Spear Phishing

Get up to speed on the latest tips, guides, industry news and technology developments around phishing, spear phishing and Business Email Compromise.

Human Layer Security Spear Phishing DLP Compliance
7 Ways CFOs Can (And Should) Support Cybersecurity
By Maddie Rosenthal
29 July 2021
We’ve said it before and we’ll say it again: cybersecurity is a team sport. That means that (like it or not) the responsibility and burden sits with everyone, including the Chief Finance Officer (CFO). That’s right: quantifying cyber risk, navigating cyber insurance policies, and negotiating ransom with hacking groups can all be part of the job spec.

If you’re a CFO who’s struggling to understand their role in cybersecurity, keep reading. We share 7 opportunities to get involved and protect your company’s assets.

Note: Every company is different. Size, revenue, industry, and reporting structures all play a role. This is general advice meant to provide a bird’s eye view of a CFO’s potential involvement in cybersecurity.

1. Quantify risk

It can be hard for the C-suite to see the value of a solution when they haven’t yet experienced any consequences without it. As the saying goes, “If it ain’t broke, don’t fix it”. That’s why it’s so important CFOs step in to quantify risk using specific “what-if” scenarios. The most basic formula is: probability x expected cost.

Let’s use the example of an email being sent to the wrong person. We know at least 800 misdirected emails are sent every year in organizations with 1,000 employees. The expected cost, of course, depends on the email content and recipient, but let’s look at the worst-case scenario. What would the cost be if your press release for an upcoming, highly confidential merger and acquisition landed in a disgruntled former employee’s inbox? How would this impact the M&A itself? The company’s reputation? Revenue? Not a risk worth taking. Learn more about the key security challenges organizations face during M&A events.

2. Benchmark spending against other organizations

Just like a marketing team should use a benchmark to determine whether or not their email list is engaged, CFOs should use a benchmark to determine how much they should be spending on cybersecurity. Think of it as your North Star.
Fortunately, it’s relatively easy to determine how much your competitors or industry mavericks are shelling out, at least if they’re publicly traded. A good place to start is their S-1. Here, you’ll be able to see what percentage of the company’s revenue goes towards Sales and Marketing, Research and Development, and General and Administrative. This should give you a good idea of how to allocate your revenue.

You can also look at more general benchmark reports. For example, according to a Deloitte study, cybersecurity spending has increased YoY, from 0.34% of a company’s overall revenue in 2019 to 0.48% in 2020. In 2020, that equated to $2,691 per full-time employee.

Bonus: Did you know you can also benchmark your security posture against your industry peers with Tessian Human Layer Security Intelligence? Learn more.

3. Vet cyber insurance policies

Today, virtually every business needs cyber liability insurance. If you run a business that stores client, customer, or partner data… you need it. But it’s money wasted if you aren’t fully familiar with the policy terms. Check to make sure your first-party cyber insurance includes:

- Breach response recovery (including technical and legal advice)
- Forensic analysis for identifying the attack source
- Event management (including data recovery, PR services, and notification of clients)
- Cyber extortion
- Network/business interruption (including those that are the result of an attack on a third party)
- Dependent business interruption
- Credit monitoring services
- Consequential reputational loss or loss of income

It’s also worth exploring third-party cyber insurance to protect your company’s assets from subsequent compliance penalties and settlement costs. For example, Facebook settled a class-action lawsuit in Illinois over its use of facial recognition technology. The case reportedly settled for $550 million for a violation of the Biometric Information Privacy Act.
Third-party cyber insurance should include:

- Network security failures and privacy events
- Regulatory defense and penalties (including coverage for GDPR liabilities)
- PCI-DSS liabilities and costs
- Media content liability

4. Communicate with the board

In a sentence, the CFO is responsible for the financial security of an organization. And, in the event of a breach, financial security simply isn’t guaranteed. Don’t believe us? Check out the consequences of a breach, according to IT leaders:

[Chart: consequences of a breach, according to IT leaders]

All of these will impact a company’s bottom line, including share value and rate of growth… two things the board doesn’t want to hear and news a CFO would hate to deliver. But this isn’t a case of shooting the messenger. The responsibility and burden of cybersecurity sits with everyone, remember? Post-breach, the board, auditors, and other third parties will be examining how effectively budgets were allocated to prevent the worst. That’s why it’s essential the CFO is actively involved in creating and implementing cybersecurity strategies; they have skin in the game.

5. Create secure processes for the finance team

While – yes – the CFO holds the power of the purse and therefore influences the overall cybersecurity strategy, they also have a massive responsibility to secure their own team’s processes. After all, the finance department is one of the most targeted, specifically by invoice fraud, wire transfer fraud, and business email compromise.
- Between June 2016 and July 2019, FBI statistics show that wire transfer fraud via BEC occurred 166,349 times, and cost businesses over $26 billion.
- In 2019, the number of bank transfer phishing scams occurring in the UK increased by 40%.
- In 2017, the FBI received 15,690 complaints about BEC (primarily involving wire transfer), resulting in over $675 million in losses. In 2019, this increased to 23,775 complaints and over $1.7 billion in losses.

To protect against these incidents, CFOs should work with security teams to help train employees to spot scams, implement email security software to spot suspicious domains, and create fool-proof payment validation processes. For more tips, check out this article: Everything You Need to Know About Wire Transfer Phishing.

6. Negotiate ransom in the event of a ransomware attack

This is a position no CFO wants to be in. But, more and more, we’re seeing organizations being forced to comply with cyber criminals’ extortion demands. (7 Examples of Ransomware Attacks here.) While this may seem far beyond the scope of a finance director’s role, they’re heavily involved in the process. Of course, the first question to answer is: To pay? Or not to pay? This depends on an infinite number of factors, including the data being held, the hacking group who infiltrated the network, your cyber insurance policy, the company’s liquid assets… The list goes on.

To avoid being put between a rock and a hard place, CFOs (along with the rest of the C-Suite and security team) should take prevention seriously, including anti-malware software, patching processes, and security for email, web, and other services. Tessian can help with email by preventing ransomware attacks at the source.

7. Know how to spot a phish

CFOs are generally among the most frequently targeted by phishing attacks. They’re also frequently impersonated. It makes sense. They have access to and control over the company’s money.
It’s essential, then, that CFOs are especially vigilant, know how to spot a spear phishing attack, and know what to do if they suspect an email, text, or call is malicious. Training, technology, and processes can help. If you want to learn more about how Nudge theory plays a role, check out this article about in-the-moment warnings.

Looking for more resources? Check out the following:

⚡ Relationship 15: A Framework to Help Security Leaders Influence Change
⚡ CEO’s Guide to Data Protection and Compliance
⚡ Who Are the Most Likely Targets of Spear Phishing Attacks?
⚡ Why Information Security Must Be a Priority for GCs in 2021
Spear Phishing DLP Remote Working Data Exfiltration
How to Keep Your Data Safe in The Great Resignation
28 July 2021
The pandemic has changed people and society in ways we wouldn’t have thought imaginable just 24 months ago. Lockdown restrictions and remote working allowed many employees to reflect on what they want to do with their lives and the sort of companies they want to work for, as well as those they don’t. Consequently, in April 2021 four million US workers quit their jobs, and according to recent research by Microsoft, over 40% of employees are considering leaving their employer this year. It’s being called ‘#TheGreatResignation’, and it presents a whole pile of problems for CISOs and other security leaders.

Here are some of the common problems you might face in keeping data secure when staff move on.

Staff burnout

Let’s face it, everyone’s a little frazzled round the edges right now. Our 2020 report, The Psychology Of Human Error, revealed that a shocking 93% of US and UK employees feel tired and stressed at some point during their working week. Staff burnout was real before the pandemic, and it’s only got worse during it as the months have turned into years.

Over half the employees (52%) we surveyed said they make more mistakes at work when they’re stressed. And we know that as some employees move on, others are left to pick up the slack, adding to their stress and further increasing the potential for human error. This goes to show that this isn’t just a cyber security issue, it’s a people issue, so get your COO and HR team involved and start exploring ways to improve company well-being.

Mentally, they’ve already left

Staff who are leaving will have ‘mentally uncoupled’ from your organization and its processes well before they actually make their exit. They’re distracted – perhaps even excited – about their new future and where they’re going. Our survey found that 47% of employees surveyed cited distraction as a top reason for falling for a phishing scam, while two-fifths said they sent an email to the wrong person because they were distracted.
This is made worse by the next problem…

“Hi, it’s Mark from HR, we haven’t met…”

Changing jobs can bring staff into contact with people they might not have had much contact with before. In a big multinational, we doubt many staff can name every member of the payroll team – they might even be in another country! Our How to Hack a Human report found that an overwhelming 93% of workers also update their job status on social media, while 36% share information about their job.

If an employee has announced their imminent departure on social media, they can become targets of spear phishing by hackers impersonating HR or operations staff. Such emails could contain seemingly innocuous requests for key card returns, contract documents, and even IT hardware. We’ve seen it before! Check out our Threat Catalogue to see real examples of phishing attacks targeting (and impersonating!) new starters.

Notice period exfiltration

Unless they’re leaving for a complete lifestyle change, like being a warden on a deserted Scottish island, many people tend to stay in the same sector or industry. This means there’s a high probability of staff going to one of your competitors. Our research reveals an increase in data exfiltration during an employee’s notice period. In fact, 45% of employees admit to “stealing” data before leaving or after being dismissed from a job. You can see the temptation – what better way to make a great impression on your first day than by bringing a juicy file of customer data, source code, or other highly valuable IP. People will often extract these assets by emailing them to their personal accounts. This is a particular problem in sectors such as legal, financial services, and entertainment, where a client base and extensive networks are crucial.

New staff

So far all these problems have focused on leaving staff or those that remain, but another potential weak spot is the new hire that will replace them.
They’ve yet to undertake security awareness training on your systems and processes. They may have also announced their new role on social media (which means they could fall victim to the same problem we explained in point 3). It all comes back to one crucial point: 85% of data breaches are caused by human error.

How Tessian helps

Security leaders have a big job; they have to secure networks, endpoints, and platforms like Slack and Microsoft Teams. But email remains the #1 threat vector. So how do you lock down email and prevent data exfiltration and successful phishing attacks? By empowering your people to do their best work, without security getting in the way. We believe employees should be experts in their respective fields, not in cybersecurity. Tessian’s suite of products secures the human layer, so that staff can concentrate on their roles and be empowered to do their best work.

- Tessian Defender: Automatically prevents spear phishing, account takeover, business email compromise, and other targeted email attacks.
- Tessian Enforcer: Automatically prevents data exfiltration over email.
- Tessian Guardian: Automatically prevents accidental data loss caused by misdirected emails and misattached files.
Spear Phishing
7 Examples of Ransomware Attacks
15 July 2021
The ransomware crisis is getting out of control. With recent attacks on critical infrastructure, supply chain IT companies, and hospitals, the world is waking up to how serious this type of cyberattack can be. IT leaders understand that ransomware is preventable—and they know how to protect against it. But still, increasingly many businesses are finding their computers locked, their files encrypted, or their customers’ personal data stolen.

From the widespread chaos caused by 2017’s WannaCry attack to the recent REvil supply chain infection affecting up to 1,500 organizations—these seven ransomware examples will help you understand what you’re up against. Want to learn more about what ransomware is and how it’s delivered? Check out this article instead.

2017 WannaCry attack: The world’s first taste of how bad ransomware can get

Let’s start with an attack from several years ago—before “ransomware” was a household name—that shocked the world into taking cybersecurity more seriously. The incident started in May 2017, when hackers infected a computer with the WannaCry ransomware. Within a day, users of over 230,000 computers worldwide found that their files had been encrypted—and that they could only retrieve their data by making a Bitcoin payment to the attackers.

How could WannaCry infect so many computers? The original infection was initially believed to have resulted from a phishing email, but researchers later concluded that the ransomware took hold via a vulnerable SMB port. From there, the infection spread to other computers that had not downloaded a recent Microsoft security update—the hackers used a tool called EternalBlue (developed by the U.S. National Security Agency) to exploit a zero-day vulnerability in Windows.

WannaCry caused chaos across multiple sectors in more than 150 countries. The U.K.’s National Health Service (NHS) was particularly badly affected—hospitals even had to cancel operations due to the disarray caused by the attack.
The actual ransom payments—between $300-$600 each—added up to a meager $130,634. But estimates of the overall costs associated with the attack range between hundreds of millions and billions of dollars.

Colonial Pipeline attack: ransomware affects critical infrastructure

On May 6, 2021, ransomware gang DarkSide hit the Colonial Pipeline Company, a utilities firm that operates the largest refined oil pipeline in the U.S., causing chaos at gas stations across the country and netting millions of dollars in the process. Security analysts suspect that DarkSide gained access to Colonial’s systems via a single compromised password—possibly after purchasing it via the dark web. The cybercriminals targeted Colonial Pipeline’s computer systems, stealing nearly 100 gigabytes of data and impacting the company’s billing operations—but not the actual technology enabling the flow of oil through the pipeline.

Nonetheless, the company halted oil supplies throughout the duration of the attack, sparking fuel shortages and panic-buying throughout parts of the southern U.S. and prompting the Biden administration to issue a state of emergency. Colonial Pipeline paid the Bitcoin ransom of around $4.4 million. But the more significant impact was on wider society. Ransomware had affected the supply and cost of gas—the hackers had broken through to people’s everyday experiences.

Fake invoice leads to Ryuk ransomware infection

Wire transfer phishing—where cybercriminals commit online fraud using a fake invoice and a compromised email account—costs businesses billions each year. But in this mid-2020 case, a fake invoice led not to a fraudulent wire transfer but to a ransomware infection. An employee at a food and drink manufacturer opened a malicious Microsoft Word file attachment to an email, unleashing the Emotet and Trickbot malware onto their computer.
The malware created a backdoor into the organization’s systems, allowing the cybercriminals to gain access and deploy the Ryuk ransomware. The company declined to pay the ransom in this case—but still incurred substantial costs. Over half of the organization’s systems were unusable for 48 hours, and the firm had to contract security experts to restore access.

Kaseya supply chain attack impacts 1,500 companies

The biggest ransomware attack on record occurred on July 2, 2021, when the REvil gang hit software company Kaseya. Organizations using Kaseya’s IT management software downloaded a malicious update that infected their computers with ransomware. Victims received a ransom note informing them that their files had been encrypted. The note said users could retrieve their files by purchasing the cybercriminals’ $45,000 decryption software, payable in cryptocurrency.

The attack directly affected at least 60 firms—and it had downstream consequences for at least 1,500 companies. Even a Swedish supermarket chain was forced to close its doors after its payment processing equipment malfunctioned due to the attack. A few days after the attack, a post on the cybercrime gang’s dark web page promoted a universal decryptor that could unscramble all data impacted by the attack—for the bargain price of $70 million. The Kaseya ransomware attack was reminiscent of the notorious 2020 SolarWinds attack, which, while it did not involve ransomware, exposed the vulnerability of supply chains.

UK health service warns of Avaddon phishing attacks

In April 2021, the digital arm of the U.K.’s National Health Service (NHS) put out a warning about Avaddon ransomware, a type of ransomware that can “both steal and encrypt files” in “double extortion attacks.” Avaddon typically arrives via a phishing email. The email contains a .jpeg or .zip file which acts as a downloader for the ransomware.
In some cases, the application will terminate itself if it detects that you’re using a Russian keyboard layout. As mentioned, Avaddon not only encrypts your files—it can also steal and publicly leak them if you fail to pay the ransom.

What makes this double extortion method particularly harmful? Getting your important files encrypted is bad enough. You lose vital data and might need to cease operations until the situation is resolved. But having your files stolen as well puts you at a heightened risk of penalties from regulators for failing to protect people’s personal data.

Stolen credentials lead to $4.4 million DarkSide attack

The North American division of chemicals distributor Brenntag lost around 150 gigabytes of company data in May 2021, when the DarkSide ransomware gang deployed ransomware on the company’s systems. The cybercriminals reportedly demanded a $7.5 million ransom, which the chemicals company managed to negotiate down to $4.4 million—a sum it reportedly paid DarkSide on May 14 to prevent the compromised data from being published.

So how did DarkSide get access to Brenntag’s systems? It appears the cybercrime gang (or one of its affiliates) purchased some of Brenntag’s user credentials on the dark web. Credentials are a prime target for cybercriminals and are one of the data types most commonly compromised in phishing campaigns. For more information, see What is Credential Phishing?

COVID-19 testing delayed after Irish hospitals hit by ransomware

When Irish hospitals were attacked by a ransomware gang in May 2021, patient data was put at risk, appointments were cancelled, COVID-19 testing was delayed—and the world saw once again how far cybercriminals were willing to go to make money. The hackers are believed to have targeted a zero-day vulnerability in a virtual private network (VPN) operated by the Irish Health Service Executive.
The Russian cybercrime group responsible for the attack, known as Wizard Spider, reportedly demanded a $19,999,000 ransom. After the Irish prime minister publicly declared that the country would not be paying the ransom, the healthcare system was forced to resort to keeping records on paper until the situation was resolved.
Spear Phishing
What is Ransomware? How is Ransomware Delivered?
15 July 2021
Ransomware is a widespread, serious threat. So far in 2021, we’ve seen ransomware attacks on hospitals, gas pipeline operators, and software firms supplying thousands of businesses. And the situation is getting worse. Research suggests that the overall cost of a ransomware attack doubled in the past year, rising from $761,106 in 2020 to $1.85 million in 2021—and that the global total cost of ransomware could exceed $265 billion per year by 2031.

This article will explain what ransomware is and how ransomware spreads. We’ll then analyze a recent ransomware attack to help you understand how this serious form of cybercrime works.

Types of ransomware attack

There are two main types of ransomware attacks. Both involve the victim downloading a malicious ransomware program. In the first type of ransomware attack, the malicious program encrypts the victim’s files, rendering them unreadable and unusable. To decrypt their files, the victim must pay a ransom—or else they’ll never be able to access them again. In the second type of ransomware attack, the malicious program transfers the victim’s files to the attacker. In this type of attack, the victim must pay a ransom to prevent their files from being published on the open web.

Either type of ransomware attack is avoidable. But ransomware can be devastating for any business, leading to extortion, recovery, and mitigation costs—not to mention a loss of your company’s time and reputation.

How is ransomware delivered?

For a ransomware attack to succeed, the threat actor must find a way to get the malicious ransomware program onto their target’s device. Let’s take a look at three key ways of achieving this.

Social engineering attacks

Social engineering attacks—such as phishing, spear phishing, or Business Email Compromise (BEC)—are normally cited as the leading cause of ransomware infection.
In a typical social engineering attack, the target receives a malicious email encouraging them to click a download link or download an attachment. While the email may look trustworthy, it contains a payload in the form of a ransomware file. The notorious “Ryuk” strain of ransomware spreads mostly via social engineering attacks. Security experts estimate that the Ryuk ransomware has earned cybercriminals over $150 million in ransom payments from companies worldwide.

Remote Desktop Protocol

Remote desktop protocol (RDP) enables a third party to take remote control of a person’s computer. RDP has legitimate uses, including enabling IT support services to troubleshoot software issues. But once a cybercriminal has admin access to your system, they can do pretty much whatever they want—including carrying out a ransomware attack. RDP was the root cause of several high-profile ransomware attacks, including the SamSam ransomware that forced Atlanta’s public authorities to pay out nearly $6 million in 2018.

Drive-by website download

A drive-by download attack occurs when a person downloads and installs a malicious file, for example via a website that has requested permission to download an executable file, JavaScript applet, or ActiveX component. When the victim clicks “Save” or runs the malicious download—whether due to carelessness or because they believe the file is legitimate—the ransomware installs itself and takes over their computer.

Analysis of a ransomware attack

Here’s a recent example of a ransomware attack, to help you understand how this devastating form of cybercrime works. On July 3, 2021, hours before the long Independence Day weekend started in the U.S., thousands of workers got a message on their computer screens: “Your computer has been infected!” These infected computers had recently installed an update of Kaseya’s IT management software—an update that had been infected with the REvil ransomware.
This type of “supply chain” attack is an increasingly common vector for malware. Here’s the ransom note that workers saw (shortly before they’d planned to go home for the holidays):
Let’s break this message down. The message informs the ransomware victim that:

- Their computer has been infected and their files have been encrypted (rendered unreadable).
- They must purchase specialist decryption software from the cybercriminals. If they attempt to decrypt their files themselves, the files will be permanently deleted.
- They must pay in a cryptocurrency called Monero (XMR). The price is 217.29 XMR (around $45,000) if they pay within six days, after which the price will double.

You might be surprised to see the level of sophistication involved in this attack. The victim is offered a “trial decryption”, “chat support”, and a guide to buying Monero. Ransomware is becoming a quasi-professional criminal industry.

And note that $45,000 is actually a relatively modest ransom. But the Kaseya attack appears to have affected thousands of companies, directly and indirectly—so the cybercriminals are likely to make millions of dollars. The gang is also demanding $70 million for a “global” decryptor. Looking for more examples of ransomware? Check out this article.
Spear Phishing
What is Business Email Compromise (BEC)? How Does it Work?
13 July 2021
In this article, we’ll look at why cybercriminals use BEC, how it works, and why it remains a serious problem. Looking for examples of BEC attacks or information about how to prevent business email compromise instead? Check out these pages:

- How to overcome this multi-billion dollar threat
- Real-world examples of Business Email Compromise

Why compromise a business email account?

BEC is a tried-and-tested cyberattack method that costs consumers and businesses billions every year. So what makes BEC such a prevalent cybercrime technique? Simply put: cybercriminals use BEC as a way to make social engineering attacks more effective.

A social engineering attack is any form of cybercrime involving impersonation. The attacker pretends to be a trusted person so that the target does what they’re told. According to Verizon’s 2021 Data Breach Investigation Report (DBIR), BEC is the second-most common type of social engineering attack. Here are some examples of social engineering attacks that can involve BEC:

- Phishing: A social engineering attack conducted via email (smishing and vishing are social engineering attacks conducted via SMS and voice respectively)
- CEO fraud: A phishing attack where the attacker impersonates a company executive
- Whaling: A phishing attack targeting a corporate executive
- Wire transfer fraud: A phishing attack where the attacker persuades the target to transfer money to their account

All these social engineering attacks involve some sort of impersonation. Fraudsters use every tool available to make their impersonation more convincing. And one of the best tools available is a genuine — or genuine looking — business email address. BEC attacks target both individuals and businesses, and the attacker will (generally) use BEC to gain access to one of the following:

- Money: According to Verizon’s 2021 Data Breach Investigation Report, the vast majority of cyberattacks are financially motivated.
- Account credentials: A fraudulent email might contain a phishing link leading to a fake account login page. The FBI warns that this BEC variant is on the rise.
- Gift certificates: BEC attackers can persuade their target to purchase gift certificates rather than transferring them money. The FTC put out a warning about this increasingly common type of scam in May 2021.

Now you know why cybercriminals launch BEC attacks, we’re going to look at how they do it.

How does BEC work?

There are various competing definitions of BEC — so before we explain the process, let’s clarify what we mean when we use this term. A BEC attack is any phishing attack where the target believes they have received an email from a genuine business. As noted by Verizon, “BEC doesn’t even have to compromise a business email address. Your.CEO@davesmailservice.com comes up all too often in our dataset.” There are several methods that a cybercriminal can use to achieve this, including:

- Email impersonation
- Email spoofing
- Email account takeover

Let’s look at each of these techniques. Email impersonation is where the attacker sets up an email account that looks like a business email account. Here’s an example:
In this case, we can imagine Leon Green really is Tess’ boss and that an invoice for Amazon really is due to be paid. This information is easy enough to find online. But, note that the sender’s email address is “leon.green@micrott.com”.  If you look carefully, you’ll see Microsoft is misspelled.  Many people miss small details like this. Worse still, mobile email clients typically only show the sender’s display name and hide their email address.
Email spoofing is where the attacker modifies an email’s envelope and header. The receiving mail server thinks the email came from a corporate domain and the recipient’s email client displays incorrect sender information. You can read more about email spoofing – and see an example of a spoofed email header – in this article: What is Email Spoofing? How Does Email Spoofing Work?

In account takeover (ATO), the attacker gains access to a corporate email account, whether via hacking or by using stolen account credentials. They gather information about the user’s contacts, email style, and personal data — then they use the account to send a phishing email.
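As an added, defender-side illustration (not Tessian’s code or the article’s), the Python below checks for two of the signals just described: a From domain that is a few edits away from a trusted domain, like micrott.com standing in for microsoft.com, and a Return-Path (envelope sender) whose domain does not match the From header’s domain, one common artefact of header spoofing. The trusted-domain list, the edit-distance threshold and the two sample messages are constructed assumptions.

```python
"""Defender-side checks for two BEC techniques: lookalike sender domains
(email impersonation) and envelope/header domain mismatch (spoofing).

Added example, not Tessian's code. Trusted domains, threshold and the
sample messages below are constructed assumptions for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organisation's own domain, as in the page's Leon Green example.
TRUSTED_DOMAINS = {"microsoft.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 3):
    """Return the trusted domain that `domain` imitates, or None.

    An exact match is legitimate. A domain within `max_distance` edits of a
    trusted domain is treated as a lookalike (micrott.com is 3 edits from
    microsoft.com). The threshold is a tuning assumption: loose for very
    short domains, strict for long ones.
    """
    domain = domain.lower().strip()
    if domain in trusted:
        return None
    for t in trusted:
        if levenshtein(domain, t) <= max_distance:
            return t
    return None


def domain_of(header_value: str) -> str:
    """Lower-cased domain of the address in a From/Return-Path header."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def analyze(raw_message: str) -> dict:
    """Run both checks over a raw RFC 5322 message and report the findings."""
    msg = message_from_string(raw_message)
    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From", ""))
    return_path_domain = domain_of(msg.get("Return-Path", ""))
    return {
        "display_name": display_name,        # what a mobile client shows
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "lookalike_of": lookalike_of(from_domain),
        # Mailing lists and bulk senders also mismatch here, so treat this
        # as a signal to weigh with others, not a verdict on its own.
        "envelope_mismatch": bool(return_path_domain)
        and return_path_domain != from_domain,
    }


# Constructed sample 1: the lookalike address from the page's example.
SAMPLE_IMPERSONATION = """\
Return-Path: <leon.green@micrott.com>
From: "Leon Green" <leon.green@micrott.com>
To: tess@microsoft.com
Subject: Amazon invoice due today

Please pay the attached invoice before 5pm.
"""

# Constructed sample 2: header claims the real domain, envelope does not.
SAMPLE_SPOOF = """\
Return-Path: <bounce@mailer.attacker.invalid>
From: "Leon Green" <leon.green@microsoft.com>
To: tess@microsoft.com
Subject: Amazon invoice due today

Please pay the attached invoice before 5pm.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_IMPERSONATION, SAMPLE_SPOOF):
        print(analyze(sample))
```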
Application impersonation

In recent years, there’s been a rise in the number of scams that use “application impersonation”. In an application impersonation attack, the target receives an email that appears to be an automated notification sent via a workplace application, such as Zoom, Office 365, or Gmail. Here’s an example — a phishing email masquerading as a notification from Microsoft Teams, which was detected and prevented by Tessian Defender:
Clicking the link will take the user to a sign-in page which will harvest their login credentials. Impersonation of automated business emails is an increasingly common threat. Research from GreatHorn suggests that business-related applications accounted for around 45% of impersonation-related attacks in early 2021.

How serious is BEC?

We know BEC is a common cyberattack method. But how many businesses are affected, and how badly? Because many BEC attacks go unnoticed — and because different organizations use different definitions of BEC — there’s no simple answer. So what do we know about the prevalence of BEC? The best source of cybercrime statistics comes from the FBI’s Internet Crime Complaint Center (IC3), which reports that:

Between 2016 and 2020, the IC3 recorded 185,718 BEC incidents worldwide, resulting in losses totaling over $28 billion.
In 2020, losses from BEC exceeded $1.8 billion — a fourfold increase since 2016.
The number of BEC incidents went up by 61% between 2016 and 2020.

Next steps

We’ve looked at the different types of BEC, how a BEC attack works, and how serious and pervasive this form of cybercrime has become. Next, let’s look at examples of BEC attacks. This will help you learn from the experiences of other organizations. Or you can learn how Tessian prevents BEC attacks here.
Spear Phishing
CEO Fraud Prevention: 3 Effective Solutions
08 July 2021
CEO fraud is a type of cybercrime in which the attacker impersonates a CEO or other company executive. The fraudster will most often use the CEO’s email account — or an email address that looks very similar to the CEO’s — to trick an employee into transferring them money. That means that, like other types of Business Email Compromise (BEC), CEO fraud attacks are very difficult for employees and legacy solutions like SEGs to spot.

But, there are still ways to prevent successful CEO fraud attacks. The key? Take a more holistic approach by combining training, policies, and technology. If you want to learn more about BEC before diving into CEO fraud, you can check out this article: Business Email Compromise: What it is and How it Happens. You can also get an introduction to CEO Fraud in this article: What is CEO Fraud?

1. Raise employee awareness

Security is everyone’s responsibility. That means everyone – regardless of department or role – must understand what CEO fraud looks like. Using real-world examples to point out common red flags can help.
It’s important to point out the lack of spelling errors. Poor spelling and grammar can be a phishing indicator, but this is increasingly unlikely in today’s more sophisticated cybercrime environment. Also, notice the personal touches — Sam’s familiar tone, his references to Kat working from home, and his casual email sign-off. Fraudsters go to great efforts to research their subjects and their targets, whether via hacking or simply using publicly available information.

These persuasive elements aside, can you spot the red flags? Let’s break them down:

The sender’s email address: The domain name is “abdbank.com” (which looks strikingly similar to abcbank.com, especially on mobile). Domain impersonation is a common tactic for CEO fraudsters.
The sense of urgency: The subject line, the ongoing meeting, the late invoice. Creating a sense of urgency is near-universal in social engineering attacks. Panicked people make poor decisions.
The authoritative tone: “Please pay immediately”: there’s a reason cybercriminals impersonate CEOs — they’re powerful, and people tend to do what they say.
Playing on the target’s trust: “I’m counting on you”. Everyone wants to be chosen to do the boss a favor.
Westinghouse’s “new account details”: CEO fraud normally involves “wire transfer phishing” — this new account is controlled by the cybercriminals.

Your cybersecurity staff training program should educate employees on how to recognize CEO fraud, and what to do if they detect it.

Check the sender’s email address for discrepancies. This is a dead giveaway of email impersonation. But remember that corporate email addresses can also be hacked or spoofed.
Feeling pressured? Take a moment. Is this really something the CEO is likely to request so urgently?
New account details? Always verify the payment. Don’t pay an invoice unless you know the money’s going to the right place.

Looking for a resource that you can share with your employees?
We put together an infographic outlining how to spot a spear phishing email. While these are important lessons for your employees, there’s only so much you can achieve via staff training. Humans are often led by emotion, and they’re not good at spotting the small giveaways that might reveal a fraudulent email. Sometimes, even security experts can’t! More on this here: Pros and Cons of Phishing Awareness Training. 
2. Implement best cybersecurity practices

Beyond staff training, every thriving company takes an all-round approach to cybersecurity that minimizes the risk of serious fallout from an attack. Here are some important security measures that will help protect your company’s assets and data from CEO fraud:

Put a system in place so employees can verify large and non-routine wire transfers, ideally via phone
Protect corporate email accounts and devices using multi-factor authentication (MFA)
Ensure employees maintain strong passwords and change them regularly
Buy domains that are similar to your company’s brand name to prevent domain impersonation
Regularly patch all software
Closely monitor financial accounts for irregularities such as missing deposits
Deploy an email security solution

All the above points are crucial cybersecurity controls. But let’s take a closer look at that final point — email security solutions.

3. Deploy intelligent inbound email security

Because CEO fraud attacks overwhelmingly take place via email (along with 96% of all phishing attacks), installing email security software is one of the most effective steps you can take to prevent this type of cybercrime. But not just any email security solution. Legacy solutions like SEGs and spam filters, and Microsoft and Google’s native tools, generally can’t spot sophisticated attacks like CEO fraud. Why? Because they rely almost entirely on domain authentication and payload inspection. Social engineering attacks like CEO fraud easily evade these mechanisms.

Tessian is different. Tessian Defender uses machine learning (ML), anomaly detection, behavioral analysis, and natural language processing (NLP) to detect a variety of signals indicative of CEO fraud. Tessian’s machine learning algorithms analyze your company’s email data. The software learns every employee’s normal communication patterns and maps their trusted email relationships — both inside and outside your organization.
Tessian inspects both the content and metadata of inbound emails for any signals suggestive of CEO fraud. For example, suspicious payloads, anomalous geophysical locations, out-of-the-ordinary IP addresses and email clients, keywords that suggest urgency, or unusual sending patterns. Once it detects a threat, Tessian alerts employees that an email might be unsafe, explaining the threat in easy-to-understand language.
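A minimal rule-based version of the red-flag checks from the awareness section above (lookalike sender domain, urgency wording, new account details), written as an added example for this page and not code from Tessian Defender or any other product. The trusted domains, the names and the two sample emails are constructed for the example; real deployments would feed the trusted list from the organization’s own vendor and partner records.

```python
"""Rule-based triage for the CEO-fraud red flags discussed above.

Three checks: (1) the sender domain is a lookalike of a trusted domain,
(2) urgency wording, (3) a request to pay to new or changed bank details.
All names, domains and the sample emails are constructed for this example.
"""
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# The organisation's own domain plus known vendors/partners (constructed list).
TRUSTED_DOMAINS = {"abcbank.com", "microsoft.com", "westinghouse.com"}

# Similarity above which a non-trusted domain is treated as an imitation.
LOOKALIKE_THRESHOLD = 0.8

URGENCY_TERMS = ("immediately", "urgent", "asap", "right away", "as soon as possible")

ACCOUNT_CHANGE_PATTERNS = (
    r"new (bank )?account( details)?",
    r"updated? (our )?(bank|banking|payment) (details|information)",
    r"changed? (of )?(bank|account) details",
)


def lookalike_domain(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` most resembles, or None.

    An exact match is legitimate and returns None; so does a domain that is
    not similar enough to any trusted one (e.g. an unrelated webmail domain).
    SequenceMatcher's ratio catches single-character swaps (abdbank.com vs
    abcbank.com) as well as truncations (micrott.com vs microsoft.com).
    """
    domain = domain.lower()
    if domain in trusted:
        return None
    best, best_ratio = None, 0.0
    for candidate in trusted:
        ratio = SequenceMatcher(None, domain, candidate).ratio()
        if ratio > best_ratio:
            best, best_ratio = candidate, ratio
    return best if best_ratio >= LOOKALIKE_THRESHOLD else None


def _plain_text_body(msg):
    """Collect text/plain content; a single-part message is returned as-is."""
    if not msg.is_multipart():
        return msg.get_payload()
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            parts.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    return "\n".join(parts)


def triage(raw_email, trusted=TRUSTED_DOMAINS):
    """Score one RFC 822 message and return the red flags found."""
    msg = message_from_string(raw_email)
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    text = (msg.get("Subject", "") + "\n" + _plain_text_body(msg)).lower()

    flags = []
    imitated = lookalike_domain(sender_domain, trusted)
    if imitated:
        flags.append(f"lookalike sender domain {sender_domain} (resembles {imitated})")
    urgency = [term for term in URGENCY_TERMS if term in text]
    if urgency:
        flags.append("urgency wording: " + ", ".join(urgency))
    if any(re.search(pattern, text) for pattern in ACCOUNT_CHANGE_PATTERNS):
        flags.append("request to pay to new or changed account details")

    # Two or more independent flags: hold the message and verify out of band.
    if len(flags) >= 2:
        verdict = "hold for verification"
    elif flags:
        verdict = "review"
    else:
        verdict = "no flags"
    return {"sender_domain": sender_domain, "flags": flags, "verdict": verdict}


# Constructed sample modelled on the red flags listed above (not a real email).
SAMPLE_FRAUD = """\
From: Sam Hill <sam.hill@abdbank.com>
To: Kat Lee <kat.lee@abcbank.com>
Subject: URGENT: Westinghouse invoice

Kat, I'm in a meeting all morning. The Westinghouse invoice is late, so please
pay immediately using their new account details below. I'm counting on you.
"""

# Constructed benign message from the genuine domain.
SAMPLE_LEGIT = """\
From: Sam Hill <sam.hill@abcbank.com>
To: Kat Lee <kat.lee@abcbank.com>
Subject: Q3 planning notes

Kat, attached are the notes from Tuesday. No action needed this week.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_FRAUD, SAMPLE_LEGIT):
        print(triage(sample))
```

The lookalike check alone is not a verdict: a legitimate vendor on a new domain would also trip it, which is why the sample policy only holds a message when two independent flags coincide and a phone verification step (as recommended in section 2) settles it.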
Click here to learn more about how Tessian Defender protects your team from CEO fraud and other email-based cybersecurity attacks. You can also explore our customer stories to see how they’re using Tessian Defender to protect their people on email and prevent social engineering attacks like CEO Fraud.
Spear Phishing
8 Real-World Examples of Business Email Compromise (Updated 2021)
10 June 2021
Business Email Compromise (BEC) attacks use real or impersonated business email accounts to defraud employees. The FBI calls BEC a “$26 billion scam” that affects thousands of businesses every year. This article will look at some examples of BEC attacks that have cost organizations money, time, and reputation — to help you avoid making the same mistakes.

Not sure what BEC is? We tell you everything you need to know about it – including how it works – in this article: What is Business Email Compromise and How Does it Work? You can also learn how Tessian prevents BEC for organizations across industries here.

1. $17.2m acquisition scam

Our first example demonstrates how fraudsters can play on a target’s trust and exploit interpersonal relationships. In June 2014, Keith McMurtry, a Scoular employee, received an email supposedly from his boss, CEO Chuck Elsea. The email informed McMurtry that Scoular was set to acquire a Chinese company. Elsea instructed McMurtry to contact a lawyer at accounting firm KPMG. The lawyer would help facilitate a transfer of funds and close the deal. McMurtry obeyed, and he soon found himself transferring $17.2 million to a Shanghai bank account in the name of “Dadi Co.”

The CEO’s email, as you might have guessed, was fraudulent. The scammers had used email impersonation to create accounts imitating both Elsea and the KPMG lawyer. Aside from the gargantuan $17.2m loss, what’s special about the Scoular scam? Take a look at this excerpt from the email, provided by FT.com, from “Elsea” to McMurtry: “We need the company to be funded properly and to show sufficient strength toward the Chinese. Keith, I will not forget your professionalism in this deal, and I will show you my appreciation very shortly.” Given the emotive language, the praise, and the promise of future rewards — it’s easy to see why an employee would go along with a scam like this.

2. Law enforcement turns a blind eye to nonprofit’s $625,000 BEC loss

BEC rates have been rising for several years, as demonstrated by 2021 data from the FBI’s Internet Crime Complaint Center (IC3). The IC3 says that in 2020, losses from BEC exceeded $1.8 billion — that’s a fourfold increase since 2016. The number of BEC incidents also rose by 61% between 2016 and 2020. So perhaps it’s unsurprising — if somewhat disheartening — that law enforcement agencies are struggling to cope with all the BEC incidents that companies are reporting to them.

In June 2021, we learned that San Francisco-based homelessness charity Treasure Island fell victim to a devastating, month-long $625,000 BEC attack after hackers infiltrated the organization’s bookkeeper’s email system. The hackers found and manipulated a legitimate invoice used by one of Treasure Island’s partner organizations. Staff at Treasure Island transferred a loan intended for the partner organization straight into the cybercriminals’ bank account. The nonprofit sadly lacked cybercrime insurance. But even worse — the U.S. Attorney’s Office in San Francisco, which would have been responsible for leading an investigation into the BEC attack, reportedly declined to investigate the incident. This case serves as a reminder that, when it comes to cybercrime, prevention is always better than cure. Building security into your systems is the only viable way to avoid the losses associated with BEC attacks.

3. BEC scammers exploit COVID-19 fears

2020 was a turbulent year, and we saw cybercriminals exploiting people’s fear and uncertainty like never before. A particularly prevalent example was the trend of COVID-19-related BEC scams. As the pandemic spread, governments worldwide issued warnings about a surge in cyberattacks. In April 2020, for example, the FBI warned that scammers were “using the uncertainty surrounding the COVID-19 pandemic” to conduct BEC scams.
The FBI gave one example of an unnamed company, whose supposed supplier requested payments to a new account “due to the Coronavirus outbreak and quarantine processes and precautions.” Criminals will always seek to capitalize on chaos. In December 2020, Keeper reported that uncertainty caused by COVID-19, Brexit, and the move to remote working led to 70% of U.K. finance companies experiencing BEC attacks over the preceding year. Looking for more examples of scammers exploiting COVID-19 fears? We share four more and outline the red flags contained in each here. BONUS! There’s a downloadable guide at the bottom of the article.

4. Prison sentence for Atlanta BEC scammer

In June 2021, an Atlanta court sentenced Anthony Dwayne King to two and a half years in prison for his role in a BEC scam — but only after he’d earned nearly $250,000 ripping off businesses and individuals across four U.S. states. Between October 2018 and February 2019, King and his accomplices conducted BEC and vishing (phone phishing) operations, setting up fake companies and opening fraudulent bank accounts to redirect wire transfers. The cybercriminals targeted law firms and home movers but were thwarted by Georgia’s Cyber Fraud Task Force. As well as serving federal prison time, King will have to repay the money he stole from his victims.

5. Hacker group behind SolarWinds attack launches BEC campaign

The cybersecurity world was rocked in 2020 by the SolarWinds attacks, in which Russian group Nobelium (also known as Cozy Bear and APT29, among other names) pushed its malware into thousands of organizations’ systems via a software update. In March 2021, we learned about Nobelium’s new campaign. Rather than hijacking software updates provided by a trusted software provider, Nobelium’s most recent cybercrime spree leverages a trusted mass email provider.
Nobelium reportedly used email provider Constant Contact to send more than 3,000 emails to over 150 organizations, including government agencies. The emails were disguised as information about electoral fraud and contained a malicious payload designed to create a backdoor into the recipient’s computer. As companies worldwide attempt to recover from the impact of the SolarWinds attack, Nobelium’s follow-on campaign reminds us about the variety of threat vectors available to cybercrime groups. If you want to learn more about the SolarWinds attack, check out our conversation with world-renowned hacker Samy

6. $46.7m vendor fraud

In August 2015, IT company Ubiquiti filed a report to the U.S. Securities and Exchange Commission revealing it was the victim of a $46.7 million “business fraud.” This attack was an example of a type of BEC, sometimes called Vendor Email Compromise (VEC). The scammers impersonated employees at a third-party company and targeted Ubiquiti’s finance department. We still don’t know precisely how the cybercriminals pulled off this massive scam. VEC attacks previously relied on domain impersonation and email spoofing techniques, but these days, scammers are increasingly turning to the more sophisticated account takeover method.

7. Snapchat payroll information breach

Many high-profile BEC attacks target a company’s finance department and request payment of an invoice to a new account. But not all BEC scams involve wire transfer fraud. Here’s an example of how BEC scams can target data, as well as money. In February 2016, cybercriminals launched a BEC attack against social media firm Snapchat. Impersonating Snapchat’s CEO, the attackers obtained “payroll information about some current and former employees.” The scam resulted in a breach of some highly sensitive data, including employees’ Social Security Numbers, tax information, salaries, and healthcare plans.
Snapchat offered each affected employee two years of free credit monitoring and up to $1 million in reimbursement.

8. The big one: $121m BEC scam targeting Facebook and Google

Last — but by no means least — let’s look at the biggest known BEC scam of all time: a VEC attack against tech giants Facebook and Google that resulted in around $121 million in collective losses. The scam took place between 2013 and 2015 — and the man at the center of this BEC attack, Evaldas Rimasauskas, was sentenced to five years in prison in 2019. So how did some of the world’s most tech-savvy employees fall for this elaborate hoax? Rimasauskas and associates set up a fake company named “Quanta Computer” — the same name as a real hardware supplier. The group then presented Facebook and Google with convincing-looking invoices, which they duly paid to bank accounts controlled by Rimasauskas. As well as fake invoices, the scammers prepared counterfeit lawyers’ letters and contracts to ensure their banks accepted the transfers.

The Rimasauskas scam stands as a lesson to all organizations. If two of the world’s biggest tech companies lost millions to BEC over a two-year period — it could happen to any business.

Want to explore other examples of email attacks? Check out these articles:
6 Examples of Social Engineering Attacks
COVID-19: Real-Life Examples of Opportunistic Phishing Emails
Phishing Statistics (Updated 2021)
Human Layer Security Spear Phishing
Is Your Office 365 Email Secure?
By Maddie Rosenthal
02 June 2021
In July last year, Microsoft took down a massive fraud campaign that used knock-off domains and malicious applications to scam its customers in 62 countries around the world. But this wasn’t the first time a successful phishing attack was carried out against Office 365 (O365) customers. In December 2019, the same hackers gained unauthorized access to hundreds of Microsoft customers’ business email accounts. According to Microsoft, this scheme “enabled unauthorized access without explicitly requiring the victims to directly give up their login credentials at a fake website…as they would in a more traditional phishing campaign.”

Why are O365 accounts so vulnerable to attacks?

Exchange Online/Outlook – the cloud email application for O365 users – has always been a breeding ground for phishing, malware, and very targeted data breaches. Though Microsoft has been ramping up its O365 email security features with Advanced Threat Protection (ATP) as an additional layer to Exchange Online Protection (EOP), both tools have failed to meet expectations because of their inability to stop newer and more innovative social engineering attacks, business email compromise (BEC), and impersonations. One of the biggest challenges with ATP in particular is its time-of-click approach, which requires the user to click on URLs within emails to activate analysis and remediation.

Is O365 ATP enough to protect my email?

We believe that O365’s native security controls do protect users against bulk phishing scams, spam, malware, and domain spoofing. And these tools are great when it comes to stopping broad-based, high-volume, low-effort attacks – they offer a baseline protection. For example, you don’t need to add signature-based malware protection if you have EOP/ATP for your email, as these are proven to be quite efficient against such attacks.
These tools employ the same approach used by network firewalls and email gateways – they rely on a repository of millions of signatures to identify ‘known’ malware. But, this is a big problem because the threat landscape has changed in the last several years. Email attacks have mutated to become more sophisticated and targeted, and hackers exploit user behavior to launch surgical and highly damaging campaigns on people and organizations. Attackers use automation to make small, random modifications to existing malware signatures and use transformation techniques to bypass these native O365 security tools. Unsuspecting – and often untrained – users fall prey to socially engineered attacks that mimic O365 protocols, domains, notifications, and more. See below for a convincing example.
It is because such loopholes exist in O365 email security that Microsoft continues to be one of the most breached brands in the world.

What are the consequences of a compromised account?

There is a lot at stake if an account is compromised. With ~180 million O365 active email accounts, organizations could find themselves at risk of data loss or a breach, which means revenue loss, damaged reputation, customer churn, disrupted productivity, regulatory fines, and penalties for non-compliance. This means they need to quickly move beyond relying on largely rule- and reputation-based O365 email filters to more dynamic ways of detecting and mitigating email-originated risks.

Enter machine learning and behavioral analysis.

There has been a surge in the availability of platforms that use machine learning algorithms. Why? Because these platforms detect and mitigate threats in ways other solutions can’t and help enterprises improve their overall security posture. Instead of relying on static rules to predict human behavior, solutions powered by machine learning actually adapt and evolve in tandem with relationships and circumstances. Machine learning algorithms “study” the email behavior of users, learn from it, and – finally – draw conclusions from it. But, not all ML platforms are created equal. There are varying levels of complexity (going beyond IP addresses and metadata to natural language processing); algorithms learn to detect behavior anomalies at different speeds (static vs. in real-time); and they can achieve different scales (the number of data points they can simultaneously study and analyze).

How does Tessian prevent threats that O365 security controls miss?

Tessian’s Human Layer Security platform is designed to offset the rule-based and sandbox approaches of O365 ATP to detect and stop newer and previously unknown attacks from external sources, domain / brand / service impersonations, and data exfiltration by internal actors.
Learn more about why rule-based approaches to spear phishing attacks fail. By dynamically analyzing current and historical data, communication styles, language patterns, and employee project relationships both within and outside the organization, Tessian generates contextual employee relationship graphs to establish a baseline of normal behavior. By doing this, Tessian turns both your employees and your email data into an organization’s biggest defenses against inbound and outbound email threats. Conventional tools focus on just securing the machine layer – the network, applications, and devices. By uniquely focusing on the human layer, Tessian can make clear distinctions between legitimate and malicious email interactions and warn users in real-time to reinforce training and policies to promote safer behavior.

How can O365 ATP and Tessian work together?

Often, customers ask us which approach is better: the conventional, rule-based approach of the O365 native tools, or Tessian’s approach powered by machine learning? The answer is, each has its unique place in building a comprehensive email security strategy for O365. But, no organization that deals with sensitive, critical, and personal data can afford to overlook the benefits of an approach based on machine learning and behavioral analysis. A layered approach that leverages the tools offered by O365 for high-volume attacks, reinforced with next-gen tools for detecting the unknown and evasive ones, would be your best bet. A very short implementation time coupled with the algorithm’s ability to ‘learn’ from historical email data over the last year – all within 24 hours of deployment – means Tessian could give O365 users just the edge they need to combat modern day email threats.
Spear Phishing
What are Deepfakes? Are They a Security Threat?
26 May 2021
According to a recent Tessian survey, 74% of IT leaders think deepfakes are a threat to their organizations’ and their employees’ security*. Are they right to be worried? We take a look. What is a deepfake?
Deepfakes are highly convincing, and successfully trick people into believing that a person did or said something that never happened. Most people associate deepfakes with misinformation, and the use of deepfakes to imitate leaders or celebrities could present a major risk to people’s reputations and to political stability. Deepfake tech is still young, and not yet sophisticated enough to deceive the public at scale. But some reasonably convincing deepfake clips of Barack Obama and Mark Zuckerberg have provided a glimpse of what the technology is capable of. But deepfakes are also an emerging cybersecurity concern, and businesses will increasingly need to defend against them as the technology improves. Here’s why security leaders are taking steps to protect their companies against deepfakes.

How could deepfakes compromise security?

Cybercriminals can use deepfakes in social engineering attacks to trick their targets into providing personal information, account credentials, or money. Social engineering attacks, such as phishing, have always relied on impersonation: some of the most effective types involve pretending to be a trusted corporation (business email compromise), a company’s supplier (vendor email compromise), or the target’s boss (CEO fraud). Typically, this impersonation takes place via email. But with deepfakes, bad actors can leverage multiple channels.

Imagine your boss emails you to make an urgent wire transfer. It seems like an odd request for her to make but, just as you’re reading the email, your phone rings. You pick it up and hear a voice that sounds exactly like your boss’s, confirming the validity of the email and asking you to transfer the funds ASAP. What would you do? The bottom line is: Deepfake generation adds new ways to impersonate specific people and leverage employees’ trust.
Examples of deepfakes The first known deepfake attack occurred in March 2019 and was revealed by insurance company Euler Hermes (which covered the cost of the incident). The scam started when the CEO of a U.K. energy firm got a call from his boss, the head of the firm’s German parent company—or rather, someone the CEO thought was his boss. According to Euler Hermes, the U.K.-based CEO heard his boss’s voice—which had exactly the right tone, intonation, and subtle German accent—asking him to transfer $243,000, supposedly into the account of a Hungarian supplier. The energy firm’s CEO did as he was asked—only to learn later that he had been tricked. Fraud experts at the insurance firm believe this was an example of an AI-driven deepfake phishing attack. And in July 2020, Motherboard reported a failed deepfake phishing attempt targeting a tech firm. Even more concerning—an April 2021 report from Recorded Future found evidence that malicious actors are increasingly looking to leverage deepfake technology to use in cybercrime. The report shows how users of certain dark web forums, plus communities on platforms like Discord and Telegram, are discussing how to use deepfakes to carry out social engineering, fraud, and blackmail. Consultancy Technologent has also warned that new patterns of remote working are putting employees at an even greater risk of falling victim to deepfake phishing—and reported three such cases among its clients in 2020.
But is deepfake technology really that convincing? Deepfake technology is improving rapidly.  In her book Deepfakes: The Coming Infopocalypse, security advisor Nina Schick describes how recent innovations have substantially reduced the amount of time and data required to generate a convincing fake audio or video clip via AI. According to her, “this is not an emerging threat. This threat is here. Now”.   Perhaps more worryingly—deepfakes are also becoming much easier to make.  Deepfake expert Henry Ajder notes that the technology is becoming “increasingly democratized” thanks to “intuitive interfaces and off-device processing that require no special skills or computing power.” And last year, Philip Tully from security firm FireEye warned that non-experts could already use AI tools to manipulate audio and video content. Tully claimed that businesses were experiencing the “calm before the storm”—the “storm” being an oncoming wave of deepfake-driven fraud and cyberattacks.
How could deepfakes compromise election security?

There’s been a lot of talk about how deepfakes could be used to compromise the security of the 2020 U.S. presidential election. In fact, an overwhelming 76% of IT leaders believe deepfakes will be used as part of disinformation campaigns in the election*. Fake messages about polling site disruptions, opening hours, and voting methods could affect turnout or prevent groups of people from voting. Worse still, disinformation and deepfake campaigns – whereby criminals swap out the messages delivered by trusted voices like government officials or journalists – threaten to cause even more chaos and confusion among voters.

Elvis Chan, a Supervisory Special Agent assigned to the FBI, told us that people are right to be concerned. “Deepfakes may be able to elicit a range of responses which can compromise election security,” he said. “On one end of the spectrum, deepfakes may erode the American public’s confidence in election integrity. On the other end of the spectrum, deepfakes may promote violence or suppress turnout at polling locations.” So, how can you spot a deepfake and how can you protect your people from them?
How to protect yourself and your organization from deepfakes

AI-driven technology is likely to be the best way to detect deepfakes in the future. Machine learning techniques already excel at detecting phishing via email because of how they can detect tiny irregularities and anomalies that humans can’t spot. But for now, here are some of the best ways to help ensure you’re prepared for deepfake attacks:

Ensure employees are aware of all potential security threats, including the possibility of deepfakes. Tessian research* suggests that 61% of IT leaders are already training their teams about deepfakes, with a further 27% planning to do so.
Create a system whereby employees can verify calls via another medium, such as email. Verification is a good way to defend against conventional vishing (phone phishing) attacks, as well as deepfakes.
Maintain a robust security policy, so that everyone on your team knows what to do if they have a concern.
Threat Intel Spear Phishing
How Cybercriminals Exploited The Covid-19 Vaccine Roll-Out
By Tessian
10 May 2021
The National Cyber Security Centre (NCSC) recently revealed that it removed more online scams in 2020 than in 2016-2019 combined, due to a surge in malicious activity related to the Covid-19 pandemic. In a report published by the NCSC’s Active Cyber Defence program, it’s revealed that more than 120 phishing campaigns in which the NHS was impersonated were detected in 2020 – up from 36 in 2019. The lure commonly used in these scams? The vaccine roll-out.

How have cybercriminals taken advantage of the Covid-19 vaccine?

Tessian researchers have been monitoring phishing campaigns related to the vaccination roll-out since the start of 2021, and their findings clearly demonstrate how quickly cybercriminals will jump on milestone moments to craft convincing scams. In fact, in the week commencing January 4th 2021, Tessian data shows that the number of scam emails related to the vaccine was 188% higher than the weekly average of such scams detected in 2021. It was during this week that the UK began distributing the AstraZeneca/Oxford vaccine.

Our researchers also saw significant spikes in suspicious emails related to the vaccine during the:

Week commencing 25th January, when the Biden administration promised to have enough coronavirus vaccine for the entire US population by the end of summer. During this week, the number of suspicious emails relating to vaccines increased by 585% compared to the previous week.
Week commencing February 8th, when U.S. government officials announced that around 1 in 10 Americans had received the first dose of the two-part Covid-19 vaccine. The number of suspicious emails was 148% higher than the weekly average of vaccine-related scams detected by Tessian in 2021.
Week commencing February 15th, when G7 countries pledged $4 billion to global Covid-19 vaccine initiatives. Suspicious emails related to the vaccine were 133% higher than the weekly average.
Week commencing March 1st, when President Biden announced that vaccines will be available for every US adult by May. The number of suspicious emails related to vaccines during this week were up by 161% compared to the previous week.  Now that the vaccine roll-out is well and truly underway, with many people having received both doses of the jab, Tessian researchers reported a significant drop in the number of scams. This a clear indication that hackers were responding to hot topics in the news to apply a sense of urgency and timeliness to their malicious campaigns.
Why are these phishing attacks so effective?

After a year of stress and uncertainty, people were desperately waiting for the vaccine roll-out. People urgently wanted to find out when they would get the vaccine and where they could receive the jab, and many more wanted to research and understand potential side effects. In response, cybercriminals capitalized on people’s desire for more information. They created fake websites, to which people were lured via phishing scams, and tricked their targets into sharing personal or financial data in exchange for the information they were looking for. Tying their campaigns to timely moments in the news added another layer of urgency.

In fact, additional Tessian research revealed that a significant number of website domains related to the Covid-19 vaccine were registered in the early days of the roll-out, with over 2,600 new website domains being created between 5 December 2020 and 10 January 2021. Many of these domains impersonated legitimate healthcare websites, touted misinformation around injection side effects, and falsely claimed to offer guidance around the timing and logistics of distribution. The reason these phishing scams are so effective is that hackers use techniques which prey on people’s vulnerabilities during times of crisis. In a report we published with Jeff Hancock, Professor of Communication at Stanford University and expert in trust and deception, he said, “when people are stressed and distracted, they tend to make mistakes or decisions they later regret.”

What does a vaccine scam look like?

Oftentimes, cybercriminals impersonated trusted healthcare organizations or government agencies to trick their victims into thinking they’d received an email from a legitimate source, as shown in the example below.
In other examples detected by Tessian, bad actors impersonated Human Resources departments, urging staff to click on links or download malicious attachments that supposedly contained information about the vaccine roll-out and/or infected employees. Below is an example received by a global financial services enterprise, and detected by Tessian Defender. In this case:

The attacker registered a domain to impersonate an outsourced Human Resources function in a phishing email.

The phishing email used Covid-19 as the theme and used fear and urgency tactics to announce a “Covid-19 Emergency”, seemingly providing a list of known infected persons.

The aim was to encourage those who received the email to click a link to a PDF which claimed to contain information about the emergency and a list of infected individuals.

The attacker used the name of the financial services organization in the name of the file linked to in the URL. This implies that the attack was highly targeted; the recipient would assume that the link was legitimate.

It’s likely that the file linked to in the URL carried malicious content (such as embedded scripts) designed to infect the target’s device.
How to spot a Covid-19 scam

Always be wary of emails purporting to come from healthcare organizations asking you to click on links to ‘find out more’. Always check the sender name and address to verify the sender’s identity, particularly if you’re reading the email on your phone, where mail clients often show only the display name. It’s also important to question any websites that request personal data. Domains that spoof government healthcare websites, like the Centers for Disease Control and Prevention (CDC), are especially dangerous, as cyber criminals could steal extremely sensitive information such as Social Security numbers and health information like insurance or medical history details.

At a time when phishing scams are only growing in frequency and sophistication, always think twice before entering your personal information online and remember: if it doesn’t look right, it probably isn’t. You can always verify a request by contacting the sender directly, via another means of communication, to check it’s the real thing.
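The advice to check the sender name and address, and the outsourced-HR lure described above (a freshly registered domain carrying a trusted vendor’s name), can be turned into an automated check. The Python below is an added example, not Tessian’s code: it parses the From and Reply-To headers, flags a display name that carries a different address than the real one, a Reply-To pointing elsewhere, and a sender domain that imitates a known vendor domain either by embedding the brand or by a small edit or look-alike character. The known-domain list, the confusable table and the sample message are constructed assumptions for illustration; a real deployment would load its own vendor list.

```python
"""Sender checks for a suspicious email (added example, not Tessian's code).

The raw message and the list of known-good domains are constructed
assumptions for illustration; a real deployment would load its own list.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains this organisation genuinely receives HR/vendor mail from.
KNOWN_DOMAINS = {"hr-partner.com", "example-corp.com"}

# Characters attackers swap in because they look alike at a glance.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalise(domain: str) -> str:
    """Undo common look-alike substitutions so 'c0rp' compares as 'corp'."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, dynamic-programming version (no extra packages)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, known=KNOWN_DOMAINS):
    """Return the known domain that `domain` imitates, or None if it is either
    genuinely known or unrelated. Covers a brand embedded in a longer or deeper
    name (hr-partner-covid19.com, hr-partner.com.evil.net) and small edits or
    confusable characters (hr-partner.co, example-c0rp.com)."""
    domain = domain.lower()
    if domain in known:
        return None
    registrable = ".".join(domain.split(".")[-2:])  # crude last-two-labels view
    for k in known:
        brand = k.split(".")[0]
        if brand in domain:
            return k
        if edit_distance(normalise(registrable), normalise(k)) <= 2:
            return k
    return None


def check_sender(raw_message: str) -> dict:
    """Parse the From/Reply-To headers and list the reasons to distrust them."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []

    imitated = lookalike_of(domain)
    if imitated:
        findings.append(f"sender domain {domain} imitates {imitated}")

    # A display name that carries its own address targets mobile clients,
    # which often show only the name and hide the real address.
    if "@" in display:
        name_domain = display.rsplit("@", 1)[-1].strip('<>" ').lower()
        if name_domain != domain:
            findings.append(f"display name shows {name_domain}, address is {domain}")

    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != domain:
        findings.append(f"replies are redirected to {reply_to}")

    return {"from": addr, "domain": domain, "findings": findings}


# Constructed sample modelled on the outsourced-HR lure described above.
SAMPLE = """\
From: "HR Team hr@hr-partner.com" <notifications@hr-partner-covid19.com>
Reply-To: hr.covid.response@gmail.com
To: staff@example-corp.com
Subject: COVID-19 EMERGENCY - list of infected employees

Open the linked PDF immediately to see who has tested positive.
"""

if __name__ == "__main__":
    for finding in check_sender(SAMPLE)["findings"]:
        print("!", finding)
```

Run against the constructed sample, all three checks fire: the domain embeds the vendor brand, the display name advertises hr-partner.com while the address is elsewhere, and replies go to a webmail account. The edit-distance threshold of 2 is deliberately loose; tune it against your own vendor list, since short domains will produce false positives at that distance.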
Spear Phishing
11 Examples of Social Engineering: Real-World Attacks
07 May 2021
In this article, we’ll look at 11 social engineering examples, some big and some recent, all using different techniques. We’ll also tell you how to avoid falling victim to these sorts of attacks. Did you know? Social engineering was the most commonly seen pattern in breaches last year, according to Verizon’s 2021 DBIR.
11 Social Engineering Examples

1. $100 Million Google and Facebook Spear Phishing Scam

The biggest social engineering attack of all time (as far as we know) was perpetrated by Lithuanian national Evaldas Rimasauskas against two of the world’s biggest companies: Google and Facebook. Rimasauskas and his team set up a fake company, pretending to be a computer manufacturer that worked with Google and Facebook. Rimasauskas also set up bank accounts in the company’s name. The scammers then sent phishing emails to specific Google and Facebook employees, invoicing them for goods and services that the manufacturer had genuinely provided, but directing them to deposit money into their fraudulent accounts. Between 2013 and 2015, Rimasauskas and his associates cheated the two tech giants out of over $100 million. Further reading: ⚡ What is Spear Phishing? ⚡ What Does a Spear Phishing Email Look Like?

2. Deepfake Attack on UK Energy Company

In March 2019, the CEO of a UK energy provider received a phone call from someone who sounded exactly like his boss. The call was so convincing that the CEO ended up transferring $243,000 to a “Hungarian supplier”, a bank account that actually belonged to a scammer. This “cyber-assisted” attack might sound like something from a sci-fi movie, but, according to Nina Schick, author of “Deep Fakes and the Infocalypse: What You Urgently Need to Know”, “This is not an emerging threat. This threat is here. Now.” To learn more about how hackers use AI to mimic speech patterns, listen to Nina’s discussion about deepfakes with Elvis Chan, Supervisory Special Agent at the FBI, at Tessian’s Human Layer Security Summit. Further reading: ⚡ Deepfakes: What are They and Why are They a Threat?

3. $60 Million CEO Fraud Lands CEO In Court

Austrian aerospace parts manufacturer FACC lost nearly $60 million in a so-called “CEO fraud” scam where scammers impersonated high-level executives and tricked employees into transferring funds.
After the incident, FACC then spent more money trying to sue its CEO and finance chief, alleging that they had failed to implement adequate internal security controls. While the case failed, it’s an important reminder: cybersecurity is business-critical and everyone’s responsibility. In fact, Gartner predicts that by 2024, CEOs could be personally liable for breaches.  Further reading: ⚡ What is CEO Fraud? (Tips for Identifying Attacks) ⚡ How to Prevent CEO Fraud
4. Microsoft 365 phishing scam steals user credentials

In April 2021, security researchers discovered a Business Email Compromise (BEC) scam that tricks the recipient into opening a disguised HTML attachment and handing over their Microsoft 365 credentials. Here’s how the attack works. Pay attention: it’s actually pretty clever. The target receives a blank email with a subject line about a “price revision.” The email contains an attachment that looks like an Excel spreadsheet file (.xlsx). However, the “spreadsheet” is actually a .html file in disguise. Upon opening the (disguised) .html file, the target is directed to a website containing malicious code. The code triggers a pop-up notification, telling the user they’ve been logged out of Microsoft 365, and inviting them to re-enter their login credentials. You can guess what happens next: the fraudulent web form sends the user’s credentials off to the cybercriminals running the scam. This type of phishing, which relies on human error combined with weak defenses, has thrived during the pandemic. Phishing rates doubled in 2020, according to the latest FBI data. Further reading: ⚡ Is Your Office 365 Email Secure? ⚡ Most Impersonated Brands in Phishing Scams

5. Ransomware gang hijacks victim’s email account

In April 2021, several employees of U.K. rail operator Merseyrail received an unusual email from their boss’s email account with the subject line “Lockbit Ransomware Attack and Data Theft.” Journalists from several newspapers and tech sites were also copied in. The email, sent by the attackers from the director’s compromised account, revealed that the company had been hacked and had tried to downplay the incident. The email also included an image of a Merseyrail employee’s personal data. It’s not clear how Merseyrail’s email system got compromised (although security experts suspect a spear phishing attack), but the “double extortion” involved makes this attack particularly brutal.
The “Lockbit” gang not only exfiltrated Merseyrail’s personal data and demanded a ransom to release it; the scammers also used their access to the company’s systems to launch an embarrassing publicity campaign on behalf of its director.

6. Phishing scam uses HTML tables to evade traditional email security

Criminals are always looking for new ways to evade email security software. One BEC attack, discovered in April 2021, involves a particularly devious way of sneaking through traditional email security software like Secure Email Gateways (SEGs) and rule-based Data Loss Prevention (DLP). BEC attacks often rely on impersonating official emails from respected companies. This means embedding the company’s logos and branding into the email as image files. Some “rule-based” email security software automatically treats image files as suspicious. If a phishing email contains a .png file of the Microsoft Windows logo, the email is more likely to be detected, but without that distinctive branding, the email won’t look like it came from Microsoft. But once again, cyber criminals have found a way to exploit the rule-based security approach. To imitate Microsoft’s branding, this attack uses a table instead of an image file: simply a four-square grid, colored to look like the Windows logo. The average employee is unlikely to closely inspect the logo and will automatically trust the contents of the email. This isn’t the first time fraudsters have used tables to evade rule-based DLP software. For example, some email security filters are set up to detect certain words, like “bitcoin.” One way around this is to create a borderless table and split the word across the columns: “bi | tc | oin.” Further reading: ⚡ What is Email DLP?

7. Google Drive collaboration scam

In late 2020, a novel but simple social engineering scam emerged that exploited Google Drive’s notification system. The fraud begins with the creation of a document containing malicious links to a phishing site.
The scammer then tags their target in a comment on the document, asking the person to collaborate. Once tagged, the target receives a legitimate email notification from Google containing the comment’s text and a link to the relevant document. If the scam works, the victim will view the document, read the comments, and feel flattered that they’re being asked to collaborate. Then, the victim will click one of the malicious links, visit the phishing site, and enter their login credentials or other personal data. This scam is particularly clever because it exploits Google’s email notification system for added legitimacy. Such notifications come straight from Google and are unlikely to trigger a spam filter. But like all social engineering attacks, the Google Drive collaboration scam plays on the victim’s emotions: in this case, the pride and generosity we might feel when called upon for help. Want to see a screenshot of a similar attack? We break down a spear phishing attack in which the attacker impersonates Microsoft Teams. Check it out here.

8. Sharepoint phishing fraud targets home workers

April 2021 saw yet another phishing attack emerge that appears specifically designed to target remote workers using cloud-based software. The attack begins when the target receives an email, written in the urgent tone favored by phishing scammers, requesting their signature on a document hosted in Microsoft Sharepoint. The email looks legitimate. It includes the Sharepoint logo and branding familiar to many office workers. But the link leads to a phishing site designed to siphon off users’ credentials. Phishing attacks increasingly aim to exploit remote collaboration software: Microsoft research suggests nearly half of IT professionals cited the need for new collaboration tools as a major security vulnerability during the shift to working from home. Further reading: ⚡ 7 Concerns IT Leaders Have About Permanent Remote Working ⚡ Ultimate Guide to Staying Secure While Working Remotely
9. $75 Million Belgian Bank Whaling Attack

One of the most successful social engineering attacks of all time was conducted against Belgian bank Crelan. Crelan discovered its CEO had been “whaled” after conducting a routine internal audit, but by then the perpetrators had got away with $75 million, and they have never been brought to justice. Crelan fell victim to “whaling”, a type of spear phishing where the scammers target high-level executives. Cybercriminals frequently try to harpoon these big targets because they have easy access to funds. Further reading: ⚡ Whaling Email Attacks: Examples & Prevention Strategies

10. High-Profile Twitter Users’ Accounts Compromised After Vishing Scam

In July 2020, Twitter lost control of 130 Twitter accounts, including those of some of the world’s most famous people: Barack Obama, Joe Biden, and Kanye West. The hackers downloaded some users’ Twitter data, accessed DMs, and made Tweets requesting donations to a Bitcoin wallet. Within minutes, before Twitter could remove the tweets, the perpetrators had earned around $110,000 in Bitcoin across more than 320 transactions. Twitter has described the incident as a “phone spear phishing” attack (also known as a “vishing” attack). The calls’ details remain unclear, but somehow Twitter employees were tricked into revealing credentials that gave the attackers access to Twitter’s internal tools and, through them, to the compromised accounts. Following the hack, the FBI launched an investigation into Twitter’s security procedures. The scandal saw Twitter’s share price fall by 7% in pre-market trading the following day. Further reading: ⚡ What You Need to Know About Vishing

11. Texas Attorney-General Warns of Delivery Company Smishing Scam

Nearly everyone gets the occasional text message that looks like it could be a scam. But in September 2020, one smishing (SMS phishing) attack became so widespread that the Texas Attorney-General put out a press release warning residents about it.
Victims of this scam received a fraudulent text message purporting to be from a delivery company such as DHL, UPS, or FedEx. The SMS invited the target to click a link and “claim ownership” of an undelivered package. After following the link, the target was asked to provide personal information and credit card details. The Texas Attorney-General warned all Texans not to follow the link. He stated that delivery companies do not communicate with customers in this way, and urged anyone receiving the text message to report it to the Office of the Attorney General or the Federal Trade Commission. Top tip: never respond to a suspicious message, click links within SMS messages, or reveal personal or company information via SMS. Further reading: ⚡ Examples of Smishing Attacks

Prevent social engineering attacks in your organization

There’s one common thread through all of these attacks, whether delivered by email, text, or phone call: they’re really, really hard to spot. That’s why technology is essential and where Tessian comes in. Powered by machine learning, Tessian Defender analyzes and learns from an organization’s current and historical email data and protects employees against inbound email security threats, including whaling, CEO Fraud, BEC, spear phishing, and other targeted social engineering attacks. To learn more about how Tessian can protect your people and data against social engineering attacks on email, book a demo today. Or, if you’d rather just stay up-to-date with the latest social engineering attacks, subscribe to our weekly blog digest. You’ll get news, threat intel, and insights from security leaders for security leaders straight to your inbox.
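Items 4 and 6 in the list above both work because the email looks normal at a glance: an HTML file named like a spreadsheet, and a logo or keyword assembled from table cells so that a filter matching on image attachments or on the literal string never fires. The Python below is an added example, not Tessian’s code or any artefact from those campaigns. It classifies an attachment by its first bytes rather than its name and flags double extensions, and it flattens table cells (and counts coloured, text-less cells) before keyword matching so that “bi | tc | oin” is read as one word. The sample attachments and HTML are constructed, and the keyword list and the four-cell threshold for a “logo grid” are assumptions.

```python
"""Attachment and HTML-body checks for items 4 and 6 (added example, not
Tessian's code). Samples are constructed; keywords and the four-cell logo
threshold are assumptions."""
import re
from html.parser import HTMLParser

# Leading bytes that identify the real container of a file, whatever its name.
MAGIC = [
    (b"PK\x03\x04", "zip"),        # .xlsx/.docx/.pptx are zip containers
    (b"\xd0\xcf\x11\xe0", "ole"),  # legacy .xls/.doc
    (b"%PDF", "pdf"),
]
EXT_FAMILY = {"xlsx": "zip", "docx": "zip", "pptx": "zip", "xls": "ole",
              "doc": "ole", "pdf": "pdf", "html": "html", "htm": "html"}
HTML_START = re.compile(rb"^\s*(?:<!doctype|<html|<head|<body|<script)", re.I)


def sniff(data: bytes) -> str:
    """Classify content by its first bytes, ignoring the file name entirely."""
    for signature, family in MAGIC:
        if data.startswith(signature):
            return family
    if HTML_START.match(data[:512]):
        return "html"
    return "unknown"


def check_attachment(filename: str, data: bytes) -> dict:
    """Flag a file whose name promises one format and whose bytes deliver another."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    claimed, actual = EXT_FAMILY.get(ext, "unknown"), sniff(data)
    findings = []
    if claimed != actual:
        findings.append(f"{filename}: extension says {claimed}, content is {actual}")
    if len(parts) > 2 and parts[-2] in EXT_FAMILY:  # e.g. invoice.xlsx.html
        findings.append(f"{filename}: double extension")
    return {"file": filename, "claimed": claimed, "actual": actual, "findings": findings}


class TableTextExtractor(HTMLParser):
    """Collect body text with table-cell boundaries removed, and count coloured
    cells that contain no text (a logo painted from a coloured grid)."""

    def __init__(self):
        super().__init__()
        self.pieces = []
        self.table_depth = 0
        self.coloured_empty_cells = 0
        self._cell_text = ""
        self._cell_coloured = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "table":
            self.table_depth += 1
        elif tag in ("td", "th"):
            self._cell_text = ""
            style = (a.get("style") or "").lower()
            self._cell_coloured = "bgcolor" in a or "background" in style

    def handle_endtag(self, tag):
        if tag == "table":
            self.table_depth -= 1
        elif tag in ("td", "th") and self._cell_coloured and not self._cell_text.strip():
            self.coloured_empty_cells += 1

    def handle_data(self, data):
        self._cell_text += data
        # Inside a table, drop whitespace between cells so "bi|tc|oin" joins up.
        self.pieces.append(data.strip() if self.table_depth else data)


def analyse_html(html: str, keywords=("bitcoin", "wallet")) -> dict:
    """Compare a naive substring filter with matching on the flattened text."""
    parser = TableTextExtractor()
    parser.feed(html)
    text = "".join(parser.pieces).lower()
    return {
        "naive_hits": [k for k in keywords if k in html.lower()],
        "normalised_hits": [k for k in keywords if k in text],
        "logo_grid": parser.coloured_empty_cells >= 4,
    }


# Constructed sample: a four-cell coloured grid standing in for a logo, and a
# keyword split across borderless cells.
SAMPLE_HTML = """<html><body>
<table border="0" cellspacing="0">
 <tr><td style="background:#f25022;width:20px;height:20px"></td><td style="background:#7fba00;width:20px;height:20px"></td></tr>
 <tr><td style="background:#00a4ef;width:20px;height:20px"></td><td style="background:#ffb900;width:20px;height:20px"></td></tr>
</table>
<p>Your mailbox will be suspended unless the fee is paid in</p>
<table border="0"><tr><td>bi</td><td>tc</td><td>oin</td></tr></table>
<p>to the wallet below.</p>
</body></html>"""

if __name__ == "__main__":
    print(check_attachment("price_revision.xlsx", b"<!DOCTYPE html><html>")["findings"])
    print(analyse_html(SAMPLE_HTML))
```

On the constructed sample the naive filter sees only “wallet”, while the flattened text also yields “bitcoin” and the four empty coloured cells mark the logo grid. The magic-byte table is deliberately short; a real gateway would use a full signature library, but the principle is the same: trust the bytes, not the name.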
Human Layer Security Spear Phishing
Phishing Awareness Training: How Effective is Security Training?
By Maddie Rosenthal
30 April 2021
Phishing awareness training is an essential part of any cybersecurity strategy. But is it enough on its own? This article will look at the pros and cons of phishing awareness training, and consider how you can make your security program more effective. Still wondering how big of a problem phishing really is? Check out this collection of 50+ phishing statistics.
✅ Pros of phishing awareness training

Employees learn how to spot phishing attacks

While people working in security, IT, or compliance are all too familiar with phishing, spear phishing, and social engineering, the average employee isn’t. The reality is, they might not have even heard of these terms, let alone know how to identify them. But, by showing employees examples of attacks, including the subject lines to watch out for, a high-level overview of domain impersonation, and the types of requests hackers will generally make, they’ll immediately be better placed to identify what is and isn’t a phishing attack. Looking for resources to help train your employees? Check out this blog with a shareable PDF. It includes examples of phishing attacks and reasons why the email is suspicious.

It’s a good chance to remind employees of existing policies and procedures

Enabling employees to identify phishing attacks is important. But you have to make sure they know what to do if and when they receive one, too. Training is the perfect opportunity to remind employees of existing policies and procedures, for example, who to report attacks to within the security or IT team. Training should also reinforce the importance of other policies, specifically around creating strong passwords, storing them safely, and updating them frequently. After all, credentials are the number one “type” of data hackers harvest in phishing attacks.

Security leaders can identify particularly risky and at-risk employees

By getting teams across departments together for training sessions and phishing simulations, security leaders will get a bird’s-eye view of employee behavior. Are certain departments or individuals more likely to click a malicious link than others? Are senior executives skipping training sessions? Are new starters struggling to pass post-training assessments?
These observations will help security leaders stay ahead of security incidents, can inform subsequent training sessions, and can help pinpoint gaps in the overall security strategy.
Training satisfies compliance standards

While you can read more about various compliance standards, including GDPR, CCPA, HIPAA, and GLBA, on our compliance hub, they all include a clause that outlines the importance of implementing proper data security practices. What are “proper data security practices”? This criterion has, for the most part, not been formally defined. But phishing awareness training is certainly a step in the right direction and demonstrates a concerted effort to secure data company-wide.

It helps organizations foster a strong security culture

In the last several years (due in part to increased regulation) cybersecurity has become business-critical. But it takes a village to keep systems and data safe, which means accountability is required from everyone to make policies, procedures, and tech solutions truly effective. That’s why creating and maintaining a strong security culture is so important. While this is easier said than done, training sessions can help encourage employees, whether in finance or sales, to become less passive in their roles as they relate to cybersecurity, especially when gamification is used to drive engagement. You can read more about creating a positive security culture on our blog.
❌ Cons of phishing awareness training

Training alone can’t prevent human error

People make mistakes. Even if you hold a three-hour-long cybersecurity training session every day of the week, you’ll never be able to eliminate the possibility of human error. Don’t believe us? Take it from the U.K.’s National Cyber Security Centre (NCSC): “Spotting phishing emails is hard, and spear phishing is even harder to detect. Even experts from the NCSC struggle. The advice given in many training packages, based on standard warnings and signs, will help your users spot some phishing emails, but they cannot teach everyone to spot all phishing emails.” That’s right, even the U.K.’s top cybersecurity experts can’t always spot a phishing scam. Social engineering incidents, attacks that play on people’s emotions and undermine their trust, are becoming increasingly sophisticated. For example, using Account Takeover techniques, cybercriminals can hack your vendors’ email accounts and intercept email conversations with your employees. The signs of an account takeover attack, such as minor changes in the sender’s writing style, are very hard for humans to notice.

Phishing awareness training is always one step behind

Hackers think and move quickly and are constantly crafting more sophisticated attacks to evade detection. That means that training that was relevant three months ago may not be today. In the last year, we’ve seen bad actors leverage COVID-19, Tax Day, furlough schemes, unemployment checks, and the vaccine roll-out to trick unsuspecting targets. What could be next?

Training is expensive

According to Mark Logsdon, Head of Cyber Assurance and Oversight at Prudential, there are three fundamental flaws in training: it’s boring, often irrelevant, and expensive. We’ll cover the first two below but, for now, let’s focus on the cost. Needless to say, the cost of training and simulation software varies vendor-by-vendor. But the solution itself is far from the only cost to consider.
What about lost productivity? Imagine you have a 1,000-person organization and, as a part of an aggressive inbound strategy, you’ve opted to hold training every quarter. Training lasts, on average, three hours. That’s 12,000 lost hours a year.  While – yes – a successful attack would cost more, we can’t forget that training alone doesn’t work. (See point 1: Phishing awareness training can’t prevent human error.)
Phishing awareness training isn’t targeted (or engaging) enough

Going back to what Mark Logsdon said: training is boring and often irrelevant. It’s easy to see why. You can’t apply one lesson to an entire organization, whether it’s 20 people or 20,000, and expect it to stick. It has to be targeted based on age, department, and tech-literacy. Age is especially important. According to Tessian’s latest research, nearly three-quarters of respondents who admitted to clicking a phishing email were aged between 18 and 40. In comparison, just 8% of people over 51 said they had done the same. However, the older generation was also the least likely to know what a phishing email was. Jeff Hancock, the Harry and Norman Chandler Professor of Communication at Stanford University and expert in trust and deception, explained how tailored training programs could help.
Should I create a phishing awareness training program? The short answer: “Yes”. These programs can help teach employees what phishing is, how to spot phishing emails, what to do if they’re targeted, and the implications of falling for an attack. But, as we’ve said, training isn’t a silver bullet. It will curb the problem, but it won’t prevent mistakes from happening. That’s why security leaders need to bolster training with technology that detects and prevents inbound threats. That way, employees aren’t the last line of defense. But, given the frequency of attacks year-on-year, it’s clear that spam filters, antivirus software, and other legacy security solutions aren’t enough. That’s where Tessian comes in. How does Tessian detect and prevent targeted phishing attacks? Tessian fills a critical gap in security strategies that SEGs, spam filters, and training alone can’t.  By learning from historical email data, Tessian’s machine learning algorithms can understand specific user relationships and the context behind each email. This allows Tessian Defender to detect a wide range of impersonations, spanning more obvious, payload-based attacks to difficult-to-spot social-engineered ones like CEO Fraud and Business Email Compromise. Once detected, real-time warnings are triggered and explain exactly why the email was flagged, including specific information from the email. Best of all? These warnings are written in plain, easy-to-understand language. 
These in-the-moment warnings reinforce training and policies and help employees improve their security reflexes over time.  To learn more about how tools like Tessian Defender can prevent spear phishing attacks, speak to one of our experts and request a demo today. Not ready for a demo? Sign-up for our weekly blog digest to get more cybersecurity content, straight to your inbox.  Just fill out the form below.