Spear Phishing
How to Spot Retail Scams (2020)
By Laura Brooks
16 November 2020
Bargain hunters beware. The popular shopping period leading up to the holidays – along with mega online shopping days like Amazon Prime Day, Singles Day, Black Friday and Cyber Monday – are creating the optimal environment for hackers’ phishing attempts.  And with more people staying home and shopping online due to the COVID-19 pandemic, there are even more opportunities for cybercriminals this year. In fact, 51% of UK consumers and 47% of US consumers told us they have done more online shopping in 2020 than in 2019.  Why do hackers prey on targets during peak shopping times? Consumers expect to receive more marketing and advertising emails from retailers during this time, touting their deals, along with updates about their orders and notifications about deliveries. Inboxes are noisier-than-usual and this makes it easier for cybercriminals to ‘hide’ their malicious messages and prey on individuals who are not security savvy.  What’s more, attackers can leverage the ‘too-good-to-be-true’ deals people are expecting to receive, using them as lures to successfully deceive their victims. When the email looks like it has come from a legitimate brand and email address, people are more likely to click on malicious links that lead to fake websites or download harmful attachments.  Impersonating a trusted brand or organization is a tried and tested method that cybercriminals use to successfully hack humans. It’s so effective that 68% of IT decision makers at UK retailers and 53% at US retailers told us, in a report we published last year, that they were worried about their brand being impersonated during the holiday shopping season.  Despite these concerns, though, our researchers this year reveal that 75% of the top 100 retailers in the US are not using Domain-based Message Authentication, Reporting & Conformance (DMARC) records – meaning that an overwhelming number of retailers are potentially at risk of having their brand’s domain impersonated by scammers in phishing emails.  Only 16% of top 100 US retailers were found to have DMARC policies set at the strictest settings.  To learn more about phishing emails – including what they look like and how to prevent them – click here.
How do hackers impersonate brands and people? Without DMARC records in place, or without having DMARC policies set at the strictest settings, hackers can easily impersonate a company’s email domain in phishing campaigns, convincing consumers that they are opening an email from a legitimate sender.  From that phishing email, hackers could lure their targets to a fake website that has been set up to steal account credentials or personal and financial information.  Against the backdrop of holiday shopping deals, it wouldn’t seem out of the ordinary for someone to a ‘too good to be true’ deal that encourages them to click a link to ‘find out more’.  But it’s not just consumers that need to be wary.  Employees, customers, suppliers and vendors of these retailers also need to be aware of the threats that could be present in their inboxes during this time.  By spoofing the domain, a hacker could convincingly impersonate a senior executive asking an employee to share customer information or even pretend to be the CFO of an organization, requesting that the account details for invoicing be changed. Vendor impersonation (also called vendor email compromise)  is a persistent threat that many businesses are facing right now – one that has increased since the shift to remote working. In fact, Tessian research revealed that over a third (34%) of the phishing attacks organizations received between March – July 2020 purportedly came from an external supplier, while 26% supposedly came from a customer.  Hackers prey on the people-heavy nature of the retail industry. Using sophisticated social engineering techniques and clever impersonation tactics, they’re counting on people making a mistake and falling for their scams.  Looking for real-world examples of social engineering attacks? Read this article: 6 Examples of Social Engineering Attacks. How can you protect yourself from phishing scams? Retailers need to do everything they can to protect people from phishing scams.  Configuring email authentication records like DMARC and setting strict policies are both necessary first steps for preventing attackers from directly impersonating the business’s email domain. Education on the threats is incredibly important, too.  So if you suspect that you have received a phishing scam this shopping season, here’s what can do about it:   Always check the sender and verify that it’s a legitimate email address. Scammers will often take advantage of the fact that mobile email only shows a display name, as opposed to the full email address. This means that a bad actor could send a message from an unknown email address, but change the display name to “Amazon” to make it appear legitimate. Visit the retailer’s website and official social media channels to cross-check that the deal in question has been mentioned elsewhere. If you receive an email or text that has an associated action or a sense of urgency or deadline, it’s most likely a scam. Ask yourself, does this request make sense? Check for spelling or grammar mistakes. Legitimate messages from large companies will rarely have errors. Look for the padlock in the URL bar. The padlock symbol means the website you are visiting is secure. If the page you’ve been led to doesn’t have this, then it could be a scam. 
Data Exfiltration DLP Human Layer Security Spear Phishing
October Cybersecurity News Roundup
30 October 2020
October 2020 has been another remarkable month in cybersecurity. And, since COVID-19 sent the world indoors and made us ever-more reliant on the internet, the importance of information security and data protection has never been more apparent. October saw numerous high-profile data breaches, cyberattacks, and online scams — but also brought us one of the biggest GDPR fines yet, an innovative solution to deepfake technology, and even more jostling between the US government and Chinese big tech. Let’s take a look at the biggest cybersecurity headlines of October 2020. Paying Cyberattack Ransoms Could Breach International Sanctions Rules New guidance from the US Treasury has big implications for companies hit by ransomware attacks from certain countries. (Companies affected by ransomware find their files encrypted — replaced by useless strings of seemingly random characters — with cybercriminals promising to return the data if the company pays a ransom.) Paying up might be the least-worst option where a company’s critical data is at stake…ut according to an October 1 US Treasury advisory note, paying cyberattack ransoms could violate legal rules on international sanctions. Businesses suffering a ransomware attack by hackers from a sanctioned country — like Iran, China, or Russia (where many such attacks do originate) — now face the threat of huge fines and legal action if they choose to buy back their files.  The Treasury’s advice reiterates what cybersecurity leaders have been saying for many years: in cybersecurity, prevention is far better than cure. Amazon Prime Day Sees Huge Spike in Phishing Scams With millions of consumers confined to their homes, this year’s Amazon Prime Day was a chance for millions of shoppers to grab a bargain — and an unmissable opportunity for cybercriminals to steal their personal information. October 8 research from Bolster detected over 800 “spoof” Amazon webpages in September (up from 50 in January), as fraudsters ramped up their phishing efforts in anticipation of the two-day Amazon Prime Day event, hosted October 13-14. Some sites looked near-identical to Amazon’s genuine web properties, with perfectly duplicated branding and convincing domain names. Unwary shoppers were asked for details such as their CVV2 code and social security number. See what advice Tessian co-founder and CEO, Tim Sadler, offered consumers in Tech Radar. FBI Warns of Ransomware Attacks Targeting Healthcare Providers On October 29, the FBI and other agencies issued a warning regarding an “increased and imminent cybercrime threat to US hospitals and healthcare providers.” The threats include a new tool named anchor_dns, a backdoor that can reportedly “evade typical network defense products,” and the Ryuk Ransomware. Among other measures, the FBI is advising healthcare providers to create business continuity plans, patch networked systems, and implement multi-factor authentication in preparation for an attack. According to Associated Press, 59 US healthcare systems have been attacked via ransomware so far this year. Looking for more information on why the healthcare industry is especially vulnerable? We talk more about The State of Data Loss Prevention in Healthcare in this article. UK Public Body Unable to Provide Services Follow “Serious Cyberattack” On October 14, Hackney London Borough Council, a UK local government body, announced that it had fallen victim to a “serious cyberattack.”  In an update two days later, the council revealed the extent of the damage. Among other things, the council was unable to accept rent payments, process planning applications, or pay some social security benefits. The council said it was “working hard to restore services, protect data, and investigate the attack,” but that services could remain unavailable for “some time.” UK Data Regulator Issues $26 Million Fine to Airline UK airline British Airways received a £20 million ($26 million) fine on October 17 for “failing to protect the personal and financial details of more than 400,000 of its customers.” The fine relates to a cyberattack suffered by the company in 2018. The Information Commissioner’s Office — the UK’s data protection authority — found that the airline had failed to limit access to data, had not undertaken sufficiently rigorous testing, and should have implemented multi-factor authentication on its employee and third-party accounts. The British Airways fine amounts to the fourth-largest GDPR fine of all time — but the airline actually got off relatively lightly, considering that the fine was initially touted as £183 million ($238 million).  To learn more about compliance standards like the GDPR (including the largest breaches and fines to-date) check out The CEO’s Guide to Data Protection and Compliance. Adobe Launches Content Authenticity Initiative Tool to Fight Deepfakes As video and audio manipulation techniques become more accessible, cybersecurity and intelligence experts have been warning about a potential onslaught of deepfakes that could have an unprecedented impact on security, politics, and society. Not sure what a deepfake is? Read this article. Cybercriminals can use deepfake technology to create video or audio clips of high-profile and trusted individuals. Deepfakes have already been used in phishing attacks and could also be used for blackmail and disinformation campaigns. On October 20, Adobe’s Content Authenticity Initiative announced a new tool that will add “a secure layer of tamper-evident attribution data to photos, including the author’s name, location, and edit history” to help creatives authenticate their content. Once deepfakes are sufficiently convincing, there might be no way to distinguish them from genuine material. Adobe’s project marks a promising first step in this emerging security front. Hackers Discover 55 Vulnerabilities Across Apple’s Systems A group of hackers earned $300,000 via Apple’s bug bounty scheme after identifying 55 vulnerabilities across Apple’s infrastructure. The security issues included vulnerabilities that would have allowed an attacker to “(take) over a victim’s iCloud account,” “fully compromise an industrial control warehouse software used by Apple,” and “access management tools and sensitive resources.” The group said Apple had fully addressed the majority of vulnerabilities reported. Around 3 Million Credit Cards Compromised After Breach at US Restaurant Franchise On Oct 12, details of around 3 million credit cards were posted on the dark web following a huge data breach at US restaurant franchise Dickey’s Barbeque Pit. According to an investigation by Gemini Advisory, 156 of 469 Dickey’s outlets were involved in the breach, with the highest levels of exposure present in California. The details appear to have been stolen between July 2018 and August 2020. Given California’s strict data breach rules, including a private right of action under the California Consumer Privacy Act, Dickey’s could be liable for some eye-watering sums if the breach is found to have resulted from lax cybersecurity practices. Questions about the CCPA? We answer 13 of them in this article: CCPA FAQs: Your Guide to California’s New Privacy Law. Russia Planned to Launch 2020 Olympics Cyberattack The GRU, Russia’s military intelligence agency, “conducted cyber reconnaissance against officials and organizations” involved in the Tokyo 2020 Olympic and Paralympic Games, according to a UK government announcement on October 19. Russian cybercrime groups are alleged to have targeted “organizers, logistics services, and sponsors.” The Games were originally due to tale place this summer but were postponed due to COVID-19.  The UK government also revealed the full extent of Russia’s hacking campaign against the 2018 Winter Games, during which Russian hackers are alleged to have disguised themselves as Chinese and North Korean attackers to target the opening ceremony in Seoul, South Korea. ENISA 2020 Threat Landscape Report Shows Increase in Cyberattacks  The European Union Agency for Cybersecurity (ENISA) released its 2020 Threat Landscape Report on October 20, and cybersecurity leaders (unfortunately) won’t be surprised at its conclusion: cybercrime is on the increase. The report cites “a new norm,” triggered by the COVID-19 pandemic, in which the world is even more dependent on “a secure and reliable cyberspace.” ENISA found that the number of phishing victims “continues to grow,” that Business Email Compromise (BEC) resulted in “the loss of millions of euros,” and that state-sponsored actors are propagating “finely targeted and persistent attacks on high-value data.” If you’re a security leader looking for solutions to these problems, click here to learn more about how Tessian Defender detects advanced impersonation attacks that slip past SEGs, native features, and legacy tools. Researcher Breaches US President’s Twitter Account By Guessing Password Dutch “ethical hacker” Victor Gevers found himself in control of Donald Trump’s Twitter account on October 16 after guessing the US president’s password. Trump’s Twitter account has over 87 million followers and is frequently used to deliver messages of international importance. Gevers said he correctly guessed the password, “maga2020!”, after seven attempts. The incident reveals that the president was using a simple, easy-to-guess password, and that he had multi-factor authentication disabled. Rectifying either of these two basic security errors would have prevented unauthorized access to the account. Overruling of WeChat Ban Denied by California Judge Another month, another development in the long-running battle between the US government and Chinese tech firms. On October 23, California struck a blow to the Trump administration’s efforts to restrict WeChat — a Chinese app used for currency transfers, social networking, and instant messaging. In September, the US Department of Commerce ordered Apple and Google to stop distributing WeChat via their app stores, citing security issues. The order was blocked in California following a legal challenge by WeChat. The US Justice Department brought further evidence and asked the court to reverse its WeChat ruling. The court declined to change its decision, meaning that the Commerce Department’s banning order will remain unenforced in California — despite the federal government’s allegations regarding WeChat’s security issues.  Finnish Therapy Center Hacked, Exposing Patient Data One of the most shocking data breaches of 2020 was brought to light on October 24, when Finnish psychotherapy center Vastaamo revealed a hack that compromised hundreds of patient records. The highly sensitive nature of the breach means that it is being taken extremely seriously. Finland’s interior minister summoned a cabinet meeting to determine how best to respond to the breach, promising “speedy crisis help” to the affected individuals. The hackers are demanding a ransom in exchange for the return of the files, which were reportedly accessed between November 2018 and March 2019. The ransomware attack further suggests that businesses worldwide lack proper cybersecurity infrastructure — even when handling highly sensitive and valuable data. That’s all for this month. If we missed anything, please email [email protected] and stay tuned for the next roundup. Don’t forget: You can easily share this on social media via the buttons at the top right of this post. 
Customer Stories Data Exfiltration DLP Human Layer Security Spear Phishing
How Tessian Is Preventing Breaches and Influencing Safer Behavior in Healthcare
By Maddie Rosenthal
28 October 2020
Company: Cordaan Industry: Healthcare Seats: 6,300 Solutions: Guardian, Enforcer, Defender  About Cordaan Cordaan – one of the largest healthcare providers in Amsterdam – provides care to over 20,000 people from 120 locations across Amsterdam. They do this with the help of 6,000 employees and more than 2,500 volunteers. Cordaan also works in association with research institutes and social organizations.  To help protect the organization’s people, sensitive data, and networks, Cordaan has deployed Tessian Guardian, Enforcer, and Defender to protect over 6,300 employees on email.  Tessian solves three key problems for Cordaan, which we explore in detail in the video below. Keep reading for a summary of the discussion. Problem: Healthcare employees are especially vulnerable to inbound attacks  When it comes to inbound attacks like spear phishing and business email compromise, the healthcare industry is among the most targeted. It also has the highest costs associated with data breaches. Why? According to Cas de Bie, the Dutch healthcare provider’s Chief Information Officer, it’s not just because organizations operating in this industry handle highly sensitive data. It also has a lot to do with the very nature of the work: helping people. 
Combine this empathetic approach with the stress of a global pandemic, and you’re left with an incredibly vulnerable workforce. With Tessian, Cas is now confident Tessian will identify spear phishing emails before his employees respond to them and that employees’ workflow won’t be disrupted in the process.  When talking about inbound attacks, Cas said “It’s all about awareness. While people probably do know what they’re supposed to do when it comes to email security, it’s different in real life. It’s hard to decide in the moment. Of course, they don’t do it on purpose. They want to make the right decision. Tessian helps them do that.” Problem: Reactive and rule-based solutions weren’t preventing human error on email in the short or long-term To ensure GDPR-compliance, Cordaan prioritized investment in privacy and security solutions. But, according to Cas, “standard” email security, spam filtering solutions, and encryption alone just weren’t enough. They weren’t keeping malicious emails out of inboxes, and they weren’t preventing data loss from insiders. They also weren’t doing anything to improve employee security reflexes in the long-term. 
So, to level-up Cordaan’s email security, Cas was looking for a solution that was: Technologically advanced User-friendly Proactive With Tessian, he found all three. Powered by contextual machine learning and artificial intelligence, our solutions can detect and prevent threats and risky behavior before they become incidents or breaches. How? With the in-the-moment warnings – triggered by anomalous email activity – that look something like this.
These warnings help nudge well-intentioned employees towards safer behavior and ensure data stays within Cordaan’s perimeter. And, because Tessian works silently in the background and analyzes inbound and outbound emails in milliseconds, it’s invisible to employees until they see a warning.   This was incredibly important to Cas, who said that “The added value of Tessian is that it influences behavior. That really resonated with the board and helped me make a strong business case. While I can’t show how cybersecurity creates revenue, I can show – via a risk management calculation – the potential fines we could avoid because of our investment in Tessian”.  Problem: Cordaan’s security team had limited visibility into – and control over – data loss incidents on email  While Cordaan had invested in other email security solutions, Cas and his team still lacked visibility into the frequency of data loss incidents on email. But, after deploying Tessian for a Proof of Value, the scope of the problem became crystal clear.
The reality is that employees do actually send unauthorized and misdirected emails more frequently than expected. (We explore this in detail in our report, The State of Data Loss Prevention 2020.) But, the good news is that this behavior can be influenced and corrected—all without access restrictions that make it harder (or impossible) for employees to do their jobs.  Cas explained it well, saying that “Of course there are things that we have to police and prohibit. But, most of the time, people aren’t doing things maliciously. So it’s nice that – with Tessian – we can take a more nuanced approach. We can influence behavior and help our employees do the right thing.” Learn more about how Tessian prevents human error on email Powered by machine learning, Tessian’s Human Layer Security technology understands human behavior and relationships. Tessian Guardian automatically detects and prevents misdirected emails Tessian Enforcer automatically detects and prevents data exfiltration attempts Tessian Defender automatically detects and prevents spear phishing attacks Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of an organization’s email network. That means it gets smarter over time to keep you protected, wherever and however your work. Interested in learning more about how Tessian can help prevent email mistakes in your organization? You can read some of our customer stories here or book a demo.
Data Exfiltration DLP Human Layer Security Spear Phishing
Tessian Included as a Cloud Email Security Supplement Solution in Gartner’s 2020 Market Guide for Email Security
By Maddie Rosenthal
27 October 2020
Gartner recently released its Market Guide for Email Security and Tessian is thrilled to have been included as a representative vendor for Cloud Email Security Supplement Solutions. So, what does that mean? According to the report, representative vendors offer “email security capabilities in ways that are unique, innovative, and/or demonstrate forward-looking product strategies.”  How has the threat landscape changed? According to Gartner’s guide, there are a number of factors related to the market’s direction that security leaders need to consider, including the ways in which hackers are targeting organizations and how (and where) we work. Keep reading to learn more. Email is the #1 threat vector
As noted in the report, “According to the 2020 Verizon Data Breach report, 22% of breaches involved social engineering, and 96% of those breaches came through email. In the same report, another 22% of breaches were a result of “human failure” errors, where sensitive data was accidentally sent to the wrong recipient.” “Business email compromise (BEC), the takeover or fraudulent use of a legitimate account to divert funds, continues to grow, and simple payroll diversion scams accounted for  $8 million in 2019.” The bottom line: Whether it’s protecting against inbound threats like ransomware attacks, business email compromise (BEC), or account takeover (ATO) or outbound threats like accidental and malicious data exfiltration, security leaders need to prioritize email security and reevaluate the effectiveness of current solutions. This is especially pertinent as many organizations have moved to the cloud.    Increased cloud office adoption According to Gartner, “Enterprise adoption of cloud office systems, for which cloud email is a key capability, is continuing to grow, with 71% of companies using cloud or hybrid cloud email.” We can expect these numbers to rise, especially given the sudden shift to remote working set-ups in response to COVID-19 and the steep and steady rise in the use of mobile devices for work. But, there’s a problem. Despite G Suite and O365’s basic security controls as well as anti-spam, anti-phishing, and anti-malware services; advanced attachment; and URL-based threat defenses, “email threats have become sophisticated to evade detection by common email security technologies, particularly those that rely only on standard antivirus and reputation.”
What capabilities set vendors apart?  So, what capabilities set vendors apart? In other words what capabilities should security leaders be looking for? Gartner recommends that security leaders “invest in anti-phishing technology that can accurately detect BEC and account takeover attacks. In particular, seek solutions that use AI to create a baseline for communication patterns and conversation style and detect anomalies in these patterns. For account take over attacks, seek solutions that use computer vision when reviewing suspect URLs. Adjacent technologies such as multifactor authentication are used to protect against account takeover attacks.”.   Gartner also says “the following capabilities can be used as primary differentiators and selection criteria for email”. These include the ability to: “Protect against attachment-based threats” “Protect against URL-based advanced threats”  “Protect Against Impersonation and Social Engineering Tactics Used in URL-Based, Attachment-Based and Payloadless Advanced Threats” And, to help security leaders narrow down their search, Gartner identified specific categories of vendors that provide some of the above email capabilities. Tessian is recognized as a representative vendor for CESSs.  Keep reading to learn more about our products and technology.  Why Tessian?  Tessian Human Layer Security offers both inbound and outbound protection on email and satisfies criteria outlined in the report, including display name spoof detection, lookalike domain detection, anomaly detection, data protection, post delivery protection, and offers these protection for both web and mobile devices. Here’s how. Powered by machine learning, our Human Layer Security platform understands normal email behavior by analyzing content, context, and communication patterns from historical email data to establish trusted relationship graphs. Tessian can then detect anomalies in real-time using those employee relationship graphs alongside deep content analysis, natural language processing, and behavioral analysis. Tessian Guardian automatically detects and prevents accidental data loss from misdirected emails Tessian Enforcer automatically detects and prevents data exfiltration attempts and ensures compliant email activity Tessian Defender automatically detects and prevents spear phishing, Business Email Compromise and other advanced targeted impersonation attacks. Tessian’s technology updates its understanding of human behavior and evolving relationships through continuous analysis and learning of the organization’s email network without hands-on maintenance from security teams. That means it gets smarter over time to keep you protected, wherever and however you work, whether that’s a desktop computer in the office or a mobile device, tablet, or laptop at home. But Tessian doesn’t just detect and prevent threats.  When a security threat is triggered, contextual warnings provide employees with in-the-moment training on why an email was flagged unsafe (or an impersonation attempt)  or reinforce data security policies and procedures and improve their security reflexes. This nudges employees towards safer behavior in the long-term.  And, with Human Layer Security Intelligence, security and compliance leaders can get greater visibility into the threats prevented, track trends, and benchmark their organization’s security posture against others. This way, they can continuously reduce Human Layer risks over time. To learn more about how Tessian protects world-leading organizations across G Suite, O365, and Outlook, check out our customer stories or book a demo. 
Gartner, Market Guide for Email Security, September 2020 Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Human Layer Security Spear Phishing Tessian Culture
8 Book Recommendations for Security Professionals
By Maddie Rosenthal
22 October 2020
Most security professionals rely on recommendations from their peers when it comes to vendors, solutions, and strategies. So, why not books? We asked our own cybersecurity experts what they were reading and rounded-up eight books to add to your reading list. The Cuckoo’s Egg In 1986, Clifford Stoll – a systems administrator at the Lawrence Berkeley National Laboratory – wrote this book. Based on his field notes, this is arguably one of the first documented cases of a computer hack and the subsequent investigation, which eventually led to the arrest of Markus Hess.  It’s now considered an essential read for anyone interested in cybersecurity. CISO Compass: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers  While this book covers all the fundamentals of IT security governance and risk management, it also digs deeper into people. After all, being a CISO isn’t just about technology. The insights in the book come directly from CISOs. In total, 75 security leaders contributed to the book, which means there’s plenty of actionable advice you can apply to your strategies.  Looking for more insights from security leaders? Check out Tessian’s CISO Spotlight series.  Art of Deception Written by someone pretty well-known in the security field – Kevin Mitnick – Art of Deception offers readers an insider’s view on what it takes to hack a system (and therefore what you can do to protect yourself).  Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers  Politics play a big role in cybercrime.  This book is focused on Sandworm, the group of Russian hackers who, over the last decade, has targeted American utility companies, NATO, and electric grids in Eastern Europe and paralyzed some of the world’s largest businesses with malware. But the author, Wired senior writer Andy Greenberg, also provides plenty of background on both the technology and the relationships between various countries. Social Engineering: The Art of Human Hacking If you want a breakdown of every aspect of social engineering – from elicitation, protecting, influence, and manipulation – this one’s for you. Written by Christopher Hadnagy – the lead developer of the world’s first social engineering framework – this book is a sort of intro to hacking humans that could help you level-up your phishing awareness program and defenses.   We take a deep dive into the psychology of human error in this report, with insights from Stanford Psychology and Communications professor Jeff Hancock.  The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats In the same vein as Sandworm, this book explores cyberwar, nation-state hackers, and the future. While it doesn’t offer highly technical insights, there is plenty of practical advice on how organizations and individual people can avoid being hacked.  Cult of the Dead Cow Cult of the Dead Cow explores some of the world’s most infamous hacking groups – particularly the cDc – and explains how technology, data, and – well – the world has changed because of them.  CISM Certified Information Security Manager All-in-One Exam Guide Yes, this is an exam guide…and yes you should add it to your reading list. If nothing else, to have on-hand as a reference. Why? It covers everything. Security governance, risk management, security program development, and security incident management. Curious as to whether or not other security professionals have their CISM certification? We interviewed 12 women about their journeys in cybersecurity. Read their profiles here and the full report, Opportunity in Cybersecurity Report 2020.
Spear Phishing
How to Identify a Malicious Website
19 October 2020
If you’re familiar with phishing or malware, you’ve likely heard of “malicious websites”. But, do you know how to spot one?  In this article, we’ll answer 4 key questions (and provide plenty of examples). What is a malicious website? How many websites are malicious? What red flags should I look out for to spot a malicious website? How can I avoid visiting or interacting with malicious websites? So, to start, let’s define what exactly a malicious website is. What is a malicious website?  A malicious website is any website that’s been designed to cause harm. In this article, we’ll focus on phishing websites and malware websites. A phishing website – sometimes called a “spoof” or “lookalike” website – steals your data. Phishing websites look like legitimate websites. But, when visitors are prompted to enter login credentials, personal information, or credit card details, the data is directed to cybercriminals. Looking for an example? Tessian researchers discovered 75 domains spoofing websites related to mail-in voting in August. For more information, read this article: How to Avoid Falling victim to Voting Scams in the 2020 Election. In this case, attackers were after personally identifiable information (PII) and credit card details.  Once a phishing website collects your data, it can be used in hacking operations and further phishing attacks, or sold on the dark web. A malware website, on the other hand, installs malicious software on your device. While this could happen after the visitor downloads an application or file, it can also happen without the visitor even noticing.  Why deploy malware? Malicious software can serve many different purposes, including extracting data from a person’s device, taking control of the device, or using the device as an entry point into a network. But phishing and malware sites aren’t the only problems.  Other websites, such as fake news and disinformation websites, might also be considered malicious websites. These sites aim to spread discord, affect election outcomes, and disrupt the activities of human rights groups. How common are malicious websites? It’s hard to say exactly how many malicious websites are out there. But one thing we do know is that malicious websites — particularly phishing websites — are popping up more and more frequently. One source that can help us understand the prevalence of malicious websites is Google’s Safe Browsing reports.  According to Google’s stats, phishing websites are increasingly common, whereas malware sites are less likely to be favored by cybercriminals.
In September 2020, Google counted nearly 1,960,000 phishing websites. This is up from around 68,000 in September 2010 — an increase of nearly 2800%. But malware sites have actually decreased in prevalence according to Google, with around 24.500 counted in September 2020, down from 78,500 in September 2010. Venafi’s 2018 research supports the view that phishing sites are on the increase. In a study of domains associated with major retailers across five countries, Venafi found there were: Twice as many spoof retail websites as genuine retail websites 12,000 spoof domains associated with one US retailer Real-World Example: BAHAMUT Let’s look at a real-life example of how criminals use malicious websites to dupe their targets into handing over data. Research from BlackBerry, published in 2020, studied the activities of a cybercrime syndicate known as BAHAMUT. The group targets consumers, businesses, and government officials via phishing emails, fake mobile apps, and a “staggering” network of malicious websites. Among many other activities, BAHAMUT set up convincing-looking malicious “news” websites that directly copied headlines from genuine sources. Links on these sites redirected to phishing websites that harvested Google, Yahoo, Microsoft, and Telegram users’ credentials. BAHAMUT also set up websites designed to distribute a series of malicious mobile apps. Once downloaded, these malicious apps set up a “backdoor” on the target device, allowing the group to track the user’s activities and location, and access the user’s files. Perhaps the most alarming aspect of BAHAMUT’s activities is the convincing nature of the group’s fake websites. Some of these sites were previously well-established, legitimate news sources, whose domains were re-registered and used as vehicles for cybercrime. Telltale signs of a malicious website As we can see from the example of BAHAMUT, it’s not always easy to identify a malicious website. Some may display no obvious signs that they will steal your credentials or distribute malware. But, there are some traits common to many malicious websites. For example: The website automatically asks you to run software or download a file when you’re not expecting to do so. The website tells you that your device is infected with malware or that your browser extensions or software are out-of-date. The website claims you have won a prize and requests your personal information to claim it. These are outdated tactics, and most sophisticated malicious websites will not be so transparent.  There can also be technical indications that a website is fake. For example: The URL looks suspicious. https://google.com is safe. https://google.[something].com is not. This is a subdomain of [something].com — which could be a malicious website. The site does not use https. Most sites use https, rather than http, which indicates that they are protected by an SSL certificate. However, some sites have not yet made the upgrade to https, and not all https URLs are safe. It can be very difficult to tell whether you are visiting a malicious website. The best tactic is to avoid arriving at a malicious website in the first place. But how? How to avoid visiting a malicious website When it comes to avoiding the harms associated with malicious websites — security and business leaders understand that prevention is better than cure.  And, while it is possible to stumble upon a malicious website while browsing the web, search engines, like Google take steps to remove malicious sites from their search results. They can’t catch them all, though. But it’s important to note that it’s far more common to end up on a malicious website after receiving a phishing email. Phishing emails are extremely common — 88% of organizations experienced spear phishing (targeted phishing attacks) in 2019. Phishing emails can include links to malicious websites. It’s easy to fall for this type of scam — a phishing email can appear to come from a trusted person, and might look like the sort of correspondence you receive from that person regularly. That means identifying phishing emails may be more important than identifying malicious websites. If you’re looking for tips, we’ve put together this guide (including an infographic): What Does a Spear Phishing Email Look Like. Note: Phishing can also take place via social media, phone, or SMS, but 96% of phishing attacks arrive via email. That’s why email is the threat vector security leaders are most concerned about. Email security solutions can help. How can Tessian help? Tessian Defender detects and prevents advanced impersonation attacks including spear phishing.  If employees don’t fall for the phishing email, they won’t land on the malicious website.  How? Tessian’s machine learning algorithms learn from historical email data to understand specific user relationships and the context behind each email. When an email lands in your inbox, Tessian Defender automatically analyzes millions of data points, including the email address, Display Name, subject line and body copy.  If anything seems “off”, it’ll be flagged. To learn more about how tools like Tessian Defender can prevent spear phishing attacks, speak to one of our experts and request a demo today.
Data Exfiltration DLP Human Layer Security Spear Phishing
7 Concerns IT Leaders Have About Permanent Remote Working
By Laura Brooks
14 October 2020
According to Tessian research, 75% of IT leaders and 89% of employees believe the future of work will be “remote” or “hybrid” – a combination of working in the office and remotely.  This will have a significant impact on companies’ IT departments, who will be under pressure to deliver a seamless experience and create strategies that empower employees to work remotely and securely. In fact, 85% of IT leaders think they and their team will be under more pressure if their organization were to adopt a permanent remote working structure.  In this blog, we look at their top 7 concerns and explain how to overcome them.  1. Employee wellbeing Half of IT leaders’ are worried about staff’s wellbeing when they work remotely – making it the top concern among IT professionals.  Remote work can be incredibly stressful for employees. A survey by online employment platform Monster reported that over two-thirds of U.S. workers have experienced burnout symptoms while working from home. Why? Because people are more distracted, they’re taking less time off work, and they’re working longer hours. 61% of employees in another Tessian report said a culture of presenteeism in their organization makes them work longer hours than they need to.  The problem is that when people are stressed, tired and distracted, they make more mistakes that could compromise cybersecurity. In fact, 46% of employees say make more mistakes when they feel burned out.  IT professionals must recognize the correlation between employee wellbeing, their productivity, and security if they want to keep data and systems safe in a remote work world. Lead with empathy and find ways to prevent stressed and distracted employees from making costly cybersecurity mistakes.  2.Unsafe data practices 46% of IT leaders are also worried about employees practicing unsafe cybersecurity behaviors.  Their concerns are valid. A report published by Tessian in May 2020 revealed that 48% of employees feel they can get away with riskier cybersecurity behaviors when working from home, namely because they are working from unfamiliar devices and because they aren’t being watched by IT teams. A further 54% said they’ll find a workaround if security software or policies prevent them from doing their job. Educating employees on safe cybersecurity practices is a necessary first step. However, only 57% of companies implemented additional training at the start of the remote working period in March 2020. This isn’t trivial; businesses must continually educate staff on safe data practices because cybersecurity is rarely at the front of mind for every employee.  Businesses should also ensure that security solutions or policies do not stand in the way of people getting their jobs done. Workers will find the easiest or most convenient path, and this can often involve skirting around security rules. Security should, therefore, be as flexible as people’s working practices in order to mitigate unsafe behaviors online.
3. More data breaches Half of organizations we surveyed said they experienced a data breach or security incident between March and July 2020 – the period in which mandatory remote work arrangements were enforced. Consequently, 40% of IT leaders are worried their company will experience more data breaches if people continue to work remotely.  The causes of these data breaches included phishing attacks (49%), malware (45%) and malicious insider attacks (43%). In addition, 78% of IT leaders said they think their organization is at greater risk of insider threats when staff work from home.  To prevent data breaches caused by insider threats – and other threats caused by human error – IT teams need greater visibility into their riskiest and most at-risk employees. Only by understanding employees’ behaviors, can businesses tailor policies and training to prevent people’s actions from compromising company security and breaching sensitive data.  4. More phishing attacks Half of the security incidents reported between March-July 2020 were caused by successful phishing attacks – making phishing the top attack vector during this period of remote working.  Of the 78% of remote workers that received phishing emails while working on their personal devices, an overwhelming 68% clicked a link or downloaded an attachment from the malicious messages they received. It’s not surprising, then, that 82% of IT leaders think their organization is at greater risk of phishing attacks when people work remotely.  But why is phishing a greater risk for remote workers?  Because it is not uncommon for an employee to receive information about a new software update for a video conferencing app, or an email from a healthcare organization providing tips on how to stay safe, or a request from a supplier asking them to update payment details.  In fact, 43% of IT professionals said their staff had received phishing emails with hackers impersonating software brands, while 34% said they’d received emails from cybercriminals pretending to be an external supplier.  If the sender’s email domain looks legitimate and if hackers have used the correct logos in the body of the email, there’s very little reason why an employee would suspect they were the target of a scam. And, when working remotely, employees can’t easily verify the email with a colleague. They may, then, click the link to “join the meeting”, download the “new update” or share account credentials. To learn more about how to spot a spear phishing email, read our blog here.
5. The IT team’s bandwidth With organizations facing the threat of more data breaches and security incidents caused by unsafe cybersecurity behaviors, over a third (34%) of IT leaders worry that their teams will be stretched too far in terms of time and resource.  Security solutions powered by machine learning can help alleviate the strain. Solutions like Tessian use machine learning algorithms to understand human behaviors in order to automatically detect and prevent threats caused by human error – such as accidental data loss, data exfiltration or phishing attacks. When a potential threat is detected, the individual is alerted in real-time and a record of the incident is logged in a simple and accessible dashboard. IT professionals no longer have to spend hours manually looking back through logs to find incidents – the proverbial ‘needle in a haystack’.  When you consider that 55% of IT teams spend more time navigating manual processes than responding to vulnerabilities, finding ways to take away the manual, labor-intensive tasks will be critical in freeing up IT professionals’ time.  6. An increase to IT leaders’ workload In addition to concerns over their teams’ workloads increasing, IT leaders also fear they’ll face even longer to-do lists in a hybrid or remote working world. Why? To name a few: The majority of IT leaders will be implementing new BYOD policies, additional training programs, upgrades to endpoint protection as well as new VPNs in order to address employees’ expectations and safety.  They have to overcome challenges like data loss prevention (DLP), something 84% of IT leaders say is more difficult in distributed workforces.  They have to address and mitigate more security risks such as employees bringing infected devices or documents into the office, potentially compromising the company’s entire network.  According to Nominet’s 2020 report – The CISO Stress Report: Life Inside the Perimeter: One Year On – 88% of CISOs are moderately or tremendously stressed. What’s more, 95% work more than their contracted hours amounting to an extra 10 hours per week, on average.  As the pressure increases, businesses must find ways to alleviate stress and empower IT leaders to work effectively and efficiently in order to protect their company and employees.
7. Non-compliance with data protection regulations Nearly a third of IT leaders said that remote working could compromise compliance with data protection regulations.  In the last year, misdirected emails have been the number one cause of data breach incidents reported to the Information Commissioner’s Office. A previous Tessian report found that 58% of employees have sent an email to the wrong person during their career and, of these misdirected emails, nearly a fifth (17%) were sent to the wrong external party.  Their reasons? Nearly half said it was because they were tired and 41% said the error was made because they were distracted. Given that studies have shown people are feeling more fatigued and more distracted while working remotely, there is cause for concern that data breaches, caused by human error, will only increase.  Instead of expecting people to do the right thing 100% of the time while working away from the office, invest in security solutions that preempt these errors by detecting and preventing them from happening in the first place. That way, IT leaders can proactively stop sensitive information from leaving their environment, company IP stays secure, compliance standards are met, and customer trust is maintained. To find out more, read the full report – Securing the Future of Hybrid Work – here.
Spear Phishing
Everything You Need to Know About Wire Transfer Phishing
07 October 2020
Wire transfer phishing costs businesses billions of dollars every year — and the problem is only getting worse. That’s why business leaders and security experts are increasingly worried about this damaging form of cybercrime.  In this article, we’ll be answering the following questions: What is wire transfer phishing? How does wire transfer phishing compare to other social engineering attacks?  How can your business defend against wire transfer phishing?  We’ll also be taking a look at one of the biggest cybercrimes in history — a sustained wire transfer phishing scam against Google and Facebook. What is wire transfer phishing?
How wire transfer phishing works Like other types of social engineering attacks, cybercriminals use a number of different methods to carry out wire transfer phishing against businesses and individuals.  But, we can offer a “typical” example of this kind of attack. Imagine you’re an employee in a company’s accounts department. You routinely receive email invoices from suppliers, contractors, and service providers.  One morning, you get an email from Jane at IT Maintenance — someone who has emailed invoices regularly for the past five years. As always, Jane is friendly. She provides a normal-looking invoice for some computing services your company uses regularly. You pay the invoice in the usual way, using the bank account details provided. But you didn’t realize that Jane’s email address was subtly different this time — instead of the usual [email protected], the email came from [email protected]  You just fell victim to a wire transfer phishing attack — and paid money into a cybercriminal’s account. Can you spot the difference in the email addresses? This is just one example of email impersonation.  Wire transfer phishing vs. other types of phishing There are many types of phishing. But they all have one thing in common: the hacker is trying to trick targets into handing over information, transferring money, or granting access to networks.  Wire transfer phishing aims to trick the victim out of money by persuading them to transfer money into the attacker’s bank account. Below are other types of phishing motivated by a financial incentive.  Credential phishing involves creating a fake website designed to look like an account login page. The target believes they are logging into an online account. But in fact, they are sending their username and password to the attacker. Payroll diversion is where a scammer impersonates an employee and provides new bank details to an HR department. Gift card phishing involves persuading the target to purchase gift cards or make a payment via gift cards. But there are plenty of other “types” of phishing. While phishing typically refers to an email-based social engineering attack — 96% of phishing attacks occur via email – hackers can use other methods of delivery, too.  For example: Smishing is a type of phishing that takes place via SMS message.  Vishing takes place over phone or Voice over IP (VoIP) software. Social media phishing takes place over social media platforms. Wire transfer phishing could occur via SMS, phone, or social media — but email is much more common. For more information, see our article: Smishing and Vishing: What You Need to Know. Some types of phishing are defined by how they target victims. For example:  Spear phishing is any phishing attack that targets a specific individual. A spear-phishing email opens with “Dear [name],” whereas a bulk, “spray and pray” phishing attack addresses no-one in particular. Whaling is any phishing attack that targets a senior executive. High-profile targets typically have easier access to bigger funds. Business email compromise (BEC) involves spoofing or hacking a company email account (for example, [email protected]). Wire transfer phishing is very likely to involve spear phishing. After all, you’re not very likely to hand over money to an individual that doesn’t even use your name. Business email compromise and whaling also usually involve wire transfer phishing. Keep reading to find out just how much business lost (and hackers gained).  Wire transfer phishing statistics Businesses and banks are continually investing in new defenses against phishing. Some of these strategies work, and they are making a positive impact.  But due to the increasing volume and sophistication of such scams, businesses are losing more money than ever. Between June 2016 and July 2019, FBI statistics show that wire transfer fraud via BEC occurred 166,349 times, and cost businesses over $26 billion. In 2019, the number of bank transfer phishing scams occurring in the UK increased by 40%. In 2017, the FBI received 15,690 complaints about BEC (primarily involving wire transfer), resulting in over $675 million in losses. In 2019, this increased to 23,775 complaints and over $1.7 billion in losses. Defending against wire transfer phishing Business and cybersecurity leaders understand that wire transfer phishing is a severe threat — and they take steps to defend against it. Recognizing wire transfer scams Recognizing wire transfer scams can be extremely difficult. But, even the least sophisticated scams share some hallmarks, including: A sense of urgency — The person requesting a fraudulent transfer will often claim that the money is needed immediately or threaten late payment fines. Unsolicited contact — If you receive a request for money from a company you’ve never dealt with, this is likely to be a phishing scam (of very poor quality). Unprofessional communication — Phishing emails might be written in an unprofessional tone or contain grammatical errors. These traits are rarely present in successful wire transfer attacks, which can involve impersonations of specific people and careful recreation of invoices that appear identical to genuine documents.  If you’re a security leader who’s trying to help your employees spot spear phishing attacks, this article (and infographic) will help: What Does a Spear Phishing Email Look Like? Training can help, too. Running employee training programs It’s essential to make your employees aware of wire transfer phishing and other security threats. But employees should never be the last line of defense.
Phishing techniques have become so sophisticated that even the most tech-savvy employees can miss them (including the NSCS’s cybersecurity experts). Humans aren’t good at recognizing subtle changes in behavior and identity — no matter how much training they receive. That’s why email security is essential. Interested in learning more about the pros and cons of phishing awareness training.  Implementing email security software The best way to stop wire transfer phishing is to deploy email security software across all employee devices. Tessian Defender, for example, uses AI to learn your employees’ inboxes inside-out. Tessian knows what a “normal” email looks like — so it knows when a wire transfer phishing scam is occurring. Tessian can pick up on the tiny differences in email addresses that indicate spoofing. It can even detect behavioral changes that suggest that the sender isn’t who they say they are — and that their email has been compromised.  Once detected, employees are warned (which reinforces training), security teams are alerted, and the domain is automatically added to a denylist. Crisis averted.  Validating payments In addition to deploying email security software and increasing staff awareness, your finance team should take steps to validate wire transfers before making payments. For example: Keeping careful (and secure) records of vendors’ bank details  Verifying payments over the phone where practical Contacting the payee directly where there are any concerns These validation processes are important, but they can take time and resources — and they’re far from foolproof, as we’ll see below. Case Study: Facebook and Google $121 Million Wire Transfer Scam To help you better understand how wire transfer phishing works, let’s take a look at a real-life example. In 2019, a Lithuanian national named Evaldas Rimasauskas appeared in court in New York. Rimasauskas pleaded guilty to participating in the biggest phishing scam in history and received a 5-year prison sentence. Between 2013 and 2015, Rimasauskas and his associates used wire transfer phishing to scam Facebook and Google out of around $121 million.  So how did this team of cyber-criminals trick two of the world’s largest tech companies into giving up so much cash? First, the group set up a company with the same name as a genuine Taiwanese computer manufacturer that supplied Facebook and Google with hardware — “Quanta Computer.” Rimauskas set up bank accounts in the company’s name across Latvia and Cyprus. The scammers then emailed Facebook and Google employees from fake spoof accounts, pretending to be Quanta Computer employees. These emails were convincing enough to persuade the tech firms’ staff to pay invoices into Rimasauskas’ fake bank accounts. Once the cybercriminals had received payments from Facebook and Google, they quickly transferred the money to a network of accounts across Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong. How did the group get away with making such substantial transfers for so long? Didn’t the receiving banks question where this money was coming from? Well, the group also created fake invoices, contracts, and letters — purportedly from the tech firms’ employees — to verify the transfers. What can we learn from the Rimasauskas case? Even employees at well-resourced, tech-oriented firms can fall victim to wire transfer phishing. As well as impersonating people you know, scammers can set up companies with the same names as your service providers. Banks can’t be relied upon to prevent fraudulent wire transfers. It’s hard to deny the cleverness of Rimasauskas’ scheme. If Facebook and Google — two of the wealthiest companies on the planet — can lose $121 million this way, then any company could fall victim to a similar scam. To learn more about how Tessian can detect and prevent wire transfer phishing attacks and other advanced impersonation attacks, book a demo. Or, for insight into how we’re helping world-learning organizations, check out our customers page.
Compliance Data Exfiltration Spear Phishing
September Cybersecurity News Roundup
30 September 2020
We’re back with another monthly roundup of cybersecurity news. Cybercriminals have once again been busy, with several high-profile data breaches and ransomware attacks occurring throughout September. And – rather unsurprisingly – social media platforms Twitter and TikTok have made the cut for the third month running. Here are the top cybersecurity stories from September 2020, including links to further information. Need to catch-up? Check out headlines from July and top stories from August on our blog. Researchers Predict That CEOs Will Be Personally Liable for Cyber-Physical Attacks Research and advisory firm Gartner (who recently named Tessian a Cool Vendor) predicted this month that 75% of CEOs could hold personal liability for “cyber-physical” attacks by 2024. Cyber-physical attacks aim to impact the “real world,” including critical infrastructure, internet of things devices, and healthcare equipment. Such attacks can result in physical injury and death. Gartner predicts that that cyber-physical attacks will cause up to $50 billion of damage by 2023 So what if Gartner is right? It would mean that if a company suffers a cyberattack resulting in physical harm — and it turns out that the company has not implemented appropriate cybersecurity measures — the company’s CEO could have to pay fines with their own money. 
Gartner’s research tells us what every effective business leader already knows — an effective cybersecurity program is an essential requirement for every organization. If a cyberattack occurs, the buck stops with the company’s senior executives. Argentinian Government Faces $4 Million Ransom Following Cyberattack On September 6, Argentina temporarily stopped allowing people to cross its borders after the Netwalker ransomware hit the country. The attackers encrypted government migration data and demanded 355 Bitcoins (around $4 million) to unencrypt it. This cyberattack led to chaos across border checkpoints — but the Argentinian government told domestic news website Infobae that it had no intention of negotiating with the hackers. Ransomware continues to cause havoc worldwide, and it appears the problem is only getting worse. Research by SonicWall recorded approximately 121 million ransomware attacks in the first half of 2020. Personal Information of 46,000 US Military Veterans Breached The US Veterans Association (VA) announced this month that the personal information of around 46,000 military veterans had been “accessed by unauthorized users.” The cybercriminals aimed to “divert payments” intended for healthcare providers. The VA’s financial services team wrote to the affected individuals to advise on how to mitigate the effects of the breach and offer free access to credit monitoring services. The VA serves veterans all over the US. Strict new data breach laws in several jurisdictions — including New York, Washington DC, and Oregan — mean that the VA could face huge fines given the breach’s context. Want to know more about US data security laws? Read our guidance for security leaders. 75% of IT leaders believe the future of work is hybrid In a new report – The Future of Hybrid Working – Tessian reveals that IT leaders and employees both believe the future of work will be remote or hybrid. But, it’s clear this shift won’t be easy. Check out some of the key stats below: 82% of IT leaders believe employees are at greater risk of phishing attacks when working remotely Over a third of IT leaders are worried about their teams will stretched too far in terms of time and resource Half of emoployees have been working on their personal devices since March 2020 Nearly 75% of employees said they received a phishing email while working on a personal device between March and July 2020….and 68% admitted to clicking a link or downloading an attachment within that email 78% of IT leaders think their organization is at greater risk of insider threats if their company adopts a permanent hybrid working structure Read the full report to learn more and to understand how business can balance flexibility and security without draining IT teams’ resources. Thousands of COVID-19 Patients’ Data Leaked Due to “Human Error” A massive data breach occurred in Wales this month when the personal information of 18,105 coronavirus patients was leaked following an “individual human error.” The breach affected every Welsh resident who tested positive for COVID-19 between February 27 and August 30. Public Health Wales said that the data included the “initials, date of birth, geographical area, and sex” of the affected individuals. In nearly 11% of people, though, the data also included the name of the nursing home or other healthcare setting in which the individual lived. The data was uploaded onto a public server, where it was accessible and searchable for around 20 hours. It was viewed 56 times throughout this period.  Human error is a key cause of data breaches. Statistics show that around 88% of data breaches start with human error, and almost half of all employees believe they have made an error at work leading to security repercussions. Chinese Company Holds Data About 2.4 million Influential People An academic at Fulbright University, Vietnam, has uncovered a vast Chinese database containing personal information of around 2.4 million people and their families. It looks like these individuals are “people of interest” to the Chinese Communist Party (CCP). The company responsible for maintaining this huge database “provides big data analytics as well as other functionality to support Chinese military and intelligence analysts,” according to a research paper. The research also suggests that the CCP uses the data for “intelligence, military, security, and state operations in information warfare and influence targeting.”  The database is believed to provide a way for the CCP to influence people in target sectors. It may be one of many such databases maintained by Chinese companies. Much of the information in the database has been gleaned from publicly-available sources. The Chinese database is yet another important reason you should consider limiting the amount of personal information you put online. You can learn more about how hackers are using open-source recon for deepfakes and other social engineering attacks from Elvis M. Chan, Supervisory Special Agent at the FBI and Nina Schick, Author of “Deep Fakes and the Infocalypse: What You Urgently Need to Know”, who both joined us at Tessian Human Layer Security Summit. You can access their session “Safeguarding the 2020 Elections, Disarming Deepfakes via HLS On-Demand.  Twitter Provides Enhanced Security For US Election Following its spear phishing incident this July, Twitter has announced enhanced account security for certain “high-profile accounts” throughout the US election. Twitter said that various types of accounts, including those belonging to US politicians, campaign officials, and political journalists, would receive the security enhancements from September 17. So what’s changing? First, affected users must create “strong passwords,” of at least ten characters in length. They will need to confirm password reset requests via email. The affected users will also be “strongly encouraged” to enable two-factor authentication (2FA). But that’s not all. Recall that the July spear phishing incident involved “internal support tools” — it wasn’t primarily an issue with users’ account passwords. To address this, Twitter also states that it will improve internal monitoring of the affected accounts, including by using “more sophisticated detections and alerts,” “increased login defenses,” and “expedited account recovery” processes. Want to know how to avoid the issues Twitter faced this July? Read our guidance on “vishing” attacks. UHS Hospitals Hit by Reported Country-Wide Ryuk Ransomware Attack On September 27, Universal Health Services (UHS) – a Fortune 500 hospital and healthcare services provider that serves 3.5 million patients a year – was the target of a cyberattack that disable multiple antivirus programs and left hospitals around the country without access to computer and phone systems. According to employees, files were being renamed to include the .ryk extenstion, computers’ screens changed, and – eventually – shut down, leaving them without access to anything computer-based. And, in response to the attack, employees were told to shut down all systems to block attackers’ from reaching more devices on the network. While UHS hasn’t made a statement, the logistics of the incident suggest ransomware. That means patient and employee data is at risk. Energy Companies Advised to Create Cyberattack Response Plans The US Federal Energy Regulatory Commission (FERC) and the North American Electricity Reliability Corporation (NERC) have released a report advising energy providers on creating an Incident Response and Recovery (IRR) plan for cyberattacks. The report is based around an existing cybersecurity framework: the National Institute of Standards and Technology (NIST) Special Publication 800-61, also known as the Computer Security Incident Handling Guide.  Governments appear to be increasingly concerned about the cybersecurity of critical infrastructure. This concern is well-founded — in 2019, 90% of security professionals surveyed across the utilities, energy, health, and transport sectors reported that their organizations had faced at least one successful cyberattack. Much of the advice to energy providers is good practice across all sectors. FERC and NERC recommend a four-part framework, consisting of security controls relating to preparation, detection and analysis, containment and eradication, and post-incident activity.
UK Agency Warns Schools and Universities About Ransomware Attacks As students worldwide return to schools, colleges, and universities, education providers are most concerned with defending against a COVID-19 outbreak. But the UK’s National Cyber Security Centre (NCSC) gave a stark warning about a different type of threat: ransomware. The NCSC’s alert describes “recent trends observed in ransomware attacks” targeting the education sector, which the agency says are increasingly common. The guidance follows a series of ransomware attacks against universities in the UK, US, and Canada this July. The agency warns that cybercriminals are exploiting out-of-date software and are accessing remote desktop protocol (RDP) software using credentials stolen via phishing attacks. It also warns that phishing emails are being used to deploy ransomware. So how does the NCSC recommend education providers protect themselves? The same ways all cyber-secure organizations protect themselves — including ”disrupting ransomware attack vectors” by implementing phishing defenses, and “enabling effective recovery” by keeping backups of data. Implementing DMARC is also essential to prevent brand impersonation and successful spear phishing attacks. And, according to Tessian research, 40% of the top 20 US universities aren’t using DMARC records.  TikTok Ban Delayed Following ByteDance Sale On September 21, US President Trump said he had approved the sale of part of ByteDance, the parent company of video-sharing platform TikTok, to Oracle and Wal-Mart. The deal temporarily averts harsh restrictions on TikTok set out by the US Department of Commerce three days earlier. The sale results from an executive order issued by President Trump in August, stating that the TikTok app “captures vast swaths of information from its users, including… location data and browsing and search histories.” TikTok maintains that this activity is standard industry practice. The US companies could take a collective 20% stake in ByteDance, with Oracle hosting TikTok user data in Oracle Cloud. Some analyses suggest that security-conscious nations and businesses are increasingly likely to implement these sorts of “data localization” measures. Trump had previously assured the public that TikTok would be “totally controlled” by the US firms. However, the president assured a press conference that the companies would be using “separate clouds and very, very powerful security.” That’s all for this month. If we missed anything, please email [email protected] and stay tuned for the next roundup. Don’t forget: You can easily share this on social media via the buttons at the top right of this post. 
Data Exfiltration Human Layer Security Spear Phishing
How Hybrid-Remote Working Will Affect Cybersecurity
By Laura Brooks
29 September 2020
When the world went into lockdown, ways of working changed forever.  Mandatory remote work arrangements meant people had to find ways to get their jobs done in their homes and most of us quickly settled into a new rhythm of work. Now, after months of being away from the office, the so-called “new normal” is starting to feel, well, just normal. Employees don’t want to give up the level of flexibility and autonomy they’ve come to experience.   In fact, according to our latest report, Securing the Future of Hybrid Working, just 11% of UK and US employees said they’d want to work exclusively in the office post-pandemic, with the average employee wanting to work from home at least two days a week. And, over a third of people said they wouldn’t even consider working for a company if it didn’t offer remote working in the future. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); Keep reading to find out: How IT leaders think remote and hybrid working will affect cybersecurity What these new set-ups will do to IT teams’ workloads How business’ can balance flexibility and security Remote, office-based, or a bit of both?  Businesses have some big decisions to make. Do they encourage employees to come back to the office post-pandemic, or opt for a fully remote workforce?  For many, a hybrid model – where employees can split their time between working in the office and anywhere else they’d like – appears to be the best option for the long-term future of their company. Google, for example, has already announced that this is the approach it’ll take.  This way of working requires companies to completely transform the way their companies have previously run – and it may come at the IT department’s expense. The majority of IT leaders surveyed believe permanent remote work will put more pressure on their teams, while over a third (34%) are worried about their workers becoming stretched too far in terms of time and resource. This is because, while it is great for employees, a hybrid way of working actually offers the worst of both worlds for IT teams who have to simultaneously manage and mitigate security risks that occur in and out of the office, while providing a seamless experience that enables employees to work-from-anywhere. Why would permanent remote working arrangements increase IT teams’ workload?  One of IT teams’ biggest concerns is the risk of phishing attacks, with 82% of IT leaders believing employees are at greater risk of phishing attacks when working remotely. Their concerns are valid; over three-quarters of employees said they received a phishing email while working on their personal device between March and July 2020, and 68% admitted to clicking a link or downloading an attachment within that email. In fact, our report shows that nearly half of companies experienced a data breach or security incident between March and July 2020 – the remote working period enforced by the global pandemic – and half of these incidents (49%) were caused by phishing attacks.  This made phishing the leading cause of security incidents during this time.
Insider threats are another concern. Over three-quarters of IT leaders (78%) think their organization is at greater risk of insider threats if their company adopts a permanent hybrid working structure. Such risks include employees bringing infected devices or documents into the office after working remotely and sharing sensitive information with their personal accounts.  It’s also worrying that 43% of the security incidents reported between March – July 2020 were caused by malicious insiders. For more information about the different “types” of insiders and real-world examples of each, visit our blog. The problem is that insider threats are much more difficult to detect and mitigate when workforces are distributed. Why? A lack of visibility.  A previous Tessian report revealed that nearly half of employees feel like they can get away with unsafe cybersecurity practices when working away from the office because they aren’t being watched by their IT team.   Then, there are the security risks associated with Bring Your Own Device (BYOD) practices.  Half of employees we surveyed have been working on their personal devices since the world went into lockdown in March 2020. The top BYOD security risks cited by IT professionals included: The downloading of unsafe apps Malware infections Software updates.  It’s not surprising, then, that 1 in 3 IT leaders are worried about their teams being too stretched in terms of time and resource in a permanent remote working structure. 
How can businesses balance flexibility and security without draining IT teams’ resources?  Securing distributed workforces isn’t going to be easy. Why? Because businesses must transform and reinvent ways of working but IT teams are under-resourced and budgets are getting smaller and smaller. Failure to transform and deliver a seamless hybrid experience, though, could threaten companies’ security posture and see businesses losing out on talent.  Education on the threats people can be exposed to and the threats they pose to company security when working away from the office is, therefore, an important first step. So, it is encouraging to see that 58% of IT leaders are planning to introduce more security training should their company adopt a permanent remote working structure.  But approaches to training may need a rethink so that it resonates with employees and isn’t seen as “just another thing” on people’s to-do list. According to our report, despite 57% of IT departments implementing more education and security training for their employees during the pandemic, nearly 1 in 5 workers said they didn’t even take part. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); This brings us to our second recommendation – security solutions shouldn’t hinder people’s productivity.  It’s clear people want to be able to work flexibly, so tools need to be flexible, too. Solutions like Tessian are invisible to employees until threats are detected, which means we cause minimal disruption to people’s workflow. Our warnings are helpful and educational, not annoying. We give people the information they need to make safer cybersecurity decisions and improve their behaviors over time.  Lastly, IT teams need greater visibility into their riskiest and most at-risk employees – regardless of where they’re working – in order to tailor training and policies and improve cybersecurity behaviors over time. Getting this level of visibility shouldn’t be a burden to the IT team, though. IT teams have enough going on, so solutions that leverage machine learning can take away labor-intensive tasks and help free up IT professionals’ time.  The way people work is quickly changing. But one thing will stay the same; you need to protect your organization’s most important asset – your people.  Businesses that protect their people from security threats and empower them to do great work, without security getting in their way, will set themselves for long-term success.  Read the full report – Securing The Future of Hybrid Working – today.
Human Layer Security Spear Phishing
Tim Sadler on Hacking Humans Podcast: Ep 117 “It’s Human Nature”
24 September 2020
Tessian’s CEO and co-founder Tim Sadler joined Dave Bittner from the CyberWire and Joe Carrigan from the Johns Hopkins University Information Security Institute to talk about why people make mistakes and the importance of developing a strong security culture. While you can listen to the episode here, you can read a full transcript below. And, for more insights about The Psychology of Human Nature, read our report.
Dave Bittner: Joe, I recently had the pleasure of speaking with Tim Sadler. He’s been on our show before. He’s from an organization called Tessian, and they recently published a report called “The Psychology of Human Error.” Here’s my conversation with Tim Sadler. Tim Sadler: We commissioned this report because we believe that it’s human nature to make mistakes. The people control more sensitive data than ever before in the enterprise. So there’s customer data, financial information, employee information. And what this means is that even the smallest mistakes – like accidentally sending an email to the wrong person, clicking on a link in a phishing email – can cause significant damage to a company’s reputation and also cause major security issues for them. So we felt that businesses first need to understand why people make mistakes so that, in the future, they can prevent them from happening before these errors turn into things like data breaches. Dave Bittner: Well, let’s go through some of the findings together. I mean, it’s interesting to me that, you know, right out of the gate, the first thing that you emphasize here is that people do make mistakes. Tim Sadler: Absolutely, they do make mistakes, and I think that is human nature. We think about our daily lives and the things that we do; we factor in human error, and we factor in that we will make mistakes. And something I always come back to is if we think about something we do, you know, many of us do on a daily basis, which is, you know, driving a car, and we think about all of the assistive technology that we have in that car to protect us in the event that we do make a mistake because, of course, mistakes are expected. It’s kind of in our human nature. Dave Bittner: Well, let’s dig into some of the details here because there are some fascinating things that you all have presented. One of the things you dig into is the age factor. Now, this was interesting to me because I think we probably have some biases about who we think would be more likely to make mistakes, but you all uncovered some interesting numbers here. Tim Sadler: Yeah, completely. And, you know, just sharing some of those statistics that we found from this report, 65% of 18- to 30-year-olds admit to sending a misdirected email comparing to 34% who are over the age of 51. And we also found that younger workers were five times more likely to admit to errors that compromised their company’s cybersecurity than older generations, with 60% of 18- to 30-year-olds saying they’ve made such mistakes versus 10% of workers who are over 51. Dave Bittner: Now, what do you suppose is the disparity there? Do you have any insights as to what’s causing the spread? Tim Sadler: I think it is just speculation that I think there’s something interesting in just maybe thinking about the comfort level that younger workers might have with actually admitting mistakes or sharing that with others in the enterprise. You know, I think there’s something encouraging here, which is actually we’re seeing that if you were running a security team, you want your employees to come forward and tell you something has gone wrong, whether that’s a mistake that’s led to a bad thing or it’s a near miss. And I think that you also might find that, generally, younger people may tend to be less senior in the organization and, you know, may not have the same sense of stigma that maybe the older generations, who are more senior, may think there is. So if I tell my boss that, you know, I’ve just done something and there was a potentially bad outcome, they might feel like they may be in danger of compromising their position in the organization. Dave Bittner: Yeah, it’s a really interesting insight. I mean, that whole notion of the benefits of having a company culture that encourages the reporting of these sorts of things.
Tim Sadler: I think it’s so important. You know, I think – somebody, you know, correctly advised me, you almost need an everything’s-OK alarm in your business when you’re thinking about security. You know, if you have a risk register or if you are responsible for taking care of these incident reports, if you don’t see people reporting anything, it’s usually a more concerning sign than you have people coming forward who are openly admitting to the errors they’ve made that could lead to these security issues. It’s highly unlikely that you’ve got nothing on your risk register. That you’ve completely eliminated risk from your business. It’s more likely that actually you haven’t created the right culture that feels like it’s suitable or acceptable to actually come forward and admit mistakes. Tim Sadler: And I think this is really, really important. I think now more than ever, during this time where, you know, we have a global pandemic, a lot of people are working from home, and they’re kind of juggling the demands of their jobs with their personal lives – maybe they’re having to figure out childcare – there are lots of other things weighing in to an employee’s life right now. It’s really important to actually, I think, extend empathy and create an environment where your employees do feel comfortable actually sharing things, mistakes they’ve made or things that could pose security incidents. I think that’s how you make a stronger company, through that security culture. Dave Bittner: But let’s move on and talk about phishing, which your report digs into here. And then this was surprising to me as well. You found that 1 in 4 employees say that they’ve clicked on phishing emails. But interesting to me, there was a gap between men and women and, again, older folks and younger folks.  Tim Sadler: Yes, so we found in the report that men are twice as likely as women to click on links in a phishing email, which again I think is – I think we were as surprised as you are that that was something that came from the research that we conducted. Dave Bittner: And a much lower percentage of folks over 51 say that they’d clicked on phishing links. Tim Sadler: Yes. And, again, you know, because of the research, of course, we’re relying on people’s honesty about these kinds of things. Dave Bittner: Right. Tim Sadler: But it does seem that there are clear kind of demographic splits in terms of things like age and also gender in terms of, actually, the security outcomes that took place. Dave Bittner: I mean, that in particular seems counterintuitive to me, but when I read your report, I suppose it makes sense that, you know, people who have more life experience, they may be more wary than some of the folks who are just out of the gate. Tim Sadler: I think that does play into things. I think that younger generations who are coming into the workplace, who are maybe even used to – you know, they’ve had an email account maybe for most of their lives. In fact, I would say that they’re probably less used to using email because they’ve advanced to other communication platforms before they enter the workplace. But I do think that, you know, if you think about people who have had email accounts, you know, at school or at college, they’re going to be used to being faced with potential scams, potential phishing. They’ve maybe already been through many kind of forms of education training awareness, those kinds of things, before they’ve actually entered the world of work. Dave Bittner: Yeah, another thing that caught my eye here was that you found that tech companies were most fallible. And it seemed to be that the pace at which those companies run had something to do with it. Tim Sadler: Yeah, I think there’s something interesting here. And, again, just would say that this is speculation because we don’t have the specific data to dig further into this. But I think there’s something interesting with the concept that technology companies, as you say, if they’re, you know, high-growth startups, they tend to be maybe moving faster, where these kinds of things can slip off the radar in terms of the security focus or the security awareness culture they create. Tim Sadler: But the other thing – and I think something to be aware of – is sometimes technology companies have that kind of false sense of security that it’s all in check, right? ‘Cause they – you know, this is kind of their domain. They feel that it’s within their comfort zone, and then maybe they neglect, actually, how serious something like this could be, where they feel that, OK, we’ve actually – even if we’ve got an email system in place, in the instance of phishing – we’ve got an email system in place. We feel like it has the appropriate security controls. But then we miss out the elements of actually making sure that the person is aware or is trained, is provided with the assistive technology around them and then also feels that they’re part of a security culture where they can report these things. So I think that’s also an important factor, too. Dave Bittner: So one of the interesting results that came through your research here is the impact that stress and fatigue have on workers’ ability to kind of detect these things. Tim Sadler: Yeah, and this is a really, really important point. So 47% of employees cited distraction as the top reason for falling for a phishing scam. And 41% said that they sent an email to the wrong person because they were distracted. The interesting thing, I think, there is that – another stat that came out from this – 57% of people admitted that they were more distracted when working from home, which is, of course, a huge part of the population now. So this point about distraction seems to play a really important factor in actually the fallibility of people with regard to phishing. Tim Sadler: And then a further 93% of employees said that they were either tired or stressed at some point during the week. And 1 in 10 actually said that they feel tired every day. And then the sort of partner stat to that, which is important, is that 52% of employees said that they make more mistakes when they’re stressed. And of course, tiredness and being stressed play hand-in-hand. So these are really, really important things for companies to take note of, which is, you have to also think about the well-being of your employees with regard to how that impacts your security posture and your ability to actually prevent these kinds of human errors and mistakes from taking place. Dave Bittner: Right. Giving the employees the time they need to recharge and making sure that they’re properly tasked with things where they can meet those requirements that you have for them – I mean, that’s an investment in security as well. Tim Sadler: Completely. And I think what’s really difficult is that security is serious business. No one would doubt or question its importance. It is literally mission critical for companies to get right. Some companies take a draconian approach when it comes to security, and they penalize or they’re very heavy-handed with employees when they get things wrong. I think, again, it is really important to consider the security culture of an organization. And actually, creating a safe space for people to share their vulnerability from a security perspective – things that they may have done wrong – and actually then having a security team or security culture that helps that person with the error or the issue that may arise versus just creating a environment where if you do the wrong thing, then, you know, your job, your role might be in jeopardy. Tim Sadler: And again, it is a balance because you need to make sure that people are never being careless, and there is a responsibility that we all have in terms of the security posture of our organization. But what this report shows is that those elements are really important. You know, we don’t want to contribute to the distraction. We don’t want to contribute to the stress and tiredness of our employees. And even outside the security domain, if you do have an environment that doesn’t create a balance for your employees, you are at a higher risk of suffering from a security breach because of the likelihood of human error with your employees. Dave Bittner: All right, Joe, what do you think?
Joe Carrigan: I really liked that interview. Tim makes some really great points. The first thing he says is at Tessian, they believe that people are prone to mistakes, right? Of course we are, right? But why, in the real world, do we act like we’re not? That is what struck out to me immediately – the fact that Tim even needs to say this or that somebody needs to say this, that people are prone to mistakes. We act as if we’re not prone to mistakes. And then the driving analogy is a great analogy, right? If everybody does everything right in a car, nobody would ever have an accident. But as we all know, that is not the case. Dave Bittner: Accidents happen (laughter). Yeah. I think in public health, too – you know, I often use the example of, you can do everything right. You can wash your hands. You can, you know, be careful when you sneeze and clean surfaces and all that stuff. But still, no matter what, every now and then, you’re still going to get a cold. Joe Carrigan: Younger people are more likely to say that they’ve made mistakes than older people, and I agree with Tim’s speculation on the disparity of responses across age groups. Younger people have less to lose than an older person who might be more senior in the organization. I also think that an older person might be more experienced with what happens when you admit your mistakes. Joe Carrigan: And that comes to my next point, which is culture. And that is probably the single-most important thing in a company. And this is my opinion, of course – but this is so much more important when we get to security. It needs to be open and honest, and people need to absolutely not fear coming forward about their mistakes in security. This is something that I’ve dealt with throughout my career, even before I was doing security, with people making mistakes. If somebody tries to cover up a mistake, that makes the cleanup effort a lot more difficult. And it’s totally natural to try to do that. You’re like, oh, I made the mistake. I better correct it. If you don’t have the technical expertise to correct it, you’re actually making more work for the people who have to actually correct it. Dave Bittner: Yeah. I also – I think there’s that impulse to sort of try to ignore it and hope it goes away. Joe Carrigan: Right (laughter). That happens, too. I find this is interesting. Men are twice as likely to click on a link than women. Older users are less likely to click on a link. I think that comes from nothing but experience. You and I are older. We’ve had email addresses for years and years and years. I’ve been on the Internet longer than a lot of people have been alive. I know how this works. And younger people may not have that level of experience. Plus, I think younger people are just more trusting of other people. And as we get older, we, of course, become more jaded. Joe Carrigan: Tech companies have a false sense of security because this is their domain. That’s one of the things Tim said. I think that’s right. You know, that’s not going to happen to us; we’re a tech company. Things are still going to happen to you because, like Tim says very early in the interview, people make mistakes. Dave Bittner: All right. Well, again, our thanks to Tim Sadler from Tessian for joining us this week. We appreciate him taking the time. Again, the report is titled “The Psychology of Human Error.” And that is our show. Of course, we want to thank all of you for listening. Dave Bittner: We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The “Hacking Humans” podcast is proudly produced in Maryland at the startup studios of DataTribe, where they’re co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I’m Dave Bittner. Joe Carrigan: And I’m Joe Carrigan. Dave Bittner: Thanks for listening.
Spear Phishing
6 Real-World Examples of Social Engineering Attacks
22 September 2020
Over the last several months, “social engineering” has been making headlines more and more frequently. But, before we dive into real-world examples of social engineering attacks, let’s define exactly what social engineering is. Social engineering attacks are a type of cybercrime wherein the attacker fools the target through impersonation. They might pretend to be your boss, your supplier, someone from our IT team, or your delivery company. Regardless of who they’re impersonating, their motivation is always the same — extracting money or data. So, what’s the biggest threat vector for social engineering attacks? Email. Why do hackers do it? According to Verizon’s 2020 data breach report, money. In fact, the rates of financially-motivated social engineering attacks doubled between 2018 and 2019 and continued to increase after the outbreak of COVID-19. In this article, we’ll look at six real-world examples of social engineering attacks — some big and some recent — all using different techniques. We’ll also tell you how to avoid falling victim to these sorts of attacks. 1.  $100 Million Google and Facebook Spear Phishing Scam The biggest social engineering attack of all time (as far as we know) was perpetrated by Lithuanian national Evaldas Rimasauskas against two of the world’s biggest companies: Google and Facebook. Rimasauskas and his team set up a fake company, pretending to be a computer manufacturer that worked with Google and Facebook. Rimsauskas also set up bank accounts in the company’s name. The scammers then sent phishing emails to specific Google and Facebook employees, invoicing them for goods and services that the manufacturer had genuinely provided — but directing them to deposit money into their fraudulent accounts. Between 2013 and 2015, Rimasauskas and his associates cheated the two tech giants out of over $100 million. How to Prevent Spear Phishing The Rimasauskas case is a classic example of a spear phishing scam. The attacker hacks or impersonates a trusted person and then “spears” specific individuals.  Spear phishing is more convincing than regular, “spray and pray” phishing because they’re highly targeted. An attacker might also be impersonating someone with whom the target communicates regularly. They may have a near-identical email address, with a very subtle change in the domain name (for example, [email protected] becomes [email protected]–name.com).  You can read more about email impersonation on our blog. Unfortunately, humans — even those working at the world’s most powerful tech firms — sometimes don’t spot small changes. It could be because they’re distracted or over-worked, or it could simply be because the email was a convincing fake. Whatever the reason, it’s important people aren’t left as the last line of defense.  The best thing you can do to prevent spear phishing scams, then, is to implement technology that protects against advanced impersonation attacks like spear phishing.  Tessian Defender’s stateful machine learning technology understands each employee’s inbox inside-out and can detect anomalies in email addresses, body copy, and more. That’s how it distinguishes between safe emails and suspicious ones, alerting the target when a phishing attack occurs. Looking for more resources? These might help.  What is Spear Phishing? Defending Against Targeted Email Attacks What Does a Spear Phishing Email Look Like? Phishing vs. Spear Phishing: Differences and Defense Strategies  2. Deepfake Attack on UK Energy Company In March 2019, the CEO of a UK energy provider received a phone call from someone who sounded exactly like his boss. The call was so convincing that the CEO ended up transferring $243,000 to a “Hungarian supplier” — a bank account that actually belonged to a scammer. This “cyber-assisted” attack might sound like something from a sci-fi movie, but, according to Nina Schick, Author of “Deep Fakes and the Infocalypse: What You Urgently Need to Know”, “This is not an emerging threat. This threat is here. Now.”   To learn more about how hackers use AI to mimic speech patterns, listen to Nina’s discussion about deepfakes with Elvis Chan, Supervisory Special Agent at the FBI at Tessian Human Layer Security Summit. How to Prevent Deepfake Attacks Deepfakes are an emerging threat that could soon become a widespread problem. 74% of IT leaders think deepfakes threaten their organizations’ and their employees’ security. But there are some steps you can take to protect your business from this new type of fraud. Make a habit of verifying telephone requests via another medium, e.g., email or SMS. This is a type of 2-Factor Authentication (2FA) — a security step that you should implement across all channels. If a caller insists that the request is urgent, try to verify their identity in another way —  such as by asking them some specific detail about the office or an event you both attended. Work closely with your IT department to log all suspicious activity and security incidents. For more information about deepfakes, read this article: Deepfakes: What are They and Why are They a Threat? 3. $60 Million CEO Fraud Lands CEO In Court Chinese plane parts manufacturer FACC lost nearly $60 million in a so-called “CEO fraud scam” where scammers impersonated high-level executives and tricked employees into transferring funds. After the incident, FACC then spent more money trying to sue its CEO and finance chief, alleging that they had failed to implement adequate internal security controls. While the case failed, it’s an important reminder: cybersecurity is business-critical and everyone’s responsibility. In fact, Gartner predicts that by 2024, CEOs could be personally liable for breaches.  How to Prevent CEO Fraud It’s easy to see why CEO fraud is a successful type of social engineering attack. Imagine working late at the office one day. You get an email from the CEO herself, asking you to make some last-minute amendments to an invoice. The tone is urgent, the email looks genuine, and you have a chance to impress the top boss — why wouldn’t you go ahead and do it? CEO fraud is a common form of Business Email Compromise (BEC). Using impersonation techniques, scammers can send emails using your CEO’s display name, or email addresses that are nearly indistinguishable. Alternatively, hackers can hijack your CEO’s email account. Tessian’s machine learning technology knows what your CEO’s emails should look like and can alert employees to tiny differences in email addresses and even subtle deviations from their “normal” tone. Learn more about how Tessian prevents CEO Fraud at some of the world’s leading businesses. Read customer stories here. 4. $75 Million Belgian Bank Whaling Attack Perhaps the most successful social engineering attack of all time was conducted against Belgian bank Crelan. While Crelan discovered its CEO had been “whaled” after conducting a routine internal audit, the perpetrators got away with $75 million and have never been brought to justice. Crelan fell victim to “whaling” — a type of spear-phishing where the scammers target high-level executives. Cybercriminals frequently try to harpoon these big targets because they have easy access to funds. You can read more about whaling here: Whaling Email Attacks: Examples & Prevention Strategies. How to Prevent Whaling In defending against whaling attacks, the same principles apply as when defending against spear phishing and CEO Fraud. In addition to making sure employees – including senior executives – are trained on how to spot impersonation attacks, you need to implement email security solutions to detect and prevent successful inbound attacks.  To learn more about how Tessian bolsters training, reinforces policies and procedures, and stops threats – all without disrupting employee’s workflow – book a demo.  5. High-Profile Twitters Users’ Accounts Compromised After Vishing Scam In July 2020, Twitter lost control of 130 Twitter accounts, including those of some of the world’s most famous people — Barack Obama, Joe Biden, and Kanye West.  The hackers downloaded some users’ Twitter data, accessed DMs, and made Tweets requesting donations to a Bitcoin wallet. Within minutes — before Twitter could remove the tweets — the perpetrator had earned around $110,000 in Bitcoin across more than 320 transactions. Twitter has described the incident as a “phone spear phishing” attack (also known as a “vishing” attack). The calls’ details remain unclear, but somehow Twitter employees were tricked into revealing account credentials that allowed access to the compromised accounts. Following the hack, the FBI launched an investigation into Twitter’s security procedures. The scandal saw Twitter’s share price plummet by 7% in pre-market trading the following day. How to Prevent Vishing Vishing attacks typically utilize “Voice over Internet Protocol” (VoIP) technology in order to fake their caller ID. Attackers can also use “war diallers” to contact many people in a short period. The attack may start with a recorded message directing the target to call back. The key to protecting your business from vishing attacks is staff training. Ensure your employees understand what a vishing attack might sound like (the caller has an urgent tone or offers unexpected benefits), and make it clear that they should never respond to such a call. You can read more about vishing on our blog. 6. Texas Attorney-General Warns of Delivery Company Smishing Scam Nearly everyone gets the occasional text message that looks like it could be a potential scam. But in September 2020, one smishing (SMS phishing) attack became so widespread that the Texas Attorney-General put out a press release warning residents about it. Victims of this scam received a fraudulent text message purporting to be from a delivery company such as DHL, UPS, or FedEx. The SMS invited the target to click a link and “claim ownership” of an undelivered package. After following the link, the target was asked to provide personal information and credit card details. The Texas Attorney-General warned all Texans not to follow the link. He stated that delivery companies do not communicate with customers in this way, and urged anyone receiving the text message to report it to the Office of the Attorney General or the Federal Trade Commission. How to Prevent Smishing While 96% of phishing occurs via email, smishing is an increasingly serious threat to individuals and businesses. Consumer Reports claims that the Federal Trade Commission (FCC) received 93,331 complaints about fraudulent text messages in 2018 — a 30% increase from 2017. Smishing scams follow the same patterns as other social engineering attacks. Smishing text messages are typically urgent in tone, claiming that the target is in danger or a fine or have been the victim of credit card fraud. Or they may claim that the target has won a prize, or is owed a tax refund. So, how do you avoid falling victim to a scam? In the workplace, security teams should ensure employees exercise the same caution when responding to text messages as they do with emails.  Top tip: Never to respond to any suspicious message, click links within SMS messages, or reveal personal or company information via SMS. Prevent social engineering attacks in your organization While we’ve included three tips to help you detect social engineering attacks in this blog: What is Social Engineering? 4 Types of Attacks, it’s important to remember that these scams – whether delivered by email, text, or voicemail, are really, really hard to spot. That’s why technology is essential and where Tessian comes in. Powered by machine learning, Tessian Defender analyzes and learns from an organization’s current and historical email data and protects employees against inbound email security threats, including whaling, CEO Fraud, BEC, spear phishing, and other targeted social engineering attacks. Best of all, it does all of this silently in the background in real-time and, in-the-moment warnings help bolster training and reinforce policies. That means employee productivity isn’t affected and security reflexes improve over time. To learn more about how Tessian can protect your people and data against social engineering attacks on email, book a demo today.
Page