Never trust hyperlinks, says founder of anti-phishing company Segasec

Elad Schulman, co-founder and former CEO of cybersecurity company Segasec, recently acquired by Nasdaq-listed Mimecast, says visually inspecting a URL no longer cuts it, as attackers become more sophisticated by the day

CTech 12:1831.08.20
While we all know to avoid the Nigerian prince who emails random strangers to endow them with cash or the lawyer who notifies people of relatives they never knew existed who decided to leave them their unimaginable fortunes upon their recent demise, there are also far more sophisticated forms of phishing attacks out there.


They are variations on a theme, all meant to tempt innocent users to unwittingly provide attackers with access to their bank, PayPal, and email accounts, their personal devices, or other forms of private information that can be misused.


Segasec CEO Elad Schulman. Photo: PR Segasec CEO Elad Schulman. Photo: PR

Faced with simpler attacks, we have been warned to always visually examine the URL address any link leads us too, to make sure we are at the website we think we are. But attackers adapted to this new awareness and have found ways to mislead even highly attentive victims, according to Elad Schulman, co-founder and former CEO of Tel Aviv-based cybersecurity company Segasec Labs Ltd.


In a recent interview with 30 Minutes or Less, a Hebrew-language podcast dedicated to the Israeli tech scene, Schulman explained how some hackers create URL addresses that appear to be legitimate to the naked eye.


“You can get to a website that looks exactly like PayPal’s and even the URL address would appear to be in order but instead of a P in English it would use a character that looks the same but is in a different language,” Schulman said.


Some suggested the way to go would be for companies to buy every variation on their domains, Schulman said, but the number of possible variations is practically infinite and the cost to each company would amount to many millions of dollars a year.


Founded in 2017, Segasec developed a cybersecurity service that protects website operators, including financial institutions, insurers, and retailers, from consumer phishing scams. In January, Segasec was acquired by Nasdaq-listed email and data security company Mimecast Ltd. for an estimated sum of around $40 million-$50 million. Segasec now operates as a division of Mimecast and Schulman was appointed vice president of brand protection at the parent company.


Prior to the acquisition, Segasec raised $5 million from investors including Innogy Innovation Hub, the accelerator and venture capital arm of Berlin-listed energy company Innogy SE.


According to Schulman, one of the main difficulties with phishing attacks is that most of them are so easy to create. “A 15-year-old with a smartphone can launch an attack from the bathroom,” he said. However, while easy to launch they are hard to intercept, he said. Billions of dollars a year are stolen through phishing attacks around the world, he added.


Schulman believes one way in which private users can minimize their exposure is to never trust hyperlinks. Don’t input passwords or otherwise private information into pages opened through hyperlinks, he suggested. It is always better, even if less convenient, to type in the URL yourself, in case someone has tampered with the hyperlink, he said.


If someone you know emails or texts you to send them money, even if they are your boss, Schulman said, never be afraid to pick up the phone and make sure they are really the ones requesting it. The potential embarrassment is far smaller than the risk of fraud, he explained.



The 30 Minutes or Less podcast is hosted by Navot Volk and tech entrepreneur Aviv Frenkel. The two interview tech founders, investors, and other key members of the Israeli tech ecosystem.