Inky CEO Dave Baggett On Catching QR Code Phishing — Before Other Email Security Tools

In an interview with CRN, Baggett also discusses why the typical approaches to email security are broken and how GenAI-powered threats could change cyber defense.

Email security vendor Inky may lack the name recognition of competitors such as Proofpoint, Mimecast and Abnormal Security. But that hasn’t prevented Inky from delivering phishing protection that is unmatched in effectiveness, according to Co-founder and CEO Dave Baggett.

Inky’s pinpointing of QR code phishing attacks in June is just one example of how the College Park, Md.-based company’s product has been able to stay on top of emerging threats and ahead of the competition, Baggett said in a recent interview with CRN.

“I don’t know for sure that no other email security vendor is doing anything on QR codes, but I’m guessing they’re not,” he said. “So all that stuff is just getting through.”

During the interview, Baggett discussed Inky’s differentiated capabilities for thwarting phishing emails, how the arrival of GenAI-powered phishing will impact cyber defense and the advantages for MSPs in working with the company. Baggett previously was the co-founder and COO of travel search company ITA Software, which was acquired by Google for $700 million in 2011.

What follows is an edited and condensed portion of CRN’s interview with Baggett.

What are the biggest differentiators for Inky on email security?

Something that we did I think that was very innovative — and is arguably the key selling point for our product now — is this idea of using the AI in not just a binary way to classify an email as good or bad. Instead, use AI as a way to give more information to the end user to make a better decision.

Obviously if the email is clearly malicious, just like every other mail protection system, we’ll send that to quarantine. And if it’s clearly good, we’ll send it to them and put a little gray banner on the email saying, “Here is the email address this is from, we think it’s safe.” But that middle category, which for us is about 10 percent to 12 percent of emails, we put a yellow banner on it that says one of 75 different things.

So it could be, “This is asking you to wire money. It doesn’t look illegitimate, but you shouldn’t wire money without confirming outside of email.” Or it could say, “This doesn’t look like something Dave would write. It doesn’t have his normal greeting and closing. We can’t prove it’s not him, but just use caution.”

Injecting this banner into the email is really transformative for users because, No. 1, it makes them slow down. And No. 2, it’s giving them help, using that AI component.

How are you using data and analysis in your product?

We have a data team, and our data team analyzes phish that we didn’t catch. This creates a feedback loop where the data team can understand the mechanism of action -- how is this phish getting through? What tactic is it using? This is where we first see new tactics like we saw with QR codes being used in emails to phish people two months ago.

The ruse was, here’s this QR code, you need to re-authenticate. But in fact, it was just a phishing link encoded as a QR code. It’s like getting the menu at a restaurant, which Covid made everybody think is totally normal. So everyone’s conditioned to do this. They click on it, they go to a phishing site. Now that could be credential harvesting, where it’s asking them for the email and password. Or it could just be some malware exploit.

How does that end up improving your product’s effectiveness?

We did a first version of detecting it. And it’s not as simple as we look at images. We actually had to write code specifically to decode QR codes. Email production systems don’t do this. We had to add that. And that probably took us a couple of days. We put it in production, blocked a bunch of it. But then maybe a month later, we got a flood of, “Hey, there’s more QR code stuff, and it’s not getting caught.”

So our chief scientist wrote a bunch of code with one of the data team people to do a more thorough job of finding QR codes in emails and rendering them -- rendering meaning, turning them into the link that they point to. And that rolled out [a few days ago], and we’ve caught 40,000 QR phish since then. So now I don’t know for sure that no other email security vendor is doing anything on QR codes, but I’m guessing they’re not. So all that stuff is just getting through.

Have you seen much impact yet from the arrival of generative AI, and GenAI-created phishing emails?

We have seen examples that appear to be targeted phish — [which were] very finely crafted with LLMs — that have been reported by end customers. I don’t think we’ve seen a lot of them. But this is clearly going to become a problem. Harder-to-detect phish are going to become more common.

I don’t think it’s at all rampant yet, but I’m just waiting for the week where it’s like, “Oh, there were 8,000 LLM phish yesterday. Yep, it’s here.” It hasn’t happened yet, but the ultimate outcome is, you’re going to get vast amounts of extremely well written phish. And you better have a system that will provide countermeasures against that.

Do you think Inky’s capabilities will do a better job of countering GenAI-created phishing than other tools?

Some of the countermeasures will be the prompting and coaching solution that we have, where [we tell you], “Hey, this is asking you to go buy gift cards from Target. Maybe don’t do that right away.”

But if you’re relying on [being able to detect] that machines are generating these emails, or that humans are generating these emails, one or the other, you’re not going to be able to rely on that anymore. You can’t have that be a distinction that you detect on. There are lots of “tells” in phishing emails. But I don’t think the idea that there are going to be “tells” in AI-generated text is right.

What is your message to partners about the advantages of working with Inky for email security?

Certainly we have unique and very powerful detection capabilities that I don’t think others have. We know that others will say they have something similar that, like copy the words from our web page or something like that. But I don’t see any evidence that those are real. That’s one big advantage. Another is this emphasis on supporting MSPs and making their lives easier. They don’t want to get 1,000 phish reports that they have to manually triage. We’ve done a really good job on automating all of that. That saves a ton of time for them. I think for the MSP cohort, it’s massive labor savings.

The other thing is, we’re the ones that’ve got this. We’re on top of this. When stuff happens that’s new, and it’s getting through every system, we’re the first ones to analyze it, publish it, get countermeasures in place for it and deploy it to production. MSPs are near universally saying, “This thing solves the problem. I don’t have to worry about it. I’m all set.” We’re on track to double MSP ARR year-over-year. I think we’ll continue that. The product really resonates.