A malicious email containing a link that looks “legit” but is actually malicious remains one of the most dangerous, yet successful, tricks in a cybercriminal’s handbook. Now, an AI startup called Bolster which has created a new approach to tackling this trick has raised $14 million in funding to expand its work, both in a popular free phishing audit portal that works and is (appropriately) called CheckPhishas well as with our main paying customers: brands and other businesses.
Microsoft venture fund M12 led the round as the company’s new backer, with participation also from Thomvest Ventures, Crosslink Capital, Liberty Global Ventures, Cheyenne Ventures, Cervin Ventures and Transform Capital. Bolster does not disclose its valuation, but has now raised about $40 million.
Bolster’s business model is based on providing branding and URL verification services to businesses that spend a lot of time emailing their customers and are therefore prime candidates for malicious hackers to impersonate in hopes of scamming people or simply copying with the brand to sell their own products. (Its client list includes big names like Dropbox, Uber, LinkedIn and Coinbase.) Phishing, according to the Cybersecurity Infrastructure Security Agency, is the origin of more than 90% of all “cyberattacks,” which can include breaches data, network penetration or device viruses.
The ability to create suspicious lookalike domain pages for these companies and start using them to perform malicious phishing activities has become very cheap and easy.
“There are tools you can buy for $10 or $20 to launch phishing attacks,” Bolster CTO Shashi Prakash (who co-founded the company with CEO Abhishek Dubey) said in an interview. With malicious hackers now well versed in the use of artificial intelligence, they are creating realistic login pages for banks, for example, and using phishing as a service to launch these attacks “within minutes”.
These have become more sophisticated and more targeted over time, he said. A recent example was the incident involving WPP CEO Mark Read, who was at the center of a scam to try and solicit money. It sounds unlikely when you read it, and indeed it was unsuccessful, but it’s just a sign of where these scams are going.
Bolster’s approach uses machine learning algorithms and artificial intelligence techniques to monitor the wider internet – URLs, domain registration databases, conversations on open and closed forums and social media platforms, as well as emails (when working with a client) and other – to detect fraud activities, which it does on an ongoing basis. When it detects incompetent links, it then shuts them down at their root through automated takedowns.
The approach is notable because it complements the myriad email security products on the market today that are being adopted by organizations to help filter emails as they enter a person’s inbox: This is still important as a mechanism to stop phishing activity . But in cases where these bad links go through the gates without restriction, the idea here is that if a person clicks on a link, now that person might not get anywhere.
Considering that the broader email funnel can be so complex to contain, and the hackers themselves have a hard time finding themselves, identifying and terminating the root of their operations becomes very valuable.
“One of the advantages that Bolster has is its ability to automatically shut down where these attacks are coming from, they can be shut down where they’re hosted,” Todd Graham, managing partner at M12, said in an interview. “This is really, really important given the scale at which these criminal enterprises operate.” Microsoft isn’t working directly with Bolster yet, Prakash said, but the idea is that this investment is a signal of how it will be in the future.
Microsoft’s interest would be two-fold: The company itself is a major international brand, operating a number of services that would trigger emails to users (and I can personally confirm that I get, a lot of “login” emails account” from suspicious “Microsoft” connections”). In addition, it is a provider of cloud services and management and software to many enterprises, and therefore an important link to a large market of potential customers. Finally, it’s making a major move to put more AI into all aspects of its business, so threat protection must inevitably be part of that equation as well.
Graham added that while the company is really just a B2B business – with its CheckPhish tool aimed at scanning websites rather than offering tools to individual users – the fact that it works with big brands by default gives it a consumer perspective, as it is ultimately aimed at protecting the customers of the company in question.
“If you get a spoofed email that claims to be from Microsoft, but probably isn’t, it’s in the best interest of Microsoft or Wells Fargo or whoever, to make sure that that email, if it gets out, is tracked down. “
