Request a Demo of Tessian Today.
Automatically stop data breaches and security threats caused by employees on email. Powered by machine learning, Tessian detects anomalies in real-time, integrating seamlessly with your email environment within minutes and starting protection in a day. Provides you with unparalleled visibility into human security risks to remediate threats and ensure compliance.

October 27 | Fwd:Thinking. The Intelligent Security Summit (Powered by Tessian). Save Your Seat →

ATO/BEC

Get up to speed on the latest tips, guides, industry news and technology developments around phishing, spear phishing, Business Email Compromise, and Account Takeover

Remote Working ATO/BEC Data Exfiltration
Cybersecurity Awareness Month 2022: 12+ Free Resources
By Andrew Webb
25 September 2022
October is Cyber Awareness Month, and this year’s theme is “See Yourself in Cyber.”   Fun fact: Cyber Awareness Month started back in 2004, the same year a former AOL software engineer stole 92 million screen names and email addresses and sold them to spammers. Sadly, that’s peanuts compared to more recent breaches. Incidents involving insider threats are at an all-time high, phishing incidents are doubling and even tripling in frequency year-on-year, and the cost of a breach is now over $4 million. This is all to say that cybersecurity is more important than ever. And at Tessian, we live by the motto that cybersecurity is a team sport. So, to help you educate and empower your employees, we’ve put together a toolkit with over a dozen resources, including:
You can download them all for free, no email address or other information required. But, that’s far from the only content we have to share… CEO’s Guide to Data Protection and Compliance By 2024, CEOs will be personally responsible for data breaches. So it’s essential they (and other execs) understand the importance of privacy, data protection and cybersecurity best practices. To help you out, we’ve published an eBook which breaks down: How different regulations have changed how businesses operate  How cybersecurity and compliance can be leveraged as a business enabler The financial and operational costs of data breaches OOO Templates OOO emails can contain everything a hacker needs to know to craft a targeted spear phishing attack… Where you are How long you’ll be gone Who to get in touch with while you’re away Your personal phone number Use these templates as a guide to make sure you don’t give too much away👇🏼
Human Layer Security Knowledge Hub Cyber Awareness Month is all about raising awareness and sharing best practices, and we know the #1 source of trusted information and advice for CISOs are…other CISOs….  That’s why we’ve created a hub filled with dozens of fireside chats and panel discussions about enterprise security, spear phishing, data loss prevention, leadership, and the human element. Sign-up for free and hear from some of the biggest names in the industry.   You Sent an Email to the Wrong Person. Now What? Did you know at least 800 emails are sent to the wrong person in organizations with 1,000 employees every year. While it’s easy to shrug something like this off as a simple mistake, the consequences can be far-reaching and long-term. Learn more, including how to prevent mistakes like this.   6 Best Cybersecurity Podcasts While we’re partial to our own podcast – RE: Human Layer Security – we’ve learned from the best in the business.  To get our fix of cybersecurity breaking news, threat intel, and inspiring interviews, we regularly tune into these podcasts: The CyberWire Daily The Many Hats Club WIRED Security Get the full breakdown here.   How to Get Buy-In For Security Solutions As a security or IT leader, researching and vetting security solutions is step one. Step two involves convincing key stakeholders like the CEO, CFO, and the board that the product needs to be implemented, that it needs to be implemented now, and that it’s worth the cost.  This is easier said than done… So, how do you communicate risk and make a compelling case to (eventually) get buy-in from executives? We talked to security leaders from some of the world’s most trusted and innovative organizations to find out what they do to get buy-in from CxOs.  Here’s a summary of their tips.    Ultimate Guide to Staying Secure While Working Remotely While most of us have been working remotely or in a hybrid environment for well over a year, we know that more than half of IT leaders believe employees have picked up bad cybersecurity behaviors since working remotely. This eBook offers plenty of helpful reminders, including: The risk involved in sending work emails “home” Why using public Wi-Fi and/or your personal device as a hotspot aren’t good ideas Best practice around using cloud storage to share documents How to physically protect your devices Top tips for businesses setting up remote-working policies What Does a Spear Phishing Email Look Like? We know you’re working hard to train employees to spot advanced impersonation attacks…but every email looks different. A hacker could be impersonating your CEO or a client. They could be asking for a wire transfer or a spreadsheet. And malware can be distributed via a link or an attachment. But it’s not all bad news. While – yes – each email is different, there are four commonalities in virtually all spear phishing emails.  Download the infographic now to help your employees spot the phish.   The Risks of Sending Data to Your Personal Email Accounts  Whether it’s done to work from home (or outside of the office), to print something, or to get a second opinion from a friend or partner, most of us have sent “work stuff” to our personal email accounts.  And, while we might think it’s harmless…it’s not. In this article, we explore the reasons why employees might send emails to personal accounts, why sending these emails can be problematic, and how security leaders can solve the problem.  Looking for more helpful content? Sign-up to our weekly newsletter, or follow us on LinkedIn and Twitter (or do all three!).
ATO/BEC Integrated Cloud Email Security
Product Update: Enhanced Security Event Filtering and Reporting
By Swati Aggarwal
22 September 2022
Our latest product update for our Advanced Email Threat Prevention module, Tessian Defender, improves the efficiency of security event filtering through new and easy-to-navigate event filters. We have also improved malicious email reporting, resulting in improvements to our detection efficacy.
New and enhanced filters for more efficient event filtering The enhanced event filtering interface will improve confidence and control for security admin using Tessian’s portal. It enables security admins to  efficiently filter and find security events, enabling security teams to respond faster.    
Some of the new and enhanced filters include:   Original filter location: Folder location of the email at the time of delivery to the end-user’s mailbox. Attachment filter: Contains attachments or not. Phishing simulation filtering: To exclude/include phishing simulations. Confidence level filtering: To filter on high/medium/low confidence interval events.  
Improved end-user reporting capability   Improvements to malicious email reporting will further improve the ability to recall malicious emails from inboxes, as well as improving detection efficacy. After a security admin reports a malicious email, future emails that share the same characteristics will automatically be quarantined in the portal – reducing cyber risk.  
Why these updates matter: Quicker response time and improved detection efficacy   In a hypothetical example of attempted Account Takeover (ATO), Tessian will flag suspicious emails as potentially malicious. After receiving an alert, security admins using the Tessian Cloud Email Security Platform, analyze all suspicious emails marked with a high degree of confidence and take appropriate action.    The new event filtering capability further speeds up this process, enabling security admins to filter all the security events by event type, confidence level, user response and quarantine status, while also allowing security admins to exclude events classified for example as phishing simulations – improving response times.     The new labeling feature incentivizes customers to report malicious emails. This, in turn, improves the detection efficacy of the platform’s algorithms with each reported email. 
Every minute counts to reducing cyber risk   Time is of the essence in triaging security events on email. Our engineering teams are working relentlessly to cut response times and give time back to security teams. These latest product updates do just that, enabling our customers to reduce the time spent on event triaging while also improving detection efficacy. To see how the Tessian Cloud Email Security platform intelligently prevents ransomware attacks, and protects against data loss, watch a product overview video or book a demo.
For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn
ATO/BEC
The Three Biggest Problems Facing Law Firm Security Leaders Right Now
By Andrew Webb
22 September 2022
Law firms handle some of the most sensitive and confidential information in any sector. Not only that, there are huge pressures on employees to ensure the right verdict for the firm’s clients. Add to this the large sums of money at stake in any court case and you can see why they represent nice juicy targets for bad actors/ . We spent the summer talking to law firm security leaders and technologists at various conferences. Here’s the problems they detailed and how they mitigate them.    Free as in domains   Law firms are public facing, customers can and do come in all shapes and sizes. Consequently many individual clients will use freemail email addresses. Increasingly many small businesses are also turning to services like Gmail for their email needs. Consequently, blanket banning freemail domains doesn’t work, and having to maintain and update a whitelist of individuals is a drag. What’s more, by banning freemail domains, you could potentially be costing the business money in the form of lost clients. This is where Tessian comes in. It looks beyond the domain to deeper within the content – and context –  of an email to understand the sender’s intent.
Partners going rogue Partners run the firm – it’s literally their names on the wall in reception – consequently they tend to act in a manner that they see fit, emailing case notes to their personal addresses to read later on that commute or vacation. You can’t stop them doing that – they’re the bosses, but with Tessian, you can track high profile users to understand what is being sent where and by who.   It’s not just the partners that can present problems. Lawyers are incredibly busy people juggling lots of information via email and trying to build a case around it. Statistically, that means that someone’s gonna hit the reply all rather than the reply button. Tessian’s in the moment notifications catch these human errors and alert the user to any potential dangers. It happens more times than you think.   The result depending on your jurisdiction could be serious compliance violation fines. Indeed, nearly half (48%) of the top 150 law firms in the UK have reported data breaches since the GDPR came into force in May 2018. And, of those breaches, 41% were a result of emailing the wrong person.
Forwarding exhibit A   Many law firms didn’t adopt email until the 1990s. In 1996 the UK’s leading legal technology expert, Richard Susskind, was almost banned from speaking and labelled ‘dangerous’ for predicting that lawyers would use email as their main communication method in the future, and was accused of “…bringing the profession into disrepute!” That was over 30 years ago, but technology is now everywhere. Indeed some of the biggest vendors at ILTACon were offering smart screens and projects that can access digital content from emails and shared company drives. As more case notes and legal content goes digital, the potential for email as a means of mis-distributing and mis-sharing this information grows exponentially.
Of course these three issues sit on top of all the regular ones security leaders in any sector face – rising threats, more advanced attacks and the cost of a breach rising exponentially. Tessian is trusted by over 15o of the world’s leading law firms. They rely on Tessian to protect their organizations from advanced email threats, data exfiltration and accidental data loss. Get in touch today and see how we can help your firm.
Data Science ATO/BEC Integrated Cloud Email Security
Product Update: Improvement to Algorithms Sees 15% Increase in Detection of Advanced Email Threats
By Jhamat Mahbubani
13 September 2022
Innovations in machine learning have fundamentally changed the email security landscape.    And in order to stay ahead, and to ensure that we are protecting our customers from new and advanced email threats, we need to continually improve our machine learning algorithms. Most recently, Tessian’s data science team updated our platform’s Behavioral Intelligence Modeling algorithms to detect advanced social engineering threats.   The result? A 15% increase in the detection of advanced email threats including impersonation spear phishing and account takeover (ATO) attacks.
The growing threat of advanced social engineering attacks  Social engineering attacks like impersonation and ATO attacks are a growing threat, with ATO attacks witnessing +300% growth over the last three years.    Impersonation and ATO attacks are a notoriously difficult type of advanced email threat to detect and prevent. This is because the threat actors either impersonate a trusted party or, in the case of ATO, the emails originate from a legitimate source, either within the organization from an already compromised account, or from a compromised vendor in the supply chain.    Traditional, rule-based email security solutions, like Secure Email Gateways (SEGs), which enterprises have been reliant on for decades, offer little protection against these types of attack. Why? Because legacy solutions like SEGs and built-in security from cloud providers are unable to detect adaptive and unknown threats with no prior indicators of compromise reported.    This makes the case for why security and risk management teams must move away from a rule-based approach to one that analyzes behavior instead.    This behavioral approach should leverage machine learning, Natural Language Processing (NLP), Behavioral Intelligence and Global Threat Feeds to automatically determine whether an email sent to an end-user at a particular time is an advanced threat.
A machine intelligent approach to email security Encouragingly, an increasing number of security leaders are realizing the need to adopt machine intelligent solutions to tackle the persistent threat of advanced email attacks. In fact, over half of cybersecurity leaders (58%) surveyed in a 2022 Forrester Consulting report said that they are actively looking to displace SEGs for the next generation of email security solutions. These solutions, like Tessian, leverage machine learning to help organizations mitigate risk on email.    The importance of machine learning powered cybersecurity solutions was similarly recognized by IBM’s Cost of Data Breach Report for 2022. IBM reported that the average cost of a data breach was $3.05 million less in organizations that deployed security artificial intelligence (AI) versus those that had not. What’s more, 66% of security leaders from across the world believe that AI and Machine Learning enables faster threat detection on email and 56% say it makes threat detection more accurate.    Continual improvements to our algorithms are important to ensuring we quickly and accurately detect new and unknown threats on email – keeping our customers and their data safe and secure.    Learn more by speaking to our experts and seeing our machine learning algorithms in action. 
ATO/BEC
When a Breach is More Than Just a Breach
By KC O'Carroll
12 September 2022
Sometimes, what looks like a harmless third party breach notification can lead on to other, more targeted attacks, in this article, Tessian’s Head of Security Engineering & Operations explains how.    There is a deluge of breach notifications for defenders to track, monitor, and respond to. When triaging a breach notification for a third party service, the first instinct is to review the exfiltrated data and evaluate for impact to users.    When that data comes back as non-sensitive, defenders will oftentimes stop analysis there and breathe a sigh of relief. Unfortunately, as some recent breaches make clear, evaluating risk and impact isn’t that simple.
Two confirmed identity points   Take Twitter’s July breach as an example. In the notification, Twitter confirmed the exposure of 5.4 million emails as well as associated phone numbers that had been used as 2 factor authentication (the problem with using phones for 2FA is a topic for another time). No passwords were exposed, so it’s simply a minor irritation for the impacted users, right?   Well, not always. Things get more complicated when we consider what an attacker might be able to pivot to with two confirmed identity traces like email and mobile number.   Smishing attacks   At the low end of the sophistication scale, the phone numbers (which remember have been confirmed as active to the attacker by virtue of use as an auth factor) can be targeted for waves of SMS based phishing attacks. Anecdotally, Tessian has received reports of an increase in these attacks for users who had a number tied to their Twitter accounts.
Moving up in complexity, a SIM swap attack paired with a compromised password can yield access to other accounts using the same email. Credential pair reuse across multiple sites can make a single breach keep yielding dividends to the attacker for months.   Secondary attack vectors   These are well known post breach secondary attack vectors that have had a lot of visibility over the years. Less well known is the gray market for end user data used to enable scams and sales of questionable products and services, popularly known as crapware.    Quite a few people have heard of tech support scams, where an overseas scammer will call an elderly person and pretend to have valuable security services to offer. Less well known is how these scammers get access to phone numbers in the first place.
As we can see here, third party data brokers offer resales of “warm leads” for tech support scams targeting English speaking countries for call centers around the world. It’s easy enough to buy or otherwise acquire breach data for this purpose; though it’s important to note that data brokers don’t always stop with legal means of targeting users.
This particular data broker kindly offers pop-up campaigns, better known as fake blue screens in the browser that force the user to call an 800 number to unlock. So while buying gray market data can be lucrative for brokers, they certainly aren’t limited to it.   How to protect against attacks   So how do we protect against the impact of a secondary attack vector like this? First, end users should be encouraged and enabled to use software authenticators or hard tokens. SMS based attacks are widespread and tough to mitigate.    Secondly, security tooling that identifies a departure from normal email traffic can be more effective than relying on end user reporting. Tessian’s implementation of our product alerts us to unusual trends in email traffic that we in turn use for campaign tracking and prioritizing SecOps team resources. An eye on what’s normal and what isn’t serves as our first line against malicious activity. Stay vigilant and stay secure.   To see how Tessian prevents ATO attacks, and protects against DLP, watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn
ATO/BEC
52% of U.S. Healthcare Insurance Providers At Risk of Email Impersonation During Open Enrollment
By John Filitz
05 September 2022
Over half of the top 25 U.S. healthcare insurance providers are at risk of having their domain spoofed by threat actors looking to target individuals via advanced phishing and email impersonation attacks as open enrollment begins on 1 November 2022.    In our analysis, we found that 52% of the top healthcare insurance providers in the U.S. do not have DMARC – Domain-based Message Authentication, Reporting & Conformance – policies set up to the strictest settings or don’t have it set up at all to prevent abuse of the domain on email.    Why is DMARC important in preventing impersonation on email?    Nearly all cyberattacks in enterprises start with a successful spear phishing attack. This often involves a threat actor directly impersonating an email domain of a recognizable, trusted or well-known organization. 
There are a number of policies and protocols that prevent direct impersonation of an organization’s domain on email. In its simplest form, SPF and DKIM are email authentication records that allow email clients to validate the domain name of an inbound email. DMARC enables organizations to specify how to respond to emails that fail these SPF or DKIM checks – generally reject, quarantine, or take no action.   In the absence of authentication records, bad actors could easily create legitimate-looking emails with the domain extension, while the recipient of the malicious emails wouldn’t be able to validate the sender’s authenticity.    In the case of the insurance providers that do not have DMARC records in place – or do not have the DMARC policies set up to ‘reject’ – there is a very real opportunity for threat actors to impersonate the provider’s domain in spear phishing campaigns, convincing their targets they are opening a legitimate email from their healthcare insurance provider.    What risk does this pose to individuals?    Open enrollment – the yearly period in which people in the U.S. can enroll in a health insurance plan for the next calendar year – begins on 1 November 2022.    As open enrollment becomes available for employees and people seeking healthcare options, threat actors will likely take advantage of this time to target unsuspecting people – using the timely hook as a lure in their scams. We’ve noted in previous blogs how cybercriminals take advantage of timely or trending moments to make their phishing attacks more convincing.    By impersonating a trusted insurance provider, cybercriminals could trick people into sharing personally identifiable information including social security numbers, financial information, or even confidential medical details which – if gotten into the wrong hands – could be used to perpetrate identity fraud. 
Advisory to healthcare insurance companies and the public   As open enrollment begins,  healthcare insurance providers must ensure they are taking every measure to protect their domain from misuse over email.    Conversely, it’s important that employees signing up to new benefits – as well as HR personnel – are made aware of the potential scams that could land in their inbox during this period. Advise people that if they do receive an email from their provider, asking for urgent action or financial information, they must take the time to check it and question the legitimacy of any requests. If they’re ever unsure, they should always contact the insurance company directly to verify or only read correspondence in the insurance provider’s portal.    An more intelligent approach to email impersonation attacks   While DMARC is certainly a necessary first step to prevent domain impersonation over email, it’s not without its shortcomings and cybercriminals can find ways around it.    For example, DMARC won’t stop lookalike domains, and there’s nothing stopping threat actors from registering look-a-like domains, betting on the fact that victims may not notice the slight change. Furthermore, DMARC records are inherently public, and an attacker can use this information to select which domains they can directly impersonate, their targets and their attack methods, simply by identifying providers that do not have DMARC policies configured to the strictest settings.    In addition to ensuring DMARC records are set to the strictest standards, security teams at healthcare insurance providers should also question whether they are equipped to safeguard against email scams. They should consider whether a more intelligent approach to email security is needed to stop staff and customers falling victim to advanced email impersonation attacks.    To see how the Tessian Cloud Email Security platform intelligently prevents advanced email threats and impersonation attacks, watch a product overview video or book a demo with us today.
ATO/BEC Email DLP
Key Takeaways from IBM’s 2022 Cost of a Data Breach Report
By John Filitz
10 August 2022
The cost of a data breach is up 13% from 2020 totalling $4.35 million, according to IBM’s Cost of a Data Breach Report for 2022. IBM’s annual report also revealed that compromised credentials, phishing and cloud misconfiguration are the top three attack vectors. Phishing related breaches is the costliest form of attack, costing businesses $4.91 million in damages per breach.    IBM recommends investing in security tools that leverage artificial intelligence (AI) and machine learning. These next generation security tools represent the biggest breach cost mitigation measure organizations can take, reducing the overall cost of a breach by an average of $3.05 million.    Keep reading for key findings from the report.   Key findings   The cost of a breach continues to creep up year-over-year. The cost of a breach has increased to $4.35m in 2022 –  representing a nearly 13% increase from 2020. Top 3 attack vectors were identified as: compromised credentials (19%), phishing (16%) and cloud misconfiguration (15%). Phishing is the costliest form of a breach. Although compromised credentials is the leading cause of a breach, phishing is the costliest with the fallout averaging $4.91m per breach.  Business Email Compromise (BEC) is expensive. BEC attacks are the second costliest, totalling on average $4.89m per breach.  
Healthcare remains the most adversely impacted vertical. Costs of healthcare breaches have reached a record high of $10.1m. According to HIPAA, there were over 680,000 healthcare breaches in 2021, resulting in close to 45 million healthcare records being compromised. Million dollar savings. Investing in security AI and machine learning tools is the greatest breach cost mitigation organizations can take, reducing the overall cost of a breach by an average of $3.05m compared to organizations that do not have these tools in place.   The increasing frequency and costs associated with breaches is adding to inflationary pressure for goods and services. Companies that have suffered a breach are typically raising their prices for goods and services. Breaches are still taking an inordinate amount of time to contain. On average breaches are resolved within 277 days from discovery. Paying ransoms does not lead to significant cost savings for victims of a breach. Those that chose to pay ransoms saw on average $610, 000 less in breach costs than those that chose not to pay. Critical infrastructure remains vulnerable and lags in zero trust adoption. 80% of critical infrastructure organizations have not adopted zero trust strategies. The result is +$1m more costly breaches, totalling an average of $5.4m per breach. 
The importance of cloud adoption maturity and cloud security   Hybrid cloud represents a hedge against cyber risk. The study found hybrid cloud adopters discovered breaches 15 days sooner than companies that relied solely on a single public or private cloud operating model. Hybrid cloud reduces breach cost. Companies that rely on a  hybrid cloud operating model also experienced the lowest costs associated with a breach. On average breach costs for hybrid cloud adopters were $3.8 million. Cloud security adoption is lagging breaches. Almost half (45%) of all breaches originated in cloud environments, with 43% of organizations stating that they are only in the early stages of implementing security across their cloud environments.  A lack of cloud security adoption increases time to resolve a breach. On average organizations that failed to adopt adequate or any cloud security for their cloud environments required +108 days to resolve a breach.
Phishing and Business Email Compromise (BEC) are the costliest attack vectors   BEC and credential compromise breaches are insidious and difficult to discover. Email breaches have the second highest mean time to discovery at 308 days (+16% on the overall mean time), with compromised credentials topping the list with a mean time for discovery 327 days (+19%). Phishing is a lucrative scam. Phishing is the second leading attack vector for breaches (16%), and is also the costliest at $4.91m. BEC attacks come a close second, costing businesses $4.89m. 
Recommendations   Some of the key IBM recommendations include:   Adopt a zero trust security strategy and security model. Zero trust is particularly well-suited to hybrid cloud environments and hybrid and remote work operating models, protecting data by limiting accessibility and requiring context to grant access. Adopt security tools that can share and centralize data between disparate systems. Implement security tools that can centralize data security operations across multiple environments to enable security teams to detect incidents across complex hybrid multi-cloud environments. Invest in cloud native security automation tools. This includes security orchestration, automation and response (SOAR), security information and event management (SIEM), managed detection and response (MDR) tools and XDR to accelerate incident response through automation. Use best-of-breed security tools that help protect and monitor endpoints and remote employees. Remote work related breaches cost an average of $1 million more than non-remote work breaches. Leveraging endpoint and end-user focussed security solutions including endpoint protection platforms (EPP), identity and access management (IAM) and email security solutions are essential. Create and test incident response plans and playbooks. This includes creating incident response teams that are well rehearsed on testing the IR plan. Additional measures include red teaming and finding solutions that manage attack surface risk.  
To see how Tessian prevents ransomware attacks, and protects against DLP, watch a product overview video or book a demo.   For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn.
ATO/BEC Integrated Cloud Email Security
How to Prepare for Increasing Cyber Risk
By John Filitz
13 July 2022
Each year it seems we are met with new complex challenges and risks that few could have predicted. In turbulent times, it is prudent to take stock of what business and security leaders can control. Allocating dedicated resources to more effectively manage both known and unknown risk is fast becoming essential to shore-up organizational resiliency.   Turning the focus to the sector that is germane to what we do at Tessian, effectively managing cybersecurity risk is now more critical than ever. In fact, cybersecurity risk is now considered the number 1 risk faced by businesses according to Allianz’s 2022 Global Risk Barometer, followed by business interruption (2) and natural disasters (3).   Read on to learn more about some of the key cyber risks organizations are faced with today, and how best to mitigate it.
Cybersecurity risk is increasing The costs associated with breaches are increasing each year. The global cost and impact of cybercrime damages is expected to reach $10.5 trillion in damages by 2025 – representing a 350%+ increase from 2015.    A sign of the worsening cyber risk can be seen in the cybersecurity insurance industry. Given the high number of recent claims, up by 500% in 2021, has resulted in cyber insurance premiums seeing significant escalations – essentially doubling over the past year. And as a result of recent developments in Ukraine, leading insurers are now excluding suspected nation-state cyber attacks from coverage provisions.  
Persistent and increasing email security risk   Due to its open nature, email remains the preferred method for delivering a malicious payload, including ransomware – responsible for up to 95% of breaches. Email also attracts the greatest investment in the attacker value chain and is the riskiest channel for data loss.    Until recently, detecting and preventing email threats relied on static, rule-based solutions like Secure Email Gateways (SEGs). These solutions are only able to detect known threats because they rely on a threat detection engine of already documented threat campaigns. But threats have become more advanced and are proliferating at an alarming rate, with the net result these threats are going undetected by SEGs and are reaching victims’ mailboxes.   According to Verizon’s DBIR 2022, email-delivered social engineering attacks are growing in complexity, with phishing responsible for 60% of these attacks. In addition, the FBI reported that $43 billion has been lost globally due to Business Email Compromises (BEC) in the past 5 years, with a 65% increase in BEC fraud related losses reported globally in the period 2019 to 2021.  
The growing ransomware challenge   Advanced cyber threats like ransomware are also trending in the wrong direction. Ransomware related damages exceeded $20 billion for 2021 – representing a 57x fold increase from 2015. By 2031 ransomware damages are expected to reach $265 billion. Responsible for 75% of cybersecurity insurance claims, Ransomware-as-a-Service offerings are mainstreaming the ability to carry out devastating ransomware attacks.    Russia-based Conti ransomware gang aka Wizard Spider has been linked to 50 incidents in April 2022 alone, including attacks on the Costa Rican and Peruvian governments. Currently there is a $15million bounty on Conti from the US government – indicative of the scale of the problem. The FBI estimates that over 1,000 Conti ransomware victims have paid in excess of $150 million in ransom in the past year.    Also concerning is the increasing proliferation of wiper-malware seen in 2022 in cyber attacks against the Ukraine in 2022. Disguised as ransomware, wiper-malware essentially wipes all data from infected hosts. In response to the growing ransomware threat, CISA announced the formation of a ransomware taskforce at the end of May 2022.   
Software supply chain vulnerability   Software supply chain cyber risk is another leading concern for CIOs and CISOs. The acceleration of digital transformation and cloud adoption, and increased speed of deployment through DevOps processes, have resulted in dramatically expanding the attack surface area with vulnerable code and applications exposed online.    Software supply chain attacks remain a vulnerable element given the high impact and high reward for the attackers as has been demonstrated in the SolarWinds and Kaseya attacks. 
Final thoughts for staying safe in a volatile cybersecurity environment   Prioritizing cybersecurity program development is now a core aspect of effective organizational risk management. There however remains a collective need in the vendor and the broader business community to elevate and educate executives particularly at the board level, on the importance of proactive cybersecurity risk management.    Assume you will suffer a breach. From this risk-aware position think about the proactive steps you can take to improve your cyber resilience. The escalating email, ransomware, wiper malware and supply chain vulnerability risks underscore the imperative for investing in intelligent and agile cybersecurity defenses.   Continuously seek out innovative solutions that keep your environment safe, while at the same time ensure high degrees of employee engagement on the importance of security awareness.  
To see how the Tessian Intelligent Cloud Email Security platform  prevents ransomware attacks, and protects against DLP, watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn
ATO/BEC Email DLP Integrated Cloud Email Security
What is an Integrated Cloud Email Security (ICES) Solution?
07 July 2022
In recent years, the shift away from on-prem email platforms to cloud-based platforms has been dramatic, with Gartner estimating that 70% of organizations now use cloud productivity suites like Microsoft 365 and Google Workspace. But as email migrates from legacy on-prem approaches to the cloud, securing these cloud based services becomes the next big challenge. Enter Integrated Cloud Email Security.
What is an Integrated Cloud Email Security (ICES) Solution? The term ‘Integrated Cloud Email Security (ICES)’ was coined in the Gartner 2021 Market Guide for Email Security. ICES solutions were introduced as a new category, and positioned as the best defense against advanced phishing threats that evade traditional email security controls.     ICES solutions are cloud-based, and use APIs to detect anomalies in emails with advanced techniques such as natural language understanding (NLU), natural language processing (NLP) and image recognition. Using API access to the cloud email provider, these solutions have much faster deployment and time to value, analyzing email content without the need to change the Mail Exchange (MX) record.   Taking it one step further, ICES solutions can also provide in-the-moment prompts that can help reinforce security awareness training (SAT), and are able to detect compromised internal accounts. In the report, Gartner reflected on the future of ICES solutions, suggesting that they would eventually render SEGs redundant:   “Initially, these solutions are deployed as a supplement to existing gateway solutions, but increasingly the combination of the cloud email providers’ native capabilities and an ICES is replacing the traditional SEG.”
Gartner predicts that by 2023, at least 40% of all organizations will use built-in protection capabilities from cloud email providers rather than a secure email gateway (SEG)… But why?   In short, legacy SEGs are no match for the cyber threats of tomorrow. Email is responsible for 96% of cybersecurity breaches, making it the greatest threat vector. In fact, in the 12 months between July 2020 and July 2021, Tessian detected 2 million malicious emails that had bypassed SEGs. So why are traditional SEGs not fit for today’s cybersecurity landscape?
Rule-based approaches don’t cut it SEGs were developed in 2004 with on-premise email servers in mind and use a rule-based approach to threat detection. They use deny lists, allow lists and signatures for message authentication to help stop attacks – with these lists created using threat intelligence. They are reactive by design, and protect email data against threats that are already known. This means that SEGs offer no protection against zero-day attacks (a significant and growing threat vector), and are easily evaded by attackers using advanced social engineering campaigns. SEGs also fail to detect business email compromise (BEC), account takeover (ATO) and advanced spear phishing attacks.
The migration to the cloud   More and more, organizations are adopting SaaS offerings like Microsoft 365 – which have SEG capabilities natively included. This shift was well underway before the pandemic, but has since been accelerated with data suggesting that ICES solutions are here to stay and will displace SEGs from the cybersecurity stack.. The rise of offerings like Microsoft 365 and Google Workspace and the move away from SEGs comes as no surprise, with enhanced functionality at the platform level that can include:   Blocking emails from known bad senders Scanning attachments with AV Blocking emails with known bad URLs Content analysis to identify SPAM   Given these native SEG-like capabilities in cloud productivity suites, makes ICES solutions the perfect supplement to ensuring comprehensive email protection. ICES solutions are so effective because they  provide protection against many of the threats SEGs fail to detect – when used in combination with SaaS offerings like Microsoft 365.
What are the benefits of ICES solutions?   ICES solutions offer more than just threat detection. Key features of ICES solutions  can include:   BEC and ATO Attack detection using NLU, NLP, social graph analysis and image recognition Context-aware banners to warn users Phish Reporting Mail Security Orchestration, Automation and Response (MSOAR) capabilities to assist in automatic reclassification of emails and removal from inboxes
How to evaluate ICES vendors   The number of  ICES solutions available on the market is continually growing. There are a few key things you should consider when evaluating which ICES solution to use. Taking a look at your current email security framework and comparing it to your end goal, the following elements should be analyzed:   Time-to-value, return-on-investment time horizon Cost of effort to install and manage False positive rate ML- and AI-based technology to detect advanced social engineering attacks including BEC and ATO attacks Ability to analyze and map conversation history Computer vision to analyze suspicious data and links in emails User education controls to reinforce training, including context-aware banners and/or in-line prompts Ability to analyze emails prior to delivery to the end user API integration  of email events into Extended Detection and Response (XDR) or Security Information and Event Management/Security Orchestration, Automation and Response (SIEM/SOAR) solutions   Still struggling to decide? Have a look at the 2021 Gartner Market Guide to Email Security, which contains further information on ICES vendors, including Tessian.
Why choose Tessian?   Tessian was recognized as a Representative Vendor for Integrated Cloud Email Security (ICES) in the recently released 2021 Gartner Market Guide for Email Security.     What sets Tessian apart from other ICES solutions is its advanced email security and email data loss prevention (DLP) capability, including:   Advanced Spear Phishing Protection Advanced Attachment and URL Protection   Internal Impersonation & CEO Fraud Advanced Spoof Detection Counterparty & Vendor Impersonation  Brand Impersonation External Account Takeover  Invoice Fraud Bulk Remediation Automated Quarantine  Threat Intelligence   Tessian also offers protection against both malicious and accidental data loss, in-the-moment security awareness training for suspected phishing emails and in-the-moment security awareness notifications. 
To summarize, there are four key Tessian differentiators:   Threat prevention: Tessian protects against both known and unknown email attacks, including business email compromise, account takeover, spear-phishing, and all impersonation attacks that bypass SEGs, M365, and G Suite. Protection also includes class leading email DLP. Education and awareness: With Tessian’s in-the-moment training, organizations can educate and empower users to build continuous email security awareness  Reduced admin overhead: Tessian removes the burden on SOC and admins by automating repetitive tasks such as maintaining triage and review. This eliminates the need for human verification of email threats, reducing FTE requirements. Data-rich dashboards: With Tessian, security teams have clear visibility and the ability to demonstrate clear ROI     To find out more about Tessian as an ICES solution, and the key findings listed in the 2021 Gartner® Market Guide for Email Security, click here. 
ATO/BEC
How Bad Actors Are Using the Cost of Living Crisis to Launch Attacks
By Andrew Webb
27 June 2022
Most people – we hope – can smell a rat when supposedly African Royalty offers us several thousand dollars as a ‘gift’ to help them get money out of the country, but what about when a well known brand you love offers you free samples or invites you to enter a competition?    The recent Heineken Father’s Day beer contest on WhatsApp is just the latest in a long line of seasonal or topical attacks that are run almost like marketing campaigns. Like all phishing attempts there are a few common themes. One is a sense of urgency, in this case the fact that there are only a certain number of freebies available. There’s also nudging text like ‘don’t miss out’ ‘exclusive’ and ‘enter now’.
The Threat Actor’s Editorial Calendar   But what’s also interesting is that this attack came on Father’s Day, when a brand like Heineken might legitimately launch such a campaign and when people are thinking about last minute gifts for Dad – it feels legit because it plugs into where your employees’ heads are at. Heineken wasn’t the only ‘Dad brand’ that suffered a scam, UK hardware stores ScrewFix and B&Q also had exclusive Father’s Day competition prizes that were actually scams.    That topicality and seasonality is played out throughout the year, on national awareness days, public holidays and yearly events like tax deadlines and Black Friday. As one attendee at our October Human Layer Security Summit told us “in the Fall, someone is always going to click on FREE STARBUCKS PUMPKIN SPICED LATTE”. We’ve seen this in the world of entertainment too. In November 2021, fans were promised early access to the new season of Squid Games, only after filling in a short ‘survey document’.
Cost of Living Scams   Having targeted tech and finance brands for years, as well as logistics and delivery brands during the pandemic, it seems scammers are teeing up a summer of cyberattacks on consumer brands and retailers. The cost of living crisis, rising inflation and surge in food and energy costs now makes grocery stores, food companies and energy companies prime targets for scams. In June, we saw a scam featuring UK supermarket Tesco, with the promise of a £500 gift card.    In May the UK energy regulator, Ofgem, alerted consumers to a new energy rebate scam as energy prices soared. Meanwhile in the US fuel company Shell highlighted a gas card phishing scam involving their Fuel Rewards program. And with some US employers offering to pay towards employees’ gas costs, you can see why things are getting confusing. The brand and sector may change but the scam is always the same; the promise of something for free coupled with a sense of urgenc
Education and awareness These new threat vectors join the long queue of existing ones that your staff and organization are already vulnerable to. As we saw with Covid bad actors thrive in times of confusion and uncertainty. And after global pandemics, global economic turbulence and spiraling cost of living is the next theater on which bad actors like to strut their stuff. So what to do?      As Bobby Ford said at our Human Layer Security summit, the way you ‘crack the nut’ is putting a little piece of cybersecurity awareness in all your other programs, projects and meetings happening across your organization. That can be a quick update at the all-hands or creating material, updates and awareness within your team that you don’t just push out, but people actively come and seek out.    Work with your allies. Who else in the company can you form an alliance with? Perhaps you can bring in your internal comms or PR team’s experience? Getting the people team involved to make cybersecurity part of the onboarding process helps new joiners orient themselves before they touch your network.    Finally, the C-suite is critical to supporting any initiative you design, which matters because as Mike Privitte notes in this Linkedin post, “Phishing doesn’t have “work life balance.” Company executives and their families will only see increased attempts outside of the 9-5 space”.
ATO/BEC
Tessian Threat Intel Advisory: PayPal Email Invoice Fraud Detected
By Charles Brook
20 June 2022
Summary Tessian Threat Intel is issuing a threat advisory on cyber threat actors requesting payment from unsuspecting victims using fraudulent invoices issued via PayPal. We have alerted PayPal.   Overview Tessian Threat Intel analysts have observed scammers, on numerous occasions, sending emails with fake invoice payment requests. Historically many of these sorts of attempts would be detected by traditional spam filters and end up in the junk folder or in quarantine. This is due to the email senders being repeat offenders with the same template and text – easily detected as spam or malicious by rule based email security solutions.    Since early March 2022, Tessian identified ways in which threat actors have been adapting their techniques to reach victim’s inboxes by abusing the legitimate capability of sending invoices to 3rd parties using PayPal’s email-delivered invoicing services.    To be clear, this is not a vulnerability within PayPal. Nor is it an example of an account takeover (ATO).  Rather, threat actors are creating invoices in PayPal and then issuing them to victims through PayPal’s service.     Technically, an email  from PayPal would pass some of the most fundamental checks in email security like SPF, DMARC and DKIM. This would ensure with a high degree of probability that similar emails would avoid detection by rule based email security solutions, as well as giving an air of legitimacy to the email.    An email sent from a financial services provider like PayPal, would increase the probability of  the victim seeing and interacting with the email, including acquiescing to its demands for payment. 
Examples of fraudulent PayPal invoices   The screenshot below is a legitimate email from PayPal containing a fraudulent invoice. In this example, the attacker has created a paypal account with the profile name “bit-coins payments,” which is displayed as the sender display name.    The threat actor has then created an invoice using the invoicing service available in PayPal (see Fig 2), and has then sent it with a message added by the attacker for the recipient. Grammatical style errors can also be observed, similar to what we have seen in common   phishing emails.
The below screenshot shows the PayPal invoicing service.
In the example below, we can see the actual link addresses which would redirect the recipient to the PayPal generated invoice if clicked.
Technical breakdown of the message headers As you can see below, both SPF and SKIM are a pass, and the sender IP ties back to PayPal directly. This sort of email has a high probability of passing rule based email security solutions and being delivered into a victim’s inbox.   Authentication-Results: spf=pass (sender IP is 173.0.84.227)  smtp.mailfrom=paypal.com; dkim=pass (signature was verified)  header.d=paypal.com;dmarc=pass action=none  header.from=paypal.com;compauth=pass reason=100 Received-SPF: Pass (protection.outlook.com: domain of paypal.com designates  173.0.84.227 as permitted sender) receiver=protection.outlook.com;  client-ip=173.0.84.227; helo=mx2.slc.paypal.com;
Threat Mitigation Steps   Once PayPal was informed, Tessian found that the invoice was taken offline and no longer accessible. Thank you PayPal for your quick engagement.   In order to not fall victim to similar types of email-delivered invoice fraud we recommend:   Be careful of unsolicited emails, especially those containing requests for payment or including links to invoices. Always verifying the authenticity of an invoice with the actual purchase order.  If necessary, contact PayPal or any vendor requesting payment via independent method i.e. telephone to verify the authenticity of the request. Have a failsafe system in place in your accounting department that requires two members of staff to verify the authenticity of invoices matched against purchase orders. Adopt intelligent cloud email security solutions like Tessian that use behavioral intelligence to detect and prevent advanced email attacks, including increasingly sophisticated email-delivered invoice and wire fraud.
To see how the Tessian Intelligent Cloud Email Security platform  prevents ransomware attacks, and protects against DLP, watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn
ATO/BEC Compliance
Building a Recession Proof Cybersecurity Program
By John Filitz
09 June 2022
The subject of prioritizing cybersecurity spending often arises in periods of economic uncertainty. As most security professionals will admit, the challenge of security budget justification is challenging in many organizations, regardless of the economic cycle. But in a recession, the challenge of cybersecurity budget allocation and spending can be compounded because, too often, cybersecurity is viewed as an auxiliary and non-critical IT program.   This blog sets out some core tenets essential for building a recession proof cybersecurity program. Spoiler: Building a resilient cybersecurity program starts with a mind shift
Cultivating a positive organizational cybersecurity culture   Many security leaders struggle to make the case for cybersecurity spending allocation, regardless of the economic environment. This is due to an out of touch mindset, with certain leaders failing to understand the importance of cybersecurity to their company’s overall business operations and objectives.     This poorly informed view was evidenced in a recent survey conducted by Tessian, with only 58% of employees thinking that senior executives at their company value cybersecurity. This explains why 1 in 3 employees don’t understand the value of cybersecurity, and why 30% of employees believe they play no role in cybersecurity threat prevention.   The mixed attitude towards cybersecurity could also explain why security leaders often find it challenging to justify cybersecurity program spend, which can become even more challenging in an economic downturn. The tide is slowly starting to turn, due in a large part to increasing cybersecurity risk and the catastrophic fallout associated with breaches, which can result in business failure.    Beyond an organization’s self-interest to keep their information systems and data secure, investors are starting to exert pressure on their portfolio companies to maintain an industry baseline of cybersecurity protection. Evidence of this shift in attitudes is reflected in the fact that environmental, social and governance (ESG) reporting now includes an assessment of an organization’s cybersecurity program and defenses.   It needn’t break the bank. Developing a positive cybersecurity culture in an organization is something that can be achieved on a relatively low cost basis. The key elements to achieve this include clear communication from the executive leadership on the importance of maintaining good cybersecurity hygiene. Creating a positive employee experience in relation to cybersecurity is essential. This entails developing engaging and context-based security awareness training programs that drive cybersecurity awareness – empowering employees to become part of the cyber defense.   
Using open source resources and frameworks to build cybersecurity resilience   While there is no singular approach to building out a cybersecurity program, there are a trove of freely available resources and best practice guides to assist with building information governance systems and cybersecurity programs. View cybersecurity program development as a work in progress. Many unique factors and characterics will come into play in shaping your cybersecurity program development.   By establishing a dedicated team to tackle enterprise security architecture and using well established enterprise architecture frameworks such as COBIT and TOGAF,  in conjunction with cybersecurity frameworks such as NIST Cybersecurity Framework, ISO 27001/02 and the CIS Critical Controls, organizations can start putting the building blocks in place for developing well-integrated and robust information governance systems.    Enterprise architecture frameworks such as COBIT are useful to build an information governance system that proactively identifies areas of risk or IT capabilities that need improvement to ensure that business objectives are achieved.
Ensuring compliance with industry and geo-specific regulations   Cyber risk is increasing year-over-year. In the latest FBI IC3 report, Business Email Compromise (BEC) fraud related losses increased by 65% globally in the period 2019 to December 2021. In the latest Verizon DBIR, ransomware attacks increased by 13% year-over-year, representing the largest increase in over 5 years.   Prioritize your cybersecurity technology budget from the assumption that there is a very strong likelihood that you will at some point suffer a breach. On this basis, focus on the fundamental threat vectors relative to your accepted risk threshold.    In US states such as California and many jurisdictions around the world, regulatory authorities are establishing minimum levels of cybersecurity preparedness that need to be met to ensure compliance.    The California Attorney General under the California Consumer Privacy Act (CCPA), has for instance established the requirement that businesses over a certain revenue threshold have to have a reasonable level of security in place. Reasonable security according to the CCPA is defined as having the CIS Controls implemented.   In the EU’s General Data Protection Regulation (GDPR), key stipulations include having data privacy and data security safeguards in place to ensure the confidentiality, integrity and availability of information processing systems and services. Other security controls include having the ability to restore availability and access to personal data, as well as having a process in place to regularly test, assess and evaluate the effectiveness of technical and organizational measures that ensure the security of data.  
Going beyond the minimum   Threat actors are continuously advancing their abilities. This is why cybersecurity and business leaders cannot afford to rest. Continuously testing your cybersecurity defenses through regular audits and penetration testing will help you identify areas for improvement. This includes practicing incident response and business continuity preparedness.   Cybersecurity is not a tick box compliance exercise.   Cybersecurity is everyone’s responsibility. Many of the core components that encompass a cybersecurity program do not require significant budget, but rather effective leadership, time and effort. Most importantly it requires adopting a mindset that recognizes the importance of being cyber resilient as essential to the organization’s overall success.
To see how the Tessian Intelligent Cloud Email Security platform  prevents ransomware attacks, and protects against DLP, watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn
Page