Spear Phishing

Get up to speed on the latest tips, guides, industry news and technology developments around phishing, spear phishing and Business Email Compromise.

Human Layer Security Spear Phishing
Phishing Awareness Training: How Effective is Security Training?
By Maddie Rosenthal
30 April 2021
Phishing awareness training is an essential part of any cybersecurity strategy. But is it enough on its own? This article will look at the pros and cons of phishing awareness training—and consider how you can make your security program more effective. Still wondering how big of a problem phishing really is? Check out this collection of 50+ phishing statistics.
✅ Pros of phishing awareness training

Employees learn how to spot phishing attacks

While people working in security, IT, or compliance are all too familiar with phishing, spear phishing, and social engineering, the average employee isn’t. The reality is, they might not have even heard of these terms, let alone know how to identify them. But, by showing employees examples of attacks – including the subject lines to watch out for, a high-level overview of domain impersonation, and the types of requests hackers will generally make – they’ll immediately be better placed to identify what is and isn’t a phishing attack.

Looking for resources to help train your employees? Check out this blog with a shareable PDF. It includes examples of phishing attacks and reasons why the email is suspicious.

It’s a good chance to remind employees of existing policies and procedures

Enabling employees to identify phishing attacks is important. But you have to make sure they know what to do if and when they receive one, too. Training is the perfect opportunity to remind employees of existing policies and procedures, for example who to report attacks to within the security or IT team. Training should also reinforce the importance of other policies, specifically around creating strong passwords, storing them safely, and updating them frequently. After all, credentials are the number one “type” of data hackers harvest in phishing attacks.

Security leaders can identify particularly risky and at-risk employees

By getting teams across departments together for training sessions and phishing simulations, security leaders will get a bird’s-eye view of employee behavior. Are certain departments or individuals more likely to click a malicious link than others? Are senior executives skipping training sessions? Are new starters struggling to pass post-training assessments?

These observations will help security leaders stay ahead of security incidents, can inform subsequent training sessions, and can help pinpoint gaps in the overall security strategy.

Training satisfies compliance standards

While you can read more about various compliance standards – including GDPR, CCPA, HIPAA, and GLBA – on our compliance hub, they all include a clause that outlines the importance of implementing proper data security practices. What are “proper data security practices”? This criterion has – for the most part – not been formally defined. But phishing awareness training is certainly a step in the right direction and demonstrates a concerted effort to secure data company-wide.

It helps organizations foster a strong security culture

In the last several years (due in part to increased regulation) cybersecurity has become business-critical. But it takes a village to keep systems and data safe, which means accountability is required from everyone to make policies, procedures, and tech solutions truly effective.

That’s why creating and maintaining a strong security culture is so important. While this is easier said than done, training sessions can help encourage employees – whether in finance or sales – to become less passive in their roles as they relate to cybersecurity, especially when gamification is used to drive engagement. You can read more about creating a positive security culture on our blog.
❌ Cons of phishing awareness training

Training alone can’t prevent human error

People make mistakes. Even if you hold a three-hour-long cybersecurity training session every day of the week, you’ll never be able to eliminate the possibility of human error. Don’t believe us? Take it from the U.K.’s National Cyber Security Centre (NCSC):

“Spotting phishing emails is hard, and spear phishing is even harder to detect. Even experts from the NCSC struggle. The advice given in many training packages, based on standard warnings and signs, will help your users spot some phishing emails, but they cannot teach everyone to spot all phishing emails.”

That’s right, even the U.K.’s top cybersecurity experts can’t always spot a phishing scam. Social engineering incidents—attacks that play on people’s emotions and undermine their trust—are becoming increasingly sophisticated. For example, using Account Takeover techniques, cybercriminals can hack your vendors’ email accounts and intercept email conversations with your employees. The signs of an account takeover attack, such as minor changes in the sender’s writing style, are imperceptible to humans.

Phishing awareness training is always one step behind

Hackers think and move quickly and are constantly crafting more sophisticated attacks to evade detection. That means that training that was relevant three months ago may not be today. In the last year, we’ve seen bad actors leverage COVID-19, Tax Day, furlough schemes, unemployment checks, and the vaccine roll-out to trick unsuspecting targets. What could be next?

Training is expensive

According to Mark Logsdon, Head of Cyber Assurance and Oversight at Prudential, there are three fundamental flaws in training: it’s boring, often irrelevant, and expensive. We’ll cover the first two below but, for now, let’s focus on the cost. Needless to say, the cost of training and simulation software varies vendor-by-vendor. But the solution itself is far from the only cost to consider.
What about lost productivity? Imagine you have a 1,000-person organization and, as a part of an aggressive inbound strategy, you’ve opted to hold training every quarter. Training lasts, on average, three hours. That’s 12,000 lost hours a year.  While – yes – a successful attack would cost more, we can’t forget that training alone doesn’t work. (See point 1: Phishing awareness training can’t prevent human error.)
Phishing awareness training isn’t targeted (or engaging) enough

Going back to what Mark Logsdon said: training is boring and often irrelevant. It’s easy to see why. You can’t apply one lesson to an entire organization – whether it’s 20 people or 20,000 – and expect it to stick. It has to be targeted based on age, department, and tech-literacy. Age is especially important. According to Tessian’s latest research, nearly three-quarters of respondents who admitted to clicking a phishing email were aged between 18 and 40 years old. In comparison, just 8% of people over 51 said they had done the same. However, the older generation was also the least likely to know what a phishing email was.

Jeff Hancock, the Harry and Norman Chandler Professor of Communication at Stanford University and expert in trust and deception, explained how tailored training programs could help.
Should I create a phishing awareness training program?

The short answer: “Yes”. These programs can help teach employees what phishing is, how to spot phishing emails, what to do if they’re targeted, and the implications of falling for an attack. But, as we’ve said, training isn’t a silver bullet. It will curb the problem, but it won’t prevent mistakes from happening. That’s why security leaders need to bolster training with technology that detects and prevents inbound threats. That way, employees aren’t the last line of defense. But, given the frequency of attacks year-on-year, it’s clear that spam filters, antivirus software, and other legacy security solutions aren’t enough. That’s where Tessian comes in.

How does Tessian detect and prevent targeted phishing attacks?

Tessian fills a critical gap in security strategies that SEGs, spam filters, and training alone can’t. By learning from historical email data, Tessian’s machine learning algorithms can understand specific user relationships and the context behind each email. This allows Tessian Defender to detect a wide range of impersonations, spanning more obvious, payload-based attacks to difficult-to-spot social-engineered ones like CEO Fraud and Business Email Compromise. Once detected, real-time warnings are triggered and explain exactly why the email was flagged, including specific information from the email. Best of all? These warnings are written in plain, easy-to-understand language.
These in-the-moment warnings reinforce training and policies and help employees improve their security reflexes over time. To learn more about how tools like Tessian Defender can prevent spear phishing attacks, speak to one of our experts and request a demo today. Not ready for a demo? Sign up for our weekly blog digest to get more cybersecurity content, straight to your inbox.
Spear Phishing
Smishing and Vishing: What You Need to Know About These Phishing Attacks
10 April 2021
Whether or not you’re familiar with the terms “smishing” and “vishing,” you may have been targeted by these attacks. This article will:
- Explain what smishing and vishing attacks are, and how they relate to phishing
- Provide examples of each type of attack alongside tips on how to identify them
- Discuss what you should do if you’re targeted by a smishing or vishing attack

Smishing, Vishing, and Phishing

Smishing and vishing are two types of phishing attacks, sometimes called “social engineering attacks.” While 96% of phishing attacks arrive via email, hackers can also use social media channels. Regardless of how the attack is delivered, the message will appear to come from a trusted sender and may ask the recipient to:
- Follow a link, either to download a file or to submit personal information
- Reply to the message with personal or sensitive information
- Carry out an action such as purchasing vouchers or transferring funds

Types of phishing include “spear phishing,” where specific individuals are targeted by name, and “whaling,” where high-profile individuals such as CEOs or public officials are targeted. All these hallmarks of phishing can also be present in smishing and vishing attacks.

What Is Smishing?
These messages often contain a link (generally a shortened URL) and, like other phishing attacks, they’ll encourage the recipient to take some “urgent” action, for example:
- Claiming a prize
- Claiming a tax refund
- Locking their online banking account

Example of a Smishing Attack

Just like phishing via email, the rates of smishing continue to rise year-on-year. According to Consumer Reports, the Federal Trade Commission (FTC) received 93,331 complaints about spam or fraudulent text messages in 2018 — an increase of 30% from 2017. Here’s an example of a smishing message:
The message above appears to be from the Driver and Vehicle Licensing Agency (DVLA) and invites the recipient to visit a link. Note that the link appears to lead to a legitimate website — gov.uk is a UK government-owned domain. The use of a legitimate-looking URL is an excellent example of the increasingly sophisticated methods that smishing attackers use to trick unsuspecting people into falling for their scams. Here’s another (slightly more humorous) example…
How to Identify a Smishing Attack

As we’ve said, cybercriminals are using increasingly sophisticated methods to make their messages as believable as possible. That’s why many thousands of people fall for smishing scams every year. In fact, in a study carried out by Lloyds TSB, participants were shown 20 emails and texts, half of which were inauthentic. Only 18% of participants correctly identified all of the fakes.

So, what should you look for? Just like a phishing attack via email, a smishing message will generally:
- Convey a sense of urgency
- Contain a link (even if the link appears legitimate, like in the example above)
- Contain a request for personal information

Other clues that a message might be from a hacker include the phone number it comes from (large institutions like banks will generally send text messages from short-code numbers, while smishing texts often come from “regular” 11-digit mobile numbers) and typos in the text.

If you’re looking for more examples of phishing attacks (which might help you spot attacks delivered via text message) check out these articles:
- How to Identify and Prevent Phishing Attacks
- How to Catch a Phish: A Closer Look at Email Impersonation
- Phishing vs. Spear Phishing: Differences and Defense Strategies
- COVID-19: Real-Life Examples of Opportunistic Phishing Emails

What Is Vishing?
Like targets of other types of phishing attacks, the victim of a vishing attack will receive a phone call (or a voicemail) from a scammer, pretending to be a trusted person who’s attempting to elicit personal information such as credit card or login details. So, how do hackers pull this off? They use a range of advanced techniques, including:
- Faking caller ID, so it appears that the call is coming from a trusted number
- Utilizing “war dialers” to call large numbers of people en masse
- Using synthetic speech and automated call processes

A vishing scam often starts with an automated message, telling the recipient that they are the victim of identity fraud. The message requests that the recipient calls a specific number. When doing so, they are asked to disclose personal information. Hackers then may use the information themselves to gain access to other accounts or sell the information on the Dark Web.

The Latest Vishing News: Updated August 2020

On August 20, 2020, the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) issued a joint statement warning businesses about an ongoing vishing campaign. The agencies warn that cybercriminals have been exploiting remote-working arrangements throughout the COVID-19 pandemic. The scam involves spoofing login pages for corporate Virtual Private Networks (VPNs), so as to steal employees’ credentials. These credentials can be used to obtain additional personal information about the employee. The attackers then use unattributed VoIP numbers to call employees on their personal mobile phones. The attackers pose as IT helpdesk agents, and use a fake verification process using stolen credentials to earn the employee’s trust. The FBI and CISA recommend several steps to help avoid falling victim to this scam, including restricting VPN connections to managed devices, improving 2-Step Authentication processes, and using an authentication process for employee-to-employee phone communications.
Example of a Vishing Attack

Again, just like phishing via email and smishing, the rates of vishing attacks are continually rising. According to one report, 49% of organizations surveyed were victims of a vishing attack in 2018.

Vishing made headlines most recently in July 2020 after the Twitter scam. After a vishing attack, high-profile users had their accounts hacked, and sent out tweets encouraging their followers to donate Bitcoin to a specific cryptocurrency wallet, supposedly in the name of charitable giving or COVID-19 relief. This vishing attack involved Twitter employees being manipulated, via phone, into providing access to internal tools that allowed the attackers to gain control over Twitter accounts, including those of Bill Gates, Joe Biden, and Kanye West. This is an example of spear phishing, conducted using vishing as an entry-point. It’s believed that the perpetrators earned at least $100,000 in Bitcoin before Twitter could contain the attack. You can read more cybersecurity headlines from the last month here.

How to Identify a Vishing Attack

Vishing attacks share many of the same hallmarks as smishing attacks. In addition to these indicators, we can categorize vishing attacks according to the person the attacker is impersonating:
- Businesses or charities — Such scam calls may inform you that you have won a prize, present you with an investment opportunity, or attempt to elicit a charitable donation. If it sounds too good to be true, it probably is.
- Banks — Banking phone scams will usually incite alarm by informing you about suspicious activity on your account. Always remember that banks will never ask you to confirm your full card number over the phone.
- Government institutions — These calls may claim that you are owed a tax refund or required to pay a fine. They may even threaten legal action if you do not respond.
- Tech support — Posing as an IT technician, an attacker may claim your computer is infected with a virus.
You may be asked to download software (which will usually be some form of malware or spyware) or allow the attacker to take remote control of your computer.

How to Prevent Smishing and Vishing Attacks

The key to preventing smishing and vishing attacks is security training. While individuals can find resources online, employers should be providing all employees with IT security training. It’s actually a requirement of data security laws, such as the General Data Protection Regulation (GDPR) and the New York SHIELD Act. You can read more about how compliance standards affect cybersecurity on our compliance hub. Training can help ensure all employees are familiar with the common signs of smishing and vishing attacks, which could reduce the possibility that they will fall victim to such an attack.

But what do you do if you receive a suspicious message? The first rule is: don’t respond. If you receive a text requesting that you follow a link, or a phone message requesting that you call a number or divulge personal information — ignore it, at least until you’ve confirmed whether or not it’s legitimate. The message itself can’t hurt you, but acting on it can.

If the message appears to be from a trusted institution, search for their phone number and call the institution directly. For example, if a message appears to be from your phone provider, search for your phone provider’s customer service number and discuss the request directly with the operator.

If you receive a vishing or smishing message at work or on a work device, make sure you report it to your IT or security team. If you’re on a personal device, you should report significant smishing and vishing attacks to the relevant authorities in your country, such as the Federal Communications Commission (FCC) or Information Commissioner’s Office (ICO).

For more tips on how to identify and prevent phishing attacks, including vishing and smishing, follow Tessian on LinkedIn or subscribe to our monthly newsletter.
Threat Intel Spear Phishing
Cybercriminals Take Advantage of Mass Unemployment in Phishing Scams
By Charles Brook
07 April 2021
The global COVID-19 pandemic has wreaked havoc on job markets. In the US, the unemployment rate stands at 6.2 percent and in the UK, it’s estimated that around 2.2 million people, or 6.5% of all workers, could be unemployed at the end of the year. Cybercriminals are taking note.

When Tessian researchers analyzed suspicious emails relating to ‘unemployment’ and terms associated with unemployment that were flagged by our inbound solution Tessian Defender, they saw a notable spike in suspicious emails related to unemployment and COVID-19 in the week of 24th February – the week in which President Biden announced the third round of stimulus checks, which would send billions of dollars to people without jobs. Our researchers also noted a spike in suspicious activity during the week of 8th March, which is when the COVID-19 stimulus checks started being received. They found that:
- In the week of 24th February, the number of suspicious unemployment and COVID-19 related emails was 40% higher than the weekly average of such emails detected since the start of 2021. The number of unemployment-themed emails alone was 16% higher than the weekly average.
- In the week of 24th February, the number of unemployment and COVID-19 related emails was 50% higher than the previous week.
- In the week of 8th March, the number of suspicious unemployment and COVID-19 related emails was 51% higher than the weekly average recorded since the start of 2021. The number of unemployment and COVID-19 related emails detected during this week was 69% higher than the previous week.

Over the last 12 months, cybercriminals have capitalized on the fear, uncertainty and doubt created by the global pandemic to make their scams as believable and convincing as possible.
At the start of 2021, for example, Tessian reported a surge in newly registered domains related to the vaccine roll-out and confirmed that a number of these websites were malicious and designed to harvest people’s financial information and account credentials. Now, cybercriminals are launching scams to prey on people who are vulnerable, out of work and urgently looking for relief. They are well aware that these individuals may be applying a little less scrutiny to the messages they receive – especially if the emails appear to have come from a legitimate and trusted sender.

How do unemployment scams work?

Here’s how a typical unemployment related scam works:
1. A fake job posting is listed on legitimate job sites. Often, scammers will target small businesses to spoof or impersonate, as it is less likely for these companies to monitor their job listings.
2. An applicant will respond to that ad and will be sent a generic email asking them to perform a task for the interview process. These phishing emails could contain malicious attachments that applicants are asked to download or links to fake websites that ask applicants to input sensitive or personal information. This information could then be used to commit identity fraud.
3. Scammers will also ask applicants to click on a link that refers them to a fake credit check website. Here, they will ask the applicant to share financial information or wire money.

Cybercriminals can also identify targets via social media sites like LinkedIn. A recent report from Tessian found that 93% of people share job updates online, and while it’s common for people to let their networks know that they’ve been laid off and are looking for jobs, they are also unknowingly giving cybercriminals the information they need to craft convincing social engineering attacks that are designed to steal personal information.

The FBI has released warnings of unemployment scams, disclosing that many U.S. citizens have been victimized by bad actors “impersonating the victims and using the victims’ stolen identities to submit fraudulent unemployment insurance claims online.” In fact, figures from a watchdog for the U.S. Department of Labor reveal that Americans have lost a shocking $63 billion of unemployment funds during the pandemic to improper payments and fraud, while the Illinois Department of Employment Security reports having stopped around 1.1 million claims involving identity theft in the past year. In many cases, victims don’t even realize they’ve been targeted until they later try to file for unemployment insurance benefits, receive a notification from the state unemployment insurance agency or even get notified by their employer that a claim has been filed while the victim is still employed.
What can you do to avoid falling victim to the scams?

It’s always worth remembering that an official government agency or state workforce agency (SWA) will not contact you out of the blue, asking you to apply for UI benefits via an email or a text. So if you do receive a message like this, then do not click on the links or comply with the actions. We also recommend that you:
- Inspect emails carefully. Look for the .gov URL in the sender’s email address and check that the sender’s email domain matches the sender’s name.
- Don’t click on anything unless it’s from a legitimate source. Verify the legitimacy of the sender by calling the organization or agency directly.
- Adopt two-factor authentication and try to not use the same password across different sites. Password generators like 1Password create unique passwords and protect them with encryption software.
- Monitor your bank accounts on a regular basis to check for any fraudulent activity.
Human Layer Security Spear Phishing
Types of Email Attacks Every Business Should Prepare For
01 April 2021
Email remains the number one tool of business communication. The email network is open to practically anyone—and its flexibility, reliability, and convenience mean it’s not going away any time soon. But for all its benefits, email can also be a vector for serious cyberattacks. Social engineering attacks like phishing can lead to data breaches, malware attacks, and billions of dollars in losses for businesses worldwide. This article will explain the major types of email attacks, provide some data on how common they are, and consider the devastating impact that email attacks can have on your business.

Types of email attacks

First, we’ll walk you through some of the most common types of email attacks.

Phishing

Phishing can mean one of two things:
- An “umbrella term” meaning any social engineering attack that takes place via email.
- A type of email attack where the attacker sends a lot of malicious emails in an untargeted way.

When we use “phishing” as an umbrella term, it refers to the most common type of email attack. Any malicious email that tries to trick you into clicking a link, opening a file, or taking any other action that causes harm, can be part of a phishing attack. All of the other types of email attacks we’ll look at below are forms of phishing, if we use the term in this broad way.

When we use “phishing” as a specific term, it means a “bulk” or “spray and pray” email attack, where the malicious email is sent to many unnamed recipients. Here’s an example:
What makes this a phishing email?
- There’s no addressee: It says “Hello,” not “Hello Rob.”
- The “update account now” button leads to a credential phishing page.
- Most importantly — Netflix didn’t send it!

Further reading:
⚡ What is Phishing?
⚡ Spam vs. Phishing: The Difference Between Spam and Phishing
⚡ How Easy is it to Phish?
⚡ How to Avoid Falling For a Phishing Attack | 6 Useful Tips

Spear phishing

Spear phishing is an email attack targeting a specific individual. So, whereas bulk phishing uses a net — sending emails to as many potential victims as possible — spear phishing uses a spear to target one specific victim. Again, spear phishing can also be an umbrella term, in that there are lots of different types of spear phishing attacks. Some of the examples below, including Business Email Compromise (BEC) and CEO fraud, are almost always spear phishing attacks. Why? Because whenever a phishing attack targets a specific individual, it’s a spear phishing attack. Here’s an example:
What makes this a spear phishing email?
- It targets a specific person.
- The “click here” link leads to a credential phishing website.
- Most importantly — you guessed it — DHL didn’t send it!

Further reading:
⚡ What is Spear Phishing?
⚡ What’s the Difference Between Phishing and Spear Phishing?
⚡ Spear Phishing: Screenshots of Real Email Attacks

Business Email Compromise (BEC)

Business Email Compromise (BEC) is any phishing attack where the attacker uses a hacked, spoofed, or impersonated corporate email address. In the sense that the attacker is impersonating a business, the Netflix and DHL examples above are both BEC attacks. But we normally use “BEC” to refer to a more sophisticated form of email attack. For example, one of the biggest cyberattacks of all time is an example of BEC. Between 2013 and 2015, a Latvian cybercrime gang headed by Evaldas Rimasauskas scammed Facebook and Google out of around $121 million by impersonating their suppliers and sending fake invoices via email.

Further reading:
⚡ What is Business Email Compromise (BEC)?
⚡ 5 Real Examples of Business Email Compromise
CEO fraud In a CEO fraud attack, the attacker impersonates a company executive and targets a less senior employee. Here’s an example:
What makes this a CEO fraud attack?
- The sender’s email address impersonates a real company executive (note the method here is email impersonation — ”microsott.com” — but other methods such as email spoofing are also common).
- The sender (“Leon”) puts a lot of pressure on the recipient (Tess). Stressed people make poor decisions.
- The attack involves wire transfer fraud. While not all CEO fraud attacks involve wire transfer fraud, this is a very common tactic.

Further reading:
⚡ What is CEO Fraud?
⚡ CEO Fraud Prevention: 3 Effective Solutions

How common are email attacks?

Email attacks are on the rise, and are now extremely common.
- According to the FBI’s Internet Crime Complaint Center (IC3), phishing incidents more than doubled from 2019 to 2020, costing victims over $54 million in direct losses.
- Verizon says 22% of breaches in 2019 involved phishing.
- Around 75% of organizations around the world experienced some kind of phishing attack in 2020.

Want more data on phishing and other email attacks? See our article Phishing Statistics (Updated 2021).

Consequences of email attacks

What are the main consequences of email attacks on businesses and their customers?
- Data breaches: Attackers use techniques such as credential phishing to exfiltrate your customers’ personal information. Data breaches can attract investigations, regulatory fines, and class-action lawsuits. IBM estimates that the average data breach costs a business $3.86 million.
- Malware: Some email attacks aim to deposit a malicious payload on the recipient’s device. This payload is normally some form of malware, for example: a virus, which can infect other devices on your network; spyware, which can log your keystrokes and online activity; or ransomware, which encrypts your valuable data and demands you pay a ransom to get it back.
- Wire transfer fraud: Spear phishing attacks—particularly if they involve BEC or CEO fraud—often attempt to persuade the target into transferring funds into a bank account controlled by the attacker. And it really works—that’s why the FBI calls BEC “the $26 billion scam”.
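The CEO fraud example above turns on a lookalike sender domain (“microsott.com” standing in for microsoft.com), and the unemployment-scam article earlier on this page gives the matching manual check: look at the sender’s domain and confirm it matches the name the sender claims. The script below is an added example written for this page, not Tessian’s code and not a description of how Tessian Defender works. It applies three of those checks to a From header: a sender domain within two edits of a protected brand domain, a display name that claims a protected organization while the address uses some other domain, and a claimed government sender whose domain does not end in .gov. The PROTECTED table and the sample headers are constructed for the demonstration (only “microsott.com” comes from the article).

```python
"""Sender-address checks for lookalike and mismatched domains.

Added example for this page; not Tessian's code. The protected-domain
table and the sample From headers below are constructed for the demo.
"""
from email.utils import parseaddr

# Assumed policy data: protected brand domains and the words a display
# name would contain if it claimed to be that organization.
PROTECTED = {
    "microsoft.com": ("microsoft",),
    "irs.gov": ("irs", "internal revenue"),
    "dhl.com": ("dhl",),
    "netflix.com": ("netflix",),
}

MAX_EDITS = 2  # domains this close to a protected one are treated as lookalikes


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def base_domain(address: str) -> str:
    """Last two labels of the address domain ('mail.example.com' -> 'example.com').

    Simplification: multi-label public suffixes such as co.uk are not handled.
    """
    if "@" not in address:
        return ""
    domain = address.rpartition("@")[2].lower()
    return ".".join(domain.split(".")[-2:])


def analyse_sender(from_header: str) -> list[str]:
    """Return the findings for one From header; an empty list means no concern."""
    name, address = parseaddr(from_header)
    base = base_domain(address)
    if not base:
        return ["no sender address"]
    if base in PROTECTED:
        return []  # the address really uses the brand's own domain
    findings = []
    lowered = name.lower()
    for legit, keywords in PROTECTED.items():
        edits = edit_distance(base, legit)
        if edits <= MAX_EDITS:
            findings.append(f"lookalike domain {base!r} is {edits} edit(s) from {legit!r}")
        if any(word in lowered for word in keywords):
            findings.append(f"display name {name!r} claims {legit!r} but the address uses {base!r}")
            if legit.endswith(".gov") and not base.endswith(".gov"):
                findings.append("claims to be a government agency without a .gov domain")
    return findings


# Constructed sample headers: the first reuses the lookalike domain from the
# CEO fraud example above; the rest are invented for this demonstration.
SAMPLES = [
    "Leon <leon@microsott.com>",
    "Internal Revenue Service <refunds@intrernal-revenue.com>",
    "DHL Express <noreply@dhl.com>",
    "Fast Tax <support@fasttax.as>",
]


def scan(headers=SAMPLES) -> dict[str, list[str]]:
    """Run the checks over a batch of From headers."""
    return {header: analyse_sender(header) for header in headers}


if __name__ == "__main__":
    for header, findings in scan().items():
        print(header, "->", findings or ["no findings"])
```

Two of the four samples come back clean: the genuine dhl.com sender, and the “Fast Tax” address, which is not a protected brand at all. That second case is deliberate: a domain check like this only covers organizations you have chosen to protect, which is why the articles pair it with the other signs (urgency, unexpected links, an unusual top-level domain) rather than relying on it alone.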
Spear Phishing
Everything You Need to Know About Tax Day Scams 2021
By Maddie Rosenthal
23 March 2021
It’s that time of year again…Tax Day. But, making a payment to the IRS isn’t the only thing you need to be worried about. ‘Tis the season for tax day scams. These phishing attacks can take many different forms. In the US, these attacks will use the deadline (May 17, 2021 – extended from April 15, 2021) to file your income tax returns as bait. In the UK, these attacks will use your potential tax refund as bait.  But we’re here to help.  Here’s what you need to look out for and what to do in case you’re targeted by Tax Day scams. 
What do Tax Day scams look like?
As is the case with other phishing and spear phishing attacks, bad actors will be impersonating trusted brands and authorities and will be – in some way – motivating you to act. Want to learn more about impersonation or get a better idea of what the average phishing attack looks like? Check out these articles:
What is Phishing? Phishing 101
What is Spear Phishing? The Difference Between Phishing and Spear Phishing
What is Email Impersonation?

Please note: In this article, we’re exploring Tax Day scams on email. You may also receive phone calls or text messages from bad actors, claiming that you’re being investigated for tax fraud or have an overdue bill. They may also simply request more information from you, like your name and address, or bank account details. You shouldn’t give any of this information away over the phone. Government organizations will never call you or use recorded messages to demand payment.

Now, let’s take a closer look at how they do both through a series of examples.

Example 1: IRS Impersonation
What’s wrong with this email?
The IRS has said they never contact taxpayers by email, so any correspondence “from” them is illegitimate
There is an extra “r” in “internal” in the sender’s email address
Email addresses from government agencies will always contain the top-level domain “.gov”
There are spelling errors and inconsistencies in the text that you wouldn’t expect from a government agency

Example 2: Tax-Preparation Software Impersonation
What’s wrong with this email?
While the sender’s email address does contain the company name (Fast Tax), the top-level domain name (.as) is unusual
The sender is motivating the target to follow the embedded link by claiming their tax return is incomplete
Upon hovering over the link, you’ll see the URL is suspicious. Please note, though: a suspicious URL can still take you to a landing page that appears legitimate. These are called malicious websites. Want to learn how to spot a malicious website? Check out this article.

Example 3: HMRC Impersonation
What’s wrong with this email?
While the Display Name, email template, logos, and language used in the email seem consistent with HMRC, the sender’s email address contains the top-level domain “.net” instead of “.gov.uk”
Upon hovering over the link, you’ll see the URL is suspicious

Example 4: Client Impersonation
What’s wrong with this email?
Unfortunately, in this case, there are no obvious giveaways that this is a phishing scam. However, if Joe, the tax accountant in this scenario, knew he hadn’t met or interacted with a woman named Karen Belmont, that could be a warning sign
Individuals and organizations should always be wary of attachments and should have anti-malware and/or virus protection in place
This example demonstrates the importance of having policies in place to verify clients beyond email. And remember, there’s nothing wrong with being extra cautious this time of year.

Example 5: CEO Impersonation
What’s wrong with this email?
The sender’s email address (@supplier-xyz.com) is inconsistent with the recipient’s email address (@supplierxyz.com)
The attacker is impersonating the CEO, hoping that the target will be less likely to question the request; this is a common social engineering tactic
The attacker is using urgency both in the subject line and the email copy to motivate the target to act quickly
Because this is a zero-payload attack (an attack that doesn’t rely on a link or attachment to carry malware), anti-malware or anti-virus software wouldn’t detect the scam

You can learn more about CEO impersonation (also called CEO fraud) in this article: What is CEO Fraud?

Who will be targeted by Tax Day scams?
From the examples above, you can see that cybercriminals will target a range of people with their Tax Day scams. Taxpayers, tax professionals, and businesses are all susceptible, and savvy hackers will use different tactics for each. Here’s what you should look out for.

Taxpayers
Attackers will be impersonating trusted government agencies like the IRS and HMRC and third-parties like tax professionals and tax software vendors
Attackers will use coercive language and the threat of missed deadlines or promises of refunds to motivate their targets to act
Many phishing emails contain a payload; this could be in the form of a malicious link or attachment. For more information on payloads, read this article: What is a Malicious Payload and How is it Delivered?

Tax Professionals
Attackers will be impersonating either existing clients/customers or prospects. In either case, they’ll be pretending they need help with their tax return or tax refund
Attackers will use the lure of new business or the threat of losing a customer to motivate their targets to act
Many phishing emails contain a payload; this could be in the form of a malicious link or attachment.
Businesses
Attackers will be impersonating CEOs, HR representatives, Finance Directors, or other individuals or agencies who need access to sensitive tax information
Attackers are strategic in their impersonations of people in positions of power; people are less likely to question their superiors.

What do I do if I’m targeted by a Tax Day scam?
While it’s true that attackers use different tactics and capitalize on different moments in time to trick their targets, individuals and businesses should always follow the same guidelines if they think they’ve received a phishing email.
First and foremost, always, always, always check the sender. Confirm that the domain is legitimate and that the Display Name matches the email address. Be wary of any emails that aren’t from a “.gov” address. If anything seems unusual, do not follow or click links or download attachments
Check for spelling errors or formatting issues. Be scrupulous! If anything feels off, proceed cautiously. (See below.)
If the email appears to come from an individual you know and trust, like a colleague, customer, or client, reach out to the individual directly by phone, text or a separate email thread
If you’re an employee who’s been targeted, contact your line manager and/or IT team. Management should, in turn, warn the larger organization

The best way to avoid falling victim to one of these scams is to simply not provide any personal information until you verify with 100% certainty that you’re communicating with a genuine agency, organization, or agent. Visit the organization’s website via Google or your preferred search engine, find a support number, and ask them to confirm the request for information is valid.
More resources
As a security start-up, we’re committed to helping you stay safe. If you’re looking for more information on Tax Day scams, consult the following government websites.
Advice from the IRS
Advice from HMRC
Looking for more advice about scams? Sign-up to our newsletter below to get articles just like this, straight to your inbox.
Spear Phishing
Why Law Firms are Falling for Phishing Attacks
By Cai Thomas
17 March 2021
According to the FBI, phishing was the most common type of cybercrime in 2020—and phishing incidents nearly doubled in frequency, from 114,702 incidents in 2019, to 241,324 incidents in 2020. And, while businesses across industries are vulnerable, law firms are especially lucrative targets. They handle an incredible amount of sensitive information, from medical and financial data to merger and acquisition (M&A) data.

Spear phishing is a problem law firms have to tackle to avoid the devastating consequences of successful attacks: for example, a damaged reputation, lost client trust, and regulatory penalties. But, worryingly, the Solicitors Regulation Authority (SRA) has stated that it is unrealistic to expect staff to identify all phishing emails. So what can you do? We break down four tactics employed by hackers, and offer tips on how to protect your firm.

1. Hackers are leveraging publicly available information
Spear phishing attacks are sophisticated impersonation attempts. Of course, the more believable the impersonation, the more successful the attack. To avoid raising any red flags and boost their chances of success, hackers do their homework by gathering publicly available information about a firm, its employees, and counterparties. LinkedIn, OOO messages, and even a firm’s own website make it easy, especially given the fact that any lawyer regulated by the SRA must legally ensure their contact details are publicly available online. With this information at their fingertips, criminals are quickly able to understand the most effective strings to pull. Falling for the deception, some firms have unknowingly transferred anything between £5,000 and £1m to cybercriminals. By the time these law firms realized they’d been successfully attacked, it was too late. Learn more about how hackers leverage social media for business email compromise (BEC) in our latest research report: How to Hack a Human.

What can you do?
Make sure employees understand how the information they share can be used against them, and implement strict approval processes for wire transfers.

2. Hackers choose their targets carefully
While every attack is different, there are some specific departments and individuals that are targeted more frequently than others. Let’s start with new joiners. They’re fresh into the firm, may not be familiar with internal structure or policies, and are keen to prove themselves. But this could be their – and your firm’s – downfall. One firm, for example, experienced an unfortunate incident whereby a new Finance Manager – just two months into the job – was fooled into transferring £60,000 to an impersonated supplier.

But it’s not just new joiners that you need to be wary of. Leavers, too, pose a threat. A quick update on LinkedIn tells opportunist criminals that a person is switching firms. All they have to do is create a freemail account, impersonate the leaver, and request credentials/documents or request to change their bank details.

What can you do?
For new starters, make security awareness training a priority and include it as a part of onboarding. For leavers, create foolproof off-boarding processes and systems to verify the identity of freemail contacts.

3. Hackers will build rapport
Oftentimes, bad actors will start emails with trivial subjects such as ‘How was your weekend?’ or ‘Do you have five minutes?’ in order to test a firm’s security. These introductory emails have no URL, attachment, or payload included; they sail through a firm’s legacy defenses and SEGs, and don’t immediately appear suspicious to the target. In one particular incident, an email was sent to a law firm, supposedly from the ‘Managing Partner’, asking recipients to meet him at the local shop – you’d be surprised how many lawyers actually waited outside a nearby shop! The reason for this technique? It allows them to identify weak spots and deliver the real attack email a few weeks later.
Alternatively, if criminals find that they don’t get a bite from the initial bait email, they will likely move on.

What can you do?
Show employees a range of spear phishing examples and explain what social engineering is (and why it’s so effective).

4. Hackers will impersonate a person in a position of authority
In a number of cases, lawyers have been fooled by emails supposedly from the High or Supreme Court. These emails will include a malicious link to a ‘new legal case’. We see similar tactics used in consumer attacks. For example, hackers will impersonate a tax authority or law enforcement agency. This tactic is especially effective because these government organizations are trusted, reputable, and may even elicit fear. Targets will inherently want to comply, and fast.

What can you do?
Teach employees to inspect domains and URLs, and to spot those that are illegitimate or malicious. But even that may not be enough…

Protect your people with Human Layer Security
Cybercriminals are using sophisticated impersonation techniques to deceive unwitting victims into transferring finances or handing over credentials. And they’re only becoming more sophisticated. That means that, while training employees to spot phishing attacks and implementing strict policies can help, they’re not enough. Many organizations rely on rule-based phishing solutions. These will certainly protect your firm from some of the weak-form phishing attacks and impersonation techniques attackers are using, but these legacy tools can’t detect or prevent the strong-form impersonation and social engineering attacks that are becoming more prevalent across the legal sector. Tessian Defender can, though. Here’s how:
Tessian’s machine learning algorithms analyze your company’s email data, learn every employee’s normal communication patterns, and map their trusted email relationships — both inside and outside your organization.
Tessian inspects inbound emails for any suspicious or unusual content, both in the body of the email and the metadata. For example, payloads or anomalous domains, geophysical locations, IP addresses, email clients, or sending patterns.
Tessian alerts employees when an email might be unsafe with easy-to-understand, contextual warnings.

Post adapted from an article that originally appeared in Information Age.
Spear Phishing
How to Prevent Email Impersonation | What You Can Do Now
16 March 2021
Email impersonation is a key method cybercriminals use to conduct phishing attacks. That’s because this technique is simple, accessible, and can evade many conventional security defenses. By switching out characters in an email address, using false display names, or securing top-level domains in the name of legitimate businesses, cybercriminals can impersonate your employees, vendors, or business partners — and they can do so pretty convincingly. Looking for more background on what exactly email impersonation is? We explore the definition and different types of email impersonation in this article: What is Email Impersonation? Everything You Need to Know. This article will guide you through how to recognize and combat email impersonation attacks.
We also have guidance on defending against related cybercrimes such as email spoofing, Business Email Compromise, and CEO fraud.

Employee security awareness training
Security leaders understand how important it is to involve the whole team in a company’s cybersecurity strategy. That’s why every security-conscious organization has an employee training program that helps staff to recognize signs of a phishing attack. But, it’s important your security awareness training is tailored, engaging, and consistently reinforced. Want more tips? Check out this article: The 7 Deadly Sins of Security Awareness Training.

And – regardless of how tailored and engaging your training is – security awareness training can’t be your only defense against social engineering — many of the more sophisticated attacks just aren’t detectable by humans. Nonetheless, a security awareness program can help your team spot the more obvious signs of danger and understand the importance of cybersecurity.

Signs of email impersonation
Your employees should be able to realize when something suspicious is occurring. Email impersonation can be tricky to spot, but it usually is detectable — if you’re paying attention. So what are the signs to look out for that indicate email impersonation? Let’s take a look at some of the different ways a cybercriminal could impersonate Elon Musk, CEO of Tesla, whose email (we’ll imagine) is elon.musk@tesla.com:
As you can see, cybercriminals have several options for impersonating an email address. Employees should look out for signs such as:
Replacement characters (1 = l, a = 4, o = 0, etc.)
Obscure or unexpected top-level domains
Suspicious subdomains
Incorrect domains associated with the username
Display names that don’t correspond with the supposed sender
We look at these email impersonation techniques in more detail in our article What Is Email Impersonation?

Signs of a phishing attack
Beyond recognizing the signs of email impersonation, employees must be aware of the more general signs of a phishing attack, which include:
A sense of urgency: Social engineering attacks depend on exploiting the target’s emotions. A phishing email will normally use a very urgent tone.
Incorrect branding: Some phishing emails attempt to imitate a company’s logos or branding. Although this is relatively easy, amateur cybercriminals can get it wrong.
Poor spelling or grammar: Spelling and grammar errors are normally a sign of a phishing email, particularly if the fraudster is imitating an established business.
Bear in mind that most sophisticated phishing emails don’t contain any of these giveaways. And you can’t always expect your employees to notice when they’re under threat. We share five real-world examples of phishing attacks in this blog, which could help you educate your employees about what to look out for.

Deploy email security software
As we’ve seen, email impersonation can be challenging for humans to spot. That’s why deploying an intelligent inbound email security solution is key to preventing email impersonation. As your team switches to remote work, security software is more important than ever. Microsoft research shows that 80% of security professionals saw an increase in security incidents since employees started working from home.
But traditional security solutions like Secure Email Gateways (SEGs) and spam filters can’t protect your employees against many email impersonation attacks. Tessian Defender uses machine learning, anomaly detection, behavioral analysis, and natural language processing to detect even the most subtle signs of email impersonation and phishing.

Here’s how Tessian Defender works:
Tessian’s machine learning algorithms analyze your company’s email data. The software learns each employee’s usual communication patterns and maps their trusted email relationships — both inside and outside your organization.
Tessian inspects both the content and metadata of inbound emails for any signals suggestive of email impersonation or other phishing attacks, such as suspicious payloads, geophysical locations, IP addresses, email clients, or sending patterns.
Once it detects a threat, Tessian alerts employees that an email might be unsafe, explaining the threat in easy-to-understand language.

Click here to learn more about how Tessian Defender protects your team from email impersonation and other cybersecurity attacks. You can also explore our customer stories to see how they’re using Tessian Defender to protect their people on email and prevent social engineering attacks like phishing. Not ready to learn more about the solution? That’s okay! Sign-up for our newsletter below instead. You’ll be the first to know about new research and events and get helpful checklists and how-to guides straight to your inbox.
Spear Phishing
What is Email Impersonation? Everything You Need to Know
16 March 2021
Email impersonation might not be the most sophisticated phishing method, but it’s simple, it’s widespread, and it can be devastating. Keep reading to learn more.

Email impersonation vs. email spoofing vs. account takeover
First, we need to describe “email impersonation” and distinguish it from some closely-related concepts.
Email impersonation: The attacker sets up an email address that looks like a legitimate email address (e.g. bill.gates@micr0soft.com).
Email spoofing: A technical process where the attacker modifies an email’s headers so the receiving email client displays a false email address (the sender’s email address is “fraudster@cybercrime.com,” but the recipient sees “billgates@microsoft.com” in their inbox).
Account takeover: The attacker gains access to another person’s account (using hacking or stolen credentials) and uses it to send phishing emails.
Email spoofing and account takeover require some technical ability (or, at least, access to the dark web). With email impersonation, though, the attacker just needs to secure a domain that looks like it could belong to a legitimate business. This is easy (and cheap!) with domain registrars like GoDaddy. We explore different types of impersonation techniques below.

Phishing methods that use email impersonation
Cybercriminals can use email impersonation to facilitate any type of email-based phishing attack. There are some types of phishing in which email impersonation is particularly common, including:
Business Email Compromise (BEC) — Impersonating a business
CEO fraud — Impersonating a company executive and targeting one of their employees
Whaling — Targeting a company executive
These are all among the more sophisticated and targeted types of phishing attacks. These types of attacks must employ email impersonation, email spoofing, or account takeover to be successful.

Types of email impersonation
Now we’ll look at the various ways a cybercriminal can impersonate an email address.
To understand these, you’ll need to know about the different parts of an email address:
Each of these elements of an email address is relevant to a different type of email impersonation.

Root domain-based email impersonation
A company’s root domain is usually the most distinctive part of its email address. It’s the part immediately before the top-level domain (e.g. “.com”) — the “Amazon” in “info@amazon.com”. Root domain impersonation involves creating a root domain using replacement characters, so it looks like an email has arrived from a legitimate company. Here’s an example:
In this root domain impersonation, the attacker has replaced the “l” in “external” and “supplier” with a “1”. At first glance, the recipient might not notice this, and they might treat the email as though it has come from “External Supplier.”

Top-level domain-based email impersonation
The top-level domain is the part after the root domain: e.g., “.com”, “.jp”, or “.net”. The top-level domain usually denotes a country or a type of organization. For example:
.com — Commercial organizations
.uk — Internet country code for the UK
.gov — US government agency
Sometimes, a second-level domain accompanies a top-level domain:
.co.uk — Commercial organization from the UK
.ac.jp — Higher education institution from Japan
.waw.pl — Organization from Warsaw, Poland
Using top-level domain impersonation, a cybercriminal can create an authentic-looking email address that the recipient might assume belongs to a legitimate organization (if they even notice it). Here’s an example:
Here we have “externalsupplier.io” imitating “externalsupplier.com”. The top-level domain “.io” is actually registered to British Indian Ocean Territory (BIOT), but Google recognizes it as “generic” because many non-BIOT organizations use it.

Subdomain-based email impersonation
A subdomain appears after the “@” sign, but before the root domain. For example, in “info@mail.amazon.com”, the subdomain is “mail”. Most email addresses don’t have a subdomain. An attacker can use subdomains to impersonate a legitimate company in two main ways:
Using a company’s name as a subdomain to the attacker’s domain. For example, in “info@amazon.mailerinfo.com”, “amazon” is the subdomain and “mailerinfo” is the domain.
Splitting a company’s name across a subdomain and domain.
Here’s an example of the second type of subdomain impersonation:
Display name impersonation
A display name is how an email client shows a sender’s name. You can choose your display name when you sign up for an email account. We explore display name impersonation in more detail in this article: How to Impersonate a Display Name.

Display name impersonation exploits a bad habit of mobile email clients. On mobile, common email clients like Outlook and Gmail only display a sender’s display name by default. They don’t display the sender’s email address. So, even an email address like “cybercriminal@phishing.com” might show as “Amazon Customer Services” in your mobile email client — if that’s the display name that the attacker selected when setting up the account.

But this isn’t a mobile-only problem. According to new research, just 54% of employees even look at the email address of a sender before responding or actioning a request. This is good news for attackers, and bad news for businesses. You can learn more about employees’ habits – and hackers’ tactics – in this report: How to Hack a Human.

Username impersonation
The username is the part of the email address that appears before the “@” symbol. For example, in “bill.gates@microsoft.com”, the username is “bill.gates”. Username impersonation is the least sophisticated form of email impersonation, but it can still work on an unsuspecting target. This technique is sometimes called “freemail impersonation,” because scammers can register false usernames with Gmail or Yahoo. With this technique, they can create accounts that look like they could belong to your CEO, CFO, or another trusted person in your network. Here’s an example:
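The signs listed earlier (replacement characters, odd top-level domains, suspicious subdomains, mismatched display names) and the five impersonation types above can be turned into a sender check that a mail filter or triage script runs on the From header. This is an added example, not Tessian's code; the trusted domains, known contacts, freemail list, leet table and second-level suffix list are constructed assumptions.

```python
"""Heuristic sender checks for the email impersonation types described above.

Added example, not Tessian's code. The trusted domains, known contacts,
freemail list, leet table and suffix list below are constructed assumptions.
"""
from email.utils import parseaddr

# Constructed: domains this organisation treats as its own or as known partners.
TRUSTED_DOMAINS = {"tesla.com", "externalsupplier.com", "amazon.com"}
# Constructed: display names of known senders and the address each really uses.
KNOWN_CONTACTS = {"elon musk": "elon.musk@tesla.com"}
# Constructed: providers where anyone can register a lookalike username.
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com"}
# Constructed: two-label suffixes treated as one top-level domain (co.uk, ac.jp ...).
SECOND_LEVEL = {"co.uk", "gov.uk", "ac.jp", "waw.pl"}
# Replacement characters from the article: 1 = l, 4 = a, 0 = o (plus 3 = e, 5 = s).
LEET = str.maketrans({"1": "l", "4": "a", "0": "o", "3": "e", "5": "s"})


def split_address(addr):
    """Return (username, subdomain labels, root domain, tld) for user@sub.root.tld."""
    username, _, host = addr.lower().rpartition("@")
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL:
        return username, labels[:-3], labels[-3], ".".join(labels[-2:])
    if len(labels) >= 2:
        return username, labels[:-2], labels[-2], labels[-1]
    return username, [], host, ""


def normalize(label):
    """Undo character replacement and hyphen insertion (supplier-xyz -> supplierxyz)."""
    return label.translate(LEET).replace("-", "").replace("_", "")


def edit_distance(a, b):
    """Levenshtein distance; catches one-character typosquats such as an extra letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(from_header, trusted=TRUSTED_DOMAINS, contacts=KNOWN_CONTACTS):
    """Return a list of impersonation findings for a From header value.

    An empty list means no heuristic fired; it does not prove the sender is genuine.
    """
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable sender address"]
    user, sub, root, tld = split_address(addr)
    domain = f"{root}.{tld}"
    display_key = " ".join(display.lower().split())
    compact_display = display_key.replace(" ", "").replace(".", "")
    findings = []

    if domain not in trusted:
        for t in sorted(trusted):
            _, _, t_root, t_tld = split_address("x@" + t)
            if root == t_root and tld != t_tld:
                # externalsupplier.io standing in for externalsupplier.com
                findings.append(f"top-level domain impersonation of {t}")
            elif root != t_root and (
                normalize(root) == normalize(t_root) or edit_distance(root, t_root) == 1
            ):
                # externa1supp1ier, micr0soft, supplier-xyz, an extra "r" in "internal"
                findings.append(f"root domain impersonation of {t}")
            if t_root in sub or "".join(sub + [root]) == t_root:
                # amazon.mailerinfo.com, or the name split as external.supplier.io
                findings.append(f"subdomain impersonation of {t}")
            if t_root in compact_display:
                # "Amazon Customer Services" shown for cybercriminal@phishing.com
                findings.append(f"display name references {t} from untrusted domain")

    if display_key in contacts and contacts[display_key].lower() != addr.lower():
        findings.append(f"display name impersonation of {contacts[display_key]}")
    if domain in FREEMAIL and any(user == c.split("@")[0] for c in contacts.values()):
        # elon.musk@gmail.com: a known username registered with a freemail provider
        findings.append("freemail username impersonation")
    return findings


if __name__ == "__main__":
    # Constructed sample From headers, one per technique in the article.
    for header in [
        "Elon Musk <elon.musk@tesla.com>",
        "Elon Musk <elon.musk@tes1a.com>",
        "External Supplier <billing@externalsupplier.io>",
        "<info@amazon.mailerinfo.com>",
        "Amazon Customer Services <cybercriminal@phishing.com>",
        "Elon Musk <elon.musk@gmail.com>",
    ]:
        print(f"{header!r}: {assess_sender(header) or 'no findings'}")
```

The one-character edit-distance rule is deliberately loose: on very short root domains it will flag unrelated neighbours, so treat findings as triage signals for a human or a scoring model, not as a block decision.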
More resources on email impersonation
Now you know the basic techniques behind email impersonation, read our articles on preventing email impersonation, CEO fraud, and Business Email Compromise to find out how to protect your business from these cyberattacks. You can also learn how Tessian detects and prevents advanced impersonation attacks by reading our customer stories or booking a demo. Not quite ready for that? Sign-up for our newsletter below instead. You’ll be the first to know about new research and events and get helpful checklists and how-to guides straight to your inbox.
Spear Phishing
What is Whaling? Whaling Email Attacks Explained
12 March 2021
Let’s jump straight into it…
Wondering why cybercriminals often target the boss, rather than someone lower down the chain of command? The answer is simple: Senior staff members have the greatest power, access, and influence in a company. This article will look at how whaling works, and how it fits into the broader cybercrime landscape. Then we’ll take a look at some real examples of whaling attacks.

How whaling works
First, it’s important to understand that whaling is a type of phishing attack. And, broadly speaking, there are two types of phishing attacks.
Phishing “in bulk” is like using a trawl net. Cast your net wide — by sending as many phishing emails as you can — and you’re likely to catch quite a few unfortunate minnows.
With spear phishing, you aim your spear — or email — at a specific fish (er, person). Targets are carefully chosen, and emails are carefully crafted with the specific target in mind. Be patient, be smart, and you might catch something valuable.
So what about whaling? Well, whaling is a type of spear phishing. Whales — or company executives — are the biggest fish in the sea: They’re hard to catch, but if you manage to harpoon one, you could make a lot of money. Scroll down the page for examples of whaling, and you’ll see what we mean. Okay — whales are mammals, not fish… but you get our point.

A company executive is the ultimate prize for cybercriminals. The boss can access information and resources that no other employee can reach.

Why target company executives?
Ultimately, a CEO or CFO is just as likely to fall victim to a social engineering attack as any other employee. In fact, they’re arguably even more likely to do so. A whaling attack email usually asks the target to make a high-pressure decision. Here’s an example of the type of email a company executive might receive as part of a whaling attack:
If the boss is busy, stressed, or overworked (and hopefully they’re busy, at least), they’re more vulnerable to these types of cyberattacks. Tessian research suggests that more than half of employees felt they were more likely to make mistakes at work when they were stressed. Furthermore, higher-level employees have greater access to money and data: the two things cybercriminals want most.

Whaling vs. other types of cyberattack
How does whaling fit into the cybercrime landscape? There are many types of cybercrime. Some are interrelated; others frequently get conflated. As we mentioned, whaling is a type of spear phishing: a phishing attack targeted at a specific individual — in this case, a company executive. Here are some types of cyberattacks that can involve whaling, if they specifically target a company executive:
Business Email Compromise (BEC): A phishing attack that uses a compromised corporate email address.
Wire transfer phishing: A phishing attack involving invoice fraud.
Credential phishing: A phishing attack aiming to steal login credentials
Smishing: Phishing via SMS
Vishing: Phishing via voice (e.g., via phone or VoIP software)
In other words, a whaling attack can also be a wire transfer phishing attack, for example — if the attacker aims to persuade the target to transfer money into a bank account they control.

Whaling sometimes gets conflated with another important type of cybercrime: CEO fraud. Here’s the difference: In a CEO fraud attack, the attacker impersonates a company executive and targets someone less senior. In a whaling attack, the company executive is the target. Of course, there can be some crossover between these two phishing techniques, too — where a cybercriminal impersonates one company executive and targets another. This occurred in 2017, in a scam that resulted in a $17 million loss for commodities trading company Scoular.
Examples of whaling
Here are some examples of businesses that fell victim to whaling attacks, to give you an idea of how damaging this type of cybercrime can be.

Hedge fund co-founder targeted via Zoom
In November 2020, the co-founder of Australian hedge fund Levitas Capital followed a fake Zoom link that installed malware on its network. The attackers attempted to steal $8.7 million using fraudulent invoices. In the event, they only got away with $800,000. But the reputational damage was enough to lose Levitas its biggest client, forcing the hedge fund to close.

Aerospace firm fires CEO after $58 million whaling loss
The CEO of Austrian aerospace company, FACC, was fired for his part in a whaling attack that cost the company around $58 million in 2016. A statement from the company said the CEO, Walter Stephen, had “severely violated his duties” by allowing the attack to occur.

Small business owner loses $50,000
Whaling doesn’t just mean big companies losing millions of dollars — small businesses are affected, too. In an interview with NPR, “Mark,” the owner of a small real-estate firm, discussed how he fell victim to a targeted account takeover attack. In this sophisticated cyberattack, a hacker interrupted Mark’s email conversation with his partner, seizing the opportunity to divert a bank transfer for $50,000.

How to Prevent Whaling
Now you understand the dangers of whaling, you might be wondering how you can avoid falling for whaling attacks or – better yet – prevent whaling attacks from landing in your inbox in the first place. Your best bet? In addition to security awareness training, intelligent email security software. To learn more about how Tessian solves the problem, check out our customer stories or book a demo. Or, if you’d rather learn more about whaling and be the first to hear about the latest attacks, sign up for our newsletter. (Just fill in the short form below.)
Spear Phishing
Spear Phishing Examples: Real Examples of Email Attacks
By Maddie Rosenthal
04 March 2021
75% of organizations experienced some kind of phishing attack in 2020. Of those attacks, almost all (96%) arrived via email. So, what does a phishing attack look like? We’ve rounded up 5 REAL examples of spear phishing attacks, all detected (and prevented) by Tessian Defender. See those alerts at the top of each email? These are Defender’s in-the-moment warnings that explain exactly why the email has been flagged as suspicious.

If you’re looking for more information about phishing, check out these resources:
What is Phishing?
What is Spear Phishing?
Must-Know Phishing Statistics: Updated 2021
Phishing vs. Spear Phishing
What Does a Spear Phishing Email Look Like?

Example 1: The attacker is encouraging the target to sign an “updated employee handbook” 📋
Let’s break down this spear phishing attack. In this example, the attacker is pretending to be an HR employee. But, the sender’s email address <[REDACTED]@ntlworld.com> does not match the domain of the target. In the email, the attacker is claiming that the target needs to sign a new employee handbook, and provides a link, which leads to an online Word document. 
This document prompts the target to click on another link, which leads the user to a fake O365 login page. The goal: to gain access to the target’s login credentials. This is called credential phishing. The attacker is using social engineering tactics to motivate the user to act now. For example, noting that “20% of employees have already accepted” and “we are all required to review and sign an acknowledgement of the handbook upon receipt of this email”. COVID-19 is also used as a pretext for sending the handbook in the first place, which gives legitimacy to their request.

Further reading:
⚡ COVID-19: Real-World Examples of Opportunistic Phishing Attacks
⚡ How Hackers Are Exploiting the COVID-19 Vaccine Rollout

Example 2: The email is a spoof of an MS Teams notification 🔔
Let’s break down this spear phishing attack. In this example, the attacker is leveraging a fake notification from a trusted platform – Microsoft Teams – instead of impersonating a trusted person/team. The goal? Credential theft. If the user clicks on the “Reply in Teams” button, they’ll be led to a fake login page. If they enter their details, their account will be compromised. And, if the employee uses the same password for multiple accounts (which 85% of employees do), the bad actor could have access to multiple systems.
Note: Instead of seeing “xxxxxx”, the target would see their email address. Not only does this increase the legitimacy of the webpage and make the user feel like they’ve logged in before, it also reduces the friction for the user to move on to the next step, which will be entering their password. If you actually did use Microsoft Teams at work, you’d have no reason to believe this is suspicious or malicious. The email looks like the real deal and was likely templated from a genuine notification. The email itself is a domain spoof, and spoofs the target’s own email address. This is particularly clever because – well – it’s not implausible that Microsoft Teams would actually send emails “from” the user’s own email address.

Further reading:
⚡ What is Email Spoofing? How Does Email Spoofing Work?

Example 3: The attacker is pretending to be a new starter 👋🏾
Let’s break down this spear phishing attack. In this example, the attacker is pretending to be a new starter at the target’s company’s outsourced HR management firm. This is an especially effective social engineering tactic that preys on human kindness. Who doesn’t want to help out a newbie?  The language in the email is also quite informal and friendly; this will make the target feel comfortable and lower their guard.  At face value, the email address <edwards@[REDACTED].com> isn’t suspicious. But, it may raise red flags for the target if he or she hasn’t heard from anyone with that domain before. But only 54% of employees say they look at the sender’s email address before responding to an email or actioning a request.  The attacker is trying to encourage the target to click on a link to preview a PDF urgently – “in the next two hours”. Tessian Defender has also flagged that this is a bitly link. Bad actors often use these shortened URLs to make it more difficult for the target to know what website they’ll be taken to if they do click.  Of course, the link doesn’t lead to a PDF. It leads to a malicious website. If the target were to click the download button, malware would likely be deployed.
Example 4: The email claims to be verifying account activity on GoDaddy ✅
Let’s break down this spear phishing attack. In this example, the attacker is impersonating GoDaddy – the world’s largest domain registrar, with over 40 million domain names under its management. While GoDaddy appears in the Display Name and several times in the body of the email (including a logo), and there aren’t any obvious spelling errors or grammar mistakes, a savvy employee would notice that the sender’s email address <[REDACTED]@hotmail.com> doesn’t match. Remember, though: most employees don’t examine email addresses before responding or actioning a request. Again, the name of the game here is credential phishing. If the target follows the link to “prove they’re the account holder” they’ll be sent to a fake GoDaddy sign-in page. If they enter their login details, their credentials will be compromised. This is an especially dangerous attack because – if an employee’s login credentials for GoDaddy were compromised – the attacker could (quite literally) take over your website. They could steal your customers’ data or even use your website to host other phishing websites.

Example 5: The email appears to be sent from the company’s Microsoft File Sharing service 📎
Let’s break down this phishing attack. Again, in this example, the attacker is leveraging a fake notification from Microsoft. This time, though, it’s from the Microsoft File Sharing service. Unsurprisingly, the attacker is after the target’s credentials. (This is called credential phishing, remember?) If the user clicks on the “Preview Online” button – a malicious link – they’ll be taken to a lookalike website. If the target does input their credentials, they won’t log in to Microsoft File Sharing. Instead, the details will be sent directly to the hacker, who will then have easy access to the user’s account. Notice that the notification is well-formatted and looks like a genuine email from Microsoft. There aren’t any obvious spelling or grammar errors. The average person would likely fall for this attack. The “[REDACTED], FIY” note was included on purpose. The attacker is trying to pique the target’s interest. Wouldn’t you want to know what the message said? The more curious and emotional we get, the more likely we are to click a link without thinking of security. Did you know? Microsoft is one of the most impersonated brands in phishing attacks. Find out who else makes the list.
Spear Phishing
Phishing vs Spear Phishing: Phishing and Spear Phishing Examples
23 February 2021
Phishing and spear phishing are both “social engineering” cyberattacks. In both types of attacks, a cybercriminal impersonates a trustworthy person and tricks their target into revealing login credentials, installing malware, or making a wire transfer.
Think of it this way:  Phishing is like catching fish using a line — you cast your rod into the water and see what bites.  With spear phishing, you choose the fish you want and aim the spear right at it. Note: This distinction is a big deal, affecting how you detect, mitigate, and prevent both types of attacks.
What is phishing?

As we explained in our article “What Is Phishing?,” the term “phishing” can mean two things:
An umbrella term covering many types of cyberattacks
A specific type of cyberattack: an untargeted social engineering attack, conducted via email

In the first instance, “phishing” can refer to cyberattacks including:
Business Email Compromise: A phishing attack utilizing an impersonated, spoofed, or hacked business email address
Wire transfer phishing: A phishing attack that attempts to trick the target into making a fraudulent transfer to the attacker
Smishing: Phishing via SMS
Vishing: Phishing via voice, e.g., phone or VoIP software

In the second, specific sense, phishing means a social engineering attack (conducted via email) with no specific target. We sometimes call this “spray-and-pray” phishing. The cybercriminal sends as many emails as they can in the hope that someone falls for their scam. But don’t be fooled: phishing attacks aren’t necessarily amateurish operations.

What is spear phishing?

Spear phishing is a targeted phishing attack. The target receives an email that addresses them directly — by name. Any type of targeted phishing attack is a “spear phishing” attack, including:
Whaling: A spear phishing attack targeting a company executive
CEO fraud: A spear phishing attack where the fraudster impersonates a company’s CEO and targets another of the company’s employees.

But spear phishing is broader than this: if a Business Email Compromise attack, wire transfer phishing attack — or any other type of phishing attack — targets a specific individual, it’s a spear phishing attack. Looking for more information about spear phishing? Check out this article: What is Spear Phishing? Targeted Phishing Attacks Explained.

Phishing vs. spear phishing examples

Now we’re going to look at some phishing attacks and spear phishing attacks side-by-side so you can understand the differences.
The two emails below demonstrate the essential difference between phishing and spear phishing:
This is an example of a “bulk” phishing email. It doesn’t address the target by name and doesn’t contain any personal information. But, because it appears to come from a trusted brand (Netflix) someone is likely to click the link. 
This is an example of a spear phishing email: CEO fraud, to be precise. The attacker has exploited a professional relationship to elicit feelings of urgency and trust — the CEO urgently needs a favor and requests an employee to pay an invoice to an unknown account. But the “CEO” is a cybercriminal who controls the “new account.”

These examples should help you better understand the difference between phishing and spear phishing:
Phishing succeeds by sheer volume: send a fraudulent email out to enough people and someone will fall for it eventually.
Spear phishing succeeds through more sophisticated methods: send one fraudulent email containing personal information to a specific individual.

Looking for more resources? We explore phishing, spear phishing, and other social engineering attacks in greater detail in the following articles:
Phishing 101: What is Phishing?
What is Spear Phishing? Targeted Phishing Attacks Explained
Spear Phishing Examples: Real Examples of Email Attacks
How to Hack a Human: How Attackers Use Social Media to Craft Targeted Spear Phishing Campaigns
Spear Phishing
What is Spear Phishing? Targeted Phishing Attacks Explained
22 February 2021
Tessian’s mission is to secure the human layer by empowering people to do their best work, without security getting in their way.
This article will look at the different types of spear phishing, explain how a spear phishing attack works, and explore how common spear phishing is. If you’d rather learn more about phishing, check out this article: Phishing 101: What is Phishing?

Types of spear phishing attacks

Spear phishing attacks vary according to technique, target, and goal. But, here are some types of cyberattacks that involve spear phishing:
Whaling: A spear phishing attack targeting a company executive
CEO fraud: A spear phishing attack where the fraudster impersonates a company executive

Here are some cyberattacks that usually involve spear phishing:
Business Email Compromise (BEC): A phishing attack using an impersonated, spoofed, or hacked corporate email account.
Wire transfer phishing: A phishing attack involving invoice fraud
Credential phishing: A phishing attack targeting login credentials

Whenever these attacks are targeted at a specific person, they’re considered a spear phishing attack. If the attack isn’t targeted at an individual, we just call it a “phishing attack.” Struggling to understand the difference? We explain it – in detail – in this article: Phishing vs Spear Phishing: Differences and Defense Strategies.

How does spear phishing work?

Most spear phishing attacks arrive via email. In fact, email is the medium of choice for around 96% of phishing attacks. However, cybercriminals also launch phishing attacks via social media, SMS (“smishing”), and phone or VoIP (“vishing”). But, let’s stay focused and look at a couple of examples of spear phishing attacks. This will help you understand how this type of cybercrime works. First, the all-too-common “delivery service” spear phishing attack. According to Check Point, shipping company DHL was the second-most impersonated brand in spear phishing attacks throughout Q4, 2020. Here’s how a spear phishing email impersonating DHL might look:
There are a few things to note about this spear phishing email:
It addresses the target by name. This increases the email’s persuasiveness right off the bat.
It contains authentic logos and branding. DHL’s real emails look a lot like this.
The links lead to DHL’s actual website.

But don’t be fooled:
The sender’s email address is “info@dhl_deliveries.com.” This might look like an authentic DHL address, but it’s a crude impersonation attack.
The “track your delivery” link leads to a credential phishing website.

The DHL-style scam is a simple but effective form of spear phishing that typically targets individuals. Wondering what other brands are frequently impersonated? Check out this article (+ infographic!): Phishing Statistics (Updated 2021). Spoiler: LinkedIn, Amazon, IKEA, and Google almost made the top 10.

Let’s look at a more sophisticated example of spear phishing that targets a business instead of a consumer:
There are some similarities between this email and the DHL scam:
Both target specific people
Both use authentic logos

But these factors make our second example more persuasive:
The sender’s email address is real. Hackers can use account takeover methods to compromise real email accounts, or they can use email spoofing techniques to trick email clients into displaying bogus information.
It references “real-world” personal information. Tessian research shows that 90% of people post personal information on social media — this is gold dust for hackers.
It conveys a sense of urgency and exploits the target’s trust (“counting on you”). People make bad decisions under pressure.

Spear phishing is becoming more refined and advanced all the time, so it’s easy to see why people keep falling for it. If you want help spotting a potential spear phishing attack, we’ve rounded up four red flags here. If you’re a security or business leader, this is a great resource to share with your employees that complements security awareness training.

How common is spear phishing?

Rates of spear phishing have been climbing consistently over the past decade. Research suggests, in 2019:
88% of organizations faced spear phishing attacks
65% of US organizations suffered a successful spear phishing attack (55% worldwide)
19% of organizations faced more than 50 spear phishing attempts

Note that these statistics refer to the period before the big migration to remote-working in 2020. There’s evidence that, as employees have moved into less secure working environments, cybercrime has increased considerably. Microsoft’s 2021 New Future of Work report found that:
80% of security professionals said security incidents had increased since the start of the pandemic.
62% of these said phishing campaigns showed the biggest increase.

So, what’s the upshot of all this? Spear phishing damages people’s privacy, exposes confidential data, and causes major financial losses.
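The red flags called out in the five Defender examples earlier on this page (a sender on a consumer webmail domain, a display name claiming a brand the sender domain does not belong to, a From address that spoofs the target's own address, a shortened link, urgency wording) and the lookalike “info@dhl_deliveries.com” sender above are all mechanically checkable. The script below is an added example written for this page, not Tessian's code and no part of Defender; the brand-domain, webmail and shortener lists are illustrative assumptions, and the sample messages and addresses are constructed to mirror the examples in the text.

```python
import re
from dataclasses import dataclass

# Brands impersonated in the examples above, mapped to the domains they genuinely
# send from. These lists are illustrative assumptions, not a vetted allowlist.
BRAND_DOMAINS = {
    "godaddy": {"godaddy.com"},
    "dhl": {"dhl.com"},
    "microsoft": {"microsoft.com"},
    "netflix": {"netflix.com"},
}
# Consumer webmail providers: an HR team or vendor notification should not use them.
FREEMAIL = {"hotmail.com", "gmail.com", "ntlworld.com", "outlook.com", "yahoo.com"}
# Link shorteners that hide the real destination from the reader.
SHORTENERS = {"bit.ly", "bitly.com", "tinyurl.com"}
# Pressure phrases the examples use to make the target act without thinking.
URGENCY = ("urgent", "in the next", "immediately", "required to", "counting on you")

ADDR_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")
URL_RE = re.compile(r"https?://([^/\s]+)", re.I)


@dataclass
class Email:
    display_name: str
    sender: str     # From: address
    recipient: str  # To: address
    subject: str
    body: str


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if it is not a single address."""
    m = ADDR_RE.match(addr.strip().lower())
    return m.group(1) if m else ""


def brands_in(text):
    """Set of known brand names mentioned in a piece of text."""
    t = text.lower()
    return {b for b in BRAND_DOMAINS if b in t}


def assess(email):
    """Return the list of red flags found in one message (empty means none)."""
    flags = []
    sdom = domain_of(email.sender)
    if sdom in FREEMAIL:
        flags.append("sender uses consumer webmail domain")
    # Display name or subject claims a brand the sender domain does not belong to.
    for b in brands_in(email.display_name) | brands_in(email.subject):
        if sdom not in BRAND_DOMAINS[b]:
            flags.append(f"claims to be {b} but sender domain is {sdom}")
    # Sender domain contains a brand name without being a genuine brand domain.
    for b, legit in BRAND_DOMAINS.items():
        if b in sdom and sdom not in legit:
            flags.append(f"sender domain {sdom} looks like {b} but is not a known {b} domain")
    # From: set to the recipient's own address (the self-spoof in Example 2).
    if email.sender.strip().lower() == email.recipient.strip().lower():
        flags.append("From: address equals the recipient's own address (self-spoof)")
    # Shortened links hide where a click will land.
    for host in URL_RE.findall(email.body):
        if host.lower() in SHORTENERS:
            flags.append(f"shortened link ({host}) hides its destination")
    text = f"{email.subject} {email.body}".lower()
    if any(k in text for k in URGENCY):
        flags.append("urgency language")
    return flags


# Constructed samples modelled on the examples in the text; addresses and URLs are fictitious.
SAMPLES = {
    "handbook": Email("HR Team", "hr.team@ntlworld.com", "jane.doe@example-corp.com",
                      "Updated employee handbook",
                      "We are all required to review and sign the handbook: https://docs.example-host.test/hb"),
    "teams": Email("Microsoft Teams", "jane.doe@example-corp.com", "jane.doe@example-corp.com",
                   "You have a new message", "Reply in Teams: https://teams-login.example.test/"),
    "new_starter": Email("Edwards", "edwards@hr-vendor.example", "jane.doe@example-corp.com",
                         "Quick favour", "Could you preview this PDF in the next two hours? https://bit.ly/3xxxxxx"),
    "godaddy": Email("GoDaddy", "support@hotmail.com", "jane.doe@example-corp.com",
                     "Verify account activity",
                     "Prove you are the account holder immediately: https://godaddy-verify.example.test/"),
    "dhl": Email("DHL Express", "info@dhl_deliveries.com", "jane.doe@example-corp.com",
                 "Your parcel is on hold", "Track your delivery: https://dhl_deliveries.com/track"),
    "benign": Email("Acme IT", "it@example-corp.com", "jane.doe@example-corp.com",
                    "Monthly newsletter", "This month's updates: https://intranet.example-corp.com/news"),
}


def triage():
    """Run every sample through assess() and return {name: flags}."""
    return {name: assess(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, flags in triage().items():
        print(f"{name}: {flags or 'no red flags'}")
```

Each check is deliberately cheap and explainable, so a flag can be surfaced to the reader as a banner rather than silently dropping the message; the benign sample shows that an internal notice from the company's own domain with a plain intranet link produces no flags at all.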
The FBI reports that financially-motivated Business Email Compromise (BEC), which almost always involves spear phishing, caused direct losses of over $1.8 billion in 2020.
According to Verizon research, spear phishing is a major cause of data breaches. In the long-term, losing control of your customers’ data can be even more costly than losing money. IBM puts the average cost of a data breach at $3.86 million, rising to $8.64 million in the US.
The biggest known spear phishing scam of all time, targeted at Google and Facebook, resulted in over $100 million in losses over a two-year period.

Want to know how to protect your business against this serious type of cybercrime? Read our article on how to prevent phishing to find out. Evaluating anti-phishing solutions? Learn more about how Tessian Defender detects and prevents the most advanced spear phishing attacks by reading some of our customer stories or booking a demo.