Spear Phishing
Spotting the Stimulus Check Scams
16 April 2020
Since the US government announced that citizens who make less than $75K would receive $1,200 checks, we have found that there have been 673 newly registered domains related to the $2T stimulus package.  Unlike the domains spoofing the U.S. Census that we discovered earlier this month, these URLs aren’t intended to mimic official government websites. Rather, these domains have been set up to take advantage of the stimulus package, using common questions or key words to lure users in such as whereismystimuluscheck.com or covid-19-stimulus.com.  Where do these new domains go? When we looked at the newly registered domains more closely, we found that nearly half of the newly registered domains hosted websites offer the following services: Consultancy: helping people with the paperwork to get their checks Calculators: asking users to enter their personal information, such as their age and address, to find out how much money they are entitled to Donations: giving people the opportunity to donate their check to a Covid-19 related cause Business loans We also found that 7% of these spoofed domains were spam websites, with no clear call to action. With hackers capitalizing on this global health crisis to launch targeted phishing scams, people need to be mindful of what information they share on these sites.  The thing is that cybercriminals will always follow the money, looking for ways to take advantage of the fact people will be seeking more information or guidance on the stimulus package. Although not every domain registered in the last month may be malicious, it’s possible that these websites offering consulting and business loans could be set up to trick people into sharing money or personal information.  Our advice? Always check the URL of the domain and verify the legitimacy of the service by calling them directly before taking action.  Think twice about sharing your data It’s also important to consider what data you are being asked to share via websites offering calculators or status checks, and what the websites offer after you have taken an action. Cybercriminals could use the information you shared to craft targeted phishing emails that include the ‘results’ of your assessment, tricking you to click on malicious links with the intention of stealing money, credentials or installing malware onto your device. Earlier this week, the IRS launched a new online resource for citizens to check on their payment status. We anticipate that even more URLs will crop up as a result of this. How to avoid potential scams Think twice before sharing personal information to calculator websites. If it doesn’t look right, it probably isn’t  Make sure the educational sites offering consultancy services are legitimate before sharing information or money. Always check the URL and, if you’re still not sure, verify by calling the company directly Never share direct deposit details or your Social Security number on an unfamiliar website Take care when sharing your email address and other personal information on websites like the calculator ones and question the legitimacy of the emails sharing your results before clicking on any links Always use different passwords when setting up new accounts on these websites  
Spear Phishing
COVID-19: Real-Life Examples of Opportunistic Phishing Emails
15 April 2020
A few weeks ago we published the post below, which included real-world examples of opportunistic phishing attacks exploiting COVID-19. One of the phishing attacks pretended to be from “Management” and contained an attachment with guidance on how to stay safe. Another attack was designed to look like an account activation email for a remote-working tool; it was sent by “IT Support.” We have two more real-world examples, and this time the attackers are impersonating a company that has seen tremendous attention and adoption with the rise of remote-working: Zoom.  Phishing Email #1: Your CEO is Waiting for You
What’s wrong with this email? The Display Name ([email protected]) and the email address do not match. The actual sender address is [email protected] The attacker, who sent the email on a Friday afternoon, is hoping that the target will a) be motivated to respond quickly to a meeting request from the CEO and b) be less scrutinizing and security-conscious as it’s the end of the week.  The target is being encouraged to click on a seemingly legitimate Zoom link, which would likely lead to a malicious site or could deploy malware.  Upon hovering over the provided link, you’ll find the URL is actually different than the hyperlink would lead you to believe The closing of the email is suspicious: “This message is from your company’s IT.” NB: This phishing email is a direct spoof and was prevented because of DMARC; it was automatically sent to a Spam folder. If you haven’t set your DMARC records correctly, these emails will fly past existing defenses.
Phishing Email #2: Generic Zoom Spoof
What’s wrong with this email? The Display Name (tessian.com ZoomCall) and the email address do not match, but the attacker is hoping the recipient doesn’t look beyond the sender Display Name. The conference call time and date in the email subject line seem to have already passed, based on when the attack was received. Note this email was received at 3:22am, so would likely be the first email the recipient reads in the morning.  The email contains the message “Zoom will only keep this message for 48 hours.” This combined with the subject line adds a sense of urgency and could potentially convince the recipient they’ve missed something important and should quickly try to remedy it.  The target is being encouraged to click on a seemingly legitimate Zoom link, which would likely lead to a malicious site or could deploy malware.  We’ve been pulling together guidance and resources to help employees and businesses stay safe while working remotely. If you suspect you’ve been targeted by a phishing attack, do not click any links or download attachments. Instead, directly contact the sender via phone or a messaging app to confirm legitimacy of the email and immediately alert your IT or security team.
__________________________________________ Original post from Tuesday March 24, 2020 Over the last several weeks, there’s been a surge in opportunistic phishing attacks in which hackers are using the outbreak of COVID-19 to dupe targets into following links, downloading attachments, or otherwise divulging sensitive information.  We highlighted a few examples of phishing scams both consumers and employees should be aware of in our blog post, Coronavirus and Cybersecurity: How to Stay Safe from Phishing Attacks. Importantly, though, the examples were anecdotal.  Now, we want to share two real-life examples that Tessian Defender has flagged internally since the original blog was published.  Phishing Email #1: The Attacker is Capitalizing on Fear Around COVID-19
What’s wrong with this email? The Display Name (Information Unit) and the email address do not match at all. (What’s more, ‘Information Unit’ is not a genuine internal group at Tessian.) The attacker, who sent the email late-afternoon on a Friday, is no doubt hoping that the target – our marketing team –  is less scrutinizing and security-conscious as the week comes to a close, especially when employees across the globe are working from home. The target is being encouraged to download an attachment, which opens a fake login page to steal the victim’s credentials. The email is rife with spelling and grammar errors as well as formatting inconsistencies and the unconcerned, mechanical language is out-of-character for anyone in management, especially given the content of the email.  The attacker used complex encoding to try to evade traditional phishing detection tools that would scan for certain keywords in the email’s body. How? By interspacing different invisible characters between other characters so that the content looks like gibberish. Below is a screenshot of encoding in the email body for reference. Here, you see the characters marked “transparent”; those are the invisible characters.
Phishing Email #2: The Attacker Baits the Target With a Remote-Working Tool
What’s wrong with this email? The Display Name ([email protected]) and the email address are in stark contrast. This sender’s email address is a direct spoof of the domain (tessian.com). The attacker is taking advantage of the fact that many employees around the world are now suddenly working from home and in need of remote-working tools. Therefore, targets are more likely to trust that their employer has, in fact, set them up for remote connection provided by a VPN vendor. The way this email is constructed – poor grammar and impersonal – makes it obvious to a Tessian employee that this is not legitimately from our IT manager. The target is being encouraged to follow a link, which looks inconspicuous. But, upon hovering, you’ll see that the link the target will actually be led to is suspicious.
Important: Because Tessian has DMARC enabled, emails that spoof our domain are automatically sent to “quarantine”. That means the email was never actually received by the target and instead went straight to a spam folder. Unfortunately, though, a lot of companies don’t have DMARC enabled. In fact, nearly 80% of domains have no DMARC policy. Now that you know what these opportunistic phishing emails look like, what do you do if you’re targeted? That is, after all, what’s really important when it comes to preventing a data breach.  What to Do If You’re Targeted by a Phishing Attack If anything seems unusual, do not follow or click links or download attachments. Instead, visit the brand’s website via Google or your preferred search engine, find a support number, and ask them to confirm whether the communication is valid. If the email appears to come from someone you know and trust, like a colleague, reach out to the individual directly by phone, Slack, or a separate email thread. Rest assured, it’s better to confirm and proceed confidently than the alternative.  If you’re an employee who’s been targeted, contact your line manager and/or IT team. Unfortunately, hackers are taking advantage of other opportunities to target individuals and businesses, including: Tax Day The US Census Stimulus Checks  You can also find information, including the types of brands and people hackers try to impersonate and how to spot a suspicious or spoofed email address, here. 
Compliance Data Loss Prevention Spear Phishing
Advice from Security Leaders for Security Leaders: How to Navigate New Remote-Working Challenges
15 April 2020
As a part of our ongoing efforts to help security professionals around the world manage their new remote workforces, we’ve been holding virtual panel discussions and roundtables with ethical hackers and security and compliance leaders from some of the world’s leading institutions to discuss cybersecurity best practice while working from home. Our panelists and speakers have included David Kennedy, Co-Founder and Chief Hacking Officer at TrustedSec, Jenna Franklin, Managing Counsel, Privacy & Data at Santander, Stacey Champagne, Head of Insider Threat at Blackstone, Ben Sadeghipour, Head of Hacker Education at HackerOne, Chris Turek, CIO at Evercore, Jon Washburn, CISO at Stoel Rives, Peter Keenan, CISO at Lazard, Gil Danieli, Director of Information security at Stroock, and Justin Daniels, General Counsel at Baker Donelson We’ve compiled some of the key takeaways to help IT, privacy, and security professionals and employees stay secure wherever they’re working. 
How to defend against spear phishing (inbound threats) Communicate new threats. Cybercriminals are carrying out opportunistic phishing attacks around COVID-19 and the mass transition from office-to-home. Keep employees in the loop by showing them examples of these threats. But, it’s important to not over-communicate. That means you should ensure there’s one point of contact (or source of truth) who shares updates at a regular, defined time and cadence as opposed to different people sharing updates as and when they happen. Create policies and procedures around authenticating requests. Communicating new threats isn’t enough to stop them. To protect your employees and your data, you should also set up a system for verifying and authorizing requests via a known communication channel. For example, if an employee receives an email requesting an invoice be paid, they should contact the relevant department or individual via phone before making any payments. Enable multi-factor authentication. This easy-to-implement security precaution helps prevent unauthorized individuals from accessing systems and data in the event a password is compromised.   Encourage reporting. Creating and maintaining a positive security culture is one of the best ways to help defend against phishing and spear phishing attacks. If employees make a habit of reporting new threats, security and IT teams have a better chance of remediating them and preventing future threats.  Update security awareness training. Remote-working brings with it a host of new security challenges. From the do’s and don’t of using personal devices to identifying new threat vectors for phishing, employees need to refresh their security know-how now more than ever.
How to defend against data exfiltration (outbound threats) Exercise strict control over your VPN. Whether it’s disabling split tunneling on your  VPN or limiting local admin access, it’s absolutely vital that you minimize lateral movements within your network. This will not only help prevent insider threats from stealing data, but it will also prevent hackers from moving quickly from one device to another.  Block downloads of software and applications. This is one of the easiest ways to minimize the attack vectors within your network. By preventing downloads by individual users, you’ll be able to exercise more control over the software and applications your employees use. This way, only vetted tools and solutions will be available for use.  Secure your cloud services. As workforces around the world are suddenly remote, cloud services are more important than ever. But, it’s important to ensure the infrastructure is configured properly in order to reduce risk. We recommend limiting access whenever possible (without impeding productivity) and creating policies around how to safely share documents externally. Create a system for onboarding and offboarding employees. Both negligent and malicious incidents of data exfiltration are on the rise. To prevent new starters or bad leavers from mishandling your data, make sure you create and communicate new policies for onboarding and offboarding employees. In order to be truly effective, this will need to be a joint effort between HR, IT and security teams. Update security awareness training. Again, remote-working brings with it a host of new security challenges. Give your employees the best chance of preventing data loss by updating your security awareness training. Bonus: Check your cybersecurity insurance. Organizations are now especially vulnerable to cyber attacks. While preventative measures like the above should be in place, if you have cybersecurity insurance, now is the time to review your policy to ensure you’re covered across both new and pre-existing threat vectors.  Our panelist cited two key points to review: If you are allowing employees to use personal devices for anything work-related, check whether personal devices are included in your insurance policy. Verify whether or not your policy places a cap on scams and social engineering attacks and scrutinize the language around both terms. In some instances, there may be different caps placed on these different types of attacks which means your policy may not be as comprehensive as you might have thought. For example, under your policy, what would a phishing attack fall under? 
How to stay compliant Share updated policies and detailed guides with employees. While employees may know and understand security policies in the context of an office environment, they may not understand how to apply them in the context of their homes. In order to prevent data loss (and fines), ensure your employees know exactly how to handle sensitive information. This could mean wearing a headset while on calls with clients or customers, avoiding any handwritten notes, and – in general – storing information electronically. Update security awareness training. As we’ve mentioned, organizations around the world have seen a spike in inbound attacks like phishing. And, when you consider that 91% of data breaches start with a phishing attack, you can begin to understand why it’s absolutely essential that employees in every department know how to catch a phish and are especially cautious and vigilant when responding to emails. Conduct a Data Protection Impact Assessment (DPIA). As employees have moved out of offices and into their homes, businesses need to ensure personal data about employees and customers is protected while the employees are accessing it and while it’s in transit, wherever that may be. That means compliance teams need to consider localized regulations and compliance standards and IT and security teams have to take necessary steps to secure devices with software, restricted access, and physical security. Note: personal devices will also have to be safeguarded if employees are using those devices to access work.  Remember that health data requires special care. In light of COVID-19, a lot of organizations are monitoring employee health. But, it’s important to remember that health data is a special category under GDPR and requires special care both in terms of obtaining consent and how it’s processed and stored.  This is the case unless one of the exceptions apply. For example, processing is necessary for health and safety obligations under employment law. Likewise, processing is necessary for reasons of public interest in the area of public health. An important step here is to update employee privacy notices so that they know what information you’re collecting and how you’re using it, which meets the transparency requirement under GDPR.   Revise your Business Continuity Plan (BCP). For many organizations, recent events will have been the ultimate stress test for BCPs. With that said, though, these plans should continually be reviewed. For the best outcome, IT, security, legal, and compliance teams should work cross-functionally. Beyond that, you should stay in touch with suppliers to ensure service can be maintained, consistently review the risk profile of those suppliers, and scrutinize your own plans, bearing in mind redundancies and furloughs.  Stay up-to-date with regulatory authorities. Some regulators responsible for upholding data privacy have been releasing guidance around their attitude and approach to organizations meeting their regulatory obligations during this public health emergency.  In some cases, fines may be reduced, there may be fewer investigations, they may stand down new audits, and – while they cannot alter statutory deadlines – there is an acknowledgment that there may be some delays in fulfilling certain requests such as Data Subject Access Requests (DSARs). The UK privacy regulator, the ICO, has said they will continue acting proportionately, taking into account the challenges organizations face at this time. But, regulators won’t accept excuses and they will take strong action against those who take advantage of the pandemic; this crisis should not be used as an artificial reason for not investing in security.  
Looking for more advice around remote-working and the new world of work? We’ve created a hub with curated content around remote working security which we’ll be updating regularly with more helpful guides and tips.
Spear Phishing
How to Spot and Avoid 2020 Census Scams
By Maddie Rosenthal
07 April 2020
In case you missed it, Tessian recently published a blog around the most common types of Tax Day scams in both the US and the UK.  Unfortunately, though, these aren’t the only opportunistic phishing attacks bad actors are carrying out this time of the year. They’re also launching Census scams.  As they do in Tax Day scams, cybercriminals will be impersonating government agencies. In this case, you’ll find they’re generally impersonating either the U.S. Census Bureau or an agent, or a third-party agency working for the U.S. Census Bureau. What do Census scams look like? Hackers have a range of threat vectors they can use to carry malware or gain access to sensitive information. In the past, we’ve seen attacks via email, phone, social media, job boards, and even traditional mail.  The common thread between all of these attacks is the request for sensitive personal information like home addresses, social security numbers, ethnicity and information related to the members of your household. This information could be used to make you a victim of identity theft. It’s important to remember that attacks may not ask directly for this information and may instead direct you to another webpage or portal via a link or QR code.  In this post, though, we’ll focus on email scams.  Example: Email Survey Scam
What’s wrong with this email? The US Census Bureau conducts surveys online, over the phone, via mail, or in-person, not via email.  While the Display Name looks authentic, the full email address is suspicious and inconsistent and doesn’t match the legitimate domain, which is @census.gov. Upon hovering over the link, you’ll see the URL is suspicious. Not only is the website connection not secure (remember: https indicates a secure connection), but the format and website name are both unusual.  Who will be targeted by Census scams?  Because it’s mandatory for all households to participate in the census, every US resident over 18 years of age is at risk of being targeted. That means that over the next several weeks, everyone in every state needs to exercise caution when responding to a request for personal information that appears to be coming from the U.S. Census Bureau or an affiliated individual or organization.   What do I do if I’m targeted by a phishing attack?  While it’s true that attackers use different tactics and capitalize on different moments in time to trick their targets, individuals should always follow the same guidelines if they think they’ve received a fraudulent request for information, whether by mail, email, SMS, or another online forum.  If anything seems unusual, do not follow or click links or download attachments.  The best way to avoid falling victim to one of these scams – whether over email, online, or over the phone – is to simply not provide any personal information until you verify with 100% certainty that you’re communicating with a genuine agency, organization, or agent. Visit the organization’s website via Google or your preferred search engine, find a support number, and ask them to confirm the request for information is valid. If you’ve been targeted, report the attack to the Census Bureau. Call 1-800-354-7271, in English, or 1-800-833-5625, in Spanish. More resources The best way to stay safe is to stay informed.  The Census Bureau has issued its own advice on how to stay safe from phishing scams online and over the phone. Read their tips here. 
Spear Phishing
Everything You Need to Know About Tax Day Scams 2020
By Maddie Rosenthal
07 April 2020
While the world’s workforce has been adjusting to remote-working over the last several weeks and has, at the same time, become aware of opportunistic phishing attacks around COVID-19, attackers have been plotting their next attack: Tax Day Scams. These phishing attacks can take many different forms and target both US and UK residents. In the US, these attacks will use the deadline to file your income tax returns as bait. In the UK, these attacks will use your potential tax refund as bait.  But we’re here to help.  Here’s what you need to look out for and what to do in case you’re targeted by Tax Day scams. 
 What do Tax Day scams look like? As is the case with other phishing and spear phishing attacks, hackers will be impersonating trusted brands and authorities and will be – in some way – motivating you to act. Let’s take a closer look at how they do both through a series of examples. Example 1: IRS Impersonation 
What’s wrong with this email? The IRS has said they never contact taxpayers by email, so any correspondence “from” them is illegitimate. There is an extra “r” in “internal” in the sender’s email address Email addresses from government agencies will contain the toplevel domain “.gov”. There are spelling errors and inconsistencies in the text that you wouldn’t expect from a government agency. Example 2: Tax-Preparation Software Impersonation
What’s wrong with this email? While the sender’s email address does contain Fast Tax, the company name, the toplevel domain name (.as) is unusual. The sender is motivating the target to follow the embedded link by claiming their tax return is incomplete. Upon hovering over the link, you’ll see the URL is suspicious. Please note, though: A suspicious URL can still take you to a landing page that appears legitimate. Example 3: HMRC Impersonation
What’s wrong with this email? While the Display Name, email template, logos, and language used in the email seem consistent with HMRC, the sender’s email address contains the toplevel domain “.net” instead of “.gov.uk” Upon hovering over the link, you’ll see the URL is suspicious.  Example 4: Client Impersonation
What’s wrong with this email? Unfortunately, in this case, there are no obvious giveaways that this is a phishing scam. However, if Joe, the tax accountant in this scenario, knew he hadn’t met or interacted with a woman named Karen Belmont, that could be a warning sign. Individuals and organizations should always be wary of attachments and should have anti-malware and/or virus protection in place. Example 5: CEO Impersonation
What’s wrong with this email? The root domain (supplier-xyz) in the sender’s email address is inconsistent with the toplevel domain (.com) in the recipient’s email address. The attacker is  impersonating the CEO in hopes that the target will be less likely to question the request.  The attacker is using urgency both in the subject line and the email copy to motivate the target to act quickly. Because this is a zero-payload attack (an attack that doesn’t rely on a link or attachment to carry malware), anti-malware or anti-virus software wouldn’t detect the scam. Who will be targeted by Tax Day scams?  From the examples above, you can see that cybercriminals will target a range of people with their Tax Day scams. Taxpayers, tax professionals, and businesses are all susceptible and savvy hackers will use different tactics for each.  Here’s what you should look out for. Taxpayers Attackers will be impersonating trusted government agencies like HMRC and IRS and third-parties like tax professionals and tax software vendors. Attackers will use coercive language and the threat of missed deadlines or promises of refunds to motivate their targets to act. Many phishing emails contain a payload; this could be in the form of a malicious link or attachment.  For more information on payloads, read this comprehensive guide to phishing scams. Tax Professionals Attackers will be impersonating either existing clients/customers or prospects. In either case, they’ll be pretending to need help with their tax return or tax refund. Attackers will use the lure of new business or the threat of losing a customer to motivate their targets to act. Many phishing emails contain a payload; this could be in the form of a malicious link or attachment.  Businesses Attackers will be impersonating CEOs, HR representatives, Finance Directors, or other individuals or agencies who need access to sensitive tax information. Attackers are strategic in their impersonations of people in positions of power; people are less likely to question their superiors.  What do I do if I’m targeted by a phishing attack? While it’s true that attackers use different tactics and capitalize on different moments in time to trick their targets, individuals and businesses should always follow the same guidelines if they think they’ve received a phishing email.
If anything seems unusual, do not follow or click links or download attachments.  The best way to avoid falling victim to one of these scams is to simply not provide any personal information until you verify with 100% certainty that you’re communicating with a genuine agency, organization, or agent. Visit the organization’s website via Google or your preferred search engine, find a support number, and ask them to confirm the request for information is valid. If the email appears to come from an individual you know and trust, like a colleague, customer, or client, reach out to the individual directly by phone, text or a separate email thread. If you’re an employee who’s been targeted, contact your line manager and/or IT team. Management should, in turn, warn the larger organization.
More resources As a security start-up, we’re committed to helping you stay safe. If you’re looking for more information on Tax Day scams, consult the following government websites. Advice from the IRS Advice from HMRC
How to protect your organization from phishing attacks year-round As we’ve mentioned, Tax Day scams are just one of the ways bad actors will try to get hold of sensitive information or infect devices with malware. The best way to avoid falling for these scams year-round is to educate your employees and stay vigilant.  If you’re an organization, it only takes one mistake, one time for your most sensitive data to fall into the wrong hands. If you’re an IT or Security professional looking for a solution that’s more effective than awareness training and SEGs at preventing advanced phishing threats, consider Tessian Defender.  Book a demo now to find out how Tessian uses contextual machine learning to detect and prevent advanced spear phishing attacks without impeding on employee’s productivity. 
Spear Phishing
Coronavirus and Cybersecurity: How to Stay Safe From Phishing Attacks
17 March 2020
Hackers love emergencies and times of general uncertainty. Why? Because people are scared, distracted, potentially desperate, and are therefore vulnerable—making them ideal targets. As COVID-19 continues to spread and global concern about the pandemic rises, bad actors will be impersonating trusted institutions like healthcare organizations, insurance companies, banks, and airlines in order to steal money, harvest credentials, or install malware on your computer…and that’s just on the consumer side.  When it comes to business, trusted individuals and brands will be impersonated. For example, hackers will impersonate out-of-office CxOs and popular web conferencing applications, especially as organizations encourage and rely on remote-working. Internally at Tessian, we’ve shared tips with our employees on how to spot this type of scam and what to do in case you’re targeted. We think it’s important to spread the message and raise awareness with everyone.  Consumers: What Should You Look For? Hackers will be impersonating trusted brands. Carefully inspect all emails, but be especially wary of those coming from healthcare organizations, insurance companies, banks, and airlines, especially those that ask you to “Confirm you are safe”, “Confirm you haven’t traveled to recently affected COVID-19 countries”, or anything similar.  Look beyond the Display Name and examine the full email address of every sender. While hackers can directly spoof an email address, they’ll often change, remove, or add one letter to the genuine email address, making the difference difficult to spot. The goal of a phishing attack is to steal money, harvest credentials, or install malware. That means hackers will motivate you to act, either by encouraging you to download an attachment, follow a link, transfer money, or respond with personal details. These are all red flags.   While hackers can certainly craft perfectly believable correspondence, phishing emails may contain spelling errors or branding inconsistencies either in the logo, email template, or a landing page.  Employees: What Should You Look For? Hackers will be impersonating people within your organization and third-parties like suppliers or vendors. You should be cautious when responding to any internal email that mentions the sender being out-of-office and any third-party email that comes from a source you don’t recognize or that requires urgent action. Look beyond the Display Name and examine the full email address of every sender. While hackers can directly spoof an email address, they’ll often change, remove, or add one letter to the genuine email address, making the difference difficult to spot. The goal of a phishing attack is to steal money, harvest credentials, or install malware. That means hackers will motivate you to act, either by encouraging you to download an attachment, follow a link, transfer money, or respond with personal details. These are all red flags.   While hackers can certainly craft perfectly believable correspondence, phishing emails may contain spelling errors, language or requests that are out-of-character, and branding inconsistencies. These red flags are all a bit easier to spot when you have a bit more context. Below are just a few examples of phishing emails that you may see over the next few weeks. The Fraudulent Third-Party
What’s wrong with this email? The sender’s email address contains irregular characters and doesn’t match the Display Name. Organizations should send internal communications to let their employees know they’ve implemented new tools or platforms. You shouldn’t be hearing about it from the third-party first. Upon hovering over the link, you’ll see the URL is suspicious. Please note, though: A suspicious URL can still take you to a landing page that appears legitimate. The Out-Of-Office Boss
What’s wrong with this email? The sender’s email address is from a freemail domain (@yahoo.com) and not from within the organization. The attacker is giving the email a sense of urgency. That attacker is using remote-working as a ploy to encourage the target to do something unusual. The attacker is impersonating a person in power; this is a common tactic in social engineering schemes. The Concerned Counterparty
What’s wrong with this email? The toplevel domain (.net) is unusual and inconsistent with previous emails from this supplier. The attacker is using fear and urgency to motivate the target to act. Upon hovering over the link, you’ll see the URL is suspicious. Please note, though: A suspicious URL can still take you to a landing page that appears legitimate. The “Helpful” Government Organization
What’s wrong with this email? All valid email correspondence from WHO will come from @who.int, not any other variation. The attacker is using the fear of COVID-19 to motivate the target to download the malicious attachment. Like many other organizations, WHO has stipulated they will never send unsolicited emails containing attachments. The Proactive Health Insurance Provider
What’s wrong with this SMS? The attacker is using fear to motivate the target to act. Because no health insurance provider is mentioned by name, you can assume this text has been sent to a large pool of targets. Legitimate organizations will never ask you to update your payment details via text. The text message contains a shortened link; the target can’t see the URL of the website they’re being led to. Of course, knowing what these opportunistic phishing emails look like is just the first step. Actually knowing what to do if you’re targetted is what’s really important. What to Do If You’re Targeted  If anything seems unusual, do not follow or click links or download attachments. Instead, visit the brand’s website via Google or your preferred search engine, find a support number, and ask them to confirm whether the communication is valid. If the email appears to come from someone you know and trust, like a colleague, reach out to the individual directly by phone, Slack, or a separate email thread. Rest assured, it’s better to confirm and proceed confidently than the alternative.  If you’re an employee who’s been targeted, contact your line manager and/or IT team. We’ve all heard the phrase “prevention is better than cure” and phishing attacks are no exception. While knowing what to do if and when you’re targetted is incredibly valuable, it’s also important that both individuals and organizations know how to avoid being impersonated in the first place.  How to Avoid Being Impersonated For those of you who are working remotely or are otherwise Out of Office, don’t include any personally identifiable information (PII) in your automated emails or on social media. For example, don’t provide your personal mobile number or email address. Don’t tell people to email a colleague in your absence; this information helps bad actors map connections and relationships within an organization, which can be used to make future phishing emails seem more convincing. Hackers can use this to their advantage to target your colleagues. Organizations should implement SPF, DKIM, and DMARC to help prevent hackers from directly spoofing their domain.   Both brands and senior leadership should advise customers and employees what they will and will not ask for via email, phone, or text. People will then have a better sense of what requests are out of the ordinary and therefore suspicious.  As we continue sharing best practice tips with our employees to keep them secure while working remotely, we’ll share them with you, too. Check back on our blog for the latest updates.
Human Layer Security Spear Phishing
Hacker’s Advice: 7 Tips for Avoiding Phishing Scams
09 March 2020
The final speaker at Tessian’s first Human Layer Security Summit was Glyn Wintle, the CTO and co-founder of Tradecraft (formerly DXW Cyber), a security consulting agency that uses social engineering tactics, technical work, open intelligence sources, and attacks on physical locations to breach clients’ systems. In other words, he’s an ethical hacker, although he prefers “friendly hacker”.  During his presentation, he explained how hackers combine psychology and technical know-how to create highly targeted and highly effective phishing attacks on people. Based on his insights, we’ve put together 7 tips to help you avoid social engineering schemes like phishing attacks.
1. Don’t Underestimate Hackers or Overestimate Your Ability to Spot a Phish Glyn started his presentation with one clear and concise statement: Breaking in is easier than defending. And, he’s right.  Attacks like phishing emails rely on power in numbers, meaning that only one person has to follow a link, click an attachment, share personal information, or make a bank transfer for the hacker to be successful.  Interestingly, though, employees tend to be incredibly confident in their ability to spot phishing emails; only 3% of people think it’s difficult to spot a phish. The general consensus, especially amongst employees at organizations where security awareness training is required, is that “only idiots fall for scams”.  While that may be the case with the more blatantly obvious scams – for example, an email coming from a Nigerian Prince claiming they’d like to share their fortune with you if you share your bank account details – hackers have an arsenal of techniques to dupe even the most discerning eye. This is especially the case in spear phishing attacks where hackers might spend days or even weeks researching their target to craft a perfectly believable email. With social platforms like LinkedIn, they can easily uncover not just a company’s organizational structure, but more timely information about individuals like when they’re attending a conference. This is powerful ammunition for a spear phishing attack. 2. Look Out for Both Emotive and Enterprising Scams People tend to be familiar with phishing and spear phishing attacks that rely on an emotional response – fear, urgency, stress – often triggered by an email that appears to be sent from a person in power. They work, really well. But enterprising scams are just as powerful.
Glyn cited an example in which a company made a public announcement that it recently received VC funding. Based on the press release, a savvy hacker contacted the Venture Capital firm impersonating the company. The hacker was able to create a convincing email relationship with the Venture Capital firm and this trust enabled the hacker to successfully get the VC to transfer the funds into their account.  People sometimes mistakenly think the solution to this is to hide all information. But often there’s a reason why information was and is made public. Making sure people know what information is public or not can help. 3. Relying on hyper vigilance isn’t enough People – especially in work environments – tend to move and work quickly. Because of that, and despite training, they might not think twice about irregularities in email addresses, URLs, or landing pages in pursuit of being productive. What’s more, expecting people to double check every thing will not work. They will not get any work done. Management must understand that people make mistakes; expecting them to be hyper vigilant at all times cannot be the solution. There are technical measures that can be used to warn someone that something abnormal is happening. Showing users who do have the privileges to do harmful things what real targeted phishing emails look like can help. But you must also find ways to make their lives easier. Telling them “this is really hard” then saying “best of luck”, is not setting them up for success. 4. Don’t take the “secret” bait If nothing else, hackers are inventive. Glyn cited one example where, instead of emailing a target pretending to be someone else, they’ll simply CC individuals into a conversation that genuinely has nothing to do with them. The email message will allude to a secret or piece of sensitive information; potentially with a malicious link to the alleged source or malicious attachment. It seems rudimentary but it works.  More often than not, the target will follow the link or attachment, thinking they’re gaining access to something highly confidential. In reality, they will have installed malware on their computer. 5. Beware of Urgent Requests and Reasonable Requests While a lot of hackers will use urgency to incite action, that’s not the only tactic they employ. In fact, a tried-and-tested technique according to Glyn is to request an action within two working days.  “If you’re impersonating a company and targeting employees, and you say something must be actioned within two working days, you will get much higher hit rates.”
6. Take Extra Caution on Your Mobile While mobile phones have no doubt made it easier for us to stay connected, they’ve also made it even easier for hackers to pull off successful phishing attacks given the smaller screens and differences in functionality, especially after hours. “I love mobiles. But if you’re targeting someone on mobile, the rules change. You probably want to do it on a Friday night, when alcohol might be involved, especially because the smaller web browser makes it hard to see who the sender is or tell what exactly the URL is.” But, it’s not smaller browsers that make mobiles risky. Smishing and vishing are also on the rise, meaning email isn’t the only threat vector to be weary of. 7. Implement a Security Solution While there are certainly steps individuals can take to prevent themselves from falling victim to a phishing scam, if organizations really want to protect their people, they have to implement security solutions.
#HumanLayerSecuritySummit20
Human Layer Security Spear Phishing
Tim Sadler on Hacking Humans Podcast: Episode 87 “The Art of Cheating”
28 February 2020
Tessian’s CEO and co-founder Tim Sadler joined Dave Bittner from the CyberWire and Joe Carrigan from the Johns Hopkins University Information Security Institute to talk about why email is so risky and inboxes remain dangerous territory. Listen to Hacking Humans Episode 87 “The Art Of Cheating.” Dave Bittner: Joe, I recently had the pleasure of speaking with Tim Sadler. He is from a company called Tessian. And we discuss the human element of cybersecurity, along with some details on some phishing schemes. Here’s my conversation with Tim Sadler. Tim Sadler: I think, for a long time, when we’ve spoken about securing people, we’ve always defaulted to training and awareness rather than thinking about how we can use technology to take the burden of security away from people. So I think there’s a challenge at the moment in that humans are unpredictable. They break the rules. They make mistakes. And they’re easily tricked. And that’s what’s leading to so many data breaches today that are ultimately caused by people and human error. Dave Bittner: And so the bad guys, knowing this, have adjusted their tactics. Tim Sadler: I think that’s right. I mean, if you think about email for an organization, it is an open gateway. So it is one of the only pieces of infrastructure an organization has where anybody can send anything into an organization without pre-approval. And I think that’s one of the reasons why we’re seeing such a high level of threat around phishing, spear-phishing, business email compromise, those kinds of attacks. It is the – really, the entry point for every attacker that wants to get into an organization today, and it’s so effortless to execute one of these scams. Dave Bittner: So what kind of things are you tracking? What are some of the specific campaigns that are popular these days? Tim Sadler: So I think, you know, we see everything from the well-known trends like the fact that, you know, it’s tax season and the W-9 form scam – so attackers putting malicious attachments in emails trying to get people to open them because, you know, it’s tax season, and that’s something that everybody is watching out for. And then some of the more interesting things that we’re seeing specifically are around attackers scraping LinkedIn data to automate attacks based on people moving jobs. So a new joiner to an organization will – you know, is – may have a higher propensity to be duped by a phishing scam. They won’t know the protocol that an organization has in place. So we’re seeing a lot of attacks that come through when people are new to an organization. It’s maybe in their first or second week, and then they’ll receive a spear-phishing email pretending to be the CFO or pretending to be the CEO, trying to dupe them into doing something and, again, use those techniques of deception and urgency on emails. Dave Bittner: Now, what about some of the more targeted campaigns – you know, things like spear-phishing, even – you hear it referred to sometimes as whaling, where they’re targeting high-level people within organizations?
Tim Sadler: And actually, you can – for attackers, it is fairly scalable to do this. You can build a LinkedIn scraper. You can be pulling names. And you can be automating the purchase of domains that look like legitimate domains but, in fact, aren’t. And then you can automate the sending of those emails into organizations. And, you know, the rewards from doing this kind of thing can be enormous for attackers. So I read about that charity in the U.K. this morning who fell victim to a spear-phishing scam where they lost almost a million dollars over three transactions. So it is a huge, huge payoff for these attackers when they actually – you know, they get their target to do the thing they want them to. Dave Bittner: What are your recommendations for organizations to best protect themselves? Tim Sadler:  So I think, you know, it does start with awareness. You have to make sure that employees are aware that their inbox is dangerous. And they need to pause, if only for five seconds, just with every email they get and do some basic checks. So check, who is this email from? Does the domain look legitimate? Tim Sadler: But really, what is extremely difficult is, for most organizations today, their entire security strategy is reliant on their employees doing the right thing 100% of the time. So if you are only relying on security training and awareness, there are going to be things that creep through. There are going to be attacks that are successful. And in the same way that organizations use advanced technology to secure their networks and secure their devices, we believe that organizations today need to be using advanced technology to secure their people. Dave Bittner: Well, how does that technology play out? What sort of things are you describing here? Tim Sadler: In order to secure people – so again, we come back to this point that people are unpredictable. They break the rules. They make mistakes, and they’re easily hacked. A system needs to understand the normal patterns of behavior that a person exhibits on email in order to understand what looks like a security threat and what looks like a normal email. So what organizations can do is they can use a platform – like Tessian, for example – that uses machine learning to analyze historical email patterns and behaviors to understand, on every incoming email, does this email look legitimate or not? And that’s something that we’ve pioneered and we use and is much more effective than some of the traditional approaches, which use rules or policies to control the flow of inbound email. Dave Bittner: You know, it reminds me of a story that a colleague of mine shared with some friends who work for a nonprofit. And they got an email from the chief financial officer, who had just gone on vacation, and it said, I know; I realize I’m out of town, but I need you all to transfer this large sum of money, and I need it done immediately; you know, please don’t let me down. And to a person, they all said, this is the last thing in the world this person would ever say or do. And that tipped them off to the problem. It sounds like – I mean, that’s a similar thing to how you’re coming at this from a technological point of view or looking – making sure that the behavior isn’t anomalous. Tim Sadler: Yeah, that’s exactly right. We use machine learning in the way that it’s been applied to other fields – for example, credit card fraud detection. You look at their normal spending patterns and behaviors on card transactions, and then you use that intelligence to then spot the fraudulent transactions. And that’s what we’re doing. We’re looking at normal email behavior in order to spot the fraudulent email behavior. And in the same way that you would try and train a person to look out for the unusual aspects of an email that may give a clue as to whether it’s a phishing email or not, you can train a machine-learning algorithm to do the same. Tim Sadler: Now, the difference and the advantage to doing this is that a machine-learning algorithm can traverse millions and millions and millions of data points in a split second, whereas a human is only going to have a limited number of data points that they can remember or they can go back to in their mind. Dave Bittner: Where do you suppose we’re headed with this? As you look towards the future and this problem with email continues to be an issue, do you suppose the types of things that you’re offering here are going to become just a standard part of doing business? Tim Sadler: I think it’s critical that organizations today realize that their security strategy cannot be reliant on training people to do the right thing 100% of the time. And again, it comes back to – at the beginning of my career, I was working for one of the world’s largest banks and saw a massive problem, and that is that banks spend millions of dollars on securing their networks and devices using advanced technology, but they completely neglect the security of their people. So instead, they’re relying on training them to do the right thing 100% of the time. And that, obviously, doesn’t work. Tim Sadler: I saw people who would send highly sensitive information to completely the wrong person. They would email documents to their personal email account, or they would fall for phishing scams. So we thought this was a huge problem that needed solving, and that’s why we built the product that we’re building today – because we believe that in the same way you have a firewall for your network and you have an EDR platform for your devices, we believe you need a human-layer security platform to protect your people. Dave Bittner: All right. Interesting stuff. Joe? Joe Carrigan: Yeah. A couple things stick out to me. One, your inbox is dangerous, and Tim does a really good job of describing why that is. He calls it an open gateway because anyone – literally anyone – can use your inbox.
Spear Phishing
How to Prevent and Avoid Falling for Email Spoofing Attacks
By Maddie Rosenthal
25 February 2020
Email spoofing – also known as a domain spoof or direct spoof –  is a type of phishing attack in which an attacker sends an email that appears to be from a legitimate source. These emails are sent with the intention of tricking the target into following a link, downloading an attachment, or performing some other kind of action that will result in the attacker capturing login details or other sensitive information like their banking or credit card information. While some spoofed emails may be flagged by inbound security solutions, they’re often mistaken for legitimate emails, which can lead to serious consequences for both individuals and businesses. This blog explores how and why email spoofing works, how to identify spoofed emails, and what you can do to protect yourself and your organization from such attacks. What does a spoofed email look like? While email impersonation attacks often rely on imperceptible misspellings, spoofed emails appear to be sent from the real domain, look genuine to most users, and can bypass spam filters and security tools.  For example, a bad actor might craft an email that appears to be “from” a well-known courier service, which for the purposes of this example doesn’t have DMARC set-up. The email will claim there was a problem with your delivery and that you must follow a link to log in and confirm your details. Savvy people may look for Display Name impersonations, but, because it’s a domain spoof, they won’t notice any inconsistencies. 
And, if such an email is sent to many thousands of users (which is one of the techniques hackers use when sending phishing emails) this increases the chance that at least one recipient will be expecting a delivery from the spoofed courier, and, because of that, the target may do what the email instructs.  Incidents of email spoofing  Email spoofing is on the rise.  The FBI’s 2019 Internet Crime Report states that the agency received complaints of spoofing attacks from over 25,000 victims last year alone, making it the fifth most popular form of cybercrime. The total loss reported from these victims was over $300,000,000. How does email spoofing work? Email spoofing attacks can be successful simply because people assume that the information in email headers – specifically about where the email comes from – is trustworthy. The reality is that the original protocols that still underpin email, such as the Simple Mail Transfer Protocol (SMTP), were never designed to authenticate the sender information.  In other words, there is no inherent way to confirm that an email comes from the email address specified in the Sender parameter in the email header. When an email is sent, the initial connection to the receiving mail server contains two parameters, MAIL FROM and RCPT TO, which specify the address the email is sent from and to, respectively. These parameters are commonly known as the “envelope” of the email. However, there are no default checks on the MAIL FROM parameter to ensure that the connecting mail server is authorized to send emails on behalf of that domain. Therefore, if the RCPT TO parameter is correct, the receiving server indicates it will accept the email and the sending server proceeds with the rest of the email, including the From, Reply to, and Sender header items, which are similarly not checked by default. Therefore, an attacker with the right tools at their disposal can easily create and send emails as if they were someone else. This is not hard to achieve, and there are many tools available for them to do this. They can also create a legitimate seeming link in the email that, if followed, will take the recipient to a server under the attacker’s control. Spoofed emails from the attacker’s perspective The easiest way to explain how an attack might unfold is to explain it from the attacker’s perspective. Example scenario: An attacker of moderate skill decides to launch a phishing attack on a company. The attack takes the form of an email asking the recipient to read and indicate acceptance of a company security policy update; this will be a document attached to the email. The file itself will contain malicious code, which will give the attacker a foothold on the machine of anyone who opens it. Target: Copper Duck, a finance company. Copper Duck hasn’t configured DMARC, nor does it have other protections in place. Objective: The attacker’s aim is to run malicious code on Copper Duck machines, in an attempt to gain information on the company network that will uncover further vulnerabilities and also capture usernames and passwords. The ultimate goal is to gain access to Copper Duck’s sensitive financial and personal data. Research: The attacker researches Copper Duck, and from publicly available information discovers that it has not registered its domain – @copperduck.com – with DMARC. They also search for Copper Duck email addresses in public repositories so they can copy the header and footer information. Additionally, they’ll look for any other information, such as employee names and job titles on LinkedIn, which could help them target the attack and create a believable email.  Attack preparation: The attacker can obtain phishing kits and code suited to their purpose on the dark web. There are many such kits, and while it only takes moderate skill for an attacker to launch a phishing attack, these make it even easier. They compile a list of email addresses to target, sometimes from addresses discovered in the public domain, or by making informed guesses. For example, if the attacker has a number of addresses in the form [email protected], it’s likely that other employee addresses follow the same format. Once they have the list, the attacker creates the phishing email and the attachment file containing the malicious code. Because Copper Duck has not implemented a method to protect their domain from spoofing, the attacker can easily forge the Sender and other information in the email header. The attack: The emails are sent early in the morning on a weekday, to arrive shortly before employees begin working their way through their inboxes.  Every employee who clicks the link and opens the document will activate the malicious code it contains. It runs on their machine, and sends any sensitive data it can find back to the attacker. Even if not every employee clicks through, there is a good chance that at least one will. One is all it takes for an attacker to gain a foothold in the network. Bonus: The time of day an email is sent is one of many important factors that attackers may consider; there are several instances where an employee’s ability to make the right cybersecurity decision may be impaired. Read the full report here. What if there are protections in place? If Copper Duck used DMARC or a mail application that scanned attachments for malicious code, this would make life more difficult for the attacker, but not impossible. As previously mentioned, they could register a domain almost identical to that of Copper Duck (for example, copper-duck.com or coppperduck.com), and prompt the user to follow a link to a server under their control instead. However, protections like DMARC only stop spoofs of your domain; it won’t protect against all spoofs you might receive (for example, a spoof of one of your suppliers). This means you have to be vigilant both as a consumer and an employee when it comes to protecting yourself from these types of attacks. What can you do to protect yourself from email spoofing attacks? Phishing attacks employing spoofed emails are inevitable. So how can you spot them, what should you do when you’re targeted, and how can a business protect itself against the threat they pose? As a private individual… Watch for emails that try to instill a sense of urgency in the reader. Attackers often rely on inspiring fear or worry to try to get their targets to act in the way they want Try to get into the habit of reading emails thoroughly and exercise caution, especially if they contain a call to action, such as following a link, downloading an attachment, or sharing sensitive information If you have any reason to doubt an email’s legitimacy, such as poor spelling or an unusual tone of voice, check the email address it’s sent from, not just the Sender field or Display Name Also check  any links the email contains for grammatical errors or suspicious URLs Perhaps most importantly, do not open attachments or follow links that prompt you to log in unless you are absolutely sure they are legitimate. In the case of links, you’re better off searching for the organization and following links directly from their website As an employee… In addition to all of the precautions listed above, you should report suspected phishing attacks through the normal channels, such as your system administrators or IT helpdesk If you suspect you have fallen victim to a phishing attack, again, report it as soon as possible. Everyone makes mistakes, and the better phishing attacks can be hard to spot. The quicker you report it, the better the chances are of remediating the situation. For IT and security teams, oversight is essential  As a business… Set up proper DMARC records with a quarantine or reject policy, and use other protections such as SPF to help identify spoofed emails before they arrive in your inboxes  Train your employees to spot phishing emails by sharing information with them, such as this article Actively encourage employees to report the attacks. It is especially important that they feel they can come forward if they’ve fallen victim to one, without fear of blame. This is why creating a positive security culture is paramount. Unfortunately, though, DMARC, training, and a positive security culture simply aren’t enough. Cybersecurity strategies have to account for the fact that DMARC doesn’t stop bad actors from domain lookalike impersonations, training is ineffective long-term, and people won’t do the right thing 100% of the time.  To combat the threat of email spoofing, security teams should also deploy enterprise-level security applications to identify and block phishing attacks, such as Tessian Defender. What is Tessian Defender? Tessian Defender is powered by machine learning (ML). By learning from historical email data, Tessian’s ML algorithms can understand specific user relationships and the context behind each email. This allows Tessian Defender to not only detect, but also prevent a wide range of advanced phishing scams, including email spoofing attacks. To learn more about how tools like Tessian Defender can prevent spear phishing attacks, speak to one of our experts.
Spear Phishing
Phishing vs. Spear Phishing: Differences and Defense Strategies
13 February 2020
On average, 246.5 billion emails are sent and received every single day. Of those, 6.4 billion will be “fake”. People use email to communicate with brands like Netflix and Booking.com to confirm subscriptions or make reservations, and employees communicate on a loop with suppliers, vendors, and colleagues to schedule meetings, make payments and share data. The bottom line: email is an essential part of our daily personal and professional lives. It’s no surprise, then, that email remains the most popular channel for cybercriminals to target victims through email scams like phishing or spear phishing attacks. What is the difference between phishing and spear phishing? There are three key differences between phishing and spear phishing. Phishing attacks are high-volume, most often targeting hundreds or thousands of people while spear phishing attacks are low-volume, meaning only one person or a small group of people are targeted. Phishing attacks are non-personalized while spear phishing attacks are highly personalized. Phishing emails more often employ malicious links or attachments (called “payloads”) to deliver malware or capture sensitive information, while spear phishing emails don’t always carry payloads; these are called “zero-payload attacks”.
What is phishing? Phishing is one of the oldest, most prevalent, and most disruptive cyber attacks in the world. For some perspective, we’ve seen a 250% increase in the frequency of phishing attacks from 2018 to 2019. Likewise, we’ve seen the cost of the average data breach climb to $3.92 million and – you guessed it – phishing attacks are the number one cause of these breaches. Phishing attacks rely largely on impersonation – often of trusted brands – to obtain money or sensitive information from unsuspecting targets or to install malware on their computers. While it may come as a surprise, it’s likely that at some point, most of us have actually been a target, whether via our personal email accounts or business email accounts. These attacks have even evolved past email, with bad actors now using telephone and SMS as entry vectors. This is referred to as smishing. Don’t think it could happen to you? Over the last several years alone, customers of big brands like Amazon, Apple, and Microsoft have all been targeted, impacting millions of people. This is, of course, in addition to the more blatantly obvious scams in which Bill Gates, Donald Trump or a Nigerian Prince offer to share their fortune with you. Surprisingly, many of these scams aren’t particularly sophisticated and require little technical know-how from attackers. Instead of relying on the quality of the scam, phishing attacks target large numbers of people to increase their odds. The logic: more targets equal more opportunity for success.
Looking at the email above, you’ll see that the email appears to be sent from FedEx Customer Service, the greeting is generic and un-personalized, and the content of the message – from the subject line to email body – motivates the user to act. Of course, the link won’t lead to an authentic page. Instead, it will lead users to a look-a-like page. While this page will contain branded elements that resemble the genuine FedEx site, any information inputted will be collected by the scammer, not FedEx. Just like that, a crook can have access to your personal data. It’s important to note, though, that it’s more likely that only someone who was actually expecting a delivery from FedEx will follow the link and enter information like their name, address, or phone number in order to arrange a new delivery time. Attackers know this, hence why an email like this will have been sent to hundreds or even thousands of people. Remember: more targets equal more opportunity for success. But, not all cyber attacks are bulk in nature; spear phishing is highly targeted and extremely difficult to detect.
What is spear phishing? Like phishing attacks, spear phishing attacks rely on impersonation to obtain money or sensitive information or install malware. But, instead of using generic email content and the front of a trusted brand, bad actors will use personalized correspondence to manipulate targets into transferring money, handing over sensitive information, or granting access to an otherwise secure network. Because of the personalized nature of these emails, they are not sent to hundreds of people. Instead, they’re sent to one person or a small, targeted group like a specific department within an organization, oftentimes “from” a source that’s trusted by the target(s) like a supplier, a line manager, or CEO. Whereas a phishing scam simply requires a believable email template, potentially a look-a-like landing page or an infected attachment, a successful spear phishing attack requires more effort. Given the personalized nature of a spear phishing email, a cybercriminal will have to do a bit of due diligence to ensure the email is believable and therefore effective.
Looking at the example above, we can see how a spear phishing email resembles a phishing email. The sender is impersonating someone else, in this case, Tom Adams, a senior employee at Dorling Clayton. Likewise, there’s a clear call to action that motivates the user to act. There are noteworthy differences, though. To start, the email is highly personalized. The target is addressed by name and the sender demonstrates a lot of knowledge related specifically to Laura’s organization and, it would seem, Tom Adams himself, including conferences he’s speaking at and organizations within his supply chain. What’s more, the attacker is leveraging Tom’s senior position within the company to coerce the target to act quickly. If you got an email with an urgent request from a Senior Partner, what would you do? A savvy recipient may notice that the sender domain looks suspicious. But, it’s rare for people to scrutinize sender domains and almost impossible for them to do so on mobile phones – where a lot of us send and receive emails – because the domain is usually hidden, with only the display name visible.
Under pressure to perform, many people would pay the £11,522 into the account requested without asking any questions. Unfortunately, this swift action would be bad news for Dorling Clayton as the money would be delivered to a scammer, not SoBank. This is a classic example of CEO Fraud.
Defense strategies for phishing Because phishing schemes have been around since the mid-90s, there are a handful of solutions for both consumers and businesses that can help decrease the number of fraudulent emails that land in your inbox. These include the following: Spam Filters: Created and installed by Email Service Providers (ESPs) like Gmail, spam filters sort incoming messages based on a programmed set of rules. Emails with known viruses or sent from blacklisted domains will either be automatically redirected from your inbox into a junk folder or won’t be delivered at all. Think of this as your first line of defense. Secure Email Gateways (SEGs): A step above spam filters, SEGs are optimized for better spam detection and have therefore historically been an important part of  business’ security framework, in particular for large-scale bulk email detection. Training: Whether done via regular phishing simulations or cybersecurity awareness sessions, training is invaluable for both individual employees and the larger organization. After all, it is people who are controlling all of our data and networks. Email Authentication: In order to prevent direct impersonation of an organization’s domain, the organization can enforce a DMARC policy. Unfortunately, though, only 51% of Fortune 500 companies have adopted this email-authentication standard. These solutions certainly help mitigate risk, but millions of phishing emails evade detection by filters and gateways and dupe well-trained people everyday. That means individuals must still be vigilant in inspecting emails before downloading an attachment, clicking a link, or otherwise divulging sensitive information. To stay safe on email we recommend that you: Review the email address of senders and look out for impersonations of trusted brands, including display name impersonation and domain impersonation. Always inspect URLs in emails for legitimacy by hovering over links before clicking on them Pay attention to differences – that may be very subtle – in website content if you follow a URL after inspecting it Never divulge personal information if you don’t trust or recognize the sender or if you have any doubts about the legitimacy of the email. Genuine brands generally won’t ask you to share sensitive personal information via email. If you’ve been prompted to, investigate and contact the brand directly, rather than hitting reply Interested in learning a bit more? Click here for more information on how to identify and prevent phishing attacks.
Defense strategies for spear phishing The very nature of spear phishing attacks – low-volume, high-personalization, and often zero-payload – means that they’re even more difficult to spot and prevent than phishing attacks. Unfortunately, though, many businesses are employing the same tools and techniques to protect their employees against these more targeted variants. The problem? Impersonation can be nearly impossible for people and rule-based technology to detect when bad actors put a great deal of effort into researching their target and the people or companies they impersonate. An individual or tool would require an in-depth understanding of the minutiae of human relationships within a particular company and advanced knowledge of common impersonation techniques to detect this type of threat. That’s a tall order. While SEGs might reject or flag emails sent from well-known domain impersonations, they can struggle to detect complex variants or domain spoof. Employees – armed only with some security training at best – are then left as the last line of defense. And, with average click through rates of spear phishing attacks at 10% – this can put a business’ people, data, and systems at risk.
How can machine learning detect impersonation? To manage the problem of sophisticated impersonation, businesses need to invest in machine learning (ML) tools like Tessian Defender. Trained on historical email data, Tessian Defender understands a company’s complex network of relationships and the context behind each email. This way, it’s able to detect a wide range of impersonations, from obvious payload-based attacks to subtle social-engineered ones. By analyzing hundreds of data points – from the language patterns in an email to the domain and IP address contained in the header, among others – Tessian’s explainable ML algorithms successfully prevent spear phishing attacks by flagging anomalous emails to users with clear, educational warnings. A warning will look something like this: Notice what’s been flagged as suspicious about the email: the domain, the reply-to address, and the language. The user is then empowered to make a more informed decision about how to interact with the email, and administrators have oversight into which employees are targeted by these inbound attacks and whether or not they’re heeding the warning. While Tessian Defender can and will help protect employees from spear phishing attacks and help organizations monitor trends in activity, it’s important to understand from the outset whether or not you’re an especially susceptible target.
Who is most likely to be targeted by a spear phishing attack? When you consider the aim of a spear phishing attack – to steal data or money or infect a network with malware – it’s not surprising who the most likely targets are. They’ll tend to be those people with more privileged access to all of the above as well as those most embedded in supply chains. Here are some of the most targeted departments: Finance Human Resources Operations Legal Of course, with so much information available online through a company’s website, press releases, and social media like LinkedIn, cybercriminals can craft an email that could fool anyone, from any department. New joiners tend to be especially vulnerable targets in Business Email Compromise or CEO Fraud because they may be unfamiliar with an organization’s processes and may be particularly keen to impress the colleagues or customers bad agents often impersonate. High-ranking employees, high-risk With that said, though, even the most risk-aware individuals can be duped, depending on when the email is sent, the tone in which it’s delivered, and who the perceived sender is.  For example, whaling scams are targeted specifically at C-level executives because they simultaneously have their attention divided across many parts of the business and have access to significant amounts of sensitive information. That, combined with busy schedules and a tremendous amount of pressure, means that critical mistakes can – and have – happened. In 2018, film company Pathé lost more than €19m after an attacker posed as the company’s CEO and asked another senior executive to wire funds to a fake account.
Ever-evolving threats to hack the human Cybercriminals are using increasingly sophisticated techniques to trick unsuspecting people into handing over sensitive information or granting access to controlled networks, and it’s imperative that organizations stay ahead of the curve. After all, just one successful spear phishing attack can result in the extraction of millions of dollars, devastating data loss, and incalculable reputational damage. Prevent spear phishing attacks in your organization with Tessian Defender To learn more about how organizations across industries are using Tessian Defender to prevent sophisticated, highly-targeted spear phishing attacks, read some of our customer success stories here. For more information about how Tessian can be quickly and easily deployed to Office 365, Exchange, and G-Suite to protect your people, data, and networks all without disrupting workflow or impeding on productivity, request a demo now.
Spear Phishing
How to Identify and Prevent Phishing Attacks
13 February 2020
Imagine you receive an email from FedEx with the subject line: You Missed a Delivery. Because you had, in fact, recently placed an order online and are expecting a delivery, you immediately open the email and follow the link to track your package. Everything about the email looks exactly as you’d expect it to; you recognize the sender as FedEx, the FedEx logo appears in the signature, the email itself is addressed to you, and it seems to contain information related specifically to you and your delivery. But, after following the link, your computer begins to slow and, behind the scenes, malware is consuming large chunks of your computer’s information, including personal data like saved credit card information and contact lists. What happened? You’ve fallen victim to one of the oldest and most prevalent cyber attacks in the book…phishing. What is phishing?
Although the technique was first described in a paper by HP back in 1987, the term “phishing” was actually coined in the mid-90s in a Usenet group for AOL by the well-known hacker Khan C Smith. Shortly thereafter, the term appeared for the first time in the AOHell hacking tool, which was used to generate and send fraudulent spam “from” AOL’s customer service team to users, tricking them into revealing passwords, birthdates, social security numbers, and more. While there are dozens of different “types” of phishing schemes that rely on different methods of obtaining data, the following criterion helps define this type of cyber attack. The sender is impersonating another person or company The content of the correspondence motivates users to act The message isn’t highly personalized and is sent to large amounts of people
Is phishing really a problem? While it’s been over two decades since the first phishing attack and today, most of us are attuned to what less sophisticated impersonations look like – for example, fake Nigerian princes asking targets for bank details in return for a share of their fortune – the threat is evolving and the stakes are higher than ever. Amazon, Apple, Booking.com, PayPal, Target, and Qatar Airways have all made headlines in the last several years because of successful phishing campaigns in which attackers impersonated their brands and targeted their customers. While it’s difficult to quantify the total cost to individuals and the reputational damage inflicted on the spoofed brands, these scams negatively impacted tens of millions of people. The fact is, we’re spending more time online creating and sharing more data than ever before; in fact, employees now spend 40% of their screen time on email, which is why phishing is just as big of a problem for businesses as it is for consumers. While the intent and top-level tactics employed by bad actors can be the same for these two types of targets, the brands impersonated often differ. Why? Because employees tend to trust and interact with different types of brands and be motivated by different types of content. For example, while news of a missed delivery from FedEx might motivate a consumer, an employee is more likely to trust an email from Microsoft and will, therefore, be more motivated to follow a link to a login portal for Office 365. Hence why Microsoft is consistently a favorite amongst phishers.
Phishing tools and techniques Surprisingly, cybercriminals don’t actually need an arsenal of technical skills to create a successful phishing campaign. Phishing kits are readily available on the dark web and contain everything a “bad guy” needs to hook a phish including source code, images, scripts, spamming software, and sometimes, even lists of email addresses to target. In short, these kits make it easy for anyone with a bit of IT knowledge to clone a webpage and host their own look-a-like version. From there, attackers can (and do) effectively harvest data that unsuspecting victims enter into mirror versions of legitimate, branded login pages. Again, Microsoft tends to be a go-to, with 62 phishing kit variants used to target the brand’s users within an observation window of just 262 days. Of course, even without a phishing kit, it’s not terribly difficult to design a convincing email template that instills a sense of trust and confidence in targets to the point that they click a link, send a reply, or complete a form. What’s more, not all phishing schemes rely on look-a-like pages. Some attackers simply need to buy (or create) malware. Impersonation 101 As we’ve mentioned, at the core of every phishing attack is email impersonation. So, how do you successfully impersonate a person or brand? Let’s use the FedEx example and imagine that the only legitimate email address associated with the brand is [email protected] While cybercriminals can actually replicate that exact email address by spoofing the fedex.com domain, it’s risky. To start, many major brands have adopted DMARC email authentication, which could prevent someone from directly spoofing their domain. But, with risk comes reward. Recipients of emails that are sent from spoofed domains have no way of knowing that an email wasn’t actually sent from its apparent sender.
Nonetheless, it’s more common for attackers to use domain variations that in some way resemble the authentic email address. The easiest way is to simply change the display name. Anyone – yes, anyone – can change their display name via their email account settings. That means that someone using an email address that’s in stark contrast to [email protected] can still use the display name FedEx Customer Service.
Likewise, attackers can register domains with the specific purpose of impersonating a legitimate company. There are dozens of phishing domain tactics, which include registering domains with just a one letter difference to the authentic domain and creating convincing sub, top-level or root domains.
Playing the odds Once the email itself has been crafted, it has to be disseminated. Importantly, time is of the essence. Since phishing by definition relies on a large pool of targets, it’s vital that the email is sent to as many unsuspecting victims as possible before the domain and/or servers used by the attacker are blacklisted. Phishing campaigns can be identified by the IP address and domain they’ve been sent from, which means that once a domain or IP address is known to be associated with malicious emails, email systems will redirect the email to a junk folder or reject it altogether. Let’s consider the odds. Phishing attacks have a 3% click rate. If the email is sent to 100 people, only 3 of them are statistically likely to open a malicious link or a download malicious attachment. If the email is sent to 1,000 people, 30 of them might fall for the scam, and so on. More targets equal more opportunity for success. An introduction to payloads Cybercriminals go to great lengths to deceive their targets, almost always with the intent of extracting data or infecting computers. As we’ve mentioned, data can be “extracted” by way of look-a-like sites that rely on the victims themselves willingly (albeit unknowingly) following a link and entering information. But, the data can also be captured over an extended period of time via an attachment that’s downloaded or installed. In the world of cyber attacks, these harmful links and attachments are called malicious payloads. When these malicious payloads take the form of an email attachment, they often fall under the larger umbrella of malware. It’s important to note, though, that not all phishing emails rely on malicious payloads. Zero-payload attacks simply use coercive language to implore the target to reply to or action a request, whether that be handing over an account number for an invoice or sharing credentials to a security tool. These types of attacks – often seen in more sophisticated schemes – are especially disquieting because cybercriminals are able to circumvent and evade legacy tools, payload inspection systems, spam filters and secure firewalls. Needless to say, there’s more than one way for bad actors to get whatever it is they’re after – from money to credentials – and as these payloads become more sophisticated, they’re harder for people and security software solutions to spot. Consequences of a successful phishing attack Today, phishing attacks are the most persistent threat to cybersecurity, with a marked 250% increase in frequency from 2018 to 2019 according to Microsoft’s annual Security Intelligence Report. That means that this year, you’re almost 3x more likely to have a phishing email land in your inbox than you were last year. So, what happens if you’re one of the 3% that falls for a phishing attack? The consequences are virtually limitless, ranging from identity theft to a wiped hard drive. Unfortunately for the average person, the phishing business is becoming more and more profitable for cybercriminals as the price tag for personal information continues to increase. But the consequences for businesses can be even more devastating, especially when you consider that the average cost of a data breach in 2019 was an incredible $3.92 million, a 1.5% increase from 2018. Needless to say, phishing is the number one cause of these types of breaches. In particular, spear phishing, phishing’s more targeted, personalized, and often more damaging counterpart. Phishing vs. spear phishing At face value, phishing and spear phishing seem almost impossibly similar. After all, the intent is identical. But, there are two key differences. While a phishing campaign casts a very wide net and is relatively easy to execute, spear phishing campaigns are targeted at fewer people, and with more personalized correspondence. Spear phishing requires more thought and time to successfully execute. In addition to the tactics that we see employed in phishing, bad actors in these more customized attacks will use information from company websites, social media, news articles, and more to engineer an email that’s believable, even to someone who’s been through extensive security awareness training. Oftentimes, cybercriminals impersonate someone in an authoritative position – for example, the CEO or a line manager – because employees tend to be less likely to question their superiors, are generally keen to help someone in power, and tend to act with a greater sense of urgency.
Zero-payload attacks like the one shown above can be particularly effective because a bad actor is able to build rapport with the victim by posing as a co-worker or superior, sometimes over a series of emails. How can you spot and stop phishing attacks? Unfortunately, innovation in email hasn’t evolved in tandem with the fast-paced digital transformation, which is one reason why reports of phishing attacks have continued to increase year-on-year. 6.4 billion fake emails will be sent today alone. Because this number continues to grow, it’s quite clear that spam filters, antivirus software, and other legacy security solutions aren’t able to keep pace with attacks that are becoming more and more complex by the day. That’s why it’s so important that individuals are scrupulous and inspect attachments and links before they’re downloaded or clicked. In particular, we recommend that you: Review the email address of senders and look out for impersonations of trusted brands Always inspect URLs in emails for legitimacy by hovering over them before clicking Beware of URL redirects and pay attention to subtle differences in website content Genuine brands generally won’t ask you to reply divulging sensitive personal information. If you’ve been prompted to, investigate and contact the brand directly, rather than hitting reply But what about businesses? While staff training, blacklists, URL and attachment inspection systems, and legacy rule-based solutions may be enough to block some phishing attacks, they aren’t always capable of stopping the more sophisticated incarnations. Even Secure Email Gateways (SEGs) – which were designed to stop high-volume spam and keep inboxes safe from malicious emails – can’t always identify more advanced, targeted attacks, in particular zero-day attacks, zero-payload attacks, and spear phishing attacks.
Businesses need to protect their human layer The tactics employed by legacy solutions – namely identifying malicious payloads and flagging blacklisted domains – are simply ineffective against the advanced impersonation tactics used by cybercriminals in spear phishing attacks. When the attacker is pretending to be someone the target trusts, it becomes a human problem, not a filter or software problem. Hence why 86% of data breaches are caused by human error. Businesses, therefore, need an adaptive, highly personalized tool that can help them detect impersonations on email in order to protect their users. That tool is Tessian Defender, and it’s powered by machine learning (ML). By learning from historical email data, Tessian’s ML algorithms can understand specific user relationships and the context behind each email. This allows Tessian Defender to not only detect, but also prevent a wide range of impersonations, spanning more obvious, payload-based attacks to subtle, social-engineered ones. To learn more about how tools like Tessian Defender can prevent spear phishing attacks, speak to one of our experts and request a demo today.  
Data Loss Prevention Human Layer Security Spear Phishing
A Year in Review: 2019 Product Updates
By Harry Wetherald
01 January 2020
2019 was a big year for email security. While the world did see a record number of data breaches (up 33% from 2018) we also saw tighter security-related policies and regulations drafted and implemented, and, in general, an increased awareness amongst businesses about the importance of proactive security strategies. While we may be biased, it seems note-worthy that human error became more and more of a talking point in the cybersecurity space. In fact, human error and the importance of machine learning and artificial intelligence in protecting people has been one of the most talked about trends by analysts going into the new year. Similarly, companies are waking up to the fact that humans are their biggest risk. It’s about time. After all, misdirected emails – emails accidentally sent to the wrong person – have been one of the top data security incidents reported under GDPR according to the Information Commissioner’s Office. We believe it’s unreasonable to expect employees to do the right thing 100% of the time when it comes to making security-related decisions; people break the rules, people make mistakes, and people can be hacked. To err is human! What’s more, we have seen how quickly the threat landscape continues to evolve, which is why throughout 2019, we rolled out a series of important product updates that have kept our user base – which saw triple digit growth over the last 12 months – safe. Here are the most important product updates to Tessian’s Human Layer Security platform for 2019.
1. Human error, quantified. The new Tessian Dashboard gives customers an at-a-glance view of breaches and near-misses on email Keen to discover trends related to the number of breaches that were prevented by Tessian over the last 30 days? Our easy-to-navigate dashboard gives administrators a complete overview of activity, including any malicious and anomalous emails detected, misdirected emails prevented, and unauthorized email attempts thwarted. Module performance for Tessian Defender, Guardian, Enforcer, and Constructor are all visible on one page, and visual representations of data make it easy to monitor and drill down on activity day-by-day. If suspicious activity is spotted, you can quickly and easily generate a report without navigating off the page. The Tessian Dashboard also allows administrators to view user health at a glance, including the percentage of users active on the Add-in and Gateway and any connection issues across the network. This will help in-house security teams ensure every employee within their organization is protected by Tessian’s modules at all times. 2. Evolving algorithms. Tessian Defender can now detect and prevent more spear phishing attempts than ever Throughout 2019, Tessian Defender was improved through a series of subtle but impactful tweaks to our algorithms to be even more adept at detecting spear phishing attempts, including advanced, difficult-to-detect direct spoof attacks. The fact is, bad actors are using increasingly sophisticated techniques to trick unsuspecting people into handing over sensitive information or granting access to controlled networks. It’s imperative that we stay ahead of the curve, hence the regular updates. Tessian Defender has improved over time – and will continue to improve – enabling the detection and prevention of even the most advanced spear phishing attempts.
3. Thwarted first-attempts. It’s now even more difficult for employees to exfiltrate sensitive data Tessian Enforcer can now detect the first attempt an employee makes to exfiltrate data over email. How? By inferring what is and isn’t likely to be authorized communication based on the vast amount of data Tessian’s ML algorithm was trained on, which doesn’t necessarily rely on prior email history of a particular email address. For example, if an employee attempts to send an email to their personal, freemail account and that email address contains the employee’s first name or surname, Tessian Enforcer presents a warning to the user advising them that the behavior is potentially unsafe and prompting them to reconsider the action. Data exfiltration remains an incredibly unwieldy problem for businesses. Tessian gives businesses much-needed oversight of the problem over email.
4. In-situ learning opportunities. Employees have an opportunity to understand why an email is unsafe with contextual warnings While Tessian prides itself on low flag rates so that security doesn’t impede productivity, we wanted to maximize the opportunity to educate users through our warnings. This way, when users do see a notification, they understand why. Improved warnings across all four modules were designed for a more user-friendly experience that seamlessly reinforces any previous or ongoing security training. With more context included, employees can now see exactly why an email is being flagged as suspicious and – importantly – they can make their own decision on how to proceed. This is at the core of Tessian’s mission. Employees should be empowered by security solutions instead of burdened by them. 5. New detection capabilities. Customers can create rules that are specific to their environment Every business or enterprise is different and IT and Infosec security leaders need some flexibility in creating filter conditions that are applicable specifically to their operations. Because we’ve introduced new detection capabilities, users can now combine more conditions to create filters for their individual use cases; for example, scanning attachment content, identifying hidden fields in spreadsheets, and reading Azure Information Protect and other DLP labels. At the most basic level, these rules look something like this: If A and B, then C, except when D or E. These variables can apply to a number of elements contained in an email, from the recipient(s) to language patterns. One way an administrator might use these new detection capabilities would be to configure a filter which only allows the finance team, for example, to share spreadsheets with people outside of their organization if the recipient’s email address is recognized as a customer, except when the attachment contains a hidden row titled “social security numbers”. Protect your most valuable asset: your people Tessian is committed to creating the world’s first Human Layer Security platform and exciting developments lie ahead as we build out a holistic platform to protect people using email and, eventually, other interfaces frequently used in the workplace. Not yet a Tessian customer? Across four modules, Tessian protects the human layer by detecting and preventing both inbound and outbound threats. This includes advanced spear phishing attacks, accidental data loss, and data exfiltration. Tessian is quickly and easily deployed to Office 365, Exchange, and G-Suite, product updates are seamlessly rolled out for users and administrators, and the technology – which doesn’t disrupt workflow – was built with productivity in mind. To understand how Tessian can fit into your existing security framework, request a demo now.
Page