Request a Demo of Tessian Today.
Automatically stop data breaches and security threats caused by employees on email. Powered by machine learning, Tessian detects anomalies in real-time, integrating seamlessly with your email environment within minutes and starting protection in a day. Provides you with unparalleled visibility into human security risks to remediate threats and ensure compliance.

New Webinar: Check out how PeaceHealth maintains word class email security with a vast supply chain and 19k caregivers. Register Now →


Get up to speed on the latest tips, guides, industry news and technology developments around phishing, spear phishing, Business Email Compromise, and Account Takeover

How Hackers Use Social Media For Phishing Attacks
By Maddie Rosenthal
06 May 2022
Over the last decade, phishing – a type of social engineering attack – has transformed from something more like spam to the threat most likely to cause a breach. During that same period, the number of adults on social media platforms like Facebook increased by almost 1,300%.   Every photo we post, status we update, person we tag, and place we check into reveals valuable information about our personal and professional lives. And hackers use this information to craft targeted – and effective – attacks at scale.
How big are our digital footprints?    Our digital footprints are bigger than ever. There are over: 2,701,000,000 users on Facebook 1,158,000,000 users on Instagram 722,000,000 users on LinkedIn 353,000,000 users on Twitter And it shouldn’t surprise you that, according to research, 90% of people post information related to their personal and professional lives online. This number is even higher among 18-34 year olds. And, across LinkedIn, Instagram, and Facebook, 55% of people have publicly visible accounts.  !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//");
When an account is public, anyone can see the information you post online, whether it’s a photo of your boarding pass, or a birthday shout-out to a colleague. Harmless, right? Unfortunately not.   This information is gold dust to hackers and makes reconnaissance impossibly easy.    Take the former Australian Prime Minister, Tony Abbott. He posted a picture of his boarding pass on Instagram. From the booking reference, hackers found his passport number and phone number – information that could have helped them gain access to other accounts, including sensitive personal and government information.   It didn’t take much work. According to an ethical hacker we spoke to, “Anyone who saw that Instagram post could also have [his passport number and phone number].”   Mr. Abbott isn’t the only person who posts this kind of information online…
32% of employees post business travel photos and updates. Nearly 72% mention birthday celebrations. 36% share information about their jobs. And don’t forget about all the information we share about our pets, partners, and children.     Hackers use all of it. Yep, even that photo of your pup.    How do bad actors use this information?   To understand exactly how hackers leverage all of this information, we have to look at a social engineering attack from start to finish.   First, a hacker identifies a target organization.    Depending on their motivations, they could choose an asset management firm with hopes of initiating a wire transfer or a pharmaceutical company with hopes of getting their hands on R&D. From there, they’ll research supply chains and vendors, study company org. charts, map employee relationships, and monitor individual behavior. And, by running scripts, they can do this automatically and at scale.     Why do all this reconnaissance? To pinpoint potential entry points, identify viable third-parties to impersonate, and to collect information (however subtle) that’ll help them nudge their targets towards unconscious (and conscious) confirmation and – eventually – trust and compliance. 
While behavior varies by region, most of us eagerly announce when we start a new job. In the US, almost everyone does – with 93% of employees in the US saying they update their job status on social media.   We share press releases about new clients and mergers and acquisitions. We post photos of our employee IDs and screenshots of Zoom calls. We tag our colleagues and customers in our updates and comment on theirs. We share all of this information regularly.    Almost half (43%) of us post every day, giving hackers up-to-date intelligence about where we’re working, who we’re working with, and what we’re working on.   Passwords play a role, too   When it comes to Business Email Compromise, information related to your professional life is important. But your personal information can be just as valuable.   Hackers can use information about your pets, partner, children, and even your interests to crack passwords and answer security questions, giving them full access to personal and work accounts, including password managers and even your email.    Don’t believe us? 21% of people use information like their favorite football team, their pet’s name, or birthdays when creating passwords and some of the most common security questions include: What is your mother’s maiden name? What was your first car? What elementary school did you attend? What year were you married?    This is all readily available online. 34% of people share the names of their pets, 34% mention their children/partner, and 40% share information about their interests.     People may even unwittingly share this information via gimmicks or memes that make their rounds on social media. For example, “name generators” that ask you to combine your pet’s name with your childhood street address. Sound familiar?
An example of a social engineering attack leveraging social media In this example of a social engineering attack, hackers use an OOO message and other publicly available information to initiate a wire transfer.   Type of Attack: CEO/CXO Fraud Industry: Financial Services Hacker Motivation: (Quick) Financial Gain
The hacker group monitors news wires for up-to-date information about banks in the United States to find their target, an asset management firm called SoBank.  They see that the company’s CFO – Andrew Neal – is OOO at a conference. Thanks to his OOO message, they’re able to identify their target, Tristan Porter. They also learn that Andrew goes by “Andy” at work. The hacker group sends a fabricated email chain that appears to be between Andy and Gregory Ellwood, Senior Partner at Dorling Clayton – SoBank’s advising firm – urging Tristan to make a wire transfer.
Cybersecurity best practice   Want to better manage your digital footprint and avoid being targeted by (and falling for) a social engineering attack?   Here’s a list of do’s and don’ts.
ATO/BEC Human Layer Security
Phishing Awareness Training: How Effective is Security Training?
By Maddie Rosenthal
30 April 2022
Phishing awareness training is an essential part of any cybersecurity strategy. But is it enough on its own? This article will look at the pros and cons of phishing awareness training—and consider how you can make your security program more effective.
✅ Pros of phishing awareness training   Employees learn how to spot phishing attacks   While people working in security, IT, or compliance are all too familiar with phishing, spear phishing, and social engineering, the average employee isn’t. The reality is, they might not have even heard of these terms, let alone know how to identify them.   But, by showing employees examples of attacks – including the subject lines to watch out for, a high-level overview of domain impersonation, and the types of requests hackers will generally make – they’ll immediately be better placed to identify what is and isn’t a phishing attack.     Looking for resources to help train your employees? Check out this blog with a shareable PDF. It includes examples of phishing attacks and reasons why the email is suspicious.    It’s a good chance to remind employees of existing policies and procedures   Enabling employees to identify phishing attacks is important. But you have to make sure they know what to do if and when they receive one, too. Training is the perfect opportunity to remind employees of existing policies and procedures. For example, who to report attacks to within the security or IT team.   Training should also reinforce the importance of other policies, specifically around creating strong passwords, storing them safely, and updating them frequently. After all, credentials are the number one “type” of data hackers harvest in phishing attacks.    Security leaders can identify particularly risky and at-risk employees   By getting teams across departments together for training sessions and phishing simulations, security leaders will get a birds’ eye view of employee behavior. Are certain departments or individuals more likely to click a malicious link than others? Are senior executives skipping training sessions? Are new-starters struggling to pass post-training assessments?    These observations will help security leaders stay ahead of security incidents, can inform subsequent training sessions, and can help pinpoint gaps in the overall security strategy.
Training satisfies compliance standards   While you can read more about various compliance standards – including GDPR, CCPA, HIPAA, and GLBA – on our compliance hub, they all include a clause that outlines the importance of implementing proper data security practices.   What are “proper data security practices?” This criterion has – for the most part – not been formally defined. But, phishing awareness training is certainly a step in the right direction and demonstrates a concerted effort to secure data company-wide.     It helps organizations foster a strong security culture   In the last several years (due in part to increased regulation) cybersecurity has become business-critical. But, it takes a village to keep systems and data safe, which means accountability is required from everyone to make policies, procedures, and tech solutions truly effective.    That’s why creating and maintaining a strong security culture is so important. While this is easier said than done, training sessions can help encourage employees – whether in finance or sales – to become less passive in their roles as they relate to cybersecurity, especially when gamification is used to drive engagement.   You can read more about creating a positive security culture on our blog.
❌ Cons of phishing awareness training   Training alone can’t prevent human error   People make mistakes. Even if you hold a three-hour-long cybersecurity training session every day of the week, you’ll never be able to eliminate the possibility of human error. Don’t believe us? Take it from the U.K.’s National Cyber Security Centre (NCSC) “Spotting phishing emails is hard, and spear phishing is even harder to detect. Even experts from the NCSC struggle. The advice given in many training packages, based on standard warnings and signs, will help your users spot some phishing emails, but they cannot teach everyone to spot all phishing emails.”   That’s right, even the U.K.’s top cybersecurity experts can’t always spot a phishing scam. Social engineering incidents—attacks that play on people’s emotions and undermine their trust—are becoming increasingly sophisticated.   For example, using Account Takeover techniques, cybercriminals can hack your vendors’ email accounts and intercept email conversations with your employees. The signs of an account take-over attack, such as minor changes in the sender’s writing style, are imperceptible to humans.   Phishing awareness training is always one step behind   Hackers think and move quickly and are constantly crafting more sophisticated attacks to evade detection. That means that training that was relevant three months may not be today. In the last year, we’ve seen bad actors leverage COVID-19, Tax Day, furlough schemes, unemployment checks, and the vaccine roll-out to trick unsuspecting targets.   What could be next?   Training is expensive   According to Mark Logsdon, Head of Cyber Assurance and Oversight at Prudential, there are three fundamental flaws in training: it’s boring, often irrelevant, and expensive. We’ll cover the first two below but, for now, let’s focus on the cost.   Needless to say, the cost of training and simulation software varies vendor-by-vendor. But, the solution itself is far from the only cost to consider. What about lost productivity?   Imagine you have a 1,000-person organization and, as a part of an aggressive inbound strategy, you’ve opted to hold training every quarter. Training lasts, on average, three hours. That’s 12,000 lost hours a year.   While – yes – a successful attack would cost more, we can’t forget that training alone doesn’t work. (See point 1: Phishing awareness training can’t prevent human error.)
Phishing awareness training isn’t targeted (or engaging) enough   Going back to what Mark Logsdon said: Training is boring and often irrelevant. It’s easy to see why. You can’t apply one lesson to an entire organization – whether it’s 20 people or 20,0000 – and expect it to stick. It has to be targeted based on age, department, and tech-literacy. Age is especially important.   According to Tessian’s latest research, nearly three-quarters of respondents who admitted to clicking a phishing email were aged between 18-40 years old. In comparison, just 8% of people over 51 said they had done the same. However, the older generation was also the least likely to know what a phishing email was.   !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//");   Jeff Hancock, the Harry and Norman Chandler Professor of Communication at Stanford University and expert in trust and deception, explained how tailored training programs could help.
Should I create a phishing awareness training program? The short answer: “Yes”. These programs can help teach employees what phishing is, how to spot phishing emails, what to do if they’re targeted, and the implications of falling for an attack. But, as we’ve said, training isn’t a silver bullet. It will curb the problem, but it won’t prevent mistakes from happening. That’s why security leaders need to bolster training with technology that detects and prevents inbound threats. That way, employees aren’t the last line of defense. But, given the frequency of attacks year-on-year, it’s clear that spam filters, antivirus software, and other legacy security solutions aren’t enough. That’s where Tessian comes in.   How does Tessian detect and prevent targeted phishing attacks?   Tessian fills a critical gap in security strategies that SEGs, spam filters, and training alone can’t.   By learning from historical email data, Tessian’s machine learning algorithms can understand specific user relationships and the context behind each email. This allows Tessian Defender to detect a wide range of impersonations, spanning more obvious, payload-based attacks to difficult-to-spot social-engineered ones like CEO Fraud and Business Email Compromise.   Once detected, real-time warnings are triggered and explain exactly why the email was flagged, including specific information from the email. Best of all? These warnings are written in plain, easy-to-understand language.
These in-the-moment warnings reinforce training and policies and help employees improve their security reflexes over time.  To learn more about how tools like Tessian Defender can prevent spear phishing attacks, speak to one of our experts and request a demo today.   Not ready for a demo? Sign-up for our weekly blog digest to get more cybersecurity content, straight to your inbox.  Just fill out the form below.
Five Ways Tessian Cloud Email Security Improves Enterprise Cybersecurity
By Martin Nielsen
22 April 2022
Tessian, an intelligent cloud email security solution for the enterprise, prevents advanced email threats and protects against data loss. With email responsible for up to 90% of all breaches, rule based security solutions like Secure Email Gateways (SEGs) no longer cut it. This explains why 58% of cybersecurity leaders are actively looking to displace SEGs for the next generation of email security.   Next gen solutions like Tessian ensure significantly improved threat detection and prevention capabilities thanks to machine learning and behavioral user intelligence, and offer a simplified approach to solution integration and management.
Removing the pain from security management   Tessian’s API integration into both Microsoft 365 and Google Workspace cloud email environments enables deployment in seconds, and provides unparalleled protection within hours. No manual updates, complex mail rerouting, or MX record re-configuration is needed.   And, when customers integrate Tessian’s security event feed with other solutions, they’re able to streamline processes and workflows and get a more contextualized and complete risk profile of their environment, down to the employee level.   To help you better understand the value of Tessian with products like Splunk, Okta, and KnowBe4, let’s explore real use cases from our customers. 
Tessian + Splunk Customer: Financial Services Employees: 7,000 Tessian Products Deployed:  Enforcer and Guardian    Use case:  For one of our financial services customers, the integration of Tessian with Splunk has been essential in addressing insider threats and preventing data loss. The client ingests, triages and remediates Tessian’s alerts in its SOC which runs on Splunk.   By sending data to Splunk, the SOC is empowered to create dashboards for the key security events that they care about, for example users with the most flags, or top recipients of flagged emails. This data can be combined with metrics from other cybersecurity tools in the environment to form a more comprehensive risk profile. For example, correlating the data from Tessian with endpoint security alerts enabled the client to get a deeper level of risk understanding viewed from a single pane of glass.   From here the client is able to create workflows through ServiceNow, which allows streamlining of Tessian’s security feeds into existing security workflows.   Some of the key benefits of Tessian and Splunk integration include:   Setting up custom alerts Triaging security events Identifying risky users Easy reporting of risk to the risk committee
Tessian + Sumo Logic Customer: Financial Services Employees: 3,100 Tessian Products Deployed:  Defender, Enforcer, and Guardian   Use Case: Sumo Logic is a central source for log analysis and is often a starting point for remediation workflows. Tessian has a native app built to Sumo Logic’s Modern Enterprise Security Architecture (MESA). With this native app, Sumo Logic users can ingest Tessian alerts and correlate them with other events.    One of our financial services clients uses Sumo Logic for log correlation and analysis. By feeding logs and alerts into Sumo Logic, enables the client to quickly identify spikes in anomalous email activity, for example:  misdirected email (Guardian), unauthorized email (Enforcer) and phishing emails (Defender).    Once a verdict has been delivered on an email, the SecOps team is in a position to take mitigating actions. 
Tessian + Okta  Customer: Financial Services Employees: 1, 200 Tessian Products Deployed: Defender, Enforcer, and Guardian    Use case:  The Tessian integration with Okta enables clients to use Okta’s Universal Directory to set specific email security policies for user groups based on risk. For example, one client in financial services leverages the integration to enforce more stringent email security rules for the finance department – responsible for sending and receiving sensitive financial data.    Tessian is leveraged to target these specific user groups with email security policies that ensure safe email behavior and prevents email related data loss.    The integration with Okta enables greater security flexibility for user groups, rather than a standard one-size fits all approach to security policy orchestration.
Tessian + CrowdStrike + Netskope Customer: Healthcare Employees: 16,500 Tessian Products Deployed: Defender, Enforcer, and Guardian    Use case: A growing number of Tessian clients, such as one in healthcare, is using Tessian as an integral security pillar to keep their enterprise safe from external and insider threats, particularly concerning data loss.   Tessian is seen as one of core security pillars keeping employees and the email ecosystem safe. Other key security pillars and best-in-breed solutions include CrowdStrike for endpoint and Netskope for cloud security – deployed alongside Tessian.    By leveraging Tessian in combination with these tools enables a defense in depth approach, giving security practitioners peace of mind that they have the best tools in place to keep their employees and their data safe.
Tessian + KnowBe4 Customer: Pharmaceuticals Employees: 650 Tessian Products Deployed: Defender   Use case: The Tessian integration with Knowbe4 gives organizations more visibility into phishing risk by identifying the employees who are most likely to fall for phishing attacks. Tessian ingests KnowBe4’s Phish Prone Score and combines it with our own Risk Score, presenting a more comprehensive risk profile for each employee.   This way, security teams can customize security policies and training programs for more targeted and engaging security awareness for specific employees rather than a blanketed approach – that often lacks context.    After deploying Tessian to bolster KnowBe4, one pharmaceutical company saw click through rate drop significantly from 20% to below the industry benchmark of 3%. Another Tessian client in the financial services sector summed up the value of the Tessian and KnowBe4 integration:
Click here to book a demo of our market leading cloud email security and DLP platform.
Why You Should Stop Phishing Your Own Employees
By KC Busch
20 April 2022
Many organizations spend significant time and effort on counter-phishing programs and training. The emphasis of these mitigation is always preventing the click; how to see it, how to stop it, and how to report it in a timely manner.   Rarely though, does anyone ask why the end user clicks on a malicious email. There’s a variety of psychological triggers that prompt a bad outcome of clicking on malspam, but an interesting one is that you might have trained them to do it.
And if you think email is dead, think again. A 2019 study by Adobe Analytics found US-based workers spend an average of 3 hours a day managing work email. Practically speaking, no one can directly engage with that much email using 100% of their critical thinking capacity.     As a result, users tend to rely on heuristics to manage the cognitive load, such as rules sorting content into different folders, only reading subject lines, or sometimes ignoring some types of messages altogether.   In somewhat of an escalating arms race for attention, corporate comms teams can often add things like “ACTION REQUIRED”, “URGENT”, highlight portions of text, or load up the email with HTML and various trackers. Many people view those sorts of messages as just petty annoyances, but let’s take a look at some actual phishes to see why they might actually be dangerous.
As we can see, two scammers attempting to impersonate Tessian executives rely very heavily on a sense of urgency to short circuit critical thinking skills that would easily catch out these phishes.     While on their own they’re not very sophisticated at all, when sent to an organization that bombards their users with urgent action required emails, the environment has already trained the users to look out for and at least open such messages.  As a result, false urgency is very frequently found in almost any malicious email. Let’s look at how formatting can abuse user trust as well.
This looks pretty good for the average phish, but we can mark it as malicious due to poor language skills alone. However, IT teams will commonly use formatting very similar to this to announce server upgrades and request user action.     Organizations will hide links behind buttons to be “friendly’, use red text to highlight a tl;dr, or use bolding liberally to draw the eye. While a deep read will reveal the above phish as fraudulent fairly easily, a user inundated with email is not going to deep read anything – especially if their IT team uses similar formatting on a regular basis.
A positive counterexample   Microsoft, once renowned for the most inscrutable error messages of all time in earlier versions of Windows (see above), has been putting increasing thought into how to communicate in effective ways with the end user. Let’s see how they communicate that a user’s operating system is at end of life for support.    
This can serve as a reasonable guide to how to communicate facts to the end user and request an action be taken. The negative outcome is centered, at the top, and large enough to be read first, but without any highlights or red text to suggest undue urgency.     Consequences of this outcome are listed clearly in idiomatically correct and simple English.  Lastly, the recommended action (clicking to be guided to an upgrade page) is gently highlighted but not required, and other options are presented to the user to avoid any pressure for a particular action.    Going against the grain of most corporate communications that tend to be quite directive, Microsoft is presenting simple facts in a clean, unhurried way, and providing options for action at the end user’s preferred pace.     Taking design cues from this error message can prompt a harried employee relying on heuristics rather than close reading to slow down and only take action when they have the resources to do so in a considered manner.  
Lessons learned   Sending messages to your employees that share design cues with phishes is not a great security outcome.  So how do we do better?  Comprehensive phishing solutions can catch a lot of nastiness on the front end and keep it out of the inbox.  But empowering users to spot and flag malicious content on their own can be a great adjunct strategy to catch threats that never make it to security staff.  We can help them do that by taking a deep look at what sort of information handling environment the user lives in and designing communication that makes full use of critical thinking easier rather than harder.  The above attacks were all caught via Tessian’s Defender module, with end user warnings like the one here.  Breaking up the user’s typical email experience and providing clear, simple information necessary to make a good judgment on the emails’ authenticity.    In these instances, augmenting technical controls by giving the user timely guidance helped us enable good outcomes for the attacks.  As with most email attacks, focusing on human factors has been a very effective force multiplier in keeping the organization safe.
Why Cybercrime is Thriving, And What You Can Do About It
By Andrew Webb
19 April 2022
Cybercrime is big business. But just how big? Well, big. A recent report from Cybercrime Magazine predicted cybercrime would cost the world $10.5 trillion annually by 2025. Bear in mind that estimates in 2020 were just over half that, at $6 trillion, and up from $2.9 trillion in 2015. So ,why is there a cybercriminal gold rush? And why are attacks getting increasingly more sophisticated, more numerous, and more successful?
Legacy solutions are no match for today’s attacks   As we noted in our recent Spear Phishing Threat Landscape Report, attacks are getting more sophisticated and are bypassing traditional defense systems like rule-based Secure Email Gateways (SEGs). We know this because we examined platform data and found that between July 2020 and July 2021, Tessian scanned nearly 4 billion emails and flagged nearly 2 million as malicious. These emails sailed right past our customers’ Secure Email Gateways (SEGs) and native tools and would have left employees as the last line of defense if it wasn’t for Tessian. Not only that, attacks are getting more frequent. Cybersecurity Magazine estimated a new ransomware attack hits every 11 seconds.    Oftentimes, big problems (like paying out millions for a ransom) can be traced back to small oversights. Like not using Multi-Factor Authentication (MFA). This is particularly common in mid-market SMEs, despite the fact that Microsoft Research found that MFA blocks 99.9% of all automated attacks. As Dave Kennedy, Founder of TrustedSec said at our Spring 2022 Human Layer Security Summit, just 22% of O365 users have MFA enabled. And so attackers can target these firms much more easily. SMEs also have smaller budgets and headcount allocated to cyber compared to the enterprise. The result: 60% of SMEs file for bankruptcy within six months of a breach.
Email is inherently flawed   If someone broke into your office, chances are you’d know about it quickly and do something about it. Unfortunately, the same doesn’t apply to many organizations’ networks and inboxes. From a simple way of sending asynchronous ASCII messages between user accounts on an academic network in the 1970s, email has grown into a world-devouring beast that is the very backbone of commerce and information exchange. Over 7 billion users globally send and receive 333.2 billion emails a day. Such a vast user base means email is the number one threat vector. 
After all, for many, moving data via email IS their job. What’s more, email is on all our devices: desktops, tablets, and phones. But as Will Patterson, Enterprise Customer Success Lead, notes in this webinar, email has some inherent problems when it comes to security. Firstly, it’s open (in that you can email anyone) and secondly, email attacks are cheap to deploy; they’re effective and can be launched from anywhere. A big audience and low entry bar make it the ideal medium in which to conduct attacks.   It’s no wonder 90% of phishing occurs via email.
Cybercrime pays out – big time   Cybercriminals continue to attack because those attacks continue to be successful, netting potentially hundreds of thousands of dollars from companies for little effort and risk (compared with other types of crime).    The international nature of cybercrime adds another layer of complexity and helps shield attackers from law enforcement. According to the FBI, in 2021, BEC scammers made over $2.4 billion – far more than via any other type of cybercrime. Of course, the cost to the company isn’t just these initial losses, it’s the further costs of containing, reporting, and remediating the breach. IBM currently puts the cost to businesses at $4.24 million per breach. 
It’s faster, easier, and cheaper than ever to execute attacks   With such a big potential target group, attackers are using automation and off-the-shelf tools to not only launch attacks but process the data they exfiltrate in the process. And as James McQuiggan, Security Awareness Advocate at KnowBe4, said at our Fall Human Layer Security Summit, “the bad guys are buying the same hardware and software configurations we’re using – they’re then testing their attacks and then see what gets through”. So if criminals are automating many of their repetitive processes, you should too.   Not only that, but it’s also easier and cheaper than ever to execute attacks, and technical skills are no longer required. There are numerous tools, platforms, and services that make executing attacks as easy as building a webpage. The following open-source intelligence (OSINT) apps and tools can be used to gather precise information about a person’s social media details, location, and their work email address, making it impossibly easy to identify and manipulate a target.  
Security teams are burned out   Against this cybercrime tsunami stands the CISO and the company’s security team, and the daily battle to keep employees and the organization safe. That’s taking its toll on security teams, who are often stressed and burned out. Our Lost Hours Report found CISOs regularly working extra hours and overtime to keep the company secure from threats.    The CISOs we surveyed worked, on average, 11 hours more than they’re contracted to each week. Nearly 1 in 10 work 20-24 hours more a week. What’s eating up that time is dealing with potential breaches. A quarter of respondents say they spend 9-12 hours investigating and remediating each threat caused by human error, while more than 1 in 10 spend more than a day.    A global study by The Ponemon Institute found that the average amount of time required to identify a data breach is 197 days. that’s over six months. It then takes another 69 days on average to contain and deal with the fallout of that breach. Better alerts and warning systems, as well as swift procedures in place to respond to them, are a must. Over six months is more than enough time to wreak havoc in a network. In medicine, there’s the concept of ‘the golden hour’, security needs to aim for a golden 24 hours because the faster an organization can respond the better and faster its recovery will be. 
Employees are busy, stressed, and distracted   The modern workplace is a fuzzy blend of devices (laptop/phone) and locations (home/office/coffee shop etc) with people constantly switching between them trying to juggle, on average, around 100 emails a day. You can see why our Psychology of Human Error report found that 26% of people fell for a phishing email at work in the last 12 months alone. People are maxed out trying to do their jobs, and it’s exactly this pressure that attackers are looking to exploit and manipulate, which underscores the important of building a positive security culture alongside HR.   So, as cybercrime is becoming more and more profitable, here’s what you need to do to strengthen your security stack and keep your people and organization safe:   Layer up your security stack with Integrated Cloud Email Security (ICES) to augment your SEG Implement better email monitoring Automate repetitive security tasks Improve your response time and processes Work with the people team on fostering a positive security culture and engaging security awareness training programs And don’t forget to switch on MFA ASAP!
ATO/BEC Human Layer Security
Phishing Campaigns Pick-Up in the Wake of the Ukraine Invasion
By Charles Brook
05 April 2022
Key Takeaways   We’ve seen an upward trend in the number of suspicious emails being flagged related to Ukraine.  Spam campaigns started to appear only one day after the initial invasion by Russia.   The number of new domains containing “Ukraine” registered in 2022 is up 210% from 2021.   An average of 315 new Ukraine themed domains have been observed per day since the 24th February.  77% of these domains appear to be suspicious based on early indicators.
Overview   The conflict taking place in Ukraine has quickly become a common theme for threat actors and scammers alike. Tessian has observed an upward trend in Ukraine themed emails flagged by our platform, including a number of threat campaigns that are exploiting the conflict as a theme for new scams, malspam, and phishing.   In line with this, open source intelligence shows a significant increase in the number of Ukraine themed domains being registered, which can be used for malicious purposes.   The scams observed typically request donations in the form of crypto-currency under the pretense of supporting the Ukrainian humanitarian effort in the wake of the Russian invasion. The spam is similar to common campaigns previously observed, pushing links to suspicious e-commerce sites selling Ukrainian themed items.
Trend analysis Domain registrations   There has been a significant upward trend in the number of new domains being registered that contain “Ukraine”. The number of these domains being registered is up more than 210% in 2022, compared to 2021.   Researching domain registrations , we can see the upward trend progressing over the past two months. 
Since early March there has been an average of 340 new domains registered each day, either containing “Ukraine” or closely resembling the word.  Our platform observed an upward initial trend in Ukraine themed emails, which peaked early March. This included the spam campaigns and donation scams.
Threat campaign explainer  Donation Scams   Donations from around the world have been made in support of Ukraine in the wake of the Russian invasion. Unfortunately, leveraging humanitarian efforts such as the one currently underway in Ukraine to perpetrate phishing-related fraud has become a common modus operandi for threat actors and fraudsters. This explains why phishing remains among the top reported cybersecurity incidents according to the FBI’s latest Internet Crime Report, with over 323k reported incidents for 2021.   The donation scams vary in sophistication from basic emails containing a short message with a plea for help, to fake websites set up to impersonate certain charitable organizations like the British Red Cross.    One of these scam emails claims to be supporting the humanitarian aid effort in Ukraine and is requesting  Bitcoin cryptocurrency donations. Legitimate website  text and logos from the likes of UNICEF, Actalliance and the Australian Council for International Affairs (ACFID) are being fraudulently leveraged to enhance the authenticity of the phishing emails.   The threat campaign detailed below purporting to be a legitimate humanitarian aid effort for Ukraine from the ACFID, requests Bitcoin donations and allows victims to make the donation via direct Bitcoin address or via a malicious QR code.
Phishing email purporting to be from the ACFID  
Scanning the QR code with the iOS camera app will prompt you to open a locally installed payment app that supports Bitcoin. In this case, Cash App.   According to Blockchain Explorer, the last transaction to take place with the address in this email was on 2022-02-14 with only 6 transactions in total.    Another donation scam was sent from a newly registered domain redcrossukraine[.]org impersonating the Red Cross in Ukraine. The email contained a link to a professional looking website containing details of the Ukraine conflict as well as instructions on how to donate cryptocurrency in aid of Ukraine.
The site was based on a bootstrap template by BootstrapMade which gave it the look and feel of a legitimate website. Towards the bottom were references to addresses for 3 different crypto wallets you could send payments to as a ‘donation’. One for Bitcoin, one for Ethereum, and one for Tether cryptocurrency.
Ukraine themed spam   Spammers have also quickly reacted to the invasion of Ukraine by adjusting the themes of their campaigns.    One notable spam campaign, only a day after the initial invasion, began blasting out spam with links to suspicious e-commerce sites pushing the sale of t-shirts and other items to show support for Ukraine.   The emails sent out in the campaign have subjects like “I Stand With Ukraine Shirts” and contain images of t-shirts with slogans in support of Ukraine. The emails also contain links pointing to sites like mimoprint[.]info or mabil-store[.]com where you can browse and purchase some of the products referenced in the email.   Links resolving to recently created sites like mimoprint[.]info or mabil-store[.]com were sent out in emails with subjects like  “I Stand With Ukraine Shirts”. Searching this site online reveals some reviews claiming that they are a scam and if a purchase is made then no product is received. Other reviews claim they steal designs from users on other sites.    Recommended action  Some charities do and are accepting cryptocurrency donations. But be cautious of any emails purporting to aid or receive donations in an effort to support the humanitarian effort in Ukraine. If cryptocurrency is requested from an unsolicited email then the likelihood is that it is a scam.   Before interacting with any Ukrainian themed email received, check the source and email header to confirm the organization it originated from is legitimate.   If you want to make a donation in support of Ukraine, then the best way is to go directly to your preferred charitable organization. CNET has published a list of reputable charities you can donate in aid of Ukraine. 
ATO/BEC Human Layer Security Life at Tessian
Book Recommendations for Security Professionals
By Maddie Rosenthal
01 April 2022
Looking for some summer reading? We’ve pulled together a little reading guide for when you get some well-earned downtime. We asked around the Tessian offices for recommendations for good reads in the tech and security space. Here’s the team’s recommendations.
Cyber Privacy: Who Has Your Data and Why You Should Care April Falcon Doss Amazon, Google, Facebook, governments. No matter who we are or where we go, someone is collecting our data: to profile us, target us, assess us; to predict our behavior and analyze our attitudes; to influence the things we do and buy — even to impact our vote. Read more at Good Reads   Social Engineering: The Science of Human Hacking Christopher Hadnagy Social Engineering: The Science of Human Hacking reveals the craftier side of the hacker’s repertoire—why hack into something when you could just ask for access? Undetectable by firewalls and antivirus software, social engineering relies on human fault to gain access to sensitive spaces; in this book, renowned expert Christopher Hadnagy explains the most commonly-used techniques that fool even the most robust security personnel, and shows you how these techniques have been used in the past. We take a deep dive into the psychology of human error in this report, with insights from Stanford Psychology and Communications professor Jeff Hancock. Read more at Good Reads.    The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats Richard A. Clarke  “Great book on the challenges of cyberwarfare policy” – Paul Sanglé-Ferrière, Product Manager, Tessian. An urgent new warning from two bestselling security experts – and a gripping inside look at how governments, firms, and ordinary citizens can confront and contain the tyrants, hackers, and criminals bent on turning the digital realm into a war zone. Read more at Good Reads   The Wires of War: Technology and the Global Struggle for Power Jacob Helberg From the former news policy lead at Google, an urgent and groundbreaking account of the high-stakes global cyberwar brewing between Western democracies and the autocracies of China and Russia that could potentially crush democracy. Read more at Good Reads   This Is How They Tell Me the World Ends: The Cyberweapons Arms Race Nicole Perlroth Filled with spies, hackers, arms dealers, and a few unsung heroes, written like a thriller and a reference, This Is How They Tell Me the World Ends is an astonishing feat of journalism. Based on years of reporting and hundreds of interviews, The New York Times reporter Nicole Perlroth lifts the curtain on a market in shadow, revealing the urgent threat faced by us all if we cannot bring the global cyber arms race to heel. Read more at Good Reads.   The Art of Invisibility: The World’s Most Famous Hacker Teaches You How to Be Safe in the Age of Big Brother and Big Data Kevin Mitnick & Robert Vamosi  In The Art of Invisibility Mitnick provides both online and real life tactics and inexpensive methods to protect you and your family, in easy step-by-step instructions. He even talks about more advanced “elite” techniques, which, if used properly, can maximize your privacy. Read more at Good Reads The Cuckoo’s Egg Clifford Stoll “Probably the original threat actor report – so good” – Matt Smith, Software Engineer at Tessian In 1986,  Clifford Stoll – a systems administrator at the Lawrence Berkeley National Laboratory – wrote this book. Based on his field notes, this is arguably one of the first documented cases of a computer hack and the subsequent investigation, which eventually led to the arrest of Markus Hess. It’s now considered an essential read for anyone interested in cybersecurity. Read more at Good Reads. CISO Compass: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers  Todd Fitzgerald While this book covers all the fundamentals of IT security governance and risk management, it also digs deeper into people. After all, being a CISO isn’t just about technology. The insights in the book come directly from CISOs. In total, 75 security leaders contributed to the book, which means there’s plenty of actionable advice you can apply to your strategies.  Looking for more insights from security leaders? Check out Tessian’s CISO Spotlight series. Read more at Good Reads.   Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers  Andy Greenburg Politics play a big role in cybercrime. This book is focused on Sandworm, the group of Russian hackers who, over the last decade, has targeted American utility companies, NATO, and electric grids in Eastern Europe and paralyzed some of the world’s largest businesses with malware. But the author, Wired senior writer Andy Greenberg, also provides plenty of background on both the technology and the relationships between various countries. Read more on Good Reads.   Cult of the Dead Cow Joseph Menn Cult of the Dead Cow is the tale of the oldest, most respected, and most famous American hacking group of all time. Though until now it has remained mostly anonymous, its members invented the concept of hacktivism, released the top tool for testing password security, and created what was for years the best technique for controlling computers from afar, forcing giant companies to work harder to protect customers.  Cult of the Dead Cow explores some of the world’s most infamous hacking groups – particularly the cDc – and explains how technology, data, and – well – the world has changed because of them. Read more at Good Reads. The Making of a Manager: What to Do When Everyone Looks to You Julie Zhuo  Congratulations, you’re a manager! After you pop the champagne, accept the shiny new title, and step into this thrilling next chapter of your career, the truth descends like a fog: you don’t really know what you’re doing. Read more at Good Reads. CISM Certified Information Security Manager All-in-One Exam Guide Yes, this is an exam guide…and yes you should add it to your reading list. If nothing else, to have on-hand as a reference. Why? It covers everything. Security governance, risk management, security program development, and security incident management. Curious as to whether or not other security professionals have their CISM certification? We interviewed 12 women about their journeys in cybersecurity. Read their profiles here and the full report, Opportunity in Cybersecurity Report 2020. Read more on Good Reads. The health benefits of reading Whatever you choose to read these holidays, the health benefits of reading are well documented. As our Lost Hours report revealed, many CISOs aren’t taking time out from their jobs to de-stress and unwind. So make sure you schedule a little you time with a good book.  
ATO/BEC Email DLP Human Layer Security
New Research: One in Four Employees Who Made Cybersecurity Mistakes Lost Their Jobs Last Year
By Laura Brooks
29 March 2022
According to our new research, one in four employees lost their job in the last 12 months after making a mistake that compromised their company’s security. The new report, which explores human error on email at work, also found that:   Just over one in four respondents (26%) fell for a phishing email at work, in the last 12 months  Two-fifths (40%) of employees sent an email to the wrong person, with almost one-third (29%) saying their business lost a client or customer because of the error Over one-third (36%) of employees have made a mistake at work that compromised security and fewer are reporting their mistakes to IT
Why do people make mistakes at work?   When asked why these mistakes happened, half of employees said they had sent emails to the wrong person because they were under pressure to send the email quickly – up from 34% reported by Tessian in its 2020 study – while over two-fifths of respondents cited distraction and fatigue as reasons for falling for phishing attacks. More employees attributed their mistakes to fatigue and distraction in the past year, versus figures reported in 2020, likely brought on by the shift to hybrid working   “With the shift to hybrid work, people are contending with more distractions, frequent changes to working environments, and the very real issue of Zoom fatigue – something they didn’t face two years ago,” said Jeff Hancock, a professor at Stanford University who contributed to the report. 
People are falling for more advanced phishing attacks    While the number of employees who fell for phishing attacks only increased by 1% in the last 12 months, people were far more likely to fall for more advanced phishing attacks than they were in 2020.    Over half of employees (52%) said they fell for a phishing email because the attacker impersonated a senior executive at the company – up from 41% reported in 2020. In comparison, click-through rates on phishing emails whereby threat actors impersonated well-known brands dropped. These findings mirror those reported by the FBI, which found that business email compromise attacks (BEC) are eight times more common than ransomware and the losses from these attacks continue to grow year on year.    People were also susceptible to phishing attacks over SMS (smishing), with one-third of respondents being duped by a smishing request in the last 12 months, compared to 26% of those who fell for phishing scams over email. Older employees were more susceptible to smishing attacks; one-third of respondents aged over 55 complied with requests in smishing scam versus 24% of 18-to 24-year-olds.
The consequences for accidental data loss are more severe   On average, a US employee sends four emails to the wrong person every month – and organizations are taking tougher action in response to these mistakes that compromise data. Nearly a third of employees (29%) said their business lost a client or customer after sending an email to the wrong person – up from the 20% in 2020. One in four respondents (21%) also lost their job because of the mistake, versus 12% in July 2020.    Over a one-third (35%) of respondents had to report the accidental data loss incidents to their customers, breaking the trust they had built. Businesses also had to report the incidents to regulators. In fact, the number of breaches reported to the Information Commissioner’s Office, caused by data being sent to the wrong person on email, was 32% higher in the first nine months of 2021 than the same period in 2020.
Employees are fearful of reporting mistakes   With harsher consequences in place, Tessian found that fewer employees are reporting their mistakes to IT. Almost one in four (21%) said they didn’t report security incidents, versus 16% in 2020, resulting in security teams having less visibility of threats in the organization.
Josh Yavor, CISO at Tessian, said, “We know that the majority of security incidents begin with people’s mistakes. For IT and security teams to be successful, they need visibility into the human layer of an organization, so they can understand why mistakes are happening and proactively put measures in place to prevent them from turning into serious security incidents. This requires earning the trust of employees; and bullying employees into compliance won’t work. Security leaders need to create a culture that builds trust and confidence among employees and improves security behaviors, by providing people with the support and information they need to make safe decisions at work.”
Buyer’s Guide to Integrated Cloud Email Security
By John Filitz
29 March 2022
The next generation of email security, referred to by Gartner as Integrated Cloud Email Security (ICES) solutions, bring a fresh approach to solving increasingly sophisticated and elusive email security threats.    Born in the cloud, for the cloud, ICES solutions are seen as an integral additional layer of email security to complement the native email security capabilities present in cloud productivity suites, such as Microsoft 365 and Google Workspace.   At last count, according to the latest Gartner Market Guide for Email Security (2021) there were 13 ICES vendors – giving customers a lot of choice to choose from.    Not every ICES vendor however, offers the same completeness of vision, degree of protection, or intelligent capabilities.   This short guide will bring insight on some of the key fundamentals that prospective buyers of an ICES solution should be aware of.
Why is there a need for ICES solutions in the first place?   Evidence shows that email remains an important and attractive attack vector for threat actors; according to a recent study, it’s responsible for up to 90% of all breaches.    The fact that the vast majority of breaches are attributed to an email compromise, indicates that the current status quo regarding email security is incapable and insufficient at preventing breaches. This was confirmed in a Forrester survey conducted on behalf of Tessian, with over 75% of organizations reporting on average of 20% of email security incidents getting by their existing security controls.   Threat actors are using more sophisticated email-based techniques, and attacks are achieving greater success. This is largely due to the commercialization of cybercrime, with Phishing-as-a-Service and Ransomware-as-a-Service offerings becoming more prevalent on the dark web.    In this new world, threat actors develop exploit kits and offer their services for sale. This has unfortunately led to a dramatic increase in the ability of attackers to find targets. And this explains why the cost of damages from cybercrime is expected to rocket to $10.5 trillion by 2025 – representing a +350% increase from 2015.   Digital transformation is another key reason too. Cloud adoption was accelerating prior to the Covid-19 pandemic. In the wake of the pandemic, cloud adoption accelerated even more quickly. This dramatic shift to the cloud has significantly expanded attack surface risk, with employees working from home, and often on personal devices.    This structural shift in computing has also revealed the soft underbelly of legacy cybersecurity solutions built for an on-premise world, including the rule-based and static protection for email offered by Secure Email Gateways (SEGs). And this explains why 58% of cybersecurity leaders are actively looking to displace SEGs for the next generation of email security – with behavioral intelligence and machine learning at the core.
ICES fundamentals  Approach to threat detection and prevention   The key differentiator between SEGs and ICES solutions from a threat detection standpoint is that ICES are underpinned by machine learning and utilize a behavioral intelligence approach to threat detection.    The algorithm of an ICES solution develops a historical behavioral map of an organization’s email ecosystem. This historical behavioral map is leveraged along with Natural Language Processing (NLP) and Natural Language Understanding (NLU) capabilities, to dynamically, and in-real-time, scan and detect any anomalous email behavior. Unlike SEGs, this enables these solutions to detect threats as they arise, in real time.  Deployment architecture   There are also important differences in the architecture and configuration of ICES solutions from SEGs. ICES solutions do not sit in-line like SEGs, they also do not require MX re-routing, but rather connect either via connect or API and scan email either pre-delivery or post-delivery – detecting and quarantining any malicious email. 
Degree of security automation    ICES solutions also offer a high degree of email security automation, including triaging of security incidents, which significantly reduces alert fatigue and the SOC burden, ultimately improving security effectiveness.
Key differences between SEGs and ICES   SEGs ICES Requires MX records changes, sits in-line, acts as a gateway for all email flow Requires no MX record changes and scans incoming email downstream from the MX record, either pre-delivery via a connector, or post-delivery via an API Designed to detect basic phishing attacks, spam, malware and graymail. No zero day protection Designed to detect advanced social engineering attacks including spear phishing, impersonation attacks, business email compromise (BEC), and account takeover (ATO). Advanced zero day protection Static, rule and policy based protection. No intelligent component to threat detection for inbound or outbound, resulting in high false positives and significant triaging of email security incidents  Behavioral and machine learning detection engine for advanced inbound and outbound threats, resulting in greater detection efficacy and lower false positives i.e. less business interruption and more SOC optimization Limited insider threat detection and no lateral attack detection capability. Once the threat has bypassed the gateway the threat actor as unlimited access to the victims’ data and information systems Advanced insider and lateral attack detection capability, stopping threats where and when they arise Basic email field scanning capability. Relies a threat engine of previously identified threats, and static rules and policies All of the email fields are analyzed using machine learning and compared against a historical mapping of email correspondence. Fields scanned include the sender, recipient, subject line, body, URL and attachments Advanced malicious emails go undetected and reach target inboxes. Some of the less sophisticated malicious emails end up in the spam or junk folder – enabling users to accidentally interact with it Advanced malicious emails are detected and automatically hidden from users’ inboxes. With the pre-delivery option, only email that is determined to be safe is delivered. Post-delivery solutions will in nanoseconds claw-back a suspected email determined to be malicious.  No in-the-moment employee security warnings. Security alerts are retroactive and aimed at SecOps, offering no context to employees or the ability to improve the security culture An in-the-moment security notification banner can be added to an incoming or outgoing email indicating the level of risk of the scanned email and the context. These real-time security notifications lead to improved security culture, by empowering employees to take safe action, in real time Basic DLP capability Some ICES like Tessian have advanced DLP capability
Five market differentiators for ICES solutions   Not all ICES solutions however, offer the same degree of completeness in product and protection. It is important that prospective customers of ICES solutions understand and interrogate the following key differentiators during the vendor selection process:   1: Completeness of the product offering and product roadmap Does the solution cover inbound and outbound email protection (i.e. does it prevent email data loss events from occurring?) Does it have pre-built integrations with other cybersecurity tools such as SIEMs?   2: Degree of protection offered During the POV it is important to test the efficacy of the algorithm and determine a true baseline of detection, including the % of false positives. Verify the actual results from the POV against the vendors stated claims.   3: Deployment and management overhead Some vendors have unrealistic claims of “protection within seconds” – understanding the actual amount of FTE resources and time needed for deployment is crucial, as well as the product’s ability to scale. Determining the degree of management FTE required for managing the tool on a day-to-day basis is equally important.   4: UX and reporting capability The overall UX including UI for SecOps teams, and feedback from employees after using the product during the POV is essential. Evidence shows that if the UX is poor, the security effectiveness of the tool will be diminished.  Having the ability to on-demand pull or automate risk metric reporting down to the employee level, for inbound and outbound email, is crucial for cybersecurity and risk compliance leaders.   5: Degree of automation Automation is fast becoming a buzzword in cybersecurity. Here buyers need to be aware of the degree of automation that the ICES solution actually delivers, ranging from threat detection to the triaging of threats, as well as risk reporting.
The final word   All it takes is one click on malicious content for a breach to take place. When assessing and selecting an ICES solution, it is important that customers consider the above listed criteria as part of their general vendor assessment criteria.     The considerations on the completeness of the product offering and the degree of protection offered should be weighed carefully.    Finally, it’s the human-side that often never gets mentioned in vendor assessments. The experience interacting with the vendor from the first interaction through to the end of the POV should provide key insight into what the future partnership with the vendor will look and feel like.
About Tessian Tessian is one of the few ICES vendors that offers comprehensive protection for inbound threats like advanced spear phishing attacks, as well as outbound protection, preventing malicious and accidental data loss.    Unlike many of our ICES competitors, we don’t treat our customers as test subjects – our algorithm was developed and fine tuned for 4 years before we went live. Due to this level of product maturity, we boast among the lowest percentage of false positives in our industry.   We have among the most attractive UI, delivering a phenomenal UX. This includes advanced and automated cyber risk reporting, making security and risk leaders lives’ easier.   We never make claims that we can’t back up. We deploy in seconds and protect within hours. Both the deployment and management overhead are extremely efficient due to product maturity and the degree of automation inherent in our product.   Finally it’s worthwhile mentioning we take our customers seriously. Here’s what some of them have to about using our product:
Tessian Defender API Deployment and Enhanced Quarantine Capability
By Robert Slocum
25 March 2022
In today’s threat environment of increasing cyber threats and complexity, the email threat vector is only growing in prominence. With Tessian’s behavioral intelligence email security, we provide comprehensive protection from the most advanced email threats of today and tomorrow. This includes advanced anti-phishing protection and email data loss prevention.   We’re excited to announce the release of our new Microsoft 365 API that enables deployment of Tessian’s inbound protection in seconds, and provides unparalleled protection within hours. The seamless Microsoft 365 integration presents an opportunity to consolidate your cybersecurity stack, making it easy to displace your Secure Email Gateway for the next generation of email security, Tessian. You can download our full solution brief here.    The release of the API and new advanced quarantine isolation capabilities mark yet another milestone in Tessian’s growth and solidifies its place as the Integrated Cloud Email Security (ICES) market leader – offering clients a simplified integration, to enable comprehensive email protection against the most advanced inbound threats.  
Taking the effort out of integration Where traditional gateway deployments take months, the Tessian API enables seamless integration for Microsoft 365 clients, whether on premise, in hybrid, or in cloud environments.  Deploy Tessian within seconds and protects within hours.  No configuration is required.    API deployment simplified   The API allows deployment in 3 simple steps:      Enable connection to user mailboxes feature and select the + Defender Protection option    Grant required permission for Tessian to connect    Assign user mailboxes to the Directory Group for Tessian protection
The benefits of API deployment  The benefits of Tessian’s API deployment include:   Low cost of effort integration and management  No complex manual configurations, no MX records configuration or email rerouting needed Low management overhead, enabling security teams to focus on only malicious emails No manual updates required, you’re always running the latest version of our advanced threat protection   Reduced operational risk and enhanced security Elimination of point-of-failure risk and negative performance impacts due to simplified architecture – does not sit-inline Significantly reduced SOC burden and alert fatigue  Significantly reduced false positives, filtering out the noise from the actual threats   Scaled protection on demand Enterprise scalable solution but also accommodates the SMB sector Simply add new users to the Directory Group  Protection extends to all devices, including mobile
New levels of control and enhanced protection    We’re also excited to announce new quarantine features as a part of the Microsoft 365 API for inbound protection providing enhanced levels of control with our advanced quarantine threat isolation capability. The two user-friendly quarantine features are designed to stop threats, without interrupting business, and were built with security admins and employees in mind. The end result: Significantly reduced SOC burden, saving resources, with only malicious emails quarantined.   Admin Quarantine: Depending on the level of enforcement threshold selected by the security admin, emails that have been determined to be malicious by Tessian’s algorithm will automatically be quarantined for further analysis.    Soft Quarantine: Only emails with a lower probability of being malicious are sent to employees. Here, the employee receives a “defanged” copy of the email together with an in-the-moment security warning message. This enables them to decide whether to allow, or to delete the original email. 
How it works Admin Quarantine The Admin Quarantine capability automatically detects malicious emails and quarantines them on arrival. These emails have the highest probability of being malicious. These emails are temporarily removed from the employee’s inbox and assigned to the security admin via an alert notification.  The security admin triages the threat and can decide to release, or to delete the email from either the Tessian portal, or from the alert notification itself.   Soft Quarantine  The Soft Quarantine function detects emails with a lower probability of being malicious and, instead of being sent to the security admin, they’re held in a “Soft Quarantine” or hidden folder in the employee’s email account. These emails are not sent to the “junk folder” in order to prevent accidental interaction by the employee. Tessian sends a “defanged” copy of the email to the employee with an alert notification, alerting them that the flagged email is potentially malicious. The “defanging” of the email effectively neutralizes hyperlinks and removes attachments, thus removing any malicious payloads and is not released until the email is determined not to be malicious.   
In-the-moment security training hardens your security posture in real time   We believe employees are a company’s greatest security asset. With our in-the-moment security awareness notifications, we provide the necessary contextual understanding to prompt safer behavior. Not only is each warning message contextualized to the specific threat, but it also delivers a memorable and individualized security awareness training session.   Our customers consider these warnings an extension of their security awareness training programs, which helps build a more security conscious employee base and improves the security culture, in real time.
Intelligent and comprehensive email security protects against advanced threats   The threatscape is only increasing in sophistication and scope, with threat actors continuously refining attack methods to circumvent rule-based security controls. This helps explain why social-engineering based attacks delivered via email remain the number one threat vector for attack.   Given the high success rate of email-based attacks, it is clear that legacy rule-based email security solutions are no longer capable of keeping employees and data safe. This new reality has driven the need for intelligent email security solutions that provide real time protection and threat defense capability against advanced threats.   The new Tessian API release for Microsoft 365 and quarantine functionality, together with the full capability of Tessian’s security platform provides comprehensive email security for  advanced inbound and outbound threats – giving customers peace of mind that email security is one less challenge they have to deal with.    This is why our customers can’t imagine a world of not having Tessian in their environment.  Want to learn more? See how Tessian prevents ransomware attacks, bolsters DLP, watch a product overview video, or book a demo.
Everything You Need to Know About Tax Day Scams 2022
By Maddie Rosenthal
23 March 2022
Only two things are certain in life, death and taxes. As the 2022 Tax Day rolls around, making a payment to the IRS isn’t the only thing you need to be worried about.    These phishing attacks can take many different forms. In the US, these attacks will use the deadline of Monday, 18 April to file your income tax returns as bait. Meanwhile in the UK, these attacks will use your potential tax refund as bait.    But we’re here to help. Here’s what you need to look out for and what to do in case you’re targeted by Tax Day scams. 
 What do Tax Day scams look like?   As is the case with other phishing and spear phishing attacks, bad actors will be impersonating trusted brands and authorities and will be, in some way, motivating you to act.   In this article, we’re exploring Tax Day scams that arrive via email. You may also receive phone calls or text messages from bad actors, claiming that you’re being investigated for tax fraud or have an overdue bill. They may also simply request more information from you, like your name and address, or bank account details. You shouldn’t give any of this information away over the phone. Government organizations will never call you or use recorded messages to demand payment. Now, let’s take a closer look at some real scam examples. Example 1: IRS Impersonation 
What’s wrong with this email? The IRS has said they never contact taxpayers by email, so any correspondence “from” them is illegitimate There is an extra “r” in “internal” in the sender’s email address Email addresses from government agencies will always contain the top-level domain “.gov” There are spelling errors and inconsistencies in the text that you wouldn’t expect from a government agency Example 2: Tax-Preparation Software Impersonation
What’s wrong with this email? While the sender’s email address does contain the company name (Fast Tax), the top level domain name (.as) is unusual The sender is motivating the target to follow the embedded link by claiming their tax return is incomplete Upon hovering over the link, you’ll see the URL is suspicious. Please note, though: A suspicious URL can still take you to a landing page that appears legitimate. These are called malicious websites. Example 3: HMRC Impersonation
What’s wrong with this email? While the Display Name, email template, logos, and language used in the email seem consistent with HMRC, the sender’s email address contains the top-level domain “.net” instead of “” Upon hovering over the link, you’ll see the URL is suspicious Example 4: Client Impersonation
What’s wrong with this email? Unfortunately, in this case, there are no obvious giveaways that this is a phishing scam. However, if Joe, the tax accountant in this scenario, knew he hadn’t met or interacted with a woman named Karen Belmont, that could be a warning sign Individuals and organizations should always be wary of attachments and should have anti-malware and/or virus protection in place This examples demonstrates the importance of having policies in place to verify clients beyond email. And remember, there’s nothing wrong with being extra cautious this time of year. Example 5: CEO Impersonation
What’s wrong with this email? The the sender’s email address ( is inconsistent with the recipient’s email address ( The attacker is impersonating the CEO, hoping that the target will be less likely to question the request; this is a common social engineering tactic  The attacker is using urgency both in the subject line and the email copy to motivate the target to act quickly Because this is a zero-payload attack (an attack that doesn’t rely on a link or attachment to carry malware), anti-malware or anti-virus software wouldn’t detect the scam
Who will be targeted by Tax Day scams?    From the examples above, you can see that cybercriminals will target a range of people with their Tax Day scams. Taxpayers, tax professionals, and businesses are all susceptible and savvy hackers will use different tactics for each. Here’s what you should look out for.   Taxpayers  Attackers will be impersonating trusted government agencies like the IRS and HMRC and third-parties like tax professionals and tax software vendors  Attackers will use coercive language and the threat of missed deadlines or promises of refunds to motivate their targets to act  Many phishing emails contain a payload; this could be in the form of a malicious link or attachment   Tax Professionals  Attackers will be impersonating either existing clients/customers or prospects. In either case, they’ll be pretending they need help with their tax return or tax refund  Attackers will use the lure of new business or the threat of losing a customer to motivate their targets to act  Many phishing emails contain a payload; this could be in the form of a malicious link or attachment.  Businesses  Attackers will be impersonating CEOs, HR representatives, Finance Directors, or other individuals or agencies who need access to sensitive tax information  Attackers are strategic in their impersonations of people in positions of power; people are less likely to question their superiors.   
What do I do if I’m targeted by a Tax Day scam? While it’s true that attackers use different tactics and capitalize on different moments in time to trick their targets, individuals and businesses should always follow the same guidelines if they think they’ve received a phishing email.    First and foremost, always, always, always check the sender. Confirm that the domain is legitimate and that the Display Name matches the email address. Be wary of any emails that aren’t from a “.gov” address.  If anything seems unusual, do not follow or click links or download attachments  Check for spelling errors or formatting issues. Be scrupulous! If anything feels off, proceed cautiously. (See below.  If the email appears to come from an individual you know and trust, like a colleague, customer, or client, reach out to the individual directly by phone, text or a separate email thread  If you’re an employee who’s been targeted, contact your line manager and/or IT team. Management should, in turn, warn the larger organization  The best way to avoid falling victim to one of these scams is to simply not provide any personal information until you verify with 100% certainty that you’re communicating with a genuine agency, organization, or agent. Visit the organization’s website via Google or your preferred search engine, find a support number, and ask them to confirm the request for information is valid.
More resources As a security start-up, we’re committed to helping you stay safe. If you’re looking for more information on Tax Day scams, consult the following government websites. Advice from the IRS Advice from HMRC Looking for more advice about scams? Sign-up to our newsletter below to get articles just like this, straight to your inbox. 
What is Email Impersonation? Everything You Need to Know
16 March 2022
Email impersonation might not be the most sophisticated phishing method, but it’s simple, it’s widespread, and it can be devastating. Here’s why…     Email impersonation vs. email spoofing vs. account takeover   First, we need to describe “email impersonation” and distinguish it from some closely-related concepts.   Email impersonation: The attacker sets up an email address that looks like a legitimate email address (e.g. – note the zero instead of an o in the domain name). Email spoofing: A technical process where the attacker modifies an email’s headers so the receiving email client displays a false email address (the sender’s email address is “,” but the recipient sees “” in their inbox) Account takeover: The attacker gains access to another person’s account (using hacking or stolen credentials) and uses it to send phishing emails.   Email spoofing and account takeover require some technical ability (or, at least, access to the dark web). With email impersonation, though, the attacker just needs to secure a domain that looks like it could belong to a legitimate business.   This is easy (and cheap!) with domain registrars like GoDaddy. We explore different types of impersonation techniques below.   Phishing methods that use email impersonation   Cybercriminals can use email impersonation to facilitate any type of email-based phishing attack. There are some types of phishing in which email impersonation is particularly common, including:   Business Email Compromise (BEC) — Impersonating a business CEO fraud — Impersonating a company executive and targeting one of their employees Whaling — Targeting a company executive   These are all among the more sophisticated and targeted types of phishing attacks. These types of attacks must employ email impersonation, email spoofing, or account takeover to be successful.   Types of email impersonation   Now we’ll look at the various ways a cybercriminal can impersonate an email address. To understand these, you’ll need to know about the different parts of an email address:
Each of these elements of an email address is relevant to a different type of email impersonation.   Root domain-based email impersonation   A company’s root domain is usually the most distinctive part of its email address. It’s the part immediately before the top-level domain (e.g. “.com”) — the “Amazon” in “”.   Root domain impersonation involves creating a root domain using replacement characters, so it looks like an email has arrived from a legitimate company. Here’s an example:
In this root domain impersonation, the attacker has replaced the “l” in “external” and “supplier” with a “1”. At first glance, the recipient might not notice this, and they might treat the email as though it has come from “External Supplier.”   Top-level domain-based email impersonation   The top-level domain is the part after the root domain: e.g., “.com”, “.jp”, or “.net”. The top-level domain usually denotes a country or a type of organization. For example:   .com — Commercial organizations .uk — Internet country code for the UK .gov — US government agency   Sometimes, a second-level domain accompanies a top-level domain: — Commercial organization from the UK — Higher education institution from Japan — Organization from Warsaw, Poland   Using top-level domain impersonation, a cybercriminal can create an authentic-looking email address that the recipient might assume belongs to a legitimate organization (if they even notice it).   Here’s an example:
Here we have “” imitating “”. The top-level domain “.io” is actually registered to British Indian Ocean Territory (BIOT), but Google recognizes it as “generic” because many non-BIOT organizations use it.   Subdomain-based email impersonation   A subdomain appears after the “@” sign, but before the root domain. For example, in “”, the subdomain is “mail”. Most email addresses don’t have a subdomain.   An attacker can use subdomains to impersonate a legitimate company in two main ways:   Using a company’s name as a subdomain to the attacker’s domain. For example, in “”, “amazon” is the subdomain and “mailerinfo” is the domain. Splitting a company’s name across a subdomain and domain.   Here’s an example of the second type of subdomain impersonation:
Display name impersonation   A display name is how an email client shows a sender’s name. You can choose your display name when you sign up for an email account. We explore display name impersonation in more detail in this article: How to Impersonate a Display Name.   Display name impersonation exploits a bad habit of mobile email clients. On mobile, common email clients like Outlook and Gmail only display a sender’s display name by default. They don’t display the sender’s email address.    So, even an email address like “” might show as “Amazon Customer Services” in your mobile email client — if that’s the display name that the attacker selected when setting up the account.   But this isn’t a mobile-only problem. According to new research, just 54% of employees even look at the email address of a sender before responding or actioning a request. This is good news for attackers, and bad news for businesses.      Username impersonation   The username is the part of the email address that appears before the “@” symbol. For example, in “”, the username is “bill.gates”.   Username impersonation is the least sophisticated form of email impersonation, but it can still work on an unsuspecting target. This technique is sometimes called “freemail impersonation,” because scammers can register false usernames with Gmail or Yahoo.    With this technique, they can create accounts that look like they could belong to your CEO, CFO, or another trusted person in your network.  Here’s an example:
More resources on email impersonation   Now you know the basic techniques behind email impersonation, read our articles on preventing email impersonation, CEO fraud, and Business Email Compromise to find out how to protect your business from these cyberattacks.   You can also learn how Tessian detects and prevents advanced impersonation attacks by reading our customer stories or booking a demo. Not quite ready for that? Sign-up for our newsletter below instead. You’ll be the first to know about new research and events and get helpful checklists and how-to guides straight to your inbox.