Romance Fraud Scams Are On The Rise
By Laura Brooks
11 February 2021
Cybercriminals are exploiting “lockdown loneliness” for financial gain, according to various reports this week, which reveal that the number of incidents of romance fraud and romance scams increased in 2020.  UK Finance, for example, reported that bank transfer fraud related to romance scams rose by 20% in 2020 compared to 2019, while Action Fraud revealed that £68m was lost by people who had fallen victim to romance fraud last year – an increase on the year before. Why? Because people have become more reliant on online dating and dating apps to connect with others amid social distancing restrictions put in place for the Covid-19 pandemic.
With more people talking over the internet, there has been greater opportunity for cybercriminals to trick people online. Adopting a fake identity and posing as a romantic interest, scammers play on people’s emotions and build trust with their targets over time, before asking them to send money (perhaps for medical care), provide access to bank accounts or share personal information that could be used to later commit identity fraud. Cybercriminals will play the long-game; they have nothing but time on their hands.  A significant percentage of people have been affected by these romance scams. In a recent survey conducted by Tessian, one in five US and UK citizens has been a victim of romance fraud, with men and women being targeted equally.
Interestingly, people aged between 25 and 34 years old were the most likely to be affected by romance scams. Tessian data shows that of the respondents who said they had been a victim of romance fraud, 45% were aged between 25 and 34 versus just 4% of respondents who were aged over 55 years old. This may be because romance fraud victims are most commonly targeted on social media platforms like Facebook or Instagram, with a quarter of respondents (25%) saying they’d been successfully scammed on these channels. This was closely followed by email (23%), while one in five people said they’d been targeted on mobile dating apps, and 16% said they’d been scammed via online dating websites. This behavior is quite typical, say experts. Often romance fraud will start on dating apps or official dating websites, but scammers will move to social media, email or text in order to reduce the trail of evidence.
How to avoid falling for a romance scam
It’s important to remember that most dating apps and websites are completely safe. However, as social distancing restrictions remain in place for many regions, people should consider how they could be targeted by social engineering attacks and phishing scams at this time. We advise people to question any requests for personal or financial information from individuals they do not know or have not met in person, and to verify the identity of someone they’re speaking to via a video call. We also recommend the following:
- Never send money or a gift online to someone who you haven’t met in person.
- Be suspicious of requests from someone you’ve met on the internet. Scammers will often ask for money via wire transfers or reload cards because they’re difficult to reverse.
- Be wary of any email or DM you receive from someone you don’t know. Never click on a link or download an attachment from an unusual email address.
- Keep social media profiles and posts private. Don’t accept friend requests or DMs from people you don’t know personally.
The FBI and Action Fraud have also provided citizens with useful advice on how to avoid falling for a romance scam and guidance for anyone who thinks they may have already been targeted by a scammer. And if you want to learn more about social engineering attacks, you can read Tessian’s research How to Hack a Human.
Must-Know Phishing Statistics: Updated 2021
By Maddie Rosenthal
10 February 2021
We’ve rounded up the latest phishing statistics, including:
- The frequency of phishing attacks
- How phishing attacks are delivered
- The most common subject lines
- The prevalence of phishing websites
- The most common malicious attachments
- The data that’s compromised in phishing attacks
- The cost of a breach
- The most targeted industries
- The most impersonated brands
- Facts and figures related to COVID-19 scams
- Phishing and the future of work
Looking for something more visual? Check out this infographic with key statistics.
The frequency of phishing attacks
According to the FBI, phishing was the most common type of cybercrime in 2020—and phishing incidents nearly doubled in frequency, from 114,702 incidents in 2019 to 241,324 incidents in 2020. The FBI said there were more than 11 times as many phishing complaints in 2020 compared to 2016. According to Verizon’s 2020 Data Breach Investigations Report (DBIR), 22% of breaches in 2019 involved phishing. While this is down 6.6% from the previous year, it’s still the “threat action variety” most likely to cause a breach.
The frequency of attacks varies industry by industry (see the section on the most targeted industries below). But 75% of organizations around the world experienced some kind of phishing attack in 2020. Another 35% experienced spear phishing, and 65% faced BEC attacks. But there’s a difference between an attempt and a successful attack: 74% of organizations in the United States experienced a successful phishing attack. This is 30% higher than the global average, and 14% higher than last year. Want to learn how to prevent successful attacks? Check out this page all about BEC prevention. ESET’s Threat Report reveals that malicious email detections rose 9% between Q2 and Q3 2020. This followed a 9% rise from Q1 to Q2 2020.
How phishing attacks are delivered
Hackers are relying more and more heavily on the credentials they’ve stolen via phishing attacks to access sensitive systems and data. That’s one reason why breaches involving malware have decreased by over 40%. According to SonicWall’s 2020 Cyber Threat Report, in 2019, PDFs and Microsoft Office files were the delivery vehicles of choice for cybercriminals. Why? Because these files are universally trusted in the modern workplace. When it comes to targeted attacks, 65% of active groups relied on spear phishing as the primary infection vector. This is followed by watering hole websites (23%), trojanized software updates (5%), web server exploits (2%), and data storage devices (1%).
The most common subject lines
96% of phishing attacks arrive by email. Another 3% are carried out through malicious websites and just 1% via phone. When it’s done over the telephone, we call it vishing, and when it’s done via text message, we call it smishing. According to Symantec’s 2019 Internet Security Threat Report (ISTR), the top five subject lines for business email compromise (BEC) attacks are:
- Urgent
- Request
- Important
- Payment
- Attention
Analysis of real-world phishing emails revealed these to be the most common subject lines in Q4 2020:
- IT: Annual Asset Inventory
- Changes to your health benefits
- Twitter: Security alert: new or unusual Twitter login
- Amazon: Action Required | Your Amazon Prime Membership has been declined
- Zoom: Scheduled Meeting Error
- Google Pay: Payment sent
- Stimulus Cancellation Request Approved
- Microsoft 365: Action needed: update the address for your Xbox Game Pass for Console subscription
- RingCentral is coming!
- Workday: Reminder: Important Security Upgrade Required
The prevalence of phishing websites
Google Safe Browsing uncovers unsafe URLs across the web. The latest data shows a world wide web rife with phishing websites. Since 2016, phishing has replaced malware as the leading type of unsafe website. While there were once twice as many malware sites as phishing sites, there are now nearly 75 times as many phishing sites as there are malware sites. Google had registered 2,145,013 phishing sites as of Jan 17, 2021. This is up from 1,690,000 on Jan 19, 2020 (up 27% over 12 months). This compares to malware sites rising from 21,803 to 28,803 over the same period (up 32%). Here you can see how phishing sites have rocketed ahead of malware sites over the years.
The most common malicious attachments
Many phishing emails contain malicious payloads such as malware files. ESET’s Threat Report reports that in Q3 2020, these were the most common types of malicious files attached to phishing emails:
- Windows executables (74%)
- Script files (11%)
- Office documents (5%)
- Compressed archives (4%)
- PDF documents (2%)
- Java files (2%)
- Batch files (2%)
- Shortcuts (>1%)
- Android executables (>1%)
You can learn more about malicious payloads here.
The data that’s compromised in phishing attacks
The top five “types” of data that are compromised in a phishing attack are:
- Credentials (passwords, usernames, PIN numbers)
- Personal data (name, address, email address)
- Internal data (sales projections, product roadmaps)
- Medical (treatment information, insurance claims)
- Bank (account numbers, credit card information)
While instances of financially motivated social engineering incidents have more than doubled since 2015, this isn’t a driver for targeted attacks. Just 6% of targeted attacks are motivated by financial incentives, while 96% are motivated by intelligence gathering. The other 10% are simply trying to cause chaos and disruption. When asked about the impact of successful phishing attacks, security leaders around the world cited the following consequences:
- 60% of organizations lost data
- 52% of organizations had credentials or accounts compromised
- 47% of organizations were infected with ransomware
- 29% of organizations were infected with malware
- 18% of organizations experienced financial losses
The cost of a breach
According to IBM’s Cost of a Data Breach Report, the average cost per compromised record has steadily increased over the last three years. In 2019, the cost was $150. For some context, 5.2 million records were stolen in Marriott’s most recent breach. That means the cost of the breach could amount to $780 million. But the average breach costs organizations $3.92 million. This number will generally be higher in larger organizations and lower in smaller organizations.
Losses from business email compromise (BEC) have skyrocketed over the last year. The FBI’s Internet Crime Report shows that in 2020, BEC scammers made over $1.8 billion—far more than via any other type of cybercrime. And this number is only increasing. According to the Anti-Phishing Working Group’s Phishing Activity Trends Report, the average wire-transfer loss from BEC attacks in the second quarter of 2020 was $80,183. This is up from $54,000 in the first quarter. This cost can be broken down into several different categories, including:
- Lost hours from employees
- Remediation
- Incident response
- Damaged reputation
- Lost intellectual property
- Direct monetary losses
- Compliance fines
- Lost revenue
- Legal fees
Costs associated with remediation generally account for the largest chunk of the total. Importantly, these costs can be mitigated by cybersecurity policies, procedures, technology, and training. Artificial intelligence platforms can save organizations $8.97 per record.
The most targeted industries
While the Manufacturing industry saw the most breaches from social attacks (followed by Healthcare and then Professional Services), employees working in Wholesale Trade are the most frequently targeted by phishing attacks, with 1 in every 22 users being targeted by a phishing email last year. According to a different data set, the most phished industries vary by company size. Nonetheless, it’s clear Manufacturing and Healthcare are among the highest-risk industries.
The industries most at risk in companies with 1-249 employees are:
- Healthcare & Pharmaceuticals
- Education
- Manufacturing
The industries most at risk in companies with 250-999 employees are:
- Construction
- Healthcare & Pharmaceuticals
- Business Services
The industries most at risk in companies with 1,000+ employees are:
- Technology
- Healthcare & Pharmaceuticals
- Manufacturing
The most impersonated brands
New research found the brands below to be the most impersonated brands used in phishing attacks throughout Q4 2020, in order of the total number of instances the brand appeared in phishing attacks:
- Microsoft (related to 43% of all brand phishing attempts globally)
- DHL (18%)
- LinkedIn (6%)
- Amazon (5%)
- Rakuten (4%)
- IKEA (3%)
- Google (2%)
- PayPal (2%)
- Chase (2%)
- Yahoo (1%)
The common factor between all of these consumer brands? They’re trusted and frequently communicate with their customers via email. Whether we’re asked to confirm credit card details, our home address, or our password, we often think nothing of it and willingly hand over this sensitive information.
Facts and figures related to COVID-19 scams
Because hackers tend to take advantage of key calendar moments (like Tax Day or the 2020 Census) and times of general uncertainty, individuals and organizations saw a spike in COVID-19 phishing attacks starting in March. But, according to one report, COVID-19-related scams reached their peak in the third and fourth weeks of April. And it looks like hackers were laser-focused on money. Incidents involving payment and invoice fraud increased by 112% between Q1 2020 and Q2 2020. It makes sense, then, that finance employees were among the most frequently targeted employees. In fact, attacks on finance employees increased by 87%, while attacks on the C-suite decreased by 37%.
Phishing and the future of work
According to Microsoft’s New Future of Work Report, 80% of security professionals surveyed said they had encountered increased security threats since the shift to remote work began. Of these, 62% said phishing campaigns had increased more than any other type of threat. Employees said they believed IT departments would have been able to mitigate these phishing attacks if they had been working in the office. Tessian’s own research supports this. The Future of Hybrid Work shows that phishing was the leading cause of security incidents while employees have been working remotely.
What can individuals and organizations do to prevent being targeted by phishing attacks?
While you can’t stop hackers from sending phishing or spear phishing emails, you can make sure you (and your employees) are prepared if and when one is received. You should start with training. Educate employees about the key characteristics of a phishing email and remind them to be scrupulous and inspect emails, attachments, and links before taking any further action:
- Review the email address of senders and look out for impersonations of trusted brands or people (check out our blog CEO Fraud Email Attacks: How to Recognize & Block Emails that Impersonate Executives for more information).
- Always inspect URLs in emails for legitimacy by hovering over them before clicking.
- Beware of URL redirects and pay attention to subtle differences in website content.
- Genuine brands and professionals generally won’t ask you to reply divulging sensitive personal information. If you’ve been prompted to, investigate and contact the brand or person directly, rather than hitting reply.
We’ve created several resources to help employees identify phishing attacks. You can download a shareable PDF with examples of phishing emails and tips at the bottom of this blog: Coronavirus and Cybersecurity: How to Stay Safe From Phishing Attacks. But humans shouldn’t be the last line of defense. That’s why organizations need to invest in technology and other solutions to prevent successful phishing attacks. Given the frequency of attacks year on year, it’s clear that spam filters, antivirus software, and other legacy security solutions aren’t enough. That’s where Tessian comes in. By learning from historical email data, Tessian’s machine learning algorithms can understand specific user relationships and the context behind each email. This allows Tessian Defender to not only detect, but also prevent a wide range of impersonations, spanning more obvious, payload-based attacks to subtle, social-engineered ones.
To learn more about how tools like Tessian Defender can prevent spear phishing attacks, speak to one of our experts and request a demo today.
6 Reasons to Download “How to Hack a Human” Now
By Maddie Rosenthal
02 February 2021
Over the last decade, phishing has evolved from spam to something much (much) more targeted. It’s now the threat most likely to cause a breach. At the same time, the number of adults on social media networks like Facebook has jumped by almost 1,300%. We explore the correlation between the two in our latest research report “How to Hack a Human”. You can download it here. Need a few good reasons to download it? Keep reading.
1. You’ll get a hacker’s perspective
Actually, you’ll get ten (ethical) hackers’ perspectives. We partnered with HackerOne and other social engineering experts to learn how they use publicly available information – like social media posts, OOO messages, press releases, and more – to craft highly targeted, highly effective social engineering attacks. In the end, we found out that they use everything. A photo from your gender reveal party can help them uncover your home address. A post about your dog can help them guess your password. An OOO message can tell them who to target, who to impersonate, and give them a sense of their window of opportunity.
2. You’ll learn how vulnerable organizations are to attack
By surveying 4,000 employees and using Tessian platform data, we were able to uncover how frequently people (and the companies they work for) are being targeted by social engineering attacks, business email compromise (BEC), wire transfer fraud, and more. The numbers are staggering. 88% of people have received a suspicious message in the last year. Of course, some industries are more vulnerable than others. And we expect to see more next year. Why? Between H1 2020 and H2 2020, we saw a 15% increase in attacks. Read the report to find out more.
3. We show two examples of social engineering – including the “clues” that enabled hackers to carry out the attack
Using social media posts, news headlines, and OOO messages, we break down two attacks:
- CEO Fraud in Financial Services
- Account Takeover (ATO) in Healthcare
We explain the hacker’s motivation, what the attack looked like, and – in the end – how it could have been prevented. (More on that below.)
4. You’ll get access to a free, educational guide to help employees level up their personal and professional cybersecurity
As we’ve said, hackers hack humans to hack the companies they work for. So, to help security leaders communicate the threat and teach their employees how to prevent being targeted and how to spot an attack if it lands in their inbox, we put together a comprehensive list of do’s and don’ts. You can find it on page 20. Bonus: Are you a Tessian customer? We’re happy to co-brand the list. Get in touch with your Customer Success Executive for more information.
5. The dataset is global
In addition to interviewing employees in the US and the UK, Tessian platform data accounts for organizations across continents. Why does this matter? It goes to show that this isn’t a problem that’s isolated to a specific region. Everyone is being targeted by social engineering attacks. But – interestingly – the online habits of Americans vs. Brits vary considerably. For example, while 93% of US employees say they update their job status on social media when they start a new role, just 63% of UK employees said the same. Top tip: New starters are prime targets of social engineering attacks. They’re typically given their full access credentials when they start, but don’t yet know who’s who. They may also not have had their security training yet. Finally, given that they’re new, they’ll be especially keen to make a good impression.
6. You’ll get a peek inside a hacker’s toolkit
Yes, all of the information hackers use is easy enough to find online (especially if they’re motivated to find it). But there are plenty of tools that hackers use that make connecting the dots and cracking passwords quick and easy. We outline ten in the report. You’ll likely recognize some of them… Most – if not all – of these tools were designed for the “good guys”: penetration testers, compliance teams, and even law enforcement. In fact, some are even marketing and sales tools! Flip to page 16 to learn more.
Bonus: The report is ungated…for now
For the next few weeks, you’ll be able to download the report without filling out a form. Yep, you just click “download” and it’s yours. Starting at the end of February, you’ll just need to provide your email address and a few other pieces of information about your role and company. Ready? Set? Download.
Tessian Launches Account Takeover (ATO) Protection
By Harry Wetherald
27 January 2021
Today, a comprehensive email security strategy needs to do more than just secure an organization’s own email platform and users. Why? Because more and more often, bad actors are gaining access to the email accounts of trusted senders (suppliers, customers, and other third parties) to breach a target company. This is called account takeover (ATO), and one in seven organizations have experienced this kind of attack. And, since legitimate business email accounts are used to carry out these attacks, it is one of the most difficult impersonation attacks to detect, making most organizations vulnerable to ATO. But not Tessian customers. Tessian Defender can now detect and prevent ATO.
How does Tessian Defender detect ATO?
Unlike Secure Email Gateways (SEGs) – which rely almost exclusively on domain authentication and payload inspection – Tessian Defender uses machine learning (ML), anomaly detection, behavioral analysis, and natural language processing (NLP) to detect a variety of ATO signals:
- Unusual sender characteristics: This includes anomalous geophysical locations, IP addresses, email clients, and reply-to addresses
- Anomalous email sending patterns: Based on historical email analysis, Tessian can identify unusual recipients, unusual send times, and emails sent to an unusual number of recipients
- Malicious payloads: Tessian uses URL match patterns to spot suspicious URLs and ML to identify red flags indicative of suspicious attachments
- Deep content inspection: Looking at the email content – for example, language that conveys suspicious intent – Tessian can detect zero-payload attacks, too
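To make the first two signal categories concrete, here is an added example (written for this page, not Tessian’s code) that builds a per-sender baseline from past messages and flags a new message on reply-to mismatch, unseen sending country or client, unseen recipients, unusual send hour, and unusual fan-out. The message metadata, the `Email` fields and the two-signal threshold are all constructed assumptions for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev


@dataclass(frozen=True)
class Email:
    """Minimal metadata for one message (constructed for this example)."""
    sender: str
    reply_to: str
    recipients: tuple
    country: str        # country the sending IP geolocates to (assumed field)
    client: str         # mail client / user agent string (assumed field)
    sent_at: datetime


def domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def build_profile(history):
    """Baseline of what 'normal' looks like for one sender, from past mail."""
    return {
        "countries": Counter(e.country for e in history),
        "clients": Counter(e.client for e in history),
        "recipients": Counter(r for e in history for r in e.recipients),
        "hours": [e.sent_at.hour for e in history],
        "fanout": [len(e.recipients) for e in history],
    }


def score_email(email, profile):
    """Return the list of ATO signals a message trips against the baseline."""
    findings = []
    # Unusual sender characteristics: reply-to, geolocation, mail client
    if domain(email.reply_to) != domain(email.sender):
        findings.append("reply-to domain differs from sender domain")
    if email.country not in profile["countries"]:
        findings.append(f"sending country {email.country} never seen before")
    if email.client not in profile["clients"]:
        findings.append(f"mail client {email.client!r} never seen before")
    # Anomalous sending patterns: new recipients, send time, fan-out
    new_rcpts = [r for r in email.recipients if r not in profile["recipients"]]
    if new_rcpts:
        findings.append(f"{len(new_rcpts)} recipient(s) never mailed before")
    hours = profile["hours"]
    # Hour-of-day is treated linearly here; a midnight wrap-around would need
    # circular statistics, which this toy deliberately omits.
    if abs(email.sent_at.hour - mean(hours)) > 2 * max(pstdev(hours), 1.0):
        findings.append(f"send hour {email.sent_at.hour:02d}:00 is outside usual hours")
    fanout = profile["fanout"]
    if len(email.recipients) > mean(fanout) + 2 * max(pstdev(fanout), 1.0):
        findings.append(f"{len(email.recipients)} recipients is an unusual fan-out")
    return findings


def is_suspicious(email, profile, min_signals=2):
    """A single signal is often noise; several together form the ATO pattern."""
    return len(score_email(email, profile)) >= min_signals


# Constructed history: a supplier contact who mails one or two people in
# working hours from the UK using the same client every time.
SENDER = "alice@supplier.example"
HISTORY = [
    Email(SENDER, SENDER, ("bob@corp.example",), "GB", "Outlook",
          datetime(2021, 1, d, h)) for d, h in
    [(4, 9), (6, 11), (8, 15)]
] + [
    Email(SENDER, SENDER, ("bob@corp.example", "carol@corp.example"), "GB",
          "Outlook", datetime(2021, 1, d, h)) for d, h in
    [(5, 10), (7, 14), (11, 16)]
]
PROFILE = build_profile(HISTORY)

# Constructed legitimate follow-up: nothing unusual.
BENIGN = Email(SENDER, SENDER, ("bob@corp.example",), "GB", "Outlook",
               datetime(2021, 1, 12, 11))

# Constructed takeover: real account, but new reply-to domain, new country and
# client, 03:00 send time, and a blast to four finance staff never mailed before.
SUSPICIOUS = Email(
    SENDER, "alice.supplier@mail-relay.test",
    ("bob@corp.example", "dave@corp.example", "erin@corp.example",
     "frank@corp.example", "grace@corp.example"),
    "NG", "Webmail", datetime(2021, 1, 13, 3))

if __name__ == "__main__":
    for label, msg in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, is_suspicious(msg, PROFILE), score_email(msg, PROFILE))
```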
Importantly, Tessian’s ML algorithm gets smarter as it continuously analyzes email communications across its global network. This way, it can build profiles of organizations (and their employees) to understand what “normal” email communications look like at a granular level.  This allows Tessian Defender to catch even the most subtle ATO attacks. Once it detects a threat, Tessian alerts employees and admins that an email might be unsafe. The warnings are written in easy-to-understand language and explain why an email has been flagged, which prevents the users from responding to the email or clicking on malicious links or attachments. These warnings also act as in-the-moment training and help improve email behavior over time.  Administrators get real-time alerts of ATO and can track events in the Human Layer Security Intelligence portal. You can learn more about how Tessian detects and prevents ATO here. Keep reading to see an admin’s view of the portal and what a warning looks like for employees.
What are the benefits of Tessian ATO threat protection?
The consequences of ATO are far-reaching. Attackers could gain access to credentials, employee data, and computer data. They could initiate fraudulent wire transfers, conduct bank fraud, and sell data. That means organizations could suffer significant financial loss, reputational damage, and lose customers (and their trust). And this doesn’t even account for lost productivity, data loss, or regulatory fines. Between 2013 and 2015, Facebook and Google were scammed out of $121 million after a hacker impersonated a trusted vendor. And that’s just one example. Tessian’s ATO threat protection minimizes these risks by preventing successful attacks. But detecting and preventing threats is just one of the benefits of Tessian.
For security teams:
- Detection is automated, which means it’s not just effective, but also effortless for security teams
- Real-time alerts of ATO events and robust tools (like single-click quarantine) allow for rapid investigation and remediation directly in the portal
- Tessian’s API can be integrated with SIEMs like Splunk and Rapid7, allowing security analysts and SOC teams to analyze Tessian data alongside insights from other solutions
- In-the-moment warnings reinforce security awareness training and help nudge employees towards safer email behavior
For the C-suite:
- ATO protection doesn’t just keep your organization safe and compliant (and help you avoid reputational damage or financial loss). It’s a competitive differentiator and can help build trust with existing customers, clients, and your supply chain.
- Multi-layer threat insights, visualized data, and industry benchmarks help CISOs understand their organization’s security posture compared to their industry peers
- Automated reports make it easy to communicate success to the board and other key stakeholders
For employees:
- Contextual warnings are helpful – not annoying – and act as in-the-moment training. This helps employees improve their security reflexes over time for safer email behavior.
- Flag rates are low (and false positives are rare), which means employees can do the job they were hired to do, without security getting in the way
Learn more about Tessian
Interested in learning more about Tessian Defender and ATO Protection? Current Tessian customers can get in touch with their Customer Success Manager. Not yet a Tessian customer? Learn more about our technology, explore our customer stories, or book a demo now.
5 Real-World Examples of Business Email Compromise (Updated 2021)
25 January 2021
Business Email Compromise (BEC) attacks use real or impersonated business email accounts to defraud employees. The FBI calls BEC a “$26 billion scam” that affects thousands of businesses every year. This article will look at some examples of BEC attacks that have cost organizations money, time, and reputation — to help you avoid making the same mistakes. Not sure what BEC is? We tell you everything you need to know about it – including how it works – in this article: What is Business Email Compromise and How Does it Work?
1. $17.2m acquisition scam
Our first example demonstrates how fraudsters can play on a target’s trust and exploit interpersonal relationships. In June 2014, Keith McMurtry, a Scoular employee, received an email supposedly from his boss, CEO Chuck Elsea. The email informed McMurtry that Scoular was set to acquire a Chinese company. Elsea instructed McMurtry to contact a lawyer at accounting firm KPMG. The lawyer would help facilitate a transfer of funds and close the deal. McMurtry obeyed, and he soon found himself transferring $17.2 million to a Shanghai bank account in the name of “Dadi Co.” The CEO’s email, as you might have guessed, was fraudulent. The scammers had used email impersonation to create accounts imitating both Elsea and the KPMG lawyer. Aside from the gargantuan $17.2m loss, what’s special about the Scoular scam? Take a look at this excerpt from the email, provided by FT.com, from “Elsea” to McMurtry: “We need the company to be funded properly and to show sufficient strength toward the Chinese. Keith, I will not forget your professionalism in this deal, and I will show you my appreciation very shortly.” Given the emotive language, the praise, and the promise of future rewards — it’s easy to see why an employee would go along with a scam like this.
2. BEC scammers exploit COVID-19 fears
2020 was a turbulent year, and we saw cybercriminals exploiting people’s fear and uncertainty like never before. A particularly prevalent example was the trend of COVID-19-related BEC scams. As the pandemic spread, governments worldwide issued warnings about a surge in cyberattacks. In April 2020, for example, the FBI warned that scammers were “using the uncertainty surrounding the COVID-19 pandemic” to conduct BEC scams. The FBI gave one example of an unnamed company, whose supposed supplier requested payments to a new account “due to the Coronavirus outbreak and quarantine processes and precautions.” Criminals will always seek to capitalize on chaos. In December 2020, Keeper reported that uncertainty caused by COVID-19, Brexit, and the move to remote working led to 70% of U.K. finance companies experiencing BEC attacks over the preceding year. Looking for more examples of scammers exploiting COVID-19 fears? We share four more and outline the red flags contained in each here. Bonus: there’s a downloadable guide at the bottom of the article.
3. $46.7m vendor fraud
In August 2015, IT company Ubiquiti filed a report to the U.S. Securities and Exchange Commission revealing it was the victim of a $46.7 million “business fraud.” This attack was an example of a type of BEC sometimes called Vendor Email Compromise (VEC). The scammers impersonated employees at a third-party company and targeted Ubiquiti’s finance department. We still don’t know precisely how the cybercriminals pulled off this massive scam. VEC attacks previously relied on domain impersonation and email spoofing techniques, but these days scammers are increasingly turning to the more sophisticated account takeover method.
4. Snapchat payroll information breach
Many high-profile BEC attacks target a company’s finance department and request payment of an invoice to a new account. But not all BEC scams involve wire transfer fraud. Here’s an example of how BEC scams can target data as well as money. In February 2016, cybercriminals launched a BEC attack against social media firm Snapchat. Impersonating Snapchat’s CEO, the attackers obtained “payroll information about some current and former employees.” The scam resulted in a breach of some highly sensitive data, including employees’ Social Security Numbers, tax information, salaries, and healthcare plans. Snapchat offered each affected employee two years of free credit monitoring and up to $1 million in reimbursement.
5. The big one: $121m BEC scam targeting Facebook and Google
Last — but by no means least — let’s look at the biggest known BEC scam of all time: a VEC attack against tech giants Facebook and Google that resulted in around $121 million in collective losses. The scam took place between 2013 and 2015 — and the man at the center of this BEC attack, Evaldas Rimasauskas, was sentenced to five years in prison in 2019. So how did some of the world’s most tech-savvy employees fall for this elaborate hoax? Rimasauskas and associates set up a fake company named “Quanta Computer” — the same name as a real hardware supplier. The group then presented Facebook and Google with convincing-looking invoices, which they duly paid to bank accounts controlled by Rimasauskas. As well as fake invoices, the scammers prepared counterfeit lawyers’ letters and contracts to ensure their banks accepted the transfers. The Rimasauskas scam stands as a lesson to all organizations. If two of the world’s biggest tech companies lost millions to BEC over a two-year period — it could happen to any business. If you’re worried that your organization might be targeted by a BEC attack and are looking for a solution, click here. You can also explore other examples of email attacks in these articles:
- 6 Examples of Social Engineering Attacks
- COVID-19: Real-Life Examples of Opportunistic Phishing Emails
- Phishing Statistics (Updated 2021)
Spear Phishing
What is Business Email Compromise (BEC)? How Does it Work?
25 January 2021
In this article, we’ll look at why cybercriminals use BEC, how it works, and why it remains a serious problem.

Looking for examples of BEC attacks or information about how to prevent business email compromise instead? Check out these pages instead:
- How to overcome this multi-billion dollar threat
- Real-world examples of Business Email Compromise

Why compromise a business email account?

BEC is a tried-and-tested cyberattack method that costs consumers and businesses billions every year. So what makes BEC such a prevalent cybercrime technique? Simply put: cybercriminals use BEC as a way to make social engineering attacks more effective.

A social engineering attack is any form of cybercrime involving impersonation. The attacker pretends to be a trusted person so that the target does what they’re told. Here are some examples of social engineering attacks that can involve BEC:
- Spear phishing: A social engineering attack conducted via email (smishing and vishing are social engineering attacks conducted via SMS and voice respectively)
- CEO fraud: A phishing attack where the attacker impersonates a company executive
- Whaling: A phishing attack targeting a corporate executive
- Wire transfer fraud: A phishing attack where the attacker persuades the target to transfer money to their account

All these social engineering attacks involve some sort of impersonation. Fraudsters use every tool available to make their impersonation more convincing. And one of the best tools available is a genuine — or genuine-looking — business email address.

BEC attacks target both individuals and businesses, and the attacker will (generally) use BEC to gain access to one of the following:
- Money: According to Verizon’s 2020 Data Breach Investigations Report, most BEC attacks now involve wire transfer fraud.
- Account credentials: A fraudulent email might contain a phishing link leading to a fake account login page. The FBI warns that this BEC variant is on the rise.
- Gift certificates: BEC attackers can persuade their target to purchase gift certificates rather than transferring them money.

Now you know why cybercriminals launch BEC attacks, we’re going to look at how they do it.

How does BEC work?

There are various competing definitions of BEC — so before we explain the process, let’s clarify what we mean when we use this term. A BEC attack is any phishing attack where the target believes they have received an email from a genuine business. There are several methods that a cybercriminal can use to achieve this, including:
- Email impersonation
- Email spoofing
- Email account takeover

Let’s look at each of these techniques. Email impersonation is where the attacker sets up an email account that looks like a business email account. Here’s an example:
In this case, we can imagine Leon Green really is Tess’ boss and that an invoice for Amazon really is due to be paid. This information is easy enough to find online. But, note that the sender’s email address is “leon[email protected]”.  If you look carefully, you’ll see Microsoft is misspelled.  Many people miss small details like this. Worse still, mobile email clients typically only show the sender’s display name and hide their email address.
Email spoofing is where the attacker modifies an email’s envelope and header. The receiving mail server thinks the email came from a corporate domain and the recipient’s email client displays incorrect sender information. You can read more about email spoofing – and see an example of a spoofed email header – in this article: What is Email Spoofing? How Does Email Spoofing Work?

In account takeover (ATO), the attacker gains access to a corporate email account, whether via hacking or by using stolen account credentials. They gather information about the user’s contacts, email style, and personal data — then they use the account to send a phishing email.
How serious is BEC?

We know BEC is a common cyberattack method. But how many businesses are affected, and how badly? Because many BEC attacks go unnoticed — and because different organizations use different definitions of BEC — there’s no simple answer. So what do we know about the prevalence of BEC? The best source of cybercrime statistics comes from the FBI’s Internet Crime Complaint Center (IC3), which reports that:
- Between 2016 and 2020, the IC3 recorded 185,718 BEC incidents worldwide, resulting in losses totaling over $28 billion.
- In 2020, losses from BEC exceeded $1.8 billion—a fourfold increase since 2016.
- The number of BEC incidents went up by 61% between 2016 and 2020.

Next steps

We’ve looked at the different types of BEC, how a BEC attack works, and how serious and pervasive this form of cybercrime has become. Next, let’s look at examples of BEC attacks. This will help you learn from the experiences of other organizations.
Spear Phishing
What is Email Spoofing? How Does Email Spoofing Work?
22 January 2021
Let’s start with a definition of email spoofing.
While email spoofing can have serious consequences, it’s not particularly difficult for a hacker to do. And, despite the fact that email filters and apps are getting better at detecting spoofed emails… they can still slip through. Keep reading to find out:
- What motivates someone to spoof an email address
- How email spoofing works
- How common email spoofing is

If you’re here to learn how to prevent email spoofing, check out this article instead: How to Prevent Email Spoofing.

Why do people spoof emails?

You might be wondering why someone would want to spoof another person or company’s email address in the first place. It’s simple: they want the recipient to believe that the email came from a trusted person. Most commonly it is used for activities such as:
- Spear phishing: A type of “social engineering” attack where the attacker impersonates a trusted person and targets a specific individual.
- Business Email Compromise (BEC): A phishing attack involving a spoofed, impersonated, or hacked corporate email address.
- CEO fraud: A BEC attack where the attacker impersonates a high-level company executive and targets an employee.
- Vendor Email Compromise (VEC): A BEC attack where the attacker impersonates a vendor or another business in a company’s supply chain.
- Spamming: Sending unsolicited commercial email to large numbers of people.

Now let’s look at the technical process behind email spoofing.

How email spoofing works

First, we need to distinguish between “email spoofing” and “domain impersonation.” Sometimes these two techniques get conflated. Here’s the difference:
- In an email spoofing attack, the sender’s email address looks identical to the genuine email address ([email protected]).
- In a domain impersonation attack, the fraudster uses an email address that is very similar to another email address ([email protected]).

When you receive an email, your email client (e.g. Outlook or Gmail) tells you who the email is supposedly from.
When you click “reply,” your client automatically fills in the “to” field in your return email. It’s all done automatically and behind the scenes. But this information is not as reliable as you might think. An email consists of several parts:
- Envelope: Tells the receiving server who sent the email and who will receive it. When you get an email, you don’t normally see the envelope.
- Header: Contains metadata about the email, including the sender’s name and email address, send date, subject, and “reply-to” address. You can see this part.
- Body: The content of the email itself.

Spoofing is so common because it’s surprisingly easy to forge the “from” elements of an email’s envelope and header, to make it seem like someone else has sent it. Obviously, we’re not going to provide instructions on how to spoof an email. But we can break down a spoofed email to help you understand how the process works. Let’s take a look at the email header:
First, look at the “Received From” header, highlighted in blue, which shows that the email came from the domain “cybercrime.org.” But now look at the parts highlighted in yellow — the “Return-Path,” “From,” and “Reply-To” headers — which all point to “Mickey Mouse,” or “[email protected]”. These headers dictate what the recipient sees in their inbox, and they’ve all been forged.

The standard email protocol (SMTP) has no default way of authenticating an email. There are authentication checks that depend on the domain owner protecting its domain. In this case, the spoof email failed two important authentication processes (also highlighted in blue, above):
- SPF, short for Sender Policy Framework: Checks if the sender’s IP address is associated with the domain specified in the envelope.
- DMARC, short for Domain-based Message Authentication, Reporting, and Conformance: Verifies an email’s header information.
- DKIM, short for DomainKeys Identified Mail: Designed to make sure messages aren’t altered in transit between the sending and recipient servers.

As you can see, DMARC, SPF, and DKIM all = none. That means our spoofed email slipped right through. Here’s how the email looks in the recipient’s inbox:
The email above appears to have been sent by Mickey Mouse, using the email address [email protected] But we know from the header that it actually came from cybercrime.org. This demonstrates the importance of setting up DMARC policies. You can learn more about how to do that here. Note: Disney does have DMARC enabled. This is a hypothetical example! Want to find out which companies don’t have DMARC set up? Check out this website.

How common is spoofing?

Measuring the precise number of spoofed emails sent and received every day is impossible. But we can look at how many cybercrime incidents involving spoofing get reported each year. A good place to start is the U.S. Federal Bureau of Investigation (FBI)’s Internet Crime Complaint Center (IC3) annual report. In 2020, the IC3 reported that:
- 28,218 of the 791,790 complaints the IC3 received related to spoofing
- The losses associated with spoofing complaints totaled over $216 million
- Spoofing was the sixth most costly type of cybercrime
- The number of spoofing attacks rose 81% since 2018
- The losses from spoofing have more than doubled since 2018

Note that the IC3’s definition of “spoofing” includes incidents involving spoofed phone numbers. But we already know that 96% of phishing attacks start with email. Now you understand what email spoofing is, and how serious a threat it can be, it’s time to read our article on how to prevent email spoofing.
Spear Phishing
How to Prevent and Avoid Falling for Email Spoofing Attacks
By Maddie Rosenthal
22 January 2021
Email spoofing is a common way for cybercriminals to launch phishing attacks — and just one successful phishing attack can devastate your business. That’s why every secure organization has a strategy for detecting and filtering out spoofed emails. Do you? This article will walk you through some of the best methods for preventing email spoofing.

Want to learn more about email spoofing, how hackers do it, and how common these attacks are? Check out this article: What is Email Spoofing and How Does it Work? And, if you’re wondering how to prevent your email address or domain from being spoofed… the first step is to enable DMARC. But even that isn’t enough. We explain why in this article: Why DMARC Isn’t Enough to Stop Impersonation Attacks.

Security awareness training

Email spoofing is a common tactic in social engineering attacks such as spear phishing, CEO fraud, and Business Email Compromise (BEC). Social engineering attacks exploit people’s trust to persuade them to click a phishing link, download a malicious file, or make a fraudulent payment. That means part of the solution lies in educating the people being targeted. It’s important to note that cyberattacks target employees at every level of a company — which means cybersecurity is everyone’s responsibility. Security awareness training can help employees recognize when such an attack is underway and understand how to respond.

In this article – What Is Email Spoofing and How Does it Work? – we looked at how an email’s header can reveal that the sender address has been spoofed. Looking “under the hood” of an email’s header is a useful exercise to help employees understand how email spoofing works. You can see if the email failed authentication processes like SPF, DKIM, and DMARC, and check whether the “Received” and “From” headers point to different domains. But it’s not realistic to expect people to carefully inspect the header of every email they receive.
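The header inspection walked through in the spoofing article (Received vs. From, plus the SPF/DKIM/DMARC verdicts) and summarized in the paragraph above can be scripted so that people don’t have to do it by hand. This is an added example, not Tessian’s code; both raw messages are constructed, and the domains example.com / example.net, the hostnames and the IP addresses are placeholders.

```python
"""Inspect raw email headers for the spoofing indicators discussed in the article.

Added example: the two messages below are constructed, not headers from the article.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample modelled on the spoofed header the article walks through:
# the first hop comes from cybercrime.org, while Return-Path, From and Reply-To
# all claim example.com, and SPF/DKIM/DMARC all report "none".
SPOOFED_RAW = b"""\
Received: from mail.cybercrime.org (mail.cybercrime.org [203.0.113.10])
\tby mx.example.net with ESMTP id 4Xk2Mz; Fri, 22 Jan 2021 10:15:02 +0000
Authentication-Results: mx.example.net; spf=none smtp.mailfrom=example.com;
\tdkim=none; dmarc=none header.from=example.com
Return-Path: <mickey.mouse@example.com>
From: Mickey Mouse <mickey.mouse@example.com>
Reply-To: Mickey Mouse <mickey.mouse@example.com>
To: Tess <tess@example.net>
Subject: Urgent invoice

Please pay the attached invoice today.
"""

# Constructed legitimate message for comparison: the first hop belongs to the
# From domain and all three checks pass.
LEGIT_RAW = b"""\
Received: from mail.example.com (mail.example.com [198.51.100.5])
\tby mx.example.net with ESMTP id 7Qp9Lr; Fri, 22 Jan 2021 11:02:44 +0000
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.com;
\tdkim=pass header.d=example.com; dmarc=pass header.from=example.com
Return-Path: <leon.green@example.com>
From: Leon Green <leon.green@example.com>
To: Tess <tess@example.net>
Subject: Lunch

See you at noon.
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)
METHODS = ("spf", "dkim", "dmarc")


def auth_results(msg) -> dict:
    """Collect method=verdict pairs from every Authentication-Results header."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(str(hdr)):
            results[method.lower()] = verdict.lower()
    return results


def domain_of(addr) -> str:
    """Domain part of 'Name <user@domain>' (empty string if absent)."""
    _, mailbox = parseaddr(str(addr or ""))
    return mailbox.rpartition("@")[2].lower()


def first_hop_host(msg) -> str:
    """Host named in the 'from' clause of the earliest Received header.

    Each relay prepends its own Received header, so the last one listed is
    the first hop: the server that handed the message into the delivery path.
    """
    received = msg.get_all("Received", [])
    if not received:
        return ""
    m = re.match(r"\s*from\s+([\w.-]+)", str(received[-1]), re.IGNORECASE)
    return m.group(1).lower() if m else ""


def same_org(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return bool(host) and bool(domain) and (host == domain or host.endswith("." + domain))


def spoofing_indicators(raw: bytes) -> dict:
    """Run the checks the article suggests; each indicator is True when it points to spoofing."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    auth = auth_results(msg)
    from_dom = domain_of(msg.get("From"))
    report = {
        # Any of SPF/DKIM/DMARC not reporting "pass" (covers none, fail, softfail ...).
        "auth_not_passed": [m for m in METHODS if auth.get(m, "none") != "pass"],
        # The first-hop host does not belong to the domain shown in From.
        "received_mismatch": not same_org(first_hop_host(msg), from_dom),
        # Reply-To or Return-Path steer replies/bounces to a different domain.
        "reply_to_mismatch": bool(msg.get("Reply-To")) and domain_of(msg.get("Reply-To")) != from_dom,
        "return_path_mismatch": bool(msg.get("Return-Path")) and domain_of(msg.get("Return-Path")) != from_dom,
    }
    report["suspicious"] = bool(report["auth_not_passed"]) or report["received_mismatch"]
    return report


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_RAW), ("legit", LEGIT_RAW)):
        print(label, spoofing_indicators(raw))
```

A message that passes every check can still be a domain-impersonation or display-name attack, so this complements rather than replaces the giveaways discussed next.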
So what are some other giveaways that might suggest that an email spoofing scam is underway?
- The email doesn’t look how you expect. The sender might be “paypal.com.” But does the email really look like PayPal’s other emails? Most sophisticated cybercriminals use the spoofed company’s branding — but some can make mistakes.
- The email contains spelling and grammar errors. Again, these mistakes aren’t common among professional cybercriminals, but they still can occur.
- The email uses an urgent tone. If the boss emails you, urgently requesting that you pay an invoice into an unrecognized account — take a moment. This could be CEO fraud.

You must get your whole team on board to defend against cybersecurity threats, and security awareness training can help you do this. However, Tessian research suggests that the effectiveness of security training is limited.

Email provider warnings

Your mail server is another line of defense against spoofing attacks. Email servers check whether incoming emails have failed authentication processes, such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance). Many email providers will warn the user if an email has failed authentication. Here’s an example of such a warning from Protonmail:
As part of your company’s security awareness training, you can urge employees to pay close attention to these warnings and report them to your IT or cybersecurity team. However, it’s not safe to rely on your email provider. A 2018 Virginia Tech study looked at how 35 popular email providers handled email spoofing. The study found:
- All except one of the email providers allowed fraudulent emails to reach users’ inboxes.
- Only eight of the providers provided a warning about suspicious emails on their web apps.
- Only four of the providers provided such a warning on their mobile apps.

Authentication protocols

As noted by the Virginia Tech study, email providers often allow fraudulent emails through their filters — even when they fail authentication. But, perhaps more importantly, whether a fraudulent email fails authentication in the first place is out of your hands. For example, SPF lets a domain owner list which email servers are authorized to send emails from its domain. And DMARC enables domain owners to specify whether recipient mail servers should reject, quarantine, or allow emails that have failed SPF authentication.

So, for domain owners, setting up SPF, DKIM, and DMARC records is an essential step to prevent cybercriminals and spammers from sending spoofed emails using their domain name. But as the recipient, you can’t control whether the domain owner has properly set up its authentication records. You certainly don’t want your cybersecurity strategy to be dependent on the actions of other organizations.

Email security software

Effective email spoofing attacks are very persuasive. The email arrives from a seemingly valid address — and it might contain the same branding, tone, and content you’d expect from the supposed sender. This makes email spoofing attacks one of the hardest cybercrimes to detect manually. Humans aren’t good at spotting the subtle and technical indicators of a well-planned email spoofing attack.
Legacy solutions like Secure Email Gateways and native tools like spam filters aren’t either. The best approach to tackling spoofing — or any social engineering attack — is intelligent technology. Email security solutions powered by machine learning (ML) automate the process of detecting and flagging spoofed emails, making it easier, more consistent, and more effective. Here’s how Tessian Defender solves the problem of email spoofing:
- Tessian’s machine learning algorithms analyze each employee’s email data. The software learns each employee’s email style and maps their trusted email relationships. It learns what “normal” looks like so it can spot suspicious email activity.
- Tessian performs a deep inspection on inbound emails. By checking the sender’s IP address, email client, and other metadata, Tessian can detect indications of email spoofing and other threats.
- If it suspects an email is malicious, Tessian alerts employees using easy-to-understand language.

Want to learn more? Here are some resources:
- Tessian Defender Data Sheet
- Customer Stories
- Report: To Prevent Spear Phishing Look for Impersonation

If you’d rather talk to someone about your specific challenges, you can talk to an expert at Tessian.
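To make the “Authentication protocols” section above concrete, here is an added example (not code from Tessian or this article) that shows what a receiving server does with the domain owner’s DMARC record: the p= tag decides whether a message that fails SPF/DKIM alignment is delivered, quarantined, or rejected. The records, domains, the AuthResult shape and the simplified organizational-domain rule are assumptions made for the example.

```python
"""Evaluate a DMARC record against SPF/DKIM results for one message.

Added example: shows how a weak (p=none) versus an enforcing (p=reject)
record changes the fate of the spoofed message from the article.
"""
from dataclasses import dataclass

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt: str) -> dict:
    """Turn a DMARC TXT record into a tag dict and validate v= and p=."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: missing v=DMARC1")
    if tags.get("p", "").lower() not in POLICIES:
        raise ValueError("DMARC record needs p=none|quarantine|reject")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.

    Assumption for this example; real evaluators consult the Public Suffix List.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict (s) needs an exact match,
    relaxed (r, the default) only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode.lower() == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResult:
    spf_pass: bool     # did the connecting IP pass SPF for the MAIL FROM domain?
    spf_domain: str    # envelope (MAIL FROM) domain that SPF was checked against
    dkim_pass: bool    # did a DKIM signature verify?
    dkim_domain: str   # d= of the verified signature ("" if there was none)


def dmarc_evaluate(record, from_domain: str, auth: AuthResult):
    """Return (dmarc_result, disposition) for one message.

    record=None models a domain owner who never published DMARC: the receiver
    has no policy to apply, so even a failing message is delivered.
    """
    if record is None:
        return "none", "none"
    tags = parse_dmarc(record)
    spf_ok = auth.spf_pass and aligned(auth.spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = auth.dkim_pass and aligned(auth.dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags["p"].lower()


# Constructed scenario mirroring the article's spoofed message: From claims
# example.com, but the mail came from cybercrime.org with no SPF pass for
# example.com and no DKIM signature at all.
SPOOF = AuthResult(spf_pass=False, spf_domain="cybercrime.org", dkim_pass=False, dkim_domain="")
# Constructed genuine message: SPF passes for a subdomain of the From domain.
LEGIT = AuthResult(spf_pass=True, spf_domain="mail.example.com", dkim_pass=False, dkim_domain="")

WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"      # monitor only
STRONG_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"  # enforce
STRICT_RECORD = "v=DMARC1; p=reject; aspf=s"                        # strict SPF alignment

if __name__ == "__main__":
    print(dmarc_evaluate(None, "example.com", SPOOF))           # ('none', 'none')
    print(dmarc_evaluate(WEAK_RECORD, "example.com", SPOOF))    # ('fail', 'none')
    print(dmarc_evaluate(STRONG_RECORD, "example.com", SPOOF))  # ('fail', 'reject')
    print(dmarc_evaluate(STRONG_RECORD, "example.com", LEGIT))  # ('pass', 'none')
```

Note that with STRICT_RECORD the genuine message from mail.example.com is rejected too, which is why owners usually move from p=none to p=reject only after reviewing aggregate reports.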
Spear Phishing
CISA Warns of New Attacks Targeting Remote Workers
14 January 2021
tl;dr: The Cybersecurity and Infrastructure Security Agency (CISA) has warned of a string of successful phishing attacks exploiting weak cyber hygiene in remote work environments to access companies’ cloud services via employees’ corporate laptops and personal devices.*  According to the report, “the cyber actors designed emails that included a link to what appeared to be a secure message and also emails that looked like a legitimate file hosting service account login. After a targeted recipient provided their credentials, the threat actors then used the stolen credentials to gain Initial Access to the user’s cloud service account. … A variety of tactics and techniques—including phishing, brute force login attempts, and possibly a “pass-the-cookie” attack—to attempt to exploit weaknesses in the victim organizations’ cloud security practices.” 
Once the hackers had access to an employee’s account, they were able to:
- Send other phishing emails to contacts in the employee’s network.
- Modify existing forwarding rules so that emails that would normally automatically be forwarded to personal accounts were instead forwarded directly to the hacker’s inbox.
- Create new mailbox rules to have emails containing specific keywords (i.e. finance-related terms) forwarded to the hacker’s account.

This type of malicious activity targeting remote workers isn’t new. Henry Trevelyan Thomas, Tessian’s VP of Customer Success, has seen many instances this year. “The shift to remote work has resulted in people needing more flexibility, and personal accounts provide that—for example, access to home printers or working from a partner’s computer. Personal accounts are easier to compromise as they almost always have less security controls, are outside organizations’ secure environments, and your guard is down when logging on to your personal account. Attackers have realized this and are seeing it as a soft underbelly and entry point into a full corporate account takeover.”

Learn more about Account Takeover (ATO), and take a look at some real-life examples of phishing attacks we spotted last year.

CISA recommends the following steps for organizations to strengthen their cloud security practices:
- Establish a baseline for normal network activity within your environment
- Implement MFA for all users, without exception
- Routinely review user-created email forwarding rules and alerts, or restrict forwarding
- Have a mitigation plan or procedures in place; understand when, how, and why to reset passwords and to revoke session tokens
- Consider a policy that does not allow employees to use personal devices for work. At a minimum, use a trusted mobile device management solution.
- Consider restricting users from forwarding emails to accounts outside of your domain
- Focus on awareness and training.
Make employees aware of the threats—such as phishing scams—and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.
- Establish blame-free employee reporting and ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack. This will ensure that the proper established mitigation strategy can be employed quickly and efficiently.

For more practical advice on how to avoid falling for a phishing scam, download Tessian’s guide to Remote Work and Cybersecurity.
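The routine review of forwarding rules that CISA recommends above can be automated against an export of users’ mailbox rules, flagging exactly the two patterns the advisory describes: forwarding to addresses outside the organization, and rules keyed on finance-related terms. This is an added example, not code from CISA or Tessian; the rule schema, the org domain, the approved partner domain and the sample rules are all constructed, so map your own platform’s rule export onto the fields used here.

```python
"""Review mailbox rules for the forwarding abuse described in the CISA advisory.

Added example. The rule records below follow a constructed, product-neutral
schema (field names are assumptions): map your mail platform's export onto it.
"""

ORG_DOMAIN = "example.com"                   # assumption: the organization's own domain
APPROVED_EXTERNAL = {"partner.example"}      # assumption: deliberately approved external domains
# Finance-related terms of the kind the advisory says attackers key rules on.
FINANCE_TERMS = ("invoice", "payment", "wire", "bank", "remittance", "payroll")


def domain(address: str) -> str:
    return address.rpartition("@")[2].lower()


def is_external(address: str) -> bool:
    """True unless the address is in the org domain or one of its subdomains."""
    d = domain(address)
    return d != ORG_DOMAIN and not d.endswith("." + ORG_DOMAIN)


def review_rule(rule: dict) -> list:
    """Return the reasons a single rule deserves a look (empty list if none)."""
    reasons = []
    if not rule.get("enabled", True):
        return reasons                       # disabled rules cannot leak anything (yet)
    targets = rule.get("forward_to", [])
    ext = [t for t in targets if is_external(t) and domain(t) not in APPROVED_EXTERNAL]
    if ext:
        reasons.append(f"forwards outside {ORG_DOMAIN}: {', '.join(ext)}")
    keywords = [k.lower() for k in rule.get("subject_contains", []) + rule.get("body_contains", [])]
    hits = sorted({k for k in keywords if any(term in k for term in FINANCE_TERMS)})
    if hits and targets:
        reasons.append(f"forwards on finance keywords: {', '.join(hits)}")
    return reasons


def review_rules(rules: list) -> list:
    """Flag every rule with at least one reason, sorted for a stable report."""
    findings = []
    for rule in rules:
        reasons = review_rule(rule)
        if reasons:
            findings.append({"mailbox": rule["mailbox"], "rule": rule["name"], "reasons": reasons})
    return sorted(findings, key=lambda f: (f["mailbox"], f["rule"]))


# Constructed sample export: one benign filing rule, one personal-account
# forward, one attacker-style finance forward, one approved partner copy,
# and one disabled leftover.
SAMPLE_RULES = [
    {"mailbox": "alice@example.com", "name": "File newsletters", "enabled": True,
     "subject_contains": ["newsletter"], "forward_to": [], "move_to": "Newsletters"},
    {"mailbox": "bob@example.com", "name": "Copy to home", "enabled": True,
     "subject_contains": [], "forward_to": ["bob@freemail.example"]},
    {"mailbox": "carol@example.com", "name": "Finance", "enabled": True,
     "subject_contains": ["invoice", "wire transfer"], "forward_to": ["drop@attacker.example"]},
    {"mailbox": "dave@example.com", "name": "Partner copy", "enabled": True,
     "subject_contains": [], "forward_to": ["ops@partner.example"]},
    {"mailbox": "erin@example.com", "name": "Old rule", "enabled": False,
     "subject_contains": ["payment"], "forward_to": ["erin@freemail.example"]},
]

if __name__ == "__main__":
    for finding in review_rules(SAMPLE_RULES):
        print(finding["mailbox"], "|", finding["rule"], "|", "; ".join(finding["reasons"]))
```

Run it on a schedule and diff successive reports: a rule that changes its forwarding target between runs matches the “modify existing forwarding rules” behaviour the advisory describes.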
*Note: the activity and information in this Analysis Report is not explicitly tied to any one threat actor or known to be specifically associated with the advanced persistent threat actor attributed with the compromise of SolarWinds Orion Platform software and other recent activity.
Spear Phishing
What is CEO Fraud? How to Identify CEO Email Attacks
14 January 2021
Typically, the attacker will target an employee at a target organization and trick them into transferring them money. A CEO fraud email will usually urgently request the employee to pay a supplier’s “invoice” using new account details. Cybercriminals use sophisticated techniques and meticulous research to make the attack as persuasive as possible.

Why do cybercriminals impersonate CEOs and other high-level executives? Two reasons:
- Power: CEOs have the authority to instruct staff to make payments.
- Status: Employees tend to do what CEOs ask. No-one wants to upset the boss.

CEO fraud vs. other types of cybercrime

There’s some confusion about CEO fraud and how it relates to other types of cybercrime. Let’s clear a few things up before looking at CEO fraud in more detail. CEO fraud is related to the following types of cybercrime:
- Social engineering attack: Any cyberattack in which the attacker impersonates someone that their target is likely to trust.
- Phishing: A social engineering attack conducted via email (there are other forms of phishing, such as “smishing” and “vishing” via SMS and phone).
- Spear phishing: A phishing attack targeting a named individual.
- Business Email Compromise (BEC): A phishing attack conducted via a hacked or spoofed corporate email account.

CEO fraud is not to be confused with “whaling”: a phishing attack where the cybercriminal targets — rather than impersonates — a CEO or other senior company employee. More on that in this article: Whaling: Examples and Prevention Strategies.

How do CEO fraud attacks work?

There are three main ways cybercriminals can compromise a CEO’s email account:
- Hacking: Forcing entry into the CEO’s business email account and using it to send emails.
- Spoofing: Sending an email from a forged email address and evading authentication techniques.
- Impersonation: Using an email address that looks similar to a CEO’s email address.
A CEO fraud attack usually involves one of the following types of cybercrime:
- Wire transfer phishing: The attacker asks the target to pay an invoice.
- Gift certificate phishing: The attacker asks the target to buy them gift certificates.
- Malicious payload: The email contains a malware attachment.

Like all social engineering attacks, CEO fraud attacks exploit people’s feelings of trust and urgency. When the CEO is “in a meeting” or “at a conference” and needs an urgent favor, employees don’t tend to second-guess them. Here’s how a CEO fraud email might look. Now, for the sake of the example, imagine your boss is Thomas Edison. Yes, that Thomas Edison.
There are a few things to note about this CEO fraud email:
- Note the subject line, “Urgent request,” and the impending payment deadline. This sense of urgency is ubiquitous among CEO fraud emails.
- The fraudster uses Thomas’s casual email tone and his trademark lightbulb emoji. Fraudsters can do a great impersonation of a CEO by scraping public data (plenty is available on social media!) or by hacking their email and observing their written style.
- Cybercriminals do meticulous research. Thomas probably is in Florida. “Filament Co.” might be a genuine supplier and an invoice might even actually be due tomorrow.

There’s one more thing to note about the email above. Look at the display name — it’s “Thomas Edison”. But anyone can choose whatever email display name they want. Mobile email apps don’t show the full email address, leaving people vulnerable to crude “display name impersonation” attacks. That’s why it’s so important to examine the sender’s email address and make sure it matches the display name. Remember: on mobile, you’ll have to take an extra step to view the email address. But it’s worth it.

It’s important to note that the difference between the display name and email address won’t always be easy to spot. Why? Because fraudsters can create look-alike email addresses via “domain impersonation”. Let us explain. An email domain is the part of the email address after the “@” sign. A cybercriminal impersonating Bill Gates, for example, might purchase a domain such as “micros0ft.com” or “microsoft.co”. Likewise, using “freemail impersonation”, a more unsophisticated attacker might simply set up an email account with any free email provider using the CEO’s name (think “[email protected]”). We explain domain impersonation in more detail – including plenty of examples – in this blog: Inside Email Impersonation: Why Domain Name Spoofs Could be Your Biggest Risk.

How common is CEO fraud?

It’s undeniable that cybercrime is on the increase.
FBI statistics show that the total losses from cybercrime rose from $1.5 billion in 2016 to $4.3 billion in 2020. Business Email Compromise (BEC) has also “increased, grown in sophistication, and become more targeted” due to the COVID-19 pandemic, according to Interpol. But what about CEO fraud itself? CEO fraud once dominated the cybercrime landscape. However, there is some evidence that cybercriminals are moving away from CEO fraud and towards a broader range of more sophisticated social engineering attacks. The FBI’s Internet Crime Complaint Center (IC3) estimates the global losses associated with BEC at over $28 billion in the period from 2016-20 and cites a 61% increase in BEC incidents over the same period. But this figure doesn’t distinguish CEO fraud from other types of BEC. The IC3’s 2019 cybercrime report suggests while CEO fraud previously dominated BEC, cybercriminals now impersonate a broader range of actors, including vendors, lawyers, and payroll departments. These days, employees don’t only have to be wary of CEO fraud attacks. They also need to watch out for more advanced cybercrime techniques like Account Takeover (ATO), deepfakes, and ransomware. But CEO fraud is still a big deal. In December 2020, the Bank of Ireland warned of an increase in Brexit-related CEO fraud attacks. The bank’s staff were reportedly dealing with two to three CEO fraud attacks per week, with some attacks compromising millions of euros. Want to know how to protect yourself and your business from CEO fraud? Read our article: How to Prevent CEO Fraud Attacks.
Spear Phishing
CEO Fraud Prevention: 3 Effective Solutions
14 January 2021
CEO fraud is a type of cybercrime in which the attacker impersonates a CEO or other company executive. The fraudster will most often use the CEO’s email account — or an email address that looks very similar to the CEO’s — to trick an employee into transferring them money. That means that, like other types of Business Email Compromise (BEC), CEO fraud attacks are very difficult for employees and legacy solutions like SEGs to spot. But there are still ways to prevent successful CEO fraud attacks. The key? Take a more holistic approach by combining training, policies, and technology.

If you want to learn more about BEC before diving into CEO fraud, you can check out this article: Business Email Compromise: What it is and How it Happens. You can also get an introduction to CEO Fraud in this article: What is CEO Fraud?

1. Raise employee awareness

Security is everyone’s responsibility. That means everyone – regardless of department or role – must understand what CEO fraud looks like. Using real-world examples to point out common red flags can help.
It’s important to point out the lack of spelling errors. Poor spelling and grammar can be a phishing indicator, but this is increasingly unlikely in today’s more sophisticated cybercrime environment. Also, notice the personal touches — Sam’s familiar tone, his references to Kat working from home, and his casual email sign-off. Fraudsters go to great efforts to research their subjects and their targets, whether via hacking or simply using publicly available information.

These persuasive elements aside, can you spot the red flags? Let’s break them down:
- The sender’s email address: The domain name is “abdbank.com” (which looks strikingly similar to abcbank.com, especially on mobile). Domain impersonation is a common tactic for CEO fraudsters.
- The sense of urgency: The subject line, the ongoing meeting, the late invoice. Creating a sense of urgency is near-universal in social engineering attacks. Panicked people make poor decisions.
- The authoritative tone: “Please pay immediately”: there’s a reason cybercriminals impersonate CEOs — they’re powerful, and people tend to do what they say.
- Playing on the target’s trust: “I’m counting on you”. Everyone wants to be chosen to do the boss a favor.
- Westinghouse’s “new account details”: CEO fraud normally involves “wire transfer phishing” — this new account is controlled by the cybercriminals.

Your cybersecurity staff training program should educate employees on how to recognize CEO fraud, and what to do if they detect it:
- Check the sender’s email address for discrepancies. This is a dead giveaway of email impersonation. But remember that corporate email addresses can also be hacked or spoofed.
- Feeling pressured? Take a moment. Is this really something the CEO is likely to request so urgently?
- New account details? Always verify the payment. Don’t pay an invoice unless you know the money’s going to the right place.

Looking for a resource that you can share with your employees?
We put together an infographic outlining how to spot a spear phishing email. While these are important lessons for your employees, there’s only so much you can achieve via staff training. Humans are often led by emotion, and they’re not good at spotting the small giveaways that might reveal a fraudulent email. Sometimes, even security experts can’t! More on this here: Pros and Cons of Phishing Awareness Training. 
2. Implement best cybersecurity practice

Beyond staff training, every thriving company takes an all-round approach to cybersecurity that minimizes the risk of serious fallout from an attack. Here are some important security measures that will help protect your company’s assets and data from CEO fraud:
- Put a system in place so employees can verify large and non-routine wire transfers, ideally via phone
- Protect corporate email accounts and devices using multi-factor authentication (MFA)
- Ensure employees maintain strong passwords and change them regularly
- Buy domains that are similar to your company’s brand name to prevent domain impersonation
- Regularly patch all software
- Closely monitor financial accounts for irregularities such as missing deposits
- Deploy an email security solution

All the above points are crucial cybersecurity controls. But let’s take a closer look at that final point — email security solutions.

3. Deploy intelligent inbound email security

Because CEO fraud attacks overwhelmingly take place via email (along with 96% of all phishing attacks), installing email security software is one of the most effective steps you can take to prevent this type of cybercrime. But not just any email security solution. Legacy solutions like SEGs and spam filters and Microsoft and Google’s native tools generally can’t spot sophisticated attacks like CEO fraud. Why? Because they rely almost entirely on domain authentication and payload inspection. Social engineering attacks like CEO fraud easily evade these mechanisms. Tessian is different.

Tessian Defender uses machine learning (ML), anomaly detection, behavioral analysis, and natural language processing (NLP) to detect a variety of signals indicative of CEO fraud. Tessian’s machine learning algorithms analyze your company’s email data. The software learns every employee’s normal communication patterns and maps their trusted email relationships — both inside and outside your organization.
Tessian inspects both the content and metadata of inbound emails for any signals suggestive of CEO fraud. For example: suspicious payloads, anomalous geographic locations, out-of-the-ordinary IP addresses and email clients, keywords that suggest urgency, or unusual sending patterns. Once it detects a threat, Tessian alerts employees that an email might be unsafe, explaining the threat in easy-to-understand language.
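The header and content signals described above can be made concrete. The following is an added example, not Tessian's code or a description of its detection logic: it parses a raw message with Python's standard email library and scores a handful of anomalies that CEO fraud typically exhibits (an executive's display name on an address that is not the executive's, a Reply-To pointing at a different domain, an envelope sender that differs from the header From, an address with no prior relationship, urgency wording). The executive directory, the known-sender baseline, the weights, the threshold and the two sample messages are all constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed organisational context (assumption for this example). A real
# deployment would learn the executive directory and the per-recipient sender
# baseline from historical mail rather than hard-code them.
EXECUTIVES = {"jane doe": "jane.doe@acme.example"}
KNOWN_SENDERS = {"jane.doe@acme.example", "billing@supplier.example"}

# Wording typical of payment-fraud pretexts. Keyword hits alone prove nothing;
# they only add weight on top of the header anomalies below.
URGENCY = re.compile(
    r"\b(?:urgent(?:ly)?|immediately|asap|right away|confidential|wire transfer|gift cards?)\b",
    re.IGNORECASE,
)

WEIGHTS = {
    "display_name_impersonation": 5,  # executive's name on a non-executive address
    "reply_to_mismatch": 3,           # replies silently routed to another domain
    "return_path_mismatch": 1,        # envelope sender differs from header From
    "unknown_sender": 2,              # no prior relationship with this address
    "urgency_language": 1,            # per keyword hit, capped at 3 below
}

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def score_message(raw: str) -> dict:
    """Score a raw RFC 5322 message; returns the individual signals, a total and a verdict."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    from_addr = from_addr.lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}"

    exec_addr = EXECUTIVES.get(from_name.strip().lower())
    signals = {
        "display_name_impersonation": exec_addr is not None and from_addr != exec_addr,
        "reply_to_mismatch": bool(reply_to) and _domain(reply_to) != _domain(from_addr),
        "return_path_mismatch": bool(return_path) and _domain(return_path) != _domain(from_addr),
        "unknown_sender": from_addr not in KNOWN_SENDERS,
        "urgency_language": min(len(URGENCY.findall(text)), 3),
    }
    score = sum(WEIGHTS[name] * int(value) for name, value in signals.items())
    return {"signals": signals, "score": score, "suspicious": score >= 5}

# Constructed messages, not captured traffic.
FRAUD = """\
Return-Path: <bounce@mailer.example.net>
From: Jane Doe <jane.doe.ceo@webmail.example>
Reply-To: <jd.private@other.example>
To: accounts@acme.example
Subject: Urgent wire transfer

I am in a meeting and cannot take calls. Please process the wire transfer
immediately and keep this confidential until I am back.
"""

BENIGN = """\
From: Jane Doe <jane.doe@acme.example>
To: accounts@acme.example
Subject: Q3 budget review

Can we move the budget review to Thursday afternoon?
"""

if __name__ == "__main__":
    for label, raw in (("fraud", FRAUD), ("benign", BENIGN)):
        print(label, score_message(raw))
```

The Return-Path signal is deliberately given the lowest weight: mailing lists and bulk senders legitimately use an envelope sender on a different domain, so on its own it should never trigger a warning. The display-name check carries the most weight because it is the defining trait of CEO fraud and cannot be caught by SPF or DKIM, which only vouch for the domain the attacker actually controls.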
Click here to learn more about how Tessian Defender protects your team from CEO fraud and other email-based cybersecurity attacks. You can also explore our customer stories to see how they’re using Tessian Defender to protect their people on email and prevent social engineering attacks like CEO Fraud.
Spear Phishing Customer Stories
How Tessian Is Preventing Advanced Impersonation Attacks in Manufacturing
By Maddie Rosenthal
12 January 2021
Company: SPG Dry Cooling
Industry: Manufacturing
Seats: 368
Solutions: Defender

About SPG Dry Cooling

SPG Cooling is an innovative, global leading manufacturer of air-cooled condensers that has been providing exceptional quality equipment to coal, oil, and gas industrial plants for over a century. They employ a global workforce and have over 1,000 customer references. We talked to Thierry Clerens, Global IT Manager at SPG Dry Cooling, to learn more about the problems Tessian helps solve and why he chose Tessian Defender over other solutions.

Problem: The most advanced threats can slip past other controls

Phishing is a big problem across all industries. But, because inbound email attacks are becoming more and more sophisticated and hackers continue using tactics like domain impersonation and email spoofing, Thierry knew he needed to implement a new solution that could stop the phishing emails that might slip past his O365 controls and trained employees. He cited one specific incident where a hacker impersonated a company in SPG Cooling's supply chain and attempted to initiate a wire transfer. How? A tiny, difficult-to-spot change in the domain name: the supplier's real domain ended in .com.tr, and the attacker registered the same name under .com. Because the attacker owns that registration, the look-alike domain can carry valid SPF and DKIM records, so authentication checks alone would not have caught it.

"They created a fake domain with exactly the same name as the real user. But the top-level domain .tr was missing at the end. So it was just .com. No user – not even IT! – is looking at the domain name that closely. They tried to get us to deliver money to another account," Thierry explained.

While the attack wasn't successful (SPG Dry Cooling has strong policies and procedures in place to confirm the legitimacy of requests like this), he wanted to level up his inbound email security and help users spot these advanced impersonation attacks. So, he invested in Tessian. Thierry explained why.
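The earlier recommendation to register look-alike domains and the incident Thierry describes come down to the same question: does a sender's domain resemble a trusted one without being it? The following is an added example, not Tessian's code and not SPG Dry Cooling's or its supplier's real domains. It splits a domain into its brand label and public suffix, flags the exact pattern from the incident (same label, different suffix) alongside homoglyph, single-typo and brand-embedded variants, and enumerates the variants a company might register defensively. The trusted-partner list, the small public-suffix table and the confusable-character table are assumptions for the example; a production system should use the full Public Suffix List.

```python
from __future__ import annotations

# Hand-written subset of public suffixes (assumption). Production code should
# use the Public Suffix List from publicsuffix.org, which is far larger.
PUBLIC_SUFFIXES = {"com", "net", "org", "io", "co", "tr", "com.tr", "co.uk", "de", "fr"}

# Character sequences that look alike in common fonts: (look-alike, canonical).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def split_domain(domain: str) -> tuple[str, str]:
    """Return (brand_label, public_suffix), e.g. 'mail.acme.com.tr' -> ('acme', 'com.tr').

    Candidate suffixes are tried longest first, so 'com.tr' wins over 'tr'.
    """
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            return labels[i - 1], suffix
    return labels[-1], ""

def skeleton(label: str) -> str:
    """Collapse confusable sequences so 'acrne' and 'acme' compare equal."""
    for lookalike, canonical in CONFUSABLES:
        label = label.replace(lookalike, canonical)
    return label

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender_domain(sender: str, trusted: set[str]) -> tuple[str, str | None]:
    """Compare a sender domain with each trusted domain; return (verdict, matched_trusted)."""
    sender = sender.lower()
    if sender in trusted:
        return "trusted", sender
    s_label, s_suffix = split_domain(sender)
    for t in sorted(trusted):
        t_label, t_suffix = split_domain(t)
        if (s_label, s_suffix) == (t_label, t_suffix):
            return "trusted_subdomain", t   # e.g. mail.partsdepot.co.uk
        if s_label == t_label:
            return "tld_swap", t            # same name, other suffix: the .com.tr -> .com case
        if skeleton(s_label) == skeleton(t_label):
            return "homoglyph", t           # acrne-turbines vs acme-turbines
        if len(t_label) >= 5 and edit_distance(s_label, t_label) <= 1:
            return "typo", t                # one dropped, added or swapped character
        if t_label in s_label:
            return "brand_in_label", t      # acme-turbines-invoices
    return "unrelated", None

def defensive_registrations(domain: str) -> set[str]:
    """Variants of a brand domain worth registering, or at least monitoring."""
    label, suffix = split_domain(domain)
    variants = {f"{label}.{s}" for s in PUBLIC_SUFFIXES if s != suffix}
    for lookalike, canonical in CONFUSABLES:
        if canonical in label:
            variants.add(f"{label.replace(canonical, lookalike, 1)}.{suffix}")
    return variants - {domain.lower()}

# Constructed trusted-partner list; these are not SPG Dry Cooling's real domains.
TRUSTED = {"acme-turbines.com.tr", "partsdepot.co.uk"}

if __name__ == "__main__":
    for sender in ("acme-turbines.com", "acrne-turbines.com.tr", "partsdepo.co.uk",
                   "mail.partsdepot.co.uk", "acme-turbines-invoices.com.tr", "unrelated.org"):
        print(sender, classify_sender_domain(sender, TRUSTED))
    print(sorted(defensive_registrations("acme-turbines.com.tr")))
```

The suffix split is what makes the incident's pattern detectable: a naive string comparison sees acme-turbines.com and acme-turbines.com.tr as merely "different", while comparing the brand label separately from the suffix exposes that they share a name. The minimum label length on the typo check keeps short brand names (where a one-character difference is a different word, not a typo) from generating noise.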
Tessian Defender analyzes up to 12 months of historical email data to learn what "normal" looks like. It then uses natural language processing, behavioral analysis, and communication analysis to determine in real time whether a particular email is suspicious. To learn more, read the data sheet.

Problem: You can't train employees to spot all phishing attacks

Tessian also helps employees get better at spotting malicious emails with in-the-moment warnings (written in plain English) that reinforce training by explaining exactly why an email is being flagged. Here is an example:
This feature is especially important to Thierry, who values phishing awareness training but understands it has to be ongoing. "We like to empower our users and we like that, with Tessian, our users learn and become better and better and better. That's what we're trying to do at SPG Dry Cooling. We're trying to train and educate our users as much as possible. We're trying to be innovative in the ways that we get our users, our company, our members, everybody, to better themselves," he said.

In evaluating solutions, he wanted something that would protect his people, while also empowering them to make smarter security decisions. He found that in Tessian, explaining that "the most interesting feature for me is the user education. You have to train your users. You have to help them get better at spotting threats by helping them understand the threats. Tessian does that."

Problem: It's nearly impossible for IT teams to manually investigate all potential inbound threats

Before Tessian, Thierry and his team had to manually investigate all emails that employees flagged as suspicious. With limited time and resources – and given the fact that "some are really good and are even hard for IT people to find" – it was nearly impossible for them to keep up.
Thierry explained that Tessian extends the capabilities of his team. How?

- It automatically detects and prevents threats
- Domains can be added to the denylist in a single click, before emails from them even land in employees' mailboxes
- Tessian dashboards make it easy for IT to see trends and create targeted security campaigns to help educate users

Tessian was also easy to deploy. "As a part of our proof of concept, Tessian started ingesting historical data about employees' IP addresses, what emails they normally send, who they normally communicate with. We saw how it was helping in just a few weeks. After that, we connected Tessian to Office 365. It took just 15 minutes," he said.

Learn more about how Tessian prevents human error on email

Powered by machine learning, Tessian's Human Layer Security technology understands human behavior and relationships.

- Tessian Guardian automatically detects and prevents misdirected emails
- Tessian Enforcer automatically detects and prevents data exfiltration attempts
- Tessian Defender automatically detects and prevents spear phishing attacks

Importantly, Tessian's technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of an organization's email network. That means it gets smarter over time to keep you protected, wherever and however you work. Interested in learning more about how Tessian can help prevent email mistakes in your organization? You can read some of our customer stories here or book a demo.