What is an Integrated Cloud Email Security (ICES) Solution?
21 January 2022
In recent years, the shift away from on-prem email platforms to cloud-based platforms has been dramatic, with Gartner estimating that 70% of organizations now use cloud productivity suites like Microsoft 365 and Google Workspace. But as email migrates from legacy on-prem deployments to the cloud, securing these cloud-based services becomes the next big challenge. Cloud productivity suites now include traditional SEG security capabilities natively. Do stand-alone SEGs still have a place in this rapidly evolving reality?

This article looks at the who, what and why of Integrated Cloud Email Security (ICES) solutions: what they are, the benefits of using them, and how best to evaluate those on offer.
What is an Integrated Cloud Email Security (ICES) Solution?

The term ‘Integrated Cloud Email Security (ICES)’ was coined in the Gartner 2021 Market Guide for Email Security. ICES solutions were introduced as a new category, positioned as the best defense against advanced phishing threats that evade traditional email security controls.

ICES solutions are cloud-based and use the email provider's APIs to detect anomalies in emails with techniques such as natural language understanding (NLU), natural language processing (NLP) and image recognition. Because they connect through API access to the cloud email provider rather than sitting in-line, they deploy much faster and reach time to value sooner, analyzing email content without any change to the domain's Mail Exchange (MX) record. The trade-off is that an API-integrated tool sees a message only once the provider has accepted it, so an evaluation should establish whether analysis happens before the message reaches the user's inbox or relies on post-delivery removal.

Taking it one step further, ICES solutions can also provide in-the-moment prompts that reinforce security awareness training (SAT), and are able to detect compromised internal accounts. In the report, Gartner reflected on the future of ICES solutions, suggesting that they would eventually render SEGs redundant:

“Initially, these solutions are deployed as a supplement to existing gateway solutions, but increasingly the combination of the cloud email providers’ native capabilities and an ICES is replacing the traditional SEG.”
Gartner predicts that by 2023, at least 40% of all organizations will use built-in protection capabilities from cloud email providers rather than a secure email gateway (SEG). But why? In short, legacy SEGs are no match for the cyber threats of tomorrow. Email delivers around 96% of phishing attacks, making it the greatest threat vector. In the 12 months between July 2020 and July 2021, Tessian detected 2 million malicious emails that had bypassed SEGs. So why are traditional SEGs not fit for today’s cybersecurity landscape?
Rule-based approaches don’t cut it

SEGs were developed in 2004 with on-premise email servers in mind and use a rule-based approach to threat detection. They rely on deny lists, allow lists, content signatures and sender authentication checks to stop attacks, with the lists built from threat intelligence. They are reactive by design, protecting against threats that are already known. This means that SEGs offer little protection against zero-day attacks (a significant and growing threat vector) and are readily evaded by attackers using advanced social engineering campaigns. SEGs also routinely fail to detect business email compromise (BEC), account takeover (ATO) and advanced spear phishing attacks, none of which need a known-bad sender, attachment or URL to succeed.
The migration to the cloud

More and more, organizations are adopting SaaS offerings like Microsoft 365, which have SEG capabilities natively included. This shift was well underway before the pandemic and has since accelerated, with the data suggesting that ICES solutions are here to stay and will displace SEGs from the cybersecurity stack. The rise of Microsoft 365 and Google Workspace and the move away from SEGs comes as no surprise, given the functionality now available at the platform level, which can include:

Blocking emails from known bad senders
Scanning attachments with AV
Blocking emails with known bad URLs
Content analysis to identify spam

Given these native SEG-like capabilities in cloud productivity suites, an ICES solution is the natural supplement for comprehensive email protection. ICES solutions are effective because, used in combination with SaaS offerings like Microsoft 365, they provide protection against many of the threats SEGs fail to detect.
What are the benefits of ICES solutions?

ICES solutions offer more than just threat detection. Key features can include:

BEC and ATO attack detection using NLU, NLP, social graph analysis and image recognition
Context-aware banners to warn users
Phish reporting
Mail Security Orchestration, Automation and Response (MSOAR) capabilities to assist in automatic reclassification of emails and removal from inboxes
How to evaluate ICES vendors

The number of ICES solutions on the market is continually growing. There are a few key things to consider when evaluating which ICES solution to use. Compare your current email security framework with your end goal and analyze the following elements:

Time-to-value and return-on-investment time horizon
Cost of effort to install and manage
False positive rate
ML- and AI-based technology to detect advanced social engineering attacks, including BEC and ATO
Ability to analyze and map conversation history
Computer vision to analyze suspicious data and links in emails
User education controls to reinforce training, including context-aware banners and/or in-line prompts
Ability to analyze emails prior to delivery to the end user
API integration of email events into Extended Detection and Response (XDR) or Security Information and Event Management/Security Orchestration, Automation and Response (SIEM/SOAR) solutions

Still struggling to decide? The 2021 Gartner Market Guide for Email Security contains further information on ICES vendors, including Tessian.
Why choose Tessian?

Tessian was recognized as a Representative Vendor for Integrated Cloud Email Security (ICES) in the 2021 Gartner Market Guide for Email Security.

What sets Tessian apart from other ICES solutions is its combination of advanced email security and email data loss prevention (DLP) capabilities, including:

Advanced Spear Phishing Protection
Advanced Attachment and URL Protection
Internal Impersonation & CEO Fraud
Advanced Spoof Detection
Counterparty & Vendor Impersonation
Brand Impersonation
External Account Takeover
Invoice Fraud
Bulk Remediation
Automated Quarantine
Threat Intelligence

Tessian also offers protection against both malicious and accidental data loss, along with in-the-moment security awareness training for suspected phishing emails and in-the-moment security awareness notifications.
To summarize, there are four key Tessian differentiators:

Threat prevention: Tessian protects against both known and unknown email attacks, including business email compromise, account takeover, spear phishing and impersonation attacks that bypass SEGs, Microsoft 365 and Google Workspace. Protection also includes class-leading email DLP.
Education and awareness: With Tessian’s in-the-moment training, organizations can educate and empower users to build continuous email security awareness.
Reduced admin overhead: Tessian removes the burden on the SOC and admins by automating repetitive triage and review tasks. This reduces the need for manual verification of email threats, lowering FTE requirements.
Data-rich dashboards: With Tessian, security teams have clear visibility and the ability to demonstrate ROI.

To find out more about Tessian as an ICES solution, and the key findings listed in the 2021 Gartner® Market Guide for Email Security, see the guide itself.
Five Benefits of Automated Email Security Reporting
By John Filitz
21 January 2022
One of the leading challenges cybersecurity and risk leaders face is demonstrating the return on investment (ROI) of the security tools deployed in their environments. Easy access to data-rich cybersecurity metric reporting is increasingly a differentiator between best-of-breed cybersecurity solutions and the rest.

At a tactical level, and in a crowded cybersecurity stack, cyber metric reporting helps security leaders determine whether a deployed tool is having the desired effect, i.e. reducing cybersecurity risk. It also plays a key role in annual budget justification, an especially relevant consideration within the first 12 months of a tool’s deployment or at contract renewal.

At a strategic level, with cybersecurity risk increasing, being able to report relevant cyber risk metrics on demand is essential for cybersecurity and risk leaders.

Regular, easy-to-understand cyber risk metric reporting is fundamental for garnering executive- and employee-level support for cybersecurity initiatives, and plays a key role in improving an organization's security culture and posture.
Tessian automated reporting: visibility on ROI

We know CISO time comes at a premium, and it shouldn’t be spent validating past procurement decisions. That is why we engineered our reporting platform with the CISO in mind, while also making it accessible to the non-security professional.

The latest automated reporting release from Tessian lets security leaders stay focused on their core tasks by delivering rich insight on demand.

The reporting capability extends across all of Tessian’s modules: email security and data loss prevention (DLP).
Here are 5 benefits of Tessian’s automated email security metric reporting

1: Save time with automated reporting. Reporting email-related incidents and associated risk to leadership is a core task for every security leader. On average, organizations spend up to 600 hours per month dealing with employee-related email security incidents, with 40% of organizations reporting 10 or more incidents per month. Tessian's automated email security risk reporting allows cybersecurity and risk leaders to stay focused on their main job of keeping their organizations safe and secure, without the need for manual reporting.

Figure: data from our Lost Hours report, showing what CISOs spend too little, and too much, time on.

2: Employee-level email security risk distilled. At a glance, security leaders can see how email cybersecurity risk is trending over time, down to the employee level. This includes the total number of inbound and outbound emails analyzed, as well as insight into threat vectors such as phishing attacks, data loss, and security awareness.

Figure: an example report showing the total number of emails checked, risk drivers, and inbound attack highlights.

3: Deep reporting insight on every module. Cyber metric reports are often diluted and not very useful. Granularity of threat intelligence reporting is at the core of Tessian’s automated reporting, providing module-specific insight. For example, for the Tessian Enforcer module that prevents data exfiltration, reporting details include the total number of sensitive events, the severity of those events, and insight into the user experience.

Figure: in this view, admins can see analysis of outbound emails, including exfiltration attempts, and how users are interacting with Tessian warnings.

4: Accessible, forensic-level threat intel with actionable insight. The reporting capability includes data-rich, actionable insight into the types of email-delivered attacks and threats thwarted, presented in user-friendly reports. Report recipients can also dig deeper into specific threat events documented in the report.

Figure: in this view, types of accidental data loss can be monitored, alongside a review of your custom policies.

5: Automated reporting. Reports are available on demand or can be delivered to any employee on the recipient list on a weekly, monthly or quarterly basis, and recipients can download the PDF report for a specific module (or any of the Tessian modules). Reports can be generated to go to key stakeholders automatically.
Client feedback on the new automated reporting capability has been overwhelmingly positive, with consensus that it takes the pain out of reporting and allows security and risk leaders to focus on their core tasks: keeping their organizations safe and secure.
By providing intuitive insight into cybersecurity risk mitigation measures, it is also playing an integral role in improving the security culture and hardening the security posture of clients’ organizations. Automated reporting is one more reason why you need Tessian in your environment.
Why Enterprises Are Replacing Their SEGs With Microsoft and Tessian
By John Filitz
14 January 2022
The advancing sophistication of cybersecurity threat campaigns has brought legacy cybersecurity tools into sharp focus. Built for an on-premise world, these manual, rule-based approaches are unable to ward off adaptive and increasingly intelligent attack methods.

On the other side of the coin are security leaders who are overwhelmed and overworked, largely because of the proliferation of threats combined with the tooling and staffing demands of managing their IT environments.

Tool sprawl is reaching levels that are simply impossible to manage. The average enterprise now has in excess of 45 cybersecurity tools deployed, and research shows that an excessive number of tools leads to a decline in security effectiveness.

The bottom line: increasing complexity warrants tool rationalization.

Keep reading to learn:

Why Secure Email Gateways (SEGs) have become redundant
The powerful capabilities (and shortcomings) of Microsoft
The benefits of replacing your SEG with Tessian + Microsoft
SEG redundancy

The effectiveness of legacy Secure Email Gateway (SEG) solutions is starting to receive due attention as email-related breaches continue to snowball. Depending on the statistic cited, the email threat vector accounts for anywhere between 80% and 96% of cybersecurity attacks.

Replacing SEGs represents a high-return, low-risk optimization opportunity, due to their declining security effectiveness and the high degree of redundancy in the enterprise.

SEG security effectiveness is declining for two reasons:

The majority of enterprises have adopted cloud-hosted productivity suites such as Microsoft 365, which natively provide SEG capabilities including malware, phishing and URL protection.
SEGs rely on static, rule-based approaches that are ineffective at safeguarding email users and data from advanced threats.

Once a threat actor bypasses the SEG, they effectively have unmitigated access to carry out their campaign. This can (and often does) include account takeover (ATO), deploying exploit kits or, more damagingly, delivering ransomware. And a SEG offers little protection against insider threats, a growing concern.
The powerful capabilities (and shortcomings) of Microsoft

Microsoft 365, which includes Exchange Online Protection (EOP) and Microsoft 365 Defender, provides a reasonable degree of email security that effectively makes the legacy SEG redundant. M365 on E5 licensing provides the following capabilities:

Anti-malware protection
Anti-phishing protection
Anti-spam protection
Insider risk management
Protection from malicious URLs and files in email and Office documents (Safe Links and Safe Attachments)
Message encryption
Audit logging
Quarantine
Exchange archiving
Microsoft alone, however, does not guarantee protection against advanced email threats. Significant gaps remain in Microsoft’s ability to protect against advanced social engineering campaigns that can result in business email compromise (BEC), ATO or zero-day exploitation. These shortcomings are reflected in Microsoft’s Service Level Agreement (SLA) exclusions, which for example exclude guarantees against zero-day exploits and phishing in non-English languages.

Microsoft + Tessian = Comprehensive security

This is where a next-gen behavioral cybersecurity solution like Tessian comes into play, providing advanced automated email threat detection and prevention.

With Tessian, no mail exchange (MX) records need to be changed. Tessian constructs a historical map of email behavior across the organization (who emails whom, how often, and in what context), and its algorithms then detect and prevent threats that Microsoft or SEGs have failed to detect, within 5 days of deployment.

This dynamic protection improves with each threat that is prevented and, unlike the static in-line nature of SEGs, provides 24/7 real-time protection against email-borne attack vectors, including insider threats. That is why leading enterprises are opting to displace their legacy SEG and augment Microsoft’s native security capabilities with Tessian.
Tessian Defender’s capabilities include:

Advanced Spear Phishing Protection
Advanced Attachment and URL Protection
Internal Impersonation & CEO Fraud
Advanced Spoof Detection
Counterparty & Vendor Impersonation
Brand Impersonation
External Account Takeover
Invoice Fraud
Bulk Remediation
Automated Quarantine
Threat Intelligence
No black box: threat visibility and intelligent risk mitigation

Beyond the cost and resource optimization realized by removing SEGs, Tessian clients see significant efficiency gains in the SOC thanks to a high degree of triage automation and a distilled view of the threats that matter: finding the needle in the haystack, in real time and in context.

For example, with one click, SOC analysts can bulk remediate high-volume phishing campaigns (aka burst attacks) targeting the organization as they happen. Suspicious emails are also automatically quarantined, with threat remediation context provided.

The platform provides a single pane of glass, giving security and risk leaders visibility of how cybersecurity risk is trending in their organization and the types of threats thwarted, down to individual employee-level risk scoring.
Context-aware security awareness training

Tessian's context-aware security capability extends to in-the-moment security awareness training for employees. Real-time security notifications flag suspicious and malicious emails as they are received, offer a clear explanation, and educate employees in real time. Most enterprises experience a 30% click-through rate (CTR) on simulated phishing exercises, including our clients prior to deployment. After deployment, Tessian clients see simulated phishing exercises return a CTR below 5%, illustrating the effectiveness of Tessian’s security awareness training.
Stopping threats, reducing complexity

Tessian enables security teams to focus on mission-critical tasks rather than manually and retroactively triaging security events that have already occurred. Legacy email security approaches relying on SEGs simply no longer have a place in an increasingly crowded cybersecurity stack. Leveraging Microsoft 365’s native capability together with Tessian presents an opportunity for security leaders to improve security while reducing complexity.
This is why according to a Tessian commissioned Forrester study, 58% of cybersecurity leaders are reevaluating legacy email security tools and approaches, and why 56% will be investing in behavioral email security solutions with automated detection capabilities.
Must-Know Phishing Statistics: Updated 2022
By Maddie Rosenthal
12 January 2022
The frequency of phishing attacks

Phishing is a huge threat and growing more widespread every year. 2021 Tessian research found that employees receive an average of 14 malicious emails per year. Some industries were hit particularly hard, with retail workers receiving an average of 49.

ESET’s 2021 research found a 7.3% increase in email-based attacks between May and August 2021, the majority of which were part of phishing campaigns.

And 2021 research from IBM confirmed this trend, citing a 2 percentage-point rise in phishing attacks between 2019 and 2020, partly driven by COVID-19 and supply chain uncertainty.

Cisco’s 2021 Cybersecurity Threat Trends report suggests that at least one person clicked a phishing link in around 86% of organizations. The company’s data suggests that phishing accounts for around 90% of data breaches. There’s an uneven distribution of phishing attacks throughout the year: Cisco found that phishing tends to peak around holiday times, with phishing attacks soaring by 52% in December. We’ve written about a similar phenomenon that typically occurs around Black Friday.

How phishing attacks are delivered

96% of phishing attacks arrive by email. Another 3% are carried out through malicious websites and just 1% via phone. When it’s done over the telephone, we call it vishing, and when it’s done via text message, we call it smishing.

The increase in phishing attacks means email communications networks are now riddled with cybercrime. Symantec research suggests that throughout 2020, 1 in every 4,200 emails was a phishing email. When it comes to targeted attacks, 65% of active groups relied on spear phishing as the primary infection vector, followed by watering hole websites (23%), trojanized software updates (5%), web server exploits (2%), and data storage devices (1%).
The most common subject lines

According to Symantec’s 2019 Internet Security Threat Report (ISTR), the top five subject lines for business email compromise (BEC) attacks were:

Urgent
Request
Important
Payment
Attention

Analysis of real-world phishing emails revealed these to be the most common subject lines in Q4 2020:

IT: Annual Asset Inventory
Changes to your health benefits
Twitter: Security alert: new or unusual Twitter login
Amazon: Action Required | Your Amazon Prime Membership has been declined
Zoom: Scheduled Meeting Error
Google Pay: Payment sent
Stimulus Cancellation Request Approved
Microsoft 365: Action needed: update the address for your Xbox Game Pass for Console subscription
RingCentral is coming!
Workday: Reminder: Important Security Upgrade Required
Research from Cofense suggests phishing emails are slightly more likely to contain a link to a malicious website (38%) than a malicious attachment (36%).

The most common malicious attachments

2021 Tessian research suggests that PDFs are the most common type of malicious file attached to phishing emails. This trusted and versatile file format can be used to hide phishing links, run JavaScript, and deliver fraudulent invoices.

SonicWall’s 2021 Cyber Threat Report suggests there was a huge jump in the number of malicious PDFs and Microsoft Office files (sent via email) between 2018 and 2020. Workers are particularly likely to click these trusted formats. The volume of malicious Office and PDF files did start to dip in 2021, however, as some workers returned to the office.

It’s important to note, though, that as users become more wary of opening suspicious-looking files, many malicious emails don’t contain an attachment at all. In fact, 2021 Tessian research found that 76% of malicious emails did not contain an attachment.

The data that’s compromised in phishing attacks

The top three types of data compromised in a phishing attack are:

Credentials (passwords, usernames, PIN numbers)
Personal data (name, address, email address)
Medical (treatment information, insurance claims)

When asked about the impact of successful phishing attacks, security leaders around the world cited the following consequences:

60% of organizations lost data
52% of organizations had credentials or accounts compromised
47% of organizations were infected with ransomware
29% of organizations were infected with malware
18% of organizations experienced financial losses
The cost of a breach

In 2021, RiskIQ estimated that businesses worldwide lose $1,797,945 per minute due to cybercrime, and that the average breach costs a company $7.2 per minute. IBM’s 2021 research into the cost of a data breach ranks the causes of data breaches according to the level of costs they impose on businesses.

Phishing ranks as the second most expensive cause of data breaches: a breach caused by phishing costs businesses an average of $4.65 million, according to IBM. And Business Email Compromise (BEC), a type of phishing whereby the attackers hijack or spoof a legitimate corporate email account, ranks at number one, costing businesses an average of $5.01 million per breach.

That’s not the only way phishing can lead to a costly breach: attacks using compromised credentials were ranked as the fifth most costly cause of a data breach (averaging $4.37 million). And how do credentials get compromised? More often than not, through phishing.

On the plus side, IBM found that businesses with AI-based security solutions experienced a significant reduction in the costs associated with a data breach. In fact, AI security solutions were found to be the biggest factor in cutting breach costs, from $6.71 million to $2.90 million.

According to Verizon, organizations also see a 5% drop in stock price in the 6 months following a breach.

Losses from business email compromise (BEC) have skyrocketed over the last year. The FBI’s Internet Crime Report shows that in 2020, BEC scammers made over $1.8 billion, far more than via any other type of cybercrime.

And this number is only increasing. According to the Anti-Phishing Working Group’s Phishing Activity Trends Report, the average wire-transfer loss from BEC attacks in the second quarter of 2020 was $80,183, up from $54,000 in the first quarter.
These costs can be broken down into several categories, including:

Lost hours from employees
Remediation
Incident response
Damaged reputation
Lost intellectual property
Direct monetary losses
Compliance fines
Lost revenue
Legal fees

Costs associated with remediation generally account for the largest chunk of the total.

Importantly, these costs can be mitigated by cybersecurity policies, procedures, technology, and training. Artificial intelligence platforms can save organizations $8.97 per record.

The most targeted industries

Cisco’s 2021 data suggests that financial services firms are the most likely to be targeted by phishing attacks, having been targeted by 60% more phishing attacks than the next-highest sector (which Cisco identifies as higher education).

Tessian’s 2021 research suggests workers in the following industries received a particularly large quantity of malicious emails:

Retail (an average of 49 malicious emails per worker, per year)
Manufacturing (31)
Food and beverage (22)
Research and development (16)
Tech (14)

Phishing by country

Not all countries and regions are impacted by phishing to the same extent, or in the same way. Here are some statistics from another source showing the percentage of companies that experienced a successful phishing attack in 2020, by country:

United States: 74%
United Kingdom: 66%
Australia: 60%
Japan: 56%
Spain: 51%
France: 48%
Germany: 47%

Phishing awareness also varies geographically. Here’s the percentage of people who correctly answered the question “What is phishing?”, by country:

United Kingdom: 69%
Australia: 66%
Japan: 66%
Germany: 64%
France: 63%
Spain: 63%
United States: 52%

As you can see, there’s no direct correlation between phishing awareness and phishing susceptibility (the US ranks highest for successful attacks and lowest for awareness, yet the UK ranks second for successful attacks despite the highest awareness), which is why security training alone isn’t enough to prevent cybercrime.
The most impersonated brands

2021 Tessian research found these to be the most commonly impersonated brands in phishing attacks:

Microsoft
ADP
Amazon
Adobe Sign
Zoom

The common factor between all of these brands? They’re trusted and frequently communicate with their customers via email. Whether we’re asked to confirm credit card details, our home address, or our password, we often think nothing of it and willingly hand over this sensitive information.

But it’s not just consumer brands that scammers impersonate. Public bodies are also commonly mimicked in phishing scams.

Between August 2020 and July 2021, the UK’s tax authority (HMRC) reported:

More than 450 COVID-19-related financial support scams
More than one million reports of “suspicious contact” (namely, phishing attempts)
More than 13,000 malicious web pages (used as part of phishing attacks)

The rates of phishing and other scams reported by HMRC more than doubled in this period.
Facts and figures related to COVID-19 scams

Phishing scammers had a field day exploiting the fear and uncertainty that arose as a result of COVID-19. CrowdStrike identified the following most common themes among COVID-related phishing emails:

Exploitation of individuals looking for details on disease tracking, testing and treatment
Impersonation of medical bodies, including the World Health Organization (WHO) and U.S. Centers for Disease Control and Prevention (CDC)
Financial assistance and government stimulus packages
Tailored attacks against employees working from home
Scams offering personal protective equipment (PPE)
Passing mention of COVID-19 within previously used phishing lure content (e.g., deliveries, invoices and purchase orders)

And the COVID phishing surge is far from over. In December 2021, the US Federal Trade Commission (FTC) launched a new rule-making initiative aimed at combating the tidal wave of COVID scams, having received 12,491 complaints of government impersonation and 8,794 complaints of business impersonation related to the pandemic.

Phishing and the future of work

The move to remote work has presented many challenges to business, and the increased range, frequency, and probability of security incidents are among the most serious.

New working habits have contributed to the recent surge in phishing because IT teams have less oversight of how colleagues are using their devices and can struggle to provide support when things go wrong.

According to Microsoft’s New Future of Work Report:

80% of security professionals surveyed said they had encountered increased security threats since the shift to remote work began.
Of these, 62% said phishing campaigns had increased more than any other type of threat.
Employees said they believed IT departments would have been able to mitigate these phishing attacks if they had been working in the office.

Furthermore, an August 2021 survey conducted by Palo Alto Networks found that:

35% of companies reported that their employees either circumvented or disabled remote security measures
Workers at organizations that lacked effective remote collaboration tools were more than eight times as likely to report high levels of security evasion
83% of companies with relaxed bring-your-own-device (BYOD) policies reported increased security issues
What can individuals and organizations do to prevent being targeted by phishing attacks?

While you can’t stop hackers from sending phishing or spear phishing emails, you can make sure you (and your employees) are prepared if and when one is received.

You should start with training. Educate employees about the key characteristics of a phishing email and remind them to be scrupulous and inspect emails, attachments, and links before taking any further action.

- Review the email address of senders and look out for impersonations of trusted brands or people (check out our blog CEO Fraud Email Attacks: How to Recognize & Block Emails that Impersonate Executives for more information)
- Always inspect URLs in emails for legitimacy by hovering over them before clicking
- Beware of URL redirects and pay attention to subtle differences in website content
- Genuine brands and professionals generally won’t ask you to reply divulging sensitive personal information. If you’ve been prompted to, investigate and contact the brand or person directly, rather than hitting reply

But humans shouldn’t be the last line of defense. That’s why organizations need to invest in technology and other solutions to prevent successful phishing attacks. Given the frequency of attacks year-on-year, it’s clear that spam filters, antivirus software, and other legacy security solutions aren’t enough.

That’s where Tessian comes in. By learning from historical email data, Tessian’s machine learning algorithms can understand specific user relationships and the context behind each email. This allows Tessian Defender to not only detect, but also prevent a wide range of impersonations, spanning more obvious, payload-based attacks to subtle, social-engineered ones.

Further reading: ⚡ Tessian Defender: Product Data Sheet
Why Confidence Matters: How Good is Tessian Defender’s Scoring Model?
10 January 2022
This post is part two of Why Confidence Matters, a series about how we improved Defender’s confidence score to unlock a number of important features. You can read part one here.

In this part, we will focus on how we measured the quality of confidence scores generated by Tessian Defender. As we’ll explain later, a key consideration when deciding on metrics and setting objectives for our research was a strong focus on product outcomes.

Part 2.1 – Confidence score fundamentals

Before we jump into the particular metrics and objectives we used for the project, it’s useful to discuss the fundamental attributes that constitute a good scoring model.

1. Discriminatory power

The discriminatory power of a score tells us how good the score is at separating between positive (i.e. phishy) and negative examples (i.e. safe). The chart below illustrates this idea.

For each of two models, the image shows a histogram of the model’s predicted scores on a sample of safe and phish emails, where 0 is very sure the email is safe and 1 is absolutely certain the email is phishing.

While both are generally likely to assign a higher score for a phishing email than a safe one, the example on the left shows a clearer distinction between the most likely score for a phishing vs a safe email.
Discriminatory power is very important in the context of phishing because it determines how well we can differentiate between phishing and safe emails, providing a meaningful ranking of flags from most to least likely to be malicious. This confidence also unlocks the ability for Tessian Defender to quarantine emails which are likely to be phishing, and reduce flagging on emails we are least confident about, improving the precision of our warnings.  
2. Calibration

Calibration is another important attribute of the confidence score. A well-calibrated score will reliably reflect the probability that a sample is positive. Calibration is normally assessed using a calibration curve, which looks at the precision of unseen samples across different confidence scores (see below).
The above graph shows two example calibration curves. The gray line shows what a perfectly calibrated model would look like: the confidence score predicted for samples (x-axis) always matches the observed proportion of phishy emails (y-axis) at that score. In contrast, the poorly-calibrated red line shows a model that is underconfident for lower scores (model predicts a lower score than the observed precision) and overconfident for high scores.   From the end-user’s perspective, calibration is especially important to make the score interpretable, and especially matters if the score will be exposed to the user.
3. Consistency

A good score will also generalize well across different cuts of the samples it applies to. In the context of Tessian Defender, we needed a score that would be comparable across different types of phishing: we should expect the scoring to work just as well for Account Takeover (ATO) as it does for Brand Impersonation. We also had to make sure that the score generalized well across different customers, who operate in different industries and send and receive very different types of emails. For example, a financial services firm may receive a phishing email in the form of a spoofed financial newsletter, but such an email would not appear in the inbox of someone working in the healthcare sector.
Metrics

How do we then quantify the above attributes for a good score? This is where metrics come into play – it is important to design appropriate metrics that are technically robust, yet easily understandable and translatable to a positive user experience.

A good metric for capturing the overall discriminatory power of a model is the area under the ROC curve (AUC-ROC) or the average precision of a model at different thresholds, both of which capture the performance of the model across all possible thresholds. Calibration can be measured with metrics that estimate the error between the predicted score and true probability, such as the Adaptive Calibration Error (ACE).

While these out-of-the-box metrics are commonly used to assess machine learning (ML) models, there are a few challenges which make them hard to use in a business context.

First, they are quite difficult to explain simply to stakeholders who are not familiar with statistics and ML. For example, the AUC-ROC score doesn’t tell most people how well they should expect a model to behave. Second, it’s difficult to translate real product requirements into AUC-ROC scores. Even for those who understand these metrics, it’s not easy to specify what increase in these scores would be required to achieve a particular outcome for the product.
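The two attributes above, discriminatory power and calibration, together with the AUC-ROC and ACE metrics named here, can be computed from a small set of scored emails. The following Python is an added example written for this page, not Tessian's code: the SAMPLE list of (score, label) pairs is constructed, AUC-ROC is computed in its rank-statistic form, and ACE uses equal-count (adaptive) bins over the sorted scores, which is also how the calibration curve points are produced.

```python
"""Discriminatory power (AUC-ROC) and calibration (curve + ACE) of a
phishing confidence score, computed with the standard library only.

Added example, not Tessian's code. SAMPLE is a constructed list of
(score, label) pairs: score is the model's confidence in [0, 1] and
label is 1 for a phishing email, 0 for a safe one.
"""

# Constructed sample: a model that separates the classes reasonably well
# but is over-confident at the top of the score range.
SAMPLE = [
    (0.02, 0), (0.05, 0), (0.08, 0), (0.10, 0), (0.15, 0), (0.20, 0),
    (0.25, 0), (0.30, 1), (0.35, 0), (0.40, 0), (0.45, 1), (0.50, 0),
    (0.55, 1), (0.60, 0), (0.65, 1), (0.70, 1), (0.75, 0), (0.80, 1),
    (0.85, 0), (0.90, 1), (0.95, 1), (0.97, 0), (0.98, 1), (0.99, 1),
]


def auc_roc(sample):
    """AUC-ROC as the probability that a randomly chosen phishing email
    scores higher than a randomly chosen safe email (Mann-Whitney U form;
    ties count half). 0.5 is chance, 1.0 is perfect separation."""
    pos = [s for s, y in sample if y == 1]
    neg = [s for s, y in sample if y == 0]
    wins = 0.0
    for p in pos:
        for n in neg:
            if p > n:
                wins += 1.0
            elif p == n:
                wins += 0.5
    return wins / (len(pos) * len(neg))


def calibration_curve(sample, n_bins):
    """Adaptive (equal-count) binning over the sorted scores. Returns one
    (mean predicted score, observed phishing fraction) point per bin; a
    perfectly calibrated model has the two values equal in every bin."""
    ordered = sorted(sample, key=lambda pair: pair[0])
    size = len(ordered) // n_bins
    points = []
    for b in range(n_bins):
        # The last bin absorbs the remainder when len(sample) % n_bins != 0.
        end = len(ordered) if b == n_bins - 1 else (b + 1) * size
        chunk = ordered[b * size:end]
        mean_score = sum(s for s, _ in chunk) / len(chunk)
        observed = sum(y for _, y in chunk) / len(chunk)
        points.append((mean_score, observed))
    return points


def adaptive_calibration_error(sample, n_bins):
    """Binary-class ACE: mean absolute gap between predicted score and
    observed phishing fraction across the equal-count bins."""
    points = calibration_curve(sample, n_bins)
    return sum(abs(score - observed) for score, observed in points) / len(points)


def describe(sample, n_bins=4):
    """Human-readable report of both attributes for the sample."""
    lines = [f"AUC-ROC: {auc_roc(sample):.3f}"]
    for mean_score, observed in calibration_curve(sample, n_bins):
        tag = "over-confident" if mean_score > observed else "under-confident"
        lines.append(f"  predicted {mean_score:.2f} vs observed {observed:.2f} ({tag})")
    lines.append(f"ACE: {adaptive_calibration_error(sample, n_bins):.3f}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(SAMPLE))
```

On the constructed sample the AUC-ROC is about 0.81, while the top bin predicts a mean score of 0.94 against an observed phishing rate of 0.67: the same over-confidence at high scores that the red curve in the calibration figure describes, and exactly the kind of gap a stakeholder cannot read off the AUC alone.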
Defender product-centric metrics

While we still use AUC-ROC scores within the team and compare models by this metric, the above limitations meant that we had to also design metrics that could be understood by everyone at Tessian, and directly translatable to a user’s product feature experience.

First, we defined five simpler-to-understand priority buckets that were easier to communicate with stakeholders and users (from Very Low to Very High). We aimed to be able to quarantine emails in the highest priority bucket, so we calibrated each bucket to the probability of an email being malicious. This makes each bucket intuitive to understand, and allows us to clearly translate to our users’ experience of the quarantine feature.

For the feature to be effective, we also defined a minimum number of malicious emails to prevent reaching the inbox, as a percentage of the company’s inbound email traffic. Keeping track of this metric prevents us from over-optimizing the accuracy of the Very-High bucket at the expense of capturing most of the malicious emails (recall), which would greatly limit the feature’s usefulness.

While good precision in the highest confidence bucket is important, so is accuracy on the lower end of the confidence spectrum.

A robust lower end score will allow us to stop warning on emails we are not confident in, unlocking improvements in overall precision to the Defender algorithm. Hence, we also set targets for accuracy amongst emails in the Very-Low/Low buckets.

For assurance of consistency, the success of this project also depended on achieving the above metrics across slices of data – the scores would have to be good across the different email threat types we detect, and different clients who use Tessian Defender.
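The product-centric metrics described in this section (calibrated priority buckets, quarantine coverage as a share of inbound traffic, low-end accuracy, and the same numbers checked per threat type and per client, as the Consistency section asks) can be expressed as a short report over flagged emails. The Python below is an added example written for this page, not Tessian's code: the FLAGGED list, the five bucket boundaries, the inbound total and the target values are all assumptions chosen for illustration.

```python
"""Product-centric metrics for a phishing confidence score: calibrated
priority buckets, quarantine coverage, low-end accuracy and per-slice
consistency, computed with the standard library only.

Added example, not Tessian's code. FLAGGED is a constructed set of emails a
detector flagged (score, label, threat_type, client); the bucket boundaries
and the targets are assumptions chosen for illustration, not Tessian's values.
"""
from collections import defaultdict, namedtuple

Flag = namedtuple("Flag", "score label threat_type client")  # label 1 = malicious

# Assumed bucket boundaries: a score below the upper bound lands in that bucket.
BUCKETS = [("Very Low", 0.2), ("Low", 0.4), ("Medium", 0.6), ("High", 0.8), ("Very High", 1.0)]

# Constructed sample of flagged emails from two clients and two threat types.
FLAGGED = [
    Flag(0.05, 0, "brand_impersonation", "acme"),
    Flag(0.12, 0, "ato", "acme"),
    Flag(0.18, 1, "brand_impersonation", "globex"),
    Flag(0.30, 0, "ato", "globex"),
    Flag(0.36, 0, "brand_impersonation", "acme"),
    Flag(0.45, 1, "ato", "acme"),
    Flag(0.55, 0, "brand_impersonation", "globex"),
    Flag(0.62, 1, "ato", "globex"),
    Flag(0.70, 1, "brand_impersonation", "acme"),
    Flag(0.77, 0, "ato", "acme"),
    Flag(0.82, 1, "brand_impersonation", "globex"),
    Flag(0.88, 1, "ato", "acme"),
    Flag(0.91, 1, "brand_impersonation", "acme"),
    Flag(0.95, 0, "ato", "globex"),
    Flag(0.97, 1, "brand_impersonation", "globex"),
    Flag(0.99, 1, "ato", "acme"),
]


def bucket_for(score):
    """Map a score in [0, 1] to its priority bucket name."""
    for name, upper in BUCKETS:
        if score < upper:
            return name
    return BUCKETS[-1][0]  # score == 1.0


def bucket_stats(flags):
    """Per bucket: (number of flags, observed malicious rate). For a
    calibrated bucket the malicious rate sits inside the bucket's score range."""
    groups = defaultdict(list)
    for f in flags:
        groups[bucket_for(f.score)].append(f.label)
    return {name: (len(groups[name]), sum(groups[name]) / len(groups[name]))
            for name, _ in BUCKETS if groups[name]}


def quarantine_coverage(flags, inbound_total):
    """Malicious emails the Very High bucket keeps out of the inbox, as recall
    (share of all malicious flags) and as a share of total inbound traffic,
    the metric the article tracks to avoid over-optimising precision."""
    caught = sum(f.label for f in flags if bucket_for(f.score) == "Very High")
    total_malicious = sum(f.label for f in flags)
    return caught / total_malicious, caught / inbound_total


def low_end_accuracy(flags):
    """Share of Very Low / Low flags that are in fact safe, i.e. how safely
    those warnings could be dropped."""
    low = [f for f in flags if bucket_for(f.score) in ("Very Low", "Low")]
    return sum(1 - f.label for f in low) / len(low)


def very_high_precision_by(flags, field):
    """Consistency check: Very High precision per slice (threat type or client)."""
    groups = defaultdict(list)
    for f in flags:
        if bucket_for(f.score) == "Very High":
            groups[getattr(f, field)].append(f.label)
    return {key: sum(v) / len(v) for key, v in groups.items()}


def meets_targets(flags, min_vh_precision=0.8, min_low_accuracy=0.75):
    """Apply the (assumed) targets overall and on every slice; return the
    slices that fail so a weak slice is not hidden by a good overall average."""
    failing = []
    if bucket_stats(flags)["Very High"][1] < min_vh_precision:
        failing.append("overall")
    for field in ("threat_type", "client"):
        for key, precision in very_high_precision_by(flags, field).items():
            if precision < min_vh_precision:
                failing.append(f"{field}={key}")
    if low_end_accuracy(flags) < min_low_accuracy:
        failing.append("low_end")
    return failing


if __name__ == "__main__":
    print(bucket_stats(FLAGGED))
    print(quarantine_coverage(FLAGGED, inbound_total=1000))  # constructed inbound volume
    print(low_end_accuracy(FLAGGED))
    print(meets_targets(FLAGGED))
```

On the constructed data the Very High bucket is 5/6 precise overall and so passes an 0.8 target, yet the per-slice check fails for the ATO threat type and for one client (2/3 each): the average hides exactly the inconsistency the section warns about.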
Part 2.2 – Our Data: Leveraging User Feedback

After identifying the metrics, we can now look at the data we used to train and benchmark our improvements to the confidence score. Having the right data is key to any ML application, and this is particularly difficult for phishing detection. Specifically, most ML applications rely on labelled datasets to learn from.

We found building a labelled dataset of phishing and non-phishing emails especially challenging for a few reasons:
Data challenges

Phishing is a highly imbalanced problem. On the whole, phishing emails are extremely low in volumes compared to all other legitimate email transactions for the average user. On a daily basis, over 300 billion emails are being sent and received around the world, according to recent statistics. This means that efforts to try to label emails manually will be highly ineffective, like finding a needle in a haystack.

Also, phishing threats and techniques are constantly evolving, such that even thousands of emails labelled today would quickly become obsolete. The datasets we use to train phishing detection models must constantly be updated to reflect new types of attacks.

Email data is also very sensitive by nature. Our clients trust us to process their emails, many of which contain sensitive data, in a very secure manner. For good reasons, this means we control who can access email data very strictly, which makes labelling harder.

All these challenges make it quite difficult to collect large amounts of labelled data to train end-to-end ML models to detect phishing.
User feedback and why it’s so useful

As you may remember from part one of this series, end-users have the ability to provide feedback about Tessian Defender warnings. We collect thousands of these user responses weekly, providing us with invaluable data about phishing.

User responses help address a number of the challenges mentioned above.

First, they provide a continually updated view of changes in the attack landscape. Unlike a static email dataset labelled at a particular point in time, user response labels can capture information about the latest phishing trends as we collect them, day-in and day-out. With each iteration of model retraining with the newest user labels, user feedback is automatically incorporated into the product. This creates a positive feedback loop, allowing the product to evolve in response to users’ needs.

Relying on end-users to label their own emails also helps alleviate concerns related to data sensitivity and security. In addition, end-users have the most context about the particular emails they receive. Combined with the explanations provided by Tessian warnings, they are more likely to provide accurate feedback.

Together, these benefits neatly address all the challenges above, but user feedback is not without its limitations.

For one, the difference between phishing, spam and graymail is not always clear to users, causing spam and graymail to often be labelled as malicious. Often, several recipients of the same email can also disagree on whether it is malicious. Secondly, user feedback data may not be a uniform representation of the email threat landscape – we often receive more feedback from some clients or for certain types of phishing. Neglecting to address this under-representation would result in a model that performs better for some clients, something we absolutely need to avoid in order to ensure consistency in the quality of our product for all new and existing clients.
In the last part of the series Why Confidence Matters, we’ll discuss how we navigated the above challenges, delve deeper into the technical design of the research pipeline used to build the confidence-scoring model, and the impact that this has brought to our customers.
(Co-authored by Gabriel Goulet-Langlois and Cassie Quek)
What the Ransomware Pandemic Tells Us About the Evolution of Spear Phishing Attacks
By John Filitz
06 January 2022
Over the last several years, the cybercriminal economy has undergone a sea change in maturity and sophistication. And it’s not going to slow down any time soon. Looking at the numbers:

- The cost of cybercrime damages, currently in the $6 trillion range, is expected to reach $10.5 trillion by 2025 – a +350% increase from 2015
- The average cost of a cybersecurity breach escalated to $4.24 million in 2021 – up almost 10% year-over-year
- By 2025 the lucrative nature of cybercrime will be 10x greater than all other illicit activities combined
- Ransomware is proving to be particularly problematic, with ransomware damages exceeding $20 billion for 2021 – a 57-fold increase from 2015
- 2021 also saw the largest ransomware payment yet, by insurer CNA for a sum of $40 million to regain access to their data and information systems
- The past 12 months have been equally tough for the cyber insurance industry, with claims up by 500% YoY – and ransomware responsible for 75% of those claims
- As a consequence, cyber insurance premiums are now in record territory, witnessing 75% to 100% increases over the past 12 months – with some of the leading insurers now excluding coverage for nation-state cyber attacks

The bottom line: the threat paradigm has evolved, and ransomware is the biggest challenge security leaders face.
Ransomware as organized cybercrime

The increasing sophistication of ransomware attacks (both in target acquisition and attack execution) points to a new level of maturity. Cybercriminals are displaying a level of sophistication akin to organized criminal groups. What compounds the challenge is a sizable share of these organized criminal groups have nation-state backing. Recent trends point to increasing commercialization of offerings available on the dark web, with Ransomware-as-a-Service (RaaS) available for as little as $40 per month. Russian-linked cybercrime groups REvil and DarkSide have been particularly active on the RaaS front – with REvil being taken offline twice by law enforcement in 2021.
Cybercriminals generally fall into two categories:

1. The purely criminal enterprise, composed of solo or group actors that are loosely organized, acting on their own initiative or available for hire. Motivations are primarily financial gain.
2. The organized cybercriminal gangs that are often transnational in scope, and it is often these groups that benefit from implicit or explicit nation-state support. Motivations for attacking include financial gain and/or political reasons (espionage and sabotage). These groups do not focus exclusively on deploying ransomware but continually adapt, seek and develop new exploit methods. Also commonly referred to as advanced persistent threat (APT) actors, well known examples include the Russian state-linked Fancy Bear (APT 28) and Cozy Bear (APT 29), or the China-state linked Wekby (APT 18), Emissary Panda (APT27) and Wicked Panda (APT 41). Other countries linked to APT groups include Iran, North Korea (Lazarus Group) (APT 38) and Vietnam.
All threat actors deserve attention, but the APT actors and their association with ransomware attacks are of particular concern. APTs pose the greatest threat to companies and countries alike due to their advanced capabilities and degree of state sanction with which they operate. Industries like manufacturing, financial services, healthcare, and critical infrastructure, as well as countries around the world continue to be targeted.   APTs are often driven by a mandate of either financial gain, Intellectual Property and data theft, which can include industrial or state espionage – evident in the recent Chinese linked APT data harvesting campaigns. Additional motivations can include nation-state sabotage, either accidental as we saw in the Colonial Pipeline hack, or orchestrated such as the Russian-linked critical infrastructure destabilization campaigns in the Ukraine. 
The actions of ransomware campaigns can have devastating financial and other consequences including:

- Financial costs associated with the ransomware payment – declared ransomware payments in the US totalled $590 million from January to June 2021
- Cost of disruption damage – the damages associated with the NotPetya ransomware attack are estimated to be +$10 billion
- Reputation damage – unquantifiable
- Catastrophic data loss events resulting in significant business harm or business failure – FEMA indicates a +90% probability of business failure for a data recovery effort that takes longer than 5 days
The importance of hardening your email defensive capability

One particular threat vector of concern is the targeting of employees via email through advanced and persistent social engineering campaigns, often driven by APT actors. And legacy email security solutions built for the on-premise world of email exchange servers, and relying on manual, static and rule-based security methodologies, offer rudimentary protection at best.
This helps explain why email continues to be the number one threat vector. With the average organization experiencing a click through rate of 30% on simulated phishing exercises, it’s of no surprise that 96% of phishing attempts are delivered via email. The odds are certainly in the bad actors’ favor.    This explains why phishing via email remains the number one delivery mechanism for ransomware – accounting for 54% of successful attacks.   The types of phishing attacks that are most devastating center on advanced spear phishing and business email compromise (BEC). Targeted at senior personnel in an organization, these attacks deploy a range of impersonation methods – also referred to as whaling or C-suite impersonation attacks.    Senior personnel are targeted due to the significant administrative privileges these email accounts carry. Once an attacker has successfully compromised an employee’s email account, the mean time for deploying the ransomware and demanding a ransom ranges from 12 to 76 hours. For small companies the incident usually plays out over 2 to 4 days, with larger enterprises this can take several weeks.   The fallibility of employees to phishing attacks, combined with legacy email security solutions built for an on-premise world, go some way in explaining why damages associated with cyber attacks are expected to increase exponentially in the coming months, especially with hybrid-working here to stay.
What the pandemic means for enterprise cybersecurity

The dramatic shift to a hybrid and remote operating model as a result of the pandemic has proved a boon for cybercriminals, with ransomware attacks being particularly rewarding. Even the “average” person is worried about cybercrime, with Americans saying it’s the crime they’re most worried about in 2021. Security leaders are, too, with 69% saying they think ransomware attacks will be a greater concern in a hybrid work place.

Enterprises with significant on-premise footprints and associated legacy IT infrastructure have been particularly vulnerable to cyber attacks. Attack surface risk increased exponentially overnight, with employees logging into corporate networks from poorly secured home networks, and often on personal devices. The telemetry that on-premise cybersecurity tools provided was, and has been, severely curtailed. These legacy tools were built for a world of securing networks, endpoints and devices.

The pandemic set new parameters of where cyber risk could manifest and revealed a need for a new approach to cybersecurity – an approach that addresses cyber risk as it manifests, in real-time, regardless of network, endpoint or device.
Human Layer Security for the post-perimeter new order

It is for these reasons that 75% of cybersecurity leaders believe legacy email security approaches and tools are no longer adequate for the current threatscape. This is also why 58% of cybersecurity leaders are investing in behavioral intelligence enabled email security solutions. Only by securing an organization’s most important asset – its employees – will the risk of a cyber attack, including ransomware, be mitigated.

That is where a solution like Tessian’s advanced email security and Data Loss Prevention (DLP) platform provides a level of unmatched security, at the human layer level.

Key features include:

- Advanced Spear Phishing Protection
- Advanced Attachment and URL Protection
- Internal Impersonation & CEO Fraud
- Advanced Spoof Detection
- Counterparty & Vendor Impersonation
- Brand Impersonation
- External Account Takeover
- Invoice Fraud
- Bulk Remediation
- Automated Quarantine
- Threat Intelligence
- Insider Threat Management
- Accidental & Malicious DLP

Want to learn more? See how Tessian prevents ransomware attacks, watch a product overview video, download our platform architecture whitepaper, or book a demo.
Why Confidence Matters: How We Improved Defender’s Confidence Scores to Fight Phishing Attacks
04 January 2022
‘Why Confidence Matters’ is a weekly three-part series. In this first article, we’ll explore why a reliable confidence score is important for our users. In part two, we’ll explain more about how we measured improvements in our scores using responses from our users. And finally, in part three, we’ll go over the pipeline we used to test different approaches and the resulting impact in production.

Part One: Why Confidence Matters

Across many applications of machine learning (ML), being able to quantify the uncertainty associated with the prediction of a model is almost as important as the prediction itself. Take, for example, chatbots designed to resolve customer support queries. A bot which provides an answer when it is very uncertain about it will likely cause confusion and dissatisfied users. In contrast, a bot that can quantify its own uncertainty, admit it doesn’t understand a question, and ask for clarification is much less likely to generate nonsense messages and cause frustration amongst its users.
The importance of quantifying uncertainty

Almost no ML model gets every prediction right every time – there’s always some uncertainty associated with a prediction. For many product features, the cost of errors can be quite high. For example, mis-labelling an important email as phishing and quarantining it could result in a customer missing a crucial invoice, or mislabelling a bank transaction as fraudulent could result in an abandoned purchase for an online merchant.

Hence, ML models that make critical decisions need to predict two key pieces of information:

1. the best answer to provide a user
2. a confidence score to quantify uncertainty about the answer

Quantifying the uncertainty associated with a prediction can help us to decide if, and what, actions should be taken.
How does Tessian Defender work?

Every day, Tessian Defender checks millions of emails to prevent phishing and spear phishing attacks. In order to maximise coverage, Defender is made up of multiple machine learning models, each contributing to the detection of a particular type of email threat (see our other posts on phishing, spear phishing, and account takeover).

Each model identifies phishing emails based on signals relevant to the specific type of attack it targets. Then, beyond this primary binary classification task, Defender also generates two key outputs for any email that is identified as potentially malicious across any of the models:

- A confidence score, which is related to the probability that the email flagged is actually a phishing attack. This score is a value between 0 (most likely safe) and 1 (most certainly phishing), which is then broken down into 4 categories of Priority (from Low to Very High). This score is important for various reasons, which we further expand on in the next section.
- An explanation of why Defender flagged the email. This is an integral part of Tessian’s approach to Human Layer Security: we aim not only to detect phishy emails, but also to educate users in-the-moment so they can continually get better at spotting future phishing emails. In the banner, we aim to concisely explain the type of email attack, as well as why Defender thinks it is suspicious. Users who see these emails can then provide feedback about whether they think the email is indeed malicious or not. Developing explainable AI is a super interesting challenge which probably deserves its own content, so we won’t focus on it in this particular series. Watch this space!
Why Confidence Scores Matter

Beyond Defender’s capability to warn on suspicious emails, there were several key product features we wanted to unlock for our customers that could only be done with a robust confidence score. These were:

Email quarantine

Based on the score, Defender first aims to quarantine the highest priority emails to prevent malicious emails from ever reaching their employees’ mailboxes. This not only reduces the risk exposure for the company from an employee still potentially interacting with a malicious email; it also removes burden and responsibility from the user to make a decision, and reduces interruption to their work.

Therefore, for malicious emails that we’re most confident about, quarantining is extremely useful. In order for quarantine to work effectively, we must:

- Identify malicious emails with very high precision (i.e. very few false positives). We understand the reliance of our customers on emails to conduct their business, and so we needed to make sure that any important communications still come through to their inboxes unimpeded. This was very important so that Tessian Defender can secure the human layer without security getting in our users’ way.
- Identify a large enough subset of high confidence emails to quarantine. It would be easy to achieve a very high precision by quarantining very few emails with a very high score (a low recall), but this would greatly limit the impact of quarantine on how many threats we can prevent. In order to be a useful tool, Defender would need to quarantine a sizable volume of malicious emails.

Both these objectives directly depend on the quality of the confidence score. A good score would allow for a large proportion of flags to be quarantined with high precision.
Prioritizing phishy emails

In today’s threat landscape, suspicious emails come into inboxes in large volumes, with varying levels of importance. That means it’s critical to provide security admins who review these flagged emails with a meaningful way to order and prioritize the ones that they need to act upon. A good score will provide a useful ranking of these emails, from most to least likely to be malicious, ensuring that an admin’s limited time is focused on mitigating the most likely threats, while having the assurance that Defender continues to warn and educate users on other emails that contain suspicious elements.

The bottom line: Being able to prioritize emails makes Defender a much more intelligent tool that is effective at improving workflows and saving our customers time, by drawing their attention to where it is most needed.
Removing false positives

We want to make sure that all warnings Tessian Defender shows employees are relevant and help prevent real attacks.

False positives occur when Defender warns on a safe email. If this happens too often, warnings could become a distraction, which could have a big impact on productivity for both security admins and email users. Beyond a certain point, a high false positive rate could mean that warnings lose their effectiveness altogether, as users may ignore them completely. Being aware of these risks, we take extra care to minimize the number of false positives flagged by Defender.

Similarly to quarantine, a good confidence score can be used to filter out false positives without impacting the number of malicious emails detected. For example, emails with a confidence score below a given threshold could be removed to avoid showing employees unnecessary warnings.
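The three uses of the score in this part (quarantine the top of the range with high precision but enough recall, warn in the middle, and drop warnings below a low threshold to cut false positives) come down to picking two thresholds from labelled flags and routing each email accordingly. The Python below is an added example written for this page, not Tessian's code: FLAGS is a constructed list of (score, is_malicious) pairs for flagged emails, and the 0.8 precision target and 10% missed-threat budget are assumptions chosen for illustration.

```python
"""Turning a confidence score into actions: quarantine the top of the
score range, warn in the middle, and suppress warnings at the bottom.

Added example, not Tessian's code. FLAGS is a constructed list of
(score, is_malicious) pairs for emails a detector flagged; the precision
target and the missed-threat budget are assumptions chosen for illustration.
"""

FLAGS = [
    (0.03, 0), (0.07, 0), (0.11, 0), (0.16, 1), (0.22, 0), (0.28, 0), (0.33, 0),
    (0.41, 1), (0.47, 0), (0.52, 1), (0.58, 0), (0.64, 1), (0.69, 1), (0.73, 0),
    (0.79, 1), (0.84, 1), (0.88, 0), (0.92, 1), (0.96, 1), (0.99, 1),
]


def precision_recall_at(flags, threshold):
    """Precision and recall if every flag scoring >= threshold is quarantined."""
    selected = [y for s, y in flags if s >= threshold]
    true_positives = sum(selected)
    total_malicious = sum(y for _, y in flags)
    precision = true_positives / len(selected) if selected else 1.0
    recall = true_positives / total_malicious if total_malicious else 0.0
    return precision, recall


def choose_quarantine_threshold(flags, min_precision):
    """Sweep the observed scores from low to high and return the lowest
    threshold whose precision meets the target. Recall only falls as the
    threshold rises, so this is the qualifying threshold that quarantines
    the most malicious email. Returns (threshold, precision, recall), or
    None if no threshold reaches the target."""
    for t in sorted({s for s, _ in flags}):
        precision, recall = precision_recall_at(flags, t)
        if precision >= min_precision:
            return t, precision, recall
    return None


def choose_suppress_threshold(flags, max_missed_fraction):
    """Highest threshold such that dropping every flag below it loses at most
    max_missed_fraction of all malicious emails. Returns 0.0 if nothing can
    be dropped within the budget."""
    total_malicious = sum(y for _, y in flags)
    best = 0.0
    for t in sorted({s for s, _ in flags}):
        missed = sum(y for s, y in flags if s < t)
        if missed / total_malicious > max_missed_fraction:
            break
        best = t
    return best


def warning_precision(flags, suppress_t):
    """Precision of the flags still surfaced (score >= suppress_t): shows how
    suppressing the low end raises the precision of what users see."""
    shown = [y for s, y in flags if s >= suppress_t]
    return sum(shown) / len(shown) if shown else 1.0


def action_for(score, quarantine_t, suppress_t):
    """Route one flagged email. Quarantine is checked first so a score above
    both thresholds is never merely suppressed."""
    if score >= quarantine_t:
        return "quarantine"
    if score < suppress_t:
        return "suppress"
    return "warn"


def triage(flags, min_precision=0.8, max_missed_fraction=0.1):
    """Derive both thresholds from the data, route every flag, and return the
    thresholds together with the count of each action."""
    quarantine_t, _, _ = choose_quarantine_threshold(flags, min_precision)
    suppress_t = choose_suppress_threshold(flags, max_missed_fraction)
    counts = {"quarantine": 0, "warn": 0, "suppress": 0}
    for score, _ in flags:
        counts[action_for(score, quarantine_t, suppress_t)] += 1
    return {"quarantine_threshold": quarantine_t, "suppress_threshold": suppress_t, **counts}


if __name__ == "__main__":
    print(triage(FLAGS))
```

On the constructed flags the lowest threshold that reaches 0.8 precision is 0.79, which quarantines half of the malicious emails; suppressing everything below 0.41 drops seven warnings at the cost of one missed threat and lifts the precision of the remaining warnings from 0.50 to about 0.69. Run on real labelled feedback, the same sweep is how the precision/recall trade-off the section describes becomes a concrete pair of thresholds, and re-running it after retraining shows whether they still hold.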
What’s next?

Overall, you can see there were plenty of important use cases for improving Tessian Defender’s confidence score. The next thing we had to do was to look at how we could measure any improvements to the score. You can find a link to part two in the series below.

(Co-authored by Gabriel Goulet-Langlois and Cassie Quek)
A Year in Review: 2021 Product Updates
By Harry Wetherald
16 December 2021
Looking back at the last 12 months, Tessian’s Human Layer Security platform has scanned nearly 5 billion emails, identified over half a million malicious emails, stopped close to 30,000 account takeover attempts, and prevented over 100,000 data breaches due to a misdirected email…

At the same time, we rolled out a number of important product updates to help keep our customers safe. Here are the most important product updates to Tessian’s Human Layer Security platform from 2021.

We built the world’s first Intelligent Data Loss Prevention Engine

We believe that the next generation of Data Loss Prevention is fundamentally about shifting away from entirely rule-based techniques towards a dynamic, behavioral approach. That’s why we built Guardian and Enforcer, to automatically prevent both accidental data loss and sensitive data exfiltration to unauthorized accounts.

But we have also seen that, when combined with dynamic behavioral analysis, custom DLP policies play an important role in an organization’s data security strategy.

With the launch of Tessian Architect in October 2021, enterprises can now deploy powerful, intelligent DLP policies. Architect is a perfect complement to Tessian Guardian and Enforcer and provides the market’s best-in-class Email DLP platform:

- Architect was built together with leading security teams – it’s intuitive, quick-to-learn and comes with a library of prebuilt policies
- Architect has built-in machine learning capabilities and features a powerful logic engine to address even the most complex DLP use cases
- Architect is designed to educate users about data security practices in-the-moment and guide people towards better behavior

Want to learn more about Tessian Architect? Read more about it here.
We now protect customers from compromised external counterparties

This year, we saw a record number of bad actors compromising email accounts of trusted external senders (suppliers, customers, and other third-parties) to breach a target company. These attacks are called external Account Takeovers (ATO), and they’re one of the main pathways to Business Email Compromise (BEC).

Because these malicious emails don’t just appear to have come from a trusted vendor or supplier’s legitimate email address, but actually do come from it, external ATOs are incredibly hard to spot, meaning organizations are exceptionally vulnerable to them.

Tessian Defender now automatically detects and stops external Account Takeover attacks.

By using machine learning to understand a sender’s normal email sending patterns (like where they usually send from, what they talk about, what services they use, and more), it can identify suspicious deviations from the norm and detect malicious emails.

When this happens, Defender can either block these attacks, or show educational alerts to end-users, helping them identify and self-triage attacks.

Learn more about External Account Takeover protection here.
We now stop more threats, with better accuracy, with less admin overhead

In-the-moment warnings are one of the features that set Tessian apart from the competition. When Tessian Defender detects a potentially malicious email, it warns users with a pop-up, explaining exactly why the email was flagged.

But we know that sometimes it’s better to automatically block phishing emails.

Tessian Defender now automatically blocks attacks before they reach a user’s mailbox. This gives security teams an additional layer of email security, preventing end-users from receiving emails that are highly likely to be phishing attacks.

Defender can also adapt the response it takes to remediate a threat. If our machine learning is close to certain an email is malicious, it can quarantine it. Otherwise, it can deliver it to the end-user with an educational warning. This adaptive approach is so powerful because it strikes a balance between disrupting end-users and protecting them.

Finally, this year, Tessian Defender’s detection algorithm made some big strides. In particular, improvements in our risk confidence model allowed us to significantly reduce false positives, providing a better experience to end-users and security teams.
We now stop employees from accidentally sending the wrong attachment

Accidental data loss is the number one security incident reported to the Information Commissioner’s Office, and sending an incorrect attachment is part of that problem. In fact, 1 in 5 external emails contain an attachment, and research shows nearly half (48%) of employees have attached the wrong file to an email.

42% of documents sent in error contained company research and data
39% contained security information like passwords and passcodes
38% contained financial information and client information
36% of mistakenly attached documents contained employee data

Thanks to an upgrade to Tessian Guardian, organizations can now prevent employees from accidentally sending the wrong attachment in an email.

The upgrade uses historical learning, deep content inspection, natural language processing (NLP), and heuristics to detect counterparty anomalies, name anomalies, context anomalies, and file type anomalies, in order to understand whether an employee is attaching the correct file or not. If a misattached file is detected, the sender is immediately alerted to the error before the email is sent. This is completely automated, requiring no overhead from IT teams.

Best of all, the warnings are helpful, and flag rates are extremely low. This means employees can do their jobs without security getting in the way.

Learn more about misattached file protection here.
We can now quantify and measure human layer risk

Comprehensive visibility into employee risk is one of the biggest challenges security leaders face. With the Tessian Human Layer Risk Hub, our customers can now deeply understand their organization’s security posture, with granular visibility into employee risk, and insights into their risk levels and drivers.

How does it work? Tessian creates risk profiles for each employee, modelled from a range of signals like email usage patterns, indirect risk indicators, and employee security decisions (both historic and in real-time). Because of this unique data modelling, Tessian can gauge employees’ risk level, including whether or not they’re careful, careless, frequently attacked, and more.

This offers organizations protection, training, and risk analytics all in one platform, providing a clear picture of risk and the tools needed to reduce it.

Learn more about the Human Layer Risk Hub here.
We now integrate with KnowBe4, Sumo Logic, Okta, and more…

Tessian is even more powerful when integrated with other security solutions that help address the risk posed by employees. That’s why, in the last 12 months, we’ve announced exciting integrations with Okta, Sumo Logic, and KnowBe4, each with their own unique benefits for joint customers. With Sumo Logic + Tessian, security and risk teams can understand their risk through out-of-the-box monitoring and analytics capabilities.
With Okta + Tessian, security and risk management teams get granular visibility into their organization’s riskiest and most at-risk employees, which enables them to deploy policies that help protect particular groups of users from threats like advanced spear phishing and account compromise, and prevent accidental data leaks.
And with KnowBe4 + Tessian, security and risk management teams get more visibility into phishing risk than ever before.
Want to help us solve more challenges across use cases? Come build with us.
The Ultimate Guide to Spear Phishing
By Andrew Webb
09 December 2021
Phishing, spear phishing, smishing, vishing, and several other *ishing techniques all aim to do one thing: convince targets to reveal information which is either valuable in itself and can be ransomed or sold, or can be used to access financial systems to transfer money. That information could be account logins, bank details, customer information, or personally identifiable information (PII).

Types of phishing attacks

Phishing is a numbers game; hackers send hundreds or thousands of messages in the hope that even just one person is distracted enough to click.

That’s why a lot of attacks leverage popular culture. For example, when the smash-hit series Squid Game ended, bad actors wasted no time in sending out ‘exclusive look at season 2’ scams.

TA575 Uses ‘Squid Game’ Lures to Distribute Dridex malware @proofpoint #SquidGame #Dridex — David Bisson (@DMBisson) November 1, 2021

Scammers are like wasps at a picnic: they’ll try and attack anything to provoke you… even your daily cup of Joe. As one InfoSec attendee at our Human Layer Security Summit in November said, “If a hacker created a fake offer for free pumpkin spiced latte from Starbucks, trust me, this time a year, people will click on it”.

But there’s a much more targeted sub-category of phishing: spear phishing. Spear phishing attacks center on one or a few individuals. Hackers generally use information like a person’s whereabouts, nickname, or details about their work to craft customized, believable messages.

And getting that information is surprisingly easy. We live our lives online, and every action we take leaves a trail of data and information. Social media status updates, geo-located photographs, travel tickets, venue check-ins: all of these can be used to build a picture of an individual’s movements and preferences.
In fact, our How to Hack a Human report revealed that 90% of people post information related to their personal and professional lives online. One-third of people share business travel updates and photos online, and 93% of people update their social profiles when they get a new job. Out of Office replies also contain plenty of data that can be harnessed for an attack.
Our research also revealed that 88% of people have received a suspicious message this year. Can you guess the most popular channel? Email.    Verizon’s 2021 Data Breach Investigations Report found that a staggering 96% of phishing or spear phishing attacks arrive via email (the other means are smishing, which uses SMS, and vishing, which uses faked voicemail or phone calls). Here then, is our ultimate guide to spear phishing attacks: how to spot them, how to stop them, and how to ensure your organization is alert, trained and protected.
How big of an issue are we talking about here?

It’s a big problem. 2021’s Spear Phishing Threat Landscape Report revealed that 75% of organizations experienced some kind of phishing attack in 2020. Another 65% faced Business Email Compromise (BEC) attacks, and 35% experienced spear phishing attacks.

Graph from the FBI’s Internet Crime Report 2020

And according to the FBI, phishing incidents nearly doubled in frequency, from 114,702 in 2019 to 241,324 incidents in 2020. In all, there were more than 11 times as many phishing complaints to the FBI in 2020 compared to 2016. The numbers for 2021 will no doubt be even higher.
Our report also found that the average employee receives 14 malicious emails a year. For a 500-person company, that’s 7,000 a year. However, this number rose dramatically in the retail sector, to 49 on average. Manufacturing employees received 31, R&D 16, and tech employees 14. The problem is, you just can’t stop people from using email. For many of us, it’s a critical part of our jobs. In fact, according to data from Tessian’s own platform, employees send around 4,800 emails a year. Our inboxes are a revolving door of links, documents, and information – a door bad actors are quietly trying to slip through.
How a phishing attack starts…

Just like real fishing, the cyber version needs bait – something to entice, scare, or shock the target to act. For this, bad actors like to tap into the zeitgeist. Whatever trend, fashion, must-see TV show, or social concern is currently top of mind for their victims, they’ll try to exploit it.

What bad actors like most is something big that affects a large number of people at the same time, and things don’t get much bigger than a global pandemic. At the end of 2020, Britain’s National Cyber Security Centre (NCSC) revealed that it removed more online scams that year than in 2016 to 2019 combined.

In total, they found 120 separate phishing campaigns in which the UK’s National Health Service was impersonated – up from just 36 in 2019. The lure commonly used in these scams? The vaccine roll-out.
Indeed, the pandemic provided – and is still providing – a once-in-a-lifetime global opportunity for scammers. Our own survey from 2021 found that 35% of US citizens and 22% of UK citizens said they’d received a ‘proof of vaccination’ phishing email this year. On top of these were Zoom link scams as we all went remote, logistics firm scams as we ordered everything online, romance scams as we got lonely, and ‘back to school’ scams as young people went back into in-person education. Scammers even went for tax day scams as everyone prepared to file their tax returns.
The hook: impersonation

Again, just like real fishing, you need a mechanism to get the bait into the water – the hook. An email has to come from someone, right? And getting someone to click a link that appears to have come from Zoom, Netflix, or their boss means convincing them that it’s really from that organization or person.

Business email compromise (BEC)

One way scammers do this is with business email compromise (BEC). BEC is any phishing attack where the attacker uses a hacked, spoofed, or impersonated corporate email address to convince a target that the email is from a legitimate business.
Here, attackers are looking to spoof big global organizations that everyone will have heard of and therefore trust and potentially use – so think Microsoft, Apple, Google, as well as Amazon, DHL, and UPS. We all receive perfectly legitimate emails from these companies all the time, so our defenses are lower. You can find out more about spoof emails here.

As well as global brands and companies, BEC attacks can also impersonate a person, typically a senior executive or leader. The target is often a junior employee who’s instructed to urgently help close a deal by transferring funds. This is called CEO fraud.
CEO fraud

CEO fraud is a particular type of spear phishing in which a fraudster impersonates a senior company executive via email. This could be a CEO, CFO, Head of HR — or anyone with the power to ask employees to make payments or send sensitive information. In these types of attacks, there is again normally a sense of urgency, a perceived external threat, and crucially, often the promise of some sort of incentive for the employee to carry out the action.

Urgency isn’t always the lever, however; there’s also the ‘reasonable request’. As Glyn Wintle, CTO and co-founder of Tradecraft, told us, “If you say the request must be actioned in one day, you will get a large number of replies from employees complaining it’s not enough time. If you say it must be actioned in a week, a lot of people will forget about it. If you say it must be actioned in two working days, people think it’s a reasonable period of time and will do it immediately to avoid forgetting about it”.
It even happens to Tessian staffers: a hacker impersonated our CEO and co-founder, Tim Sadler, and tried to get an employee to buy them some iTunes vouchers. Needless to say, they didn’t fall for it.

Account Takeover (ATO)

Attacks launched from Account Takeovers (ATOs) are some of the hardest to stop because the attacker will start the phishing process from a genuine, compromised account belonging to a real person, rather than a spoofed or fake one. That’s why ATOs are able to slip past traditional phishing solutions like Secure Email Gateways (SEGs). During the pandemic, ATO attacks increased 307% between 2019 and 2021, and for sectors like Fintech the figure was 850%.
Why we click phishing links

Hackers like to take advantage of psychological factors like stress, social relationships, and uncertainty that affect people’s decision-making, as this is often when they make mistakes.

In our Psychology of Human Error report we asked 2,000 professionals about mistakes they’ve made at work. The results made for interesting reading.

Worryingly, nearly half of employees (43%) say they’ve made a mistake at work that had security repercussions for themselves or their company.

One in four employees (25%) said they have clicked on a phishing email at work. Men were twice as likely as women to fall for phishing scams, with 34% of male respondents saying they have clicked on a link in a phishing email versus just 17% of women.
Distraction means bad action

Nearly half of respondents (45%) surveyed in our report cited distraction as the top reason for falling for a phishing scam. Other reasons for clicking on phishing emails included the perceived legitimacy of the email (43%) and the fact that it appeared to have come from either a senior executive (41%) or a well-known brand (40%). Impersonating a position of trust or authority is a common and effective tactic used by hackers in phishing campaigns.
In our spring 2020 Human Layer Summit, Glyn Wintle gave us several examples of how to set up your people and security to mitigate the risks from spear phishing.  
So what does a phishing email look like?

As we know, 75% of organizations experienced some kind of phishing attack in 2020 and almost all (96%) arrived via email. But what does an actual phishing attack look like? We’ve rounded up five REAL examples of typical spear phishing attacks you can read here. All these attacks were detected (and prevented) by Tessian Defender, so no employees were harmed in the making of this blog post.
Most employees don’t really understand what a spear phishing email looks like until it’s too late. And while attacks can take lots of different forms and approaches, there are four commonalities in virtually all spear phishing emails: impersonation, motivation, urgency, and payload.
When are you most likely to be targeted by a phishing attack?

Unsurprisingly, scammers have access to a huge amount of data and, like a regular business sending a newsletter or social media post, they’ve studied when the best time to launch an attack is.

A big event in every scammer’s calendar is Black Friday, and with lots of email, money, and pressure to grab a bargain flying around, it’s easy to see why.
Black Friday came out as the worst time of the year in our Spear Phishing Threat Landscape report, which details how Tessian detected nearly 2 million malicious emails that slipped past legacy phishing solutions over a 12-month period.

As for the most popular time of day to launch an attack, research shows that after lunch was the most popular time, followed by just before the end of the day. You can see why. People have just eaten, they’ve come back to a newly full inbox, and they’re trying to get on with the rest of their day.

At the end of the day people have one eye on the door; they might be thinking about the commute home, or dinner, or going somewhere… anything except phishing attacks. This is why securing your Human Layer is crucial to protecting your organization.
You’re secure, but what about your suppliers?

Even if you’ve done the best you can to mitigate external risks to your organization’s staff, dangers can still come from your suppliers and other partners you work with. Businesses are porous institutions and rely on other businesses for everything from raw materials to stocking the stationery cupboard.
Big businesses rarely publish data on their supply chains, but according to this article from Forbes, Procter & Gamble lists over 75,000 suppliers, while the retailer Walmart uses over 100,000.

Hackers exploit these relationships in software supply chain attacks. These involve inserting malicious code into a piece of software that is then distributed among multiple organizations, usually the customers of the software company that owns the software. Like all other forms of attack, supply chain attacks are increasing, up fourfold in 2021 from 2020. The UK’s National Cyber Security Centre has detailed examples of typical supply chain attacks, as well as advice on how to defend against them.
The impact of an attack

Phishing of all types is the threat most security leaders are concerned about, for the following reasons: attacks are becoming more frequent, they’re performed at scale, they’re hard to spot, they’re time-consuming to investigate, and they can be very expensive to recover from.

IBM’s annual Cost of a Data Breach report found that the average cost in 2021 was $4.24 million, but it can be as high as $7 million depending on the sector involved and the size of the breach. Why so much? There’s the potential ransom from the hacker, but also reputation damage, regulatory fines, and time and resources diverted from other things to deal with the attack. It adds up.
The problems with legacy phishing prevention solutions

As the attacks have gotten smarter, faster, and more varied, existing solutions are struggling to stop them. Here’s why.

Secure Email Gateways (SEGs)

Problem: SEGs lack the intelligence to learn user behavior or rapidly adapt.

The backbone of a SEG is traditional email security approaches – static rules, signature-based detection, a library of known threats, etc. Meanwhile, attackers consistently evolve their techniques, email networks are dynamic in nature, and human behavior is inconsistent and unpredictable. That means rules are out of date as soon as they are created, and signature-based approaches are ineffective. SEGs can’t detect advanced impersonation, account takeover (ATO), third-party supply chain risk, or wire fraud.
Karl Knowles, Global Head of Cyber for law firm HFW, told us how there’s been a huge rise in impersonation attacks, accounting for more than half of the threats HFW gets. With domain impersonation attacks also getting more sophisticated, SEGs alone can’t cope.
And as James McQuiggan, Security Awareness Advocate at KnowBe4, explained in our Fall Summit, bad actors have upped their game and started to find ways to bypass these systems by buying and configuring the same off-the-shelf hardware and software firms use, and seeing what gets through.
Sandboxes

Problem: Easily bypassed, yet potential bottlenecks to genuine business needs.

Any detection made by the sandbox is dependent on a file exhibiting malicious behavior. This is easy to work around. Hackers will often send a PDF that contains a link to a malicious form to avoid detection. Likewise, documents with a URI (Uniform Resource Identifier) have an extremely low footprint for sandboxes to detect. And a short-TTL domain doesn’t leave much evidence for event analysis or threat intelligence.

There are issues with latency, too. Emails, communications, downloads, and important files can take several minutes to reach their destination because of the bottleneck sandboxes can create.
DMARC

Problem: Only one-third of businesses employ DMARC, and the info is publicly accessible.

Domain-based Message Authentication, Reporting and Conformance (DMARC) is an added authentication method that uses both Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to verify whether or not an email was actually sent by the owner of the domain that the user sees. However, DMARC, SPF, and DKIM records are inherently public information – they need to be, so that receiving mail servers can authenticate a sender’s domain. Attackers can see not only if your organization has a DMARC policy, but also how strictly you have configured it. Before trying to impersonate your email domain directly, a sophisticated attacker will check if you have a strict DMARC policy in place. If you do, the attacker can still carry out an advanced spear phishing attack.
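Because the record is public, the useful defensive question is what it actually tells a receiver to do. The following Python snippet is an added example (not Tessian’s or any vendor’s code) that parses a DMARC TXT record and grades its enforcement; the records are constructed samples, and example.com and the mailto: addresses are placeholders.

```python
"""Parse a DMARC TXT record and grade how strictly it is enforced.

Added example, not Tessian's code. The records below are constructed
samples; a real record lives in DNS as the TXT record at
_dmarc.<domain> (for example: dig +short TXT _dmarc.example.com).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Receiver action requested by the p= / sp= tags, weakest to strongest.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


@dataclass
class DmarcAssessment:
    policy: Optional[str]             # p= (None if missing/unknown)
    subdomain_policy: Optional[str]   # sp=, defaulting to p=
    pct: int                          # share of failing mail the policy applies to
    has_aggregate_reporting: bool     # rua= present
    enforcing: bool                   # quarantine/reject applied to 100% of mail
    findings: List[str] = field(default_factory=list)


def parse_dmarc_tags(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:a@b' into a lowercase-key dict.

    Parts without '=' are malformed and are skipped, as receivers skip them.
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> DmarcAssessment:
    """Report what a receiver would actually do with mail that fails DMARC."""
    tags = parse_dmarc_tags(record)
    findings: List[str] = []

    if tags.get("v", "").upper() != "DMARC1":
        findings.append("v=DMARC1 missing: receivers will not treat this as a DMARC record")

    policy: Optional[str] = tags.get("p", "").lower() or None
    if policy not in POLICY_RANK:
        findings.append(f"p={policy!s} missing or unknown: no policy will be applied")
        policy = None

    # sp= governs subdomains and defaults to p= when absent.
    subdomain_policy: Optional[str] = tags.get("sp", "").lower() or policy
    if subdomain_policy is not None and subdomain_policy not in POLICY_RANK:
        findings.append(f"sp={subdomain_policy} unknown: treated as p=")
        subdomain_policy = policy

    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        findings.append("pct= is not an integer: treated as 0")
    pct = max(0, min(100, pct))

    has_rua = tags.get("rua", "").lower().startswith("mailto:")

    if policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered as normal")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam rather than rejecting it")
    if policy in ("quarantine", "reject") and pct < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if (policy and subdomain_policy
            and POLICY_RANK[subdomain_policy] < POLICY_RANK[policy]):
        findings.append(f"sp={subdomain_policy} is weaker than p={policy}: subdomains can still be spoofed")
    if not has_rua:
        findings.append("no rua= address: you get no aggregate reports of who is sending as your domain")

    enforcing = policy in ("quarantine", "reject") and pct == 100
    return DmarcAssessment(policy, subdomain_policy, pct, has_rua, enforcing, findings)


# Constructed sample records (example.com and the mailto: addresses are placeholders).
SAMPLE_RECORDS = {
    "monitor_only":    "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial_rollout": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
    "weak_subdomains": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
    "strict":          "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        result = assess_dmarc(record)
        print(f"{name}: p={result.policy} sp={result.subdomain_policy} "
              f"pct={result.pct} enforcing={result.enforcing}")
        for finding in result.findings:
            print(f"  - {finding}")
```

Running this against your own `_dmarc.<domain>` record shows exactly what an attacker reading the same public record would conclude about how much spoofing of your domain a receiver will actually stop.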
Ok, so what about more security training?

You might think that your legacy solutions, in conjunction with more security awareness training (SAT), will help mitigate some of these attacks. Training is important, but the trouble with most security training is that no matter how fun and engaging you try to make it, pretty much everyone in the room has somewhere else they’d rather be. It’s also expensive, time-consuming, and will always be one step behind actual threats.
For most non-IT staff, trying to explain things like how potentially spoofed domain URLs are constructed is just far too technical, and something they’re hardly likely to remember in the heat of their inboxes weeks or months later. After all, as we learned at our Human Layer Security Spring Summit, the average human makes 35,000 decisions a day – analysing a suspect domain URL in detail probably isn’t going to be one of them. Regardless of how frequent, tailored, and engaging it is, security awareness training can’t be your only defense against social engineering. Why? Many of the more sophisticated attacks just aren’t detectable by humans.
How Tessian can help

So the only question left to answer is this: when legacy solutions and training programs aren’t enough, how can we prevent employees from interacting with the malicious emails that land in their inbox?

We believe the answer is Human Layer Security (HLS). Don’t just take our word for it; here’s what security leaders who use Tessian say about our products:

Tessian Defender uses machine learning (ML) to protect your people from even the most advanced inbound threats. Here’s how:

Tessian’s machine learning algorithms analyze your company’s email data, learn employees’ normal communication patterns, and map their trusted email relationships — both inside and outside your organization.

Tessian inspects both the content and metadata of inbound emails for any suspicious or unusual signals pointing to a potential impersonation, ATO, or BEC threat: for example, payloads, anomalous geophysical locations, IP addresses, email clients, and sending patterns.

Once it detects a threat, Tessian alerts employees that an email might be unsafe, explaining the threat in easy-to-understand language via an interactive notification.

If you’re in InfoSec, you’ll know only too well that your organization is one click away from an ‘Oh Sh*t’ moment. Tessian automatically stops those moments from happening. Questions? We’d be happy to help. Book a demo today to find out more about how Tessian can help your organization secure your Human Layer.
Product Integration News: Tessian + KnowBe4 = Tailored Phishing Training
By Austin Zide
07 December 2021
Following other recent integrations (Okta, Sumo Logic…), we’re adding KnowBe4 – the world’s largest integrated security awareness training and simulated phishing platform – to the list, giving organizations more visibility into phishing risk than ever.
What are the benefits of Tessian + KnowBe4?

The integration combines KnowBe4’s phishing simulation and training results with powerful insights from Tessian’s Human Layer Risk Hub, to give security and risk management teams a more comprehensive view of their riskiest employees. By identifying the employees who are most likely to fall for phishing attacks, security teams can adjust their security policies to the specific risks posed by individuals or deliver more tailored training in the areas where people are struggling most.

With Tessian + KnowBe4:
Training is more relevant
Employees are more engaged
Security leaders can easily report on the impact training has on improving the company’s overall security posture

This is a shift away from the traditional approach to security awareness training and is a much-needed solution to the ever-growing problem of phishing attacks. Figures show that 1 in 4 employees has clicked on a phishing email at work, while the FBI revealed that phishing was the most common type of cybercrime last year, with 11x as many phishing reports in 2020 compared to 2016.
Learn more To find out more about the Tessian and KnowBe4 integration, click here.
Holiday Book Recommendations for Security Professionals
By Maddie Rosenthal
01 December 2021
It’s the holidays, so we thought we’d pull together a little reading guide for when you get some well-earned downtime. Got a voucher (or even cash – retro!) these past holidays and need some reading inspo? We asked around the Tessian offices for recommendations for good reads in the tech and security space. Here are the team’s recommendations.
Cyber Privacy: Who Has Your Data and Why You Should Care
April Falcon Doss
Amazon, Google, Facebook, governments. No matter who we are or where we go, someone is collecting our data: to profile us, target us, assess us; to predict our behavior and analyze our attitudes; to influence the things we do and buy — even to impact our vote. Read more at Goodreads.

Social Engineering: The Science of Human Hacking
Christopher Hadnagy
Social Engineering: The Science of Human Hacking reveals the craftier side of the hacker’s repertoire — why hack into something when you could just ask for access? Undetectable by firewalls and antivirus software, social engineering relies on human fault to gain access to sensitive spaces; in this book, renowned expert Christopher Hadnagy explains the most commonly used techniques that fool even the most robust security personnel, and shows you how these techniques have been used in the past. We take a deep dive into the psychology of human error in this report, with insights from Stanford Psychology and Communications professor Jeff Hancock. Read more at Goodreads.

The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats
Richard A. Clarke
“Great book on the challenges of cyberwarfare policy” – Paul Sanglé-Ferrière, Product Manager, Tessian. An urgent new warning from two bestselling security experts – and a gripping inside look at how governments, firms, and ordinary citizens can confront and contain the tyrants, hackers, and criminals bent on turning the digital realm into a war zone. Read more at Goodreads.

The Wires of War: Technology and the Global Struggle for Power
Jacob Helberg
From the former news policy lead at Google, an urgent and groundbreaking account of the high-stakes global cyberwar brewing between Western democracies and the autocracies of China and Russia that could potentially crush democracy. Read more at Goodreads.

This Is How They Tell Me the World Ends: The Cyberweapons Arms Race
Nicole Perlroth
Filled with spies, hackers, arms dealers, and a few unsung heroes, written like a thriller and a reference, This Is How They Tell Me the World Ends is an astonishing feat of journalism. Based on years of reporting and hundreds of interviews, The New York Times reporter Nicole Perlroth lifts the curtain on a market in shadow, revealing the urgent threat faced by us all if we cannot bring the global cyber arms race to heel. Read more at Goodreads.

The Art of Invisibility: The World’s Most Famous Hacker Teaches You How to Be Safe in the Age of Big Brother and Big Data
Kevin Mitnick & Robert Vamosi
In The Art of Invisibility, Mitnick provides both online and real-life tactics and inexpensive methods to protect you and your family, in easy step-by-step instructions. He even talks about more advanced “elite” techniques, which, if used properly, can maximize your privacy. Read more at Goodreads.

The Cuckoo’s Egg
Clifford Stoll
“Probably the original threat actor report – so good” – Matt Smith, Software Engineer at Tessian. In 1986, Clifford Stoll – a systems administrator at the Lawrence Berkeley National Laboratory – wrote this book. Based on his field notes, this is arguably one of the first documented cases of a computer hack and the subsequent investigation, which eventually led to the arrest of Markus Hess. It’s now considered an essential read for anyone interested in cybersecurity. Read more at Goodreads.

CISO Compass: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers
Todd Fitzgerald
While this book covers all the fundamentals of IT security governance and risk management, it also digs deeper into people. After all, being a CISO isn’t just about technology. The insights in the book come directly from CISOs. In total, 75 security leaders contributed to the book, which means there’s plenty of actionable advice you can apply to your strategies. Looking for more insights from security leaders? Check out Tessian’s CISO Spotlight series. Read more at Goodreads.

Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers
Andy Greenberg
Politics play a big role in cybercrime. This book is focused on Sandworm, the group of Russian hackers who, over the last decade, has targeted American utility companies, NATO, and electric grids in Eastern Europe, and paralyzed some of the world’s largest businesses with malware. But the author, Wired senior writer Andy Greenberg, also provides plenty of background on both the technology and the relationships between various countries. Read more at Goodreads.

Cult of the Dead Cow
Joseph Menn
Cult of the Dead Cow is the tale of the oldest, most respected, and most famous American hacking group of all time. Though until now it has remained mostly anonymous, its members invented the concept of hacktivism, released the top tool for testing password security, and created what was for years the best technique for controlling computers from afar, forcing giant companies to work harder to protect customers. Cult of the Dead Cow explores some of the world’s most infamous hacking groups – particularly the cDc – and explains how technology, data, and – well – the world has changed because of them. Read more at Goodreads.

The Making of a Manager: What to Do When Everyone Looks to You
Julie Zhuo
Congratulations, you’re a manager! After you pop the champagne, accept the shiny new title, and step into this thrilling next chapter of your career, the truth descends like a fog: you don’t really know what you’re doing. Read more at Goodreads.

CISM Certified Information Security Manager All-in-One Exam Guide
Yes, this is an exam guide… and yes, you should add it to your reading list. If nothing else, to have on hand as a reference. Why? It covers everything: security governance, risk management, security program development, and security incident management. Curious as to whether or not other security professionals have their CISM certification? We interviewed 12 women about their journeys in cybersecurity. Read their profiles here and the full report, Opportunity in Cybersecurity Report 2020. Read more at Goodreads.

The health benefits of reading

Whatever you choose to read these holidays, the health benefits of reading are well documented. As our Lost Hours report revealed, many CISOs aren’t taking time out from their jobs to de-stress and unwind. So make sure you schedule a little you time with a good book.
How to Spot a Delivery Impersonation Attack
By Andrew Webb
25 November 2021
Amazon, UPS, DHL, FedEx, USPS, Royal Mail – logistics delivery is a huge part of our lives. Amazon is said to ship 1.6m parcels a day and DHL delivers over 1.5 billion parcels per year. Of course, all these parcels make this sector a prime theatre for bad actors to operate in. Why? Think about the process for ordering a package. You enter card details, your email address, and other Personally Identifiable Information (PII) like your home address. And, as we all know, pretty much all of us use logistics delivery services at some point.

In fact, according to Tessian research, nearly half (47%) of people say they shopped online more in the last year than the year prior. It’s no wonder delivery impersonation attacks are among the most common types of cyberattacks targeting people today.

What’s more, delivery impersonation scammers are using increasingly complex and hard-to-spot tactics to carry out their attacks. This article will explain what a delivery impersonation attack is and provide helpful guidance on how you can help yourself and your organization avoid falling victim to this type of scam.
What is a delivery impersonation attack?   First things first: what is a delivery impersonation attack? A delivery impersonation attack is a type of phishing where the attacker impersonates a delivery company.  The scam involves sending a fraudulent SMS or email to a consumer, telling them that they have missed a delivery. The message contains a link that, when followed, leads to a website operated by the scammers. When the target visits the fraudulent website, they are duped into revealing personal information, such as their login credentials, contact details, or payment information.
How common are delivery impersonation attacks?

It's no exaggeration to say that delivery impersonation attacks are an endemic and widespread security threat. They occur year-round, but spike around the same periods each year, typically when consumers are making a lot of online orders, most notably around Black Friday.

In Q3 2020, Tessian detected a significant spike in fraudulent email activity in the run-up to Black Friday, as cybercriminals attempted to exploit the increase in online deliveries. More recent Tessian research reveals that around 20% of US consumers and 33% of UK consumers have received a delivery impersonation email or SMS so far in 2021.

This increase in delivery impersonation is part of a general surge in phishing that has occurred since the start of the pandemic. In October 2021, research from Ofcom revealed that 82% of UK adults had received a suspicious text or email in the preceding three months. The situation has gotten so bad that the UK Government announced it was relaunching its Joint Fraud Taskforce in response.
Telltale signs of a delivery impersonation attack

Now we've explained what a delivery impersonation attack is, let's consider what such an attack looks like.

As explained, a delivery impersonation message will always contain a link. The aim of the attack is to get you to click or tap the link and give up your personal information. Therefore, it's crucial that you carefully inspect any link contained in a text or email to determine whether it is malicious. Here's an example:

The phishing link contained in this delivery impersonation message points to a site that is operated by scammers, rather than by the delivery company Hermes. But how can you tell whether a URL is malicious?

Well, it's not always obvious. While some URLs are blatantly fraudulent, fraudsters have come up with ingenious ways of creating links that really look right. Here are some examples of different URL impersonation techniques.
Root domain impersonation

The "root domain" is the part of the URL that appears immediately before the "top-level domain" (more formally, the second-level label of the registrable domain). So, in "amazon.com", the root domain is "amazon", and the top-level domain is ".com". Amazon owns "amazon.com", so fraudsters can't simply set up their own phishing sites under that domain. But they can register domains that look like "amazon.com" to fool people into clicking their phishing links. One common root domain impersonation tactic is to use numbers instead of letters. Swap the "o" in "amazon" with a zero, and you have "amaz0n.com". At first glance, an undiscerning target might mistake this for Amazon's actual website.

However, root domain impersonation is increasingly uncommon, as this trick is relatively easy to spot and major brands tend to buy up similar-looking domains to prevent cybercriminals from acquiring them. A weaker spot is the email channel itself: Tessian research reveals that only 20% of top couriers have configured DMARC for their sending domains at the strictest setting (a reject policy). Without an enforcing DMARC policy, receiving mail servers will not reliably discard messages that forge the courier's genuine domain in the From address, so fraudsters can spoof the real brand rather than having to register a lookalike.
Subdomain impersonation   One highly persuasive impersonation technique is to include the impersonated company’s name in the subdomain of a URL operated by the cybercriminals. The subdomain is the part of a URL that appears before the root domain of a website. Here’s an example of a delivery impersonation attack message impersonating delivery company DPD:
The first part of this link is "dpd", and so it may appear to lead to DPD's website. However, the root domain, which identifies the website actually operated by the fraudsters, comes after "dpd". It's "track7k4". Anyone who controls a domain can create whatever subdomains they like beneath it, so a familiar brand name at the start of a host name proves nothing about who owns the site. If you receive a delivery message that looks real at first glance, take special care to check whether the root domain is as authentic-looking as the subdomain.

Top-level domain impersonation

Attackers can also impersonate the top-level domain of a URL to make it appear authentic. The top-level domain appears last in the host part of a URL; common examples include ".com" and ".net". Here's an example:
In this delivery impersonation message, the link points to a URL that might seem authentic at first glance: it begins with the Post Office's name and appears to end in the familiar UK suffix. Visiting postoffice.co.uk would take you to the Post Office website. But this URL does not lead there. Where a genuine address would follow "uk" with a forward slash (or end the host there), this one follows "uk" with a hyphen, so "uk" is merely the start of a longer label. Hyphens never separate domain levels; only dots do. That means the hyphenated label, plus the real top-level domain after it, forms the registrable domain, and that domain belongs to the fraudsters. The reliable check is to read the host name from the right: the label just before the true top-level domain identifies the owner, whatever brand names appear to its left.

Protecting employees from delivery impersonation attacks

As noted, delivery impersonation attacks mainly target consumers. But they can be a problem for businesses too, particularly in the age of "bring-your-own-device" and remote working. So how can you protect your organization from delivery impersonation attacks?

Unfortunately, there is little you can do to stop employees from receiving delivery impersonation attacks via SMS. Android and iOS have some basic filtering and notification functions, but these often fall short and allow delivery impersonation attacks to reach people's mobiles. Therefore, incorporating information about delivery impersonation attacks into your company's security training program is essential.

When it comes to preventing delivery impersonation attacks via email, there is a viable solution. Tessian Defender uses machine learning, anomaly detection, behavioral analysis, and natural language processing to detect even the most subtle signs of email impersonation and phishing. Here's how it works: Tessian's machine learning algorithms analyze your company's email data, learning each employee's usual communication patterns and mapping their trusted email relationships inside and outside of your organization. Tessian inspects both the content and metadata of inbound emails for signals suggesting email impersonation or other phishing attacks. Such signals might include suspicious payloads, geographic locations, IP addresses, email clients, or sending patterns.
Once it detects a threat, Tessian alerts employees that an email might be unsafe, explaining the threat in easy-to-understand language.   Click here to learn more about how Tessian Defender protects your team from email impersonation and other cybersecurity attacks. You can also explore our customer stories to see how they’re using Tessian Defender to protect their people on email and prevent social engineering attacks like phishing.
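The three URL tricks described above (root domain lookalikes, a brand name parked in a subdomain, and a hyphenated label that mimics a top-level domain) can all be checked mechanically once the host name is split correctly. The following is an added example, not Tessian's detection logic or any courier's published list. It assumes a toy stand-in for the Public Suffix List (production code should use the real list, for instance via the tldextract package) and a constructed table of brands and the domains they legitimately use; the host names in the comments and tests are constructed, except for the amazon.com and dpd/track7k4 cases taken from the text. It also goes one step beyond the article by flagging an exact brand label on a domain the brand does not own.

```python
"""Flag URL impersonation tricks used in delivery-themed phishing.

Added example, not Tessian's implementation. Assumptions:
- PUBLIC_SUFFIXES is a tiny stand-in for the Public Suffix List
- BRANDS is a constructed sample of couriers and their legitimate domains
"""
from urllib.parse import urlsplit

# Constructed sample table; not a verified list of courier domains.
BRANDS = {
    "amazon": {"amazon.com", "amazon.co.uk"},
    "dpd": {"dpd.co.uk", "dpd.com"},
    "postoffice": {"postoffice.co.uk"},
}

# Longest suffixes first so "co.uk" is matched before "uk".
PUBLIC_SUFFIXES = ("co.uk", "org.uk", "com", "net", "org", "uk")

# Digit-for-letter swaps seen in lookalike domains ("amaz0n").
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def hostname(url: str) -> str:
    """Lowercase host of a URL; tolerates scheme-less input and a trailing dot."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def split_host(host: str):
    """Return (subdomain_labels, registrable_domain, public_suffix) for a host."""
    for suffix in PUBLIC_SUFFIXES:
        if host.endswith("." + suffix):
            labels = host[: -len(suffix) - 1].split(".")
            return labels[:-1], labels[-1] + "." + suffix, suffix
    labels = host.split(".")  # unknown suffix: assume a single-label TLD
    if len(labels) < 2:
        return [], host, ""
    return labels[:-2], ".".join(labels[-2:]), labels[-1]


def analyze_link(url: str) -> list[str]:
    """Return every impersonation indicator that applies to the link's host."""
    host = hostname(url)
    sub_labels, registrable, suffix = split_host(host)
    # The article's "root domain": the label just before the public suffix.
    sld = registrable[: -len(suffix) - 1] if suffix else registrable

    legit = [b for b, domains in BRANDS.items() if registrable in domains]
    if legit:
        return [f"legitimate:{legit[0]}"]

    findings = []
    for brand in BRANDS:
        # Brand name anywhere in the subdomain of someone else's domain
        # ("dpd.track7k4.com"); substring match also catches "dpd-tracking".
        if any(brand in label for label in sub_labels):
            findings.append(f"subdomain-impersonation:{brand}")
        # Exact brand label on a domain the brand does not own ("amazon.xyz").
        if sld == brand:
            findings.append(f"brand-on-unlisted-domain:{brand}")
        # Lookalike label that normalises to the brand ("amaz0n" -> "amazon").
        elif sld.translate(CONFUSABLES) == brand:
            findings.append(f"root-domain-impersonation:{brand}")

    # Second-level label that begins like a public suffix followed by a hyphen,
    # so "postoffice.uk-redelivery.com" reads as a ".uk" address at a glance.
    if any(sld.startswith(s.replace(".", "-") + "-") for s in PUBLIC_SUFFIXES):
        findings.append("tld-impersonation")
    return findings


if __name__ == "__main__":
    for link in ("https://www.amazon.com/orders", "amaz0n.com",
                 "https://dpd.track7k4.com/redeliver",
                 "http://postoffice.uk-redelivery.com/pay"):
        print(link, "->", analyze_link(link))
```

Reading the host from the right, as the function does, is what makes the subdomain and hyphen tricks visible: the brand string on the left is ignored until the registrable domain has been established. The confusable table is deliberately small; a production checker would also normalise Unicode homoglyphs and punycode (xn--) labels.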