Executive Interview Series: Paul Walsh


It’s our great honor and pleasure to introduce Paul Walsh as the next guest in our Executive Interview Series. 

Paul has played a formative role in technologies that most people take for granted, such as the Mobile Web Initiative, the URL classification standard at the World Wide Web Consortium (W3C), and the account-labelling framework used for X (formerly Twitter) Verified Accounts. He also collaborated with Sir Tim Berners-Lee on his “One Web” vision. 

Paul holds multiple patents licensed to major tech and security firms. In 2017, his company helped eliminate phishing on Slack for the crypto community and pioneered Zero Trust URL Authentication, a major upgrade to web security that tackles phishing—a problem the industry has failed to solve for over 20 years.

He is Founder and CEO of MetaCert, which makes it easy for people to confirm when links are verified as legitimate. Unlike conventional security built on threat detection, MetaCert assumes every unverified link is a potential threat.

Paul is also a neurodivergent (ADHD and dyslexic) entrepreneur and a vocal advocate for normalizing these traits in the workplace, given that 40% and 35% of entrepreneurs exhibit them, respectively. 


Although we edited this interview for brevity and clarity, Paul Walsh is a dynamic individual with deep knowledge – this conversation covers a lot of ground. 

We hope that you find it entertaining and informative. Cybersecurity is now a technological white-water rapid that bankers must lead their teams through without capsizing.   

The Genesis of an Accidental Cybersecurity Pioneer

Q: How did you get into cybersecurity as a career?

I don’t consider myself a cybersecurity veteran. 

My journey began at AOL in the 1990s, where I was one of the first people hackers impersonated online. That was when phishing was first discovered on the web. It’s not a new problem, and it hasn’t really evolved much in over 20 years. After leaving AOL in 1998, I moved into the telecom sector and went on to found a telecom testing company in the early 2000s. That work eventually led me into web accessibility compliance, where in 2004 we created one of the first trustmarks on the internet. Around that time, I began thinking about how people could be given more information about a link before opening it—not just for security, but to help them find websites that were accessible, mobile-friendly, or carried trustmarks for identity and privacy. That thinking eventually led me to start MetaCert.

Our early focus was on protecting children from adult content, which naturally led us to classify other categories. From there, we built the first security service for mobile device OEMs, followed by a patented security service for mobile app developers. Both were ahead of their time, so we pivoted to team collaboration security, starting with Slack.

In 2017, the crypto community turned to us as they faced severe problems with scams. Most companies didn’t yet think security inside Slack was necessary, but the crypto world built their communities there and urgently needed protection. We were the only company with a viable solution, and within three months we had effectively eliminated phishing on Slack. We made it cost prohibitive for criminals by rapidly classifying new phishing scams with unique technology and a 15,000-strong community. But the reality was sobering: most scams were only detected after victims had lost their savings. That’s when we realised threat-based detection wasn’t effective. Solving phishing required a radical new way of thinking.

Q: Can you share how you helped discover the crime of phishing in the 90s?

Phishing was first discovered at AOL, where I was exposed to it in 1996. 

Hackers impersonated high-profile AOL employees, including myself, within chat rooms, emails, and instant messages. The term “phishing” itself combines “phreaking” (a hacker term) and “fishing,” where you cast a wide net to catch some fish. Thinking about my granddad, who delivered secure communications as a dispatch rider during wartime, makes me proud of what my team is doing today. Just as he carried trusted messages across dangerous ground, we’re protecting people on the digital front line where phishing is exploited by organised crime and hostile states like Russia and China. 

While I didn’t immediately focus on phishing, this early exposure shaped my understanding of the web and my drive to make it safer and more accessible. I envision a world where anyone can feel safe opening a link, no matter where it comes from or where it leads, and easily avoid impersonators of any kind.

Zero Trust Approach: The Best Answer to the Tsunami of Phishing Attacks

Q: Describe a day at work where you feel satisfaction that you’ve achieved your mission. 

A memorable moment came when a crypto company I advised sent me a Binance link, concerned it lacked MetaCert verification. Our software’s failure to authenticate it made them pause. I quickly confirmed it was a scam, preventing a $60,000 loss to criminals who had spent weeks building trust across multiple channels.

Another instance involved MyEtherWallet’s DNS being compromised. We quickly changed its classification from verified to dangerous. I received angry support tickets from customers whose money transfers were blocked, but I simply replied, “You’re welcome,” knowing we had saved them from significant losses. 

More recently, with our new Link Verifier mobile app, even security professionals are recognizing its value. The founder of a security company, who sold his business to Symantec and invested in MetaCert, told me he relies solely on MetaCert for his own safety. These moments, where we directly prevent people from losing their life savings or critical assets, are incredibly rewarding.

Q: Can you explain the concept of zero trust?

Zero trust is what all security companies and all enterprises are migrating towards. The United States government, by executive order, has mandated federal agencies to migrate to zero-trust architecture. But zero trust is not a solution. It’s a strategy. It means that you do not trust anything or anybody by default. 

Biometrics and hardware devices like YubiKey are zero trust identity tools, but they only work on login pages, and only a limited number at that. They can’t protect people from phishing attacks that involve fake apps (malware, spyware, and ransomware attacks). The industry is fixated on authenticating people when they access a site or service, yet no one outside MetaCert authenticates the sites, apps, and services themselves. Until MetaCert introduced zero trust for web links, the model had just four pillars: people, devices, apps, and network data – everything except links.

As a government or corporate employee, you might be restricted to using approved devices and secure apps. You can’t install anything else, and you connect to the network through a VPN. Yet when a link comes through an approved message, app, email, or web browser, it’s still assumed safe by default. That’s the opposite of zero trust. Zero trust must be binary: every web link is dangerous unless it’s verified as legitimate in advance, and it must be authenticated each and every time.

Verifying paypal.com once is far easier than trying to classify the 45,000 fake sites that impersonate it with a padlock. Each time you click a link that belongs to paypal.com, our system authenticates it against our database. We don’t chase what’s fake. We confirm what’s real – every time.

Every link belonging to a .Bank domain is automatically treated as verified in our system. That’s because the .Bank registry already enforces rigorous identity checks that exceed anything we’d need to add. Put simply, the verification protocol for .Bank is so robust that our technology can trust it by default.

Q: Do you believe that technology can actually save (non-techy) ordinary people from advanced cybersecurity threats?

Yes, it is achievable, and it centers on human behavior and intuitive labeling. 

While I co-invented the concept of labelling accounts on the web (such as Twitter Verified) when I co-founded the global standard for URL classification and content labelling at the W3C, the standards body for the Web, the implementation today must take a different form. The real key lies in intuitive design.

For example, with our concept, we use a simple rule: “If it ain’t green, it shouldn’t be seen.” 

This simple visual cue, the green shield, allows a 60 or 70-year-old with Alzheimer’s to be safe. It’s about making security effortless. Everyone is told to “stay vigilant” and “check links,” but they have never been given the practical tools to do so, until now. Our Link Verifier app empowers people to check links easily before opening them.

While most people can spot a lot of lazy scams, it’s impossible to know whether a link is safe or dangerous without using gut instinct and luck, especially with link shorteners, server-side redirects, and URLs that look legitimate. Even many safe links can appear dangerous, and vice versa. Our goal is to shift the narrative from “human vulnerability” to “exploiting security.” Criminals aren’t just tricking people; they’re exploiting the flawed design in existing security measures, particularly with new dangerous links that haven’t been identified yet. For example, if a criminal sends a text with a dangerous link, they’re exploiting the fact that SMS systems rarely verify links. They can buy a regular SIM, send messages to themselves, swap URLs and try again until one gets through, and in minutes they know which links pass which networks. Detection systems only catch links after they have history or reports. Brand new links have no data and no reputation, so conventional security misses them every time. That is why threat detection has proven useless for the majority of phishing attacks.

This is where the concept of “zero trust” comes in. 

Zero Trust means nothing is trusted by default. Everyone and everything is treated as potentially dangerous unless explicitly verified. Applied to URLs, this means every link must be assumed dangerous until it has been verified in advance. Real Zero Trust doesn’t rely on on-the-fly detection but on prior verification of legitimacy.

Again, it’s easier to verify a legitimate site like paypal.com once than to classify the 45,000 sites impersonating it. Our technology automatically verifies every .Bank link on our backend because we know of the robust identity verification processes required for .Bank domains. 

This makes the .Bank domain inherently trustworthy from a security perspective, as each organisation’s identity has already been verified to a standard beyond what MetaCert typically performs. MetaCert’s focus is solely on ensuring a link is not impersonating a trusted organisation or person.
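As an added illustration of the verify-before-trust model described above (this is example code written for this page, not MetaCert’s software or API), the check below parses a URL, normalises the host, and returns a binary verdict: a link is verified only if its registrable domain is on an allowlist populated in advance, or if it sits under a TLD whose registry already verifies registrant identity (the .bank case). Everything else, including shortened links, lookalike domains, raw IP addresses and unparsable input, is unverified. The allowlist, the toy public-suffix list, and every hostname and URL used here are constructed for the example.

```python
"""Verify-before-trust link check (added example, not MetaCert's code).

Blocklist-style detection asks "is this URL known to be bad?"; the zero-trust
model asks "is this URL known to be good?" and answers no to everything else.
"""
from urllib.parse import urlsplit
import ipaddress

# Constructed allowlist of registrable domains verified in advance.
# Assumption: a real deployment fills this from a verification process.
VERIFIED_DOMAINS = {"paypal.com", "bankofireland.com", "examplebank.co.uk"}

# TLDs whose registry performs identity verification of every registrant,
# so any host under them is treated as verified (the .bank rule from the text).
VERIFIED_TLDS = {"bank"}

# Toy stand-in for the Public Suffix List: suffixes under which the
# registrant-controlled label is the third label from the right.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the part of the host a registrant actually controls."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def verify_link(url: str) -> bool:
    """Binary verdict: True only when the link is verified in advance.

    Any parse failure, unusual scheme, IP literal or unknown domain is False;
    there is no score and no "probably fine".
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False  # e.g. malformed IPv6 bracket syntax
    if parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, custom app schemes are never verified
    host = parts.hostname  # drops userinfo ("paypal.com@evil.example") and port
    if not host:
        return False
    try:
        # Normalise to lower-case ASCII (A-label) form and drop a trailing dot,
        # so a Unicode homoglyph domain is compared by its punycode name, which
        # is not on the allowlist.
        host = host.encode("idna").decode("ascii").lower().rstrip(".")
    except UnicodeError:
        return False
    try:
        ipaddress.ip_address(host)
        return False  # raw IP addresses are never verified
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) < 2 or any(not label for label in labels):
        return False
    if labels[-1] in VERIFIED_TLDS:
        return True  # registry-level identity verification, per the .bank rule
    return registrable_domain(host) in VERIFIED_DOMAINS


if __name__ == "__main__":
    # Constructed sample links: the kinds of URLs the interview calls out
    # (subdomain spoofing, lookalike spelling, shorteners, query-string decoys).
    for sample in (
        "https://www.paypal.com/signin",
        "https://paypal.com.evil.example/signin",
        "http://paypal.com@evil.example/",
        "https://paypa1.com/",
        "https://secure.mybank.bank/login",
        "https://bit.ly/3abc",
        "https://evil.example/?next=https://paypal.com",
    ):
        print("verified" if verify_link(sample) else "unverified", sample)
```

The shortener case is the important caveat: a verified domain behind a shortener or server-side redirect is still reported as unverified, because the check never follows the link. A real verifier would have to resolve the redirect chain first and verify the final destination, which is exactly the "history and reputation" gap the text says detection systems cannot fill for brand-new links.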

Sorting the Bad Links from the Safe Ones

Q: Is MetaCert’s Link Verifier technology something that could protect users natively on any device?

That’s exactly what it is right now. 

If you install Link Verifier on an iPhone, it immediately adds the “Verify Link” option to every app’s native share menu, integrating it into the operating system. That means people can check links inside every text message, email, QR code, app, and web browser. Even if you install new apps later, Link Verifier will automatically appear within them. 

We’re also in discussions with multiple banks and mobile carriers to deliver this same protection through our API, so their customers would see a branded Link Verifier inside every app on their phone. This is our actual go-to-market strategy. And our long-term goal is to help the entire security industry adopt a zero trust approach to web links with our Zero Trust API service.

Explaining this is a challenge because the biggest innovations are often hard to grasp until you see them. We’re refining our messaging so people quickly understand MetaCert’s verify before you trust model, with clear in-product guidance on how to check any link.

Regarding how unverified links become verified, it’s a complex process detailed in our white and technical papers.

We focus only on links that fail authentication. For customers, the outcome is always binary: either verified as legitimate or not. Internally, we apply multiple signals to reach that decision. For example, we use community validation where several people independently confirm legitimacy, supported by quality controls and AI. We can also weigh context, such as how often an unverified link is accessed or when a domain was registered. A brand-new banking site is a red flag, while a new domain for a friend’s personal page may be reasonable. But for customers the outcome is always the same: a binary decision. A link is either verified as legitimate or it’s not. We never use a scoring system, because Zero Trust requires absolute clarity.

Q: How do verified domains such as .Bank and .Insurance protect businesses and users?

The significance of .Bank domains is immense in this landscape. 

Every single link to a .Bank domain is verified beyond MetaCert’s typical standards because the actual identity of the entity behind that domain has already been rigorously verified. This provides an unparalleled level of trust. It will be transformative as more and more banks consistently use .Bank domains and communicate it to their customers, “If you get a link from our bank and it’s not on .Bank, don’t trust it.”

This is increasingly important because of PSD3 and instant payments. Instant payments mean banks have to finalize transactions in less than 10 seconds, 24×7, from October 2025. And according to the Banking Federation, banks that have instant payments already see fraud increase 9- to 10-fold. That’s insane. Once the money is gone, it’s gone forever.

If Bank of Ireland embedded our API and example code, the app update wouldn’t add security features inside the banking app itself, since people rarely open links there. Instead, the update would deliver Link Verifier to the phone’s native share menu, which appears in every message, email, and app where phishing and fake payment requests happen. Customers would see the Bank of Ireland icon in the menu and on the warning page, putting the brand front and centre whenever they decide whether to trust a link, while massively reducing fraud.

Credit card fraud is on the rise, but APP (authorised push payment) fraud is going way up. Cybercrime is just over a trillion dollars a year, but that’s going to hit about nine to 10 trillion in four years’ time, and that’s because phishing has never been solved until now. And SMS fraud surpassed email as number one in 2024. 

The biggest problem with cyber warfare, and its intersection with people, is not knowing where to find the truth. 

Deepfakes and misinformation are rampant. The call to action in most cyberattacks, whether corporate espionage or fraud, is almost always a hyperlink. For banks and payment providers, this is particularly critical. While many feel their apps are secure, 83% of all new phishing websites are designed for mobile. Phishing accounts for 90% of all cyberattacks and is the single choke point to stop them.
