Human Layer Security Summit is back. Register now to save your spot.

Spear Phishing
Phishing vs Spear Phishing: What’s The Difference?
23 February 2021
Tessian’s mission is to secure the human layer by empowering people to do their best work, without security getting in their way.
Phishing and spear phishing are both “social engineering” cyberattacks. In both types of attacks, a cybercriminal impersonates a trustworthy person and tricks their target into revealing login credentials, installing malware, or making a wire transfer. So what’s the difference between phishing and spear phishing? Think of it this way:  Phishing is like catching fish using a line — you cast your rod into the water and see what bites.  With spear phishing, you choose the fish you want and aim the spear right at it. Phishing is “bulk” social engineering; spear phishing is targeted. This distinction is a big deal, affecting how you detect, mitigate, and prevent both types of attacks. What is phishing? As we explained in our article “What Is Phishing?,” the term “phishing” can mean two things: An umbrella term covering many types of cyberattacks A specific type of cyberattack: an untargeted social engineering attack, conducted via email In the first instance, “phishing” can refer to cyberattacks including: Business Email Compromise: A phishing attack utilizing an impersonated, spoofed, or hacked business email address Wire transfer phishing: A phishing attack that attempts to trick the target into making a fraudulent transfer to the attacker Smishing: Phishing via SMS Vishing: Phishing via voice, e.g., phone or VoIP software In the second, specific sense, phishing means a social engineering attack (conducted via email) with no specific target. We sometimes call this “spray-and-pray” phishing. The cybercriminal sends as many emails as they can in the hope that someone falls for their scam. But don’t be fooled: phishing attacks aren’t necessarily amateurish operations.  What is spear phishing? Spear phishing is a targeted phishing attack. The target receives an email that addresses them directly — by name.  Any type of targeted phishing attack is a “spear phishing” attack, including: Whaling: A spear phishing attack targeting company executive CEO fraud: A spear phishing attack where the fraudster impersonates a company’s CEO and targets another of the company’s employees. But spear phishing is broader than this: if a Business Email Compromise attack, wire transfer phishing attack — or any other type of phishing attack — targets a specific individual, it’s a spear phishing attack. Looking for more information about spear phishing? Check out this article: What is Spear Phishing? Targeted Phishing Attacks Explained. Phishing vs. spear phishing: examples Now we’re going to look at some phishing attacks and spear phishing attacks side-by-side so you can understand the differences. The two emails below demonstrate the essential difference between phishing and spear phishing:
This is an example of a “bulk” phishing email. It doesn’t address the target by name and doesn’t contain any personal information. But, because it appears to come from a trusted brand (Netflix) someone is likely to click the link. 
This is an example of a spear phishing email: CEO fraud, to be precise. The attacker has exploited a professional relationship to elicit feelings of urgency and trust — the CEO urgently needs a favor and requests an employee to pay an invoice to an unknown account. But the “CEO” is a cybercriminal who controls the “new account.” These examples should help you better understand the difference between phishing and spear phishing: Phishing succeeds by sheer volume: send a fraudulent email out to enough people and someone will fall for it eventually. Spear phishing succeeds through more sophisticated methods: send one fraudulent email containing personal information to a specific individual. Looking for more resources? We explore  phishing, spear phishing, and other social engineering attacks in greater detail in the following articles: Phishing 101: What is Phishing? What is Spear Phishing? Targeted Phishing Attacks Explained 6 Social Engineering Examples: Real-World Attacks How to Hack a Human: How Attackers Use Social Media to Craft Targeted Spear Phishing Campaigns
Spear Phishing
What is Spear Phishing? Targeted Phishing Attacks Explained
22 February 2021
Tessian’s mission is to secure the human layer by empowering people to do their best work, without security getting in their way.
This article will look at the different types of spear phishing, explain how a spear phishing attack works, and explore how common spear phishing is. If you’d rather learn more about phishing, check out this article: Phishing 101: What is Phishing? Types of spear phishing attacks Spear phishing attacks vary according to technique, target, and goal. But, here are some types of cyberattacks that involve spear phishing: Whaling: A spear phishing attack targeting a company executive CEO fraud: A spear phishing attack where the fraudster impersonates a company executive  Here are some cyberattacks that usually involve spear phishing: Business Email Compromise (BEC): A phishing attack using an impersonated, spoofed, or hacked corporate email account. Wire transfer phishing: A phishing attack involving invoice fraud Credential phishing: A phishing attack targeting login credentials Whenever these attacks are targeted at a specific person, they’re considered a spear phishing attack. If the attack isn’t targeted at an individual, we just call it a “phishing attack.” Struggling to understand the difference? We explain it – in detail – in this article: Phishing vs Spear Phishing: Differences and Defense Strategies.  How does spear phishing work? Most spear phishing attacks arrive via email. In fact, email is the medium of choice for around 96% of phishing attacks. However, cybercriminals also launch phishing attacks via social media, SMS (“smishing”), and phone or VoIP (“vishing”). But, let’s stay focused and look at a couple of examples of spear phishing attacks. This will help you understand how this type of cybercrime works. First, the all-too-common “delivery service” spear phishing attack. According to Check Point, shipping company DHL was the second-most impersonated brand in spear phishing attacks throughout Q4, 2020. Here’s how a spear phishing email impersonating DHL might look:
There are a few things to note about this spear phishing email: It addresses the target by name. This increases the email’s persuasiveness right off the bat. It contains authentic logos and branding. DHL’s real emails look a lot like this. The links lead to DHL’s actual website. But don’t be fooled: The sender’s email address is “[email protected]” This might look like an authentic DHL address, but it’s a crude impersonation attack. The “track your delivery” link leads to a credential phishing website. The DHL-style scam is  a simple but effective form of spear phishing that typically targets individuals.  Wondering what other brands are frequently impersonated? Check out this article (+ infographic!): Phishing Statistics (Updated 2021). Spoiler: LinkedIn, Amazon, IKEA, and Google almost made the top 10.  Let’s look at a more sophisticated example of spear phishing that targets a business instead of a consumer:
There are some similarities between this email and the DHL scam: Both target specific people Both use authentic logos But these factors make our second example more persuasive: The sender’s email address is real. Hackers can use account takeover methods to compromise real email accounts, or they can use email spoofing techniques to trick email clients into displaying bogus information. It references “real-world” personal information. Tessian research shows that 90% of people post personal information on social media — this is gold dust for hackers. It conveys a sense of urgency and exploits the target’s trust (“counting on you”). People make bad decisions under pressure. Spear phishing is becoming more refined and advanced all the time, so it’s easy to see why people keep falling for it. If you want help spotting a potential spear phishing attack, we’ve rounded up four red flags here. If you’re a security or business leader, this is a great resource to share with your employees that complements security awareness training.  How common is spear phishing? Rates of spear phishing have been climbing consistently over the past decade. Research suggests, in 2019:  88% of organizations faced spear phishing attacks 65% of US organizations suffered a successful spear phishing attack (55% worldwide) 19% of organizations faced more than 50 spear phishing attempts Note that these statistics refer to the period before the big migration to remote-working in 2020. There’s evidence that, as employees have moved into less secure working environments, cybercrime has increased considerably. Microsoft’s 2021 New Future of Work report found that: 80% of security professionals said security incidents had increased since the start of the pandemic. 62% of these said phishing campaigns showed the biggest increase. So, what’s the upshot of all this? Spear phishing damages people’s privacy, exposes confidential data, and causes major financial losses.  The FBI reports that financially-motivated Business Email Compromise (BEC), which almost always involves spear phishing, caused direct losses of over $1.7 billion in 2019.  According to Verizon research, spear phishing is a major cause of data breaches. In the long-term, losing control of your customers’ data can be even more costly than losing money. IBM puts the average cost of a data breach at $3.86 million, rising to $8.64 million in the US. The biggest known spear phishing scam of all time, targeted at Google and Facebook, resulted in over $100 million in losses over a two-year period. Want to know how to protect your business against this serious type of cybercrime? Read our article on how to prevent phishing to find out.  Evaluating anti-phishing solutions? Learn more about how Tessian Defender detects and prevents the most advanced spear phishing attacks by reading some of our customer stories or booking a demo.
Spear Phishing
How to Avoid Falling For a Phishing Attack
17 February 2021
Tessian’s mission is to secure the human layer by empowering people to do their best work, without security getting in their way. Phishing is a decades-old social engineering attack that costs people and businesses billions each year. One small mistake can have serious consequences. But you can take a few simple and effective steps to avoid falling for one. This article will explain how to recognize a phishing email, how cybercriminals can leverage publicly-available information, and what technical solutions are available to help businesses prevent successful phishing attacks.  If you’d rather learn more about what phishing is, don’t worry. We can help. Read this article first: Phishing 101: What is Phishing? Learn to recognize a phishing email There are some hallmarks of a phishing email that you should be able to recognize.  But be careful —  none of these traits are common to every phishing email, and most of them won’t be present in more sophisticated phishing campaigns. And remember! Phishing and spear phishing are different. If you’re looking for tips to help you spot spear phishing emails, read this article instead: What Does a Spear Phishing Email Look Like? 4 Red Flags. 1. Branding When you receive an email, ask yourself “Does this look right?” A good first step is to check for inauthentic or amateurish logos and email signatures. Here’s an example: on the left is a genuine email from shipping company DHL, and on the right is a fake, taken from a 2020 phishing campaign:
You can see that the email on the right is trying to look like DHL. It’s using DHL’s red and yellow branding, but it’s clearly a cheap imitation. If you receive an email looking like this, alarm bells should immediately start ringing. 2. Spelling and grammar Second, check the email for spelling and grammar mistakes. Again, while poor spelling and grammar is a good indicator that an email is inauthentic, it’s increasingly common for phishing campaigns to contain very few errors. Check out this example:
This fake Netflix email is a real-life example of a credential phishing attack that has been circulating since at least May 2018.  Not sure what credential phishing is? We explain everything you need to know in this article: What is Credential Phishing? How Does it Work? Unlike the DHL email, this Netflix scam is pretty convincing, except for a couple of tiny errors that give it away. There’s an unnecessary space in the greeting (“Hello ,”) and a missing apostrophe (We re here if you need it).  These errors don’t necessarily indicate a phishing email — they might have gotten past Netflix’s quality control team — but they’re a red flag (if you notice them). 3. Sense of urgency Third, a phishing attack usually conveys some sense of urgency. Whether the attacker is trying to persuade you to make a payment, download a file, or click a link — they know you’re more likely to do so if you’re feeling anxious. Stressed people make bad decisions. We explore this in detail here: The Psychology of Human Error.  Here’s an example of an American Express scam that emerged in 2020:
Many people will panic when receiving this and immediately click “NO.” They might even do this despite having second thoughts about the nature of the email. Of course, this is exactly what the cybercriminal wants. 4. Inauthentic sender address Finally, there might be some more subtle indicators that the email you’ve received is part of a phishing scam. These have to do with the sender’s email address. A phishing email is more likely to succeed if it appears to come from an authentic email address. This type of phishing is called Business Email Compromise (BEC), and the FBI estimates that it cost businesses $1.7 billion in 2019. Cybercriminals use three main techniques to make email addresses look authentic: Email impersonation: The email looks similar to a genuine business email address (think “[email protected]” or “[email protected]”). Impersonation can be easy to spot if you’re paying attention. Email spoofing: The fraudster amends the email’s headers, so the receiving email client displays a false address. In some cases, spoofing is only noticeable if you inspect the email header information. Account takeover (ATO): The email arrives from an authentic account that has been hacked. ATO is nearly impossible for a person to detect and requires email security software. Limit your publicly available personal information Spear phishing is a subcategory of phishing targeting a specific person by name. Cybercriminals can find your name and email address easily — but they probably have access to a lot more of your personal information, too. According to Tessian research, 90% of people post personal and professional information online. Many employees also appear in company publicity or press releases. Even out-of-office auto-replies can give away personal information.  This information is gold dust for hackers seeking to impersonate someone the target trusts. Drop in a few personal references — whether about the target or the person the cybercriminal is impersonating — and a spear phishing email becomes a lot more persuasive. Wondering what you should (and shouldn’t) post online? Read the full report to find out.
Deploy email security software If you’re an individual looking for advice, skip this section. This piece of advice is for security and business leaders. As we’ve seen, phishing is becoming increasingly hard for humans to spot. It’s also an email-based attack 96% of the time. That’s why deploying an intelligent inbound email security solution is the key to preventing phishing. Email security is particularly important as teams move into a remote working environment, away from the protection of CISOs and IT departments. Microsoft research shows that 80% of security professionals saw an increase in security incidents since employees started working from home. Phishing emails almost always carry some signals that reveal they are dangerous. The more subtle phishing indicators aren’t detectable by humans — or traditional solutions like Secure Email Gateways (SEGs) and spam filters. Tessian Defender uses machine learning, anomaly detection, behavioral analysis, and natural language processing to detect even the most discrete phishing signals. Click here to learn more about how Tessian Defender protects your team from phishing and other email-based cybersecurity attacks. You can also explore our customer stories to see how they’re using Tessian Defender to protect their people on email and prevent social engineering attacks like phishing.
Spear Phishing
Phishing 101: What is Phishing?
17 February 2021
Tessian’s mission is to secure the human layer by empowering people to do their best work, without security getting in their way. First things first: let’s answer the question at hand.
That’s the short and sweet definition. But, there’s more you need to know. Phishing is a common type of social engineering attack that cybercriminals have been conducting for decades. In this article, we’ll take a look at some different types of phishing, how these differ from “traditional” phishing, and how phishing attacks work. Wondering what social engineering is? Check out this article, which includes plenty of real-world examples.  Definitions of phishing If you look at the definition above, you’ll notice we made an important distinction in the last sentence. “Phishing is typically bulk in nature and not personalized for an individual target.” But, oftentimes, you’ll hear the word “phishing” used as an umbrella term to cover many types of online social engineering attacks, including:  Spear phishing: A phishing attack targeting a specific individual Whaling: A phishing attack targeting a company executive Smishing: Phishing via SMS Vishing: Voice-phishing, via phone or VoIP software What links all these types of attacks? They all involve some form of “impersonation” — the attacker pretends to be a person or institution that the target is likely to trust. But, in this article, we’ll focus on traditional “spray and pray” phishing attacks. It’s one of the most straightforward types of online social engineering attacks.  Importantly, this “old-school” form of cybercrime is distinct from all the examples above because: Unlike smishing or vishing, phishing attacks occur via email.  Unlike spear phishing and whaling, traditional phishing isn’t targeted. Attackers send phishing emails indiscriminately, rather than emailing a specific individual. If you’re scratching your head trying to figure out how phishing is different from spam, we’ve answered all your questions in this article: Spam vs. Phishing: The Difference Between Spam and Phishing. How phishing works Let’s take a real-life example of a phishing attack to see how this type of cybercrime works. It appears to comes from a brand most of us know and trust: Netflix. 
So, what makes it a phishing email? The “UPDATE ACCOUNT NOW” button leads to a malicious website (not Netflix’s genuine website) designed to steal payment information.  But, the average person wouldn’t know that. The email arrived from “[email protected]” — a person could reasonably believe this was a genuine Netflix email address The “Help Center” and “Communications Settings” links lead to Netflix’s actual website The Netflix logo and branding look authentic But look a little closer, and you’ll notice a few giveaways. The greeting is generic (“Hello ,”). This suggests that this is a bulk email sent to many recipients. The email asks for payment details. Netflix will never request payment information via email. There’s a typo (“We re here if you need it”). Typos are increasingly rare in phishing emails, but they should always raise a red flag. This is not your typical “Nigerian prince” scam and it’s easy to see why so many people – both consumers and employees – fall for these scams. If you’re looking for statistics to back this up, check out this article: Must-Know Phishing Statistics (Updated 2021). Note that this scam appears to use “email impersonation”: the sender address ( looks like it could be an authentic Netflix domain, but Netflix doesn’t own that domain at all.  Hackers can also use account takeover and email spoofing for more advanced phishing attacks. What is phishing for? We’ve looked at how criminals use different methods to conduct phishing scams and target different types of people. But why do they do it? Attackers use phishing scams to target different types of resources. For example: Credentials. Cybercriminals steal usernames and passwords to sell them on the dark web, access company data, or conduct account take-over attacks. Personal information. Addresses, social security numbers — even lists of names associated with a particular platform can be valuable to cybercriminals, who can use them to target spear phishing attacks. Money. Phishing attacks aiming to trick the target into transferring money to the attacker are common, but they’re normally reserved for more sophisticated types of phishing such as Business Email Compromise (BEC), which the FBI calls “the $26 billion scam.” Want to know which of these resources hackers target the most frequently? Download this infographic.  How common is phishing? Phishing has become a huge criminal industry, and there’s no sign of it getting smaller.  Here are some of the latest statistics: According to Verizon’s 2020 data breach report, 96% of phishing attacks arrive by email (smishing and vishing account for 3% and 1% of attacks, respectively). Phishing is on the rise. Microsoft’s 2021 Future of Work report shows that 80% of organizations experienced an increase in security threats in 2020 — and of these, 62% said phishing showed the most significant increase. As a major cause of data breaches, phishing is a considerable business expense. According to IBM, the average cost of a data breach in 2020 was $3.86 million. Want more of the most up-to-date figures on phishing? Subscribe to our newsletter for monthly updates, straight to your inbox.  Now you know what “phishing” means, how common it is, and how much damage it can cause. If you want to learn how to protect yourself from phishing, check out our guidance on how to avoid falling for phishing attacks.
Spear Phishing
How Hackers Are Exploiting The COVID-19 Vaccine Rollout
By Laura Brooks
16 February 2021
Where there is uncertainty, there are cybercriminals. And the uncertainty surrounding the roll-out of the Covid-19 vaccine is creating the perfect environment for cybercriminals and their phishing scams. According to new Tessian research: 2,697 new website domains, related to the Covid-19 vaccine, were registered between 5 December 2020 and 10 January 2021. Many of these domains impersonate legitimate healthcare websites, tout misinformation around injection side effects, and falsely claim to offer guidance around timing and logistics of distribution to dupe people. Some of the newly registered domains were confirmed as malicious. Tessian researchers found specific examples of domains that impersonate a legitimate O365 login in page and Apple ID login page. These pages have been designed to steal people’s account credentials. 22% of the live domains take advantage of a technique called “typo-squatting” – a technique where one or two letters of a word are changed, in the hope that people make mistakes when typing the website into the URL bar or just simply miss the typo when landing on the page. One example of this is Why do newly registered domains pose a threat? The NHS recently issued a warning about scam emails that invite people to click on fake invitations to “register” for the vaccine. However, no registration is actually required for the real vaccine. The fake website, the BBC reports, also asks people for their bank details either to verify identification or to make a payment. Often, scammers will register new domains to lure people to a page after they’ve clicked a link in a phishing email. Tessian researchers found that many of the vaccine-related websites contain online forms designed to harvest financial or healthcare information and, in some cases, steal people’s account credentials. For example, some of the confirmed-malicious websites impersonate an Office 365 or Apple ID page and prompt people to log-in and share their username and password. People urgently want to find out things such as when they will get the vaccine, where can receive the jab, and many more want to research and understand potential side effects. As we’ve seen throughout the pandemic, cybercriminals are capitalizing on people’s desire for more information and are finding ways to trick people into clicking on links to fake websites or enter their valuable details.
Who is most at risk from the vaccine scams? Anyone who is eligible for the vaccine, and anyone who is looking for information about the vaccine roll-out, should be wary about the websites they land on. For example, concerns have been raised over U.S. health officials’ use of ticketing website Eventbrite to schedule vaccination appointments. Health departments have warned citizens of scams whereby fraudulent Eventbrite websites have been created, while The Tampa Bay Times reported that people had been charged money for vaccination slots that turned out to be fake. One of the main concerns surrounding vaccine scams is how hackers will target older generations – those at the top of the list for the vaccine. A Tessian report published in 2020 – The Psychology of Human Error – found that people over 55 years old were the least likely to know what a phishing email was. Awareness is crucial; people must think twice before responding to these messages and be sceptical of emails or websites requesting payment or personal information at this time.
Vaccine scams: what to look out for Be wary of emails purporting to come from healthcare organizations asking you to click on links to ‘find out more’. Always check the sender name and address, particularly if you have received an email on your phone in order to verify the sender’s identity. It’s also important to questions any websites that request personal data. Domains that spoof government healthcare websites, like the Centers for Disease Control and Prevention (CDC) are especially dangerous, as bad actors could potentially steal extremely sensitive information such as Social Security numbers and health information like insurance or medical history details. At a time when phishing scams are rife, always think twice before entering your personal information online and remember, if it doesn’t look right, it probably isn’t.
Human Layer Security Spear Phishing
Romance Fraud Scams Are On The Rise
By Laura Brooks
11 February 2021
Cybercriminals are exploiting “lockdown loneliness” for financial gain, according to various reports this week, which reveal that the number of incidents of romance fraud and romance scams increased in 2020.  UK Finance, for example, reported that bank transfer fraud related to romance scams rose by 20% in 2020 compared to 2019, while Action Fraud revealed that £68m was lost by people who had fallen victim to romance fraud last year – an increase on the year before. Why? Because people have become more reliant on online dating and dating apps to connect with others amid social distancing restrictions put in place for the Covid-19 pandemic.
With more people talking over the internet, there has been greater opportunity for cybercriminals to trick people online. Adopting a fake identity and posing as a romantic interest, scammers play on people’s emotions and build trust with their targets over time, before asking them to send money (perhaps for medical care), provide access to bank accounts or share personal information that could be used to later commit identity fraud. Cybercriminals will play the long-game; they have nothing but time on their hands.  A significant percentage of people have been affected by these romance scams. In a recent survey conducted by Tessian, one in five US and UK citizens has been a victim of romance fraud, with men and women being targeted equally.
Interestingly, people aged between 25-34 years old were the most likely to be affected by romance scams. Tessian data shows that of the respondents who said they had been a victim of romance fraud, 45% were aged between 25-34 versus just 4% of respondents who were aged over 55 years old.  !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//"); This may be because romance fraud victims are most commonly targeted on social media platforms like Facebook or Instagram, with a quarter of respondents (25%) saying they’d been successfully scammed on these channels.  This was closely followed by email (23%) while one in five people said they’d been targeted on mobile dating apps, and 16% said they’d been scammed via online dating websites.  This behavior is quite typical, say experts. Often romance fraud will start on dating apps or official dating websites but scammers will move to social media, email or text in order to reduce the trail of evidence.
How to avoid falling for a romance scam It’s important to remember that most dating apps and websites are completely safe. However, as social distancing restrictions remain in place for many regions, people should consider how they could be targeted by social engineering attacks and phishing scams at this time. We advise people to question any requests for personal or financial information from individuals they do not know or have not met in person, and to verify the identity of someone they’re speaking to via a video call. We also recommend the following: Never send money or a gift online to someone who you haven’t met in person. Be suspicious of requests from someone you’ve met on the internet. Scammers will often ask for money via wire transfers or reload cards because they’re difficult to reverse. Be wary of any email or DM you receive from someone you don’t know. Never click on a link or download an attachment from an unusual email address.  Keep social media profiles and posts private. Don’t accept friend requests or DMs from people you don’t know personally.  The FBI and Action Fraud have also provided citizens with useful advice on how to avoid falling for a romance scam and guidance for anyone who thinks they may have already been targeted by a scammer.  And if you want to learn more about social engineering attacks, you can read Tessian’s research How to Hack a Human. 
Human Layer Security Spear Phishing
Must-Know Phishing Statistics: Updated 2021
By Maddie Rosenthal
10 February 2021
We’ve rounded up the latest phishing statistics, including: The frequency of phishing attacks How phishing attacks are delivered The most common subject lines The prevalence of phishing websites The most common malicious attachments  The data that’s compromised in phishing attacks The cost of a breach The most targeted industries The most impersonated brands  Facts and figures related to COVID-19 scams Phishing and the future of work Looking for something more visual? Check out this infographic with key statistics.
The frequency of phishing attacks According to Verizon’s 2020 Data Breach Investigations Report (DBIR), 22% of breaches in 2019 involved phishing. While this is down 6.6% from the previous year, it’s still the “threat action variety” most likely to cause a breach.  The frequency of attacks varies industry-by-industry (click here to jump to key statistics about the most phished). But 75% of organizations around the world experienced some kind of phishing attack in 2020. Another 35% experienced spear phishing, and 65% faced BEC attacks. But, there’s a difference between an attempt and a successful attack. 74% of organizations in the United States experienced a successful phishing attack. This is 30% higher than the global average, and 14% higher than last year. Want to learn how to prevent successful attacks? Check out this page all about BEC prevention. ESET’s Threat Report reveals that malicious email detections rose 9% between Q2 and Q3, 2020. This followed a 9% rise from Q1 to Q2, 2020. How phishing attacks are delivered Hackers are relying more and more heavily on the credentials they’ve stolen via phishing attacks to access sensitive systems and data. That’s one reason why breaches involving malware have decreased by over 40%. According to Sonic Wall’s 2020 Cyber Threat report, in 2019, PDFs and Microsoft Office files were the delivery vehicles of choice for today’s cybercriminals. Why? Because these files are universally trusted in the modern workplace.  When it comes to targeted attacks, 65% of active groups relied on spear phishing as the primary infection vector. This is followed by watering hole websites (23%), trojanized software updates (5%), web server exploits (2%), and data storage devices (1%). 
The most common subject lines 96% of phishing attacks arrive by email. Another 3% are carried out through malicious websites and just 1% via phone. When it’s done over the telephone, we call it vishing and when it’s done via text message, we call it smishing. According to Symantec’s 2019 Internet Security Threat Report (ISTR), the top five subject lines for business email compromise (BEC) attacks: Urgent Request Important Payment Attention Analysis of real-world phishing emails revealed these to be the most common subject lines in Q4, 2020: IT: Annual Asset Inventory Changes to your health benefits Twitter: Security alert: new or unusual Twitter login Amazon: Action Required | Your Amazon Prime Membership has been declined Zoom: Scheduled Meeting Error Google Pay: Payment sent Stimulus Cancellation Request Approved Microsoft 365: Action needed: update the address for your Xbox Game Pass for Console subscription RingCentral is coming! Workday: Reminder: Important Security Upgrade Required The prevalence of phishing websites Google Safe Browsing uncovers unsafe URLs across the web. The latest data shows a world-wide-web rife with phishing websites. Since 2016, phishing has replaced malware as the leading type of unsafe website. While there were once twice as many malware sites as phishing sites, there are now nearly 75 times as many phishing sites as there are malware sites. Google has registered 2,145,013 phishing sites as of Jan 17, 2021. This is up from 1,690,000 on Jan 19, 2020 (up 27% over 12 months). This compares to malware sites rising from 21,803 to 28,803 over the same period (up 32%). Here you can see how phishing sites have rocketed ahead of malware sites over the years.
The most common malicious attachments Many phishing emails contain malicious payloads such as malware files. ESET’s Threat Report reports that in Q3 2020, these were the most common type of malicious files attached to phishing emails: Windows executables (74%) Script files (11%) Office documents (5%) Compressed archives (4%) PDF documents (2%) Java files (2%) Batch files (2%) Shortcuts (>1%) Android executables (>1%) You can learn more about malicious payloads here. The data that’s compromised in phishing attacks The top five “types” of data that are compromised in a phishing attack are: Credentials (passwords, usernames, pin numbers) Personal data (name, address, email address) Internal data (sales projections, product roadmaps)  Medical (treatment information, insurance claims) Bank (account numbers, credit card information) While instances of financially-motivated social engineering incidents have more than doubled since 2015, this isn’t a driver for targeted attacks. Just 6% of targeted attacks are motivated by financial incentives, while 96% are motivated by intelligence gathering. The other 10% are simply trying to cause chaos and disruption. When asked about the impact of successful phishing attacks, security leaders around the world cited the following consequences:  60% of organizations lost data 52% of organizations had credentials or accounts compromised 47% of organizations were infected with ransomware 29% of organizations were infected with malware 18% of organizations experienced financial losses
The cost of a breach According to IBM’s Cost of a Data Breach Report, the average cost per compromised record has steadily increased over the last three years. In 2019, the cost was $150. For some context, 5.2 million records were stolen in Marriott’s most recent breach. That means the cost of the breach could amount to $780 million. But, the average breach costs organizations $3.92 million. This number will generally be higher in larger organizations and lower in smaller organizations.  Losses from business email compromise (BEC) have skyrocketed over the last year. The FBI’s Internet Crime Report shows that in 2019, BEC scammers made nearly $1.8 billion. That’s over half of the total losses reported by organizations. And, this number is only increasing. According to the Anti-Phishing Working Group’s Phishing Activity Trends Report, the average wire-transfer loss from BEC attacks in the second quarter of 2020 was $80,183. This is up from $54,000 in the first quarter. This cost can be broken down into several different categories, including: Lost hours from employees Remediation Incident response Damaged reputation Lost intellectual property Direct monetary losses Compliance fines Lost revenue Legal fees Costs associated remediation generally account for the largest chunk of the total.  Importantly, these costs can be mitigated by cybersecurity policies, procedures, technology, and training. Artificial Intelligence platforms can save organizations $8.97 per record.  The most targeted industries While the Manufacturing industry saw the most breaches from social attacks (followed by Healthcare and then Professional services), employees working in Wholesale Trade are the most frequently targeted by phishing attacks, with 1 in every 22 users being targeted by a phishing email last year.   According to a different data set, the most phished industries vary by company size. Nonetheless, it’s clear Manufacturing and Healthcare are among the highest risk industries. The industries most at risk in companies with 1-249 employees are: Healthcare & Pharmaceuticals Education Manufacturing The industries most at risk in companies with 250-999 employees are: Construction Healthcare & Pharmaceuticals Business Services The industries most at risk in companies with 1,000+ employees are: Technology Healthcare & Pharmaceuticals Manufacturing The most impersonated brands New research found the brands below to be the most impersonated brands used in phishing attacks throughout Q4, 2020. In order of the total number of instances the brand appeared in phishing attacks: Microsoft (related to 43% of all brand phishing attempts globally) DHL (18%) LinkedIn (6%) Amazon (5%) Rakuten (4%) IKEA (3%) Google (2%) Paypal (2%) Chase (2%) Yahoo (1%) The common factor between all of these consumer brands? They’re trusted and frequently communicate with their customers via email. Whether we’re asked to confirm credit card details, our home address, or our password, we often think nothing of it and willingly hand over this sensitive information.
Facts and figures related to COVID-19 scams Because hackers tend to take advantage of key calendar moments (like Tax Day or the 2020 Census) and times of general uncertainty, individuals and organizations saw a spike in COVID-19 phishing attacks starting in March. But, according to one report, COVID-19 related scams reached their peak in the third and fourth weeks of April. And, it looks like hackers were laser-focused on money. Incidents involving payment and invoice fraud increased by 112% between Q1 2020 and Q2 2020. It makes sense, then, that finance employees were among the most frequently targeted employees. In fact, attacks on finance employees increased by 87% while attacks on the C-Suite decreased by 37%. h2 id=”future-work”>Phishing and the future of work According to Microsoft’s New Future of Work Report:  80% of security professionals surveyed said they had encountered increased security threats since the shift to remote work began.  Of these, 62% said phishing campaigns had increased more than any other type of threat. Employees said they believed IT departments would be able to mitigate these phishing attacks if they had been working in the offic Tessian’s own research supports this. The Future of Hybrid Work shows the phishing was the leading cause of security incidents while employees have been working remotely.
What can individuals and organizations do to prevent being targeted by phishing attacks? While you can’t stop hackers from sending phishing or spear phishing emails, you can make sure you (and your employees) are prepared if and when one is received. You should start with training. Educate employees about the key characteristics of a phishing email and remind them to be scrupulous and inspect emails, attachments, and links before taking any further action. Review the email address of senders and look out for impersonations of trusted brands or people (Check out our blog CEO Fraud Email Attacks: How to Recognize & Block Emails that Impersonate Executives for more information.) Always inspect URLs in emails for legitimacy by hovering over them before clicking Beware of URL redirects and pay attention to subtle differences in website content Genuine brands and professionals generally won’t ask you to reply divulging sensitive personal information. If you’ve been prompted to, investigate and contact the brand or person directly, rather than hitting reply We’ve created several resources to help employees identify phishing attacks. You can download a shareable PDF with examples of phishing emails and tips at the bottom of this blog: Coronavirus and Cybersecurity: How to Stay Safe From Phishing Attacks. But, humans shouldn’t be the last line of defense. That’s why organizations need to invest in technology and other solutions to prevent successful phishing attacks. But, given the frequency of attacks year-on-year, it’s clear that spam filters, antivirus software, and other legacy security solutions aren’t enough. That’s where Tessian comes in. By learning from historical email data, Tessian’s machine learning algorithms can understand specific user relationships and the context behind each email. This allows Tessian Defender to not only detect, but also prevent a wide range of impersonations, spanning more obvious, payload-based attacks to subtle, social-engineered ones. To learn more about how tools like Tessian Defender can prevent spear phishing attacks, speak to one of our experts and request a demo today.
Spear Phishing
6 Reasons to Download “How to Hack a Human” Now
By Maddie Rosenthal
02 February 2021
Over the last decade, phishing has evolved from spam to something much (much) more targeted. It’s now the threat most likely to cause a breach. At the same time, the number of adults on social media networks like Facebook has jumped by almost 1,300%. We explore the correlation between the two in our latest research report “How to Hack a Human”. You can download it here. Need a few good reasons to download it? Keep reading.  1. You’ll get a hacker’s perspective Actually, you’ll get ten (ethical) hackers’ perspectives. We partnered with HackerOne and other social engineering experts to learn how they use publicly available information – like social media posts, OOO messages, press releases, and more – to craft highly targeted,  highly effective social engineering attacks. In the end, we found out that they use everything. A photo from your gender reveal party can help them uncover your home address. A post about your dog can help them guess your password. An OOO message can tell them who to target, who to impersonate, and give them a sense of their window of opportunity. 2. You’ll learn how vulnerable organizations are to attack  By surveying 4,000 employees and using Tessian platform data, we were able to uncover how frequently people (and the companies they work for) are being targeted by social engineering attacks, business email compromise (BEC), wire transfer fraud, and more. The numbers are staggering. 88% of people have received a suspicious message in the last year.  Of course, some industries are more vulnerable than others. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//"); And, we expect to see more next year. Why? Between H1 2020 and H2 2020, we saw a 15% increase in attacks.  Read the report to find out more.  3. We show two examples of social engineering – including the “clues” that enabled hackers to carry out the attack Using social media posts, news headlines, and OOO messages, we breakdown two attacks. CEO Fraud in Financial Services Account Takeover (ATO) in Healthcare We explain the hacker’s motivation, what the attack looked like, and – in the end – how it could have been prevented. (More on that below). 4. You’ll get access to a free, educational guide to help employees level-up their personal and professional cybersecurity  As we’ve said, hackers hack humans to hack the companies they work for. So, to help security leaders communicate the threat and teach their employees how to prevent being targeted and how to spot an attack if it lands their inbox, we put together a comprehensive list of do’s and don’ts.  You can find it on page 20. Bonus: Are you a Tessian customer? We’re happy to co-brand the list. Get in touch with your Customer Success Executive for more information. 5. The dataset is global In addition to interviewing employees in the US and the UK, Tessian platform data accounts for organizations across continents.  Why does this matter? It goes to show that this isn’t a problem that’s isolated to a specific region. Everyone is being targeted by social engineering attacks. But – interestingly – the online habits of Americans vs. Brits vary considerably. For example, while 93% of US employees say they update their job status on social media when they start a new role, just 63% of UK employees said the same.  !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//"); Top tip: New starters are prime targets of social engineering attacks. They’re typically given their full access credentials when they start, but don’t yet know who’s who. They may also not have had their security training yet. Finally, given that they’re new, they’ll be especially keen to make a good impression. 6. You’ll get a peek inside a hacker’s toolkit  Yes, all of the information hacker’s use is easy enough to find  online (esspecially if they’re motivated to find it). But. there are plenty of tools that hackers use that make connecting the dots and cracking passwords quick and easy. We outline ten in the report. You’ll likely recognize some of them… Most – if not all – of these tools were designed for the “good guys”. Penetration testers, compliance teams, and even law enforcement. In fact, some are even marketing and sales tools! Flip to page 16 to learn more. Bonus: The report is ungated…for now For the next few weeks, you’ll be able to download the report without filling out a form. Yep, you just click “download” and it’s yours. Starting at the end of February, you’ll just need to provide your email address and a few other pieces of information about your role and company.  Ready? Set? Download.
Spear Phishing
Tessian Launches Account Takeover (ATO) Protection
By Harry Wetherald
27 January 2021
Today, a comprehensive email security strategy needs to do more more than just secure an organization’s own email platform and users. Why? Because more and more often, bad actors are gaining access to the email accounts of trusted senders (suppliers, customers, and other third-parties) to breach a target company. This is called account takeover (ATO) and one in seven organizations have experienced this kind of attack. And, since legitimate business email accounts are used to carry out these attacks, it is one of the most difficult impersonation attacks to detect, making most organizations vulnerable to ATO.  But, not Tessian customers. Tessian Defender can now detect and prevent ATO. How does Tessian Defender detect ATO? Unlike Secure Email Gateways (SEGs) – which rely almost exclusively on domain authentication and payload inspection – Tessian Defender uses machine learning (ML), anomaly detection, behavioral analysis, and natural language processing (NLP) to detect a variety of ATO signals:  Unusual sender characteristics: This includes anomalous geophysical locations, IP addresses, email clients, and reply-to addresses  Anomalous email sending patterns: Based on historical email analysis, Tessian can identity unusual recipients, unusual send times, and emails sent to an unusual number of recipients Malicious payloads: Tessian uses URL match patterns to spot suspicious URLs and ML to identify red flags indicative of suspicious attachments  Deep content inspection: Looking at the email content – for example, language that conveys suspicious intent – Tessian can detect zero-payload attacks, too
Importantly, Tessian’s ML algorithm gets smarter as it continuously analyzes email communications across its global network. This way, it can build profiles of organizations (and their employees) to understand what “normal” email communications look like at a granular level.  This allows Tessian Defender to catch even the most subtle ATO attacks. Once it detects a threat, Tessian alerts employees and admins that an email might be unsafe. The warnings are written in easy-to-understand language and explain why an email has been flagged, which prevents the users from responding to the email or clicking on malicious links or attachments. These warnings also act as in-the-moment training and help improve email behavior over time.  Administrators get real-time alerts of ATO and can track events in the Human Layer Security Intelligence portal. You can learn more about how Tessian detects and prevents ATO here. Keep reading to see an admin’s view of the portal and what a warning looks like for employees.
What are the benefits of Tessian ATO threat protection?  The consequences of ATO are far-reaching.  Attackers could gain access to credentials, employee data, and computer data. They could initiate fraudulent wire transfers, conduct bank fraud, and sell data. That means organizations could suffer significant financial loss, reputational damage, and lose customers (and their trust). And this doesn’t even account for lost productivity, data loss, or regulatory fines.  Between 2013 and 2015, Facebook and Google were scammed out of $121 million after a hacker impersonated a trusted vendor. And that’s just one example.  Tessian’s ATO threat protection minimizes these risks by preventing successful attacks. But, detecting and preventing threats is just one of the benefits of Tessian.   For security teams
Detection is automated, which means it’s not just effective, but also effortless for security teams Real-time alerts of ATO events and robust tools (like single-click quarantine) allow for rapid investigation and remediation directly in the portal  Tessian’s API can be integrated with SIEMs like Splunk and Rapid7, allowing security analysts and SOC teams to analyze Tessian data alongside insights from other solutions In-the-moment warnings reinforce security awareness training and help nudge employees towards safer email behavior For the C-suite
ATO protection doesn’t just keep your organization safe and compliant (and help you avoid reputational damage or financial loss). It’s a competitive differentiator and can help build trust with existing customers, clients, and your supply chain. Multi-layer threat insights, visualized data, and industry benchmarks help CISOs understand their organization’s security posture compared to their industry peers Automated reports make it easy to communicate success to the board and other key stakeholders For employees
Contextual warnings are helpful – not annoying – and act as in-the-moment training. This helps employees improve their security reflexes over time for safer email behavior. Flag rates are low (and false positives are rare) which means employees can do the job they were hired to do, without security getting in the way Learn more about Tessian Interested in learning more about Tessian Defender and ATO Protection? Current Tessian customers can get in touch with their Customer Success Manager. Not yet a Tessian customer? Learn more about our technology, explore our customer stories, or book a demo now.
Spear Phishing
5 Real-World Examples of Business Email Compromise (Updated 2021)
25 January 2021
Business Email Compromise (BEC) attacks use real or impersonated business email accounts to defraud employees. The FBI calls BEC a “$26 billion scam” that affects thousands of businesses every year. This article will look at some examples of BEC attacks that have cost organizations money, time, and reputation — to help you avoid making the same mistakes. Not sure what BEC is? We tell you everything you need to know about it – including how it works – in this article: What is Business Email Compromise and How Does it Work?  1. $17.2m acquisition scam Our first example demonstrates how fraudsters can play on a target’s trust and exploit interpersonal relationships. In June 2014, Keith McMurtry, a Scoular employee, received an email supposedly from his boss, CEO Chuck Elsea. The email informed McMurty that Scoular was set to acquire a Chinese company. Elsea instructed McMurty to contact a lawyer at accounting firm KPMG. The lawyer would help facilitate a transfer of funds and close the deal.  McMurty obeyed, and he soon found himself transferring $17.2 million to a Shanghai bank account in the name of “Dadi Co.” The CEO’s email, as you might have guessed, was fraudulent. The scammers had used email impersonation to create accounts imitating both Elsea and the KPMG lawyer. Aside from the gargantuan $17.2m loss, what’s special about the Scoular scam? Take a look at this excerpt from the email, provided by, from “Elsea” to McMurty: “We need the company to be funded properly and to show sufficient strength toward the Chinese. Keith, I will not forget your professionalism in this deal, and I will show you my appreciation very shortly.” Given the emotive language, the praise, and the promise of future rewards — it’s easy to see why an employee would go along with a scam like this. 2. BEC scammers exploit COVID-19 fears 2020 was a turbulent year, and we saw cybercriminals exploiting people’s fear and uncertainty like never before. A particularly prevalent example was the trend of COVID-19-related BEC scams. As the pandemic spread, governments worldwide issued warnings about a surge in cyberattacks. In April 2020, for example, the FBI warned that scammers were “using the uncertainty surrounding the COVID-19 pandemic” to conduct BEC scams.  The FBI gave one example of an unnamed company, whose supposed supplier requested payments to a new account “due to the Coronavirus outbreak and quarantine processes and precautions.” Criminals will always seek to capitalize on chaos. In December 2020, Keeper reported that uncertainty caused by COVID-19, Brexit, and the move to remote-working led to 70% of U.K. finance companies experiences experiencing BEC attacks over the preceding year. Looking for more examples of scammers exploiting COVID-19 fears? We share four more and outline the red flags contained in each here. BONUS! There’s a downloadable guide at the bottom of the article.  3. $46.7m vendor fraud In August 2015, IT company Ubiquiti filed a report to the U.S. Securities and Exchange Commission revealing it was the victim of a $46.7 million “business fraud.” This attack was an example of a type of BEC, sometimes called Vendor Email Compromise (VEC). The scammers impersonated employees at a third-party company and targeted Ubiquiti’s finance department. We still don’t know precisely how the cybercriminals pulled off this massive scam. VEC attacks previously relied on domain impersonation and email spoofing techniques, but these days, scammers are increasingly turning to the more sophisticated account takeover method. 4. Snapchat payroll information breach Many high-profile BEC attacks target a company’s finance department and request payment of an invoice to a new account. But not all BEC scams involve wire transfer fraud. Here’s an example of how BEC scams can target data, as well as money. In February 2016, cybercriminals launched a BEC attack against social media firm Snapchat. Impersonating Snapchat’s CEO, the attackers obtained “payroll information about some current and former employees.” The scam resulted in a breach of some highly sensitive data, including employees’ Social Security Numbers, tax information, salaries, and healthcare plans. Snapchat offered each affected employee two years of free credit monitoring and up to $1 million in reimbursement. 5. The big one: $121m BEC scam targeting Facebook and Google  Last — but by no means least — let’s look at the biggest known BEC scam of all time: a VEC attack against tech giants Facebook and Google that resulted in around $121 million in collective losses. The scam took place between 2013 and 2015 — and the man at the center of this BEC attack, Evaldas Rimasauskas, was sentenced to five years in prison in 2019. So how did some of the world’s most tech-savvy employees fall for this elaborate hoax?  Rimasauskas and associates set up a fake company named “Quanta Computer”  — the same name as a real hardware supplier. The group then presented Facebook and Google with convincing-looking invoices, which they duly paid to bank accounts controlled by Rimasauskas. As well as fake invoices, the scammers prepared counterfeit lawyers’ letters and contracts to ensure their banks accepted the transfers. The Rimasauskas scam stands as a lesson to all organizations. If two of the world’s biggest tech companies lost millions to BEC over a two-year period — it could happen to any business. If you’re worried that your organization might be targeted by a BEC attack and are looking for a solution, click here. You can also explore other examples of email attacks in these articles: 6 Examples of Social Engineering Attacks COVID-19: Real-Life Examples of Opportunistic Phishing Emails  Phishing Statistics (Updated 2021)
Spear Phishing
What is Business Email Compromise (BEC)? How Does it Work?
25 January 2021
In this article, we’ll look at why cybercriminals use BEC, how it works, and why it remains a serious problem.  Looking for exampels of BEC attacks or information about how to prevent business email compromise instead? Check out these pages instead: How to overcome this multi-billion dollar threat Real-world examples of Business Email Compromise Why compromise a business email account? BEC is a tried-and-tested cyberattack method that costs consumers and businesses billions every year. So what makes BEC such a prevalent cybercrime technique?  Simply put: cybercriminals use BEC as a way to make social engineering attacks more effective.  A social engineering attack is any form of cybercrime involving impersonation. The attacker pretends to be a trusted person so that the target does what they’re told.  Here are some examples of social engineering attacks that can involve BEC: Spear Phishing: A social engineering attack conducted via email (smishing and vishing are social engineering attacks conducted via SMS and voice respectively) CEO fraud: A phishing attack where the attack impersonates a company executive Whaling: A phishing attack targeting a corporate executive Wire transfer fraud: A phishing attack where the attacker persuades the target to transfer money to their account All these social engineering attacks involve some sort of impersonation. Fraudsters use every tool available to make their impersonation more convincing. And one of the best tools available is a genuine — or genuine looking — business email address. BEC attacks target both individuals and businesses and the attacker will (generally) use BEC to gain access to one of the following: Money. According to Verizon’s 2020 Data Breach Investigation Report, most BEC attacks now involve wire transfer fraud. Account credentials: A fraudulent email might contain a phishing link leading to a fake account login page. The FBI warns that this BEC variant is on the rise. Gift certificates: BEC attackers can persuade their target to purchase gift certificates rather than transferring them money. Now you know why cybercriminals launch BEC attacks, we’re going to look at how they do it. How does BEC work? There are various competing definitions of BEC — so before we explain the process, let’s clarify what we mean when we use this term. A BEC attack is any phishing attack where the target believes they have received an email from a genuine business. There are several methods that a cybercriminal can use to achieve this, including:  Email impersonation Email spoofing Email account takeover Let’s look at each of these techniques. Email impersonation is where the attacker sets up an email account that looks like a business email account. Here’s an example:
In this case, we can imagine Leon Green really is Tess’ boss and that an invoice for Amazon really is due to be paid. This information is easy enough to find online. But, note that the sender’s email address is “[email protected]”.  If you look carefully, you’ll see Microsoft is misspelled.  Many people miss small details like this. Worse still, mobile email clients typically only show the sender’s display name and hide their email address.
Email spoofing is where the attacker modifies an email’s envelope and header. The receiving mail server thinks the email came from a corporate domain and the recipient’s email client displays incorrect sender information.  You can read more about email spoofing – and see an example of a spoofed email header – in this article: What is Email Spoofing? How Does Email Spoofing Work? In account takeover (ATO), the attacker gains access to a corporate email account, whether via hacking or by using stolen account credentials. They gather information about the user’s contacts, email style, and personal data — then they use the account to send a phishing email.
How serious is BEC? We know BEC is a common cyberattack method. But how many businesses are affected, and how badly? Because many BEC attacks go unnoticed — and because different organizations use different definitions of BEC —  there’s no simple answer. So what do we know about the prevalence of BEC? The best source of cybercrime statistics comes from the FBI’s Internet Crime Complaint Center (IC3), which reports that: BEC is a “$26 billion scam” targeting consumers and all types of business Rates of BEC doubled between May 2018 and July 2019 Between June 2016 and July 2019, the IC3 recorded 166,349 BEC incidents worldwide, resulting in losses totaling $26,201,775,589 Next steps We’ve looked at the different types of BEC, how a BEC attack works, and how serious and pervasive this form of cybercrime has become. Next, let’s look at examples of BEC attacks. This will help you learn from the experiences of other organizations.
Spear Phishing
What is Email Spoofing? How Does Email Spoofing Work?
22 January 2021
Let’s start with a definition of email spoofing.
While email spoofing can have serious consequences, it’s not particularly difficult for a hacker to do. And, despite the fact that email filters and apps are getting better at detecting spoofed emails… they can still slip through.  Keep reading to find out: What motivates someone to spoof an email address How email spoofing works How common email spoofing is If you’re here to learn how to prevent email spoofing, check out this article instead: How to Prevent Email Spoofing. Why do people spoof emails? You might be wondering why someone would want to spoof another person or company’s email address in the first place. It’s simple: they want the recipient to believe that the email came from a trusted person. Most commonly it is used for activities such as: Spear phishing: A type of “social engineering” attack where the attacker impersonates a trusted person and targets a specific individual. Business Email Compromise (BEC): A phishing attack involving a spoofed, impersonated, or hacked corporate email address. CEO fraud: A BEC attack where the attacker impersonates a high-level company executive and targets an employee. Vendor Email Compromise (VEC): A BEC attack where the attack impersonates a vendor or another business in a company’s supply chain. Spamming: Sending unsolicited commercial email to large numbers of people. Now let’s look at the technical process behind email spoofing. How email spoofing works First, we need to distinguish between “email spoofing,” and “domain impersonation.” Sometimes these two techniques get conflated.  Here’s the difference: In an email spoofing attack, the sender’s email address looks identical to the genuine email address ([email protected]).  In a domain impersonation attack, the fraudster uses an email address that is very similar to another email address ([email protected]). When you receive an email, your email client (e.g. Outlook or Gmail) tells you who the email is supposedly from. When you click “reply,” your client automatically fills in the “to” field in your return email. It’s all done automatically and behind the scenes. But, this information is not as reliable as you might think. An email consists of several parts: Envelope: Tells the receiving server who sent the email and who will receive it. When you get an email, you don’t normally see the envelope. Header: Contains metadata about the email: including the sender’s name and email address, send date, subject, and “reply-to” address. You can see this part. Body: The content of the email itself. Spoofing is so common because it’s surprisingly easy to forge the “from” elements of an email’s envelope and header, to make it seem like someone else has sent it.  Obviously, we’re not going to provide instructions on how to spoof an email. But we can break down a spoofed email to help you understand how the process works.  Let’s take a look at the email header:
First, look at the “Received From” header, highlighted in blue, which shows that the email came from the domain “” But now look at the parts highlighted in yellow — the “Return-Path,” “From,” and “Reply-To” headers — which all point to “Mickey Mouse,” or “[email protected]”. These headers dictate what the recipient sees in their inbox, and they’ve all been forged. The standard email protocol (SMTP) has no default way of authenticating an email. There are authentication checks that depend on the domain owner protecting its domain. In this case, the spoof email failed two important authentication processes (also highlighted in blue, above): SPF, short for Sender Policy Framework: Checks if the sender’s IP address is associated with the domain specified in the envelope. DMARC, short for Domain-based Message Authentication, Reporting, and Conformance: Verifies an email’s header information. DKIM, short for DomainKeys Identified Mail: Designed to make sure messages aren’t altered in transit between the sending and recipient servers. As you can see, DMARC, SPF, and DKIM all = none. That means our spoofed email slipped right through. Here’s how the email looks in the recipient’s inbox:
The email above appears to have been sent by Mickey Mouse, using the email address [email protected] But we know from the header that it actually came from This demonstrates the importance of setting up DMARC policies. You can learn more about how to do that here. Note: Disney does have DMARC enabled. This is a hypothetical example! Want to find out which companies don’t have DMARC set-up? Check out this website.  How common is spoofing? Measuring the precise number of spoofed emails sent and received every day is impossible. But we can look at how many cybercrime incidents involving spoofing get reported each year. A good place to start is the U.S. Federal Bureau of Investigation (FBI)’s Internet Crime Complaint Center (IC3) annual report.  In 2019, the IC3 reported that: 25,789 of the 467,361 complaints the IC3 received related to spoofing. The losses associated with spoofing complaints totaled over $300 million. Spoofing was the third most costly type of cybercrime (after BEC and confidence fraud). The number of spoofing attacks rose 65% from the previous year. Losses from spoofing jumped by 329% from the previous year. Note that the IC3’s definition of “spoofing” includes incidents involving spoofed phone numbers. But we already know that 96% of phishing attacks start with email. Now you understand what email spoofing is, and how serious a threat it can be, it’s time to read our article on how to prevent email spoofing.