Arun Buduri is the only person I’ve ever met who gets excited when someone tries to hook him with a phishing e-mail — one of those scammy messages that tries to trick you into sharing your password with some nefarious unknown party.
“I love getting phishing e-mails,” Buduri says with a smile, his eyebrows dancing. “I click a lot of them, so the hackers think I am susceptible. Then I get more.”
“Check this one out,” he says, holding his laptop in his hand like a waiter balancing a tray, and pulling up a prime example. Buduri estimates he gets three or four each week.
Buduri is building a startup, New York- and Waltham-based Pixm, that wants to help people avoid being duped by phishing attempts. The strategy is increasingly used by bad guys to trick people into giving up passwords to bank accounts and corporate e-mail systems, as a way to steal money or company secrets. The e-mails link the recipient to a website log-in page that closely resembles the real thing.
Pixm believes it can protect users better than the more established cybersecurity players, by flagging the phony page within a second — before you can get around to entering your credentials.
But it’s a tiny company, with just three full-time employees. Pixm has raised $1.6 million from investors since it was founded in 2015, though Buduri says he’s in the midst of raising a similar amount now, and has been on the conference circuit this year, showing the technology and hustling to forge alliances.
Cybersecurity is an industry sector in which Boston has recently had some major successes — like Carbon Black, a Waltham company that went public last year, and Boston-based Rapid7. But it’s also a sector in which the customers, often IT professionals or chief information security officers at big companies, have to cut through a lot of noise, since there are always a lot of startups trying to plug specific holes in the security dike.
Jeff Fagnan, a venture capitalist at Accomplice in Cambridge, which has backed companies such as Carbon Black, acknowledges “there are just so many security products and companies now. I just don’t know how anybody tells one from another.”
John Mulliken, the chief technology officer of Wayfair, the Boston-based e-commerce merchant, says he’s on the receiving end of about a dozen pitches a week in his in-box related to cybersecurity. Most are “very broad and vague,” he says.
While some cybersecurity software operates in the cloud — that is, the companies that sell it manage the service for their customers, much like Google Drive or Dropbox do — Buduri argues that is a weakness. When this cloud-based security software looks at your incoming e-mail and tests out a link to see if it is trustworthy, the bad guys can tell it is not you clicking the link. They can see that the link-clicker is actually a computer run by a known cybersecurity vendor, so they don’t show a fake log-in page.
“You have to be at the endpoint to see these phishing attacks now,” Buduri says. And the endpoint is your laptop, mobile device, or desktop computer. In other words, the bad guys need to see that it’s a real person using a real computer before they show you the fake log-in page.
So when you unknowingly click on a link and a log-in page is displayed, Pixm takes a screen shot and analyzes it, using computer-vision software, trying to identify logos and where the log-in area is on the page. Even if the page is designed to look exactly like the current Bank of America log-in page, Buduri says, Pixm checks a database for a list of Web addresses, or URLs, that are authorized to show the real Bank of America page. (Hint: They are mostly not located in Russia.)
By identifying whose logo and content is on the fake page, Buduri explains, that tells Pixm what URL should be in the browser’s address bar. If the page does match and everything’s kosher, Pixm shows a green bar to show that users can be confident entering their password.
Buduri has been traveling the world trying to build momentum for the company; this month he has been to San Francisco and San Diego. In February, when he needed to be in Boston for a pitch competition, he interrupted a family vacation in Nepal, hopped a flight, made his 15 minute pitch, and returned to Nepal. Round trip: 65 hours. Even Indiana Jones would have gotten jet lag. The prize: Ingram Micro, a major distributor of technology products, has agreed to help sell Pixm to its customers globally.
The good news for Pixm and startups like it is that most big companies know they are not perfectly protected from every possible type of hacker attack.
“Whether people are targeting nation-states, elections, or intellectual property theft from corporations,” Fagnan says, “it feels like this is going to be a damn fertile area for innovation for a while.” But Fagnan believes the space has been “overfunded,” with too many startups competing for customers. (His firm has not invested in Pixm.)
And “nobody really wants to try a half-baked security company,” he adds.
Often, companies need to raise tens of millions of dollars to develop a product that people will trust — and market it as trustworthy. “People want to feel like it is pretty bullet-proof and industrial-strength before someone trusts it and pays for it.”
Then there’s always the risk that a bigger player like Microsoft, Proofpoint, or Mimecast assigns a team of engineers to replicate what Pixm has built, says Rick Grinnell, a partner at Boston-based Glasswing Ventures. That would make life really difficult for the fledgling company. But Pixm could also at some point be an acquisition target for one of the larger guys, Grinnell notes. (His firm has not invested in Pixm, either.)
One early key, Grinnell says, will be landing recognizable customers — logos it can display on its website “showing that some number of banks and meaningful institutions have adopted it.”
Another tech exec at Wayfair, Steve Crusenberry, notes that while existing security tools are “good at catching the obvious phishing attempts,” the bad guys are always getting subtler and more sophisticated. Protecting employees from phishing is “definitely not a solved problem,” he says.
Those unsolved problems are what create opportunities for entrepreneurs to create successful companies — if they can make the right moves before the big guys match them.Scott Kirsner can be reached at firstname.lastname@example.org. Follow him on Twitter @ScottKirsner.