A dodgy email containing a link that looks “legit” but is actually malicious remains one of the most dangerous, yet successful, tricks in a cyber criminal’s handbook. Now, an AI startup called Bolster that has built a novel approach to tackle that trick has raised $14 million in funding to expand its work, both across a popular free phish-checking portal it operates called (appropriately) CheckPhish, as well as with its primary paying customers: brands and other businesses.
Microsoft’s venture fund M12 led the round as a new backer in the company, with participation also from Thomvest Ventures, Crosslink Capital, Liberty Global Ventures, Cheyenne Ventures, Cervin Ventures, and Transform Capital. Bolster’s not disclosing its valuation but it has now raised around $40 million.
Bolster’s business model is based around providing brand and URL checking services to businesses that spend a lot of time emailing their customers, and thus are prime candidates for malicious hackers to imitate in hopes of tricking people, or to simply copy with branding to sell products of their own. (Its client list includes big names like Dropbox, Uber, LinkedIn and Coinbase.) Phishing, according to the Cybersecurity Infrastructure Security Agency, is the start of more than 90% of all “cyberattacks”, which might include data breaches, network infiltrations, or device viruses.
The ability to set up suspiciously similar-looking domain pages for these companies, and to start using them to run malicious phishing activities, has become very cheap and easy to do.
“There are tools that you can purchase for $10 or $20 to launch phishing attacks,” said Bolster CTO Shashi Prakash (who co-founded the company with CEO Abhishek Dubey) in an interview. With malicious hackers now well versed in using AI, they create realistic login pages for banks, for example, and use phishing-as-a-service to launch these attacks “within minutes.”
These have become more sophisticated, and more targeted, over time, he said. One recent example was the incident involving the CEO of WPP, Mark Read, who was at the center of a scam to try to solicit money. It sounds improbable when you read that out, and indeed it was unsuccessful, but it is just a sign of where these scams are going.
Bolster’s approach uses machine learning algorithms and AI techniques to track the wider internet – URLs, domain registration databases, conversations in open and closed forums and social media platforms, as well as emails (when it works with a client) and more – to detect scam operations, which it does on a continuous basis. When it identifies iffy links, it then shuts them down at their root by way of automated takedowns.
The approach is notable because it complements the myriad email security products that are on the market today that are adopted by organizations to help filter emails as they come into a person’s inbox: that’s still important as one mechanism to halt phishing activity. But in cases where those bad links pass through the gates unencumbered, the idea here is that, if a person does click on a link, now that person might not get anywhere.
Considering that the wider funnel of email can be so complicated to contain, and hackers themselves makes themselves hard to find, identifying and shutting down the root of their operations becomes very valuable, one reason why Microsoft is investing.
“One of the advantages that Bolster has is its ability to automatically shut down where these attacks are originating from, they can shut down where those where those are hosted,” said Todd Graham, Managing Partner at M12, in an interview. “That is really, really important, given the scale at which these criminal enterprises operate.” Microsoft does not yet work directly with Bolster, Prakash said, but the idea is that this investment is a signal of how they will in the future.
Microsoft’s interest would be on a couple of levels: the company is a major international brand in itself, operating a number of services that would trigger emails to users (and I can personally attest to getting way, way too many “account login” emails from suspicious “Microsoft” links). On top of that, it’s a provider of cloud and managed and software services to numerous businesses, and thus an important link through to a large market of would-be customers. Lastly, it’s making a major move into putting more AI into all aspects of its business, and so threat protection inevitably has to be a part of that equation, too.
Graham added that while the company is effectively just a B2B business – with even the CheckPhish tool aimed at scanning websites rather than offering tools to individual users – the fact that it works with big brands by default gives it a consumer angle, in that it’s ultimately aiming at protecting the customers of the business in question.
“If you are getting an impersonated email that claims to be from Microsoft, but it probably isn’t, it’s in the best interest of Microsoft or Wells Fargo or whoever, to ensure that that email, if it does go out, gets detected.”