block calls in two primary ways, right?

Like two very big categories. Number one is deterministic approach to the scam calling and scam blocking the firewalling piece of it. This number two is a very probabilistic approach, statistical approach and the deterministic one is something that very I think very actually like many of us would know we expect right that this kind of blocking and this kind of approach to scam blocking and firewalling is happening through patterns and trends and that's very true right firewalling happens really very generally through these statistical approaches where if I receive a call um if I keep receiving like thousands of calls from a single um from a single trunk that's probably really huge indication that behind that trunk there

is really a scammer and let's say within a minute you receive like I don't know 250 or thousand you start blocking them right and that's that's the sort of statistical approach you can take but actually a much more basic way of doing it and it's really kind of rolled out probably in every single telco in the world is this idea that deterministically you can tell very often that this is a scam or not Think in terms of unallocated numbers. Scammers really spoof heaps of numbers and like I said they're on auto dialers. So very often they actually cut across some of these prefixes or some of these uh bulk of num of of of um of caller ids

prefixes where it's really unallocated. So the telco knows that these numbers are not supposed to be placing calls anyway because they do not exist in any of their networks and in any of the other telos networks. Right? Too easy. That's a scammer. The second one is what telos call. They do not originate from calls. So these are called DNL lists. They're not supposed to be placing outgoing calls anyway. They're just on the receiving end. And everyone knows that. But the scammers and when they spoof those numbers, obviously the telos gets them. And these are very often in our deployments the ones we receive. And that's really very important for us because these are categories of fire

firewall blocking that enable us to have less false positives when we're redirecting these calls to bots. And we'll talk about false positives later by the way if you like um because we detect some of these false positive and we feed that back to the to the telco. So we help them a lot with their firewalling performance as well. The first piece there that you see it's called honeypotting. And that's one of the ways that we also deploy our armies of bots when we don't partner with telos and we partner only with you know banks for example to extract the intelligence. And for that it's very simple. So we provision thousands and thousands of numbers to our bots. They sit really as

actual customers of telos in any country if you like. So they'll be just like you and I, right? They'll be just on the receiving end of scammers calls and they'll have their numbers and they'll start receiving those scam calls and they report on those and they obviously engage scammers. And the third one is really very very sort of not my favorite one and we do it only in very very special um conditions which is crowdsource. So like you know customers sort of reporting phone numbers that are scammers and when it hits a certain threshold you know the telco starts redirecting those calls from these from these numbers to our armies and to our fleet. Um so a little bit about beyond the

voice. I talked a lot about voice and Apache voice text is a very important part of what we deployed and so very much the very similar sort of uh approach and modeling to this conversational AI is really what we deploy these armies of bots on channels like WhatsApp, Telegram and they receive and they essentially infiltrate these WhatsApp and Telegram and signal uh uh groups and and and scammers groups and they engage these scammers at scale. So currently I think we serve roughly about 130,000 different scammers. We serve, it's funny way of putting it, but we engage with 130,000 scammers on a daily basis on these platforms. Uh so there's armies of bots out there kind of

having conversation and extracting intelligence from them. I'll show you a little bit what that means. Um and it's, you know, it's pretty much like the same sort of approach to that except that we're not here to waste their time on these platforms, right? That doesn't make any sense. Well, you could argue that it does, but the main mission of the bots on text platforms is to extract intelligence. We call this active extraction. And so the bots strategies and the bots thinking is very very different there. They are after extracting things that would dismantle the operational infrastructure of the scammers. Think in terms of scammers accounts. Mule accounts is unbelievably important for the disruption teams of

the banking. Right? So ideally what you'd like to have and an ideal scenario what happens is that the bot engaged with the scammer scammer is really kind of trying to get them into some sort of scheme let's say an investment scheme and ultimately what will happen through that conversation after 40 50 turns. the both started to be convinced that they're okay to invest and they will go okay you know drop me your BSB and account number and I'll essentially transfer the money and I've got 200 to start with or 2,000 to start with whatever depends right I mean like the bots are sensing how eager and how keen and how greedy the scammer is and

they'll play a little bit with that number right that's that's pretty much how it will turn like in terms of modeling but a winner a bot that wins on that conversation is a bot that essentially extracts mule accounts, right, that we feed back to the to the telco. When we partner to the bank, when we partner with crypto exchange platforms, we're obviously a lot more interested in the in the in the crypto wallet addresses, right? So, some of the conversation routinely extract five to 10 crypto wallet addresses from one particular scammer and that feeds real time, you know, to the crypto exchange platforms, the ones that you have in mind right now. And that's essentially

kind of becoming a feed of an intelligence feed that they keep on watch list so that other real customers don't fall for it, don't transfer their their crypto to those wallets. Um, and this is this is this is essentially I think something that went public. So I'll talk a little bit about it. This is pretty much how we uh what we how we deploy with Commonwealth Bank. So um for for those of you who have who are aware of this the partnership with Commonwealth Bank is for them to deploy 20,000 of these bots on voice and I think about 200 200 bots on text on a daily basis at every given time. One interesting thing there to mention is

this idea that bots have assets. So they really have identities but they also have credit cards. Why we use that and it's really interesting piece of identifying. So that conversation that you've seen there, the bot will give away their credit cards. What will happen as soon as the as a scammer gets a credit card from you guys, they'll run a pre-auth right and and the way they run pre-author is generally on some of their very trusted merchants, right? So they sometimes they happen to run pre-auth on Google or on some on some Amazon platforms. Nine out of 10, they'll actually run this on some of their dodgy merchant accounts that they are trying to to

literally use later on to run whether you've got enough balance or not. And that's a very important asset that banks are interested in dismantling in finding out about so that no one really buys stuff or like interacts or transacts with these dodgy merchant accounts. So, as soon as the bot essentially gives away that credit card, that triggers an alarm in the bank because that pre-auth happens and we feed that intel back to the to the to the bank saying, "Okay, the bots's mission has been achieved. You better really go and check because you've got a new merchant merchant ID that is out there that you should really keep your customers away from." Um, a very important piece is what we

call the uh the insights. Um, and I think this is an interesting one for everyone in the room here that is really interested in this idea of command and control. So the way we operate our bots and the way we really provision this to our customers is around what we call this command and control piece where basically we gave them the possibility to command and literally send away those armies of bots on a mission. So they can go there and like they write stuff like hey I want the bots to be on the hunt for every executive profile of my bank that's being impersonated and every single time there is a scammer impersonating um you know chief

economist of NAB right I want really the bots to go and engage pretending that they are falling for that scam and they'll engage and essentially find out what's happening there and extract the mule accounts so they shut down that particular scam campaign that is running against that that brand right or that that um Dutch bank um and we run this in a very very sort of intuitive way. So all of this is really kind of hey launch this armies of BS I want this part of the fleet to be doing this and the other army to be doing this on other platforms etc. So I won't spend too much time on this but literally that's how we do it

and there's all this part where you'd like to investigate networks of scammers you know the ones that are really connected to each other um we enrich that data in many different ways. What I want to spend some time on though and I promise next time you come to me I'll show you some of the intelligence that we have across different different um uh uh parts. What I want to spend some time about is how does this work right? I talked a little bit about reinforcement learning right which is this idea of penalizing and rewarding the scam the the bots that do do well. But I want to talk very very briefly about um the context. So every single time a a

scammer rings a bot, the bot essentially starts with potentially tens of thousands of possible context about how that conversation is going to run. Right? The first couple of turns they'll be reducing and they'll converging that probably towards handful number of possible context. And we build this across what we're calling hidden markov models as possible transition of what the conversation could look like. Right? Everything here is probabilistic. the bots are not quite sure about anything. They're just assuming that the conversation if it starts talking about let's say tech support should run in this particular way, right? They have no idea that you know how the scammer will evolve. They keep refining these probabilities as they as they take these

conversation as they listen and they and and um and receive this the scammer's turn and they keep refining these probabilities because what they want to do in a in a perfect world if right for example their their mission is to maximize the duration of the call they want to maintain the status of that conversation to the first stage of that conversation right which is let's say the greeting spot. So they'll go and loop around so that the probability of the greeting spots is like maximized. Obviously they'll fail that because the scammer will evolve towards the next stage which is like you know setting up the scene and the the of the script of their tactic. What they'll try to do is

to bring it back. But if they deem it to be super too low of probability to bring you back to the previous stage, they'll try to maximize the duration of that second stage. It keeps going like that, right? But hopefully it gives you an idea about how they're operating. Um, I think I'll park it there and I would love to take questions because I'm I'm aware that I'm way off time, out of time there. Um, yeah, I think we'll park it there. Um, I'm I wanted to talk a little bit about the the infrastructure side of things and you know the delay that you've heard here. Um, and I'll keep you I'll actually leave you with this technical

note which is an interesting one. So we humans interact with each other in a conversation assuming that any single time we speak to each other there's 350 milliseconds of delay for you to hear back after you just spoke right so if I start speaking and then I stop for more than 350 milliseconds you'll find that awkward and so that's a challenge we had to crack in the conversations with bots right because literally we didn't want them to be replying to scammers beyond that 350 milliseconds. It's a massive technical challenge that we tracked and I'll tell you a little bit of a hint about how we've done this and you probably have listened to this in the audio clips. So we humans have

tips and tricks to do that. So if I ask you a question and you have no answer to it and like you have to you have you know to find the time to think about it to make the conversation look less awkward. What are you going to do immediately and naturally? you'll start saying uh I think ah I know you know stuff like that right disfluencies they're called and that's pretty much the sort of things that bots will imply or try to deploy there so some of those little laughs that you've seen there that actually are just made for the for the bots to think about what's next what's their next best move would look like um and obviously they have to

be very very contextual right if you start laughing out of context well that's dodgy Right. So there's there's a little bit of what this fluences needs to be played. All right. I'll park it there. Um and I'll take questions. And thank you so much everyone for coming today.

>> Time for two questions. >> Maybe two questions. One question. >> I think that's very interesting talk you had. And um if if we imagine a scenario where scamsters are also using bots so it'll be like a bot against bot. I'm sure scamsters are already trying for that. So what will be the scenario in that case? What what do you think about that situation? >> Yeah. So bots bots versus bots is actually something that we already see right. Um in some of the deployments we have here in Australia it's a bit less on the voice side of things. In US deployments, it's 40% of the calls are bots versus bots, right? And we immediately detect the fact that they

are bots. They're not as sophisticated as you think or you may think yet. But in a in a world where there is bots versus bots all around the place is a world where I'd love to be. And I'll tell you why. Because if scammers start really to using bots and we kind of welcome them with an army of bots and so it becomes really like bots scamming bots and a patty bots counter scamming bots. That's a world where you and I will be immune against all this activity. So humans will essentially be really sitting under that shield where bots are fighting each other and we collect intelligence right from those conversations between bots and that's

still really intelligence that we can use for humans to be aware of things or we currently see it already.

You can shout. You can you can just I'll repeat the question.

people are able to buy some of our meta data from Google Maps because we have it all on our phones. So, uh because yeah, if you receive an an Amazon call and you don't even have Amazon, it's like, okay, what you telling me? that if you just made a purchase from Amazon, you are more likely to >> Yeah. So, so scammers play that game of like very casting very very wide nets, right? And that's really their their game like they have really numbers game, right? So, think about it. They're really kind of making calls by the millions and among those millions probably thousand will get through as in like the perfect scenarios. No, it's not

just numbers because it appear on the I think on ABC news or one of these articles that they actually uh sometimes know who to target. >> Oh yeah, that's a targeted that's that's pretty fishing piece of like very targeted. They're calling you because they already fished information about you. That's very targeted. We don't we don't >> play in that piece if you like. Right. So these are like pretty much very dedicated fishing part of the exercise. We're after those ones who are casting wide wide nets. Right. So we we don't see that context. What a good question though. >> Yeah. Um and if I have a last question the the same thing that you have like

this army as boss to get after the scammers. Uh they could actually be doing the same thing, right? To overwhelm your defenses. >> Yeah, that's the question here. And I think yeah, the bots versus bots is a question that I think we're seeing already. Yeah. Thank you. >> Can we please have a huge round of applause for Professor K. >> Thank you. Thank you. Okay. Consider it.