
The Biggest Cons, And Why They Work - Sarah Armstrong-Smith

BSides Bristol · 2025 · 42:39 · 15 views · Published 2025-01

Morning all. The people at the top, if you want to come down there's loads of spaces. Um, I've got to be careful because I keep being told not to move around too much. I've got to be told to stay in this lane, because normally I work, I walk the room and do all the kind of things. Um, so my day job: in essence I'm Chief Security Advisor at Microsoft. So what's one of those? My role in essence is to leate of Microsoft's largest enterprise customers across Europe, so what's keeping them up at night. Um, in essence I'm also the author of two books. This is actually my second book. Um, my first book was

Effective Crisis Management, um, which is really looking at some of the biggest incidents that we've had over the last 20 years and really questioning how bad does it have to get before we make an effective change. So this book, my shameless plug, Understand the Cyber Attacker Mindset, was actually released in March. Um, again, shameless plug alert, uh, also at number one, um, on Amazon, uh, best sellers list for computer security in the first week, uh, of launch. Thank you. Uh, so why, what is it in essence? So when we think a lot about cyber security we always look at it from a technology perspective, like, well yeah, hang on M, you work for Microsoft, it's all about the

technology. But actually what we really need to think about is there's a million and one ways in which I can attack you, so phishing, malware, ransomware, there's all these kind of things, but actually there's only a finite reason why I would want to attack you, and that's really what this is trying to get to: it's understanding the humans behind the attacks, why they do what they do and what's their objective in essence. So part of that, part of the book is also looking at a number of case studies, there's activists, organized crime, nation-state actors, insiders, and really kind of looking at those different motivations. But really what I want to talk to today, so biggest cons and why

they work, and they do work. So when you're thinking about social engineering in particular and, uh, manipulation, I need you to do something. Um, whether that's I'm trying to get you to open an email, I'm trying to get you to download something, I'm trying to get you to transfer money, whatever the case may be, there's a level of manipulation behind it. So I'm going to kind of start with, in essence, the kind of a Nigerian prince, and we're going to really dig into this. Now for everyone in this room who either works in security, has an interest in security, studying security, you'll look at this and go, this is the most stupid, most ridiculous emails I can possibly imagine,

how on Earth does anyone take any notice of this, ridiculous stories and how they kind of come up with these things, how on Earth do they extract any money from these ridiculous emails? But actually they do work, and I'm going to tell you why they work, and I'm going to be digging into, I'm going to do, there's some maths, there's some science, there's some psychology that kind of sits behind it. Now actually the Nigerian prince email has been going on for quite a number of years, but its origins kind of go backwards to The Spanish Prisoner. In essence the Nigerian prince, The Spanish Prisoner, these are all examples of advanced payment fraud, so in essence I'm trying to get you to give me

some money on the pretense I'm going to give you something even bigger back. So the whole thing around The Spanish Prisoner, you go back a couple of hundred years, so Victorian pub, and you, when you have to do fraud back then there was no computers, you have to do it in person. Now the interesting thing, I actually interviewed an ex-fraudster and they said you need to have a lot of balls, let's say, um, to do a fraud in person, right in front of someone's face, um, rather than doing online, which we see it, when you don't actually see the victim. You're still manipulating them, but doing it right in front of their face really

does take some effort. So The Spanish Prisoner in essence is really trying to tell people about this rich aristocrat in Spain who's been wrongly imprisoned. He's a massive billionaire, he has all this money, and in essence what I need, what I need help with, and I'm going to need a favor from you: if you could just give me a little bit of money to help get him out of prison, to get him some, some help, some, a lawyer, whatever the case may be, and if you can do that for me, just give us a little bit of money, when they're out they're going to give you a share of the fortune. And this in essence has continued to build and grow

over the years. You've got fraudsters, swindlers, snake oil purchasers and peddlers, and this is the whole thing, is I'm trying to convince you to give me something of yours and in return you'll get something back. Now the interesting thing when we think about kind of the stats in the UK, so this is an amalgamation of every single police force in the UK, and what's interesting is over half of crime in the UK right now is cyber and fraud related, and that's a kind of really frightening, but only 1% of the police force is actually allocated to deal with it. And when we kind of look at kind of where, where these kind of things stack, so we've got

online shopping and auction. Advanced payment fraud, there we go, um, is actually the third most reported crime. Now again, just caveat that: reported crime. Now you imagine how many crimes, particularly cyber crime, fraud, does not get reported to the police. And there's again, there's a rationale for that. If you feel like, oh my goodness, I've been duped, I willingly gave them that money, they didn't even have to steal it from me, I gave it to them, how stupid am I, I'm not going to tell the police, I'm not going to tell my bank, I might just write that off, unless it's a huge amount of money and I don't have a choice. So actually that number

and the fraud number is probably hugely a massive up than that. So I want to kind of give you that context in essence. But even when you think about how much money, 2.1 billion of reported cyber crime and fraud in this country over the last sort of 12 months, kind of what's going on? So we need to kind of look at that psychology, if you like, the psychology of persuasion, particularly when we're talking about these advanced payment frauds. Now the interesting thing, there's a kind of a number of different things. Now when we kind of think about, um, again when we think about wording of emails, uh, phishing emails, spear phishing emails, whatever the case may be. Now reciprocation

is kind of the oldest thing in the book. You may have had quid pro quo, a favor for a favor. In essence that is exactly what we've been talking about, this is exactly what's been going on for the last hundreds of years. And kind of thinking again in that modern era, you might be given a discount code: if you click this link I'm going to take you to a new sign up for this thing and I give you something back in return. This in essence is one of the biggest areas of persuasion there, like, that's you, I'm going to get something back by doing something for you. The consistency is I do it more than once. If you get multiple

emails or multiple messages or engage in a conversation, you start building trust, you start building rapport with those people in particular. Now consensus really kind of comes down to the fact that if there's someone you, I've given someone a message from somebody who I quite like, who, who's trusted in the world, maybe it's a charity or something like that. So if I pretend to be a charity, well, let's say something really bad's happening in the world, there's lots of wars going on, there's lots of famines, and I'm collecting money for the needy and the poor, um, and people naturally want to give, uh, in particular. Love, liking: if I like you, um, a friend or a family member

in particular, I'm more than likely going to do something because I trust you. This is why they break into your social media accounts, this is why they then connect to all of your friends and your family, or they pretend, um, to be a family member on WhatsApp, whatever the case may be. So the authority really then comes down to someone in seniority. Now this could be a government official, particularly when you get that warning to say you haven't paid your taxes, or I'm the police, or whatever the case may be, and if you don't do something, something bad is going to happen to you in return. So again, something good is going to happen, I'm

going to give you some money; something bad's going to happen, I'm going to arrest you, you're going to get put into prison or whatever the case may be. But someone in seniority asking you to do something, you're more likely to do it. And there's scarcity: it's a one-time offer, you want this big discount, and if you want to get this money right now you need to do it by Friday, because by Friday the price is going up or the offer is no longer there. People panic, because people like a bargain, people like special services, um, particularly when you're thinking about that kind of quid pro quo as we were talking about. So these are the kind of all the things

that are going on in the background, how enticing you. I could use more than one of these, that's something to be mindful of. Now I said there's a little bit of math and a little bit of science, uh, behind this. Now this, people are not really aware sometimes that Microsoft actually has a research facility, um, so we've got our technicians, we've got scientists, and they're really trying to think about some of these big world problems, and I'm talking about AI in particular, or quantum, so what is the kind of repercussions of some of these things. And so naturally they write a lot of white papers. We're in a university, you're probably seeing all of these

things. Now I have read this, it is quite in, it's, it's quite hard going if I'm honest. There's quite a lot of formulas, believe it or not, some formulas behind the Nigerian prince. Now for you guys it's going to be kind of too long, didn't read. I'm not going to print this out and expect you all to read it and do a quiz at the end, so I'm going to tell you exactly what it says in a roundabout way to help you understand the why these big cons work as they do. So the first question we have to ask ourselves is who to attack. Now being in cyber security you, you're used to this whole true

positive, false positive thing. I'm, in essence a true positive is I've attacked you in one way or another, I've done all this social engineering, I've manipulated you, you have handed me your cash, data, assets, whatever it is that I need. Now the false positive, if I still attacked you but I got nothing from you, and that's a kind of a bit of a waste of time from my perspective. How much effort am I prepared to put in? Therefore this kind of brings us some of these dilemmas, is how do you actually distinguish between the viable and nonviable in particular. I kind of, attacker dilemma number two is how many victims do I have to go through

to, 100, thousands, hundreds of thousands, before I get that one payout, and what does that payout look like? So I then have to kind of think about how am I going to work this out. Believe it or not, there is a formula behind it. So how to attack, attacker dilemma three. So we're kind of sort of seeing a lot of the objectives of some of these to put malware onto your devices. Now most malware isn't that clever to actually be able to extract any cash from your bank accounts, so i d is how do I actually go to the next level in essence. So yes, I can steal credentials and I can do all these

phishing emails, and so we have access brokers. Now they're actually going to do a lot of this donkey work, particularly if I'm trying to attack a company, but actually it's expensive. Even when I have, I've got to have all of these scammers, I've got to have all of these attackers, they kind of want to wait, so I'm not going to do it for free, I need to know at some point I'm going to get it payout. And even when I get that, that money, what am I going to do with that money? Because I need to kind of actually do a little bit of money laundering, because if I just put that money in my bank account

people are going to notice, people are going to start asking some awkward questions. And so I really need to kind of think about therefore, um, who am I attacking and why, and is it a good investment decision. Well, this is where the, the paper gets into the math and the science, and so you've got kind of n number of users, whatever that n is, and I'm trying to extract how many of those are viable in particular, and I don't actually know if they're viable unless I try. Now, days of old, if I'm doing it in front of your face I can probably hazard a guess how engaged you are in, I'm actually having a conversation, I'm

having a conversation with all of you, I can actually look at all of you combined and one of you may actually go to the next level. But I don't know that, do I, if I'm online. I have no idea who any of you are, and so I kind of have to kind of figure it out. Now I could do some background checks on social engineering, maybe some attackers might actually do that, so I want to know who you are, where, country you're in, have you got any money, are you worth attacking. But actually rich does not mean viable, and actually if you're quite rich, depending on where that money got, you got it from, you're

probably quite savvy as well, I would have thought, in terms of investments and looking after that money in particular. So for me to be successful it's not just case I know you have money, I actually have to extract it from you, and this is the way it gets very complicated. And so actually, yeah, I could get malware onto your machine, but I still need to get money out of it, so it's not an easy task. And so this is where it gets a little bit more complicated, because that's a false positive: I have wasted a huge amount of money and effort to get this malware onto your device 'cause I think you've got some money. Now what? So this is kind of

where we then need to take it to the next level. So I now need to think about optimal operating profit, because everything has a return on investment. So I have to have this balancing act between how many people I attack, how many are the viable, how much money do I extract, is it even worth my time. And so I have to get better at classifying who's who and who's going to give me some money. So actually it's not just enough that you've got a, that you have money, uh, I need to go to the next, uh, next level, I need more than one variable. So not only do I need the fact that you got money, you've got a particular

vulnerability, I can get onto your device, I can move the money, I can kind of do all these things. Oh my God, that is a lot of work, particularly if I don't have a lot of money myself. Now this might work if I'm going after a big target, like a company has lots of money, but I don't have a lot of money and investment to go out with, so I need to figure out what I do next. And this is where we get to the interesting part. In essence this is the litmus test, this is how I go about extracting the viable and nonviable. I'm kind of talking about the Nigerian prince in particular, and some

of these countries, some of these African countries, they don't have a lot of money, so the average, um, take-home wage is significantly less than the UK or any Western entity. So if I'm a budget constrained attacker, I'm not a nation state actor, I'm certainly not an organized crime, uh, what am I going to do? And this is where the Nigerian prince email comes into a world of its own. This is the qualifier, if you like, for the budget constrained attacker. So the last thing, let's go part one. So the first thing is the red, I need to weed some of the first round out. So if I'm a scammer, and you all know about the Nigerian

prince emails and how ridiculous they are, why would I actually say I'm from Nigeria in that email? Why would I make it more convincing, if I'm trying to get you to extract some money, why wouldn't I say I'm from Switzerland or somewhere a bit more trustworthy? Doesn't make sense, does it? If I'm, you know, why would I make up, why would I just say I'm a different country altogether? You kind of think I couldn't pick a worse country if I'm trying to actually scam somebody. But actually stupidity is not the answer. As we said, these people are very, very good actually at extracting money. They understand the English language, oh, very, very well, they

know the difference between English and American English in terms of their spelling, um, and they know exactly how to launder money, um, in particular. So you know, why would I come up with something so ridiculous, in essence? So the actual Nigerian prince email is on purpose. Now do you remember when we used to tell people what to look for in, in their emails, that poor grammar, bad spelling? That is on purpose, by the way. That is not because they're from an African nation or a different nation with a different language. They want you to think that it's actually somebody from Nigeria who's sending you this email, so the bad grammar is done on purpose to get you to

think that that person, that person is actually real. So okay, so the next goal. So I need to attack as many people as possible, why wouldn't I make the email as convincing as possible? Why wouldn't I just go down, you know, just have it so ridiculously stupid, just, I'm just, something easy. We have, we see all these gift card scams, we have a, you know, I have a parcel for you, just give me 2 and come collect your parcel, it's 2 to 3, that's nothing, but for somebody living in this country where it's not a lot of money, I do that multiple times over, I'm going to clean up. So why don't I just do that? Doesn't

make sense, right? So this is why I need to get to my operate, my optimal operating profit, and the labor intensive is not just a case of I send you this email, actually the real work happens when you respond to me. Now most of us, as I said, in this room, we get that email and laugh, show it to our friends maybe, or just delete it and go, what a load of, um, can't, again, can't believe people are falling for this stuff. Um, and so this, we then kind of think about, again, how do I engage someone in this conversation, how do I know where the true positives are versus those false positives in particular.

This all comes down to the wording of the email. So the goal of the, of a Nigerian prince email is not to attract the viable, is to attract the nonviable, detract the nonviable in particular. So how do we do that? So in essence, uh, the whole purpose is how do we need, I need to identify the most gullible, stupid people in our whole environment. Now I don't know that just by looking at you or looking at you online or social media, kind of need you to self-identify in essence, and in essence that means when I send you this ridiculously worded email, whatever that is, you respond to me because you believe it. Now the interesting thing, again, we

have another group within Microsoft called our Digital Crimes Unit, um, and this is where we do mass takedowns of fraudulent sites, um, fake domains, all this kind of thing. And then what is quite interesting is a lot of the people who kind of fall for these scams are not interested in the money. It's not about the money, they actually feel like they're helping somebody, they believe the sob story behind it, and it's that story in particular that reels them in. So let's have a look at some of these definitions of gullibility, tell me what you think about it in particular. They're easily persuaded, they have a lack of will, experience, critical thinking, they trust people beyond doubt. Some of these

people might also be quite religious, so they're actually taught that we should trust everybody no matter who they are, no matter what's been said, and if they have a really difficult situation, I just want to help you, I really just want to help. Now the other problem we have as well is imagine how many people have been distraught through a relationship that's broken down, they no longer trust somebody, where they desperately want to be in a relationship again in particular. So some of these are easily deceived, they're tricked, they have low self-esteem, um, they have a tendency, they want validation, they want friendship, they want to have this conversation with people, maybe they don't have a lot of

experience in particular. So this is that gullibility that they're looking for. But I really would challenge you, in essence, that actually these people are not gullible, they are vulnerable. These are the most vulnerable people in our society, and these struggles that they're having are real, really are. When something goes wrong, um, they feel guilty, they feel bad: I can't believe this thing went wrong, I want to be more cautious, I've been called out but I don't know how to be, um, I feel immature compared to you, you all know security, I don't, this is not what I do, I have never been in security, I've never been in tech, I don't know these things, and so I feel embarrassed, I can't

believe if I've been deceived. But I have a tendency as well to ignore those red flags and warning signs in particular. So what are they, what are those warning signs that we teach everybody else except the most vulnerable people in our society? So we have the impersonal greetings, we have the email from someone in seniority, that foreign dignitary, the promise of unrealistic amounts of money, flattery, safety: don't worry, or your money's safe with me, you can trust me, I'm a good person. They had that poor grammar and awkward phrasing that we were talking about. Now here's some examples of various different, um, varying degrees of them. This, some of these are a little bit hard to read, I'm going to

show you the one in the middle that literally ticks every single box. Um, we're looking at all of the things. So we basically have the impersonal greeting, the beloved friend. Now we don't in the UK introduce ourselves as beloved, dear beloved friend. Now if I'm going to enter a business relationship with you, I kind of think I'm going to want to know your name, you think I'd have done some research. And so they have this foreign dignitary, they're actually from the government, they, they kind of gone all of these different things. Unrealistic sum of money: I'm going to give you 20% of two, 4.2 million dollars, just by you put a little bit of money into a

bank, that's all you need to do, don't worry, but I'm going to give you kind of big sum back. This sense of urgency: you must respond without delay, immediately respond to me, whatever the case. Flattery: you're reliable and you're trustworthy, um, in particular. And, uh, we kind of have the kind of the religious thing, remain blessed and various thing like, as assurance of safety is a kind of, this is to help my education in particular, this is an investment, you're going to get the money back, don't worry. Um, and only normally have a little sob story about all of these things: my parents died, I'm such a, I'm so, I feel so down and so

miserable. Or I sign it by a woman, probably more likely to respond to me than a man. Um, but these are kind of the awkward phrasing: permit me of my desire into business relationship with you. They deliberately miss out some words so it makes you feel like this person is actually from where they say they are, um, in particular. And you're probably wondering, do they really make money from this, and how much money, uh, in particular? Oh, they do. Let me introduce you to the self-proclaimed billionaire Gucci Master, used to call himself Ray Hushpuppi, his actual name Raymond Abbas. Now Raymond, uh, in particular, grew up in Nigeria, that's his home right up there. This is where

the police found him in Dubai, because when you're making so much money, oh my God, did he make a lot of money, kind of people are going to notice when you're driving around in a pimped up Hummer. And they do, don't believe me, because they have celebrity status, they're making so much money, but they give back, they give back to their family, they give back to communities, so people don't really care you're making all this money, you're scamming these people, it's not in our country, who gives a, basically. And even the police don't care 'cause they're getting a little bit of a backhander as well, in until the FBI, again, you, you're kind of on our radar, you are scamming

one too many people in America or the Western world, you're going to have to do something about it. So let me tell you a little bit about Ray in particular, Raymond, Ray Hushpuppi. So he's making so much money he had to move to Dubai, and to make this whole pretense about how he made his money he pretended to be a property tycoon, and that's how he makes his money, you know, and he had 2.5 million followers on Instagram who all believe this in particular. So at the time he was arrested in Dubai there was arrest warrant from the FBI, 41 million in cash, 13 luxury cars, the email address of 2 million victims, $24 million of crime it

cost people in particular. Not only that, he got so good at what he was doing he ended up being a middleman for a lot of organized crime gangs, 'cause he got to be very good at money laundering, let's say, so good he even laundered money for North Korea. Ah, and so one of the things that he did, he escalated upwards the Nigerian prince email to business email compromise: I can make much more money if I attack a company rather than an individual, uh, in particular. Now this is kind of, this is, you know, this is this glory lifestyle, but, kind of, does it pay? Um, so in November 2022 he was sentenced to 11 years in a federal

prison. When you guys kind of think about, I just think about that for a minute, how much money they're making, not from gullible people, from vulnerable people. So therefore what are the opportunities for individuals, how can we kind of help them to help themselves in essence? So it's about learning about how to deal with skepticism, how to develop emotional resilience: when something bad's happened, what do I do about it, how do I bounce back. And so how do I develop critical thinking, this is about education in particular, and being assertive. And one of the most interesting things, believe it or not, how you stop this is your ability just to say no. Um, now the interesting thing, again, I

interviewed someone in my book who actually studies the language from romance scams, and what she was basically looking at is that the way it's l, the, the language, how they entice people, how they coerce people, so it's a, it's akin to domestic abuse, you know, with the language they utilize and everything else. It's very, very hard therefore to actually say no to these individuals. If you do say no, what happens next is the bit that's interesting, because if they do actually care for you, they are actually a friend and you can trust them, they will understand that you don't have money, you don't have the capability, you're not able to send them money, I don't have any money to give you. But

actually if they are a scammer they will push, push, push, push even harder, and they don't care that you don't have the money, go and get the money. So what do we think about as, as organizations? So it's sort of that, there's a lot of individuals, as organiz, when people on the reverse of the side of the fence, when they fall victim to some of these scams, what do we do? We first off, we need to stop that victim blaming, shaming and scapegoating. This all comes down to your culture. If your culture is that bad that when someone makes a mistake you discipline them, you put them on the repeat offenders list, you call them the bad stupid user, you

should have known better, why didn't you know better, why didn't you do all the things, first and foremost, if you're that way inclined, whatever I say next does not matter because your culture is bad. I just want, that's something to really think about with regards to your culture. So what do we do from an organizational perspective? Probably going a bit over time. Um, so the main thing is how do we reduce the true positives and increase the attacker costs in particular. Now some people have actually gone into scam baiting, believe it or not, they make this a actual job, they actually go into full-blown conversations and reel that attacker in, pretend to actually, to play

them at their own game, go through all the motions, me, email after email, message after message, month after month sometimes, and then they drop out right at the end, because in essence they're building up that cost to the attacker. So the fasting mes therefore: think like an attacker when it comes down to understanding the gaps and vulnerabilities and how they can be exploited, understanding human emotions and how they can be manipulated in particular. Cannot underestimate the impact of education in particular, or just the type of threats that we talked about, phishing, malware, ransomware, but how they get you to click that link, how they get you to transfer money, how they get you to build

trust at all levels. And we have to invest in technology, because we have to assume, taking into consideration the last slide, for the best will in the world people are going to get manipulated, happens to all of us at some point in our lives. And so when I do click the link, when I do do these things, this technology has to be the safety net. So I have to make sure I'm prepared that you're going to give a credential away, I'm prepared that you're going to download malware, I'm prepared that you're probably going to enter into a relationship that's going to swap out a invoice or a different bank account for business email compromise or one of

these things, so I need to build all those processes in in particular. And the kind of the last point that I will leave you with is empowerment. I need to empower people to say no, and that means also in a business context. Remember I said about seniority: I'm impersonating somebody who's pretending to be your boss, your boss's boss or the CEO, and I'm telling you to do it right now, if you don't do it right now there's going to be consequences, you're going to get reported to HR. And so you need to be empowered: I don't care if you're the CEO, that doesn't sound right to me, I want you to prove who you are and I'm just

going to go and check with my boss and boss's boss and boss, and if it's correct, remember, if it's really the boss they're going to understand that you need to check the processes, because they're the ones who put the processes in the first place, because we've got a good culture that checks these things and allows people to check these things. So that's an important thing, is the empowerment. Um, now probably I don't think we have time for questions. So five minutes? Cool, okay. So, um, then just tipped the, literally the top of the iceberg. This is financially motivated threat actors. Most of them are, and not all of them. Some of them don't care about money, they're

activists, they just want revenge, they want social justice. Some of them are nation state actors, no money involved at all, I just hate you, that's it, just hate you, just because of the country you live in, it's got nothing to do with you as individuals, you're just guilty by association, and so that's again something to be mindful of. And then we got the insiders, who have kind of got to the point they're so fed up with this company, the way you treat people, I've been watching you, the whistleblowers, um, with your bad processes and the scapegoating and the victim blaming and everything else, so I'm going to do the attack from inside because I can, because

I understand your processes and how bad your process. And so that in essence is the whole kind of pretext of, of my book. There is a book signing, I will be upstairs, but I, let's have some questions if you got time, you can cut them off as well if it need be. Yeah, questions? Oh yeah, please. At the data, is it getting worse or is, is it? Is getting worse, because the problem you have, as technology gets better and better identifying anomalies, particular, talk malware, blocking malware and all the things, why, again, we looking about optimal operating profit, why am I going to waste my time trying to get into your network when you're probably going to

stop me at the first pass second if I start laterally moving you're going to block me I got to do all the things and so unless I'm a persistent highly resourced actor it's a complete waste of time so actually what I can do is I'll do the social engineering now the interesting thing as well that you might be aware of already we've seen a huge increase in internal phishing so in essence when you talk again when you talk about how to educate people you're probably telling them to look for this is an external email you don't normally get an email from this person check the header just in case so if I'm a threat actor and I want you to do something I'm

going to impersonate someone in seniority remember I said in your company because imagine it's bonus time and you're going to oh you've done such a great work team well done extra special bonuses for you guys all you need to do is open this spreadsheet put in your credentials and it will tell you what your extra special bonus is now that in essence is putting malware into your environment because people can't help themselves it's like quid pro quo what's in it for me I'll open this if you give me some money and so the way it's worded and because it's from someone in seniority you naturally do it but you don't get any of those warning messages but I've just put a

phishing email to everyone in your company and downloading malware right in front of your nose so this they are going to that nth degree and that effort so yes it's going to get worse and this is why we need the education at all levels we really need to kind of think about V when I talk about vulnerable this is not just old people it's young people it's people with learning difficulties it's people who do not spend time online like us in security and so we actually need to us the empowerment people knowing what to do how to report things and I think the interesting thing as well is advanced payment fraud in particular people don't

even know it's fraud people just feel like I sent you money so how can I you didn't steal it from me I gave it to you this is misrepresentation it's going again it's one of the oldest things from law in particular because I fooled you I did not give you the facts and therefore you transferred this money I effectively lied we did and this contract that we had um and therefore under that law it is fraud so that's where the education comes into knowing that this is fraud how to report it and actually having sharing victim stories as well at the same point yeah yeah um so we understand the language they us using those to

so so yes so the interesting thing is actually we think about AI benefit of AI so we have seen some threat actors using large language models to refine the language in their emails so as we sort of said if English is not your first language how would I write this as a is I'm addressing an English person or American person even in a Canadian Australian we all speak English but we all have different cultures we all have different dialects so how do I can how do I write it in such a way so it's going to not just sound like it's coming from whatever country or whoever I'm speaking to that's going to get them to

think that I'm addressing it um but also then um how do I write it in such a way to get you to click the link that's what I need to do I need you to click this thing I need you to reply I need you to do whatever the next stage is so you use reverse engineering use the same large language model in essence to detect that detect the language the the the type of language the mannerisms of the language and what it's getting you to do does this look

suspicious it's a bit of both it's a little bit of both um in terms of um so let me give you an example 25% of all emails that Microsoft sees never sees gets anywhere near the recipient so we've already done the initial scanning of those emails um to first round if you like in terms of spamming and where the addresses is coming from of scanning the emails kind of where and everything else so we've already removed the first 25% the next round goes in and it all just comes a little bit comes down to the technology that's being utilized um so even if again I'm not trying to do an advert for Microsoft just an just an

example but even then if you were to click something inadvertently um we have safe links and safe attachments so it's all launched in a sandbox environment in essence it doesn't nothing actually launches into your environment and even scanning across the URL so this doesn't look right you know that kind of thing this is going to a different address so there's stuff that's built into the email technology that you whatever it is purchasing so there's that and then there's add-on services that you can also look at with particularly the AI where it's kind of look it's going to that fine level of granularity look down into that nth degree on some of the language mof I would I would

say you know you got to kind of think out people at different price points you know with your small individual 's a big massive Enterprise whatever technology doesn't matter if it's Microsoft or Google or whoever you need to understand the built-in capability first of all and are you actually using it because again I can never a stat if you like stats um so all the companies I'm talking companies now not individuals um of all the companies in Microsoft our customers um that have the ability to have MFA multi-factor authentication built in part of their service they've already paid for it only 26% of them have actually turned it on now that being said we are going to

default it on because we get into this we have it's already defaulted for individuals so if you've got Xbox or your own OneDrive or whatever MFA is already on by default it's not already on default for some other Enterprises but it's going to we are turning it on by default whether you like it or not fast question so um I if everyone give Sarah we're not going to have time for another question so