Tessian Blog

Beyond the SEG / Microsoft + Tessian, Threat Stories, Advanced Email Threats
Tessian in Action: Microsoft Credential Scraping Attempt
by Tessian Threat Engineering Group Monday, March 20th, 2023
Recently Tessian’s Threat Engineering Group identified an emerging threat, detected by Tessian Defender, targeting around 45 of our customers. The campaign was an email credential harvesting attack, and it was not detected by Microsoft Exchange Online Protection (EOP) when the attack began.

Anatomy of the attack

The attack email bypassed legacy security solutions such as secure email gateways (SEGs) as well as Microsoft 365. Several features of the email explain why:

  • The email was sent through Amazon Simple Email Service (SES), a legitimate service that attackers commonly leverage to send automated campaigns.
  • The display name impersonated the company being targeted, no doubt to add legitimacy. It was generated dynamically by taking the first three letters of the recipient address and presenting them as the company name, so every targeted organization saw a different sender name. This defeats the basic aggregation and clustering methods that secure email gateways and the native controls of email providers use to recognise a campaign.
  • The subject of the email was fairly innocuous. A SEG rule that flagged the word ‘payment’ would trigger hundreds of false positives.
  • The body of the email was benign, simply stating “Please consider the environment before printing this email”. If anything, the attack attempt is a little too spartan in content, which might have raised suspicions in the user who received it.
Let’s now look at the HTM attachment. It contains JavaScript that is itself encoded.
Decoding it twice yields a readable script, although some of the content is still encoded.
All this encoding and obfuscation attempts to hide the fact that the script redirects the user to a credential harvesting form. The form is hosted on a domain registered one day before the first phishing email was seen on the Tessian network. To add legitimacy, the targeted customer’s logo is displayed at the top of the form. Remember, this attack went to several organizations, so the logo must be selected dynamically; it was therefore most likely scraped by the attacker using automated tooling. The “username” field is already pre-populated with the recipient’s email address, again adding legitimacy and lowering the effort the recipient must make to share their password. Finally, when the password is entered, it is posted to a PHP script hosted on the same domain.
How did Tessian Defender detect this threat?

So how did Tessian Defender stop this threat when SEGs and Microsoft 365 didn’t? As well as detecting unusual file characteristics, Tessian’s Behavioural Intelligence models detected additional anomalies, increasing the confidence score to 100/100:

  • The recipient’s company name was used in the display name.
  • The recipient has no historical relationship with the sender.
  • Multiple emails were sent to each customer in a short period of time, to unconnected employees; this is known as a bust attack.
  • Tessian’s Natural Language Processing (NLP) models classified the email as being payments-related.

Depending on the specific customer configuration, Tessian Defender either hard-quarantined the email or displayed a warning message to end users, coaching them and raising their security awareness.
Indicators of Compromise (IOCs)

Tessian Threat Engineering Group added the below IOCs to the Tessian Unified Threat Interface. We recommend readers do the same.

  • Sender address: jorgezamora@powderiverdev[.]com
  • Credential harvesting site domain: https://emdghouseltd4[.]pro
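The sender-name trick and the layered attachment described above lend themselves to a small triage script. The following is an added example written for this post, not Tessian’s code. It parses a constructed .eml that mirrors the traits above and checks whether the display name is the first three letters of the recipient address, whether the sender is unknown to the recipient, whether the Return-Path points at Amazon SES, whether the subject is payment-themed on a near-empty body, and peels the HTM attachment’s encoding until a redirect URL appears. The post does not show the real attachment’s encoding scheme, so the sample assumes two layers (base64 wrapping a percent-encoded script); the recipient address, the Return-Path value and the /auth.php path are invented, while the sender address and harvesting domain are the IOCs listed above, kept defanged.

```python
"""Triage an inbound message for the traits of the campaign described above.

Added example (not Tessian's code). The sample message is constructed; the
real HTM attachment's encoding is not shown in the post, so two layers
(base64 around a percent-encoded script) are assumed.
"""
from __future__ import annotations

import base64
import binascii
import email
import re
import urllib.parse

# --- constructed sample ---------------------------------------------------
# Hypothetical recipient; the sender and harvesting domain are the post's IOCs.
RECIPIENT = "oak.finance@oakridge.example"
INNER_JS = ('window.location.replace("https://emdghouseltd4[.]pro/auth.php?u="'
            ' + "' + RECIPIENT + '");')               # username pre-populated
LAYER1 = urllib.parse.quote(INNER_JS, safe="")        # percent-encoded script
LAYER2 = base64.b64encode(LAYER1.encode()).decode()   # then base64 (assumed)
HTM = f'<html><script>eval(decodeURIComponent(atob("{LAYER2}")))</script></html>'


def build_sample() -> str:
    """RFC 822 text of the constructed message (thin body + .htm attachment)."""
    att = base64.b64encode(HTM.encode()).decode()
    return (
        "Return-Path: <bounce@amazonses.com>\n"          # assumed SES envelope sender
        'From: "Oak" <jorgezamora@powderiverdev[.]com>\n'
        f"To: {RECIPIENT}\n"
        "Subject: Payment Remittance\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n'
        "\n--b1\n"
        "Content-Type: text/plain\n\n"
        "Please consider the environment before printing this email\n"
        "--b1\n"
        'Content-Type: text/html; name="Remittance.htm"\n'
        'Content-Disposition: attachment; filename="Remittance.htm"\n'
        "Content-Transfer-Encoding: base64\n\n"
        f"{att}\n"
        "--b1--\n"
    )


B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
URL = re.compile(r'https?://[^\s"\'<>)]+')
FROM = re.compile(r'^\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$')


def _printable(s: str) -> bool:
    return all(c in "\r\n\t" or 32 <= ord(c) < 127 for c in s)


def peel(text: str, max_depth: int = 6) -> list[str]:
    """Strip one encoding layer at a time (a long base64 run, else percent-
    encoding) until nothing changes. Returns every layer, outermost first."""
    layers = [text]
    for _ in range(max_depth):
        cur, nxt = layers[-1], layers[-1]
        m = B64_RUN.search(cur)
        if m:
            try:
                cand = base64.b64decode(m.group(0), validate=True).decode("utf-8")
                if _printable(cand):
                    nxt = cand
            except (binascii.Error, UnicodeDecodeError):
                pass
        if nxt == cur and "%" in cur:
            nxt = urllib.parse.unquote(cur)
        if nxt == cur:
            break
        layers.append(nxt)
    return layers


def split_from(header: str) -> tuple[str, str]:
    """(display name, address); a plain regex so defanged domains survive."""
    m = FROM.match(header)
    return (m.group(1).strip(), m.group(2).strip()) if m else ("", header.strip())


def plain_body(msg) -> str:
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            return part.get_payload(decode=True).decode("utf-8", "replace")
    return ""


def triage(raw: str, known_senders: set[str]) -> dict:
    msg = email.message_from_string(raw)            # compat32: headers stay raw strings
    display, sender = split_from(msg.get("From", ""))
    local = msg.get("To", "").strip().split("@", 1)[0]
    signals = {
        # display name == first three letters of the recipient address
        "display_name_from_recipient": len(display) == 3 and display.lower() == local[:3].lower(),
        "no_prior_relationship": sender.lower() not in {s.lower() for s in known_senders},
        "ses_return_path": "amazonses.com" in msg.get("Return-Path", "").lower(),
        "payment_subject": bool(re.search(r"\b(payment|remittance|invoice)\b",
                                          msg.get("Subject", ""), re.I)),
        "thin_body": len(plain_body(msg).split()) < 15,
        "htm_redirect": False,
    }
    attachments = []
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if not name.endswith((".htm", ".html")):
            continue
        layers = peel(part.get_payload(decode=True).decode("utf-8", "replace"))
        final = layers[-1]
        urls = URL.findall(final)
        redirect = "location" in final and bool(urls)
        signals["htm_redirect"] = signals["htm_redirect"] or redirect
        attachments.append({"filename": name, "layers_peeled": len(layers) - 1,
                            "redirect": redirect, "urls": urls,
                            "recipient_embedded": local.lower() in final.lower()})
    fired = [k for k, v in signals.items() if v]
    return {"sender_domain": sender.rsplit("@", 1)[-1], "signals": signals,
            "attachments": attachments, "fired": fired, "score": len(fired)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample(), known_senders=set()), indent=2))
```

The script reports which of the six signals fired and, for each .htm attachment, how many layers it peeled and which URLs the innermost layer targets; the recipient’s own address appearing in that URL is the “pre-populated username” trait. Treat it as a triage aid rather than a verdict: the relationship check is only as good as the sender history you feed it, and the peeler handles base64 and percent-encoding only, so attachments using other obfuscation will still need manual decoding.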
Contributors: Ed Bishop and Catalin Giana.
Beyond the SEG / Microsoft + Tessian
Tessian Recognized as a Representative Vendor in the 2023 Gartner® Market Guide for Email Security
by James Alliband Monday, March 20th, 2023
Tessian is honored that Gartner has recognized us as a Representative Vendor for Integrated Cloud Email Security (ICES) in the 2023 Market Guide for Email Security.

Within the report, Gartner recommends that security and risk management leaders should: “Supplement the native capabilities of your existing cloud email solutions with third-party security solutions to provide phishing protection for collaboration tools and to address both mobile- and BEC-type phishing scenarios.”

According to the report, “The migration to cloud email platforms continues along with a significant increase in the number of phishing attacks.” Further in the report Gartner states, “Impersonation and account takeover attacks via business email compromise (BEC) are increasing and causing direct financial loss, as users place too much [trust] in the identities associated with email, which is inherently vulnerable to deception and social engineering.” The report informs its readers, “email continues to be a significant attack vector for malware and credential theft through phishing. An estimated 40% of ransomware attacks start through email. Cloud adoption continues, with an estimated 70% using cloud email solutions.”
Gartner recommends that security and risk management leaders responsible for email security should:

  • Supplement the native capabilities of your existing cloud email solutions with third-party security solutions, to provide phishing protection for collaboration tools and to address both mobile- and BEC-type phishing scenarios.
  • Use email security solutions that include anti-phishing technology for targeted BEC protection that use AI to detect communication patterns and conversation-style anomalies, as well as computer vision for inspecting suspect URLs.
  • Select products that can provide strong supply chain and AI-driven contact chain analysis for deeper inspection and can detect socially engineered, impersonated, or BEC attacks.
  • Prioritize integration of email security solution APIs to enable integration of email events into a broader XDR or security information and event management (SIEM)/security orchestration, analytics and reporting (SOAR) strategy.
Email security has come a long way since its inception around 2000, when the greatest external threats facing on-premise mail servers were bulk unsolicited mail and spam. Today the world has changed. As Gartner notes in the report, an estimated 70% of organizations now use cloud email solutions. This rapid shift to the cloud has opened up a new threat landscape that security and risk management leaders must understand and learn to protect themselves from. The effectiveness of email security has been in the crosshairs for quite some time, and email remains the entry point for over 90% of cyber attacks.
But why is this the case? The rapid shift to the cloud handed cyber criminals a huge opportunity, and they grabbed it with both hands. Email security, while being in the crosshairs, has been largely untouched for many years. Organizations holding significant investments in their Secure Email Gateway (SEG) rely on it to protect their internal network from the outside world. It isn’t as though these solutions deteriorated overnight, but the world around them did. Secure Email Gateways were built to address security concerns in a bygone, cloud-averse world. They were once the gold standard in email security, but the rapid shift to the cloud and an ever-changing threat landscape have left this once sturdy and reliable email defense vulnerable and ineffective at safeguarding users and data from advanced threats and insider risks.

Further to this, Microsoft and Google have put pressure on this space. They now offer capabilities that overlap with a Secure Email Gateway (SEG) within their cloud productivity platforms, allowing organizations to streamline their email security approach, simplify their security stack, and reduce cost and complexity. But while this is a positive for security and risk management leaders, Gartner states in the report that “threat actors are also getting more sophisticated, often targeting the end users using fake login pages as a way of harvesting credentials. Sophisticated email threats include compromised websites and weaponized documents used to deploy malware. Many ransomware-as-a-service gangs use email as the initial entry point. Beyond malware, business email compromise and account takeover threats continue to rise, with significant financial losses as a result”.
Combatting this new wave of attacks

It is now recommended to consolidate overlapping gateway capabilities into Microsoft 365 to help CISOs reduce cost and complexity, with the caution that CISOs should carefully evaluate the native capabilities offered by cloud email systems and ensure that they are adequate to prevent a sophisticated attack. An argument can be made that “complexity” remains at the heart of Microsoft’s licensing model. Microsoft has numerous packaging options, bundles, and add-ons. Knowing where they differ and overlap is vital to understanding what you have access to today and effectively leveraging native security capabilities to secure your email environment.
At Tessian we believe that organizations need to go beyond their SEG and that a Microsoft + ICES email security stack is the future of email security. Gartner recommends that to combat this new wave of attacks, email security solutions need to use a variety of more-advanced detection techniques, including, but not limited to, Natural Language Processing, Natural Language Understanding, and Social Graph Analysis. Gartner states, “ICES solutions go beyond simply blocking email by adding context-aware banners warning users. This means that the threshold for false positives can be higher and can also reinforce security awareness training. Often, a mechanism for reporting phishing is included, either as part of the email client or as another banner inserted into the email body.”

Microsoft + Tessian = Comprehensive security

This is where an intelligent cybersecurity solution like the Tessian Cloud Email Security Platform comes into play, providing advanced email threat protection and insider risk protection on email. With Tessian, no mail exchange (MX) records need to be changed. Tessian constructs a historical map of email behavior across the organization, and its algorithms can then detect and prevent threats that Microsoft or SEGs have failed to detect.
This dynamic protection improves with each threat that is prevented. Unlike the in-line, static nature of SEGs, it provides 24/7 real-time protection against all attack vectors, including insider threats. That is why leading enterprises opt to displace their legacy SEG and augment Microsoft’s native security capabilities with Tessian.

Gartner, Market Guide for Email Security, Ravisha Chugh, Peter Firstbrook, Franz Hinner, 13 February 2023

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Attack Types, Threat Stories, Advanced Email Threats
Dozens of SVB and HSBC-themed URLs Registered
by Tessian Threat Engineering Group Wednesday, March 15th, 2023
As we explored 48 hours ago, the recent turbulence in the banking sector provided a potential opportunity for threat actors to launch attacks. So it comes as no surprise that we’re starting to see domains spun up for just such purposes. Tessian’s Threat Intel Team have been monitoring the situation as it unfolds and found that multiple domains featuring both SVB and HSBC have been registered. Malicious domains are being added to Tessian’s Unified Threat Feed to proactively protect our customers from future phishing attacks.

What is interesting is that some of these domains serve legitimate, if a little unorthodox, purposes such as driving traffic, marketing and selling merchandise. It’s in this ‘fog of war’ that bad actors like to hide, and clearly some domains have been registered with attacks in mind. So let’s look at those first.

Siiiconvalleybank[.]com and siliconvalleybonk[.]com have clearly been set up to launch impersonation attacks, hoping people don’t notice the typos in the URLs. Other examples include myaccount-hsbc[.]com and thesiliconvalleybank[.]com. Meanwhile svb-usdc[.]com and svb-usdc[.]net are both already set up to launch phishing attacks.
Google is already blocking these and alerts any visitors to that effect. Exploring beyond that warning reveals a ‘lookalike’ site offering a reward program and clicking ‘claim’ opens a QR code.
Fake URLs to drive traffic

Some of the newly registered URLs are also being used to drive traffic. hsbcinvestdirect.co[.]in uses the HSBC brand to gain more traffic for an Indian-based website with adult content. Meanwhile svblogin[.]com loads the All Day Capital Partners website, which offers to ‘help’ SVB customers. Many of the others are cybersquatting, no doubt hoping to sell on, while others are registered but contain no content or redirect, as if waiting to see how things pan out. Perhaps one of the oddest is svbbankrun2023[.]com, which hosts a merchandise shop selling SVB-themed items.
Tessian Recommends

The following list should be used as a blocklist at your own risk; we advise adding the newly registered domains to a watchlist for monitoring purposes. Here’s a full list of SVB and HSBC URLs we’ve documented so far.

  • hsbcsvb[.]com
  • siiiconvalleybank[.]com
  • login-svb[.]com
  • svbankcollapseclaimants[.]com
  • svbankcollapselawsuit[.]com
  • svblawsuits[.]com
  • hsbcinvestdirect.co[.]in
  • svbanklegal[.]com
  • svbankcollapse[.]com
  • svbankcollapseclaims[.]com
  • siliconvalleybankfilm[.]com
  • siliconvalleybankcrash[.]com
  • siliconvalleybankcollaps[.]com
  • siliconvalleybankcolapse[.]com
  • siliconvalleyfederalbank[.]us
  • silliconvalley[.]ink
  • siliconvalleyfederalbank[.]net
  • siliconvalleybank-usdc[.]com
  • siliconvalleybonk[.]com
  • ziliconvalley[.]sk
  • siliconvalleybankcustomerservice[.]com
  • siliconvalleybankhelp[.]com
  • siliconvalleyentrepreneursbank[.]com
  • siliconvalleybankcreditors[.]com
  • siliconvalleyentrepreneurbank[.]com
  • siliconvalleybankclasaction[.]com
  • wwwsiliconvalleybankclassaction[.]com
  • siliconvalleybankfailures[.]com
  • siliconvalleybanksettlement[.]com
  • siliconvalleybank[.]xyz
  • siliconvalleybank[.]lol
  • siliconvalleyfederalbank[.]biz
  • siliconvalleyfederalbank[.]lol
  • siliconvalleybankmovie[.]com
  • siliconvalleybank[.]biz
  • siliconvalleybn[.]com
  • siliconvalleybanklawsuit[.]com
  • siliconvalleybankclassaction[.]com
  • siliconvalleybankreceivershipcertificate[.]com
  • siliconvalleybankcollapse[.]com
  • siliconvalleybust[.]com
  • svbbankrun2023[.]com
  • svbalternative[.]com
  • svbankclassaction[.]com
  • svbanklawsuit[.]com
  • svb-cash[.]com
  • svbfdic[.]com
  • svbwiki[.]com
  • svbcollapseexplained[.]com
  • banksvb[.]com
  • svbdeposit[.]fyi
  • svbcollapse[.]net
  • svbbailout[.]org
  • fucksvb[.]com
  • svbcoin[.]xyz
  • svbchain[.]xyz
  • svb-usdc[.]com
  • svb-usdc[.]net
  • svbfailure[.]com
  • svbopenletter[.]com
  • svbplaintiffs[.]com
  • svbinfo[.]com
  • svbbankrun[.]com
  • svbrecovery[.]com
  • svbmeltdown[.]fyi
  • wefundsvbclients[.]com
  • svbreceivership[.]com
  • svblogin[.]com
  • svbcollapse[.]com
  • svbclaim[.]com
  • svbdebt[.]com
  • svbclaims[.]net
  • svbbailout[.]com
  • svbi[.]io
  • svbank[.]com
  • hsbcbdubai[.]com
  • hsbc079[.]com
  • hsbc757[.]com
  • hsbc736[.]com
  • hsbc119[.]com
  • hsbc719[.]com
  • hsbc938[.]com
  • hsbc891[.]com
  • hsbc-premium[.]com
  • hsbckyc[.]com
  • hsbclogin[.]co
  • myaccount-hsbc[.]com
  • thesiliconvalleybank[.]com
  • 1svb[.]com
  • circle-svb[.]com
  • svb2023[.]com
  • svbgate[.]com
  • svbtoken[.]com
  • svbnfts[.]com
  • whatissvb[.]com
Attack Types, Threat Stories, Advanced Email Threats
The Current SVB Banking Crisis Will Increase Cyberattacks, Here’s How to Prepare
by Tessian Threat Engineering Group Monday, March 13th, 2023
The recent banking turmoil involving Silicon Valley Bank and Signature Bank sent shockwaves through technology firms globally as they scrambled to transfer their capital, secure payroll, and pay their bills. However, this mass changeover in banking details is exactly the situation that breeds targeted cyberattacks. Although the swift intervention of The Federal Reserve, The Bank of England, HSBC and others helped calm the liquidity crisis, a cyber threat crisis is likely now brewing as threat actors spin up a host of impersonation attacks and campaigns. The Tessian Threat Intel Team has already seen dozens of SVB and HSBC-themed URLs registered, some of which are used to launch phishing campaigns. 
Money, distraction, urgency

Bad actors are driven by money, and there is a lot of money at play in this crisis. The streaming firm Roku indicated it has about $487 million in deposits at SVB. Firms like this are likely making changes now to diversify where they deposit their money and, accordingly, updating wiring instructions to reflect new banking relationships. In its Q4 Risk Insights index, Corvus Insurance indicated that 28% of all claims in Q4 2022 were due to fraudulent funds transfers.

Threat actors relish the confusion and rapid changes that come with a crisis like this. The sheer number of updates to wiring instructions increases the chances that standard operating procedures around changing wiring instructions are ignored. Common operating procedures around changing wiring instructions include:

  • verifying the authenticity of each request by calling the requester, using a known, existing phone number and not one provided in the new email;
  • implementing a call-back verification step with each vendor whenever wiring instructions are changed; and
  • implementing dual control, with multiple “eyes” on every wire change request.

Tessian is already seeing genuine email traffic related to changing wiring instructions and expects to see advanced attacks leveraging this crisis soon. Finally, the scale of this crisis is huge and information about it is widespread. There are a large number of affected entities, and Reuters published a list detailing not only the firms affected but their financial exposure, ensuring a target-rich environment for the bad guys.
Fraudulent (and genuine) wire transfers

The two most common attack vectors for fraudulent funds transfers are (1) impersonation attacks and (2) targeted phishing attacks. In an impersonation attack, the bad actor impersonates a person or company known to the organization, typically by registering a new domain name that looks very similar to the targeted company’s domain.

In the illustrative example, the attacker registers a new domain name (salesciricle-receivables.com) that looks similar to salescircle.com and reaches out to the finance department at Acme to request a change in bank account for future payments. Sophisticated attackers conduct research using publicly available information (10-K annual reports, LinkedIn blog posts, LinkedIn connections to the CFO or accounts payable personnel, and any website mentions) to build a convincing approach.

A targeted phishing attack uses similar impersonation methods while attempting to gain access, either electronically with a username and password or via a socially engineered approach, in order to carry out a fraudulent funds transfer. In a second scenario, the attacker impersonates a known, trusted domain and attempts to gain access to an accounts payable employee’s account.
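Both the SVB/HSBC watchlist in the previous post and the salesciricle-receivables.com example here come down to the same two checks: is a domain within a typo or two of a domain you trust, and does it borrow a brand name you protect, possibly combined with a login or account word. The following is an added example, not Tessian’s code, that applies those checks to defanged domains and separates “lookalike” (a candidate for blocking) from “brand-themed” (a candidate for the watchlist, since lawsuit sites, merchandise shops and squatters land here too). The legitimate-domain set, the brand keywords, the login/account word list and the rough registrable-domain logic are assumptions chosen for the illustration; in production use the Public Suffix List and your own vendor inventory.

```python
"""Classify candidate domains as lookalike, brand-themed, legitimate or unrelated.

Added example (not Tessian's code). LEGIT, BRANDS, AUTH_WORDS and the
registrable-domain heuristic are assumptions chosen for this illustration.
"""
from __future__ import annotations

import re

LEGIT = {"svb.com", "hsbc.com"}                        # domains you treat as genuine
BRANDS = {"svb", "hsbc", "siliconvalleybank", "siliconvalley"}
AUTH_WORDS = {"login", "signin", "secure", "account", "verify",
              "help", "support", "customerservice", "kyc"}
CC_SLD = {"co", "com", "org", "net", "ac", "gov"}      # e.g. hsbcinvestdirect.co.in
FUZZY_MIN_LEN = 5   # never fuzzy-match very short names ("svb" vs "sub" is noise)


def refang(domain: str) -> str:
    return domain.strip().lower().replace("[.]", ".").rstrip(".")


def registrable(domain: str) -> str:
    """Rough eTLD+1; a real deployment should use the Public Suffix List."""
    labels = domain.split(".")
    if len(labels) >= 3 and labels[-2] in CC_SLD and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance: typos, dropped letters and l/i swaps all score low."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, legit: set[str] = LEGIT, brands: set[str] = BRANDS,
             max_distance: int = 2) -> dict:
    d = refang(domain)
    reg = registrable(d)
    if reg in legit:
        return {"domain": d, "verdict": "legitimate", "reasons": []}
    sld = reg.split(".")[0]                       # the label people actually read
    tokens = {sld, *re.split(r"[-_]", sld)} - {""}  # "myaccount-hsbc" -> both halves
    targets = {ld.split(".")[0] for ld in legit} | brands
    targets = {t for t in targets if len(t) >= FUZZY_MIN_LEN}
    reasons, lookalike, themed = [], False, False
    # 1. typo-distance from a trusted name or a long brand keyword
    for tok in sorted(tokens):
        for t in sorted(targets):
            dist = levenshtein(tok, t)
            if 0 < dist <= max_distance:
                reasons.append(f"'{tok}' is {dist} edit(s) from '{t}'")
                lookalike = True
    # 2. brand keyword embedded; brand + login/account word reads as impersonation
    for b in sorted(brands):
        if b in sld:
            themed = True
            reasons.append(f"contains brand keyword '{b}'")
            if any(w in sld.replace(b, "") for w in AUTH_WORDS):
                lookalike = True
                reasons.append(f"brand '{b}' combined with a login/account word")
    verdict = "lookalike" if lookalike else "brand-themed" if themed else "unrelated"
    return {"domain": d, "verdict": verdict, "reasons": reasons}


def watchlist(domains, **kw) -> dict[str, list[str]]:
    """Group a list of (possibly defanged) domains by verdict."""
    out: dict[str, list[str]] = {}
    for dom in domains:
        r = classify(dom, **kw)
        out.setdefault(r["verdict"], []).append(r["domain"])
    return out


if __name__ == "__main__":
    sample = ["siiiconvalleybank[.]com", "myaccount-hsbc[.]com", "svbbankrun2023[.]com",
              "hsbcinvestdirect.co[.]in", "svb-usdc[.]net", "svb.com"]
    for verdict, doms in watchlist(sample).items():
        print(verdict, doms)
    # vendor impersonation check from the wire-fraud example
    print(classify("salesciricle-receivables.com", legit={"salescircle.com"}, brands=set()))
```

For the wire-fraud case, run classify on the sender domain of every inbound bank-detail change with legit set to your vendor inventory; a “lookalike” verdict is a reason to hold the change until the call-back verification above has been done. The verdict is about form, not intent: svb-usdc[.]net scores only “brand-themed” even though the post observed it hosting a phishing page, which is exactly why the post puts the whole list on a watchlist rather than a blocklist.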
Recommended next steps

Tessian’s Threat Engineering teams are monitoring our datasets closely for emergent threat signals and updating Tessian’s Global Threat Library and Behavioral Intelligence Model in response. Our existing Defender customers will automatically benefit from this protection. In addition, we recommend the following steps to further protect our existing customers:

  • Deployment hygiene: review your deployment coverage to ensure Defender’s protection is configured to apply to all mailboxes on all devices. Schedule a deployment health-check.
  • Enable warnings for money requests: for additional protection, Defender customers can leverage Defender’s Custom Protection to detect and warn users when an email “requests money”.
  • Reinforce approval processes: work with your finance teams to revise and review your payment approval workflows, and consider adding an additional internal verification layer to account for the increased risk.
How Tessian stops wire fraud attacks

Built ready: The SVB crisis and other events like it are exactly the sort of thing Tessian was built to handle. Tessian covers fraudulent fund transfer attacks and other scenarios that are difficult to detect and are often missed by legacy email security tools. Tessian is built to detect and prevent any variations of wire fraud attacks.

Spotting imposters: Tessian catches thread hijacking attempts by looking for subtle indications of domain spoofing and small changes in behavior that suggest the sender isn’t who they say they are.

Custom protection: All Tessian customers have access to an additional layer of protection that allows them to educate users at the point of receiving a suspicious email, including those involving fraudulent funds transfers. Defender’s Custom Protection gives organizations an additional layer of security by alerting users when an email triggers specified conditions. This provides further fine tuning around threats specific to your organization or specific groups within your organization.

Proactive defense: As this situation evolves, Tessian’s Threat Engineering Team are closely monitoring incoming emails for new phishing tactics and upward trends in existing ones, continuously improving the breadth and accuracy of the protection we provide to our customers. Our threat intelligence team can also respond to new phishing campaigns in a matter of minutes by updating our global threat library, ensuring that all of our customers are protected against malicious sender domains and URLs.

Guidance: While we may see more basic attacks leveraging the SVB crisis initially, threat actors will quickly evolve in sophistication to take advantage of the sheer volume of wire changes occurring and better target organizations. Legacy email security tools that use rules and policies are more likely to miss these attacks or report large numbers of false positives. Tessian’s guidance to our customers and anyone else is to expect a significant uptick in the volume and quality (more convincing) of attacks on your employees over the coming weeks and months. See Defender in action (video) or request a free trial of Tessian to start detecting wire fraud attacks today.
Beyond the SEG / Microsoft + Tessian, Advanced Email Threats
Why You Should Download the Microsoft 365 + Tessian Guide
by Bob Boyle Thursday, March 9th, 2023
With Business Email Compromise (BEC) attacks remaining the number one cybercrime in 2022, and 82% of data breaches involving humans, email continues to be the largest threat vector for any organization. The effectiveness of legacy gateway solutions like Proofpoint, Ironport, and Mimecast has come under scrutiny as organizations look to solve new security concerns in a cloud-first world. Organizations that have already begun adopting cloud-hosted productivity suites, like Microsoft 365, are finding that the suites’ native security capabilities overlap with what legacy email security solutions have traditionally addressed.

Microsoft has made significant strides in improving the native security features built into their different licensing models. This allows security leaders to reduce cost and complexity within their security stack, as the email security capabilities offered by Microsoft 365 mirror those of a Secure Email Gateway (SEG):

  • Traditional email security
  • URL & attachment protection
  • Manual investigation & response
  • Rule-based DLP policies

These overlapping capabilities have given security leaders a good-enough option to move beyond legacy SEGs, but understanding what is included within each Microsoft licensing model is key to effectively securing an organization’s email environment. Microsoft offers various packaging bundles and add-ons, allowing flexibility for security leaders to maintain the same level of protection offered by their legacy gateway solutions.
Is good enough really good enough?
The global shift to a remote workforce has also opened up new threat vectors and emerging attack types that security leaders are still struggling to prevent. Round-the-clock access to sensitive data has increased the human risk of malicious, negligent, and accidental data loss. Attackers are leveraging social engineering to trick end-users by abusing trusted relationships. Relying solely on traditional detection methods to defend against advanced attacks, and on rule-based policies to protect against insider risk, is leaving organizations more vulnerable than ever before.

A more intelligent approach is needed. Organizations can continue to rely on traditional detection methods to filter out bulk phishing and spam, but simply put, scanning for malicious signatures based on known threat intelligence doesn’t stop the advanced threats that security leaders face today.
There is, however, a solution. The advanced detection capabilities of an Integrated Cloud Email Security (ICES) solution close the gaps where legacy, rule-based detection or current Microsoft tools fall short. ICES solutions employ advanced machine learning to map an organization’s typical email behavior and detect unusual communication patterns, providing a more accurate defence against BEC attacks. In addition, ICES solutions can warn end-users of potential misdirected emails or instances of sensitive data loss.
In this Solution Guide, we discuss the decline of legacy gateway solutions, how to reduce cost & complexity by migrating to Microsoft 365, and what email security capabilities are available in each Microsoft licensing package. In the end, readers will understand how Tessian + Microsoft 365 enables the most complete Integrated Cloud Email Security platform.
Read Blog Post
Insider Risks
Taking a Modern Approach to Insider Risk Protection on Email
by Seema Shah Thursday, March 9th, 2023
Businesses have found themselves in a world where data is a form of currency. Their biggest successes rely on leveraging and exchanging vast volumes of data such as company IP, customer PII data, payment information, or confidential business intel. In nearly every case, this is sensitive data. While businesses would not thrive without data, they would also not run without their people. People and data working in harmony, enabled by technology, and driven by processes are the key ingredients for what powers a business.

The increasingly interconnected nature of the global business network demands a universally accepted and standardized method of communication. Unsurprisingly, this is email by default, making it the most utilized channel for sending and receiving sensitive data, with nearly 350 billion emails sent daily.

But as Spiderman’s Aunt May said, with great power comes great responsibility. As much as data can serve as a competitive advantage, it can also be the cause of the downfall of a business. The average cost of a data breach in 2022 stands at $4.35 million according to IBM Security’s “The Cost of a Data Breach Report”.

Rules don’t work
Preventing breaches is paramount, but it’s only possible to truly secure the data by understanding the people. And it isn’t possible to understand people with static, stagnant rules and a one-size-fits-all, rigid approach, because everyone is different. People work in many roles and functions, interacting with varying types of sensitive data in their own way. Furthermore, the rise of remote working and migration to the cloud has allowed people to work “in their own way” more than ever before.

Everyone has a unique behavior on email, from the way different individuals address their recipients to the distinct set of initiatives they are working on and the typical associated stakeholders and data of each of those.
So it follows that today, one of the biggest challenges of protecting data on email is insider risk, whereby an employee accidentally, negligently, or maliciously leaks sensitive data.

Why we’ve published this guide
With current DLP solutions, you would have to configure endless rules to account for the countless different email behaviors unique to each employee to address the majority of data loss events arising from insider risks such as misdirected emails, misattached files, and data exfiltration.

The issue of insider risk and data loss on email requires a tailored approach to every employee’s unique, risky behaviors on email, driven by a deep understanding of their normal behavior to identify anomalies, mistakes, and malicious actions effectively.

Insider risk can cause real harm to your business. What’s more, many security leaders are unaware of how many incidents actually happen, as many are unreported. Tessian has created a guide for addressing the problem of insider risk on email, covering what you need to know about today’s threats and what it takes to solve the problem. Download our guide to find out how.
Read Blog Post
Engineering Blog, Life at Tessian
Our VP of Engineering on Tessian’s Mission and His First 90 Days in the Role
by Gün Akkor Wednesday, March 8th, 2023
After many years working to secure the networks, computers, applications and connected devices that power our world, I joined Tessian a little over 90 days ago to help them in their journey to eliminate human-influenced cyber attacks, accidents, and insider threats from the enterprise.

So why Tessian and why now? Targeted email attacks such as business email compromise (BEC), spear phishing, account takeover, and ransomware continue to be the number one and most damaging human-influenced cyber threats to businesses. As businesses move to cloud-based email services like Microsoft 365 and Google Workspace, they are looking for email security solutions that can be combined with the capabilities of these platforms. A new market space – Integrated Cloud Email Security (ICES) – is emerging to fill this need.
I believe the evolution of ICES will follow a pattern similar to that of the emergence of Endpoint Detection and Response (EDR) in the endpoint protection space, and Cyber Asset Attack Surface Management (CAASM) in the asset management space: legacy solutions pivoting into the new market and forward-thinking new companies looking to disrupt the status quo.

Tessian has the forward thinking necessary to become one of the visionaries in this space. I am excited to join Tessian to help accelerate their execution to become the leader. The journey is just starting to be interesting! Moreover, Tessian is not playing a “finite game” (good news for you Simon Sinek fans!). Our vision is to secure the human layer. This vision is beyond just email security, and one that I can get behind.

Just like physical security, cybersecurity has been taking an adversarial approach to protecting the networks and computers humans engage with in the course of doing day-to-day business. Over the past several decades we have built solutions that protect network perimeters and detect and respond to anomalies in machines running applications and software.

Today, employees in an organization use multiple interfaces (email, messaging, shared drives, and documents) to access and work with (sensitive) data. Many solutions put rules and boundaries around such interactions without learning from and adapting to their changing nature; they are not only insufficient but also restrictive.

Tessian aspires to protect every business’ mission while empowering their people to do their best work. This is not an end goal but a shared purpose. Lastly, no company aspiring to secure the human layer could be true to itself if it wasn’t human-first and customer-centric. These are part of Tessian’s core values, and I look forward to building a company that exemplifies these values every day and learns from the industry experts, our partners, and of course our customers. It has been a whirlwind 90 days so far!
If you are interested in knowing more about Tessian, or would like to work with us, or you are an expert with an idea to pitch, reach out to me. I would be happy to hear from you, and our open roles are here.
Read Blog Post
Compliance, Advanced Email Threats
Will Australia’s Tougher Cyber Regulation Force Firms to Upgrade Their Security?
by Andrew Webb Friday, March 3rd, 2023
2023 saw several shifts around the world in data privacy laws. But by far the biggest is the news that the Australian authorities have increased penalties for data breaches following a spate of major cyberattacks.

Australian firms are facing a hacking ‘pile on’ as threat actors find relatively few sophisticated defenses and an undersized and overstretched cybersecurity workforce to stop them. The Australian cybersecurity minister, Clare O’Neil, has warned of a new world “under relentless cyber-attack” as Australia’s security agencies scramble to stop the latest ransomware attacks. This is exacerbated by a country-wide lack of skilled security professionals across all disciplines which, according to the latest research, is nearing crisis levels. Finally, Australia isn’t immune to global pressures like the post-pandemic shift to remote working, which has only increased the attack surface.
Previous attempts to address the issue
It’s not like the Australian Government has been sitting on its thumbs over the issue. In 2016, the government released its first Cyber Security Strategy, which included investments in cybersecurity research and development, increased collaboration between government and industry, and the establishment of the Australian Cyber Security Centre (ACSC). The ACSC is a key element of Australia’s cybersecurity infrastructure and provides a range of services to government agencies and businesses, including threat intelligence, incident response, and advice on cybersecurity best practices. The ACSC also works with international partners to share information and collaborate on cybersecurity initiatives. The Australian government has also introduced legislation aimed at improving cybersecurity. The Security of Critical Infrastructure Act 2018 requires owners and operators of critical infrastructure to report cyber incidents to the government, while the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 provides law enforcement agencies with greater powers to access encrypted communications.
Australian privacy breach fines just got a whole lot bigger
The new bill aims to increase fines from a current maximum of AU$2.22 million (USD$1.4m) to whichever of the following is greater: AU$50 million (USD$34m), three times the value of any benefit obtained through the misuse of information, or 30% of a company’s adjusted turnover in the relevant period. That’s a significant increase on the old fine and dwarfs IBM’s average total cost of a data breach, which stood at USD$4.35 million in 2022. It is even bigger than the estimated $25m and $35m fallout costs of the attack on Australian healthcare provider Medibank. Further damage was done as Medibank’s value fell by AU$1.6 billion in just a single week after the breach.
Australia’s cyber future
Another key trend that will shape the future of cybersecurity in Australia is the increasing use of cloud computing. Many businesses are moving their data and applications to the cloud, which can provide cost savings and greater flexibility. However, cloud computing also introduces new cybersecurity challenges, such as the need to secure data stored in multiple locations and the risk of third-party data breaches. As mentioned above, the shortage of skilled cybersecurity professionals is also likely to remain a challenge in the future. The Australian Cyber Security Centre’s 2020 Cyber Security Survey found that 88% of surveyed businesses had difficulty recruiting cybersecurity professionals. To address this shortage, the Government and industry need to work together to provide training and education opportunities for cybersecurity professionals.

Looking further ahead, the Government recently launched the 2023-2030 Australian Cyber Security Strategy Discussion Paper, seeking the views and opinions of interested parties and experts (the option to contribute closes April 15 2023). The aim is to assemble an offensive cyber team to become the world’s “most cyber-secure country” by the end of the decade. That’s going to take a while. In the meantime, Australian firms, or global enterprises that have data there, are left with the threat of large, potentially ‘business ending’ fines. Interestingly, the ‘breach turnover period’ stands at 12 months or the duration of the contravention, whichever is longer. For longer-term systemic breaches by larger organizations, this framework could lead to maximum penalties significantly higher than the A$50 million figure. Indeed, some commentators are asking if 2023 will see the first AU$1 billion data privacy fine. All this raises the question of the effectiveness of state sanctions on companies who fall foul of cyber regulations.
But will, as the Australian authorities hope, bigger fines lead to companies upgrading their security stance and ultimately fewer breaches? We’ll have to wait and see. But with email the biggest attack vector, Australia-based organizations should give serious thought to adopting an Integrated Cloud Email Security solution, and quickly. 
Read Blog Post
Life at Tessian
A decade in the making, but the best is yet to come.
by Tim Sadler Tuesday, February 28th, 2023
January 2023 was a special month for us here at Tessian. We celebrated our 10th birthday and we also brought together over 200 Tessians in person for the first time ever for our company kick-off (CKO) in London. It was a humbling moment and a great reminder of how far we’ve come from the days of building Tessian v1 in our first HQ (which was also our living room) and cold emailing thousands of people a week trying to get anyone to take a meeting with us.

With a more distributed team than we’ve ever had before, we thought it was really important to get everyone together in person to celebrate the wins of the past year and set the course for our ambitious 2023 plans. You can see a video reel of the event above, but I wanted to share three of my highlights.

Sharing the journey with an incredible team. It’s said so often that it’s almost cliché, but when building a startup, you live and die by the strength of your team. Having everyone all together for the first time since 2019 was a reminder of the incredible passion, talent and shared sense of mission that we all have at Tessian.

Appreciating the scale of what you’ve built. When you’ve been building for 10 years, it’s easy to lose track of the progress you’ve made over time. This hit home when we reflected on preventing hundreds of thousands of data breaches and security threats and, on our busiest days, processing more than 1,400 transactions per second for our customers.

Hearing your customers tell you the impact you’re having for them. We invited several Tessian customers from the US and UK to share their stories and experiences with our team. Maurice Tunney (Director of Technology & Innovation at Keystone Law) became a Tessian customer just over a year ago and in that time Tessian has stopped 33 account takeover attacks, any one of which, in Maurice’s words, “could have shut the business down”.
Having customers who care so much about your product that they take time out of their schedule to join your company kick-off and share why you’re such a critical part of their security technology stack is an incredible reminder of the impact our technology is having and the importance of our mission. Tessian may be a decade in the making, but the best is yet to come and we have an exhilarating year ahead. If you’re interested in joining our mission and being there for next year’s CKO, please check out our open roles here.
Read Blog Post
Beyond the SEG / Microsoft + Tessian, Advanced Email Threats
Tessian Threat Hunting Series: Account Takeover & SharePoint File Share Attack
by Tessian Threat Engineering Group Wednesday, February 22nd, 2023
Recently, Tessian Defender detected and prevented an emergent threat across a large number of our legal and financial customers. Here’s how it happened… This external Account Takeover (ATO) campaign contained over 500 malicious emails that evaded Microsoft’s and customers’ secure email gateway (SEG) controls. Subsequently, it went on to reach 20 of our customers’ inboxes. An ATO often occurs when a user accidentally shares their credentials with a threat actor, allowing them full access to their email account. Because a legitimate account was compromised, this ATO attack was sent from a trusted email address, with the correct domain, meaning it would have been almost impossible for an end user to identify it as malicious. What’s more, the email content was a legitimate Microsoft SharePoint file sharing email pointing to a OneNote file in SharePoint. The hosted file pointed to a malicious website used to harvest user credentials.

Here’s a screenshot of the SharePoint email (the name, file and entities have been anonymized).
Why did the SEGs not detect this threat?
There are two main reasons why a traditional SEG didn’t stop this attack. Firstly, external ATOs are extremely difficult to detect because the phishing email is sent from a legitimate account; it’s just a bad actor operating the account. This means all email authentication methods, such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication Reporting and Conformance (DMARC), will pass. Secondly, the email pointed to a legitimate SharePoint URL which, at the time of delivery, was not present on URL threat feeds. SEG detection relies heavily on signature-based threat intelligence feeds. But for new and emerging threats, when the URL has not been seen before, there is no signature to detect, so the only option they have is to deliver the email.
How did Tessian Defender detect this threat?
Tessian Defender’s behavioral intelligence models identified two clear anomalous signals to predict this ATO attack.

Firstly, Unusual Sender Behavior. A large number of emails (~500) were sent from the compromised account, to many disconnected users on the Tessian network, in a short period of time. Successfully compromising an account is a rare event for an attacker, therefore the attacker will likely send many emails from the compromised account to trusted contacts in the account’s address book, as quickly as possible, before being discovered and before the credentials are changed.

Secondly, Unusual File Sharing Service Used. As mentioned above, Microsoft SharePoint was leveraged in this attack. There is nothing unusual or suspicious about SharePoint; however, because Tessian Defender’s behavioral models have a deep understanding of every relationship in our customers’ accounts, they were able to identify that the sender of this email had never used the SharePoint service in previous interactions. Depending on the specific customer configuration, Tessian Defender either hard-quarantined this email or displayed the following warning message to end users:
This email was confirmed to be malicious by end users and security analysts across our customer base, reinforcing and strengthening the Tessian Global Threat Network and nullifying this emergent threat.

Account takeover attacks are becoming an increasingly common category of threat, driven by their ability to evade existing Microsoft and secure email gateway controls. Consequently, there is a strong likelihood of an end user being tricked into trusting the legitimacy of the email. Once inside, a threat actor can deploy ransomware, instigate fraudulent fund attacks, and continue to move laterally through a customer’s organization by compromising higher-value target accounts.
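The two behavioral signals described in this post, a burst of mail from one sender to previously unseen recipients and a sender's first-ever use of a file-sharing service, can be scored against a per-sender baseline. The following is an added illustration written for this page, not Tessian Defender's code; the email metadata, sender profile structure, thresholds and the SharePoint-style link are all constructed assumptions.

```python
"""Toy behavioral checks for the two ATO signals described above.
Added example, not Tessian's implementation; all data is constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumed list of file-sharing services worth profiling per sender.
FILE_SHARING_DOMAINS = {"sharepoint.com", "onedrive.live.com",
                        "drive.google.com", "dropbox.com"}
DEFAULT_WINDOW = timedelta(hours=1)


@dataclass
class Email:
    sender: str
    recipient: str
    sent_at: datetime
    urls: list


@dataclass
class SenderProfile:
    """What we have historically seen from one sender (the baseline)."""
    contacts: set = field(default_factory=set)   # recipients mailed before
    services: set = field(default_factory=set)   # file-sharing services linked before
    max_per_hour: int = 0                        # busiest hour seen in history


def link_services(urls):
    """Return the file-sharing services referenced by a message's URLs."""
    found = set()
    for url in urls:
        host = urlparse(url).hostname or ""
        for domain in FILE_SHARING_DOMAINS:
            if host == domain or host.endswith("." + domain):
                found.add(domain)
    return found


def peak_per_window(times, window=DEFAULT_WINDOW):
    """Largest number of timestamps falling inside any rolling window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] >= window:   # slide the window's left edge
            start += 1
        best = max(best, end - start + 1)
    return best


def build_profiles(history):
    """Learn per-sender baselines from historical email metadata."""
    profiles = defaultdict(SenderProfile)
    times_by_sender = defaultdict(list)
    for e in history:
        profiles[e.sender].contacts.add(e.recipient)
        profiles[e.sender].services |= link_services(e.urls)
        times_by_sender[e.sender].append(e.sent_at)
    for sender, times in times_by_sender.items():
        profiles[sender].max_per_hour = peak_per_window(times)
    return profiles


def assess_batch(batch, profiles, burst_factor=5, min_burst=20):
    """Score one sender's recent mail against that sender's baseline.
    Returns {signal_name: detail}; an empty dict means nothing unusual."""
    senders = {e.sender for e in batch}
    if len(senders) != 1:
        raise ValueError("assess one sender at a time")
    profile = profiles.get(senders.pop(), SenderProfile())
    findings = {}
    # Signal 1: unusual sender behavior (burst to many unseen recipients).
    peak = peak_per_window([e.sent_at for e in batch])
    unseen = {e.recipient for e in batch} - profile.contacts
    if peak >= max(min_burst, burst_factor * max(profile.max_per_hour, 1)):
        findings["unusual_sender_behavior"] = {
            "peak_per_hour": peak,
            "baseline_per_hour": profile.max_per_hour,
            "previously_unseen_recipients": len(unseen)}
    # Signal 2: first-ever use of a file-sharing service by this sender.
    used = set().union(*(link_services(e.urls) for e in batch))
    first_time = used - profile.services
    if first_time:
        findings["unusual_file_sharing_service"] = sorted(first_time)
    return findings


BASE = datetime(2023, 2, 1, 9, 0)   # constructed start of the baseline period


def constructed_history():
    """Constructed baseline: alice mails two regular contacts once a day."""
    return [Email("alice@partner.example", rcpt, BASE + timedelta(days=day),
                  ["https://partner.example/weekly-report"])
            for day in range(30)
            for rcpt in ("bob@customer.example", "carol@customer.example")]


def constructed_burst():
    """Constructed ATO-style burst: 60 SharePoint share mails in 30 minutes."""
    start = BASE + timedelta(days=31)
    return [Email("alice@partner.example", f"user{i}@customer.example",
                  start + timedelta(seconds=30 * i),
                  ["https://tenant-my.sharepoint.com/:o:/g/personal/shared-notes"])
            for i in range(60)]


if __name__ == "__main__":
    profiles = build_profiles(constructed_history())
    print(assess_batch(constructed_burst(), profiles))
```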
Read Blog Post
Insider Risks, Email DLP
Real Examples of Negligent Insider Risks
Monday, February 20th, 2023
Anyone can make a simple mistake. Attach the wrong file, click a bad link, or send an email to the wrong person. Tessian’s own research found that for an organization of around 1000 people, 800 misdirected emails were sent in 12 months. What’s more, employees also receive an average of 14 malicious emails per year, with some industries such as retail receiving an average of 49. Here, then, are real life examples of when someone made a simple mistake, as well as the fallout from that. Read more about different types of insider threats, and why insider threat management matters here.
The employee who fell for a phishing attack
The Anti-Phishing Working Group’s new Phishing Activity Trends Report reveals that in the third quarter of 2022, they observed 1,270,883 total phishing attacks — the worst quarter for phishing that the APWG has ever observed. While shocking in numbers, these aren’t particularly new threats. One example involves an email that was sent to a senior staff member at Australian National University. The result? 700 megabytes of data were stolen. That might not sound like a lot, but the data related to both staff and students and included details like names, addresses, phone numbers, dates of birth, emergency contact numbers, tax file numbers, payroll information, bank account details, and student academic records.

The employee who accidentally sent an email to the wrong person
Misdirected emails happen more than most think. In fact, Tessian platform data shows that at least 800 misdirected emails are sent every year in organizations with 1,000 employees. But what are the implications? It depends on what data has been exposed. In one incident in mid-2019, the private details of 24 NHS employees were exposed after someone in the HR department accidentally sent an email to a team of senior executives. This included mental health information and surgery information. While the employee apologized, the exposure of PII like this can lead to medical identity theft and even physical harm to the patients. We outline even more consequences of misdirected emails in this article.

The employee who sent company data to a personal email account
We mentioned earlier that employees oftentimes email company data to themselves to work over the weekend. But in this incident, an employee at Boeing shared a spreadsheet with his wife in hopes that she could help solve formatting issues. While this sounds harmless, it wasn’t. The personal information of 36,000 employees was exposed, including employee ID data, places of birth, and accounting department codes.

The employees who exposed 250 million customer records
Here’s an example of a “negligent insider” threat. In December 2019, a researcher from Comparitech noticed that around 250 million Microsoft customer records were exposed on the open web. This vulnerability meant that the personal information of up to 250 million people—including email addresses, IP addresses, and location—was accessible to anyone. This incident represents a potentially serious breach of privacy and data protection law and could have left Microsoft customers open to scams and phishing attacks—all because the relevant employees failed to secure the databases properly. Microsoft reportedly secured the information within 24 hours of being notified about the breach.

The work-from-home employees duped by a vishing scam
Cybercriminals saw an opportunity when many of Twitter’s staff started working from home. One cybercrime group conducted one of the most high-profile hacks of 2020 — knocking 4% off Twitter’s share price in the process. In July 2020, after gathering information on key home-working employees, the hackers called them up and impersonated Twitter IT administrators. During these calls, they successfully persuaded some employees to disclose their account credentials. Using this information, the cybercriminals logged into Twitter’s admin tools, changed the passwords of around 130 high-profile accounts — including those belonging to Barack Obama, Joe Biden, and Kanye West — and used them to conduct a Bitcoin scam. This incident put “vishing” (voice phishing) on the map, and it reinforces what all cybersecurity leaders know — your company must apply the same level of cybersecurity protection to all its employees, whether they’re working on your premises or in their own homes.

The employee offered a bribe by a Russian national
In September 2020, a Nevada court charged Russian national Egor Igorevich Kriuchkov with conspiracy to intentionally cause damage to a protected computer. The court alleges that Kriuchkov attempted to recruit an employee of Tesla’s Nevada Gigafactory. Kriuchkov and his associates reportedly offered a Tesla employee $1 million to “transmit malware” onto Tesla’s network via email or USB drive to “exfiltrate data from the network.” The Kriuchkov conspiracy was disrupted before any damage could be done. But it wasn’t the first time Tesla had faced an insider threat. In June 2018, CEO Elon Musk emailed all Tesla staff to report that one of the company’s employees had “conducted quite extensive and damaging sabotage to [Tesla’s] operations.” With state-sponsored cybercrime syndicates wreaking havoc worldwide, we could soon see further attempts to infiltrate companies. That’s why it’s crucial to run background checks on new hires and ensure an adequate level of internal security.

The employee who accidentally misconfigured access privileges
NHS coronavirus contact-tracing app details were leaked after documents hosted in Google Drive were left open for anyone with a link to view. Worse still, links to the documents were included in several others published by the NHS. These documents – marked “SENSITIVE” and “OFFICIAL” – contained information about the app’s future development roadmap and revealed that officials within the NHS and Department of Health and Social Care are worried about the app’s reliance and that it could be open to abuse that leads to public panic. Read more on how Tessian stops misdirected emails here, or download the data sheet with more information.
Read Blog Post
Insider Risks, Email DLP
Real Examples of Malicious Insider Threats
Monday, February 20th, 2023
Revenge, or sometimes just plain old greed, can lead former or current employees to harm your organization by exfiltrating data, customer information, or sensitive intellectual property. Here are real world examples of people who have done just that, as well as what happened to them. Read more about different types of insider threats, and why insider threat management matters here.

The employee who deleted data after being fired
Since the outbreak of COVID-19, 81% of the global workforce have had their workplace fully or partially closed. And 2022’s tech layoffs have added 121,000 tech workers to that list. Unsurprisingly, this has caused widespread distress; it has also led to an increase in malicious insider threats, particularly when you combine this distress with the reduced visibility of IT and security teams. One such case involves a former employee of a medical device packaging company who was let go in early March 2020. After he was given his final paycheck, Christopher Dobbins hacked into the company’s computer network, granted himself administrator access, and then edited and deleted nearly 120,000 records. This caused significant delays in the delivery of medical equipment to healthcare providers.

The employee who sold company data for financial gain
An older one this, but it checks out. In 2017, an employee at Bupa accessed customer information via an in-house customer relationship management system, copied the information, deleted it from the database, and then tried to sell it on the Dark Web. The breach affected 547,000 customers and in 2018, after an investigation by the ICO, Bupa was fined £175,000.

The employee who stole trade secrets
In July 2020, further details emerged of a long-running insider job at General Electric (GE) that saw an employee steal valuable proprietary data and trade secrets. The employee, Jean Patrice Delia, gradually exfiltrated over 8,000 sensitive files from GE’s systems over eight years — intending to leverage his professional advantage to start a rival company. The FBI investigation into Delia’s scam revealed that he persuaded an IT administrator to grant him access to files and that he emailed commercially sensitive calculations to a co-conspirator. Having pleaded guilty to the charges, Delia was sentenced to 24 months in jail. What can we learn from this extraordinary inside job? Delia hacked the human to gain access controls, which is why ensuring you have robust email threat protection is vital.

The ex-employee who got two years for sabotaging data
The case of San Jose resident Sudhish Kasaba Ramesh serves as a reminder that it’s not just your current employees that pose a potential internal threat—but your ex-employees, too. Ramesh received two years imprisonment in December 2020 after a court found that he had accessed Cisco’s systems without authorization, deploying malware that deleted over 16,000 user accounts and caused $2.4 million in damage. The incident emphasizes the importance of properly restricting access controls—and locking employees out of your systems as soon as they leave your organization.

The employees leaking customer data
Toward the end of October 2020, an unknown number of Amazon customers received an email stating that their email address had been “disclosed by an Amazon employee to a third-party.” Amazon said that the “employee” had been fired — but the story changed slightly later on, according to a statement shared by Motherboard which referred to multiple “individuals” and “bad actors”. So how many customers were affected? What motivated the leakers? We still don’t know. But this isn’t the first time that the tech giant’s own employees have leaked customer data. Amazon sent out a near-identical batch of emails in January 2020 and November 2018. If you want to prevent a data breach, insider threat management on email is critical.

The ex-employee who offered 100 GB of company data for $4,000
Police in Ukraine reported in 2018 that a man had attempted to sell 100 GB of customer data to his ex-employer’s competitors—for the bargain price of $4,000. The man allegedly used his insider knowledge of the company’s security vulnerabilities to gain unauthorized access to the data. This scenario presents another challenge to consider when preventing insider threats—you can revoke ex-employees’ access privileges, but they might still be able to leverage their knowledge of your systems’ vulnerabilities and weak points.

The security officer who was fined $316,000 for stealing data (and more!)
In 2017, a California court found ex-security officer Yovan Garcia guilty of hacking his ex-employer’s systems to steal its data, destroy its servers, deface its website, and copy its proprietary software to set up a rival company. The cybercrime spree was reportedly sparked after Garcia was fired for manipulating his timesheet. Garcia received a fine of over $316,000 for his various offenses. The sheer amount of damage caused by this one disgruntled employee is pretty shocking. Garcia stole employee files, client data, and confidential business information; destroyed backups; and even uploaded embarrassing photos of his one-time boss to the company website. Read more on how Tessian stops insider threats by email, or download the data sheet for more information.
Read Blog Post