Rippling nabs $145M at a $1.35B valuation to build out its all-in-one platform for employee data

Big news today the world of IT startups targeting businesses. Rippling, the startup founded by Parker Conrad to take on the ambitious challenge of building a platform to manage all aspects of employee data, from payroll and benefits through to device management, has closed $145 million in funding — a monster Series B that catapults the company to a valuation of $1.35 billion.

Parker Conrad, the CEO who co-founded the company with Prasanna Sankar (the CTO), said in an interview that the plan will be to use the money to continue its own in-house product development (that is, bringing more tools into the Rippling mix organically, not by way of acquisition) but also to have it just in case, given everything else going on at the moment.

“We will double down on R&D but to be honest we’re trying not to change the formula too much,” Conrad said. “We want to have that discipline. This fundraising was opportunistic amid the larger macroeconomic risk at the moment. I was working at startups in 2008-2009 and the funding markets are strong right now, all things considered, and so we wanted to make sure we had the stockpile we needed in case things went bad.”

This latest round included Greenoaks Capital, Coatue Management and Bedrock Capital, as well as existing investors including Kleiner Perkins, Initialized Capital and Y Combinator. Founders Fund partner Napoleon Ta will join Rippling’s board of directors. Founders Fund had also backed Zenefits when Parker was at the helm, and from what we understand, this round was oversubscribed — also a big feat in the current market, working against a lot of factors, including a wobbling economy.

It is a big leap for the company: it was just a little over a year ago that it raised a Series A of $45 million at a valuation of $270 million.

This latest round is notable for a few reasons.

First is the business itself. HR and employee management software are two major areas of IT that have faced a lot of fragmentation over the years, with many businesses opting for a cocktail of services covering disparate areas like employee onboarding, payroll, benefits, device management, app provisioning and permissions and more. That’s been even more the case among smaller organizations in the 2-1,000 employee range that Rippling targets.

Rippling is approaching that bigger challenge as one that can be tackled by a single platform — the theory being that managing HR employee data is essentially part and parcel of good management of IT data permissions and device provision. This funding is a signal of how both investors and customers are buying into Rippling and its approach, even if right now the majority of customers don’t onboard with the full suite of services. (Some 75% are usually signing up with HR products, Conrad noted.)

“We like to think of ourselves as a Salesforce for employee data,” Conrad said, “and by that, we think that employee data is more than just HR. We want to manage access to all of your third-party business apps, your computer and other devices. It’s when you combine all that that you can manage employees well.”

The company is gradually adding more tools. Most recently, it’s been launching new tools to help with job costing, helping companies track where employees are spending time when working on different projects, a tool critical for IT, accounting and other companies where employees work across a number of clients. Other new tools include SMS communications for “desk-less” workers and more accounting integrations.

Second is the founder. You might recall that Conrad was ousted from his previous company, Zenefits (taking on a related, but smaller, challenge in payroll and benefits), over a controversy linked to compliance issues and also misleading investors. But if Zenefits was finished with Conrad, Conrad was not finished with Zenefits — or at least the problem it was tackling. This funding is a testament to how investors are putting a big bet on Conrad himself, who says that a lot of what he has been building at Rippling was what he would have done at Zenefits if he’d stayed there.

“Once you’re lucky, twice you’re good,” said Mamoon Hamid, a partner at Kleiner Perkins, in a separate statement. “Parker is a true product visionary, and he and his team are solving an enormous pain point for businesses everywhere. We’re thrilled to continue partnering with Rippling as demand for their platform dramatically increases in this era of remote work.”

“Rippling is not just a superior payroll company, but something much broader: they’ve built the system of record for all employee data, creating an entirely new software category. Rippling’s massive market opportunity is to streamline the employee life cycle, from software to payroll to benefits, and fundamentally improve the way businesses hire and manage their employees,” said Ta in a statement.

Third is the context in which this round is coming. We’re in the midst of an economic downturn caused in part by a global health pandemic, and that’s leading to a lot of companies curtailing budgets, reducing headcount and potentially shutting down altogether. Ironically, that force is also propelling companies like Rippling full steam ahead.

Its SaaS model — priced at a flat $8 per person per month — not only fits with how many businesses are being run at the moment (primarily remotely), but Rippling’s purpose is specifically geared to helping businesses both onboard and offboard employees more efficiently, the kind of software that companies need to have in place to fit how they are working right now.

Updated with commentary from an interview with Conrad.

Qualified raises $12M to make websites smarter about sales and marketing

Qualified, a startup co-founded by former Salesforce executives Kraig Swensrud and Sean Whiteley, has raised $12 million in Series A funding.

Swensrud (Qualified’s CEO) said the startup is meant to solve a problem that he faced when he was CMO at Salesforce. Apparently he’d complain about being “blind,” because he knew so little about who was visiting the Salesforce website.

“There could be 10 or 100 or 100,000 people on my website right now, and I don’t know who they are, I don’t know what they’re interested in, my sales team has no idea that they’re even there,” he said.

Apparently, this is a big problem in business-to-business sales, where waiting five minutes after a lead leaves your website can result in a 10x decrease in the odds of making contact. But the solution currently adopted by many websites is just a chatbot that treats every visitor similarly.

Qualified, meanwhile, connects real-time website visitor information with a company’s Salesforce customer database. That means it can identify visitors from high-value accounts and route them to the correct salesperson while they’re still on the website, turning into a full-on sales meeting that can also include a phone call and screensharing.

Qualified screenshot

Image Credits: Qualified

Of course, the amount of data Qualified has access to will differ from visitor to visitor. Some visitors may be purely incognito, while in other cases, the platform might simply know your city or where you work. In still others (say if you click on a link from marketing email), it can identify you individually.

That’s something I experienced myself, when I decided to take a look at the Qualified website this morning and was quickly greeted with a message that read, “👋 Welcome TechCrunch! We’re excited about our funding announcement…” It was a little creepy, but also much more effective than my visits to other marketing technology websites, where someone usually sends me a generic sales message.

Swensrud acknowledged that using Qualified represents “a change to people’s selling processes,” as it requires sales to respond in real time to website visitors (as a last resort, Qualified can also use chatbots and schedule future calls), but he argued that it’s a necessary change.

“If you email them later, some percentage of those people, they ghost you, they get bored, they moved on to the competition,” he said. “This real-time approach, it forces organizations to think differently in terms of their process.”

And it’s an approach that seems to be working. Among Qualified’s customers, the company says ThoughtSpot increased conversations with its target accounts by 10x, Bitly grew its enterprise sales pipeline by 6x and Gamma drove over $2.5 million in new business pipeline.

The Series A brings Qualified’s total funding to $17 million. It was led by Norwest Venture Partners, with participation from existing investors including Redpoint Ventures and Salesforce Ventures. Norwest’s Scott Beechuk is joining Qualified’s board of directors.

“The conversational model is simply a better way to connect with new customers,” Beechuk said in a statement. “Buyers love the real-time engagement, sellers love the instant connections, and marketers have the confidence that every dollar spent on demand generation is maximized. The multi-billion-dollar market for Salesforce automation software is going to adopt this new model, and Qualified is perfectly positioned to capture that demand.”

Behavioral AI: An Unbounded Approach to Protecting the Enterprise

A CISO wakes up to headlines with the company’s name in them.

Not the good kind of headlines. The kind of headlines that, say, talk about a company’s data winding up on Pastebin: a nightmare that’s happened to scads of entities. Singapore was one: 1.5 million citizens’ health records—including those of Prime Minister Lee Hsien Loong—were stolen by hackers in 2018.

…or then again, maybe the company’s systems didn’t actually come under attack by hackers or a nation state threat group. Maybe the headlines are about an employee who’s a jerk: what’s known in PR speak as “an ill-intentioned employee who acted illegally and betrayed the trust of their employer.” Say, the IT admin contractor from Hell who seized his client’s domain, demanded a $10,000 ransom and then redirected the site to teen[sexual orientation][bodypart].com when the company refused to pay.

There are myriad permutations of storylines that all lead to this kind of cybersecurity misery, when a company’s name gets into (bad) headlines that often lead to, or follow, a call from the FBI. The who’s, what’s and how’s are good fodder for journalists and for district attorneys, but what’s of far greater import to the company’s security operations center (SOC) are the storylines about how the attacks happened, who to blame and how to fix it if the problem hasn’t already been mitigated. Those are the stories that, too often, don’t get told because they’re difficult to pull out of a flood of data that includes system activity both suspicious and banal: the kind of data that turn out to be harmless system anomalies that nonetheless lead teams on wild goose chases.

Those complicated storylines often start at the endpoints in a company’s system. Endpoints are where an employee might have plugged in a USB device he found in the parking lot, curious to know what’s on it. Or maybe an employee opened a malicious PDF attachment she got in an email.

It makes sense to look to endpoints, where so many attacks happen, to gain visibility. According to a 2018 survey by the SANS Institute, 42% of respondents reported at least one endpoint exploitation that led to exposure, exfiltration, or business disruption. What’s more, encryption doesn’t get in the way at endpoints. Endpoints are where network and process activity are available, and where you can even do external device monitoring. Like, say, who was it that plugged in that USB? … and when, and where?

Too Many Data Points, Not Enough Answers

It’s not as if we don’t already have endpoint monitoring that will give us answers, though. We’ve got a lot more visibility into attacks than we had in the years with EPPs (Endpoint Protection Platforms): products that relied on virus signatures but were utterly blind to memory-based malware, lateral movement, fileless malware or zero day attacks.

But here’s the problem: EPP may protect endpoints, but it doesn’t give organizations visibility into the threats. First-generation EDR (Endpoint Detection and Response) tools were a byproduct of the need for the visibility that EPPs simply didn’t offer. This generation of EDR – let’s call it Passive EDR  – on the other hand, provides us with data but no context. We have the pieces of the puzzle, but no overall picture to pull them all together.

If you were to look at an example of built-in, passive endpoint monitoring, you might see that Windows Event Logs picked up on that USB compromise having led to a PowerShell launch from a virtual keyboard, that the attack may have used advanced techniques such as clearing logs, that it installed a backdoor to attain persistence, that it went on to steal credentials and use them to successfully login, that oops, at one point it failed to login, that it escalated privileges, that it cleared logs, that it successfully added a new local user and then admitted that user to an Admin group, and on and on and on. Good luck trying to figure it out.

It might have looked great in the demo, but what about everyday use? Who can make sense of it all? A small set of seasoned, skilled security analysts, perhaps. Unfortunately, there are too few of them to go around. Plus, bless their hearts, they need to do things like sleep. That means that when an attack hits in the midnight hours, those attackers are going to enjoy that much more dwell time before analysts get to work and untangle all the what’s, where’s, who’s and how’s.

What runs through a CISO’s mind isn’t a hunger for each and every scrap of disconnected data from an attack. Rather, it’s more like a game of Clue: Was it Colonel Mustard in the drawing room, a contractor with a  USB drive, a state-sponsored threat group? Has the threat been mitigated yet, and if so, how long was it active? Which of the SOC’s all-too-few analysts are analyzing that tsunami of data flooding in from their passive EDR?

What is Behavioral AI, and How Can It Help?

What happens after an attack? The story can go two ways, and most likely you’re familiar with the first, seriously problematic way: namely, security analysts have to sift through all of the alerts and anomalies produced by passive EDR. Those investigations take time and skill: a rare commodity, given how hard it is to find, train and retain personnel who have the expertise to operate the security platforms and the know-how to separate the wheat from the chaff, the real exploits from the random bugs.

There is another way the story can go, and, fittingly enough, it involves storylines: the contextualization of all the disparate data points into a succinct narrative. SentinelOne calls it ActiveEDR, a behavioral AI model that not only frees an organization from relying solely on difficult-to-source analyst skills, but which also does so around the clock, constantly recording and putting context around everything that happens on every device that touches the network.

SentinelOne’s behavioral AI engine creates what SentinelOne calls Storylines: a set of footprints that enable an organization to trace incidents back to find out who’s to blame for an indicator of compromise (IOC). It’s EDR, but it’s not the passive EDR you might already know about. Old-school EDR is about searching for an isolated activity and then trying to correlate it to another, and then another, and another, in a long-drawn-out, skills-intensive, after-the-fact attempt to understand the full picture.

SentinelOne’s ActiveEDR technology makes the machine do the work instead of the analyst, by tracking and contextualizing everything on a device and identifying malicious acts in real-time, automating the required responses. If and when the analyst does want to get involved, ActiveEDR enables easy threat hunting by allowing full searches from a single IOC.

Unlike other EDR solutions, ActiveEDR doesn’t rely on cloud connectivity to make a detection, effectively reducing the threat’s dwell time to run time. The AI agent on each device doesn’t need cloud connectivity to make a decision. It constantly draws stories of what’s happening on the endpoint, and if it detects malicious behavior, it can mitigate not only malicious files and processes; it can shut down – and even automatically reverse – the entire Storyline.

Why Is ActiveEDR Better At Stopping File And Fileless Attacks?

Modern adversaries have figured out a way to cut out their former reliance on files and instead leave no footprint, using in-memory, fileless malware to evade all but the most sophisticated security solutions. But because ActiveEDR tracks it all, it gives you a way to detect attackers who may already have credentials in your environment and who may be doing things like living off the land (LotL): a term that describes fileless, malware-less attacks that use a system’s own, perfectly legitimate, native tools to do their dirty work, thereby blending into the network and hiding among the legitimate processes to pull off a stealthy exploit.

Behavioral AI – A Real-World Scenario

Here’s a real-world scenario of how it works: the FBI calls to let you know your credentials are on Pastebin. You want to know how they got there, so you search the Deep Visibility Threat Hunting module. Deep Visibility is an output of SentinelOne’s Storylines that delivers rapid threat hunting by enabling users to search for references—in this example, references to Pastebin.

With Storyline, each autonomous endpoint AI agent builds a model of its endpoint infrastructure and real-time running behavior and assigns it a Storyline ID: an ID given to a group of related events. By searching on “Pastebin,” you’ll find a Storyline ID that can quickly lead you to all related processes, files, threads, events and other data that match that single query. Deep Visibility returns full, contextualized data that lets you swiftly understand the root cause behind a threat, including all of its context, relationships and activities.

Each device agent can clean up from an attack, either automatically or manually, can roll back the system, can disconnect it from the network, or can do a remote shell into the system. It can be done automatically, as in, one-click simple. It takes place in seconds, isn’t cloud reliant, and doesn’t require data to be uploaded so that humans can pore over it. There’s no need for cloud analytics, because it’s all done on the agent.

Automating as much as possible solves multiple problems: first, by recognizing bad behavior, it easily convicts file-based attacks without the need to use signatures. As well, it can prevent and predict fileless attacks.

SentinenlOne’s endpoint protection works at the pre-execution stage to stop an attack before it runs, be it in the form of a rigged PDF, a Word doc or what have you. The first step is to analyze it, to figure out if it’s odd in some way. If it is, it will be quarantined. Next, if the code passes the first test and begins to run, that’s where ActiveEDR, the autonomous, automated threat hunting mechanism that includes detection and response in the agent, looks for odd anomalous behaviors. For example, it looks for things like somebody opening Word, which spawned a PowerShell and reached out to the internet to fetch something. In most cases, that’s not good, normal behavior. ActiveEDR will view the behavior as it’s running, and it will track everything that’s happening in the operating system as a set of stories, from inception to termination, be it 1 second long, a month or more. The technology constantly weighs the behavior to see if it’s “gone evil” in some way.

The Human Touch, with Behavioral AI Assistance

That’s good, but it’s not enough, because nobody will ever catch everything. That’s where the threat hunting capabilities of ActiveEDR—the feature that makes SentinelOne a superior approach for file and fileless attacks—come in.

Let’s say that you found one device that talked to Pastebin multiple times. Clicking on the Storyline ID in the SentinelOne console will lead you to the full attack story, with all the relevant context, drawing a high-level diagram of the origin of the attack and a process tree timeline showing the processes it spawned: a Microsoft Word document was opened, it spawned a Windows PowerShell, and that shell went on to spawn seven other processes. Storyline even includes full command-line arguments, which is what researchers need to fully understand the attack. It provides the full context of the attack, with context, all of it having been produced not with a full incidence response team but, rather, with a single query.

SentinelOne ActiveEDR Demo
Theat Hunting Redefined.

Clearly, having an AI assistant on hand—in fact, an AI agent resident on every device that touches the network—saves a lot of time. It relieves an organization of having to rely solely on people to analyze things that sometimes amount to nothing at all.

Go Back To Sleep: We Got You

Isn’t it time to stop scrambling? Now, you can.

Behavioral AI can be set to mitigate automatically—a seriously powerful gamechanger. The technology is capable of making a decision on the device, without relying on the cloud, or on humans, to tell it what to do. If ActiveEDR is set to Detect, you’ll get contextualized warnings. But switch it to Protect, and that boobytrapped Word document will simply be blocked. No human intervention needed. When a user tries to open the Word file, the threat is detected, blocked, and swiftly deleted. With ActiveEDR set to Protect, the attack Storyline will show that the attack didn’t get far: it was blocked before it managed to communicate externally.

Given that Behavioral AI agents are baked into every endpoint device, bad behavior can be stopped—immediately. Later, if you decide that something shouldn’t be blocked after all, it’s simple to initiate a roll-back. And, unlike humans, SentinelOne’s Behavioral AI – ActiveEDR – doesn’t need sleep, and it doesn’t clock out at 5:00.

The reality of automatic mitigation with Behavioral AI: no data exfiltration, no headlines, and no call from the FBI.

If you’d like to learn more about SentinelOne’s Behavioral AI and how it can help protect your organization, contact us or request a free demo.


Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

Amid pandemic, returning to offices remains an open question for tech leaders

As COVID-19 infections surge in parts of the U.S., many workplaces remain empty or are operating with skeleton crews.

Most agree that the decision to return to the office should involve a combination of business, government and medical officials and scientists who have a deep understanding of COVID-19 and infectious disease in general. The exact timing will depend on many factors, including the government’s willingness to open up, the experts’ view of current conditions, business leadership’s tolerance for risk (or how reasonable it is to run the business remotely), where your business happens to be and the current conditions there.

That doesn’t mean every business that can open will, but if and when they get a green light, they can at least begin bringing some percentage of employees back. But what that could look like is clouded in great uncertainty around commutes, office population density and distancing, the use of elevators, how much you can reasonably deep clean, what it could mean to have a mask on for eight hours a day, and many other factors.

To get a sense of how tech companies are looking at this, we spoke to a number of executives to get their perspective. Most couldn’t see returning to the office beyond a small percentage of employees this year. But to get a more complete picture, we also spoke to a physician specializing in infectious diseases and a government official to get their perspectives on the matter.

Taking it slowly

While there are some guidelines out there to help companies, most of the executives we spoke to found that while they missed in-person interactions, they were happy to take things slow and were more worried about putting staff at risk than being in a hurry to return to normal operations.

Iman Abuzeid, CEO and co-founder at Incredible Health, a startup that helps hospitals find and hire nurses, said her company was half-remote even before COVID-19 hit, but since then, the team is now completely remote. Whenever San Francisco’s mayor gives the go-ahead, she says she will reopen the office, but the company’s 30 employees will have the option to keep working remotely.

She points out that for some employees, working at home has proven very challenging. “I do want to highlight two groups that are pretty important that need to be highlighted in this narrative. First, we have employees with very young kids, and the schools are closed so working at home forever or even for the rest of this year is not really an option, and then the second group is employees who are in smaller apartments, and they’ve got roommates and it’s not comfortable to work at home,” Abuzeid explained.

Those folks will need to go to the office whenever that’s allowed, she said. For Lindsay Grenawalt, chief people officer at Cockroach Labs, an 80-person database startup in NYC, said there has to be a highly compelling reason to bring people back to the office at this point.

EventGeek relaunches as Circa to help marketers embrace virtual events

EventGeek was a Y Combinator-backed startup that offered tools to help large enterprises manage the logistics of their events. So with the COVID-19 pandemic essentially eliminating large-scale conferences, at least in-person, it’s not exactly surprising that the company had to reinvent itself.

Today, EventGeek relaunched as Circa, with a new focus on virtual events. Founder and CEO Alex Patriquin said that Circa is reusing some pieces of EventGeek’s existing technology, but he estimated that 80% of the platform is new.

While the relaunch only just became official, the startup says its software has already been used to adapt 40,000 in-person events into virtual conferences and webinars.

The immediate challenge, Patriquin said, is simply figuring out how to throw a virtual event — something for which Circa offers a playbook. But the startup’s goals go beyond virtual event logistics.

“Our new focus is really more at the senior marketing stakeholder level, helping them have a unified view of the customer,” Patriquin said.

He explained that “events have always been kind of disconnected from the marketing stack,” so the shift to virtual presents an opportunity to treat event participation as part of the larger customer journey, and to include events in the broader customer record. To that end, Circa integrates with sales and marketing systems like Salesforce and Marketo, as well as with video conferencing platforms like Zoom and On24.

Circa screenshot

Image Credits: Circa

“We don’t actually deliver [the conference] experience,” Patriquin said. “We put it into that context of the customer journey.”

Liz Kokoska, senior director of demand generation for North America at Circa customer Okta, made a similar point.

“Prior to Circa, we had to manage our physical and virtual events in separate systems, even though we thought of them as parts of the same marketing channel,” Kokoska said in a statement. “With Circa, we now have a single view of all our events in one place — this is helpful in planning and company-wide visibility on marketing activity. Being able to seamlessly adapt to the new world of virtual and hybrid events has given our team a significant advantage.”

And as Patriquin looks ahead to a world where large conferences are possible again, he predicted that there’s still “a really big opportunity for the events industry and for Circa.”

“As in-person events start to come back, there’s going to be a phase where health and safety are going to be paramount,” he continued. “After that health and safety phase, it’s going to be the age of hybrid events — where everything is virtual right now, hybrid will provide the opportunity to bring key [virtual] learnings back into the in-person world, to have a lot more data and intelligence and really be able to personalize an attendee’s experience.”

Robocall Legal Advocate Leaks Customer Data

A California company that helps telemarketing firms avoid getting sued for violating a federal law that seeks to curb robocalls has leaked the phone numbers, email addresses and passwords of all its customers, as well as the mobile phone numbers and other data on people who have hired lawyers to go after telemarketers.

The Blacklist Alliance provides technologies and services to marketing firms concerned about lawsuits under the Telephone Consumer Protection Act (TCPA), a 1991 law that restricts the making of telemarketing calls through the use of automatic telephone dialing systems and artificial or prerecorded voice messages. The TCPA prohibits contact with consumers — even via text messages — unless the company has “prior express consent” to contact the consumer.

With statutory damages of $500 to $1,500 per call, the TCPA has prompted a flood of lawsuits over the years. From the telemarketer’s perspective, the TCPA can present something of a legal minefield in certain situations, such as when a phone number belonging to someone who’d previously given consent gets reassigned to another subscriber.

Enter The Blacklist Alliance, which promises to help marketers avoid TCPA legal snares set by “professional plaintiffs and class action attorneys seeking to cash in on the TCPA.” According to the Blacklist, one of the “dirty tricks” used by TCPA “frequent filers” includes “phone flipping,” or registering multiple prepaid cell phone numbers to receive calls intended for the person to whom a number was previously registered.

Lawyers representing TCPA claimants typically redact their clients’ personal information from legal filings to protect them from retaliation and to keep their contact information private. The Blacklist Alliance researches TCPA cases to uncover the phone numbers of plaintiffs and sells this data in the form of list-scrubbing services to telemarketers.

“TCPA predators operate like malware,” The Blacklist explains on its website. “Our Litigation Firewall isolates the infection and protects you from harm. Scrub against active plaintiffs, pre litigation complainers, active attorneys, attorney associates, and more. Use our robust API to seamlessly scrub these high-risk numbers from your outbound campaigns and inbound calls, or adjust your suppression settings to fit your individual requirements and appetite for risk.”

Unfortunately for the Blacklist paying customers and for people represented by attorneys filing TCPA lawsuits, the Blacklist’s own Web site until late last week leaked reams of data to anyone with a Web browser. Thousands of documents, emails, spreadsheets, images and the names tied to countless mobile phone numbers all could be viewed or downloaded without authentication from the domain theblacklist.click.

The directory also included all 388 Blacklist customer API keys, as well as each customer’s phone number, employer, username and password (scrambled with the relatively weak MD5 password hashing algorithm).

The leaked Blacklist customer database points to various companies you might expect to see using automated calling systems to generate business, including real estate and life insurance providers, credit repair companies and a long list of online advertising firms and individual digital marketing specialists.

The very first account in the leaked Blacklist user database corresponds to its CEO Seth Heyman, an attorney in southern California. Mr. Heyman did not respond to multiple requests for comment, although The Blacklist stopped leaking its database not long after that contact request.

Two other accounts marked as administrators were among the third and sixth registered users in the database; those correspond to two individuals at Riip Digital, a California-based email marketing concern that serves a diverse range of clients in the lead generation business, from debt relief and timeshare companies, to real estate firms and CBD vendors.

Riip Digital did not respond to requests for comment. But According to Spamhaus, an anti-spam group relied upon by many Internet service providers (ISPs) to block unsolicited junk email, the company has a storied history of so-called “snowshoe spamming,” which involves junk email purveyors who try to avoid spam filters and blacklists by spreading their spam-sending systems across a broad swath of domains and Internet addresses.

The irony of this data leak is that marketers who constantly scrape the Web for consumer contact data may not realize the source of the information, and end up feeding it into automated systems that peddle dubious wares and services via automated phone calls and text messages. To the extent this data is used to generate sales leads that are then sold to others, such a leak could end up causing more legal problems for The Blacklist’s customers.

The Blacklist and their clients talk a lot about technologies that they say separate automated telephonic communications from dime-a-dozen robocalls, such as software that delivers recorded statements that are manually selected by a live agent. But for your average person, this is likely a distinction without a difference.

Robocalls are permitted for political candidates, but beyond that if the recording is a sales message and you haven’t given your written permission to get calls from the company on the other end, the call is illegal. According to the Federal Trade Commission (FTC), companies are using auto-dialers to send out thousands of phone calls every minute for an incredibly low cost.

In fiscal year 2019, the FTC received 3.78 million complaints about robocalls. Readers may be able to avoid some marketing calls by registering their mobile number with the Do Not Call registry, but the list appears to do little to deter all automated calls — particularly scam calls that spoof their real number. If and when you do receive robocalls, consider reporting them to the FTC.

Some wireless providers now offer additional services and features to help block automated calls. For example, AT&T offers wireless customers its free Call Protect app, which screens incoming calls and flags those that are likely spam calls. See the FCC’s robocall resource page for links to resources at your mobile provider. In addition, there are a number of third-party mobile apps designed to block spammy calls, such as Nomorobo and TrueCaller.

Obviously, not all telemarketing is spammy or scammy. I have friends and relatives who’ve worked at non-profits that rely a great deal on fundraising over the phone. Nevertheless, readers who are fed up with telemarketing calls may find some catharsis in the Jolly Roger Telephone Company, which offers subscribers a choice of automated bots that keep telemarketers engaged for several minutes. The service lets subscribers choose which callers should get the bot treatment, and then records the result.

For my part, the volume of automated calls hitting my mobile number got so bad that I recently enabled a setting on my smart phone to simply send to voicemail all calls from numbers that aren’t already in my contacts list. This may not be a solution for everyone, but since then I haven’t received a single spammy jingle.