Spear Phishing
Phishing in Retail: Cybercriminals Follow The Money
07 May 2020
Retailers have always been a lucrative target for cybercriminals and their phishing scams — even more so during peak shopping times. The thing is, cybercriminals always follow the money and opportunistic hackers will find ways to cash in on spikes in consumers’ spending.  During the coronavirus lockdown, for example, global payments systems provider ACI Worldwide found that online sales for retailers dramatically increased. It reported a 74% growth in average transaction volumes in March 2020, compared to the same period the year before. However, while they saw an increase in online sales, they also saw a spike in fraudulent activity and Covid-19 phishing scams.  We see a similar trend around retailers’ busiest shopping period of the year – Black Friday.  A golden opportunity for fraudsters US shoppers spent a record $7.4bn on Black Friday in 2019, and a further $9.2bn on Cyber Monday. In the UK, Barclaycard reported that transaction value was up 16.5% in 2019, compared to Black Friday in 2018. A golden opportunity for fraudsters. When we surveyed IT decision makers at UK and US retailers, the majority told us the number of number of phishing attacks their company receives during the Black Friday weekend spikes. In fact, respondents said they receive more phishing attacks in the last three months of the year – in the lead up to the holidays – compared to the rest of the year. Consequently, one in five IT decision makers told us that phishing poses the greatest threat to their retail organization during peak shopping times. They identified phishing as a bigger threat to their business than ransomware or Point of Sale (PoS) attacks. Their reasons? They aren’t confident that their staff will be able to identify the scams that land in their inbox during these busier periods, namely because people are receiving more emails at this time and are more distracted. A third of IT decision makers in retail also told us that phishing emails are, simply, becoming harder to spot. The high price of a phishing attack The devastating consequences of falling for a phishing attack are troubling the IT leaders we surveyed. Over a third said financial damage would have the greatest impact to their business following a successful phishing attack. It’s not surprising. Today, the average cost of a phishing attack on a mid-size company is $1.6 million. For small businesses, the cost of a cyber attack stands at just over $53,000 – a devastating blow for any small retailer and one that could put them out of business. More sales, more mistakes The people-heavy nature of the retail industry is something cybercriminals prey on. Using sophisticated social engineering techniques and clever impersonation tactics, they’re counting on people making a mistake and falling for their scams.  Sadly, during busy shopping periods, mistakes are likely to happen. When faced with hundreds of orders, thousands of customers to respond to, and overwhelming sales targets, cybersecurity is rarely front of mind as people just focus on getting their jobs done. In these situations, you can’t expect people to accurately spot a phishing scam every time. New solutions needed Retailers, therefore, need to consider how they can protect their people from the growing number of phishing scams plaguing the industry — beyond training and awareness. In our report – Cashing In: How Hackers Target Retailers with Phishing Attacks – we look into the biggest threats IT leaders in the retail sector face, reveal the gaps in security that need addressing, and explain how to best protect people on email. 
Spear Phishing
How to Avoid the PPP Scams Targeting Small Businesses
By Maddie Rosenthal
01 May 2020
On April 27, the U.S government’s coronavirus relief fund for small businesses – the Payroll Protection Program – resumed lending, after an additional $320 billion in funding was authorized to help small businesses keep employees on the payroll. The program will provide much needed relief for small businesses, but it could also provide cybercriminals with another prime opportunity to cash in on Covid-19 related schemes. Over the last month, Tessian has identified ways in which criminals have taken advantage of the global pandemic to make their scams more effective – from impersonating remote working and collaboration tools to tricking people into clicking onto fake stimulus check domains.  We are now warning small businesses of the PPP and CARES Act scams that they could face.  Tessian’s latest research reveals that 645 domains related to the PPP were registered between March 30 and April 20, with the majority of the domains being registered in the week following the US government’s announcement on March 31.  While 85% of the domains are offline, it’s unclear how long they will remain offline for. Of the newly registered domains that are currently live: 35% were registered as multiple domains that lead users to the same website. The 31 of the grouped domains only lead people to eight websites. 28% were from different loan providers that have a separate PPP presence through an online form. Although these may not all be spammy, it’s important for people to be wary of what they’re signing up for, what information they’re sharing and any associated costs. 24% were law firms and consultants offering their services. Around 10% were “advisory,” giving businesses information about PPP in a blog style without any notable Call To Action or service. Worryingly, a recent survey by IBM X-Force found that only 14% of small business owners say they are very knowledgeable about how to access the SBA’s loan relief program. Cybercriminals will use this to their advantage, targeting those individuals seeking more information or guidance on the PPP. And although not every newly registered PPP domain may be malicious, it’s possible that these websites could be set up to trick people into sharing money, credentials or personal information.  Small businesses have been prime targets throughout the global pandemic. We’ve seen a number of spam campaigns whereby hackers impersonate the Small Business Administration (SBA) or well-respected banks to entice people into opening malicious attachments or sharing sensitive information. At this time, we urge small business owners and staff to think twice about what they share online and question the legitimacy of the emails they receive.  Our advice to avoiding the PPP scams: Be cautious about sharing personal information online. If it doesn’t look right, it probably isn’t. Understand the Call To Action on these PPP-related sites and emails you receive from them asking for urgent action or to click links.  Make sure any sites offering consultancy services are legitimate before sharing information or money. Always check the URL and, if you’re still not sure, verify by calling the company directly. Never share direct deposit details or your Social Security number on an unfamiliar website. Always use different passwords when setting up new accounts on websites. And enable two-factor authentication on all the services that you use.
Spear Phishing
Spotting the Stimulus Check Scams
16 April 2020
Since the US government announced that citizens who make less than $75K would receive $1,200 checks, we have found that there have been 673 newly registered domains related to the $2T stimulus package.  Unlike the domains spoofing the U.S. Census that we discovered earlier this month, these URLs aren’t intended to mimic official government websites. Rather, these domains have been set up to take advantage of the stimulus package, using common questions or key words to lure users in such as whereismystimuluscheck.com or covid-19-stimulus.com.  Where do these new domains go? When we looked at the newly registered domains more closely, we found that nearly half of the newly registered domains hosted websites offer the following services: Consultancy: helping people with the paperwork to get their checks Calculators: asking users to enter their personal information, such as their age and address, to find out how much money they are entitled to Donations: giving people the opportunity to donate their check to a Covid-19 related cause Business loans We also found that 7% of these spoofed domains were spam websites, with no clear call to action. With hackers capitalizing on this global health crisis to launch targeted phishing scams, people need to be mindful of what information they share on these sites.  The thing is that cybercriminals will always follow the money, looking for ways to take advantage of the fact people will be seeking more information or guidance on the stimulus package. Although not every domain registered in the last month may be malicious, it’s possible that these websites offering consulting and business loans could be set up to trick people into sharing money or personal information.  Our advice? Always check the URL of the domain and verify the legitimacy of the service by calling them directly before taking action.  Think twice about sharing your data It’s also important to consider what data you are being asked to share via websites offering calculators or status checks, and what the websites offer after you have taken an action. Cybercriminals could use the information you shared to craft targeted phishing emails that include the ‘results’ of your assessment, tricking you to click on malicious links with the intention of stealing money, credentials or installing malware onto your device. Earlier this week, the IRS launched a new online resource for citizens to check on their payment status. We anticipate that even more URLs will crop up as a result of this. How to avoid potential scams Think twice before sharing personal information to calculator websites. If it doesn’t look right, it probably isn’t  Make sure the educational sites offering consultancy services are legitimate before sharing information or money. Always check the URL and, if you’re still not sure, verify by calling the company directly Never share direct deposit details or your Social Security number on an unfamiliar website Take care when sharing your email address and other personal information on websites like the calculator ones and question the legitimacy of the emails sharing your results before clicking on any links Always use different passwords when setting up new accounts on these websites  
Spear Phishing
COVID-19: Real-Life Examples of Opportunistic Phishing Emails
15 April 2020
A few weeks ago we published the post below, which included real-world examples of opportunistic phishing attacks exploiting COVID-19. One of the phishing attacks pretended to be from “Management” and contained an attachment with guidance on how to stay safe. Another attack was designed to look like an account activation email for a remote-working tool; it was sent by “IT Support.” We have two more real-world examples, and this time the attackers are impersonating a company that has seen tremendous attention and adoption with the rise of remote-working: Zoom.  Phishing Email #1: Your CEO is Waiting for You
What’s wrong with this email? The Display Name ([email protected]) and the email address do not match. The actual sender address is [email protected] The attacker, who sent the email on a Friday afternoon, is hoping that the target will a) be motivated to respond quickly to a meeting request from the CEO and b) be less scrutinizing and security-conscious as it’s the end of the week.  The target is being encouraged to click on a seemingly legitimate Zoom link, which would likely lead to a malicious site or could deploy malware.  Upon hovering over the provided link, you’ll find the URL is actually different than the hyperlink would lead you to believe The closing of the email is suspicious: “This message is from your company’s IT.” NB: This phishing email is a direct spoof and was prevented because of DMARC; it was automatically sent to a Spam folder. If you haven’t set your DMARC records correctly, these emails will fly past existing defenses.
Phishing Email #2: Generic Zoom Spoof
What’s wrong with this email? The Display Name (tessian.com ZoomCall) and the email address do not match, but the attacker is hoping the recipient doesn’t look beyond the sender Display Name. The conference call time and date in the email subject line seem to have already passed, based on when the attack was received. Note this email was received at 3:22am, so would likely be the first email the recipient reads in the morning.  The email contains the message “Zoom will only keep this message for 48 hours.” This combined with the subject line adds a sense of urgency and could potentially convince the recipient they’ve missed something important and should quickly try to remedy it.  The target is being encouraged to click on a seemingly legitimate Zoom link, which would likely lead to a malicious site or could deploy malware.  We’ve been pulling together guidance and resources to help employees and businesses stay safe while working remotely. If you suspect you’ve been targeted by a phishing attack, do not click any links or download attachments. Instead, directly contact the sender via phone or a messaging app to confirm legitimacy of the email and immediately alert your IT or security team.
__________________________________________ Original post from Tuesday March 24, 2020 Over the last several weeks, there’s been a surge in opportunistic phishing attacks in which hackers are using the outbreak of COVID-19 to dupe targets into following links, downloading attachments, or otherwise divulging sensitive information.  We highlighted a few examples of phishing scams both consumers and employees should be aware of in our blog post, Coronavirus and Cybersecurity: How to Stay Safe from Phishing Attacks. Importantly, though, the examples were anecdotal.  Now, we want to share two real-life examples that Tessian Defender has flagged internally since the original blog was published.  Phishing Email #1: The Attacker is Capitalizing on Fear Around COVID-19
What’s wrong with this email? The Display Name (Information Unit) and the email address do not match at all. (What’s more, ‘Information Unit’ is not a genuine internal group at Tessian.) The attacker, who sent the email late-afternoon on a Friday, is no doubt hoping that the target – our marketing team –  is less scrutinizing and security-conscious as the week comes to a close, especially when employees across the globe are working from home. The target is being encouraged to download an attachment, which opens a fake login page to steal the victim’s credentials. The email is rife with spelling and grammar errors as well as formatting inconsistencies and the unconcerned, mechanical language is out-of-character for anyone in management, especially given the content of the email.  The attacker used complex encoding to try to evade traditional phishing detection tools that would scan for certain keywords in the email’s body. How? By interspacing different invisible characters between other characters so that the content looks like gibberish. Below is a screenshot of encoding in the email body for reference. Here, you see the characters marked “transparent”; those are the invisible characters.
Phishing Email #2: The Attacker Baits the Target With a Remote-Working Tool
What’s wrong with this email? The Display Name ([email protected]) and the email address are in stark contrast. This sender’s email address is a direct spoof of the domain (tessian.com). The attacker is taking advantage of the fact that many employees around the world are now suddenly working from home and in need of remote-working tools. Therefore, targets are more likely to trust that their employer has, in fact, set them up for remote connection provided by a VPN vendor. The way this email is constructed – poor grammar and impersonal – makes it obvious to a Tessian employee that this is not legitimately from our IT manager. The target is being encouraged to follow a link, which looks inconspicuous. But, upon hovering, you’ll see that the link the target will actually be led to is suspicious.
Important: Because Tessian has DMARC enabled, emails that spoof our domain are automatically sent to “quarantine”. That means the email was never actually received by the target and instead went straight to a spam folder. Unfortunately, though, a lot of companies don’t have DMARC enabled. In fact, nearly 80% of domains have no DMARC policy. Now that you know what these opportunistic phishing emails look like, what do you do if you’re targeted? That is, after all, what’s really important when it comes to preventing a data breach.  What to Do If You’re Targeted by a Phishing Attack If anything seems unusual, do not follow or click links or download attachments. Instead, visit the brand’s website via Google or your preferred search engine, find a support number, and ask them to confirm whether the communication is valid. If the email appears to come from someone you know and trust, like a colleague, reach out to the individual directly by phone, Slack, or a separate email thread. Rest assured, it’s better to confirm and proceed confidently than the alternative.  If you’re an employee who’s been targeted, contact your line manager and/or IT team. Unfortunately, hackers are taking advantage of other opportunities to target individuals and businesses, including: Tax Day The US Census Stimulus Checks  You can also find information, including the types of brands and people hackers try to impersonate and how to spot a suspicious or spoofed email address, here. 
Compliance Data Loss Prevention Spear Phishing
Advice from Security Leaders for Security Leaders: How to Navigate New Remote-Working Challenges
15 April 2020
As a part of our ongoing efforts to help security professionals around the world manage their new remote workforces, we’ve been holding virtual panel discussions and roundtables with ethical hackers and security and compliance leaders from some of the world’s leading institutions to discuss cybersecurity best practice while working from home. Our panelists and speakers have included David Kennedy, Co-Founder and Chief Hacking Officer at TrustedSec, Jenna Franklin, Managing Counsel, Privacy & Data at Santander, Stacey Champagne, Head of Insider Threat at Blackstone, Ben Sadeghipour, Head of Hacker Education at HackerOne, Chris Turek, CIO at Evercore, Jon Washburn, CISO at Stoel Rives, Peter Keenan, CISO at Lazard, Gil Danieli, Director of Information security at Stroock, and Justin Daniels, General Counsel at Baker Donelson We’ve compiled some of the key takeaways to help IT, privacy, and security professionals and employees stay secure wherever they’re working.  Interested in joining a future roundtable? You can register here.
How to defend against spear phishing (inbound threats) Communicate new threats. Cybercriminals are carrying out opportunistic phishing attacks around COVID-19 and the mass transition from office-to-home. Keep employees in the loop by showing them examples of these threats. But, it’s important to not over-communicate. That means you should ensure there’s one point of contact (or source of truth) who shares updates at a regular, defined time and cadence as opposed to different people sharing updates as and when they happen. Create policies and procedures around authenticating requests. Communicating new threats isn’t enough to stop them. To protect your employees and your data, you should also set up a system for verifying and authorizing requests via a known communication channel. For example, if an employee receives an email requesting an invoice be paid, they should contact the relevant department or individual via phone before making any payments. Enable multi-factor authentication. This easy-to-implement security precaution helps prevent unauthorized individuals from accessing systems and data in the event a password is compromised.   Encourage reporting. Creating and maintaining a positive security culture is one of the best ways to help defend against phishing and spear phishing attacks. If employees make a habit of reporting new threats, security and IT teams have a better chance of remediating them and preventing future threats.  Update security awareness training. Remote-working brings with it a host of new security challenges. From the do’s and don’t of using personal devices to identifying new threat vectors for phishing, employees need to refresh their security know-how now more than ever.
How to defend against data exfiltration (outbounds threats) Exercise strict control over your VPN. Whether it’s disabling split tunneling on your  VPN or limiting local admin access, it’s absolutely vital that you minimize lateral movements within your network. This will not only help prevent insider threats from stealing data, but it will also prevent hackers from moving quickly from one device to another.  Block downloads of software and applications. This is one of the easiest ways to minimize the attack vectors within your network. By preventing downloads by individual users, you’ll be able to exercise more control over the software and applications your employees use. This way, only vetted tools and solutions will be available for use.  Secure your cloud services. As workforces around the world are suddenly remote, cloud services are more important than ever. But, it’s important to ensure the infrastructure is configured properly in order to reduce risk. We recommend limiting access whenever possible (without impeding productivity) and creating policies around how to safely share documents externally. Create a system for onboarding and offboarding employees. Both negligent and malicious incidents of data exfiltration are on the rise. To prevent new starters or bad leavers from mishandling your data, make sure you create and communicate new policies for onboarding and offboarding employees. In order to be truly effective, this will need to be a joint effort between HR, IT and security teams. Update security awareness training. Again, remote-working brings with it a host of new security challenges. Give your employees the best chance of preventing data loss by updating your security awareness training. Bonus: Check your cybersecurity insurance. Organizations are now especially vulnerable to cyber attacks. While preventative measures like the above should be in place, if you have cybersecurity insurance, now is the time to review your policy to ensure you’re covered across both new and pre-existing threat vectors.  Our panelist cited two key points to review: If you are allowing employees to use personal devices for anything work-related, check whether personal devices are included in your insurance policy. Verify whether or not your policy places a cap on scams and social engineering attacks and scrutinize the language around both terms. In some instances, there may be different caps placed on these different types of attacks which means your policy may not be as comprehensive as you might have thought. For example, under your policy, what would a phishing attack fall under? 
How to stay compliant Share updated policies and detailed guides with employees. While employees may know and understand security policies in the context of an office environment, they may not understand how to apply them in the context of their homes. In order to prevent data loss (and fines), ensure your employees know exactly how to handle sensitive information. This could mean wearing a headset while on calls with clients or customers, avoiding any handwritten notes, and – in general – storing information electronically. Update security awareness training. As we’ve mentioned, organizations around the world have seen a spike in inbound attacks like phishing. And, when you consider that 91% of data breaches start with a phishing attack, you can begin to understand why it’s absolutely essential that employees in every department know how to catch a phish and are especially cautious and vigilant when responding to emails. Conduct a Data Protection Impact Assessment (DPIA). As employees have moved out of offices and into their homes, businesses need to ensure personal data about employees and customers is protected while the employees are accessing it and while it’s in transit, wherever that may be. That means compliance teams need to consider localized regulations and compliance standards and IT and security teams have to take necessary steps to secure devices with software, restricted access, and physical security. Note: personal devices will also have to be safeguarded if employees are using those devices to access work.  Remember that health data requires special care. In light of COVID-19, a lot of organizations are monitoring employee health. But, it’s important to remember that health data is a special category under GDPR and requires special care both in terms of obtaining consent and how it’s processed and stored.  This is the case unless one of the exceptions apply. For example, processing is necessary for health and safety obligations under employment law. Likewise, processing is necessary for reasons of public interest in the area of public health. An important step here is to update employee privacy notices so that they know what information you’re collecting and how you’re using it, which meets the transparency requirement under GDPR.   Revise your Business Continuity Plan (BCP). For many organizations, recent events will have been the ultimate stress test for BCPs. With that said, though, these plans should continually be reviewed. For the best outcome, IT, security, legal, and compliance teams should work cross-functionally. Beyond that, you should stay in touch with suppliers to ensure service can be maintained, consistently review the risk profile of those suppliers, and scrutinize your own plans, bearing in mind redundancies and furloughs.  Stay up-to-date with regulatory authorities. Some regulators responsible for upholding data privacy have been releasing guidance around their attitude and approach to organizations meeting their regulatory obligations during this public health emergency.  In some cases, fines may be reduced, there may be fewer investigations, they may stand down new audits, and – while they cannot alter statutory deadlines – there is an acknowledgment that there may be some delays in fulfilling certain requests such as Data Subject Access Requests (DSARs). The UK privacy regulator, the ICO, has said they will continue acting proportionately, taking into account the challenges organizations face at this time. But, regulators won’t accept excuses and they will take strong action against those who take advantage of the pandemic; this crisis should not be used as an artificial reason for not investing in security.  
Looking for more advice around remote-working and the new world of work? For more practical advice from security leaders for security leaders and privacy professionals, join us for our next virtual panel discussion on April 30. We’ve also created a hub with curated content around remote working security which we’ll be updating regularly with more helpful guides and tips.
Spear Phishing
How to Spot and Avoid 2020 Census Scams
By Maddie Rosenthal
07 April 2020
In case you missed it, Tessian recently published a blog around the most common types of Tax Day scams in both the US and the UK.  Unfortunately, though, these aren’t the only opportunistic phishing attacks bad actors are carrying out this time of the year. They’re also launching Census scams.  As they do in Tax Day scams, cybercriminals will be impersonating government agencies. In this case, you’ll find they’re generally impersonating either the U.S. Census Bureau or an agent, or a third-party agency working for the U.S. Census Bureau. What do Census scams look like? Hackers have a range of threat vectors they can use to carry malware or gain access to sensitive information. In the past, we’ve seen attacks via email, phone, social media, job boards, and even traditional mail.  The common thread between all of these attacks is the request for sensitive personal information like home addresses, social security numbers, ethnicity and information related to the members of your household. This information could be used to make you a victim of identity theft. It’s important to remember that attacks may not ask directly for this information and may instead direct you to another webpage or portal via a link or QR code.  In this post, though, we’ll focus on email scams.  Example: Email Survey Scam
What’s wrong with this email? The US Census Bureau conducts surveys online, over the phone, via mail, or in-person, not via email.  While the Display Name looks authentic, the full email address is suspicious and inconsistent and doesn’t match the legitimate domain, which is @census.gov. Upon hovering over the link, you’ll see the URL is suspicious. Not only is the website connection not secure (remember: https indicates a secure connection), but the format and website name are both unusual.  Who will be targeted by Census scams?  Because it’s mandatory for all households to participate in the census, every US resident over 18 years of age is at risk of being targeted. That means that over the next several weeks, everyone in every state needs to exercise caution when responding to a request for personal information that appears to be coming from the U.S. Census Bureau or an affiliated individual or organization.   What do I do if I’m targeted by a phishing attack?  While it’s true that attackers use different tactics and capitalize on different moments in time to trick their targets, individuals should always follow the same guidelines if they think they’ve received a fraudulent request for information, whether by mail, email, SMS, or another online forum.  If anything seems unusual, do not follow or click links or download attachments.  The best way to avoid falling victim to one of these scams – whether over email, online, or over the phone – is to simply not provide any personal information until you verify with 100% certainty that you’re communicating with a genuine agency, organization, or agent. Visit the organization’s website via Google or your preferred search engine, find a support number, and ask them to confirm the request for information is valid. If you’ve been targeted, report the attack to the Census Bureau. Call 1-800-354-7271, in English, or 1-800-833-5625, in Spanish. More resources The best way to stay safe is to stay informed.  The Census Bureau has issued its own advice on how to stay safe from phishing scams online and over the phone. Read their tips here. 
Spear Phishing
Everything You Need to Know About Tax Day Scams 2020
By Maddie Rosenthal
07 April 2020
While the world’s workforce has been adjusting to remote-working over the last several weeks and has, at the same time, become aware of opportunistic phishing attacks around COVID-19, attackers have been plotting their next attack: Tax Day Scams. These phishing attacks can take many different forms and target both US and UK residents. In the US, these attacks will use the deadline to file your income tax returns as bait. In the UK, these attacks will use your potential tax refund as bait.  But we’re here to help.  Here’s what you need to look out for and what to do in case you’re targeted by Tax Day scams. 
 What do Tax Day scams look like? As is the case with other phishing and spear phishing attacks, hackers will be impersonating trusted brands and authorities and will be – in some way – motivating you to act. Let’s take a closer look at how they do both through a series of examples. Example 1: IRS Impersonation 
What’s wrong with this email? The IRS has said they never contact taxpayers by email, so any correspondence “from” them is illegitimate. There is an extra “r” in “internal” in the sender’s email address Email addresses from government agencies will contain the toplevel domain “.gov”. There are spelling errors and inconsistencies in the text that you wouldn’t expect from a government agency. Example 2: Tax-Preparation Software Impersonation
What’s wrong with this email? While the sender’s email address does contain Fast Tax, the company name, the toplevel domain name (.as) is unusual. The sender is motivating the target to follow the embedded link by claiming their tax return is incomplete. Upon hovering over the link, you’ll see the URL is suspicious. Please note, though: A suspicious URL can still take you to a landing page that appears legitimate. Example 3: HMRC Impersonation
What’s wrong with this email? While the Display Name, email template, logos, and language used in the email seem consistent with HMRC, the sender’s email address contains the toplevel domain “.net” instead of “.gov.uk” Upon hovering over the link, you’ll see the URL is suspicious.  Example 4: Client Impersonation
What’s wrong with this email? Unfortunately, in this case, there are no obvious giveaways that this is a phishing scam. However, if Joe, the tax accountant in this scenario, knew he hadn’t met or interacted with a woman named Karen Belmont, that could be a warning sign. Individuals and organizations should always be wary of attachments and should have anti-malware and/or virus protection in place. Example 5: CEO Impersonation
What’s wrong with this email? The root domain (supplier-xyz) in the sender’s email address is inconsistent with the toplevel domain (.com) in the recipient’s email address. The attacker is  impersonating the CEO in hopes that the target will be less likely to question the request.  The attacker is using urgency both in the subject line and the email copy to motivate the target to act quickly. Because this is a zero-payload attack (an attack that doesn’t rely on a link or attachment to carry malware), anti-malware or anti-virus software wouldn’t detect the scam. Who will be targeted by Tax Day scams?  From the examples above, you can see that cybercriminals will target a range of people with their Tax Day scams. Taxpayers, tax professionals, and businesses are all susceptible and savvy hackers will use different tactics for each.  Here’s what you should look out for. Taxpayers Attackers will be impersonating trusted government agencies like HMRC and IRS and third-parties like tax professionals and tax software vendors. Attackers will use coercive language and the threat of missed deadlines or promises of refunds to motivate their targets to act. Many phishing emails contain a payload; this could be in the form of a malicious link or attachment.  For more information on payloads, read this comprehensive guide to phishing scams. Tax Professionals Attackers will be impersonating either existing clients/customers or prospects. In either case, they’ll be pretending to need help with their tax return or tax refund. Attackers will use the lure of new business or the threat of losing a customer to motivate their targets to act. Many phishing emails contain a payload; this could be in the form of a malicious link or attachment.  Businesses Attackers will be impersonating CEOs, HR representatives, Finance Directors, or other individuals or agencies who need access to sensitive tax information. Attackers are strategic in their impersonations of people in positions of power; people are less likely to question their superiors.  What do I do if I’m targeted by a phishing attack? While it’s true that attackers use different tactics and capitalize on different moments in time to trick their targets, individuals and businesses should always follow the same guidelines if they think they’ve received a phishing email.
If anything seems unusual, do not follow or click links or download attachments.  The best way to avoid falling victim to one of these scams is to simply not provide any personal information until you verify with 100% certainty that you’re communicating with a genuine agency, organization, or agent. Visit the organization’s website via Google or your preferred search engine, find a support number, and ask them to confirm the request for information is valid. If the email appears to come from an individual you know and trust, like a colleague, customer, or client, reach out to the individual directly by phone, text or a separate email thread. If you’re an employee who’s been targeted, contact your line manager and/or IT team. Management should, in turn, warn the larger organization.
More resources As a security start-up, we’re committed to helping you stay safe. If you’re looking for more information on Tax Day scams, consult the following government websites. Advice from the IRS Advice from HMRC
How to protect your organization from phishing attacks year-round As we’ve mentioned, Tax Day scams are just one of the ways bad actors will try to get hold of sensitive information or infect devices with malware. The best way to avoid falling for these scams year-round is to educate your employees and stay vigilant.  If you’re an organization, it only takes one mistake, one time for your most sensitive data to fall into the wrong hands. If you’re an IT or Security professional looking for a solution that’s more effective than awareness training and SEGs at preventing advanced phishing threats, consider Tessian Defender.  Book a demo now to find out how Tessian uses contextual machine learning to detect and prevent advanced spear phishing attacks without impeding on employee’s productivity. 
Spear Phishing
Coronavirus and Cybersecurity: How to Stay Safe From Phishing Attacks
17 March 2020
Hackers love emergencies and times of general uncertainty. Why? Because people are scared, distracted, potentially desperate, and are therefore vulnerable—making them ideal targets. As COVID-19 continues to spread and global concern about the pandemic rises, bad actors will be impersonating trusted institutions like healthcare organizations, insurance companies, banks, and airlines in order to steal money, harvest credentials, or install malware on your computer…and that’s just on the consumer side.  When it comes to business, trusted individuals and brands will be impersonated. For example, hackers will impersonate out-of-office CxOs and popular web conferencing applications, especially as organizations encourage and rely on remote-working. Internally at Tessian, we’ve shared tips with our employees on how to spot this type of scam and what to do in case you’re targeted. We think it’s important to spread the message and raise awareness with everyone.  Consumers: What Should You Look For? Hackers will be impersonating trusted brands. Carefully inspect all emails, but be especially wary of those coming from healthcare organizations, insurance companies, banks, and airlines, especially those that ask you to “Confirm you are safe”, “Confirm you haven’t traveled to recently affected COVID-19 countries”, or anything similar.  Look beyond the Display Name and examine the full email address of every sender. While hackers can directly spoof an email address, they’ll often change, remove, or add one letter to the genuine email address, making the difference difficult to spot. The goal of a phishing attack is to steal money, harvest credentials, or install malware. That means hackers will motivate you to act, either by encouraging you to download an attachment, follow a link, transfer money, or respond with personal details. These are all red flags.   While hackers can certainly craft perfectly believable correspondence, phishing emails may contain spelling errors or branding inconsistencies either in the logo, email template, or a landing page.  Employees: What Should You Look For? Hackers will be impersonating people within your organization and third-parties like suppliers or vendors. You should be cautious when responding to any internal email that mentions the sender being out-of-office and any third-party email that comes from a source you don’t recognize or that requires urgent action. Look beyond the Display Name and examine the full email address of every sender. While hackers can directly spoof an email address, they’ll often change, remove, or add one letter to the genuine email address, making the difference difficult to spot. The goal of a phishing attack is to steal money, harvest credentials, or install malware. That means hackers will motivate you to act, either by encouraging you to download an attachment, follow a link, transfer money, or respond with personal details. These are all red flags.   While hackers can certainly craft perfectly believable correspondence, phishing emails may contain spelling errors, language or requests that are out-of-character, and branding inconsistencies. These red flags are all a bit easier to spot when you have a bit more context. Below are just a few examples of phishing emails that you may see over the next few weeks. The Fraudulent Third-Party
What’s wrong with this email? The sender’s email address contains irregular characters and doesn’t match the Display Name. Organizations should send internal communications to let their employees know they’ve implemented new tools or platforms. You shouldn’t be hearing about it from the third-party first. Upon hovering over the link, you’ll see the URL is suspicious. Please note, though: A suspicious URL can still take you to a landing page that appears legitimate. The Out-Of-Office Boss
What’s wrong with this email? The sender’s email address is from a freemail domain (@yahoo.com) and not from within the organization. The attacker is giving the email a sense of urgency. That attacker is using remote-working as a ploy to encourage the target to do something unusual. The attacker is impersonating a person in power; this is a common tactic in social engineering schemes. The Concerned Counterparty
What’s wrong with this email? The toplevel domain (.net) is unusual and inconsistent with previous emails from this supplier. The attacker is using fear and urgency to motivate the target to act. Upon hovering over the link, you’ll see the URL is suspicious. Please note, though: A suspicious URL can still take you to a landing page that appears legitimate. The “Helpful” Government Organization
What’s wrong with this email? All valid email correspondence from WHO will come from @who.int, not any other variation. The attacker is using the fear of COVID-19 to motivate the target to download the malicious attachment. Like many other organizations, WHO has stipulated they will never send unsolicited emails containing attachments. The Proactive Health Insurance Provider
What’s wrong with this SMS? The attacker is using fear to motivate the target to act. Because no health insurance provider is mentioned by name, you can assume this text has been sent to a large pool of targets. Legitimate organizations will never ask you to update your payment details via text. The text message contains a shortened link; the target can’t see the URL of the website they’re being led to. Of course, knowing what these opportunistic phishing emails look like is just the first step. Actually knowing what to do if you’re targetted is what’s really important. What to Do If You’re Targeted  If anything seems unusual, do not follow or click links or download attachments. Instead, visit the brand’s website via Google or your preferred search engine, find a support number, and ask them to confirm whether the communication is valid. If the email appears to come from someone you know and trust, like a colleague, reach out to the individual directly by phone, Slack, or a separate email thread. Rest assured, it’s better to confirm and proceed confidently than the alternative.  If you’re an employee who’s been targeted, contact your line manager and/or IT team. We’ve all heard the phrase “prevention is better than cure” and phishing attacks are no exception. While knowing what to do if and when you’re targetted is incredibly valuable, it’s also important that both individuals and organizations know how to avoid being impersonated in the first place.  How to Avoid Being Impersonated For those of you who are working remotely or are otherwise Out of Office, don’t include any personally identifiable information (PII) in your automated emails or on social media. For example, don’t provide your personal mobile number or email address. Don’t tell people to email a colleague in your absence; this information helps bad actors map connections and relationships within an organization, which can be used to make future phishing emails seem more convincing. Hackers can use this to their advantage to target your colleagues. Organizations should implement SPF, DKIM, and DMARC to help prevent hackers from directly spoofing their domain.   Both brands and senior leadership should advise customers and employees what they will and will not ask for via email, phone, or text. People will then have a better sense of what requests are out of the ordinary and therefore suspicious.  As we continue sharing best practice tips with our employees to keep them secure while working remotely, we’ll share them with you, too. Check back on our blog for the latest updates.
Human Layer Security Spear Phishing
Hacker’s Advice: 7 Tips for Avoiding Phishing Scams
09 March 2020
The final speaker at Tessian’s first Human Layer Security Summit was Glyn Wintle, the CTO and co-founder of Tradecraft (formerly DXW Cyber), a security consulting agency that uses social engineering tactics, technical work, open intelligence sources, and attacks on physical locations to breach clients’ systems. In other words, he’s an ethical hacker, although he prefers “friendly hacker”.  During his presentation, he explained how hackers combine psychology and technical know-how to create highly targeted and highly effective phishing attacks on people. Based on his insights, we’ve put together 7 tips to help you avoid social engineering schemes like phishing attacks.
1. Don’t Underestimate Hackers or Overestimate Your Ability to Spot a Phish Glyn started his presentation with one clear and concise statement: Breaking in is easier than defending. And, he’s right.  Attacks like phishing emails rely on power in numbers, meaning that only one person has to follow a link, click an attachment, share personal information, or make a bank transfer for the hacker to be successful.  Interestingly, though, employees tend to be incredibly confident in their ability to spot phishing emails; only 3% of people think it’s difficult to spot a phish. The general consensus, especially amongst employees at organizations where security awareness training is required, is that “only idiots fall for scams”.  While that may be the case with the more blatantly obvious scams – for example, an email coming from a Nigerian Prince claiming they’d like to share their fortune with you if you share your bank account details – hackers have an arsenal of techniques to dupe even the most discerning eye. This is especially the case in spear phishing attacks where hackers might spend days or even weeks researching their target to craft a perfectly believable email. With social platforms like LinkedIn, they can easily uncover not just a company’s organizational structure, but more timely information about individuals like when they’re attending a conference. This is powerful ammunition for a spear phishing attack. 2. Look Out for Both Emotive and Enterprising Scams People tend to be familiar with phishing and spear phishing attacks that rely on an emotional response – fear, urgency, stress – often triggered by an email that appears to be sent from a person in power. They work, really well. But enterprising scams are just as powerful.
Glyn cited an example in which a company made a public announcement that it recently received VC funding. Based on the press release, a savvy hacker contacted the Venture Capital firm impersonating the company. The hacker was able to create a convincing email relationship with the Venture Capital firm and this trust enabled the hacker to successfully get the VC to transfer the funds into their account.  People sometimes mistakenly think the solution to this is to hide all information. But often there’s a reason why information was and is made public. Making sure people know what information is public or not can help. 3. Relying on hyper vigilance isn’t enough People – especially in work environments – tend to move and work quickly. Because of that, and despite training, they might not think twice about irregularities in email addresses, URLs, or landing pages in pursuit of being productive. What’s more, expecting people to double check every thing will not work. They will not get any work done. Management must understand that people make mistakes; expecting them to be hyper vigilant at all times cannot be the solution. There are technical measures that can be used to warn someone that something abnormal is happening. Showing users who do have the privileges to do harmful things what real targeted phishing emails look like can help. But you must also find ways to make their lives easier. Telling them “this is really hard” then saying “best of luck”, is not setting them up for success. 4. Don’t take the “secret” bait If nothing else, hackers are inventive. Glyn cited one example where, instead of emailing a target pretending to be someone else, they’ll simply CC individuals into a conversation that genuinely has nothing to do with them. The email message will allude to a secret or piece of sensitive information; potentially with a malicious link to the alleged source or malicious attachment. It seems rudimentary but it works.  More often than not, the target will follow the link or attachment, thinking they’re gaining access to something highly confidential. In reality, they will have installed malware on their computer. 5. Beware of Urgent Requests and Reasonable Requests While a lot of hackers will use urgency to incite action, that’s not the only tactic they employ. In fact, a tried-and-tested technique according to Glyn is to request an action within two working days.  “If you’re impersonating a company and targeting employees, and you say something must be actioned within two working days, you will get much higher hit rates.”
6. Take Extra Caution on Your Mobile While mobile phones have no doubt made it easier for us to stay connected, they’ve also made it even easier for hackers to pull off successful phishing attacks given the smaller screens and differences in functionality, especially after hours. “I love mobiles. But if you’re targeting someone on mobile, the rules change. You probably want to do it on a Friday night, when alcohol might be involved, especially because the smaller web browser makes it hard to see who the sender is or tell what exactly the URL is.” But, it’s not smaller browsers that make mobiles risky. Smishing and vishing are also on the rise, meaning email isn’t the only threat vector to be weary of. 7. Implement a Security Solution While there are certainly steps individuals can take to prevent themselves from falling victim to a phishing scam, if organizations really want to protect their people, they have to implement security solutions.
#HumanLayerSecuritySummit20
Human Layer Security Spear Phishing
Tim Sadler on Hacking Humans Podcast: Episode 87 “The Art of Cheating”
28 February 2020
Tessian’s CEO and co-founder Tim Sadler joined Dave Bittner from the CyberWire and Joe Carrigan from the Johns Hopkins University Information Security Institute to talk about why email is so risky and inboxes remain dangerous territory. Listen to Hacking Humans Episode 87 “The Art Of Cheating.” Dave Bittner: Joe, I recently had the pleasure of speaking with Tim Sadler. He is from a company called Tessian. And we discuss the human element of cybersecurity, along with some details on some phishing schemes. Here’s my conversation with Tim Sadler. Tim Sadler: I think, for a long time, when we’ve spoken about securing people, we’ve always defaulted to training and awareness rather than thinking about how we can use technology to take the burden of security away from people. So I think there’s a challenge at the moment in that humans are unpredictable. They break the rules. They make mistakes. And they’re easily tricked. And that’s what’s leading to so many data breaches today that are ultimately caused by people and human error. Dave Bittner: And so the bad guys, knowing this, have adjusted their tactics. Tim Sadler: I think that’s right. I mean, if you think about email for an organization, it is an open gateway. So it is one of the only pieces of infrastructure an organization has where anybody can send anything into an organization without pre-approval. And I think that’s one of the reasons why we’re seeing such a high level of threat around phishing, spear-phishing, business email compromise, those kinds of attacks. It is the – really, the entry point for every attacker that wants to get into an organization today, and it’s so effortless to execute one of these scams. Dave Bittner: So what kind of things are you tracking? What are some of the specific campaigns that are popular these days? Tim Sadler: So I think, you know, we see everything from the well-known trends like the fact that, you know, it’s tax season and the W-9 form scam – so attackers putting malicious attachments in emails trying to get people to open them because, you know, it’s tax season, and that’s something that everybody is watching out for. And then some of the more interesting things that we’re seeing specifically are around attackers scraping LinkedIn data to automate attacks based on people moving jobs. So a new joiner to an organization will – you know, is – may have a higher propensity to be duped by a phishing scam. They won’t know the protocol that an organization has in place. So we’re seeing a lot of attacks that come through when people are new to an organization. It’s maybe in their first or second week, and then they’ll receive a spear-phishing email pretending to be the CFO or pretending to be the CEO, trying to dupe them into doing something and, again, use those techniques of deception and urgency on emails. Dave Bittner: Now, what about some of the more targeted campaigns – you know, things like spear-phishing, even – you hear it referred to sometimes as whaling, where they’re targeting high-level people within organizations?
Tim Sadler: And actually, you can – for attackers, it is fairly scalable to do this. You can build a LinkedIn scraper. You can be pulling names. And you can be automating the purchase of domains that look like legitimate domains but, in fact, aren’t. And then you can automate the sending of those emails into organizations. And, you know, the rewards from doing this kind of thing can be enormous for attackers. So I read about that charity in the U.K. this morning who fell victim to a spear-phishing scam where they lost almost a million dollars over three transactions. So it is a huge, huge payoff for these attackers when they actually – you know, they get their target to do the thing they want them to. Dave Bittner: What are your recommendations for organizations to best protect themselves? Tim Sadler:  So I think, you know, it does start with awareness. You have to make sure that employees are aware that their inbox is dangerous. And they need to pause, if only for five seconds, just with every email they get and do some basic checks. So check, who is this email from? Does the domain look legitimate? Tim Sadler: But really, what is extremely difficult is, for most organizations today, their entire security strategy is reliant on their employees doing the right thing 100% of the time. So if you are only relying on security training and awareness, there are going to be things that creep through. There are going to be attacks that are successful. And in the same way that organizations use advanced technology to secure their networks and secure their devices, we believe that organizations today need to be using advanced technology to secure their people. Dave Bittner: Well, how does that technology play out? What sort of things are you describing here? Tim Sadler: In order to secure people – so again, we come back to this point that people are unpredictable. They break the rules. They make mistakes, and they’re easily hacked. A system needs to understand the normal patterns of behavior that a person exhibits on email in order to understand what looks like a security threat and what looks like a normal email. So what organizations can do is they can use a platform – like Tessian, for example – that uses machine learning to analyze historical email patterns and behaviors to understand, on every incoming email, does this email look legitimate or not? And that’s something that we’ve pioneered and we use and is much more effective than some of the traditional approaches, which use rules or policies to control the flow of inbound email. Dave Bittner: You know, it reminds me of a story that a colleague of mine shared with some friends who work for a nonprofit. And they got an email from the chief financial officer, who had just gone on vacation, and it said, I know; I realize I’m out of town, but I need you all to transfer this large sum of money, and I need it done immediately; you know, please don’t let me down. And to a person, they all said, this is the last thing in the world this person would ever say or do. And that tipped them off to the problem. It sounds like – I mean, that’s a similar thing to how you’re coming at this from a technological point of view or looking – making sure that the behavior isn’t anomalous. Tim Sadler: Yeah, that’s exactly right. We use machine learning in the way that it’s been applied to other fields – for example, credit card fraud detection. You look at their normal spending patterns and behaviors on card transactions, and then you use that intelligence to then spot the fraudulent transactions. And that’s what we’re doing. We’re looking at normal email behavior in order to spot the fraudulent email behavior. And in the same way that you would try and train a person to look out for the unusual aspects of an email that may give a clue as to whether it’s a phishing email or not, you can train a machine-learning algorithm to do the same. Tim Sadler: Now, the difference and the advantage to doing this is that a machine-learning algorithm can traverse millions and millions and millions of data points in a split second, whereas a human is only going to have a limited number of data points that they can remember or they can go back to in their mind. Dave Bittner: Where do you suppose we’re headed with this? As you look towards the future and this problem with email continues to be an issue, do you suppose the types of things that you’re offering here are going to become just a standard part of doing business? Tim Sadler: I think it’s critical that organizations today realize that their security strategy cannot be reliant on training people to do the right thing 100% of the time. And again, it comes back to – at the beginning of my career, I was working for one of the world’s largest banks and saw a massive problem, and that is that banks spend millions of dollars on securing their networks and devices using advanced technology, but they completely neglect the security of their people. So instead, they’re relying on training them to do the right thing 100% of the time. And that, obviously, doesn’t work. Tim Sadler: I saw people who would send highly sensitive information to completely the wrong person. They would email documents to their personal email account, or they would fall for phishing scams. So we thought this was a huge problem that needed solving, and that’s why we built the product that we’re building today – because we believe that in the same way you have a firewall for your network and you have an EDR platform for your devices, we believe you need a human-layer security platform to protect your people. Dave Bittner: All right. Interesting stuff. Joe? Joe Carrigan: Yeah. A couple things stick out to me. One, your inbox is dangerous, and Tim does a really good job of describing why that is. He calls it an open gateway because anyone – literally anyone – can use your inbox.
Spear Phishing
How to Prevent and Avoid Falling for Email Spoofing Attacks
By Maddie Rosenthal
25 February 2020
Email spoofing – also known as a domain spoof or direct spoof –  is a type of phishing attack in which an attacker sends an email that appears to be from a legitimate source. These emails are sent with the intention of tricking the target into following a link, downloading an attachment, or performing some other kind of action that will result in the attacker capturing login details or other sensitive information like their banking or credit card information. While some spoofed emails may be flagged by inbound security solutions, they’re often mistaken for legitimate emails, which can lead to serious consequences for both individuals and businesses. This blog explores how and why email spoofing works, how to identify spoofed emails, and what you can do to protect yourself and your organization from such attacks. What does a spoofed email look like? While email impersonation attacks often rely on imperceptible misspellings, spoofed emails appear to be sent from the real domain, look genuine to most users, and can bypass spam filters and security tools.  For example, a bad actor might craft an email that appears to be “from” a well-known courier service, which for the purposes of this example doesn’t have DMARC set-up. The email will claim there was a problem with your delivery and that you must follow a link to log in and confirm your details. Savvy people may look for Display Name impersonations, but, because it’s a domain spoof, they won’t notice any inconsistencies. 
And, if such an email is sent to many thousands of users (which is one of the techniques hackers use when sending phishing emails) this increases the chance that at least one recipient will be expecting a delivery from the spoofed courier, and, because of that, the target may do what the email instructs.  Incidents of email spoofing  Email spoofing is on the rise.  The FBI’s 2019 Internet Crime Report states that the agency received complaints of spoofing attacks from over 25,000 victims last year alone, making it the fifth most popular form of cybercrime. The total loss reported from these victims was over $300,000,000. How does email spoofing work? Email spoofing attacks can be successful simply because people assume that the information in email headers – specifically about where the email comes from – is trustworthy. The reality is that the original protocols that still underpin email, such as the Simple Mail Transfer Protocol (SMTP), were never designed to authenticate the sender information.  In other words, there is no inherent way to confirm that an email comes from the email address specified in the Sender parameter in the email header. When an email is sent, the initial connection to the receiving mail server contains two parameters, MAIL FROM and RCPT TO, which specify the address the email is sent from and to, respectively. These parameters are commonly known as the “envelope” of the email. However, there are no default checks on the MAIL FROM parameter to ensure that the connecting mail server is authorized to send emails on behalf of that domain. Therefore, if the RCPT TO parameter is correct, the receiving server indicates it will accept the email and the sending server proceeds with the rest of the email, including the From, Reply to, and Sender header items, which are similarly not checked by default. Therefore, an attacker with the right tools at their disposal can easily create and send emails as if they were someone else. This is not hard to achieve, and there are many tools available for them to do this. They can also create a legitimate seeming link in the email that, if followed, will take the recipient to a server under the attacker’s control. Spoofed emails from the attacker’s perspective The easiest way to explain how an attack might unfold is to explain it from the attacker’s perspective. Example scenario: An attacker of moderate skill decides to launch a phishing attack on a company. The attack takes the form of an email asking the recipient to read and indicate acceptance of a company security policy update; this will be a document attached to the email. The file itself will contain malicious code, which will give the attacker a foothold on the machine of anyone who opens it. Target: Copper Duck, a finance company. Copper Duck hasn’t configured DMARC, nor does it have other protections in place. Objective: The attacker’s aim is to run malicious code on Copper Duck machines, in an attempt to gain information on the company network that will uncover further vulnerabilities and also capture usernames and passwords. The ultimate goal is to gain access to Copper Duck’s sensitive financial and personal data. Research: The attacker researches Copper Duck, and from publicly available information discovers that it has not registered its domain – @copperduck.com – with DMARC. They also search for Copper Duck email addresses in public repositories so they can copy the header and footer information. Additionally, they’ll look for any other information, such as employee names and job titles on LinkedIn, which could help them target the attack and create a believable email.  Attack preparation: The attacker can obtain phishing kits and code suited to their purpose on the dark web. There are many such kits, and while it only takes moderate skill for an attacker to launch a phishing attack, these make it even easier. They compile a list of email addresses to target, sometimes from addresses discovered in the public domain, or by making informed guesses. For example, if the attacker has a number of addresses in the form [email protected], it’s likely that other employee addresses follow the same format. Once they have the list, the attacker creates the phishing email and the attachment file containing the malicious code. Because Copper Duck has not implemented a method to protect their domain from spoofing, the attacker can easily forge the Sender and other information in the email header. The attack: The emails are sent early in the morning on a weekday, to arrive shortly before employees begin working their way through their inboxes.  Every employee who clicks the link and opens the document will activate the malicious code it contains. It runs on their machine, and sends any sensitive data it can find back to the attacker. Even if not every employee clicks through, there is a good chance that at least one will. One is all it takes for an attacker to gain a foothold in the network. Bonus: The time of day an email is sent is one of many important factors that attackers may consider; there are several instances where an employee’s ability to make the right cybersecurity decision may be impaired. Read the full report here. What if there are protections in place? If Copper Duck used DMARC or a mail application that scanned attachments for malicious code, this would make life more difficult for the attacker, but not impossible. As previously mentioned, they could register a domain almost identical to that of Copper Duck (for example, copper-duck.com or coppperduck.com), and prompt the user to follow a link to a server under their control instead. However, protections like DMARC only stop spoofs of your domain; it won’t protect against all spoofs you might receive (for example, a spoof of one of your suppliers). This means you have to be vigilant both as a consumer and an employee when it comes to protecting yourself from these types of attacks. What can you do to protect yourself from email spoofing attacks? Phishing attacks employing spoofed emails are inevitable. So how can you spot them, what should you do when you’re targeted, and how can a business protect itself against the threat they pose? As a private individual… Watch for emails that try to instill a sense of urgency in the reader. Attackers often rely on inspiring fear or worry to try to get their targets to act in the way they want Try to get into the habit of reading emails thoroughly and exercise caution, especially if they contain a call to action, such as following a link, downloading an attachment, or sharing sensitive information If you have any reason to doubt an email’s legitimacy, such as poor spelling or an unusual tone of voice, check the email address it’s sent from, not just the Sender field or Display Name Also check  any links the email contains for grammatical errors or suspicious URLs Perhaps most importantly, do not open attachments or follow links that prompt you to log in unless you are absolutely sure they are legitimate. In the case of links, you’re better off searching for the organization and following links directly from their website As an employee… In addition to all of the precautions listed above, you should report suspected phishing attacks through the normal channels, such as your system administrators or IT helpdesk If you suspect you have fallen victim to a phishing attack, again, report it as soon as possible. Everyone makes mistakes, and the better phishing attacks can be hard to spot. The quicker you report it, the better the chances are of remediating the situation. For IT and security teams, oversight is essential  As a business… Set up proper DMARC records with a quarantine or reject policy, and use other protections such as SPF to help identify spoofed emails before they arrive in your inboxes  Train your employees to spot phishing emails by sharing information with them, such as this article Actively encourage employees to report the attacks. It is especially important that they feel they can come forward if they’ve fallen victim to one, without fear of blame. This is why creating a positive security culture is paramount. Unfortunately, though, DMARC, training, and a positive security culture simply aren’t enough. Cybersecurity strategies have to account for the fact that DMARC doesn’t stop bad actors from domain lookalike impersonations, training is ineffective long-term, and people won’t do the right thing 100% of the time.  To combat the threat of email spoofing, security teams should also deploy enterprise-level security applications to identify and block phishing attacks, such as Tessian Defender. What is Tessian Defender? Tessian Defender is powered by machine learning (ML). By learning from historical email data, Tessian’s ML algorithms can understand specific user relationships and the context behind each email. This allows Tessian Defender to not only detect, but also prevent a wide range of advanced phishing scams, including email spoofing attacks. To learn more about how tools like Tessian Defender can prevent spear phishing attacks, speak to one of our experts.
Spear Phishing
Phishing vs. Spear Phishing: Differences and Defense Strategies
13 February 2020
On average, 246.5 billion emails are sent and received every single day. Of those, 6.4 billion will be “fake”. People use email to communicate with brands like Netflix and Booking.com to confirm subscriptions or make reservations, and employees communicate on a loop with suppliers, vendors, and colleagues to schedule meetings, make payments and share data. The bottom line: email is an essential part of our daily personal and professional lives. It’s no surprise, then, that email remains the most popular channel for cybercriminals to target victims through email scams like phishing or spear phishing attacks. What is the difference between phishing and spear phishing? There are three key differences between phishing and spear phishing. Phishing attacks are high-volume, most often targeting hundreds or thousands of people while spear phishing attacks are low-volume, meaning only one person or a small group of people are targeted. Phishing attacks are non-personalized while spear phishing attacks are highly personalized. Phishing emails more often employ malicious links or attachments (called “payloads”) to deliver malware or capture sensitive information, while spear phishing emails don’t always carry payloads; these are called “zero-payload attacks”.
What is phishing? Phishing is one of the oldest, most prevalent, and most disruptive cyber attacks in the world. For some perspective, we’ve seen a 250% increase in the frequency of phishing attacks from 2018 to 2019. Likewise, we’ve seen the cost of the average data breach climb to $3.92 million and – you guessed it – phishing attacks are the number one cause of these breaches. Phishing attacks rely largely on impersonation – often of trusted brands – to obtain money or sensitive information from unsuspecting targets or to install malware on their computers. While it may come as a surprise, it’s likely that at some point, most of us have actually been a target, whether via our personal email accounts or business email accounts. These attacks have even evolved past email, with bad actors now using telephone and SMS as entry vectors. This is referred to as smishing. Don’t think it could happen to you? Over the last several years alone, customers of big brands like Amazon, Apple, and Microsoft have all been targeted, impacting millions of people. This is, of course, in addition to the more blatantly obvious scams in which Bill Gates, Donald Trump or a Nigerian Prince offer to share their fortune with you. Surprisingly, many of these scams aren’t particularly sophisticated and require little technical know-how from attackers. Instead of relying on the quality of the scam, phishing attacks target large numbers of people to increase their odds. The logic: more targets equal more opportunity for success.
Looking at the email above, you’ll see that the email appears to be sent from FedEx Customer Service, the greeting is generic and un-personalized, and the content of the message – from the subject line to email body – motivates the user to act. Of course, the link won’t lead to an authentic page. Instead, it will lead users to a look-a-like page. While this page will contain branded elements that resemble the genuine FedEx site, any information inputted will be collected by the scammer, not FedEx. Just like that, a crook can have access to your personal data. It’s important to note, though, that it’s more likely that only someone who was actually expecting a delivery from FedEx will follow the link and enter information like their name, address, or phone number in order to arrange a new delivery time. Attackers know this, hence why an email like this will have been sent to hundreds or even thousands of people. Remember: more targets equal more opportunity for success. But, not all cyber attacks are bulk in nature; spear phishing is highly targeted and extremely difficult to detect.
What is spear phishing? Like phishing attacks, spear phishing attacks rely on impersonation to obtain money or sensitive information or install malware. But, instead of using generic email content and the front of a trusted brand, bad actors will use personalized correspondence to manipulate targets into transferring money, handing over sensitive information, or granting access to an otherwise secure network. Because of the personalized nature of these emails, they are not sent to hundreds of people. Instead, they’re sent to one person or a small, targeted group like a specific department within an organization, oftentimes “from” a source that’s trusted by the target(s) like a supplier, a line manager, or CEO. Whereas a phishing scam simply requires a believable email template, potentially a look-a-like landing page or an infected attachment, a successful spear phishing attack requires more effort. Given the personalized nature of a spear phishing email, a cybercriminal will have to do a bit of due diligence to ensure the email is believable and therefore effective.
Looking at the example above, we can see how a spear phishing email resembles a phishing email. The sender is impersonating someone else, in this case, Tom Adams, a senior employee at Dorling Clayton. Likewise, there’s a clear call to action that motivates the user to act. There are noteworthy differences, though. To start, the email is highly personalized. The target is addressed by name and the sender demonstrates a lot of knowledge related specifically to Laura’s organization and, it would seem, Tom Adams himself, including conferences he’s speaking at and organizations within his supply chain. What’s more, the attacker is leveraging Tom’s senior position within the company to coerce the target to act quickly. If you got an email with an urgent request from a Senior Partner, what would you do? A savvy recipient may notice that the sender domain looks suspicious. But, it’s rare for people to scrutinize sender domains and almost impossible for them to do so on mobile phones – where a lot of us send and receive emails – because the domain is usually hidden, with only the display name visible.
Under pressure to perform, many people would pay the £11,522 into the account requested without asking any questions. Unfortunately, this swift action would be bad news for Dorling Clayton as the money would be delivered to a scammer, not SoBank. This is a classic example of CEO Fraud.
Defense strategies for phishing Because phishing schemes have been around since the mid-90s, there are a handful of solutions for both consumers and businesses that can help decrease the number of fraudulent emails that land in your inbox. These include the following: Spam Filters: Created and installed by Email Service Providers (ESPs) like Gmail, spam filters sort incoming messages based on a programmed set of rules. Emails with known viruses or sent from blacklisted domains will either be automatically redirected from your inbox into a junk folder or won’t be delivered at all. Think of this as your first line of defense. Secure Email Gateways (SEGs): A step above spam filters, SEGs are optimized for better spam detection and have therefore historically been an important part of  business’ security framework, in particular for large-scale bulk email detection. Training: Whether done via regular phishing simulations or cybersecurity awareness sessions, training is invaluable for both individual employees and the larger organization. After all, it is people who are controlling all of our data and networks. Email Authentication: In order to prevent direct impersonation of an organization’s domain, the organization can enforce a DMARC policy. Unfortunately, though, only 51% of Fortune 500 companies have adopted this email-authentication standard. These solutions certainly help mitigate risk, but millions of phishing emails evade detection by filters and gateways and dupe well-trained people everyday. That means individuals must still be vigilant in inspecting emails before downloading an attachment, clicking a link, or otherwise divulging sensitive information. To stay safe on email we recommend that you: Review the email address of senders and look out for impersonations of trusted brands, including display name impersonation and domain impersonation. Always inspect URLs in emails for legitimacy by hovering over links before clicking on them Pay attention to differences – that may be very subtle – in website content if you follow a URL after inspecting it Never divulge personal information if you don’t trust or recognize the sender or if you have any doubts about the legitimacy of the email. Genuine brands generally won’t ask you to share sensitive personal information via email. If you’ve been prompted to, investigate and contact the brand directly, rather than hitting reply Interested in learning a bit more? Click here for more information on how to identify and prevent phishing attacks.
Defense strategies for spear phishing The very nature of spear phishing attacks – low-volume, high-personalization, and often zero-payload – means that they’re even more difficult to spot and prevent than phishing attacks. Unfortunately, though, many businesses are employing the same tools and techniques to protect their employees against these more targeted variants. The problem? Impersonation can be nearly impossible for people and rule-based technology to detect when bad actors put a great deal of effort into researching their target and the people or companies they impersonate. An individual or tool would require an in-depth understanding of the minutiae of human relationships within a particular company and advanced knowledge of common impersonation techniques to detect this type of threat. That’s a tall order. While SEGs might reject or flag emails sent from well-known domain impersonations, they can struggle to detect complex variants or domain spoof. Employees – armed only with some security training at best – are then left as the last line of defense. And, with average click through rates of spear phishing attacks at 10% – this can put a business’ people, data, and systems at risk.
How can machine learning detect impersonation? To manage the problem of sophisticated impersonation, businesses need to invest in machine learning (ML) tools like Tessian Defender. Trained on historical email data, Tessian Defender understands a company’s complex network of relationships and the context behind each email. This way, it’s able to detect a wide range of impersonations, from obvious payload-based attacks to subtle social-engineered ones. By analyzing hundreds of data points – from the language patterns in an email to the domain and IP address contained in the header, among others – Tessian’s explainable ML algorithms successfully prevent spear phishing attacks by flagging anomalous emails to users with clear, educational warnings. A warning will look something like this: Notice what’s been flagged as suspicious about the email: the domain, the reply-to address, and the language. The user is then empowered to make a more informed decision about how to interact with the email, and administrators have oversight into which employees are targeted by these inbound attacks and whether or not they’re heeding the warning. While Tessian Defender can and will help protect employees from spear phishing attacks and help organizations monitor trends in activity, it’s important to understand from the outset whether or not you’re an especially susceptible target.
Who is most likely to be targeted by a spear phishing attack? When you consider the aim of a spear phishing attack – to steal data or money or infect a network with malware – it’s not surprising who the most likely targets are. They’ll tend to be those people with more privileged access to all of the above as well as those most embedded in supply chains. Here are some of the most targeted departments: Finance Human Resources Operations Legal Of course, with so much information available online through a company’s website, press releases, and social media like LinkedIn, cybercriminals can craft an email that could fool anyone, from any department. New joiners tend to be especially vulnerable targets in Business Email Compromise or CEO Fraud because they may be unfamiliar with an organization’s processes and may be particularly keen to impress the colleagues or customers bad agents often impersonate. High-ranking employees, high-risk With that said, though, even the most risk-aware individuals can be duped, depending on when the email is sent, the tone in which it’s delivered, and who the perceived sender is.  For example, whaling scams are targeted specifically at C-level executives because they simultaneously have their attention divided across many parts of the business and have access to significant amounts of sensitive information. That, combined with busy schedules and a tremendous amount of pressure, means that critical mistakes can – and have – happened. In 2018, film company Pathé lost more than €19m after an attacker posed as the company’s CEO and asked another senior executive to wire funds to a fake account.
Ever-evolving threats to hack the human Cybercriminals are using increasingly sophisticated techniques to trick unsuspecting people into handing over sensitive information or granting access to controlled networks, and it’s imperative that organizations stay ahead of the curve. After all, just one successful spear phishing attack can result in the extraction of millions of dollars, devastating data loss, and incalculable reputational damage. Prevent spear phishing attacks in your organization with Tessian Defender To learn more about how organizations across industries are using Tessian Defender to prevent sophisticated, highly-targeted spear phishing attacks, read some of our customer success stories here. For more information about how Tessian can be quickly and easily deployed to Office 365, Exchange, and G-Suite to protect your people, data, and networks all without disrupting workflow or impeding on productivity, request a demo now.
Page