Threat Intel Spear Phishing
How Cybercriminals Exploited The Covid-19 Vaccine Roll-Out
By Tessian
10 May 2021
The National Cyber Security Centre (NCSC) recently revealed that it removed more online scams in 2020 than in 2016-2019 combined, due to a surge in malicious activity related to the Covid-19 pandemic. In a report published by the NCSC’s Active Cyber Defence program, it’s revealed that more than 120 phishing campaigns in which the NHS was impersonated were detected in 2020 – up from 36 in 2019. The lure commonly used in these scams? The vaccine roll-out.

How have cybercriminals taken advantage of the Covid-19 vaccine?

Tessian researchers have been monitoring phishing campaigns related to the vaccination roll-out since the start of 2021, and their findings clearly demonstrate how quickly cybercriminals will jump on milestone moments to craft convincing scams. In fact, in the week commencing January 4th 2021, Tessian data shows that the number of scam emails related to the vaccine was 188% higher than the weekly average of such scams detected in 2021. It was during this week that the UK began distributing the AstraZeneca/Oxford vaccine. Our researchers also saw significant spikes in suspicious emails related to the vaccine during the:

Week commencing 25th January, when the Biden administration promised to have enough coronavirus vaccine for the entire US population by the end of summer. During this week, the number of suspicious emails relating to vaccines increased by 585% compared to the previous week.
Week commencing February 8th, when U.S. government officials announced that around 1 in 10 Americans had received the first dose of the two-part Covid-19 vaccine. The number of suspicious emails was 148% higher than the weekly average of vaccine related scams detected by Tessian in 2021.
Week commencing February 15th, when G7 countries pledged $4 billion to global Covid-19 vaccine initiatives. Suspicious emails related to the vaccine were 133% higher than the weekly average.
Week commencing March 1st, when President Biden announced that vaccines will be available for every US adult by May. The number of suspicious emails related to vaccines during this week was up by 161% compared to the previous week.

Now that the vaccine roll-out is well and truly underway, with many people having received both doses of the jab, Tessian researchers reported a significant drop in the number of scams. This is a clear indication that hackers were responding to hot topics in the news to apply a sense of urgency and timeliness to their malicious campaigns.
Why are these phishing attacks so effective?

After a year of stress and uncertainty, people were desperately waiting for the vaccine roll-out. People urgently wanted to find out things such as when they will get the vaccine, where they can receive the jab, and many more wanted to research and understand potential side effects. In response, cybercriminals capitalized on people’s desire for more information. They created fake websites, to which people were lured via phishing scams, and tricked their targets into sharing personal or financial data in exchange for the information they were looking for. Tying their campaigns to timely moments in the news added another layer of urgency.

In fact, additional Tessian research revealed that a significant number of website domains related to the Covid-19 vaccine were registered in the early days of the roll-out, with over 2,600 new website domains being created between 5 December 2020 and 10 January 2021. Many of these domains impersonated legitimate healthcare websites, touted misinformation around injection side effects, and falsely claimed to offer guidance around timing and logistics of distribution. The reason why these phishing scams are so effective is because hackers use techniques to prey on people’s vulnerabilities during times of crisis. In a report we published with Jeff Hancock, Professor of Communication at Stanford University and expert in trust and deception, he said, “when people are stressed and distracted, they tend to make mistakes or decisions they later regret.”

What does a vaccine scam look like?

Oftentimes, cybercriminals impersonated trusted healthcare organizations or government agencies to trick their victims into thinking they’d received an email from a legitimate source, as shown in the example below.
In other examples detected by Tessian, bad actors would impersonate Human Resource departments, urging staff to click on links or download malicious attachments that supposedly contained information about the vaccine roll-out and/or infected employees. Below is an example received by a global financial services enterprise, and detected by Tessian Defender. In this case:

The attacker registered a domain to impersonate an outsourced Human Resources function in a phishing email.
The phishing email used Covid-19 as the theme and used fear and urgency tactics to announce a “Covid-19 Emergency”, seemingly providing a list of known infected persons.
The aim of this was to encourage those who received the email to click a link to a PDF which claimed to contain information about the emergency and a list of infected individuals.
The attacker used the name of the financial services organization in the name of the file which was linked to in the URL. This implies that this attack was highly targeted; the recipient would assume that the link was legitimate.
It’s likely that the PDF linked to in the URL would have contained malicious macros designed to infect the target’s device.
How to spot a Covid-19 scam

Always be wary of emails purporting to come from healthcare organizations asking you to click on links to ‘find out more’. Always check the sender name and address to verify the sender’s identity, particularly if you have received the email on your phone. It’s also important to question any websites that request personal data. Domains that spoof government healthcare websites, like the Centers for Disease Control and Prevention (CDC), are especially dangerous, as cyber criminals could potentially steal extremely sensitive information such as Social Security numbers and health information like insurance or medical history details. At a time when phishing scams are only growing in frequency and sophistication, always think twice before entering your personal information online and remember, if it doesn’t look right, it probably isn’t. Remember, you can always verify any request by contacting the sender directly, via another means of communication, to check it’s the real thing.
Spear Phishing
11 Examples of Social Engineering: Real-World Attacks
07 May 2021
In this article, we’ll look at 11 social engineering examples — some big and some recent — all using different techniques. We’ll also tell you how to avoid falling victim to these sorts of attacks.
11 Social Engineering Examples

1. $100 Million Google and Facebook Spear Phishing Scam

The biggest social engineering attack of all time (as far as we know) was perpetrated by Lithuanian national Evaldas Rimasauskas against two of the world’s biggest companies: Google and Facebook. Rimasauskas and his team set up a fake company, pretending to be a computer manufacturer that worked with Google and Facebook. Rimasauskas also set up bank accounts in the company’s name. The scammers then sent phishing emails to specific Google and Facebook employees, invoicing them for goods and services that the manufacturer had genuinely provided — but directing them to deposit money into their fraudulent accounts. Between 2013 and 2015, Rimasauskas and his associates cheated the two tech giants out of over $100 million.

Further reading:
⚡ What is Spear Phishing?
⚡ What Does a Spear Phishing Email Look Like?

2. Deepfake Attack on UK Energy Company

In March 2019, the CEO of a UK energy provider received a phone call from someone who sounded exactly like his boss. The call was so convincing that the CEO ended up transferring $243,000 to a “Hungarian supplier” — a bank account that actually belonged to a scammer. This “cyber-assisted” attack might sound like something from a sci-fi movie, but, according to Nina Schick, author of “Deep Fakes and the Infocalypse: What You Urgently Need to Know”, “This is not an emerging threat. This threat is here. Now.” To learn more about how hackers use AI to mimic speech patterns, listen to Nina’s discussion about deepfakes with Elvis Chan, Supervisory Special Agent at the FBI, at the Tessian Human Layer Security Summit.

Further reading:
⚡ Deepfakes: What are They and Why are They a Threat?

3. $60 Million CEO Fraud Lands CEO In Court

Chinese plane parts manufacturer FACC lost nearly $60 million in a so-called “CEO fraud scam” where scammers impersonated high-level executives and tricked employees into transferring funds. After the incident, FACC then spent more money trying to sue its CEO and finance chief, alleging that they had failed to implement adequate internal security controls. While the case failed, it’s an important reminder: cybersecurity is business-critical and everyone’s responsibility. In fact, Gartner predicts that by 2024, CEOs could be personally liable for breaches.

Further reading:
⚡ What is CEO Fraud? (Tips for Identifying Attacks)
⚡ How to Prevent CEO Fraud
4. Microsoft 365 phishing scam steals user credentials

In April 2021, security researchers discovered a Business Email Compromise (BEC) scam that tricks the recipient into installing malicious code on their device. Here’s how the attack works. Pay attention—it’s actually pretty clever.

The target receives a blank email with a subject line about a “price revision.” The email contains an attachment that looks like an Excel spreadsheet file (.xlsx). However, the “spreadsheet” is actually a .html file in disguise. Upon opening the (disguised) .html file, the target is directed to a website containing malicious code. The code triggers a pop-up notification, telling the user they’ve been logged out of Microsoft 365, and inviting them to re-enter their login credentials. You can guess what happens next—the fraudulent web form sends the user’s credentials off to the cybercriminals running the scam.

This type of phishing—which relies on human error combined with weak defenses—has thrived during the pandemic. Phishing rates doubled in 2020, according to the latest FBI data.

Further reading:
⚡ Is Your Office 365 Email Secure?
⚡ Most Impersonated Brands in Phishing Scams

5. Ransomware gang hijacks victim’s email account

In April 2021, several employees of U.K. rail operator Merseyrail received an unusual email from their boss’s email account with the subject line “Lockbit Ransomware Attack and Data Theft.” Journalists from several newspapers and tech sites were also copied in. The email—sent by a fraudster impersonating Merseyrail’s director—revealed that the company had been hacked and had tried to downplay the incident. The email also included an image of a Merseyrail employee’s personal data. It’s not clear how Merseyrail’s email system got compromised (although security experts suspect a spear phishing attack)—but the “double extortion” involved makes this attack particularly brutal. The “Lockbit” gang not only exfiltrated Merseyrail’s personal data and demanded a ransom to release it—the scammers used their access to the company’s systems to launch an embarrassing publicity campaign on behalf of its director.

6. Phishing scam uses HTML tables to evade traditional email security

Criminals are always looking for new ways to evade email security software. One BEC attack, discovered in April 2021, involves a particularly devious way of sneaking through traditional email security software like Secure Email Gateways (SEGs) and rule-based Data Loss Prevention (DLP). BEC attacks often rely on impersonating official emails from respected companies. This means embedding the company’s logos and branding into the email as image files. Some “rule-based” email security software automatically treats image files as suspicious. If a phishing email contains a .png file of the Microsoft Windows logo, the email is more likely to be detected—but without that distinctive branding, the email won’t look like it came from Microsoft. But once again, cyber criminals have found a way to exploit the rule-based security approach.

To imitate Microsoft’s branding, this attack uses a table instead of an image file—simply a four-square grid, colored to look like the Windows logo. The average employee is unlikely to closely inspect the logo and will automatically trust the contents of the email. This isn’t the first time fraudsters have used tables to evade rule-based DLP software. For example, some email security filters are set up to detect certain words, like “bitcoin.” One way around this is to create a borderless table and split the word across the columns: “bi | tc | oin.”

Further reading:
⚡ What is Email DLP?

7. Google Drive collaboration scam

In late 2020, a novel but simple social engineering scam emerged that exploited Google Drive’s notification system. The fraud begins with the creation of a document containing malicious links to a phishing site. The scammer then tags their target in a comment on the document, asking the person to collaborate. Once tagged, the target receives a legitimate email notification from Google containing the comment’s text and a link to the relevant document. If the scam works, the victim will view the document, read the comments, and feel flattered that they’re being asked to collaborate. Then, the victim will click one of the malicious links, visit the phishing site, and enter their login credentials or other personal data.

This scam is particularly clever because it exploits Google’s email notification system for added legitimacy. Such notifications come straight from Google and are unlikely to trigger a spam filter. But like all social engineering attacks, the Google Drive collaboration scam plays on the victim’s emotions: in this case, the pride and generosity we might feel when called upon for help. Want to see a screenshot of a similar attack? We break down a spear phishing attack in which the attacker impersonates Microsoft Teams. Check it out here.

8. SharePoint phishing fraud targets home workers

April 2021 saw yet another phishing attack emerge that appears specifically designed to target remote workers using cloud-based software. The attack begins when the target receives an email—written in the urgent tone favored by phishing scammers—requesting their signature on a document hosted in Microsoft SharePoint. The email looks legitimate. It includes the SharePoint logo and branding familiar to many office workers. But the link leads to a phishing site designed to siphon off users’ credentials. Phishing attacks increasingly aim to exploit remote collaboration software—Microsoft research suggests nearly half of IT professionals cited the need for new collaboration tools as a major security vulnerability during the shift to working from home.

Further reading:
⚡ 7 Concerns IT Leaders Have About Permanent Remote Working
⚡ Ultimate Guide to Staying Secure While Working Remotely
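Example 4 above turns on an attachment whose name says .xlsx while its bytes are an HTML page. The following Python check, an added example rather than code from the article, decides an attachment's type from its content (a genuine .xlsx is a zip container with [Content_Types].xml and an xl/ directory) and compares that with the extension. The file name, the HTML body and the placeholder URL are constructed for the demonstration.

```python
import io
import zipfile

# Directory that an Office Open XML container of each type must contain.
OOXML_MARKERS = {"xlsx": "xl/", "docx": "word/", "pptx": "ppt/"}
HTML_TOKENS = (b"<!doctype", b"<html", b"<head", b"<body", b"<script", b"<form")


def sniff_type(data: bytes) -> str:
    """Identify an attachment from its bytes rather than its name."""
    head = data[:4096]
    if head.startswith(b"%PDF-"):
        return "pdf"
    if head.startswith(b"PK\x03\x04"):
        # A real .xlsx/.docx/.pptx is a zip with [Content_Types].xml at the root.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "zip-damaged"
        if "[Content_Types].xml" in names:
            for ext, prefix in OOXML_MARKERS.items():
                if any(n.startswith(prefix) for n in names):
                    return ext
            return "ooxml-other"
        return "zip"
    # Strip a UTF-8 BOM and leading whitespace before looking for HTML markers.
    text = head.lstrip(b"\xef\xbb\xbf \t\r\n").lower()
    if any(tok in text for tok in HTML_TOKENS):
        return "html"
    return "unknown"


def claimed_type(filename: str) -> str:
    """Type implied by the final extension, lower-cased ('' when there is none)."""
    name = filename.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def check_attachment(filename: str, data: bytes) -> dict:
    """Flag attachments whose bytes contradict a document-type extension."""
    claimed = claimed_type(filename)
    actual = sniff_type(data)
    disguised = claimed in ("pdf", *OOXML_MARKERS) and actual != claimed
    return {"claimed": claimed, "actual": actual, "disguised": disguised}


def build_minimal_xlsx() -> bytes:
    """Constructed stand-in for a genuine workbook: the zip layout Excel
    produces, with placeholder XML (enough for the container check above)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()


# Constructed sample: the "spreadsheet" is really an HTML page that would send
# the reader to a credential-harvesting site; the URL is a placeholder.
FAKE_XLSX = b"""<!DOCTYPE html>
<html><body><p>Price revision</p>
<a href="https://example.invalid/placeholder">Open document</a></body></html>"""

if __name__ == "__main__":
    print(check_attachment("price_revision.xlsx", FAKE_XLSX))
    print(check_attachment("price_revision.xlsx", build_minimal_xlsx()))
```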
9. $75 Million Belgian Bank Whaling Attack

Perhaps the most successful social engineering attack of all time was conducted against Belgian bank Crelan. While Crelan discovered its CEO had been “whaled” after conducting a routine internal audit, the perpetrators got away with $75 million and have never been brought to justice. Crelan fell victim to “whaling” — a type of spear-phishing where the scammers target high-level executives. Cybercriminals frequently try to harpoon these big targets because they have easy access to funds.

Further reading:
⚡ Whaling Email Attacks: Examples & Prevention Strategies

10. High-Profile Twitter Users’ Accounts Compromised After Vishing Scam

In July 2020, Twitter lost control of 130 Twitter accounts, including those of some of the world’s most famous people — Barack Obama, Joe Biden, and Kanye West. The hackers downloaded some users’ Twitter data, accessed DMs, and made Tweets requesting donations to a Bitcoin wallet. Within minutes — before Twitter could remove the tweets — the perpetrator had earned around $110,000 in Bitcoin across more than 320 transactions. Twitter has described the incident as a “phone spear phishing” attack (also known as a “vishing” attack). The calls’ details remain unclear, but somehow Twitter employees were tricked into revealing account credentials that allowed access to the compromised accounts. Following the hack, the FBI launched an investigation into Twitter’s security procedures. The scandal saw Twitter’s share price plummet by 7% in pre-market trading the following day.

Further reading:
⚡ What You Need to Know About Vishing

11. Texas Attorney-General Warns of Delivery Company Smishing Scam

Nearly everyone gets the occasional text message that looks like it could be a potential scam. But in September 2020, one smishing (SMS phishing) attack became so widespread that the Texas Attorney-General put out a press release warning residents about it. Victims of this scam received a fraudulent text message purporting to be from a delivery company such as DHL, UPS, or FedEx. The SMS invited the target to click a link and “claim ownership” of an undelivered package. After following the link, the target was asked to provide personal information and credit card details. The Texas Attorney-General warned all Texans not to follow the link. He stated that delivery companies do not communicate with customers in this way, and urged anyone receiving the text message to report it to the Office of the Attorney General or the Federal Trade Commission.

Top tip: Never respond to any suspicious message, click links within SMS messages, or reveal personal or company information via SMS.

Further reading:
⚡ Examples of Smishing Attacks

Prevent social engineering attacks in your organization

There’s one common thread through all of these attacks, whether delivered by email, text, or voicemail: they’re really, really hard to spot. That’s why technology is essential and where Tessian comes in. Powered by machine learning, Tessian Defender analyzes and learns from an organization’s current and historical email data and protects employees against inbound email security threats, including whaling, CEO Fraud, BEC, spear phishing, and other targeted social engineering attacks. To learn more about how Tessian can protect your people and data against social engineering attacks on email, book a demo today. Or, if you’d rather just stay up-to-date with the latest social engineering attacks, subscribe to our weekly blog digest. You’ll get news, threat intel, and insights from security leaders for security leaders straight to your inbox.
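Example 6 above describes two HTML-table tricks that defeat rule-based filters: a watchword split across borderless cells (“bi | tc | oin”) and a logo drawn as a four-cell coloured grid so that no image file is attached. The Python below, an added example and not Tessian's own detection logic, parses an email body with the standard library, joins each table's cell text before keyword matching, and counts small text-free tables whose cells differ only by background colour. The watchword list and the sample message are constructed for the demonstration; the parser assumes tables are not nested.

```python
from html.parser import HTMLParser
import re

# Terms a keyword filter would look for; constructed list for this example.
WATCHWORDS = ("bitcoin", "wire transfer")


class TableCollector(HTMLParser):
    """Collects, for every <table>, the text of each cell and the cell's
    inline background colour. Assumes tables are not nested."""

    def __init__(self):
        super().__init__()
        self.tables = []       # finished tables: {"cells": [...], "colors": [...]}
        self._open = []        # tables still being parsed
        self._in_cell = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "table":
            self._open.append({"cells": [], "colors": []})
        elif tag in ("td", "th") and self._open:
            self._in_cell = True
            self._buf = []
            # Colour may arrive as style="background:..." or a bgcolor attribute.
            m = re.search(r"background(?:-color)?\s*:\s*([#\w]+)", attrs.get("style", ""), re.I)
            colour = m.group(1) if m else attrs.get("bgcolor", "")
            self._open[-1]["colors"].append(colour.lower())

    def handle_endtag(self, tag):
        if tag in ("td", "th") and self._in_cell and self._open:
            self._open[-1]["cells"].append("".join(self._buf).strip())
            self._in_cell = False
        elif tag == "table" and self._open:
            self.tables.append(self._open.pop())

    def handle_data(self, data):
        if self._in_cell:
            self._buf.append(data)


def split_keyword_hits(tables, watchwords=WATCHWORDS):
    """Watchwords that only appear once a table's cells are read as one string,
    i.e. words an attacker split across columns ("bi | tc | oin")."""
    hits = set()
    for t in tables:
        joined = re.sub(r"\s+", "", "".join(t["cells"])).lower()
        for word in watchwords:
            compact = word.replace(" ", "")
            in_single_cell = any(compact in c.replace(" ", "").lower() for c in t["cells"])
            if compact in joined and not in_single_cell:
                hits.add(word)
    return sorted(hits)


def logo_grid_tables(tables):
    """Count small, text-free tables whose cells differ only by background colour:
    a brand mark drawn with cells so that no image needs to be attached."""
    count = 0
    for t in tables:
        distinct = {c for c in t["colors"] if c}
        if 2 <= len(t["cells"]) <= 6 and not any(t["cells"]) and len(distinct) >= 3:
            count += 1
    return count


def analyze(html):
    """Run both checks over one HTML email body."""
    parser = TableCollector()
    parser.feed(html)
    parser.close()
    return {"split_keywords": split_keyword_hits(parser.tables),
            "logo_grids": logo_grid_tables(parser.tables)}


# Constructed sample message body: a four-cell coloured grid standing in for a
# logo, followed by "bitcoin" split across three borderless cells.
SAMPLE_HTML = """<html><body>
<table style="border:0"><tr>
<td style="background:red"></td><td style="background:green"></td></tr><tr>
<td style="background:blue"></td><td style="background:yellow"></td></tr></table>
<p>Your account has been suspended. Settle the fee in</p>
<table border="0"><tr><td>bi</td><td>tc</td><td>oin</td></tr></table>
<p>to restore access.</p>
</body></html>"""

if __name__ == "__main__":
    print(analyze(SAMPLE_HTML))
```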
Human Layer Security Spear Phishing
Phishing Awareness Training: How Effective is Security Training?
By Maddie Rosenthal
30 April 2021
Phishing awareness training is an essential part of any cybersecurity strategy. But is it enough on its own? This article will look at the pros and cons of phishing awareness training—and consider how you can make your security program more effective. Still wondering how big of a problem phishing really is? Check out this collection of 50+ phishing statistics. Don’t feel like scrolling? For more information about each point, you can click the text below to jump down on the page. 
✅ Pros of phishing awareness training

Employees learn how to spot phishing attacks

While people working in security, IT, or compliance are all too familiar with phishing, spear phishing, and social engineering, the average employee isn’t. The reality is, they might not have even heard of these terms, let alone know how to identify them. But, by showing employees examples of attacks – including the subject lines to watch out for, a high-level overview of domain impersonation, and the types of requests hackers will generally make – they’ll immediately be better placed to identify what is and isn’t a phishing attack.

Looking for resources to help train your employees? Check out this blog with a shareable PDF. It includes examples of phishing attacks and reasons why the email is suspicious.

It’s a good chance to remind employees of existing policies and procedures

Enabling employees to identify phishing attacks is important. But you have to make sure they know what to do if and when they receive one, too. Training is the perfect opportunity to remind employees of existing policies and procedures. For example, who to report attacks to within the security or IT team. Training should also reinforce the importance of other policies, specifically around creating strong passwords, storing them safely, and updating them frequently. After all, credentials are the number one “type” of data hackers harvest in phishing attacks.

Security leaders can identify particularly risky and at-risk employees

By getting teams across departments together for training sessions and phishing simulations, security leaders will get a bird’s-eye view of employee behavior. Are certain departments or individuals more likely to click a malicious link than others? Are senior executives skipping training sessions? Are new-starters struggling to pass post-training assessments?
These observations will help security leaders stay ahead of security incidents, can inform subsequent training sessions, and can help pinpoint gaps in the overall security strategy.
Training satisfies compliance standards

While you can read more about various compliance standards – including GDPR, CCPA, HIPAA, and GLBA – on our compliance hub, they all include a clause that outlines the importance of implementing proper data security practices. What are “proper data security practices”? This criterion has – for the most part – not been formally defined. But, phishing awareness training is certainly a step in the right direction and demonstrates a concerted effort to secure data company-wide.

It helps organizations foster a strong security culture

In the last several years (due in part to increased regulation) cybersecurity has become business-critical. But, it takes a village to keep systems and data safe, which means accountability is required from everyone to make policies, procedures, and tech solutions truly effective. That’s why creating and maintaining a strong security culture is so important. While this is easier said than done, training sessions can help encourage employees – whether in finance or sales – to become less passive in their roles as they relate to cybersecurity, especially when gamification is used to drive engagement. You can read more about creating a positive security culture on our blog.
❌ Cons of phishing awareness training

Training alone can’t prevent human error

People make mistakes. Even if you hold a three-hour-long cybersecurity training session every day of the week, you’ll never be able to eliminate the possibility of human error. Don’t believe us? Take it from the U.K.’s National Cyber Security Centre (NCSC): “Spotting phishing emails is hard, and spear phishing is even harder to detect. Even experts from the NCSC struggle. The advice given in many training packages, based on standard warnings and signs, will help your users spot some phishing emails, but they cannot teach everyone to spot all phishing emails.” That’s right, even the U.K.’s top cybersecurity experts can’t always spot a phishing scam. Social engineering incidents—attacks that play on people’s emotions and undermine their trust—are becoming increasingly sophisticated. For example, using Account Takeover techniques, cybercriminals can hack your vendors’ email accounts and intercept email conversations with your employees. The signs of an account take-over attack, such as minor changes in the sender’s writing style, are imperceptible to humans.

Phishing awareness training is always one step behind

Hackers think and move quickly and are constantly crafting more sophisticated attacks to evade detection. That means that training that was relevant three months ago may not be relevant today. In the last year, we’ve seen bad actors leverage COVID-19, Tax Day, furlough schemes, unemployment checks, and the vaccine roll-out to trick unsuspecting targets. What could be next?

Training is expensive

According to Mark Logsdon, Head of Cyber Assurance and Oversight at Prudential, there are three fundamental flaws in training: it’s boring, often irrelevant, and expensive. We’ll cover the first two below but, for now, let’s focus on the cost. Needless to say, the cost of training and simulation software varies vendor-by-vendor. But, the solution itself is far from the only cost to consider.
What about lost productivity? Imagine you have a 1,000-person organization and, as a part of an aggressive inbound strategy, you’ve opted to hold training every quarter. Training lasts, on average, three hours. That’s 12,000 lost hours a year.  While – yes – a successful attack would cost more, we can’t forget that training alone doesn’t work. (See point 1: Phishing awareness training can’t prevent human error.)
Phishing awareness training isn’t targeted (or engaging) enough

Going back to what Mark Logsdon said: Training is boring and often irrelevant. It’s easy to see why. You can’t apply one lesson to an entire organization – whether it’s 20 people or 20,000 – and expect it to stick. It has to be targeted based on age, department, and tech-literacy. Age is especially important. According to Tessian’s latest research, nearly three-quarters of respondents who admitted to clicking a phishing email were aged between 18-40 years old. In comparison, just 8% of people over 51 said they had done the same. However, the older generation was also the least likely to know what a phishing email was. Jeff Hancock, the Harry and Norman Chandler Professor of Communication at Stanford University and expert in trust and deception, explained how tailored training programs could help.
Should I create a phishing awareness training program?

The short answer: “Yes”. These programs can help teach employees what phishing is, how to spot phishing emails, what to do if they’re targeted, and the implications of falling for an attack. But, as we’ve said, training isn’t a silver bullet. It will curb the problem, but it won’t prevent mistakes from happening. That’s why security leaders need to bolster training with technology that detects and prevents inbound threats. That way, employees aren’t the last line of defense. But, given the frequency of attacks year-on-year, it’s clear that spam filters, antivirus software, and other legacy security solutions aren’t enough. That’s where Tessian comes in.

How does Tessian detect and prevent targeted phishing attacks?

Tessian fills a critical gap in security strategies that SEGs, spam filters, and training alone can’t. By learning from historical email data, Tessian’s machine learning algorithms can understand specific user relationships and the context behind each email. This allows Tessian Defender to detect a wide range of impersonations, spanning more obvious, payload-based attacks to difficult-to-spot social-engineered ones like CEO Fraud and Business Email Compromise. Once detected, real-time warnings are triggered and explain exactly why the email was flagged, including specific information from the email. Best of all? These warnings are written in plain, easy-to-understand language.
These in-the-moment warnings reinforce training and policies and help employees improve their security reflexes over time. To learn more about how tools like Tessian Defender can prevent spear phishing attacks, speak to one of our experts and request a demo today. Not ready for a demo? Sign up for our weekly blog digest to get more cybersecurity content, straight to your inbox.
Threat Intel Spear Phishing
Cybercriminals Take Advantage of Mass Unemployment in Phishing Scams
By Charles Brook
07 April 2021
The global COVID-19 pandemic has wreaked havoc on job markets. In the US, the unemployment rate stands at 6.2 percent and in the UK, it’s estimated that around 2.2 million people, or 6.5% of all workers, could be unemployed at the end of the year. Cybercriminals are taking note.

When Tessian researchers analyzed suspicious emails relating to ‘unemployment’ and terms associated with unemployment that were flagged by our inbound solution Tessian Defender, they saw a notable spike in suspicious emails related to unemployment and COVID-19 in the week of 24th February – the week in which President Biden announced the third round of stimulus checks, which would send billions of dollars to people without jobs. Our researchers also noted a spike in suspicious activity during the week of 8th March, which is when the COVID-19 stimulus checks started being received. They found that:

In the week of 24th February, the number of suspicious unemployment and COVID-19 related emails was 40% higher than the weekly average of such emails detected since the start of 2021. The number of unemployment themed emails alone was 16% higher than the weekly average.
In the week of 24th February, the number of unemployment and COVID-19 related emails was 50% higher than the previous week.
In the week of 8th March, the number of suspicious unemployment and COVID-19 related emails was 51% higher than the weekly average recorded since the start of 2021. The number of unemployment and COVID-19 related emails detected during this week was 69% higher than the previous week.

Over the last 12 months, cybercriminals have capitalized on the fear, uncertainty and doubt created by the global pandemic to make their scams as believable and convincing as possible.
At the start of 2021, for example, Tessian reported a surge in newly registered domains related to the vaccine roll-out and confirmed that a number of these websites were malicious and designed to harvest people’s financial information and account credentials. Now, cybercriminals are launching scams to prey on people who are vulnerable, out of work and urgently looking for relief. They are well aware that these individuals may be applying a little less scrutiny to the messages they receive – especially if the emails appear to have come from a legitimate and trusted sender.

How do unemployment scams work?

Here’s how a typical unemployment related scam works:

A fake job posting is listed on legitimate job sites. Often, scammers will target small businesses to spoof or impersonate, as it is less likely for these companies to monitor their job listings.
An applicant will respond to that ad and will be sent a generic email asking them to perform a task for the interview process. These phishing emails could contain malicious attachments that applicants are asked to download or links to fake websites that ask applicants to input sensitive or personal information. This information could, then, be used to commit identity fraud.
Scammers will also ask applicants to click on a link that refers them to a fake credit check website. Here, they will ask the applicant to share financial information or wire money.

Cybercriminals can also identify targets via social media sites like LinkedIn. A recent report from Tessian found that 93% of people share job updates online, and while it’s common for people to let their networks know that they’ve been laid off and are looking for jobs, they are also unknowingly giving cybercriminals the information they need to craft convincing social engineering attacks that are designed to steal personal information.

The FBI has released warnings of unemployment scams, disclosing that many U.S. citizens have been victimized by bad actors “impersonating the victims and using the victims’ stolen identities to submit fraudulent unemployment insurance claims online.” In fact, figures from a watchdog for the U.S. Department of Labor reveal that Americans have lost a shocking $63 billion of unemployment funds during the pandemic to improper payments and fraud, while the Illinois Department of Employment Security reports having stopped around 1.1 million claims involving identity theft in the past year. In many cases, victims don’t even realize they’ve been targeted until they later try to file for unemployment insurance benefits, receive a notification from the state unemployment insurance agency or even get notified by their employer that a claim has been filed while the victim is still employed.
What can you do to avoid falling victim to the scams?

It’s always worth remembering that an official government agency or state workforce agency (SWA) will not contact you out of the blue, asking you to apply for UI benefits via an email or a text. So if you do receive a message like this, do not click on the links or comply with the requested actions. We also recommend that you:

- Inspect emails carefully. Look for the .gov URL in the sender’s email address and check that the sender’s email domain matches the sender’s name.
- Don’t click on anything unless it’s from a legitimate source. Verify the legitimacy of the sender by calling the organization or agency directly.
- Adopt two-factor authentication and try not to use the same password across different sites. Password generators like 1Password create unique passwords and protect them with encryption.
- Monitor your bank accounts on a regular basis to check for any fraudulent activity.
Human Layer Security Spear Phishing
Types of Email Attacks Every Business Should Prepare For
01 April 2021
Email remains the number one tool of business communication. The email network is open to practically anyone—and its flexibility, reliability, and convenience mean it’s not going away any time soon. But for all its benefits, email can also be a vector for serious cyberattacks. Social engineering attacks like phishing can lead to data breaches, malware attacks, and billions of dollars in losses for businesses worldwide. This article will explain the major types of email attacks, provide some data on how common they are, and consider the devastating impact that email attacks can have on your business.

Types of email attacks

First, we’ll walk you through some of the most common types of email attacks.

Phishing

Phishing can mean one of two things:

- An “umbrella term” meaning any social engineering attack that takes place via email.
- A type of email attack where the attacker sends a lot of malicious emails in an untargeted way.

When we use “phishing” as an umbrella term, it refers to the most common type of email attack. Any malicious email that tries to trick you into clicking a link, opening a file, or taking any other action that causes harm can be part of a phishing attack. All of the other types of email attacks we’ll look at below are forms of phishing, if we use the term in this broad way.

When we use “phishing” as a specific term, it means a “bulk” or “spray and pray” email attack, where the malicious email is sent to many unnamed recipients. Here’s an example:
What makes this a phishing email?

- There’s no addressee: It says “Hello,” not “Hello Rob.”
- The “update account now” button leads to a credential phishing page.
- Most importantly — Netflix didn’t send it!

Further reading:
⚡ What is Phishing?
⚡ Spam vs. Phishing: The Difference Between Spam and Phishing
⚡ How Easy is it to Phish?
⚡ How to Avoid Falling For a Phishing Attack | 6 Useful Tips

Spear phishing

Spear phishing is an email attack targeting a specific individual. So, whereas bulk phishing uses a net — sending emails to as many potential victims as possible — spear phishing uses a spear to target one specific victim. Again, spear phishing can also be an umbrella term, in that there are lots of different types of spear phishing attack. Some of the examples below, including Business Email Compromise (BEC) and CEO fraud, are almost always spear phishing attacks. Why? Because whenever a phishing attack targets a specific individual, it’s a spear phishing attack. Here’s an example:
What makes this a spear phishing email?

- It targets a specific person.
- The “click here” link leads to a credential phishing website.
- Most importantly — you guessed it — DHL didn’t send it!

Further reading:
⚡ What is Spear Phishing?
⚡ What’s the Difference Between Phishing and Spear Phishing?
⚡ Spear Phishing: Screenshots of Real Email Attacks

Business Email Compromise (BEC)

Business Email Compromise (BEC) is any phishing attack where the attacker uses a hacked, spoofed, or impersonated corporate email address. In the sense that the attacker is impersonating a business, the Netflix and DHL examples above are both BEC attacks. But we normally use “BEC” to refer to a more sophisticated form of email attack. For example, one of the biggest cyberattacks of all time is an example of BEC. Between 2013 and 2015, a Latvian cybercrime gang headed by Evaldas Rimasauskas scammed Facebook and Google out of around $121 million by impersonating their suppliers and sending fake invoices via email.

Further reading:
⚡ What is Business Email Compromise (BEC)?
⚡ 5 Real Examples of Business Email Compromise
CEO fraud

In a CEO fraud attack, the attacker impersonates a company executive and targets a less senior employee. Here’s an example:
What makes this a CEO fraud attack?

- The sender’s email address impersonates a real company executive (note the method here is email impersonation — “microsott.com” — but other methods such as email spoofing are also common).
- The sender (“Leon”) puts a lot of pressure on the recipient (Tess). Stressed people make poor decisions.
- The attack involves wire transfer fraud. While not all CEO fraud attacks involve wire transfer fraud, this is a very common tactic.

Further reading:
⚡ What is CEO Fraud?
⚡ CEO Fraud Prevention: 3 Effective Solutions

How common are email attacks?

Email attacks are on the rise, and are now extremely common.

- According to the FBI’s Internet Crime Complaint Center (IC3), phishing incidents more than doubled from 2019 to 2020, costing victims over $54 million in direct losses.
- Verizon says 22% of breaches in 2019 involved phishing.
- Around 75% of organizations around the world experienced some kind of phishing attack in 2020.

Want more data on phishing and other email attacks? See our article Phishing Statistics (Updated 2021).

Consequences of email attacks

What are the main consequences of email attacks on businesses and their customers?

- Data breaches: Attackers use techniques such as credential phishing to exfiltrate your customers’ personal information. Data breaches can attract investigations, regulatory fines, and class-action lawsuits. IBM estimates that the average data breach costs a business $3.86 million.
- Malware: Some email attacks aim to deposit a malicious payload on the recipient’s device. This payload is normally some form of malware, for example:
  - A virus, which can infect other devices on your network
  - Spyware, which can log your keystrokes and online activity
  - Ransomware, which encrypts your valuable data and demands you pay a ransom to get it back.
- Wire transfer fraud: Spear phishing attacks—particularly if they involve BEC or CEO fraud—often attempt to persuade the target into transferring funds into a bank account controlled by the attacker. And it really works—that’s why the FBI calls BEC “the $26 billion scam”.
Spear Phishing
Everything You Need to Know About Tax Day Scams 2021
By Maddie Rosenthal
23 March 2021
It’s that time of year again… Tax Day. But making a payment to the IRS isn’t the only thing you need to be worried about. ‘Tis the season for Tax Day scams. These phishing attacks can take many different forms. In the US, these attacks will use the deadline to file your income tax returns (May 17, 2021, extended from April 15, 2021) as bait. In the UK, these attacks will use your potential tax refund as bait. But we’re here to help. Here’s what you need to look out for and what to do in case you’re targeted by Tax Day scams.
What do Tax Day scams look like?

As is the case with other phishing and spear phishing attacks, bad actors will be impersonating trusted brands and authorities and will be, in some way, motivating you to act. Want to learn more about impersonation or get a better idea of what the average phishing attack looks like? Check out these articles:

- What is Phishing? Phishing 101
- What is Spear Phishing?
- The Difference Between Phishing and Spear Phishing
- What is Email Impersonation?

Please note: In this article, we’re exploring Tax Day scams on email. You may also receive phone calls or text messages from bad actors, claiming that you’re being investigated for tax fraud or have an overdue bill. They may also simply request more information from you, like your name and address, or bank account details. You shouldn’t give any of this information away over the phone. Government organizations will never call you or use recorded messages to demand payment.

Now, let’s take a closer look at how they do both through a series of examples.

Example 1: IRS Impersonation
What’s wrong with this email?

- The IRS has said they never contact taxpayers by email, so any correspondence “from” them is illegitimate
- There is an extra “r” in “internal” in the sender’s email address
- Email addresses from government agencies will always contain the top-level domain “.gov”
- There are spelling errors and inconsistencies in the text that you wouldn’t expect from a government agency

Example 2: Tax-Preparation Software Impersonation
What’s wrong with this email?

- While the sender’s email address does contain the company name (Fast Tax), the top-level domain (.as) is unusual
- The sender is motivating the target to follow the embedded link by claiming their tax return is incomplete
- Upon hovering over the link, you’ll see the URL is suspicious. Please note, though: A suspicious URL can still take you to a landing page that appears legitimate. These are called malicious websites. Want to learn how to spot a malicious website? Check out this article.

Example 3: HMRC Impersonation
What’s wrong with this email?

- While the Display Name, email template, logos, and language used in the email seem consistent with HMRC, the sender’s email address contains the top-level domain “.net” instead of “.gov.uk”
- Upon hovering over the link, you’ll see the URL is suspicious

Example 4: Client Impersonation
What’s wrong with this email?

- Unfortunately, in this case, there are no obvious giveaways that this is a phishing scam. However, if Joe, the tax accountant in this scenario, knew he hadn’t met or interacted with a woman named Karen Belmont, that could be a warning sign
- Individuals and organizations should always be wary of attachments and should have anti-malware and/or virus protection in place

This example demonstrates the importance of having policies in place to verify clients beyond email. And remember, there’s nothing wrong with being extra cautious this time of year.

Example 5: CEO Impersonation
What’s wrong with this email?

- The sender’s email address (@supplier-xyz.com) is inconsistent with the recipient’s email address (@supplierxyz.com)
- The attacker is impersonating the CEO, hoping that the target will be less likely to question the request; this is a common social engineering tactic
- The attacker is using urgency both in the subject line and the email copy to motivate the target to act quickly
- Because this is a zero-payload attack (an attack that doesn’t rely on a link or attachment to carry malware), anti-malware or anti-virus software wouldn’t detect the scam

You can learn more about CEO impersonation (also called CEO fraud) in this article: What is CEO Fraud?

Who will be targeted by Tax Day scams?

From the examples above, you can see that cybercriminals will target a range of people with their Tax Day scams. Taxpayers, tax professionals, and businesses are all susceptible, and savvy hackers will use different tactics for each. Here’s what you should look out for.

Taxpayers

- Attackers will be impersonating trusted government agencies like the IRS and HMRC, and third parties like tax professionals and tax software vendors
- Attackers will use coercive language and the threat of missed deadlines or promises of refunds to motivate their targets to act
- Many phishing emails contain a payload; this could be in the form of a malicious link or attachment. For more information on payloads, read this article: What is a Malicious Payload and How is it Delivered?

Tax Professionals

- Attackers will be impersonating either existing clients/customers or prospects. In either case, they’ll be pretending they need help with their tax return or tax refund
- Attackers will use the lure of new business or the threat of losing a customer to motivate their targets to act
- Many phishing emails contain a payload; this could be in the form of a malicious link or attachment.
Businesses

- Attackers will be impersonating CEOs, HR representatives, Finance Directors, or other individuals or agencies who need access to sensitive tax information
- Attackers are strategic in their impersonations of people in positions of power; people are less likely to question their superiors.

What do I do if I’m targeted by a Tax Day scam?

While it’s true that attackers use different tactics and capitalize on different moments in time to trick their targets, individuals and businesses should always follow the same guidelines if they think they’ve received a phishing email.
- First and foremost, always, always, always check the sender. Confirm that the domain is legitimate and that the Display Name matches the email address. Be wary of any emails that aren’t from a “.gov” address. If anything seems unusual, do not follow or click links or download attachments
- Check for spelling errors or formatting issues. Be scrupulous! If anything feels off, proceed cautiously. (See below.)
- If the email appears to come from an individual you know and trust, like a colleague, customer, or client, reach out to the individual directly by phone, text or a separate email thread
- If you’re an employee who’s been targeted, contact your line manager and/or IT team. Management should, in turn, warn the larger organization

The best way to avoid falling victim to one of these scams is to simply not provide any personal information until you verify with 100% certainty that you’re communicating with a genuine agency, organization, or agent. Visit the organization’s website via Google or your preferred search engine, find a support number, and ask them to confirm the request for information is valid.
More resources

As a security start-up, we’re committed to helping you stay safe. If you’re looking for more information on Tax Day scams, consult the following government websites:

- Advice from the IRS
- Advice from HMRC

Looking for more advice about scams? Sign up to our newsletter below to get articles just like this, straight to your inbox.
Spear Phishing
How to Prevent Email Impersonation | What You Can Do Now
16 March 2021
Email impersonation is a key method cybercriminals use to conduct phishing attacks. That’s because this technique is simple, accessible, and can evade many conventional security defenses. By switching out characters in an email address, using false display names, or securing top-level domains in the name of legitimate businesses, cybercriminals can impersonate your employees, vendors, or business partners — and they can do so pretty convincingly. Looking for more background on what exactly email impersonation is? We explore the definition and different types of email impersonation in this article: What is Email Impersonation? Everything You Need to Know. This article will guide you through how to recognize and combat email impersonation attacks.
We also have guidance on defending against related cybercrimes such as email spoofing, Business Email Compromise, and CEO fraud.

Employee security awareness training

Security leaders understand how important it is to involve the whole team in a company’s cybersecurity strategy. That’s why every security-conscious organization has an employee training program that helps staff recognize the signs of a phishing attack. But it’s important that your security awareness training is tailored, engaging, and consistently reinforced. Want more tips? Check out this article: The 7 Deadly Sins of Security Awareness Training.

And, regardless of how tailored and engaging your training is, security awareness training can’t be your only defense against social engineering — many of the more sophisticated attacks just aren’t detectable by humans. Nonetheless, a security awareness program can help your team spot the more obvious signs of danger and understand the importance of cybersecurity.

Signs of email impersonation

Your employees should be able to realize when something suspicious is occurring. Email impersonation can be tricky to spot, but it usually is detectable — if you’re paying attention. So what are the signs to look out for that indicate email impersonation? Let’s take a look at some of the different ways a cybercriminal could impersonate Elon Musk, CEO of Tesla, whose email (we’ll imagine) is [email protected]:
As you can see, cybercriminals have several options for impersonating an email address. Employees should look out for signs such as:

- Replacement characters (1 = l, a = 4, o = 0, etc.)
- Obscure or unexpected top-level domains
- Suspicious subdomains
- Incorrect domains associated with the username
- Display names that don’t correspond with the supposed sender

We look at these email impersonation techniques in more detail in our article What Is Email Impersonation?

Signs of a phishing attack

Beyond recognizing the signs of email impersonation, employees must be aware of the more general signs of a phishing attack, which include:

- A sense of urgency: Social engineering attacks depend on exploiting the target’s emotions. A phishing email will normally use a very urgent tone.
- Incorrect branding: Some phishing emails attempt to imitate a company’s logos or branding. Although this is relatively easy, amateur cybercriminals can get it wrong.
- Poor spelling or grammar: Spelling and grammar errors are normally a sign of a phishing email, particularly if the fraudster is imitating an established business.

Bear in mind that most sophisticated phishing emails don’t contain any of these giveaways. And you can’t always expect your employees to notice when they’re under threat. We share five real-world examples of phishing attacks in this blog, which could help you educate your employees about what to look out for.

Deploy email security software

As we’ve seen, email impersonation can be challenging for humans to spot. That’s why deploying an intelligent inbound email security solution is key to preventing email impersonation. As your team switches to remote work, security software is more important than ever. Microsoft research shows that 80% of security professionals saw an increase in security incidents since employees started working from home.
But traditional security solutions like Secure Email Gateways (SEGs) and spam filters can’t protect your employees against many email impersonation attacks. Tessian Defender uses machine learning, anomaly detection, behavioral analysis, and natural language processing to detect even the most subtle signs of email impersonation and phishing. Here’s how Tessian Defender works:

- Tessian’s machine learning algorithms analyze your company’s email data. The software learns each employee’s usual communication patterns and maps their trusted email relationships — both inside and outside your organization.
- Tessian inspects both the content and metadata of inbound emails for any signals suggestive of email impersonation or other phishing attacks, such as suspicious payloads, geophysical locations, IP addresses, email clients, or sending patterns.
- Once it detects a threat, Tessian alerts employees that an email might be unsafe, explaining the threat in easy-to-understand language.

Click here to learn more about how Tessian Defender protects your team from email impersonation and other cybersecurity attacks. You can also explore our customer stories to see how they’re using Tessian Defender to protect their people on email and prevent social engineering attacks like phishing. Not ready to learn more about the solution? That’s okay! Sign up for our newsletter below instead. You’ll be the first to know about new research and events and get helpful checklists and how-to guides straight to your inbox.
Spear Phishing
What is Email Impersonation? Everything You Need to Know
16 March 2021
Email impersonation might not be the most sophisticated phishing method, but it’s simple, it’s widespread, and it can be devastating. Keep reading to learn more.

Email impersonation vs. email spoofing vs. account takeover

First, we need to describe “email impersonation” and distinguish it from some closely related concepts.

- Email impersonation: The attacker sets up an email address that looks like a legitimate email address (e.g. [email protected]).
- Email spoofing: A technical process where the attacker modifies an email’s headers so the receiving email client displays a false email address (the sender’s email address is “[email protected],” but the recipient sees “[email protected]” in their inbox).
- Account takeover: The attacker gains access to another person’s account (using hacking or stolen credentials) and uses it to send phishing emails.

Email spoofing and account takeover require some technical ability (or, at least, access to the dark web). With email impersonation, though, the attacker just needs to secure a domain that looks like it could belong to a legitimate business. This is easy (and cheap!) with domain registrars like GoDaddy. We explore different types of impersonation techniques below.

Phishing methods that use email impersonation

Cybercriminals can use email impersonation to facilitate any type of email-based phishing attack. There are some types of phishing in which email impersonation is particularly common, including:

- Business Email Compromise (BEC) — Impersonating a business
- CEO fraud — Impersonating a company executive and targeting one of their employees
- Whaling — Targeting a company executive

These are all among the more sophisticated and targeted types of phishing attacks. These types of attacks must employ email impersonation, email spoofing, or account takeover to be successful.

Types of email impersonation

Now we’ll look at the various ways a cybercriminal can impersonate an email address.
To understand these, you’ll need to know about the different parts of an email address:
Each of these elements of an email address is relevant to a different type of email impersonation.

Root domain-based email impersonation

A company’s root domain is usually the most distinctive part of its email address. It’s the part immediately before the top-level domain (e.g. “.com”) — the “Amazon” in “[email protected]”. Root domain impersonation involves creating a root domain using replacement characters, so it looks like an email has arrived from a legitimate company. Here’s an example:
In this root domain impersonation, the attacker has replaced the “l” in “external” and “supplier” with a “1”. At first glance, the recipient might not notice this, and they might treat the email as though it has come from “External Supplier.”

Top-level domain-based email impersonation

The top-level domain is the part after the root domain: e.g., “.com”, “.jp”, or “.net”. The top-level domain usually denotes a country or a type of organization. For example:

- .com — Commercial organizations
- .uk — Internet country code for the UK
- .gov — US government agency

Sometimes, a second-level domain accompanies a top-level domain:

- .co.uk — Commercial organization from the UK
- .ac.jp — Higher education institution from Japan
- .waw.pl — Organization from Warsaw, Poland

Using top-level domain impersonation, a cybercriminal can create an authentic-looking email address that the recipient might assume belongs to a legitimate organization (if they even notice it). Here’s an example:
Here we have “externalsupplier.io” imitating “externalsupplier.com”. The top-level domain “.io” is actually registered to the British Indian Ocean Territory (BIOT), but Google treats it as “generic” because many non-BIOT organizations use it.

Subdomain-based email impersonation

A subdomain appears after the “@” sign, but before the root domain. For example, in “[email protected]”, the subdomain is “mail”. Most email addresses don’t have a subdomain. An attacker can use subdomains to impersonate a legitimate company in two main ways:

- Using a company’s name as a subdomain to the attacker’s domain. For example, in “[email protected]”, “amazon” is the subdomain and “mailerinfo” is the domain.
- Splitting a company’s name across a subdomain and domain.

Here’s an example of the second type of subdomain impersonation:
Display name impersonation

A display name is how an email client shows a sender’s name. You can choose your display name when you sign up for an email account. We explore display name impersonation in more detail in this article: How to Impersonate a Display Name.

Display name impersonation exploits a bad habit of mobile email clients. On mobile, common email clients like Outlook and Gmail only display a sender’s display name by default. They don’t display the sender’s email address. So, even an email address like “[email protected]” might show as “Amazon Customer Services” in your mobile email client — if that’s the display name that the attacker selected when setting up the account.

But this isn’t a mobile-only problem. According to new research, just 54% of employees even look at the email address of a sender before responding or actioning a request. This is good news for attackers, and bad news for businesses. You can learn more about employees’ habits – and hackers’ tactics – in this report: How to Hack a Human.

Username impersonation

The username is the part of the email address that appears before the “@” symbol. For example, in “[email protected]”, the username is “bill.gates”. Username impersonation is the least sophisticated form of email impersonation, but it can still work on an unsuspecting target. This technique is sometimes called “freemail impersonation,” because scammers can register false usernames with Gmail or Yahoo. With this technique, they can create accounts that look like they could belong to your CEO, CFO, or another trusted person in your network. Here’s an example:
More resources on email impersonation

Now you know the basic techniques behind email impersonation, read our articles on preventing email impersonation, CEO fraud, and Business Email Compromise to find out how to protect your business from these cyberattacks. You can also learn how Tessian detects and prevents advanced impersonation attacks by reading our customer stories or booking a demo. Not quite ready for that? Sign up for our newsletter below instead. You’ll be the first to know about new research and events and get helpful checklists and how-to guides straight to your inbox.
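The warning signs listed under “Signs of email impersonation” in the prevention article above and the five impersonation types described in this one (root domain, top-level domain, subdomain, display name, username) can be turned into a mechanical check on the From: header. The Python script below is an added example written for this page, not Tessian Defender’s code: it parses a From: header, splits the domain into subdomain, root domain and top-level or second-level suffix, and reports which technique a sender resembles when compared against a list of trusted senders. The trusted-sender table, the freemail list, the small suffix table (a stand-in for the full Public Suffix List) and the sample headers, including the Elon Musk/Tesla and “Leon”/“microsott.com” cases reused from the articles, are all constructed for the demonstration.

```python
"""Heuristic checks for the email impersonation techniques the articles
describe: root-domain lookalikes, top-level-domain swaps, subdomain tricks,
display-name mismatches and freemail ("username") impersonation.

Added example, not Tessian's code. The trusted-sender table, the freemail
list, the suffix table and the sample From: headers are all constructed.
"""
from email.utils import parseaddr

# Stand-in for the Public Suffix List (assumption: a real deployment loads
# the full list). Two-label suffixes are treated as the "top-level" part.
MULTI_LABEL_SUFFIXES = {"co.uk", "ac.jp", "gov.uk", "waw.pl"}

# Replacement characters from the articles (1 = l, a = 4, o = 0) plus a few
# other digits that are commonly swapped for letters.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "4": "a", "3": "e", "5": "s", "7": "t"})

# Constructed list of known-good senders: display name -> domain they use.
TRUSTED_SENDERS = {
    "external supplier": "externalsupplier.com",
    "amazon customer services": "amazon.com",
    "elon musk": "tesla.com",
    "leon": "microsoft.com",
}
# Webmail providers anyone can register a username with (constructed list).
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "ntlworld.com"}


def split_domain(domain):
    """Split 'mail.externalsupplier.co.uk' into ('mail', 'externalsupplier', 'co.uk')."""
    labels = domain.lower().split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    suffix = ".".join(labels[-suffix_len:])
    rest = labels[:-suffix_len]
    root = rest[-1] if rest else ""
    return ".".join(rest[:-1]), root, suffix


def levenshtein(a, b):
    """Edit distance; a single edit catches swaps like 'microsott' for 'microsoft'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header):
    """Return sorted (category, detail) findings for one From: header value."""
    display, address = parseaddr(from_header)
    display = display.strip().lower()
    if "@" not in address:
        return [("unparseable", from_header)]
    domain = address.lower().rsplit("@", 1)[1]
    sub, root, suffix = split_domain(domain)
    findings = set()

    for name, trusted in TRUSTED_SENDERS.items():
        if domain == trusted or domain.endswith("." + trusted):
            continue  # the genuine domain (or a subdomain of it): nothing to flag
        _, t_root, t_suffix = split_domain(trusted)
        # Root domain impersonation: confusable characters or a one-letter edit.
        if root != t_root and (root.translate(CONFUSABLES) == t_root
                               or levenshtein(root, t_root) == 1):
            findings.add(("root_lookalike", f"{domain} resembles {trusted}"))
        # Top-level domain impersonation: same root, different suffix.
        if root == t_root and suffix != t_suffix:
            findings.add(("tld_swap", f"{domain} instead of {trusted}"))
        # Subdomain impersonation: trusted name as a label, or split across labels.
        if sub and (t_root in sub.split(".") or (sub + root).replace(".", "") == t_root):
            findings.add(("subdomain", f"{domain} buries '{t_root}' in a subdomain"))
        # Display name / username impersonation: right name, wrong domain.
        if display == name:
            if domain in FREEMAIL_DOMAINS:
                findings.add(("freemail", f"'{display}' sent from webmail domain {domain}"))
            else:
                findings.add(("display_mismatch", f"'{display}' expected from {trusted}"))
    return sorted(findings)


def categories(from_header):
    """Convenience wrapper: just the set of finding categories."""
    return {cat for cat, _ in classify_sender(from_header)}


if __name__ == "__main__":
    # Constructed headers, one per technique, plus one genuine sender.
    samples = [
        "External Supplier <accounts@externa1supp1ier.com>",
        "External Supplier <accounts@externalsupplier.io>",
        "Amazon Customer Services <no-reply@amazon.mailerinfo.com>",
        "External Supplier <billing@external.supplier.com>",
        "Elon Musk <elon.musk@gmail.com>",
        "Leon <leon@microsott.com>",
        "External Supplier <billing@mail.externalsupplier.com>",
    ]
    for header in samples:
        print(header, "->", classify_sender(header) or "no findings")
```

Run it directly to see each constructed header classified. The character-replacement map and the one-edit distance check are deliberately narrow: a sender whose root domain differs from a trusted root by more than one edit is not reported as a lookalike, and a genuine subdomain of a trusted domain (mail.externalsupplier.com) produces no findings, which is the main false positive such a check has to avoid.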
Spear Phishing
What is Whaling? Whaling Email Attacks Explained
12 March 2021
Let’s jump straight into it…
Wondering why cybercriminals often target the boss, rather than someone lower down the chain of command? The answer is simple: Senior staff members have the greatest power, access, and influence in a company. This article will look at how whaling works, and how it fits into the broader cybercrime landscape. Then we’ll take a look at some real examples of whaling attacks.

How whaling works

First, it’s important to understand that whaling is a type of phishing attack. And, broadly speaking, there are two types of phishing attacks.

- Phishing “in bulk” is like using a trawl net. Cast your net wide — by sending as many phishing emails as you can — and you’re likely to catch quite a few unfortunate minnows.
- With spear phishing, you aim your spear — or email — at a specific fish (er, person). Targets are carefully chosen, and emails are carefully crafted with the specific target in mind. Be patient, be smart, and you might catch something valuable.

So what about whaling? Well, whaling is a type of spear phishing. Whales — or company executives — are the biggest fish in the sea: They’re hard to catch, but if you manage to harpoon one, you could make a lot of money. Scroll down the page for examples of whaling, and you’ll see what we mean. Okay — whales are mammals, not fish… but you get our point.

A company executive is the ultimate prize for cybercriminals. The boss can access information and resources that no other employee can reach.

Why target company executives?

Ultimately, a CEO or CFO is just as likely to fall victim to a social engineering attack as any other employee. In fact, they’re arguably even more likely to do so. A whaling attack email usually asks the target to make a high-pressure decision. Here’s an example of the type of email a company executive might receive as part of a whaling attack:
If the boss is busy, stressed, or overworked (and hopefully they’re busy, at least), they’re more vulnerable to these types of cyberattacks. Tessian research suggests that more than half of employees felt they were more likely to make mistakes at work when they were stressed. Furthermore, higher-level employees have greater access to money and data: the two things cybercriminals want most.

Whaling vs. other types of cyberattack

How does whaling fit into the cybercrime landscape? There are many types of cybercrime. Some are interrelated; others frequently get conflated. As we mentioned, whaling is a type of spear phishing: a phishing attack targeted at a specific individual — in this case, a company executive. Here are some types of cyberattacks that can involve whaling, if they specifically target a company executive:

- Business Email Compromise (BEC): A phishing attack that uses a compromised corporate email address.
- Wire transfer phishing: A phishing attack involving invoice fraud.
- Credential phishing: A phishing attack aiming to steal login credentials.
- Smishing: Phishing via SMS.
- Vishing: Phishing via voice (e.g., via phone or VoIP software).

In other words, a whaling attack can also be a wire transfer phishing attack, for example — if the attacker aims to persuade the target to transfer money into a bank account they control.

Whaling sometimes gets conflated with another important type of cybercrime: CEO fraud. Here’s the difference: In a CEO fraud attack, the attacker impersonates a company executive and targets someone less senior. In a whaling attack, the company executive is the target. Of course, there can be some crossover between these two phishing techniques, too — where a cybercriminal impersonates one company executive and targets another. This occurred in 2017, in a scam that resulted in a $17 million loss for commodities trading company Scoular.
Examples of whaling

Here are some examples of businesses that fell victim to whaling attacks, to give you an idea of how damaging this type of cybercrime can be.

Hedge fund co-founder targeted via Zoom

In November 2020, the co-founder of Australian hedge fund Levitas Capital followed a fake Zoom link that installed malware on its network. The attackers attempted to steal $8.7 million using fraudulent invoices. In the event, they only got away with $800,000. But the reputational damage was enough to lose Levitas its biggest client, forcing the hedge fund to close.

Aerospace firm fires CEO after $58 million whaling loss

The CEO of Austrian aerospace company FACC was fired for his part in a whaling attack that cost the company around $58 million in 2016. A statement from the company said the CEO, Walter Stephen, had “severely violated his duties” by allowing the attack to occur.

Small business owner loses $50,000

Whaling doesn’t just mean big companies losing millions of dollars — small businesses are affected, too. In an interview with NPR, “Mark,” the owner of a small real-estate firm, discussed how he fell victim to a targeted account takeover attack. In this sophisticated cyberattack, a hacker interrupted Mark’s email conversation with his partner, seizing the opportunity to divert a bank transfer for $50,000.

How to Prevent Whaling

Now you understand the dangers of whaling, you might be wondering how you can avoid falling for whaling attacks or – better yet – prevent whaling attacks from landing in your inbox in the first place. Your best bet? In addition to security awareness training, intelligent email security software. To learn more about how Tessian solves the problem, check out our customer stories or book a demo. Or, if you’d rather learn more about whaling and be the first to hear about the latest attacks, sign up for our newsletter. (Just fill in the short form below.)
Spear Phishing
Spear Phishing Examples: Real Examples of Email Attacks
By Maddie Rosenthal
04 March 2021
75% of organizations experienced some kind of phishing attack in 2020. Of those attacks, almost all (96%) arrived via email. So, what does a phishing attack look like? We’ve rounded up 5 REAL examples of spear phishing attacks, all detected (and prevented) by Tessian Defender. See those alerts at the top of each email? These are Defender’s in-the-moment warnings that explain exactly why the email has been flagged as suspicious.
If you’re looking for more information about phishing, check out these resources:
What is Phishing?
What is Spear Phishing?
Must-Know Phishing Statistics: Updated 2021
Phishing vs. Spear Phishing
What Does a Spear Phishing Email Look Like?
Example 1: The attacker is encouraging the target to sign an “updated employee handbook” 📋
Let’s break down this spear phishing attack. In this example, the attacker is pretending to be an HR employee. But, the sender’s email address <[REDACTED]@ntlworld.com> does not match the domain of the target. In the email, the attacker is claiming that the target needs to sign a new employee handbook, and provides a link, which leads to an online Word document. 
This document prompts the target to click on another link, which leads the user to a fake O365 login page. The goal: To gain access to the target’s login credentials. This is called credential phishing. The attacker is using social engineering tactics to motivate the user to act now. For example, noting that “20% of employees have already accepted” and “we are all required to review and sign an acknowledgement of the handbook upon receipt of this email”. COVID-19 is also used as a pretext for sending the handbook in the first place, which lends legitimacy to the request.
Further reading:
⚡ COVID-19: Real-World Examples of Opportunistic Phishing Attacks
⚡ How Hackers Are Exploiting the COVID-19 Vaccine Rollout
Example 2: The email is a spoof of an MS Teams notification 🔔
Let’s break down this spear phishing attack. In this example, the attacker is leveraging a fake notification from a trusted platform – Microsoft Teams – instead of impersonating a trusted person/team. The goal? Credential theft. If the user clicks on the “Reply in Teams” button, they’ll be led to a fake login page. If they enter their details, their account will be compromised. And, if the employee uses the same password for multiple accounts (which 85% of employees do), the bad actor could have access to multiple systems.
Note: Instead of seeing “xxxxxx”, the target would see their email address. Not only does this increase the legitimacy of the webpage and make the user feel like they’ve logged in before, it also reduces the friction for the user to move on to the next step, which will be entering their password.
If you actually did use Microsoft Teams at work, you’d have no reason to believe this is suspicious or malicious. The email looks like the real deal and was likely templated from a genuine notification. The email itself is a domain spoof, and spoofs the target’s own email address. This is particularly clever because – well – it’s not implausible that Microsoft Teams would actually send emails “from” the user’s own email address.
Further reading:
⚡ What is Email Spoofing? How Does Email Spoofing Work?
Example 3: The attacker is pretending to be a new starter 👋🏾
Let’s break down this spear phishing attack. In this example, the attacker is pretending to be a new starter at the target’s company’s outsourced HR management firm. This is an especially effective social engineering tactic that preys on human kindness. Who doesn’t want to help out a newbie? The language in the email is also quite informal and friendly; this will make the target feel comfortable and lower their guard.
At face value, the email address <[email protected][REDACTED].com> isn’t suspicious. It may, however, raise red flags for the target if he or she hasn’t heard from anyone with that domain before. Yet only 54% of employees say they look at the sender’s email address before responding to an email or actioning a request.
The attacker is trying to encourage the target to click on a link to preview a PDF urgently – “in the next two hours”. Tessian Defender has also flagged that this is a bitly link. Bad actors often use these shortened URLs to make it more difficult for the target to know what website they’ll be taken to if they do click.
Of course, the link doesn’t lead to a PDF. It leads to a malicious website. If the target were to click the download button, malware would likely be deployed.
Example 4: The email claims to be verifying account activity on GoDaddy ✅
Let’s break down this spear phishing attack. In this example, the attacker is impersonating GoDaddy – the world’s largest domain registrar, with over 40 million domain names under its management. While GoDaddy appears in the Display Name and several times in the body of the email (including a logo), and there aren’t any obvious spelling errors or grammar mistakes, a savvy employee would notice that the sender’s email address <[REDACTED]@hotmail.com> doesn’t match. Remember, though: Most employees don’t examine email addresses before responding or actioning a request.
Again, the name of the game here is credential phishing. If the target follows the link to “prove they’re the account holder” they’ll be sent to a fake GoDaddy sign-in page. If they enter their login details, their credentials will be compromised.
This is an especially dangerous attack because – if an employee’s login credentials for GoDaddy were compromised – the attacker could (quite literally) take over your website. They could steal your customers’ data or even use your website to host other phishing websites.
Example 5: The email appears to be sent from the company’s Microsoft File Sharing service 📎
Let’s break down this phishing attack. Again, in this example, the attacker is leveraging a fake notification from Microsoft. This time, though, it’s from the Microsoft File Sharing service. Unsurprisingly, the attacker is after the target’s credentials. (This is called credential phishing, remember?) If the user clicks on the “Preview Online” button – a malicious link – they’ll be taken to a lookalike website.
If the target does input their credentials, they won’t log in to Microsoft File Sharing. Instead, the details will be sent directly to the hacker, who will then have easy access to the user’s account.
Notice that the notification is well-formatted and looks like a genuine email from Microsoft. There aren’t any obvious spelling or grammar errors. The average person would likely fall for this attack.
The “[REDACTED], FIY” note was included on purpose. The attacker is trying to pique the target’s interest. Wouldn’t you want to know what the message said? The more curious and emotional we get, the more likely we are to click a link without thinking of security.
Did you know? Microsoft is one of the most impersonated brands in phishing attacks. Find out who else makes the list.
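The red flags that Examples 1 to 5 describe (a consumer mailbox posing as HR or a brand, a brand in the display name that the sender domain does not match, a message "from" the recipient's own domain that did not pass DMARC, a shortened link, and deadline pressure) can be written down as simple rules. The block below is an added example, not Tessian Defender's code; the provider, shortener and brand lists, the urgency phrases, the .test domains and the sample messages are all constructed for illustration.

```python
"""Added example (not Tessian Defender's code): rule-based checks for the red flags
that Examples 1-5 above describe, run over constructed sample messages."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed lists: consumer mailbox providers, URL shorteners, protected brands
# (display-name token -> registrable domain the brand's mail should come from)
# and deadline-pressure phrases. Extend them for your own environment.
FREEMAIL = {"hotmail.com", "ntlworld.com", "gmail.com", "outlook.com", "yahoo.com"}
SHORTENERS = {"bit.ly", "bitly.com", "tinyurl.com", "t.co"}
BRANDS = {"godaddy": "godaddy.com", "microsoft": "microsoft.com", "dhl": "dhl.com"}
URGENCY = ("urgent", "immediately", "in the next", "required to")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def registrable(host):
    """Crude eTLD+1 (last two labels); production code would use a public-suffix list."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def analyse(raw):
    """Return warning codes for one RFC 5322 message, in the spirit of an in-the-moment banner."""
    msg = message_from_string(raw)
    display, sender = parseaddr(msg.get("From", ""))
    _, recipient = parseaddr(msg.get("To", ""))
    sdom = sender.rpartition("@")[2].lower()
    rdom = recipient.rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "").lower()
    body = msg.get_payload()
    flags = []
    if sdom in FREEMAIL:                       # Examples 1 and 4: consumer mailbox posing as HR/brand
        flags.append("freemail-sender")
    for brand, legit in BRANDS.items():        # Example 4: brand in display name, mail from elsewhere
        if brand in display.lower() and registrable(sdom) != legit:
            flags.append(f"brand-mismatch:{brand}")
    if sdom and sdom == rdom and "dmarc=pass" not in auth:
        flags.append("self-spoof-unauthenticated")  # Example 2: your own domain, not authenticated
    if any(registrable(urlparse(u).hostname or "") in SHORTENERS for u in URL_RE.findall(body)):
        flags.append("shortened-url")          # Example 3: shortener hides the real destination
    if any(cue in body.lower() for cue in URGENCY):
        flags.append("urgency-cue")            # Examples 1 and 3: "required to", "in the next two hours"
    return flags

# Constructed samples modelled on the examples above (not real captured mail; .test domains).
SAMPLES = {
    "handbook": 'From: "HR Department" <hr.team@ntlworld.com>\nTo: alice@example-corp.test\n\n'
                "We are all required to review and sign: https://docs.example.test/handbook\n",
    "teams": "From: alice@example-corp.test\nTo: alice@example-corp.test\n"
             "Authentication-Results: mx.example-corp.test; spf=fail; dmarc=fail\n\n"
             "Reply in Teams: https://login.example.test/teams\n",
    "newbie": 'From: "Sam" <sam@hr-partner.test>\nTo: alice@example-corp.test\n\n'
              "Hi! Could you preview this PDF in the next two hours? https://bit.ly/3xyzabc\n",
    "godaddy": 'From: "GoDaddy Support" <godaddy.verify@hotmail.com>\nTo: alice@example-corp.test\n\n'
               "Prove you are the account holder: https://verify.example.test/gd\n",
    "genuine": "From: noreply@example-corp.test\nTo: alice@example-corp.test\n"
               "Authentication-Results: mx.example-corp.test; spf=pass; dmarc=pass\n\n"
               "Your expense report was approved.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:8} -> {analyse(raw) or ['no warnings']}")
```

The "genuine" sample shows the rules staying quiet on an authenticated internal message, which matters as much as the hits: a banner that fires on every email is one employees learn to ignore.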
Spear Phishing
Phishing vs. Spear Phishing: What’s the Difference?
23 February 2021
Phishing and spear phishing are both “social engineering” cyberattacks. In both types of attacks, a cybercriminal impersonates a trustworthy person and tricks their target into revealing login credentials, installing malware, or making a wire transfer.
Think of it this way:  Phishing is like catching fish using a line — you cast your rod into the water and see what bites.  With spear phishing, you choose the fish you want and aim the spear right at it. Note: This distinction is a big deal, affecting how you detect, mitigate, and prevent both types of attacks.
What is phishing?
As we explained in our article “What Is Phishing?,” the term “phishing” can mean two things:
An umbrella term covering many types of cyberattacks
A specific type of cyberattack: an untargeted social engineering attack, conducted via email
In the first instance, “phishing” can refer to cyberattacks including:
Business Email Compromise: A phishing attack utilizing an impersonated, spoofed, or hacked business email address
Wire transfer phishing: A phishing attack that attempts to trick the target into making a fraudulent transfer to the attacker
Smishing: Phishing via SMS
Vishing: Phishing via voice, e.g., phone or VoIP software
In the second, specific sense, phishing means a social engineering attack (conducted via email) with no specific target. We sometimes call this “spray-and-pray” phishing. The cybercriminal sends as many emails as they can in the hope that someone falls for their scam. But don’t be fooled: phishing attacks aren’t necessarily amateurish operations.
What is spear phishing?
Spear phishing is a targeted phishing attack. The target receives an email that addresses them directly — by name.
Any type of targeted phishing attack is a “spear phishing” attack, including:
Whaling: A spear phishing attack targeting a company executive
CEO fraud: A spear phishing attack where the fraudster impersonates a company’s CEO and targets another of the company’s employees.
But spear phishing is broader than this: if a Business Email Compromise attack, wire transfer phishing attack — or any other type of phishing attack — targets a specific individual, it’s a spear phishing attack.
Looking for more information about spear phishing? Check out this article: What is Spear Phishing? Targeted Phishing Attacks Explained.
Phishing vs. spear phishing: examples
Now we’re going to look at some phishing attacks and spear phishing attacks side-by-side so you can understand the differences.
The two emails below demonstrate the essential difference between phishing and spear phishing:
This is an example of a “bulk” phishing email. It doesn’t address the target by name and doesn’t contain any personal information. But, because it appears to come from a trusted brand (Netflix) someone is likely to click the link. 
This is an example of a spear phishing email: CEO fraud, to be precise. The attacker has exploited a professional relationship to elicit feelings of urgency and trust — the CEO urgently needs a favor and requests an employee to pay an invoice to an unknown account. But the “CEO” is a cybercriminal who controls the “new account.”
These examples should help you better understand the difference between phishing and spear phishing:
Phishing succeeds by sheer volume: send a fraudulent email out to enough people and someone will fall for it eventually.
Spear phishing succeeds through more sophisticated methods: send one fraudulent email containing personal information to a specific individual.
Looking for more resources? We explore phishing, spear phishing, and other social engineering attacks in greater detail in the following articles:
Phishing 101: What is Phishing?
What is Spear Phishing? Targeted Phishing Attacks Explained
6 Social Engineering Examples: Real-World Attacks
How to Hack a Human: How Attackers Use Social Media to Craft Targeted Spear Phishing Campaigns
Spear Phishing
What is Spear Phishing? Targeted Phishing Attacks Explained
22 February 2021
Tessian’s mission is to secure the human layer by empowering people to do their best work, without security getting in their way.
This article will look at the different types of spear phishing, explain how a spear phishing attack works, and explore how common spear phishing is. If you’d rather learn more about phishing, check out this article: Phishing 101: What is Phishing?
Types of spear phishing attacks
Spear phishing attacks vary according to technique, target, and goal. But, here are some types of cyberattacks that involve spear phishing:
Whaling: A spear phishing attack targeting a company executive
CEO fraud: A spear phishing attack where the fraudster impersonates a company executive
Here are some cyberattacks that usually involve spear phishing:
Business Email Compromise (BEC): A phishing attack using an impersonated, spoofed, or hacked corporate email account.
Wire transfer phishing: A phishing attack involving invoice fraud
Credential phishing: A phishing attack targeting login credentials
Whenever these attacks are targeted at a specific person, they’re considered a spear phishing attack. If the attack isn’t targeted at an individual, we just call it a “phishing attack.” Struggling to understand the difference? We explain it – in detail – in this article: Phishing vs Spear Phishing: Differences and Defense Strategies.
How does spear phishing work?
Most spear phishing attacks arrive via email. In fact, email is the medium of choice for around 96% of phishing attacks. However, cybercriminals also launch phishing attacks via social media, SMS (“smishing”), and phone or VoIP (“vishing”). But, let’s stay focused and look at a couple of examples of spear phishing attacks. This will help you understand how this type of cybercrime works.
First, the all-too-common “delivery service” spear phishing attack. According to Check Point, shipping company DHL was the second-most impersonated brand in spear phishing attacks throughout Q4, 2020. Here’s how a spear phishing email impersonating DHL might look:
There are a few things to note about this spear phishing email:
It addresses the target by name. This increases the email’s persuasiveness right off the bat.
It contains authentic logos and branding. DHL’s real emails look a lot like this.
The links lead to DHL’s actual website.
But don’t be fooled:
The sender’s email address is “[email protected]_deliveries.com.” This might look like an authentic DHL address, but it’s a crude impersonation attack.
The “track your delivery” link leads to a credential phishing website.
The DHL-style scam is a simple but effective form of spear phishing that typically targets individuals.
Wondering what other brands are frequently impersonated? Check out this article (+ infographic!): Phishing Statistics (Updated 2021). Spoiler: LinkedIn, Amazon, IKEA, and Google almost made the top 10.
Let’s look at a more sophisticated example of spear phishing that targets a business instead of a consumer:
There are some similarities between this email and the DHL scam:
Both target specific people
Both use authentic logos
But these factors make our second example more persuasive:
The sender’s email address is real. Hackers can use account takeover methods to compromise real email accounts, or they can use email spoofing techniques to trick email clients into displaying bogus information.
It references “real-world” personal information. Tessian research shows that 90% of people post personal information on social media — this is gold dust for hackers.
It conveys a sense of urgency and exploits the target’s trust (“counting on you”). People make bad decisions under pressure.
Spear phishing is becoming more refined and advanced all the time, so it’s easy to see why people keep falling for it. If you want help spotting a potential spear phishing attack, we’ve rounded up four red flags here. If you’re a security or business leader, this is a great resource to share with your employees that complements security awareness training.
How common is spear phishing?
Rates of spear phishing have been climbing consistently over the past decade. Research suggests, in 2019:
88% of organizations faced spear phishing attacks
65% of US organizations suffered a successful spear phishing attack (55% worldwide)
19% of organizations faced more than 50 spear phishing attempts
Note that these statistics refer to the period before the big migration to remote-working in 2020. There’s evidence that, as employees have moved into less secure working environments, cybercrime has increased considerably. Microsoft’s 2021 New Future of Work report found that:
80% of security professionals said security incidents had increased since the start of the pandemic.
62% of these said phishing campaigns showed the biggest increase.
So, what’s the upshot of all this? Spear phishing damages people’s privacy, exposes confidential data, and causes major financial losses.
The FBI reports that financially-motivated Business Email Compromise (BEC), which almost always involves spear phishing, caused direct losses of over $1.8 billion in 2020.
According to Verizon research, spear phishing is a major cause of data breaches. In the long-term, losing control of your customers’ data can be even more costly than losing money. IBM puts the average cost of a data breach at $3.86 million, rising to $8.64 million in the US.
The biggest known spear phishing scam of all time, targeted at Google and Facebook, resulted in over $100 million in losses over a two-year period.
Want to know how to protect your business against this serious type of cybercrime? Read our article on how to prevent phishing to find out.
Evaluating anti-phishing solutions? Learn more about how Tessian Defender detects and prevents the most advanced spear phishing attacks by reading some of our customer stories or booking a demo.
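The "crude impersonation" in the DHL email earlier in this article, a brand name embedded in a domain the brand does not own, is one of several lookalike patterns a mail gateway can score before a message reaches the inbox. This added example is not Tessian's or DHL's code; the protected-brand list, the homoglyph table and every domain other than dhl.com and dhl.de are constructed for illustration.

```python
"""Added example (not Tessian's or DHL's code): flag sender domains that impersonate
a protected brand, as the "crude impersonation" in the DHL email above does."""
import re
from difflib import SequenceMatcher

# Assumed: brands to protect and the registrable domains their mail legitimately uses.
PROTECTED = {"dhl": {"dhl.com", "dhl.de"}, "godaddy": {"godaddy.com"}, "microsoft": {"microsoft.com"}}
# Digits and symbols attackers substitute for letters ("dh1.com", "micr0soft.com").
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "@": "a", "$": "s"})

def registrable(host):
    """Crude eTLD+1 (last two labels); production code would use a public-suffix list."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def impersonation(host):
    """Return (brand, reason) when `host` looks like it impersonates a protected brand, else None."""
    reg = registrable(host)
    if any(reg in legit for legit in PROTECTED.values()):
        return None                                   # the brand's own domain (or a subdomain of it)
    label = reg.split(".")[0]                         # "dhl_deliveries" from "dhl_deliveries.com"
    norm = label.translate(HOMOGLYPHS)                # undo digit-for-letter swaps
    tokens = [t for t in re.split(r"[-_]", norm) if t]
    for brand, legit in PROTECTED.items():
        legit_labels = {d.split(".")[0] for d in legit}
        if norm in legit_labels:                      # dh1.com, dhl.net
            return brand, "homoglyph-or-wrong-tld"
        if brand in tokens:                           # dhl_deliveries.com, dhl-tracking.net
            return brand, "brand-token-in-domain"
        if brand in host.lower().split(".")[:-2]:     # dhl.com.tracking-updates.net
            return brand, "brand-in-subdomain"
        if any(SequenceMatcher(None, norm, l).ratio() >= 0.8 for l in legit_labels):
            return brand, "typosquat-label"           # godady.com, dhll.com
    return None

if __name__ == "__main__":
    # Constructed domains (not observed indicators); only mail.dhl.com is legitimate here.
    for host in ["mail.dhl.com", "dhl_deliveries.com", "dh1.com", "dhl.com.tracking-updates.net", "godady.com"]:
        print(f"{host:30} {impersonation(host)}")
```

The early return on the brand's own registrable domain is what keeps genuine subdomains such as mail.dhl.com from being flagged; the remaining checks only run for domains the brand does not control.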