In recent years, the shift away from on-prem email platforms to cloud-based platforms has been dramatic, with Gartner estimating that 70% of organizations now use cloud productivity suites like Microsoft 365 and Google Workspace. But as email migrates from legacy on-prem approaches to the cloud, securing these cloud based services becomes the next big challenge. Enter Integrated Cloud Email Security.

What is an Integrated Cloud Email Security (ICES) Solution? The term ‘Integrated Cloud Email Security (ICES)’ was coined in the Gartner 2021 Market Guide for Email Security. ICES solutions were introduced as a new category, and positioned as the best defense against advanced phishing threats that evade traditional email security controls.   ICES solutions are cloud-based, and use APIs to detect anomalies in emails with advanced techniques such as natural language understanding (NLU), natural language processing (NLP) and image recognition. Using API access to the cloud email provider, these solutions have much faster deployment and time to value, analyzing email content without the need to change the Mail Exchange (MX) record. Taking it one step further, ICES solutions can also provide in-the-moment prompts that can help reinforce security awareness training (SAT), and are able to detect compromised internal accounts. In the report, Gartner reflected on the future of ICES solutions, suggesting that they would eventually render SEGs redundant: “Initially, these solutions are deployed as a supplement to existing gateway solutions, but increasingly the combination of the cloud email providers’ native capabilities and an ICES is replacing the traditional SEG.”

Gartner predicts that by 2023, at least 40% of all organizations will use built-in protection capabilities from cloud email providers rather than a secure email gateway (SEG)… But why? In short, legacy SEGs are no match for the cyber threats of tomorrow. Email is responsible for 96% of cybersecurity breaches, making it the greatest threat vector. In fact, in the 12 months between July 2020 and July 2021, Tessian detected 2 million malicious emails that had bypassed SEGs. So why are traditional SEGs not fit for today’s cybersecurity landscape?

Rule-based approaches don’t cut it SEGs were developed in 2004 with on-premise email servers in mind and use a rule-based approach to threat detection. They use deny lists, allow lists and signatures for message authentication to help stop attacks – with these lists created using threat intelligence. They are reactive by design, and protect email data against threats that are already known. This means that SEGs offer no protection against zero-day attacks (a significant and growing threat vector), and are easily evaded by attackers using advanced social engineering campaigns. SEGs also fail to detect business email compromise (BEC), account takeover (ATO) and advanced spear phishing attacks.

The migration to the cloud More and more, organizations are adopting SaaS offerings like Microsoft 365 – which have SEG capabilities natively included. This shift was well underway before the pandemic, but has since been accelerated with data suggesting that ICES solutions are here to stay and will displace SEGs from the cybersecurity stack.. The rise of offerings like Microsoft 365 and Google Workspace and the move away from SEGs comes as no surprise, with enhanced functionality at the platform level that can include: Blocking emails from known bad senders Scanning attachments with AV Blocking emails with known bad URLs Content analysis to identify SPAM Given these native SEG-like capabilities in cloud productivity suites, makes ICES solutions the perfect supplement to ensuring comprehensive email protection. ICES solutions are so effective because they  provide protection against many of the threats SEGs fail to detect – when used in combination with SaaS offerings like Microsoft 365.

What are the benefits of ICES solutions? ICES solutions offer more than just threat detection. Key features of ICES solutions  can include: BEC and ATO Attack detection using NLU, NLP, social graph analysis and image recognition Context-aware banners to warn users Phish Reporting Mail Security Orchestration, Automation and Response (MSOAR) capabilities to assist in automatic reclassification of emails and removal from inboxes

How to evaluate ICES vendors The number of  ICES solutions available on the market is continually growing. There are a few key things you should consider when evaluating which ICES solution to use. Taking a look at your current email security framework and comparing it to your end goal, the following elements should be analyzed: Time-to-value, return-on-investment time horizon Cost of effort to install and manage False positive rate ML- and AI-based technology to detect advanced social engineering attacks including BEC and ATO attacks Ability to analyze and map conversation history Computer vision to analyze suspicious data and links in emails User education controls to reinforce training, including context-aware banners and/or in-line prompts Ability to analyze emails prior to delivery to the end user API integration  of email events into Extended Detection and Response (XDR) or Security Information and Event Management/Security Orchestration, Automation and Response (SIEM/SOAR) solutions Still struggling to decide? Have a look at the 2021 Gartner Market Guide to Email Security, which contains further information on ICES vendors, including Tessian.

Why choose Tessian? Tessian was recognized as a Representative Vendor for Integrated Cloud Email Security (ICES) in the recently released 2021 Gartner Market Guide for Email Security.   What sets Tessian apart from other ICES solutions is its advanced email security and email data loss prevention (DLP) capability, including: Advanced Spear Phishing Protection Advanced Attachment and URL Protection   Internal Impersonation & CEO Fraud Advanced Spoof Detection Counterparty & Vendor Impersonation  Brand Impersonation External Account Takeover  Invoice Fraud Bulk Remediation Automated Quarantine  Threat Intelligence Tessian also offers protection against both malicious and accidental data loss, in-the-moment security awareness training for suspected phishing emails and in-the-moment security awareness notifications. 

To summarize, there are four key Tessian differentiators: Threat prevention: Tessian protects against both known and unknown email attacks, including business email compromise, account takeover, spear-phishing, and all impersonation attacks that bypass SEGs, M365, and G Suite. Protection also includes class leading email DLP. Education and awareness: With Tessian’s in-the-moment training, organizations can educate and empower users to build continuous email security awareness  Reduced admin overhead: Tessian removes the burden on SOC and admins by automating repetitive tasks such as maintaining triage and review. This eliminates the need for human verification of email threats, reducing FTE requirements. Data-rich dashboards: With Tessian, security teams have clear visibility and the ability to demonstrate clear ROI   To find out more about Tessian as an ICES solution, and the key findings listed in the 2021 Gartner® Market Guide for Email Security, click here. 

Most people – we hope – can smell a rat when supposedly African Royalty offers us several thousand dollars as a ‘gift’ to help them get money out of the country, but what about when a well known brand you love offers you free samples or invites you to enter a competition?    The recent Heineken Father’s Day beer contest on WhatsApp is just the latest in a long line of seasonal or topical attacks that are run almost like marketing campaigns. Like all phishing attempts there are a few common themes. One is a sense of urgency, in this case the fact that there are only a certain number of freebies available. There’s also nudging text like ‘don’t miss out’ ‘exclusive’ and ‘enter now’.

The Threat Actor’s Editorial Calendar   But what’s also interesting is that this attack came on Father’s Day, when a brand like Heineken might legitimately launch such a campaign and when people are thinking about last minute gifts for Dad – it feels legit because it plugs into where your employees’ heads are at. Heineken wasn’t the only ‘Dad brand’ that suffered a scam, UK hardware stores ScrewFix and B&Q also had exclusive Father’s Day competition prizes that were actually scams.    That topicality and seasonality is played out throughout the year, on national awareness days, public holidays and yearly events like tax deadlines and Black Friday. As one attendee at our October Human Layer Security Summit told us “in the Fall, someone is always going to click on FREE STARBUCKS PUMPKIN SPICED LATTE”. We’ve seen this in the world of entertainment too. In November 2021, fans were promised early access to the new season of Squid Games, only after filling in a short ‘survey document’.

Cost of Living Scams   Having targeted tech and finance brands for years, as well as logistics and delivery brands during the pandemic, it seems scammers are teeing up a summer of cyberattacks on consumer brands and retailers. The cost of living crisis, rising inflation and surge in food and energy costs now makes grocery stores, food companies and energy companies prime targets for scams. In June, we saw a scam featuring UK supermarket Tesco, with the promise of a £500 gift card.    In May the UK energy regulator, Ofgem, alerted consumers to a new energy rebate scam as energy prices soared. Meanwhile in the US fuel company Shell highlighted a gas card phishing scam involving their Fuel Rewards program. And with some US employers offering to pay towards employees’ gas costs, you can see why things are getting confusing. The brand and sector may change but the scam is always the same; the promise of something for free coupled with a sense of urgenc

Education and awareness These new threat vectors join the long queue of existing ones that your staff and organization are already vulnerable to. As we saw with Covid bad actors thrive in times of confusion and uncertainty. And after global pandemics, global economic turbulence and spiraling cost of living is the next theater on which bad actors like to strut their stuff. So what to do?      As Bobby Ford said at our Human Layer Security summit, the way you ‘crack the nut’ is putting a little piece of cybersecurity awareness in all your other programs, projects and meetings happening across your organization. That can be a quick update at the all-hands or creating material, updates and awareness within your team that you don’t just push out, but people actively come and seek out.    Work with your allies. Who else in the company can you form an alliance with? Perhaps you can bring in your internal comms or PR team’s experience? Getting the people team involved to make cybersecurity part of the onboarding process helps new joiners orient themselves before they touch your network.    Finally, the C-suite is critical to supporting any initiative you design, which matters because as Mike Privitte notes in this Linkedin post, “Phishing doesn’t have “work life balance.” Company executives and their families will only see increased attempts outside of the 9-5 space”.

Summary Tessian Threat Intel is issuing a threat advisory on cyber threat actors requesting payment from unsuspecting victims using fraudulent invoices issued via PayPal. We have alerted PayPal.   Overview Tessian Threat Intel analysts have observed scammers, on numerous occasions, sending emails with fake invoice payment requests. Historically many of these sorts of attempts would be detected by traditional spam filters and end up in the junk folder or in quarantine. This is due to the email senders being repeat offenders with the same template and text – easily detected as spam or malicious by rule based email security solutions.    Since early March 2022, Tessian identified ways in which threat actors have been adapting their techniques to reach victim’s inboxes by abusing the legitimate capability of sending invoices to 3rd parties using PayPal’s email-delivered invoicing services.    To be clear, this is not a vulnerability within PayPal. Nor is it an example of an account takeover (ATO).  Rather, threat actors are creating invoices in PayPal and then issuing them to victims through PayPal’s service.     Technically, an email  from PayPal would pass some of the most fundamental checks in email security like SPF, DMARC and DKIM. This would ensure with a high degree of probability that similar emails would avoid detection by rule based email security solutions, as well as giving an air of legitimacy to the email.    An email sent from a financial services provider like PayPal, would increase the probability of  the victim seeing and interacting with the email, including acquiescing to its demands for payment. 

Examples of fraudulent PayPal invoices   The screenshot below is a legitimate email from PayPal containing a fraudulent invoice. In this example, the attacker has created a paypal account with the profile name “bit-coins payments,” which is displayed as the sender display name.    The threat actor has then created an invoice using the invoicing service available in PayPal (see Fig 2), and has then sent it with a message added by the attacker for the recipient. Grammatical style errors can also be observed, similar to what we have seen in common   phishing emails.

The below screenshot shows the PayPal invoicing service.

In the example below, we can see the actual link addresses which would redirect the recipient to the PayPal generated invoice if clicked.

Technical breakdown of the message headers As you can see below, both SPF and SKIM are a pass, and the sender IP ties back to PayPal directly. This sort of email has a high probability of passing rule based email security solutions and being delivered into a victim’s inbox.   Authentication-Results: spf=pass (sender IP is 173.0.84.227)  smtp.mailfrom=paypal.com; dkim=pass (signature was verified)  header.d=paypal.com;dmarc=pass action=none  header.from=paypal.com;compauth=pass reason=100 Received-SPF: Pass (protection.outlook.com: domain of paypal.com designates  173.0.84.227 as permitted sender) receiver=protection.outlook.com;  client-ip=173.0.84.227; helo=mx2.slc.paypal.com;

Threat Mitigation Steps   Once PayPal was informed, Tessian found that the invoice was taken offline and no longer accessible. Thank you PayPal for your quick engagement.   In order to not fall victim to similar types of email-delivered invoice fraud we recommend:   Be careful of unsolicited emails, especially those containing requests for payment or including links to invoices. Always verifying the authenticity of an invoice with the actual purchase order.  If necessary, contact PayPal or any vendor requesting payment via independent method i.e. telephone to verify the authenticity of the request. Have a failsafe system in place in your accounting department that requires two members of staff to verify the authenticity of invoices matched against purchase orders. Adopt intelligent cloud email security solutions like Tessian that use behavioral intelligence to detect and prevent advanced email attacks, including increasingly sophisticated email-delivered invoice and wire fraud.

To see how the Tessian Intelligent Cloud Email Security platform  prevents ransomware attacks, and protects against DLP, watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn

The subject of prioritizing cybersecurity spending often arises in periods of economic uncertainty. As most security professionals will admit, the challenge of security budget justification is challenging in many organizations, regardless of the economic cycle. But in a recession, the challenge of cybersecurity budget allocation and spending can be compounded because, too often, cybersecurity is viewed as an auxiliary and non-critical IT program.   This blog sets out some core tenets essential for building a recession proof cybersecurity program. Spoiler: Building a resilient cybersecurity program starts with a mind shift

Cultivating a positive organizational cybersecurity culture   Many security leaders struggle to make the case for cybersecurity spending allocation, regardless of the economic environment. This is due to an out of touch mindset, with certain leaders failing to understand the importance of cybersecurity to their company’s overall business operations and objectives.     This poorly informed view was evidenced in a recent survey conducted by Tessian, with only 58% of employees thinking that senior executives at their company value cybersecurity. This explains why 1 in 3 employees don’t understand the value of cybersecurity, and why 30% of employees believe they play no role in cybersecurity threat prevention.   The mixed attitude towards cybersecurity could also explain why security leaders often find it challenging to justify cybersecurity program spend, which can become even more challenging in an economic downturn. The tide is slowly starting to turn, due in a large part to increasing cybersecurity risk and the catastrophic fallout associated with breaches, which can result in business failure.    Beyond an organization’s self-interest to keep their information systems and data secure, investors are starting to exert pressure on their portfolio companies to maintain an industry baseline of cybersecurity protection. Evidence of this shift in attitudes is reflected in the fact that environmental, social and governance (ESG) reporting now includes an assessment of an organization’s cybersecurity program and defenses.   It needn’t break the bank. Developing a positive cybersecurity culture in an organization is something that can be achieved on a relatively low cost basis. The key elements to achieve this include clear communication from the executive leadership on the importance of maintaining good cybersecurity hygiene. Creating a positive employee experience in relation to cybersecurity is essential. This entails developing engaging and context-based security awareness training programs that drive cybersecurity awareness – empowering employees to become part of the cyber defense.   

Using open source resources and frameworks to build cybersecurity resilience   While there is no singular approach to building out a cybersecurity program, there are a trove of freely available resources and best practice guides to assist with building information governance systems and cybersecurity programs. View cybersecurity program development as a work in progress. Many unique factors and characterics will come into play in shaping your cybersecurity program development.   By establishing a dedicated team to tackle enterprise security architecture and using well established enterprise architecture frameworks such as COBIT and TOGAF,  in conjunction with cybersecurity frameworks such as NIST Cybersecurity Framework, ISO 27001/02 and the CIS Critical Controls, organizations can start putting the building blocks in place for developing well-integrated and robust information governance systems.    Enterprise architecture frameworks such as COBIT are useful to build an information governance system that proactively identifies areas of risk or IT capabilities that need improvement to ensure that business objectives are achieved.

Ensuring compliance with industry and geo-specific regulations   Cyber risk is increasing year-over-year. In the latest FBI IC3 report, Business Email Compromise (BEC) fraud related losses increased by 65% globally in the period 2019 to December 2021. In the latest Verizon DBIR, ransomware attacks increased by 13% year-over-year, representing the largest increase in over 5 years.   Prioritize your cybersecurity technology budget from the assumption that there is a very strong likelihood that you will at some point suffer a breach. On this basis, focus on the fundamental threat vectors relative to your accepted risk threshold.    In US states such as California and many jurisdictions around the world, regulatory authorities are establishing minimum levels of cybersecurity preparedness that need to be met to ensure compliance.    The California Attorney General under the California Consumer Privacy Act (CCPA), has for instance established the requirement that businesses over a certain revenue threshold have to have a reasonable level of security in place. Reasonable security according to the CCPA is defined as having the CIS Controls implemented.   In the EU’s General Data Protection Regulation (GDPR), key stipulations include having data privacy and data security safeguards in place to ensure the confidentiality, integrity and availability of information processing systems and services. Other security controls include having the ability to restore availability and access to personal data, as well as having a process in place to regularly test, assess and evaluate the effectiveness of technical and organizational measures that ensure the security of data.  

Going beyond the minimum   Threat actors are continuously advancing their abilities. This is why cybersecurity and business leaders cannot afford to rest. Continuously testing your cybersecurity defenses through regular audits and penetration testing will help you identify areas for improvement. This includes practicing incident response and business continuity preparedness.   Cybersecurity is not a tick box compliance exercise.   Cybersecurity is everyone’s responsibility. Many of the core components that encompass a cybersecurity program do not require significant budget, but rather effective leadership, time and effort. Most importantly it requires adopting a mindset that recognizes the importance of being cyber resilient as essential to the organization’s overall success.

To see how the Tessian Intelligent Cloud Email Security platform  prevents ransomware attacks, and protects against DLP, watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn

Verizon just released its annual Data Breach Investigation Report for 2022. Some highlights include the most targeted industries, the role of human error, insight on social engineering and the devastating impact that insider risk poses to your organization. The report also reveals email as a significant attack vector, and the preferred method for delivering malicious payloads. Ransomware is becoming a protracted security challenge, so too is the role of supply chains and the risk posed by misconfiguration.   Keep reading for key findings from the report.

Industries and attacks vectors   Top 3 industry verticals that suffered a breach. Finance, Professional Services and Healthcare suffered the highest proportion of breaches for the year.   Human error remains a significant breach risk factor. 82% of breaches involved the human element – either due to compromised credentials, phishing, misuse or error.   Securing end-users and systems should be prioritized equally. The 4 main paths to a breach include:   Credential compromise Phishing Exploiting vulnerabilities Botnets Top 2 targeted IT assets. Web applications (56% of breaches) and mail servers (28%) are the two most targeted IT assets by threat actors.

Social engineering, insider risk and attack motivations   Social engineering attacks are growing in complexity. Phishing (+60%) remains the dominant method for executing social engineering attacks, followed by the use of stolen credentials (+30%) and pretexting (27%).   Protecting against threat actors is a complex challenge. External threat actors account for 80% of breaches, and insiders 20%.   Insider breaches are the most devastating from a records exposure perspective. Insider breaches result in 10:1 more compromised records being exposed than external breaches do.   Money heist. Financial or personal gain is the key motive for over 80% of external threat actors.

Email is a significant attack vector   Email is the most preferred channel for threat actors. Email remains the #1 delivery mechanism for malware, including ransomware.   Email attracts the greatest investment in the attacker value chain. Email development, email addresses and email distribution see the highest share of investment from threat actors for carrying out a breach.   Office docs are the preferred trojan horse. Office docs are the preferred file for delivering malicious payloads, usually delivered via email.   BEC attacks come in different flavors. Phishing was responsible for 41% of BEC attacks, while credential theft was responsible for 43%. And pretexting, a component of phishing, is becoming increasingly prominent, responsible for 27% of social engineering breaches.   Don’t take solace in low phish rates. Even low phish rates of less than 3% can have devastating impacts on large organizations in terms of total records compromised.

Additional key findings   Ransomware attacks are trending in the wrong direction. The scourge of ransomware is accelerating at an unprecedented pace, up 13% YoY, representing the equivalent annual increase of the past 5 years combined.   The integrity of supply chains is in sharp focus. Supply chains are responsible for 62% of system intrusions.   As IT complexity increases so too does misconfiguration risk.  In a cloud based world, misconfiguration remains a mainstay vulnerability, responsible for 13% of breaches.

To see how Tessian prevents ransomware attacks, and protects against DLP, watch a product overview video or book a demo.   For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn

Over the last decade, phishing – a type of social engineering attack – has transformed from something more like spam to the threat most likely to cause a breach. During that same period, the number of adults on social media platforms like Facebook increased by almost 1,300%.   Every photo we post, status we update, person we tag, and place we check into reveals valuable information about our personal and professional lives. And hackers use this information to craft targeted – and effective – attacks at scale.

How big are our digital footprints?    Our digital footprints are bigger than ever. There are over: 2,701,000,000 users on Facebook 1,158,000,000 users on Instagram 722,000,000 users on LinkedIn 353,000,000 users on Twitter And it shouldn’t surprise you that, according to research, 90% of people post information related to their personal and professional lives online. This number is even higher among 18-34 year olds. And, across LinkedIn, Instagram, and Facebook, 55% of people have publicly visible accounts.  !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js");

When an account is public, anyone can see the information you post online, whether it’s a photo of your boarding pass, or a birthday shout-out to a colleague. Harmless, right? Unfortunately not.   This information is gold dust to hackers and makes reconnaissance impossibly easy.    Take the former Australian Prime Minister, Tony Abbott. He posted a picture of his boarding pass on Instagram. From the booking reference, hackers found his passport number and phone number – information that could have helped them gain access to other accounts, including sensitive personal and government information.   It didn’t take much work. According to an ethical hacker we spoke to, “Anyone who saw that Instagram post could also have [his passport number and phone number].”   Mr. Abbott isn’t the only person who posts this kind of information online…

32% of employees post business travel photos and updates. Nearly 72% mention birthday celebrations. 36% share information about their jobs. And don’t forget about all the information we share about our pets, partners, and children.     Hackers use all of it. Yep, even that photo of your pup.    How do bad actors use this information?   To understand exactly how hackers leverage all of this information, we have to look at a social engineering attack from start to finish.   First, a hacker identifies a target organization.    Depending on their motivations, they could choose an asset management firm with hopes of initiating a wire transfer or a pharmaceutical company with hopes of getting their hands on R&D. From there, they’ll research supply chains and vendors, study company org. charts, map employee relationships, and monitor individual behavior. And, by running scripts, they can do this automatically and at scale.     Why do all this reconnaissance? To pinpoint potential entry points, identify viable third-parties to impersonate, and to collect information (however subtle) that’ll help them nudge their targets towards unconscious (and conscious) confirmation and – eventually – trust and compliance. 

While behavior varies by region, most of us eagerly announce when we start a new job. In the US, almost everyone does – with 93% of employees in the US saying they update their job status on social media.   We share press releases about new clients and mergers and acquisitions. We post photos of our employee IDs and screenshots of Zoom calls. We tag our colleagues and customers in our updates and comment on theirs. We share all of this information regularly.    Almost half (43%) of us post every day, giving hackers up-to-date intelligence about where we’re working, who we’re working with, and what we’re working on.   Passwords play a role, too   When it comes to Business Email Compromise, information related to your professional life is important. But your personal information can be just as valuable.   Hackers can use information about your pets, partner, children, and even your interests to crack passwords and answer security questions, giving them full access to personal and work accounts, including password managers and even your email.    Don’t believe us? 21% of people use information like their favorite football team, their pet’s name, or birthdays when creating passwords and some of the most common security questions include: What is your mother’s maiden name? What was your first car? What elementary school did you attend? What year were you married?    This is all readily available online. 34% of people share the names of their pets, 34% mention their children/partner, and 40% share information about their interests.     People may even unwittingly share this information via gimmicks or memes that make their rounds on social media. For example, “name generators” that ask you to combine your pet’s name with your childhood street address. Sound familiar?

An example of a social engineering attack leveraging social media In this example of a social engineering attack, hackers use an OOO message and other publicly available information to initiate a wire transfer.   Type of Attack: CEO/CXO Fraud Industry: Financial Services Hacker Motivation: (Quick) Financial Gain

The hacker group monitors news wires for up-to-date information about banks in the United States to find their target, an asset management firm called SoBank.  They see that the company’s CFO – Andrew Neal – is OOO at a conference. Thanks to his OOO message, they’re able to identify their target, Tristan Porter. They also learn that Andrew goes by “Andy” at work. The hacker group sends a fabricated email chain that appears to be between Andy and Gregory Ellwood, Senior Partner at Dorling Clayton – SoBank’s advising firm – urging Tristan to make a wire transfer.

Cybersecurity best practice   Want to better manage your digital footprint and avoid being targeted by (and falling for) a social engineering attack?   Here’s a list of do’s and don’ts.

Phishing awareness training is an essential part of any cybersecurity strategy. But is it enough on its own? This article will look at the pros and cons of phishing awareness training—and consider how you can make your security program more effective.

✅ Pros of phishing awareness training   Employees learn how to spot phishing attacks   While people working in security, IT, or compliance are all too familiar with phishing, spear phishing, and social engineering, the average employee isn’t. The reality is, they might not have even heard of these terms, let alone know how to identify them.   But, by showing employees examples of attacks – including the subject lines to watch out for, a high-level overview of domain impersonation, and the types of requests hackers will generally make – they’ll immediately be better placed to identify what is and isn’t a phishing attack.     Looking for resources to help train your employees? Check out this blog with a shareable PDF. It includes examples of phishing attacks and reasons why the email is suspicious.    It’s a good chance to remind employees of existing policies and procedures   Enabling employees to identify phishing attacks is important. But you have to make sure they know what to do if and when they receive one, too. Training is the perfect opportunity to remind employees of existing policies and procedures. For example, who to report attacks to within the security or IT team.   Training should also reinforce the importance of other policies, specifically around creating strong passwords, storing them safely, and updating them frequently. After all, credentials are the number one “type” of data hackers harvest in phishing attacks.    Security leaders can identify particularly risky and at-risk employees   By getting teams across departments together for training sessions and phishing simulations, security leaders will get a birds’ eye view of employee behavior. Are certain departments or individuals more likely to click a malicious link than others? Are senior executives skipping training sessions? Are new-starters struggling to pass post-training assessments?    These observations will help security leaders stay ahead of security incidents, can inform subsequent training sessions, and can help pinpoint gaps in the overall security strategy.

Training satisfies compliance standards   While you can read more about various compliance standards – including GDPR, CCPA, HIPAA, and GLBA – on our compliance hub, they all include a clause that outlines the importance of implementing proper data security practices.   What are “proper data security practices?” This criterion has – for the most part – not been formally defined. But, phishing awareness training is certainly a step in the right direction and demonstrates a concerted effort to secure data company-wide.     It helps organizations foster a strong security culture   In the last several years (due in part to increased regulation) cybersecurity has become business-critical. But, it takes a village to keep systems and data safe, which means accountability is required from everyone to make policies, procedures, and tech solutions truly effective.    That’s why creating and maintaining a strong security culture is so important. While this is easier said than done, training sessions can help encourage employees – whether in finance or sales – to become less passive in their roles as they relate to cybersecurity, especially when gamification is used to drive engagement.   You can read more about creating a positive security culture on our blog.

❌ Cons of phishing awareness training   Training alone can’t prevent human error   People make mistakes. Even if you hold a three-hour-long cybersecurity training session every day of the week, you’ll never be able to eliminate the possibility of human error. Don’t believe us? Take it from the U.K.’s National Cyber Security Centre (NCSC) “Spotting phishing emails is hard, and spear phishing is even harder to detect. Even experts from the NCSC struggle. The advice given in many training packages, based on standard warnings and signs, will help your users spot some phishing emails, but they cannot teach everyone to spot all phishing emails.”   That’s right, even the U.K.’s top cybersecurity experts can’t always spot a phishing scam. Social engineering incidents—attacks that play on people’s emotions and undermine their trust—are becoming increasingly sophisticated.   For example, using Account Takeover techniques, cybercriminals can hack your vendors’ email accounts and intercept email conversations with your employees. The signs of an account take-over attack, such as minor changes in the sender’s writing style, are imperceptible to humans.   Phishing awareness training is always one step behind   Hackers think and move quickly and are constantly crafting more sophisticated attacks to evade detection. That means that training that was relevant three months may not be today. In the last year, we’ve seen bad actors leverage COVID-19, Tax Day, furlough schemes, unemployment checks, and the vaccine roll-out to trick unsuspecting targets.   What could be next?   Training is expensive   According to Mark Logsdon, Head of Cyber Assurance and Oversight at Prudential, there are three fundamental flaws in training: it’s boring, often irrelevant, and expensive. We’ll cover the first two below but, for now, let’s focus on the cost.   Needless to say, the cost of training and simulation software varies vendor-by-vendor. But, the solution itself is far from the only cost to consider. What about lost productivity?   Imagine you have a 1,000-person organization and, as a part of an aggressive inbound strategy, you’ve opted to hold training every quarter. Training lasts, on average, three hours. That’s 12,000 lost hours a year.   While – yes – a successful attack would cost more, we can’t forget that training alone doesn’t work. (See point 1: Phishing awareness training can’t prevent human error.)

Phishing awareness training isn’t targeted (or engaging) enough   Going back to what Mark Logsdon said: Training is boring and often irrelevant. It’s easy to see why. You can’t apply one lesson to an entire organization – whether it’s 20 people or 20,0000 – and expect it to stick. It has to be targeted based on age, department, and tech-literacy. Age is especially important.   According to Tessian’s latest research, nearly three-quarters of respondents who admitted to clicking a phishing email were aged between 18-40 years old. In comparison, just 8% of people over 51 said they had done the same. However, the older generation was also the least likely to know what a phishing email was.   !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js");   Jeff Hancock, the Harry and Norman Chandler Professor of Communication at Stanford University and expert in trust and deception, explained how tailored training programs could help.

Should I create a phishing awareness training program? The short answer: “Yes”. These programs can help teach employees what phishing is, how to spot phishing emails, what to do if they’re targeted, and the implications of falling for an attack. But, as we’ve said, training isn’t a silver bullet. It will curb the problem, but it won’t prevent mistakes from happening. That’s why security leaders need to bolster training with technology that detects and prevents inbound threats. That way, employees aren’t the last line of defense. But, given the frequency of attacks year-on-year, it’s clear that spam filters, antivirus software, and other legacy security solutions aren’t enough. That’s where Tessian comes in.   How does Tessian detect and prevent targeted phishing attacks?   Tessian fills a critical gap in security strategies that SEGs, spam filters, and training alone can’t.   By learning from historical email data, Tessian’s machine learning algorithms can understand specific user relationships and the context behind each email. This allows Tessian Defender to detect a wide range of impersonations, spanning more obvious, payload-based attacks to difficult-to-spot social-engineered ones like CEO Fraud and Business Email Compromise.   Once detected, real-time warnings are triggered and explain exactly why the email was flagged, including specific information from the email. Best of all? These warnings are written in plain, easy-to-understand language.

These in-the-moment warnings reinforce training and policies and help employees improve their security reflexes over time.  To learn more about how tools like Tessian Defender can prevent spear phishing attacks, speak to one of our experts and request a demo today.   Not ready for a demo? Sign-up for our weekly blog digest to get more cybersecurity content, straight to your inbox.  Just fill out the form below.

Tessian, an intelligent cloud email security solution for the enterprise, prevents advanced email threats and protects against data loss. With email responsible for up to 90% of all breaches, rule based security solutions like Secure Email Gateways (SEGs) no longer cut it. This explains why 58% of cybersecurity leaders are actively looking to displace SEGs for the next generation of email security. Next gen solutions like Tessian ensure significantly improved threat detection and prevention capabilities thanks to machine learning and behavioral user intelligence, and offer a simplified approach to solution integration and management.

Removing the pain from security management Tessian’s API integration into both Microsoft 365 and Google Workspace cloud email environments enables deployment in seconds, and provides unparalleled protection within hours. No manual updates, complex mail rerouting, or MX record re-configuration is needed. And, when customers integrate Tessian’s security event feed with other solutions, they’re able to streamline processes and workflows and get a more contextualized and complete risk profile of their environment, down to the employee level. To help you better understand the value of Tessian with products like Splunk, Okta, and KnowBe4, let’s explore real use cases from our customers. 

Tessian + Splunk Customer: Financial Services Employees: 7,000 Tessian Products Deployed:  Enforcer and Guardian  Use case:  For one of our financial services customers, the integration of Tessian with Splunk has been essential in addressing insider threats and preventing data loss. The client ingests, triages and remediates Tessian’s alerts in its SOC which runs on Splunk. By sending data to Splunk, the SOC is empowered to create dashboards for the key security events that they care about, for example users with the most flags, or top recipients of flagged emails. This data can be combined with metrics from other cybersecurity tools in the environment to form a more comprehensive risk profile. For example, correlating the data from Tessian with endpoint security alerts enabled the client to get a deeper level of risk understanding viewed from a single pane of glass. From here the client is able to create workflows through ServiceNow, which allows streamlining of Tessian’s security feeds into existing security workflows. Some of the key benefits of Tessian and Splunk integration include: Setting up custom alerts Triaging security events Identifying risky users Easy reporting of risk to the risk committee

Tessian + Sumo Logic Customer: Financial Services Employees: 3,100 Tessian Products Deployed:  Defender, Enforcer, and Guardian Use Case: Sumo Logic is a central source for log analysis and is often a starting point for remediation workflows. Tessian has a native app built to Sumo Logic’s Modern Enterprise Security Architecture (MESA). With this native app, Sumo Logic users can ingest Tessian alerts and correlate them with other events.  One of our financial services clients uses Sumo Logic for log correlation and analysis. By feeding logs and alerts into Sumo Logic, enables the client to quickly identify spikes in anomalous email activity, for example:  misdirected email (Guardian), unauthorized email (Enforcer) and phishing emails (Defender).  Once a verdict has been delivered on an email, the SecOps team is in a position to take mitigating actions. 

Tessian + Okta  Customer: Financial Services Employees: 1, 200 Tessian Products Deployed: Defender, Enforcer, and Guardian  Use case:  The Tessian integration with Okta enables clients to use Okta’s Universal Directory to set specific email security policies for user groups based on risk. For example, one client in financial services leverages the integration to enforce more stringent email security rules for the finance department – responsible for sending and receiving sensitive financial data.  Tessian is leveraged to target these specific user groups with email security policies that ensure safe email behavior and prevents email related data loss.  The integration with Okta enables greater security flexibility for user groups, rather than a standard one-size fits all approach to security policy orchestration.

Tessian + CrowdStrike + Netskope Customer: Healthcare Employees: 16,500 Tessian Products Deployed: Defender, Enforcer, and Guardian  Use case: A growing number of Tessian clients, such as one in healthcare, is using Tessian as an integral security pillar to keep their enterprise safe from external and insider threats, particularly concerning data loss. Tessian is seen as one of core security pillars keeping employees and the email ecosystem safe. Other key security pillars and best-in-breed solutions include CrowdStrike for endpoint and Netskope for cloud security – deployed alongside Tessian.  By leveraging Tessian in combination with these tools enables a defense in depth approach, giving security practitioners peace of mind that they have the best tools in place to keep their employees and their data safe.

Tessian + KnowBe4 Customer: Pharmaceuticals Employees: 650 Tessian Products Deployed: Defender Use case: The Tessian integration with Knowbe4 gives organizations more visibility into phishing risk by identifying the employees who are most likely to fall for phishing attacks. Tessian ingests KnowBe4’s Phish Prone Score and combines it with our own Risk Score, presenting a more comprehensive risk profile for each employee. This way, security teams can customize security policies and training programs for more targeted and engaging security awareness for specific employees rather than a blanketed approach – that often lacks context.  After deploying Tessian to bolster KnowBe4, one pharmaceutical company saw click through rate drop significantly from 20% to below the industry benchmark of 3%. Another Tessian client in the financial services sector summed up the value of the Tessian and KnowBe4 integration:

Click here to book a demo of our market leading cloud email security and DLP platform.

Many organizations spend significant time and effort on counter-phishing programs and training. The emphasis of these mitigation is always preventing the click; how to see it, how to stop it, and how to report it in a timely manner.   Rarely though, does anyone ask why the end user clicks on a malicious email. There’s a variety of psychological triggers that prompt a bad outcome of clicking on malspam, but an interesting one is that you might have trained them to do it.

And if you think email is dead, think again. A 2019 study by Adobe Analytics found US-based workers spend an average of 3 hours a day managing work email. Practically speaking, no one can directly engage with that much email using 100% of their critical thinking capacity.     As a result, users tend to rely on heuristics to manage the cognitive load, such as rules sorting content into different folders, only reading subject lines, or sometimes ignoring some types of messages altogether.   In somewhat of an escalating arms race for attention, corporate comms teams can often add things like “ACTION REQUIRED”, “URGENT”, highlight portions of text, or load up the email with HTML and various trackers. Many people view those sorts of messages as just petty annoyances, but let’s take a look at some actual phishes to see why they might actually be dangerous.

As we can see, two scammers attempting to impersonate Tessian executives rely very heavily on a sense of urgency to short circuit critical thinking skills that would easily catch out these phishes.     While on their own they’re not very sophisticated at all, when sent to an organization that bombards their users with urgent action required emails, the environment has already trained the users to look out for and at least open such messages.  As a result, false urgency is very frequently found in almost any malicious email. Let’s look at how formatting can abuse user trust as well.

This looks pretty good for the average phish, but we can mark it as malicious due to poor language skills alone. However, IT teams will commonly use formatting very similar to this to announce server upgrades and request user action.     Organizations will hide links behind buttons to be “friendly’, use red text to highlight a tl;dr, or use bolding liberally to draw the eye. While a deep read will reveal the above phish as fraudulent fairly easily, a user inundated with email is not going to deep read anything – especially if their IT team uses similar formatting on a regular basis.

A positive counterexample   Microsoft, once renowned for the most inscrutable error messages of all time in earlier versions of Windows (see above), has been putting increasing thought into how to communicate in effective ways with the end user. Let’s see how they communicate that a user’s operating system is at end of life for support.    

This can serve as a reasonable guide to how to communicate facts to the end user and request an action be taken. The negative outcome is centered, at the top, and large enough to be read first, but without any highlights or red text to suggest undue urgency.     Consequences of this outcome are listed clearly in idiomatically correct and simple English.  Lastly, the recommended action (clicking to be guided to an upgrade page) is gently highlighted but not required, and other options are presented to the user to avoid any pressure for a particular action.    Going against the grain of most corporate communications that tend to be quite directive, Microsoft is presenting simple facts in a clean, unhurried way, and providing options for action at the end user’s preferred pace.     Taking design cues from this error message can prompt a harried employee relying on heuristics rather than close reading to slow down and only take action when they have the resources to do so in a considered manner.  

Lessons learned   Sending messages to your employees that share design cues with phishes is not a great security outcome.  So how do we do better?  Comprehensive phishing solutions can catch a lot of nastiness on the front end and keep it out of the inbox.  But empowering users to spot and flag malicious content on their own can be a great adjunct strategy to catch threats that never make it to security staff.  We can help them do that by taking a deep look at what sort of information handling environment the user lives in and designing communication that makes full use of critical thinking easier rather than harder.  The above attacks were all caught via Tessian’s Defender module, with end user warnings like the one here.  Breaking up the user’s typical email experience and providing clear, simple information necessary to make a good judgment on the emails’ authenticity.    In these instances, augmenting technical controls by giving the user timely guidance helped us enable good outcomes for the attacks.  As with most email attacks, focusing on human factors has been a very effective force multiplier in keeping the organization safe.

Cybercrime is big business. But just how big? Well, big. A recent report from Cybercrime Magazine predicted cybercrime would cost the world $10.5 trillion annually by 2025. Bear in mind that estimates in 2020 were just over half that, at $6 trillion, and up from $2.9 trillion in 2015. So ,why is there a cybercriminal gold rush? And why are attacks getting increasingly more sophisticated, more numerous, and more successful?

Legacy solutions are no match for today’s attacks   As we noted in our recent Spear Phishing Threat Landscape Report, attacks are getting more sophisticated and are bypassing traditional defense systems like rule-based Secure Email Gateways (SEGs). We know this because we examined platform data and found that between July 2020 and July 2021, Tessian scanned nearly 4 billion emails and flagged nearly 2 million as malicious. These emails sailed right past our customers’ Secure Email Gateways (SEGs) and native tools and would have left employees as the last line of defense if it wasn’t for Tessian. Not only that, attacks are getting more frequent. Cybersecurity Magazine estimated a new ransomware attack hits every 11 seconds.    Oftentimes, big problems (like paying out millions for a ransom) can be traced back to small oversights. Like not using Multi-Factor Authentication (MFA). This is particularly common in mid-market SMEs, despite the fact that Microsoft Research found that MFA blocks 99.9% of all automated attacks. As Dave Kennedy, Founder of TrustedSec said at our Spring 2022 Human Layer Security Summit, just 22% of O365 users have MFA enabled. And so attackers can target these firms much more easily. SMEs also have smaller budgets and headcount allocated to cyber compared to the enterprise. The result: 60% of SMEs file for bankruptcy within six months of a breach. 

https://www.tessian.com/wp-content/uploads/2022/04/MFA-quote-Dave-Kennedy-Trusted-Sec.m4v

Email is inherently flawed   If someone broke into your office, chances are you’d know about it quickly and do something about it. Unfortunately, the same doesn’t apply to many organizations’ networks and inboxes. From a simple way of sending asynchronous ASCII messages between user accounts on an academic network in the 1970s, email has grown into a world-devouring beast that is the very backbone of commerce and information exchange. Over 7 billion users globally send and receive 333.2 billion emails a day. Such a vast user base means email is the number one threat vector. 

After all, for many, moving data via email IS their job. What’s more, email is on all our devices: desktops, tablets, and phones. But as Will Patterson, Enterprise Customer Success Lead, notes in this webinar, email has some inherent problems when it comes to security. Firstly, it’s open (in that you can email anyone) and secondly, email attacks are cheap to deploy; they’re effective and can be launched from anywhere. A big audience and low entry bar make it the ideal medium in which to conduct attacks.   It’s no wonder 90% of phishing occurs via email.

Cybercrime pays out – big time   Cybercriminals continue to attack because those attacks continue to be successful, netting potentially hundreds of thousands of dollars from companies for little effort and risk (compared with other types of crime).    The international nature of cybercrime adds another layer of complexity and helps shield attackers from law enforcement. According to the FBI, in 2021, BEC scammers made over $2.4 billion – far more than via any other type of cybercrime. Of course, the cost to the company isn’t just these initial losses, it’s the further costs of containing, reporting, and remediating the breach. IBM currently puts the cost to businesses at $4.24 million per breach. 

It’s faster, easier, and cheaper than ever to execute attacks   With such a big potential target group, attackers are using automation and off-the-shelf tools to not only launch attacks but process the data they exfiltrate in the process. And as James McQuiggan, Security Awareness Advocate at KnowBe4, said at our Fall Human Layer Security Summit, “the bad guys are buying the same hardware and software configurations we’re using – they’re then testing their attacks and then see what gets through”. So if criminals are automating many of their repetitive processes, you should too.   Not only that, but it’s also easier and cheaper than ever to execute attacks, and technical skills are no longer required. There are numerous tools, platforms, and services that make executing attacks as easy as building a webpage. The following open-source intelligence (OSINT) apps and tools can be used to gather precise information about a person’s social media details, location, and their work email address, making it impossibly easy to identify and manipulate a target.  

Security teams are burned out   Against this cybercrime tsunami stands the CISO and the company’s security team, and the daily battle to keep employees and the organization safe. That’s taking its toll on security teams, who are often stressed and burned out. Our Lost Hours Report found CISOs regularly working extra hours and overtime to keep the company secure from threats.    The CISOs we surveyed worked, on average, 11 hours more than they’re contracted to each week. Nearly 1 in 10 work 20-24 hours more a week. What’s eating up that time is dealing with potential breaches. A quarter of respondents say they spend 9-12 hours investigating and remediating each threat caused by human error, while more than 1 in 10 spend more than a day.    A global study by The Ponemon Institute found that the average amount of time required to identify a data breach is 197 days. that’s over six months. It then takes another 69 days on average to contain and deal with the fallout of that breach. Better alerts and warning systems, as well as swift procedures in place to respond to them, are a must. Over six months is more than enough time to wreak havoc in a network. In medicine, there’s the concept of ‘the golden hour’, security needs to aim for a golden 24 hours because the faster an organization can respond the better and faster its recovery will be. 

Employees are busy, stressed, and distracted   The modern workplace is a fuzzy blend of devices (laptop/phone) and locations (home/office/coffee shop etc) with people constantly switching between them trying to juggle, on average, around 100 emails a day. You can see why our Psychology of Human Error report found that 26% of people fell for a phishing email at work in the last 12 months alone. People are maxed out trying to do their jobs, and it’s exactly this pressure that attackers are looking to exploit and manipulate, which underscores the important of building a positive security culture alongside HR.   So, as cybercrime is becoming more and more profitable, here’s what you need to do to strengthen your security stack and keep your people and organization safe:   Layer up your security stack with Integrated Cloud Email Security (ICES) to augment your SEG Implement better email monitoring Automate repetitive security tasks Improve your response time and processes Work with the people team on fostering a positive security culture and engaging security awareness training programs And don’t forget to switch on MFA ASAP!

Key Takeaways   We’ve seen an upward trend in the number of suspicious emails being flagged related to Ukraine.  Spam campaigns started to appear only one day after the initial invasion by Russia.   The number of new domains containing “Ukraine” registered in 2022 is up 210% from 2021.   An average of 315 new Ukraine themed domains have been observed per day since the 24th February.  77% of these domains appear to be suspicious based on early indicators.

Overview   The conflict taking place in Ukraine has quickly become a common theme for threat actors and scammers alike. Tessian has observed an upward trend in Ukraine themed emails flagged by our platform, including a number of threat campaigns that are exploiting the conflict as a theme for new scams, malspam, and phishing.   In line with this, open source intelligence shows a significant increase in the number of Ukraine themed domains being registered, which can be used for malicious purposes.   The scams observed typically request donations in the form of crypto-currency under the pretense of supporting the Ukrainian humanitarian effort in the wake of the Russian invasion. The spam is similar to common campaigns previously observed, pushing links to suspicious e-commerce sites selling Ukrainian themed items.

Trend analysis Domain registrations   There has been a significant upward trend in the number of new domains being registered that contain “Ukraine”. The number of these domains being registered is up more than 210% in 2022, compared to 2021.   Researching domain registrations , we can see the upward trend progressing over the past two months. 

Since early March there has been an average of 340 new domains registered each day, either containing “Ukraine” or closely resembling the word.  Our platform observed an upward initial trend in Ukraine themed emails, which peaked early March. This included the spam campaigns and donation scams.

Threat campaign explainer  Donation Scams   Donations from around the world have been made in support of Ukraine in the wake of the Russian invasion. Unfortunately, leveraging humanitarian efforts such as the one currently underway in Ukraine to perpetrate phishing-related fraud has become a common modus operandi for threat actors and fraudsters. This explains why phishing remains among the top reported cybersecurity incidents according to the FBI’s latest Internet Crime Report, with over 323k reported incidents for 2021.   The donation scams vary in sophistication from basic emails containing a short message with a plea for help, to fake websites set up to impersonate certain charitable organizations like the British Red Cross.    One of these scam emails claims to be supporting the humanitarian aid effort in Ukraine and is requesting  Bitcoin cryptocurrency donations. Legitimate website  text and logos from the likes of UNICEF, Actalliance and the Australian Council for International Affairs (ACFID) are being fraudulently leveraged to enhance the authenticity of the phishing emails.   The threat campaign detailed below purporting to be a legitimate humanitarian aid effort for Ukraine from the ACFID, requests Bitcoin donations and allows victims to make the donation via direct Bitcoin address or via a malicious QR code.

Phishing email purporting to be from the ACFID  

Scanning the QR code with the iOS camera app will prompt you to open a locally installed payment app that supports Bitcoin. In this case, Cash App.   According to Blockchain Explorer, the last transaction to take place with the address in this email was on 2022-02-14 with only 6 transactions in total.    Another donation scam was sent from a newly registered domain redcrossukraine[.]org impersonating the Red Cross in Ukraine. The email contained a link to a professional looking website containing details of the Ukraine conflict as well as instructions on how to donate cryptocurrency in aid of Ukraine.

The site was based on a bootstrap template by BootstrapMade which gave it the look and feel of a legitimate website. Towards the bottom were references to addresses for 3 different crypto wallets you could send payments to as a ‘donation’. One for Bitcoin, one for Ethereum, and one for Tether cryptocurrency.

Ukraine themed spam   Spammers have also quickly reacted to the invasion of Ukraine by adjusting the themes of their campaigns.    One notable spam campaign, only a day after the initial invasion, began blasting out spam with links to suspicious e-commerce sites pushing the sale of t-shirts and other items to show support for Ukraine.   The emails sent out in the campaign have subjects like “I Stand With Ukraine Shirts” and contain images of t-shirts with slogans in support of Ukraine. The emails also contain links pointing to sites like mimoprint[.]info or mabil-store[.]com where you can browse and purchase some of the products referenced in the email.   Links resolving to recently created sites like mimoprint[.]info or mabil-store[.]com were sent out in emails with subjects like  “I Stand With Ukraine Shirts”. Searching this site online reveals some reviews claiming that they are a scam and if a purchase is made then no product is received. Other reviews claim they steal designs from users on other sites.    Recommended action  Some charities do and are accepting cryptocurrency donations. But be cautious of any emails purporting to aid or receive donations in an effort to support the humanitarian effort in Ukraine. If cryptocurrency is requested from an unsolicited email then the likelihood is that it is a scam.   Before interacting with any Ukrainian themed email received, check the source and email header to confirm the organization it originated from is legitimate.   If you want to make a donation in support of Ukraine, then the best way is to go directly to your preferred charitable organization. CNET has published a list of reputable charities you can donate in aid of Ukraine. 

According to our new research, one in four employees lost their job in the last 12 months after making a mistake that compromised their company’s security. The new report, which explores human error on email at work, also found that:   Just over one in four respondents (26%) fell for a phishing email at work, in the last 12 months  Two-fifths (40%) of employees sent an email to the wrong person, with almost one-third (29%) saying their business lost a client or customer because of the error Over one-third (36%) of employees have made a mistake at work that compromised security and fewer are reporting their mistakes to IT

Why do people make mistakes at work?   When asked why these mistakes happened, half of employees said they had sent emails to the wrong person because they were under pressure to send the email quickly – up from 34% reported by Tessian in its 2020 study – while over two-fifths of respondents cited distraction and fatigue as reasons for falling for phishing attacks. More employees attributed their mistakes to fatigue and distraction in the past year, versus figures reported in 2020, likely brought on by the shift to hybrid working   “With the shift to hybrid work, people are contending with more distractions, frequent changes to working environments, and the very real issue of Zoom fatigue – something they didn’t face two years ago,” said Jeff Hancock, a professor at Stanford University who contributed to the report. 

People are falling for more advanced phishing attacks    While the number of employees who fell for phishing attacks only increased by 1% in the last 12 months, people were far more likely to fall for more advanced phishing attacks than they were in 2020.    Over half of employees (52%) said they fell for a phishing email because the attacker impersonated a senior executive at the company – up from 41% reported in 2020. In comparison, click-through rates on phishing emails whereby threat actors impersonated well-known brands dropped. These findings mirror those reported by the FBI, which found that business email compromise attacks (BEC) are eight times more common than ransomware and the losses from these attacks continue to grow year on year.    People were also susceptible to phishing attacks over SMS (smishing), with one-third of respondents being duped by a smishing request in the last 12 months, compared to 26% of those who fell for phishing scams over email. Older employees were more susceptible to smishing attacks; one-third of respondents aged over 55 complied with requests in smishing scam versus 24% of 18-to 24-year-olds.

The consequences for accidental data loss are more severe   On average, a US employee sends four emails to the wrong person every month – and organizations are taking tougher action in response to these mistakes that compromise data. Nearly a third of employees (29%) said their business lost a client or customer after sending an email to the wrong person – up from the 20% in 2020. One in four respondents (21%) also lost their job because of the mistake, versus 12% in July 2020.    Over a one-third (35%) of respondents had to report the accidental data loss incidents to their customers, breaking the trust they had built. Businesses also had to report the incidents to regulators. In fact, the number of breaches reported to the Information Commissioner’s Office, caused by data being sent to the wrong person on email, was 32% higher in the first nine months of 2021 than the same period in 2020.

Employees are fearful of reporting mistakes   With harsher consequences in place, Tessian found that fewer employees are reporting their mistakes to IT. Almost one in four (21%) said they didn’t report security incidents, versus 16% in 2020, resulting in security teams having less visibility of threats in the organization.

Josh Yavor, CISO at Tessian, said, “We know that the majority of security incidents begin with people’s mistakes. For IT and security teams to be successful, they need visibility into the human layer of an organization, so they can understand why mistakes are happening and proactively put measures in place to prevent them from turning into serious security incidents. This requires earning the trust of employees; and bullying employees into compliance won’t work. Security leaders need to create a culture that builds trust and confidence among employees and improves security behaviors, by providing people with the support and information they need to make safe decisions at work.”