Spear Phishing
How Hackers Are Exploiting The COVID-19 Vaccine Rollout
By Laura Brooks
16 February 2021
Where there is uncertainty, there are cybercriminals. And the uncertainty surrounding the roll-out of the Covid-19 vaccine is creating the perfect environment for cybercriminals and their phishing scams.

According to new Tessian research, 2,697 new website domains related to the Covid-19 vaccine were registered between 5 December 2020 and 10 January 2021. Many of these domains impersonate legitimate healthcare websites, tout misinformation around injection side effects, and falsely claim to offer guidance around the timing and logistics of distribution to dupe people. Some of the newly registered domains were confirmed as malicious. Tessian researchers found specific examples of domains that impersonate a legitimate O365 login page and Apple ID login page. These pages have been designed to steal people’s account credentials.

22% of the live domains take advantage of a technique called “typo-squatting”, where one or two letters of a word are changed in the hope that people make mistakes when typing the website into the URL bar or simply miss the typo when landing on the page. One example of this is covidvaccime.com.

Why do newly registered domains pose a threat?
The NHS recently issued a warning about scam emails that invite people to click on fake invitations to “register” for the vaccine. However, no registration is actually required for the real vaccine. The fake website, the BBC reports, also asks people for their bank details either to verify identification or to make a payment. Often, scammers will register new domains to lure people to a page after they’ve clicked a link in a phishing email. Tessian researchers found that many of the vaccine-related websites contain online forms designed to harvest financial or healthcare information and, in some cases, steal people’s account credentials.
For example, some of the confirmed-malicious websites impersonate an Office 365 or Apple ID page and prompt people to log in and share their username and password.

People urgently want to find out things such as when they will get the vaccine and where they can receive the jab, and many more want to research and understand potential side effects. As we’ve seen throughout the pandemic, cybercriminals are capitalizing on people’s desire for more information and are finding ways to trick people into clicking on links to fake websites or entering their valuable details.
Who is most at risk from the vaccine scams?
Anyone who is eligible for the vaccine, and anyone who is looking for information about the vaccine roll-out, should be wary about the websites they land on. For example, concerns have been raised over U.S. health officials’ use of ticketing website Eventbrite to schedule vaccination appointments. Health departments have warned citizens of scams whereby fraudulent Eventbrite websites have been created, while The Tampa Bay Times reported that people had been charged money for vaccination slots that turned out to be fake.

One of the main concerns surrounding vaccine scams is how hackers will target older generations, those at the top of the list for the vaccine. A Tessian report published in 2020, The Psychology of Human Error, found that people over 55 years old were the least likely to know what a phishing email was. Awareness is crucial; people must think twice before responding to these messages and be sceptical of emails or websites requesting payment or personal information at this time.
Vaccine scams: what to look out for
Be wary of emails purporting to come from healthcare organizations asking you to click on links to ‘find out more’. Always check the sender name and address in order to verify the sender’s identity, particularly if you have received the email on your phone. It’s also important to question any websites that request personal data. Domains that spoof government healthcare websites, like the Centers for Disease Control and Prevention (CDC), are especially dangerous, as bad actors could potentially steal extremely sensitive information such as Social Security numbers and health information like insurance or medical history details. At a time when phishing scams are rife, always think twice before entering your personal information online and remember: if it doesn’t look right, it probably isn’t.
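The typo-squatting described above can be hunted for mechanically. The following is an added example, not code from the Tessian post: it triages a constructed feed of newly registered domains against a constructed watchlist, flagging labels within a couple of edits of a protected name (covidvaccime.com is the only domain taken from the post; the rest are made up).

```python
"""Added example (not from the Tessian post): triage a feed of newly
registered domains against a watchlist of legitimate names, the way a
defender might hunt for look-alikes such as covidvaccime.com."""

# Constructed sample feed. Only covidvaccime.com comes from the post; the
# rest are made up for illustration.
NEW_DOMAINS = [
    "covidvaccime.com",            # typo-squat of covidvaccine.com
    "covid-vaccine-register.net",  # keyword-bearing, not a typo-squat
    "cdc-vaccine-info.org",        # borrows a government agency name
    "nhs-vaccine-login.com",
    "example.org",                 # unrelated
]

# Constructed watchlist: registrable labels / brand tokens worth protecting.
WATCHLIST = ["covidvaccine", "cdc", "nhs", "covid", "vaccine"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) with a rolling row."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete
                           cur[j - 1] + 1,              # insert
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """'covidvaccime.com' -> 'covidvaccime'. Naive: no public-suffix list,
    so 'foo.co.uk' would yield 'co'; good enough for this illustration."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain: str, watchlist=WATCHLIST, max_distance: int = 2):
    """Return (verdict, matched_brand).

    typosquat      label is within max_distance edits of a watchlist name
    brand-keyword  a watchlist name appears as a hyphen-separated token
    clean          neither
    """
    label = registrable_label(domain)
    best = None
    for brand in watchlist:
        d = levenshtein(label, brand)
        if 0 < d <= max_distance and (best is None or d < best[0]):
            best = (d, brand)
    if best:
        return "typosquat", best[1]
    tokens = label.split("-")
    for brand in watchlist:
        if brand in tokens:
            return "brand-keyword", brand
    return "clean", None


def triage(domains):
    """Map every domain in the feed to its verdict."""
    return {d: classify(d) for d in domains}


if __name__ == "__main__":
    for dom, (verdict, brand) in triage(NEW_DOMAINS).items():
        print(f"{dom:30} {verdict:14} {brand or ''}")
```

Short watchlist names (like "cdc") will match many three-letter labels at distance 1, so tune max_distance per entry before running this over a real feed.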
Spear Phishing
COVID-19: Screenshots of Phishing Emails
15 February 2021
Immediately after the outbreak of COVID-19, there was a surge in opportunistic phishing attacks in which hackers leveraged the pandemic to dupe targets into following links, downloading attachments, or otherwise divulging sensitive information. Wondering what to look out for? We break down 4 emails below, including impersonations of Zoom, HR, and a VPN provider. Looking for examples of spear phishing attacks that don’t leverage COVID-19? Check out this article instead.

Phishing Email #1: Your CEO is Waiting for You
What’s wrong with this email?
The Display Name (zoom_meeting@tessian.com) and the email address do not match. The actual sender address is fd29eaab47504bfa8bd773ee581bc7d4@tessian.com.
The attacker, who sent the email on a Friday afternoon, is hoping that the target will a) be motivated to respond quickly to a meeting request from the CEO and b) be less scrutinizing and security-conscious as it’s the end of the week.
The target is being encouraged to click on a seemingly legitimate Zoom link, which would likely lead to a malicious site or could deploy malware.
Upon hovering over the provided link, you’ll find the URL is actually different from what the hyperlink would lead you to believe.
The closing of the email is suspicious: “This message is from your company’s IT.”
NB: This phishing email is a direct spoof and was prevented because of DMARC; it was automatically sent to a Spam folder. If you haven’t set your DMARC records correctly, these emails will fly past existing defenses.
Phishing Email #2: Generic Zoom Spoof
What’s wrong with this email?
The Display Name (tessian.com ZoomCall) and the email address do not match, but the attacker is hoping the recipient doesn’t look beyond the sender Display Name.
The conference call time and date in the email subject line seem to have already passed, based on when the attack was received. Note this email was received at 3:22am, so it would likely be the first email the recipient reads in the morning.
The email contains the message “Zoom will only keep this message for 48 hours.” Combined with the subject line, this adds a sense of urgency and could potentially convince the recipient they’ve missed something important and should quickly try to remedy it.
The target is being encouraged to click on a seemingly legitimate Zoom link, which would likely lead to a malicious site or could deploy malware.

We’ve been pulling together guidance and resources to help employees and businesses stay safe while working remotely. If you suspect you’ve been targeted by a phishing attack, do not click any links or download attachments. Instead, directly contact the sender via phone or a messaging app to confirm the legitimacy of the email, and immediately alert your IT or security team.
Phishing Email #3: The Attacker is Capitalizing on Fear Around COVID-19
What’s wrong with this email?
The Display Name (Information Unit) and the email address do not match at all. (What’s more, ‘Information Unit’ is not a genuine internal group at Tessian.)
The attacker, who sent the email late-afternoon on a Friday, is no doubt hoping that the target, our marketing team, is less scrutinizing and security-conscious as the week comes to a close, especially when employees across the globe are working from home.
The target is being encouraged to download an attachment, which opens a fake login page to steal the victim’s credentials.
The email is rife with spelling and grammar errors as well as formatting inconsistencies, and the unconcerned, mechanical language is out of character for anyone in management, especially given the content of the email.
The attacker used complex encoding to try to evade traditional phishing detection tools that scan for certain keywords in the email’s body. How? By interspersing invisible characters between the visible ones, so that the raw content looks like gibberish to a keyword scanner while rendering normally to the reader. Below is a screenshot of the encoding in the email body for reference. Here, you see the characters marked “transparent”; those are the invisible characters.
Phishing Email #4: The Attacker Baits the Target With a Remote-Working Tool
What’s wrong with this email?
The Display Name (Helpdesk_admin@tessian.com) and the email address are in stark contrast. This sender’s email address is a direct spoof of the domain (tessian.com).
The attacker is taking advantage of the fact that many employees around the world are now suddenly working from home and in need of remote-working tools. Therefore, targets are more likely to trust that their employer has, in fact, set them up for a remote connection provided by a VPN vendor.
The way this email is constructed, with poor grammar and an impersonal tone, makes it obvious to a Tessian employee that this is not legitimately from our IT manager.
The target is being encouraged to follow a link, which looks inconspicuous. But, upon hovering, you’ll see that the link the target will actually be led to is suspicious.
Important: Because Tessian has DMARC enabled, emails that spoof our domain are automatically sent to “quarantine”. That means the email was never actually received by the target and instead went straight to a spam folder. Unfortunately, though, a lot of companies don’t have DMARC enabled. In fact, nearly 80% of domains have no DMARC policy.

Now that you know what these opportunistic phishing emails look like, what do you do if you’re targeted? That is, after all, what’s really important when it comes to preventing a data breach.

What to Do If You’re Targeted by a Phishing Attack
If anything seems unusual, do not follow or click links or download attachments. Instead, visit the brand’s website via Google or your preferred search engine, find a support number, and ask them to confirm whether the communication is valid. If the email appears to come from someone you know and trust, like a colleague, reach out to the individual directly by phone, Slack, or a separate email thread. Rest assured, it’s better to confirm and proceed confidently than the alternative. If you’re an employee who’s been targeted, contact your line manager and/or IT team.

You can download this advice in PDF format (perfect for sharing with peers and friends!) here.

Further Reading:
⚡ Tax Day Scams
⚡ The US Census Scams
⚡ Stimulus Checks Scams
⚡ Vaccine scams
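Two of the tells above can be checked automatically: a Display Name that is itself an address or domain disagreeing with the real sender, and invisible characters spliced into the body to defeat keyword scanning. The following is an added example, not Tessian’s code; the zoom_meeting@tessian.com / fd29eaab… addresses are the ones quoted in the post, while the zoom-invite.example address, the sample body and the assumption that the padding uses Unicode format characters are constructed for illustration.

```python
"""Added example (not Tessian's code): two checks prompted by the emails
above, run over constructed headers and a constructed body.

1. Display-name mismatch: the From: display name is itself an address or a
   domain (as in "zoom_meeting@tessian.com" or "tessian.com ZoomCall") that
   does not agree with the real sender address.
2. Invisible-character padding: drop zero-width / format code points before
   keyword scanning, so padded text still matches. This assumes the padding
   is done with Unicode format characters, one common way to do it.
"""
import re
import unicodedata
from email.utils import parseaddr

KEYWORDS = ("password", "verify your account", "login", "urgent")

# Constructed body: "Please verify your account password now." with six
# U+200B ZERO WIDTH SPACE characters spliced into the words.
SAMPLE_BODY = "Please v\u200be\u200bri\u200bfy your acc\u200bount p\u200bassw\u200bord now."


def strip_invisible(text: str) -> str:
    """Remove characters in Unicode category Cf (format): ZWSP, ZWNJ, ZWJ,
    word joiner, BOM, soft hyphen... all of which render as nothing."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")


def invisible_ratio(text: str) -> float:
    """Share of invisible characters; a high share is a signal on its own."""
    return 0.0 if not text else 1 - len(strip_invisible(text)) / len(text)


def naive_hits(body: str) -> list:
    """What a scanner sees if it matches on the raw text."""
    low = body.lower()
    return [k for k in KEYWORDS if k in low]


def keyword_hits(body: str) -> list:
    """Same scan after normalisation."""
    return naive_hits(strip_invisible(body))


# Something in a display name that reads as an address or a bare domain.
ADDR_LIKE = re.compile(r"[\w.+-]+@[\w.-]+\w|\b[\w-]+\.(?:com|org|net|io)\b", re.I)


def display_name_check(from_header: str) -> dict:
    """Flag a From: header whose display name claims a different identity
    than the address actually carries."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    actual_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    tokens = [m.group(0).lower() for m in ADDR_LIKE.finditer(name)]
    claimed_addr = next((t for t in tokens if "@" in t), None)
    claimed_domain = (claimed_addr.rsplit("@", 1)[-1] if claimed_addr
                      else next((t for t in tokens if "@" not in t), None))
    reason = None
    if claimed_addr and claimed_addr != addr:
        reason = "display name is an address that differs from the real sender"
    elif claimed_domain and claimed_domain != actual_domain:
        reason = "display name names a domain that is not the sender's domain"
    return {"name": name, "address": addr,
            "claimed": claimed_addr or claimed_domain,
            "suspicious": reason is not None, "reason": reason}


if __name__ == "__main__":
    print("raw scan:", naive_hits(SAMPLE_BODY))
    print("normalised scan:", keyword_hits(SAMPLE_BODY))
    print(f"invisible ratio: {invisible_ratio(SAMPLE_BODY):.2f}")
    for hdr in ('"zoom_meeting@tessian.com" <fd29eaab47504bfa8bd773ee581bc7d4@tessian.com>',
                "tessian.com ZoomCall <calls@zoom-invite.example>",   # constructed
                "Laura Brooks <laura@tessian.com>"):                   # constructed
        print(display_name_check(hdr))
```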
Human Layer Security Spear Phishing
Romance Fraud Scams Are On The Rise
By Laura Brooks
11 February 2021
Cybercriminals are exploiting “lockdown loneliness” for financial gain, according to various reports this week, which reveal that the number of incidents of romance fraud and romance scams increased in 2020.  UK Finance, for example, reported that bank transfer fraud related to romance scams rose by 20% in 2020 compared to 2019, while Action Fraud revealed that £68m was lost by people who had fallen victim to romance fraud last year – an increase on the year before. Why? Because people have become more reliant on online dating and dating apps to connect with others amid social distancing restrictions put in place for the Covid-19 pandemic.
With more people talking over the internet, there has been greater opportunity for cybercriminals to trick people online. Adopting a fake identity and posing as a romantic interest, scammers play on people’s emotions and build trust with their targets over time, before asking them to send money (perhaps for medical care), provide access to bank accounts or share personal information that could be used to later commit identity fraud. Cybercriminals will play the long-game; they have nothing but time on their hands.  A significant percentage of people have been affected by these romance scams. In a recent survey conducted by Tessian, one in five US and UK citizens has been a victim of romance fraud, with men and women being targeted equally.
Interestingly, people aged between 25-34 years old were the most likely to be affected by romance scams. Tessian data shows that of the respondents who said they had been a victim of romance fraud, 45% were aged between 25-34 versus just 4% of respondents who were aged over 55 years old.

This may be because romance fraud victims are most commonly targeted on social media platforms like Facebook or Instagram, with a quarter of respondents (25%) saying they’d been successfully scammed on these channels. This was closely followed by email (23%), while one in five people said they’d been targeted on mobile dating apps, and 16% said they’d been scammed via online dating websites. This behavior is quite typical, say experts. Often romance fraud will start on dating apps or official dating websites, but scammers will move to social media, email or text in order to reduce the trail of evidence.
How to avoid falling for a romance scam
It’s important to remember that most dating apps and websites are completely safe. However, as social distancing restrictions remain in place for many regions, people should consider how they could be targeted by social engineering attacks and phishing scams at this time. We advise people to question any requests for personal or financial information from individuals they do not know or have not met in person, and to verify the identity of someone they’re speaking to via a video call. We also recommend the following:
Never send money or a gift online to someone who you haven’t met in person.
Be suspicious of requests from someone you’ve met on the internet. Scammers will often ask for money via wire transfers or reload cards because they’re difficult to reverse.
Be wary of any email or DM you receive from someone you don’t know. Never click on a link or download an attachment from an unusual email address.
Keep social media profiles and posts private. Don’t accept friend requests or DMs from people you don’t know personally.

The FBI and Action Fraud have also provided citizens with useful advice on how to avoid falling for a romance scam and guidance for anyone who thinks they may have already been targeted by a scammer. And if you want to learn more about social engineering attacks, you can read Tessian’s research How to Hack a Human.
Spear Phishing
6 Reasons to Download “How to Hack a Human” Now
By Maddie Rosenthal
02 February 2021
Over the last decade, phishing has evolved from spam to something much (much) more targeted. It’s now the threat most likely to cause a breach. At the same time, the number of adults on social media networks like Facebook has jumped by almost 1,300%. We explore the correlation between the two in our latest research report “How to Hack a Human”. You can download it here. Need a few good reasons to download it? Keep reading.

1. You’ll get a hacker’s perspective
Actually, you’ll get ten (ethical) hackers’ perspectives. We partnered with HackerOne and other social engineering experts to learn how they use publicly available information, like social media posts, OOO messages, press releases, and more, to craft highly targeted, highly effective social engineering attacks. In the end, we found out that they use everything. A photo from your gender reveal party can help them uncover your home address. A post about your dog can help them guess your password. An OOO message can tell them who to target, who to impersonate, and give them a sense of their window of opportunity.

2. You’ll learn how vulnerable organizations are to attack
By surveying 4,000 employees and using Tessian platform data, we were able to uncover how frequently people (and the companies they work for) are being targeted by social engineering attacks, business email compromise (BEC), wire transfer fraud, and more. The numbers are staggering. 88% of people have received a suspicious message in the last year. Of course, some industries are more vulnerable than others.
And, we expect to see more next year. Why? Between H1 2020 and H2 2020, we saw a 15% increase in attacks. Read the report to find out more.

3. We show two examples of social engineering, including the “clues” that enabled hackers to carry out the attack
Using social media posts, news headlines, and OOO messages, we break down two attacks:
CEO Fraud in Financial Services
Account Takeover (ATO) in Healthcare
We explain the hacker’s motivation, what the attack looked like, and, in the end, how it could have been prevented. (More on that below.)

4. You’ll get access to a free, educational guide to help employees level-up their personal and professional cybersecurity
As we’ve said, hackers hack humans to hack the companies they work for. So, to help security leaders communicate the threat and teach their employees how to prevent being targeted and how to spot an attack if it lands in their inbox, we put together a comprehensive list of do’s and don’ts. You can find it on page 20. Bonus: Are you a Tessian customer? We’re happy to co-brand the list. Get in touch with your Customer Success Executive for more information.

5. The dataset is global
In addition to interviewing employees in the US and the UK, Tessian platform data accounts for organizations across continents. Why does this matter? It goes to show that this isn’t a problem that’s isolated to a specific region. Everyone is being targeted by social engineering attacks. But, interestingly, the online habits of Americans vs. Brits vary considerably.
For example, while 93% of US employees say they update their job status on social media when they start a new role, just 63% of UK employees said the same.

Top tip: New starters are prime targets of social engineering attacks. They’re typically given their full access credentials when they start, but don’t yet know who’s who. They may also not have had their security training yet. Finally, given that they’re new, they’ll be especially keen to make a good impression.

6. You’ll get a peek inside a hacker’s toolkit
Yes, all of the information hackers use is easy enough to find online (especially if they’re motivated to find it). But there are plenty of tools that hackers use that make connecting the dots and cracking passwords quick and easy. We outline ten in the report. You’ll likely recognize some of them… Most, if not all, of these tools were designed for the “good guys”: penetration testers, compliance teams, and even law enforcement. In fact, some are even marketing and sales tools! Flip to page 16 to learn more.

Bonus: The report is ungated…for now
For the next few weeks, you’ll be able to download the report without filling out a form. Yep, you just click “download” and it’s yours. Starting at the end of February, you’ll just need to provide your email address and a few other pieces of information about your role and company. Ready? Set? Download.
Spear Phishing
Tessian Launches Account Takeover (ATO) Protection
By Harry Wetherald
27 January 2021
Today, a comprehensive email security strategy needs to do more than just secure an organization’s own email platform and users. Why? Because more and more often, bad actors are gaining access to the email accounts of trusted senders (suppliers, customers, and other third parties) to breach a target company. This is called account takeover (ATO), and one in seven organizations have experienced this kind of attack. And, since legitimate business email accounts are used to carry out these attacks, it is one of the most difficult impersonation attacks to detect, making most organizations vulnerable to ATO. But not Tessian customers. Tessian Defender can now detect and prevent ATO.

How does Tessian Defender detect ATO?
Unlike Secure Email Gateways (SEGs), which rely almost exclusively on domain authentication and payload inspection, Tessian Defender uses machine learning (ML), anomaly detection, behavioral analysis, and natural language processing (NLP) to detect a variety of ATO signals:
Unusual sender characteristics: This includes anomalous geophysical locations, IP addresses, email clients, and reply-to addresses.
Anomalous email sending patterns: Based on historical email analysis, Tessian can identify unusual recipients, unusual send times, and emails sent to an unusual number of recipients.
Malicious payloads: Tessian uses URL match patterns to spot suspicious URLs and ML to identify red flags indicative of suspicious attachments.
Deep content inspection: Looking at the email content (for example, language that conveys suspicious intent), Tessian can detect zero-payload attacks, too.
Importantly, Tessian’s ML algorithm gets smarter as it continuously analyzes email communications across its global network. This way, it can build profiles of organizations (and their employees) to understand what “normal” email communications look like at a granular level.  This allows Tessian Defender to catch even the most subtle ATO attacks. Once it detects a threat, Tessian alerts employees and admins that an email might be unsafe. The warnings are written in easy-to-understand language and explain why an email has been flagged, which prevents the users from responding to the email or clicking on malicious links or attachments. These warnings also act as in-the-moment training and help improve email behavior over time.  Administrators get real-time alerts of ATO and can track events in the Human Layer Security Intelligence portal. You can learn more about how Tessian detects and prevents ATO here. Keep reading to see an admin’s view of the portal and what a warning looks like for employees.
What are the benefits of Tessian ATO threat protection?
The consequences of ATO are far-reaching. Attackers could gain access to credentials, employee data, and computer data. They could initiate fraudulent wire transfers, conduct bank fraud, and sell data. That means organizations could suffer significant financial loss, reputational damage, and lose customers (and their trust). And this doesn’t even account for lost productivity, data loss, or regulatory fines. Between 2013 and 2015, Facebook and Google were scammed out of $121 million after a hacker impersonated a trusted vendor. And that’s just one example.

Tessian’s ATO threat protection minimizes these risks by preventing successful attacks. But, detecting and preventing threats is just one of the benefits of Tessian.

For security teams
Detection is automated, which means it’s not just effective, but also effortless for security teams.
Real-time alerts of ATO events and robust tools (like single-click quarantine) allow for rapid investigation and remediation directly in the portal.
Tessian’s API can be integrated with SIEMs like Splunk and Rapid7, allowing security analysts and SOC teams to analyze Tessian data alongside insights from other solutions.
In-the-moment warnings reinforce security awareness training and help nudge employees towards safer email behavior.

For the C-suite
ATO protection doesn’t just keep your organization safe and compliant (and help you avoid reputational damage or financial loss). It’s a competitive differentiator and can help build trust with existing customers, clients, and your supply chain.
Multi-layer threat insights, visualized data, and industry benchmarks help CISOs understand their organization’s security posture compared to their industry peers.
Automated reports make it easy to communicate success to the board and other key stakeholders.

For employees
Contextual warnings are helpful, not annoying, and act as in-the-moment training. This helps employees improve their security reflexes over time for safer email behavior.
Flag rates are low (and false positives are rare), which means employees can do the job they were hired to do, without security getting in the way.

Learn more about Tessian
Interested in learning more about Tessian Defender and ATO Protection? Current Tessian customers can get in touch with their Customer Success Manager. Not yet a Tessian customer? Learn more about our technology, explore our customer stories, or book a demo now.
Spear Phishing
What is Email Spoofing? How Does Email Spoofing Work?
22 January 2021
Let’s start with a definition of email spoofing.
While email spoofing can have serious consequences, it’s not particularly difficult for a hacker to do. And, despite the fact that email filters and apps are getting better at detecting spoofed emails… they can still slip through.

Keep reading to find out:
What motivates someone to spoof an email address
How email spoofing works
How common email spoofing is

If you’re here to learn how to prevent email spoofing, check out this article instead: How to Prevent Email Spoofing.

Why do people spoof emails?
You might be wondering why someone would want to spoof another person’s or company’s email address in the first place. It’s simple: they want the recipient to believe that the email came from a trusted person. Most commonly it is used for activities such as:
Spear phishing: A type of “social engineering” attack where the attacker impersonates a trusted person and targets a specific individual.
Business Email Compromise (BEC): A phishing attack involving a spoofed, impersonated, or hacked corporate email address.
CEO fraud: A BEC attack where the attacker impersonates a high-level company executive and targets an employee.
Vendor Email Compromise (VEC): A BEC attack where the attacker impersonates a vendor or another business in a company’s supply chain.
Spamming: Sending unsolicited commercial email to large numbers of people.

Now let’s look at the technical process behind email spoofing.

How email spoofing works
First, we need to distinguish between “email spoofing” and “domain impersonation.” Sometimes these two techniques get conflated. Here’s the difference:
In an email spoofing attack, the sender’s email address looks identical to the genuine email address (jeff.bezos@amazon.com).
In a domain impersonation attack, the fraudster uses an email address that is very similar to another email address (jeff.bezos@amaz0n.co).

When you receive an email, your email client (e.g. Outlook or Gmail) tells you who the email is supposedly from.
When you click “reply,” your client automatically fills in the “to” field in your return email. It’s all done automatically and behind the scenes. But this information is not as reliable as you might think.

An email consists of several parts:
Envelope: Tells the receiving server who sent the email and who will receive it. When you get an email, you don’t normally see the envelope.
Header: Contains metadata about the email, including the sender’s name and email address, send date, subject, and “reply-to” address. You can see this part.
Body: The content of the email itself.

Spoofing is so common because it’s surprisingly easy to forge the “from” elements of an email’s envelope and header to make it seem like someone else has sent it. Obviously, we’re not going to provide instructions on how to spoof an email. But we can break down a spoofed email to help you understand how the process works. Let’s take a look at the email header:
First, look at the “Received From” header, highlighted in blue, which shows that the email came from the domain “cybercrime.org.” But now look at the parts highlighted in yellow, the “Return-Path,” “From,” and “Reply-To” headers, which all point to “Mickey Mouse,” or “m.mouse@disney.com”. These headers dictate what the recipient sees in their inbox, and they’ve all been forged.

The standard email protocol (SMTP) has no default way of authenticating an email. There are authentication checks that depend on the domain owner protecting its domain. In this case, the spoof email failed two important authentication processes (also highlighted in blue, above):
SPF, short for Sender Policy Framework: Checks if the sender’s IP address is associated with the domain specified in the envelope.
DMARC, short for Domain-based Message Authentication, Reporting, and Conformance: Verifies an email’s header information.
DKIM, short for DomainKeys Identified Mail: Designed to make sure messages aren’t altered in transit between the sending and recipient servers.

As you can see, DMARC, SPF, and DKIM are all “none”. That means our spoofed email slipped right through. Here’s how the email looks in the recipient’s inbox:
The email above appears to have been sent by Mickey Mouse, using the email address m.mouse@disney.com. But we know from the header that it actually came from cybercrime.org. This demonstrates the importance of setting up DMARC policies. You can learn more about how to do that here. Note: Disney does have DMARC enabled. This is a hypothetical example! Want to find out which companies don’t have DMARC set up? Check out this website.

How common is spoofing?
Measuring the precise number of spoofed emails sent and received every day is impossible. But we can look at how many cybercrime incidents involving spoofing get reported each year. A good place to start is the U.S. Federal Bureau of Investigation (FBI)’s Internet Crime Complaint Center (IC3) annual report. In 2020, the IC3 reported that:
28,218 of the 791,790 complaints the IC3 received related to spoofing
The losses associated with spoofing complaints totaled over $216 million
Spoofing was the sixth most costly type of cybercrime
The number of spoofing attacks rose 81% since 2018
The losses from spoofing have more than doubled since 2018

Note that the IC3’s definition of “spoofing” includes incidents involving spoofed phone numbers. But we already know that 96% of phishing attacks start with email. Now you understand what email spoofing is, and how serious a threat it can be, it’s time to read our article on how to prevent email spoofing.
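The header walk-through above (origin host in “Received”, forged Return-Path/From/Reply-To, SPF/DKIM/DMARC all “none”) is exactly what a triage script can pull out of a raw message. The following is an added example, not the article’s code: it parses a constructed message mirroring the article’s hypothetical (disney.com identity, real origin cybercrime.org); the relay hostnames, the documentation IP 203.0.113.5 and the message IDs are made up, and Authentication-Results is assumed to have been stamped by the receiving server.

```python
"""Added example (not from the article): pull the forged-looking signals
out of a raw header block, as a defender's triage script. The message is
constructed to mirror the article's hypothetical (disney.com display
identity, real origin cybercrime.org, every check 'none'); the relay
hostnames, IP 203.0.113.5 and IDs are made up."""
import re
from email import message_from_string
from email.utils import parseaddr

SPOOFED = """\
Received: from mx.recipient.example by internal.recipient.example
    with ESMTP id INT-0001 for <victim@recipient.example>
Received: from mail.cybercrime.org (mail.cybercrime.org [203.0.113.5])
    by mx.recipient.example with ESMTP id EXT-0001
Authentication-Results: mx.recipient.example;
    spf=none smtp.mailfrom=disney.com;
    dkim=none;
    dmarc=none header.from=disney.com
Return-Path: <m.mouse@disney.com>
From: Mickey Mouse <m.mouse@disney.com>
Reply-To: Mickey Mouse <m.mouse@disney.com>
To: victim@recipient.example
Subject: Quick favour

Hi, could you process the attached invoice today?
"""

# Constructed "clean" counterpart for contrast: same headers, but the
# originating host sits under disney.com and every check passes.
LEGIT = SPOOFED.replace("mail.cybercrime.org", "mail.disney.com").replace("=none", "=pass")

FAILING = {"none", "fail", "softfail", "permerror", "temperror"}


def domain_of(header_value) -> str:
    """Domain part of an address header, lower-cased ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def received_hosts(msg) -> list:
    """Hostname from the 'from' clause of each Received: header, in header
    order. Servers prepend, so the last one is the originating host."""
    hosts = []
    for rcv in msg.get_all("Received", []):
        m = re.search(r"\bfrom\s+([\w.-]+)", rcv, re.I)
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def auth_results(msg) -> dict:
    """spf/dkim/dmarc verdicts from Authentication-Results headers."""
    res = {}
    for ar in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ar, re.I):
            res[mech.lower()] = verdict.lower()
    return res


def under(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it."""
    return bool(domain) and (host == domain or host.endswith("." + domain))


def analyze(raw: str) -> dict:
    msg = message_from_string(raw)
    from_d = domain_of(msg["From"])
    hops = received_hosts(msg)
    origin = hops[-1] if hops else ""
    auth = auth_results(msg)
    findings = []
    if origin and not under(origin, from_d):
        findings.append(f"origin host {origin} is not under From domain {from_d}")
    for hdr in ("Return-Path", "Reply-To"):
        d = domain_of(msg[hdr])
        if d and d != from_d:
            findings.append(f"{hdr} domain {d} differs from From domain {from_d}")
    for mech in ("spf", "dkim", "dmarc"):
        verdict = auth.get(mech, "none")   # a missing result counts as none
        if verdict in FAILING:
            findings.append(f"{mech}={verdict}")
    return {"from_domain": from_d, "origin_host": origin,
            "auth": auth, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, analyze(raw)["findings"] or ["no findings"])
```

An origin host outside the From domain is not proof of forgery on its own (third-party senders are common), which is why the script reports it alongside the authentication verdicts rather than as a verdict in itself.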
Spear Phishing
How to Prevent and Avoid Falling for Email Spoofing Attacks
By Maddie Rosenthal
22 January 2021
Email spoofing is a common way for cybercriminals to launch phishing attacks, and just one successful phishing attack can devastate your business. That's why every secure organization has a strategy for detecting and filtering out spoofed emails. Do you? This article will walk you through some of the best methods for preventing email spoofing. Want to learn more about email spoofing, how hackers do it, and how common these attacks are? Check out this article: What is Email Spoofing and How Does it Work? And, if you're wondering how to prevent your own email address or domain from being spoofed, the first step is to enable DMARC. But even that isn't enough. We explain why in this article: Why DMARC Isn't Enough to Stop Impersonation Attacks.

Security awareness training

Email spoofing is a common tactic in social engineering attacks such as spear phishing, CEO fraud, and Business Email Compromise (BEC). Social engineering attacks exploit people's trust to persuade them to click a phishing link, download a malicious file, or make a fraudulent payment. That means part of the solution lies in educating the people being targeted. It's important to note that cyberattacks target employees at every level of a company, which means cybersecurity is everyone's responsibility. Security awareness training can help employees recognize when such an attack is underway and understand how to respond.

In this article, What Is Email Spoofing and How Does it Work?, we looked at how an email's header can reveal that the sender address has been spoofed. Looking “under the hood” of an email's header is a useful exercise to help employees understand how email spoofing works. You can see whether the email failed authentication checks like SPF, DKIM, and DMARC, and check whether the “Received” and “From” headers point to different domains. But it's not realistic to expect people to carefully inspect the header of every email they receive.
So what are some other giveaways that might suggest an email spoofing scam is underway?

- The email doesn't look how you expect. The sender might be “paypal.com.” But does the email really look like PayPal's other emails? Most sophisticated cybercriminals copy the spoofed company's branding, but some make mistakes.
- The email contains spelling and grammar errors. Again, these mistakes aren't common among professional cybercriminals, but they still occur.
- The email uses an urgent tone. If the boss emails you, urgently requesting that you pay an invoice into an unrecognized account, take a moment. This could be CEO fraud.

You must get your whole team on board to defend against cybersecurity threats, and security awareness training can help you do this. However, Tessian research suggests that the effectiveness of security training is limited.

Email provider warnings

Your mail server is another line of defense against spoofing attacks. Receiving mail servers check whether incoming emails have failed authentication checks such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance). Many email providers will warn the user if an email has failed authentication. Here's an example of such a warning from ProtonMail:
As part of your company's security awareness training, you can urge employees to pay close attention to these warnings and report them to your IT or cybersecurity team. However, it's not safe to rely on your email provider. A 2018 Virginia Tech study looked at how 35 popular email providers handled email spoofing. The study found:

- All except one of the email providers allowed fraudulent emails to reach users' inboxes.
- Only eight of the providers displayed a warning about suspicious emails in their web apps.
- Only four of the providers displayed such a warning in their mobile apps.

Authentication protocols

As the Virginia Tech study showed, email providers often allow fraudulent emails through their filters, even when they fail authentication. But, perhaps more importantly, whether a fraudulent email fails authentication in the first place is out of your hands. SPF lets a domain owner list, in a DNS TXT record, which mail servers are authorized to send email for its domain. DKIM lets the domain owner sign outgoing mail so that recipients can verify it. And DMARC lets the domain owner publish a policy telling recipient mail servers whether to reject, quarantine, or deliver messages whose visible “From” domain is not backed by an aligned SPF or DKIM pass, and where to send reports about them.

So, for domain owners, setting up SPF, DKIM, and DMARC records is an essential step to prevent cybercriminals and spammers from sending spoofed emails using their domain name. But as the recipient, you can't control whether the domain owner has properly set up its authentication records. You certainly don't want your cybersecurity strategy to be dependent on the actions of other organizations.

Email security software

Effective email spoofing attacks are very persuasive. The email arrives from a seemingly valid address, and it might contain the same branding, tone, and content you'd expect from the supposed sender. This makes email spoofing attacks one of the hardest cybercrimes to detect manually. Humans aren't good at spotting the subtle and technical indicators of a well-planned email spoofing attack.
Legacy solutions like Secure Email Gateways and native tools like spam filters aren't either. The best approach to tackling spoofing, or any social engineering attack, is intelligent technology. Email security solutions powered by machine learning (ML) automate the process of detecting and flagging spoofed emails, making it easier, more consistent, and more effective. Here's how Tessian Defender solves the problem of email spoofing:

- Tessian's machine learning algorithms analyze each employee's email data. The software learns each employee's email style and maps their trusted email relationships. It learns what “normal” looks like so it can spot suspicious email activity.
- Tessian performs a deep inspection on inbound emails. By checking the sender's IP address, email client, and other metadata, Tessian can detect indications of email spoofing and other threats.
- If it suspects an email is malicious, Tessian alerts employees using easy-to-understand language.
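Returning to the authentication protocols section above: the decision a receiving server makes from a DMARC record is mechanical enough to write down. The block below is an added example, not Tessian's code and not a complete DMARC implementation. The DMARC records, domains and SPF/DKIM results in it are constructed, and the organizational-domain step is simplified to the last two labels where a real evaluator consults the Public Suffix List. It shows why a strict SPF alignment setting (aspf=s) can reject a domain's own subdomain mail while relaxed DKIM alignment lets a properly signed third-party sender through, which is the kind of surprise a domain owner hits when moving from p=none to p=reject.

```python
"""How a receiving server turns a DMARC record into a delivery decision.

Added example, not Tessian's code and not a complete DMARC implementation.
Records, domains and SPF/DKIM results are constructed; org_domain() is a
simplification (real evaluators use the Public Suffix List).
"""


def parse_dmarc(record):
    """'v=DMARC1; p=reject; aspf=s' -> {'v': 'DMARC1', 'p': 'reject', 'aspf': 's'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels.
    Real evaluators consult the Public Suffix List so that, for example,
    'shop.example.co.uk' maps to 'example.co.uk' rather than 'co.uk'."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment. Strict ('s') requires an exact match;
    relaxed ('r', the default) accepts the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, from_domain, spf, dkim):
    """Decide what to do with a message.

    record:      the From domain's _dmarc TXT record, or None if none is published
    from_domain: domain of the visible From header
    spf:         (result, domain SPF was evaluated for, i.e. the Return-Path domain)
    dkim:        (result, d= domain of a verified signature, or "" if none)
    Returns (dmarc_result, action).
    """
    if record is None:
        return "none", "deliver"  # no policy published: the receiver decides alone
    tags = parse_dmarc(record)
    spf_result, spf_domain = spf
    dkim_result, dkim_domain = dkim
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    actions = {"none": "deliver (report only)", "quarantine": "quarantine", "reject": "reject"}
    return "fail", actions.get(tags.get("p", "none"), "deliver (report only)")


# Constructed records for a hypothetical domain.
STRICT_RECORD = "v=DMARC1; p=reject; aspf=s; adkim=r; rua=mailto:dmarc-reports@example.com"
MONITOR_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"


def scenarios():
    """Cases a domain owner should understand before moving to p=reject."""
    return {
        # Spoof from an unauthorized host: SPF fails, nothing is signed.
        "spoof_strict": dmarc_disposition(STRICT_RECORD, "example.com",
                                          ("fail", "example.com"), ("none", "")),
        # The same spoof under a monitor-only policy still reaches the inbox.
        "spoof_monitor": dmarc_disposition(MONITOR_RECORD, "example.com",
                                           ("fail", "example.com"), ("none", "")),
        # Bulk sender bounces to its own domain (SPF passes but is unaligned)
        # yet signs with the customer's DKIM key, which aligns relaxed: pass.
        "esp_dkim_signed": dmarc_disposition(STRICT_RECORD, "example.com",
                                             ("pass", "bounce.esp-mailer.net"),
                                             ("pass", "mail.example.com")),
        # Own subdomain relying on SPF alone: aspf=s makes it fail and get rejected.
        "subdomain_spf_only": dmarc_disposition(STRICT_RECORD, "example.com",
                                                ("pass", "mail.example.com"), ("none", "")),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:20s} -> {outcome}")
```

The last scenario is the one that bites in practice: mail from mail.example.com that only has an SPF pass is legitimate, but under aspf=s it is rejected, so the DKIM signing or the alignment mode has to be fixed before the policy is tightened.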
Further reading: ⚡ Tessian Defender Data Sheet ⚡ Customer Stories ⚡ Report: To Prevent Spear Phishing Look for Impersonation If you’d rather talk to someone about your specific challenges, you can talk to an expert at Tessian.
Spear Phishing Remote Working
CISA Warns of New Attacks Targeting Remote Workers
14 January 2021
tl;dr: The Cybersecurity and Infrastructure Security Agency (CISA) has warned of a string of successful phishing attacks exploiting weak cyber hygiene in remote work environments to access companies’ cloud services via employees’ corporate laptops and personal devices.*  According to the report, “the cyber actors designed emails that included a link to what appeared to be a secure message and also emails that looked like a legitimate file hosting service account login. After a targeted recipient provided their credentials, the threat actors then used the stolen credentials to gain Initial Access to the user’s cloud service account. … A variety of tactics and techniques—including phishing, brute force login attempts, and possibly a “pass-the-cookie” attack—to attempt to exploit weaknesses in the victim organizations’ cloud security practices.” 
Once the hackers had access to an employee's account, they were able to:

- Send other phishing emails to contacts in the employee's network.
- Modify existing forwarding rules so that emails that would normally be forwarded automatically to personal accounts were instead forwarded directly to the hacker's inbox.
- Create new mailbox rules to have emails containing specific keywords (for example, finance-related terms) forwarded to the hacker's account.

This type of malicious activity targeting remote workers isn't new. Henry Trevelyan Thomas, Tessian's VP of Customer Success, has seen many instances this year. “The shift to remote work has resulted in people needing more flexibility, and personal accounts provide that—for example, access to home printers or working from a partner's computer. Personal accounts are easier to compromise as they almost always have fewer security controls, are outside organizations' secure environments, and your guard is down when logging on to your personal account. Attackers have realized this and are seeing it as a soft underbelly and entry point into a full corporate account takeover.” Learn more about Account Takeover (ATO), and take a look at some real-life examples of phishing attacks we spotted last year.

CISA recommends the following steps for organizations to strengthen their cloud security practices:

- Establish a baseline for normal network activity within your environment
- Implement MFA for all users, without exception
- Routinely review user-created email forwarding rules and alerts, or restrict forwarding
- Have a mitigation plan or procedures in place; understand when, how, and why to reset passwords and to revoke session tokens
- Consider a policy that does not allow employees to use personal devices for work. At a minimum, use a trusted mobile device management solution
- Consider restricting users from forwarding emails to accounts outside of your domain
- Focus on awareness and training. Make employees aware of the threats, such as phishing scams, and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities
- Establish blame-free employee reporting and ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack. This will ensure that the proper established mitigation strategy can be employed quickly and efficiently

For more practical advice on how to avoid falling for a phishing scam, download Tessian's guide to Remote Work and Cybersecurity.
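CISA's advice to routinely review forwarding rules is easiest to act on with a script. The example below is added here and is not CISA's or Tessian's code. It assumes inbox rules have been exported to a list of records whose field names follow the output of the Exchange Online Get-InboxRule cmdlet (MailboxOwnerId, Name, Enabled, ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage, SubjectOrBodyContainsWords, MoveToFolder); the mailboxes, addresses and rules in it are constructed. Beyond the two behaviours in the report (external forwarding and keyword-based siphoning), it also flags rules that delete the original or file it into a rarely opened folder such as RSS Feeds, a pattern seen in account-takeover investigations.

```python
"""Review of mailbox inbox rules for the behaviours CISA describes above.

Added example, not CISA's or Tessian's code. RULES is a constructed export whose
field names follow Exchange Online's Get-InboxRule output (assumed shape);
all mailboxes, addresses and rule names are made up.
"""
import re

INTERNAL_DOMAINS = {"example.com"}
FINANCE_TERMS = {"invoice", "payment", "wire", "bank", "remittance", "payroll"}
# Folders users rarely open; attacker-created rules often park mail here.
HIDING_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Conversation History"}

RULES = [
    # Benign user rule.
    {"MailboxOwnerId": "alice@example.com", "Name": "Newsletters", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [], "ForwardAsAttachmentTo": [],
     "DeleteMessage": False, "SubjectOrBodyContainsWords": ["newsletter"],
     "MoveToFolder": "Newsletters"},
    # Attacker-created: forwards everything to a look-alike external domain and deletes it.
    {"MailboxOwnerId": "alice@example.com", "Name": ".", "Enabled": True,
     "ForwardTo": ['"Alice" [SMTP:alice.backup@mail-example.net]'], "RedirectTo": [],
     "ForwardAsAttachmentTo": [], "DeleteMessage": True,
     "SubjectOrBodyContainsWords": [], "MoveToFolder": None},
    # Attacker-created: siphons finance mail into a folder nobody reads.
    {"MailboxOwnerId": "bob@example.com", "Name": "Sync", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [], "ForwardAsAttachmentTo": [],
     "DeleteMessage": False, "SubjectOrBodyContainsWords": ["invoice", "wire transfer"],
     "MoveToFolder": "RSS Feeds"},
    # Disabled rule: worth cleaning up, but not an active exfiltration path.
    {"MailboxOwnerId": "carol@example.com", "Name": "Old", "Enabled": False,
     "ForwardTo": ["[SMTP:carol@attacker.example]"], "RedirectTo": [],
     "ForwardAsAttachmentTo": [], "DeleteMessage": False,
     "SubjectOrBodyContainsWords": [], "MoveToFolder": None},
]

ADDRESS_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def recipient_domains(entries):
    """Domains of every SMTP address in a ForwardTo-style list."""
    return {addr.rsplit("@", 1)[1].lower()
            for entry in entries or []
            for addr in ADDRESS_RE.findall(entry)}


def review_rule(rule, internal_domains=INTERNAL_DOMAINS, finance_terms=FINANCE_TERMS):
    """Reasons a rule deserves a human look; an empty list means none."""
    if not rule.get("Enabled", True):
        return []
    reasons = []
    targets = set()
    for field in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        targets |= recipient_domains(rule.get(field))
    external = sorted(d for d in targets if d not in internal_domains)
    if external:
        reasons.append(f"forwards or redirects outside the organization: {external}")
    words = " ".join(rule.get("SubjectOrBodyContainsWords") or []).lower()
    hits = sorted(term for term in finance_terms if term in words)
    if hits:
        reasons.append(f"filters on finance keywords: {hits}")
    if rule.get("DeleteMessage"):
        reasons.append("deletes the original, hiding the activity from the mailbox owner")
    if rule.get("MoveToFolder") in HIDING_FOLDERS:
        reasons.append(f"files mail into a rarely opened folder: {rule['MoveToFolder']}")
    return reasons


def review_rules(rules, **kwargs):
    """Map (mailbox, rule name) -> reasons, for rules that raised any."""
    report = {}
    for rule in rules:
        reasons = review_rule(rule, **kwargs)
        if reasons:
            report[(rule["MailboxOwnerId"], rule["Name"])] = reasons
    return report


if __name__ == "__main__":
    for (mailbox, name), reasons in review_rules(RULES).items():
        print(f"{mailbox} rule {name!r}:")
        for reason in reasons:
            print("   -", reason)
```

Run against a real export, the output is a short list to hand to the account owners for confirmation; mailbox-level forwarding (set on the mailbox rather than in a rule) is a separate property and needs its own check.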
*Note: the activity and information in this Analysis Report is not explicitly tied to any one threat actor or known to be specifically associated with the advanced persistent threat actor attributed with the compromise of SolarWinds Orion Platform software and other recent activity.
Spear Phishing Customer Stories
How Tessian Is Preventing Advanced Impersonation Attacks in Manufacturing
By Maddie Rosenthal
12 January 2021
Company: SPG Dry Cooling
Industry: Manufacturing
Seats: 368
Solutions: Defender

About SPG Dry Cooling

SPG Dry Cooling is an innovative, global leading manufacturer of air-cooled condensers that has been providing exceptional quality equipment to coal, oil, and gas industrial plants for over a century. They employ a global workforce and have over 1,000 customer references. We talked to Thierry Clerens, Global IT Manager at SPG Dry Cooling, to learn more about the problems Tessian helps solve and why he chose Tessian Defender over other solutions.

Problem: The most advanced threats can slip past other controls

Phishing is a big problem across all industries. But, because inbound email attacks are becoming more and more sophisticated and hackers continue using tactics like domain impersonation and email spoofing, Thierry knew he needed to implement a new solution that could stop the phishing emails that might slip past his O365 controls and trained employees. He cited one specific incident where a hacker impersonated a company in SPG Dry Cooling's supply chain and attempted to initiate a wire transfer. How? A tiny, difficult-to-spot change in the domain name. “They created a fake domain with exactly the same name as the real user. But the top-level domain .tr was missing at the end. So it was just .com. No user – not even IT! – is looking at the domain name that closely. They tried to get us to deliver money to another account,” Thierry explained. While the attack wasn't successful (SPG Dry Cooling has strong policies and procedures in place to confirm the legitimacy of requests like this), he wanted to level up his inbound email security and help users spot these advanced impersonation attacks. So, he invested in Tessian. Thierry explained why.
Tessian Defender analyzes up to 12 months of historical email data to learn what “normal” looks like. It then uses natural language processing, behavioral analysis, and communication analysis to determine in real time whether a particular email is suspicious. To learn more, read the data sheet.

Problem: You can't train employees to spot all phishing attacks

Tessian also helps employees get better at spotting malicious emails with in-the-moment warnings (written in plain English) that reinforce training by explaining exactly why an email is being flagged. Here is an example:
This feature is especially important to Thierry, who values phishing awareness training but understands it has to be ongoing. “We like to empower our users and we like that, with Tessian, our users learn and become better and better and better. That's what we're trying to do at SPG Dry Cooling. We're trying to train and educate our users as much as possible. We're trying to be innovative in the ways that we get our users, our company, our members, everybody, to better themselves,” he said. In evaluating solutions, he wanted something that would protect his people while also empowering them to make smarter security decisions. He found that in Tessian, explaining that “the most interesting feature for me is the user education. You have to train your users. You have to help them get better at spotting threats by helping them understand the threats. Tessian does that.”

Problem: It's nearly impossible for IT teams to manually investigate all potential inbound threats

Before Tessian, Thierry and his team had to manually investigate all emails that employees flagged as suspicious. With limited time and resources, and given the fact that “some are really good and are even hard for IT people to find”, it was nearly impossible for them to keep up.
Thierry explained that Tessian extends the capabilities of his team. How?

- It automatically detects and prevents threats
- Domains can be added to the denylist in a single click, before they even land in employees' mailboxes
- Tessian dashboards make it easy for IT to see trends and create targeted security campaigns to help educate users

Tessian was also easy to deploy. “As a part of our proof of concept, Tessian started ingesting historical data about employees' IP addresses, what emails they normally send, who they normally communicate with. We saw how it was helping in just a few weeks. After that, we connected Tessian to Office 365. It took just 15 minutes,” he said.

Learn more about how Tessian prevents human error on email

Powered by machine learning, Tessian's Human Layer Security technology understands human behavior and relationships.

- Tessian Guardian automatically detects and prevents misdirected emails
- Tessian Enforcer automatically detects and prevents data exfiltration attempts
- Tessian Defender automatically detects and prevents spear phishing attacks

Importantly, Tessian's technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of an organization's email network. That means it gets smarter over time to keep you protected, wherever and however you work. Interested in learning more about how Tessian can help prevent email mistakes in your organization? You can read some of our customer stories here or book a demo.
SPG Dry Cooling Case Study
Spear Phishing
What is a Malicious Payload and How is it Delivered?
12 January 2021
The term “payload” traditionally refers to the load carried by a vehicle — for example, the passengers in an aircraft or the cargo in a truck. But, in computing, “payload” refers to the content of a message.  When you send an email, you’re transmitting several pieces of data, including a header, some metadata, and the message itself. In this scenario, the message is the payload — it’s whatever content you want the recipient to receive. The term “malicious payload” comes into play when we talk about cybersecurity specifically.
We talk more about malicious websites in this article: How to Identify a Malicious Website.

How is a malicious payload delivered?

Malicious payloads first need to find their way onto a target's device. There are two main methods hackers use to do this:

- Social engineering attacks
- DNS hijacking

The most common way to deliver a malicious payload is via social engineering attacks like phishing, spear phishing, CEO fraud, and other types of advanced impersonation attacks. If you're not sure what social engineering is, or if you want real-world examples of attacks, you can check out this article: 6 Real-World Examples of Social Engineering Attacks. Here's how a typical phishing attack starts. Suppose your office has ordered some printer ink. You get an email from someone claiming to be “FedEx” that says: “click here to track your order.” Since you are, in fact, expecting a delivery, you click the link. The link appears to lead to FedEx's order-tracking page, but the page causes a file to download onto your computer. This file is the malicious payload. While email is the most common delivery vector for malicious payloads, they can also be delivered via vishing (voice phishing, by phone or VoIP) and smishing (by SMS).

Another way to deliver a malicious payload is DNS hijacking. Here, the attacker tampers with name resolution (for example by changing the DNS settings on a compromised router or device, or by altering the records for a domain) so that a legitimate-looking hostname resolves to a server the attacker controls, where the browser is served the payload in the form of a malware file.

Types of malicious payloads

Malicious payloads can take a number of forms. The examples below are all types of “malware” (malicious software).

- Virus: A type of malware that can replicate itself and insert its code into other programs.
- Ransomware: Encrypts data on the target computer, rendering it unusable, and then demands a ransom to restore access.
- Spyware: A program that tracks user activity on a device, including which websites the user visits, which applications they use, and which keys they press (and, therefore, the user's passwords).
- Trojan: Any file which appears to be innocent but performs malicious actions when executed.
- Adware: Hijacks the target computer and displays annoying pop-up ads, affecting performance.

But a payload doesn't need to come in the form of a file. “Fileless malware” uses your computer's memory and existing system tools to carry out malicious actions, without the need for you to download any files. Fileless malware is notoriously hard to detect.

Malicious payload vs. zero payload

Not all phishing attacks rely on a malicious payload. Some attacks simply persuade the victim to act on a request. Suppose someone claiming to be a regular supplier sends you an email. The email claims that there's been a problem with your recent payment. With a malicious payload attack, the email might contain an attachment disguised as your latest invoice. With a zero payload attack, the email may simply encourage you to initiate a wire transfer or manually update account details, diverting the payment from the genuine supplier to the hacker. Zero payload attacks can be just as devastating as malicious payload attacks, and traditional antivirus and anti-phishing software struggles to detect them, because there is no file or link to scan.

Case study: KONNI malware, August 2020

Let's look at a real-world example of a malicious payload attack. This example demonstrates how easy it can be to fall victim to a malicious payload. On August 14, 2020, the United States Cybersecurity and Infrastructure Security Agency (CISA) issued a warning that: “cyber actors using emails containing a Microsoft Word document with a malicious Visual Basic Application (VBA) macro code to deploy KONNI malware”. So, in this example, the malicious payload is a .doc file, delivered via a spear phishing email. The .doc file carries the macro that installs the “KONNI” malware. When the target opens the attachment and enables the macro, the KONNI malware is activated.
It uses a “macro” (simple code used to automate tasks in Microsoft Office) to contact a server and download further files onto the target computer. The KONNI malware can perform different attacks, including:

- Logging the user's keystrokes
- Taking screenshots
- Stealing credentials from web browsers
- Deleting files

These actions would allow cybercriminals to steal crucial information, such as passwords and payment card details, and cause critical damage to your device.

How to stop malicious payloads

You should take every reasonable step to ensure malicious payloads do not make their way onto your devices. Email security is a crucial means of achieving this. Why? Because email is the threat vector security and IT leaders are most concerned about. It's also the most common medium for phishing attacks and a key entry point for malicious payloads. If you want to learn more about preventing phishing, spear phishing, and other types of inbound attacks that carry malicious payloads, check out these resources:

- Must-Know Phishing Statistics: Updated 2021
- How to Identify and Prevent Phishing Attacks
- What is Spear Phishing?
- How to Identify a Malicious Website
- What Does a Spear Phishing Email Look Like?

And, if you want to stay up to date with cybersecurity news, trends, and get the latest insights (and invites to events!) before anyone else, subscribe to our newsletter.
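For the KONNI case study above, the practical question on the receiving side is whether an attachment is an Office document that can carry a VBA macro at all. The block below is an added example, not Tessian's or CISA's code. It builds its sample documents in memory (minimal packages, not real files), checks structure only, and does not execute or parse the macro. Legacy binary .doc files (OLE2 compound files) are only flagged for follow-up with a compound-file parser such as oletools' olevba rather than inspected here; that follow-up step is an assumption about your pipeline.

```python
"""Structural check of an email attachment for an Office document that can
carry a VBA macro, the payload type in the KONNI case above.

Added example, not Tessian's or CISA's code. Samples are built in memory
(minimal packages, not real documents). The check does not parse or run the
macro; legacy OLE2 .doc files are only flagged for follow-up with a
compound-file parser such as oletools' olevba (an assumption about your pipeline).
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"            # legacy .doc/.xls/.ppt container
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"  # declared in [Content_Types].xml


def classify_office_attachment(data):
    """Return one of:
       'ole2-binary'  legacy binary Office file; may contain macros, needs olevba
       'ooxml-macro'  Open XML package with an embedded VBA project
       'ooxml-clean'  Open XML package without a VBA project
       'not-office'   anything else
    The file extension is ignored on purpose: the sender chooses it.
    """
    if data.startswith(OLE2_MAGIC):
        return "ole2-binary"
    if not data.startswith(b"PK"):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as package:
            names = package.namelist()
            if "[Content_Types].xml" not in names:
                return "not-office"
            has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
            declares_vba = VBA_CONTENT_TYPE in package.read("[Content_Types].xml")
            return "ooxml-macro" if (has_vba_part or declares_vba) else "ooxml-clean"
    except zipfile.BadZipFile:
        return "not-office"


def should_block(data):
    """Policy assumed here: hold macro-bearing and legacy-binary Office files
    from external senders for review. Returns (block?, classification)."""
    kind = classify_office_attachment(data)
    return kind in ("ooxml-macro", "ole2-binary"), kind


def _build_ooxml(with_macro):
    """Constructed minimal Open XML package; a real .docx/.docm has many more parts."""
    override = (b'<Override PartName="/word/vbaProject.bin" '
                b'ContentType="application/vnd.ms-office.vbaProject"/>' if with_macro else b"")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("[Content_Types].xml",
                         b'<?xml version="1.0"?><Types>'
                         b'<Default Extension="xml" ContentType="application/xml"/>'
                         + override + b"</Types>")
        package.writestr("word/document.xml", b"<w:document/>")
        if with_macro:
            package.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder, not real VBA
    return buf.getvalue()


# Constructed samples keyed by the name the sender gave them.
SAMPLES = {
    "report.docx": _build_ooxml(with_macro=False),
    "invoice.doc": _build_ooxml(with_macro=True),   # macro package under a .doc name
    "legacy.doc": OLE2_MAGIC + b"\x00" * 504,        # header only; stands in for a real OLE2 file
    "notes.txt": b"just text",
}


if __name__ == "__main__":
    for filename, data in SAMPLES.items():
        block, kind = should_block(data)
        print(f"{filename:12s} {kind:12s} {'BLOCK' if block else 'allow'}")
```

Classifying by content rather than by extension matters because "invoice.doc" above is an Open XML package with a VBA project regardless of its name; whether to quarantine legacy binary documents outright or route them to a macro scanner is a policy choice for your environment.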
Human Layer Security Spear Phishing DLP Data Exfiltration
Worst Email Mistakes at Work and How to Fix Them
By Maddie Rosenthal
05 January 2021
Everyone makes mistakes at work. It could be double-booking a meeting, attaching the wrong document to an email, or misinterpreting directions from your boss. While these snafus may cause red-faced embarrassment, they generally won't have any long-term consequences. But what about mistakes that compromise cybersecurity? This happens more often than you might think. In fact, nearly half of employees say they've done it, and employees under 40 are among the most likely.

In this article, we'll focus on email mistakes. You'll learn:

- The top five email mistakes that compromise cybersecurity
- How frequently these incidents happen
- What to do if you make a mistake on email
I sent an email to the wrong person

At Tessian, we call this a misdirected email. If you've sent one, you're not alone. 58% of people say they've done it and, according to Tessian platform data, at least 800 are fired off every year in organizations with over 1,000 people. It's also the number one security incident reported to the Information Commissioner's Office (ICO) under the GDPR. (More on the consequences related to data privacy below.) Why does it happen so often? Because it's incredibly easy to do. It could be a simple typo (for example, sending an email to jon.doe@gmail.com instead of jan.doe@gmail.com) or it could be an incorrect suggestion from autocomplete.

What are the consequences of sending a misdirected email?

While we've written about the consequences of sending an email to the wrong person in this article, here's a high-level overview:

- Embarrassment
- Fines under compliance standards like GDPR and CCPA
- Lost customer trust and increased churn
- Job loss
- Revenue loss
- Damaged reputation

Real-world example of a misdirected email

In 2019, the names of 47 claimants who were the victims of sexual abuse were leaked in an email from the program administrator after her email client auto-populated the wrong email address. While the program administrator maintains that this doesn't qualify as a data leak or breach, the recipient of the email, who worked in healthcare and understands data privacy requirements under HIPAA, continues to insist that the 47 individuals must be notified. As of September 2020, they still hadn't been.

I attached the wrong file to an email

Employees can do more than just send an email to the wrong person. They can also send the wrong file(s) to the right person. We call this a misattached file and, like fat-fingering an email address, it's easy to do. Two files could have similar names, you may not attach the latest version of a document, or you might click on the wrong file entirely.

What are the consequences of sending a misattached file?

As you may have guessed, the consequences are the same as those of sending a misdirected email, and they depend entirely on what information was contained in the attachment. If it's a presentation containing financial projections for the wrong client or a spreadsheet containing the PII of customers, you have a problem.

Real-world example of sending the wrong attachment

A customer relations advisor at Caesars Entertainment UK, part of Caesars Entertainment, was sending emails to the casino's VIPs. In the emails, the employee was meant to attach a customized invitation to an event. But in one email, the employee accidentally attached the wrong document: a spreadsheet containing personal information related to some of their top 100 customers. Luckily, they also spelled the email address incorrectly, so it was never actually sent.
Charles Rayer, Group IT Director, details the incident, and explains why this prompted him to invest in Tessian Guardian, in a Q&A. You can watch the interview here.

I accidentally hit “reply all” or cc'ed someone instead of bcc'ing them

Like sending a misdirected email, accidentally hitting “reply all” or cc instead of bcc are both easy mistakes to make.

What are the consequences of hitting “reply all” or cc instead of bcc?

As you may have guessed, the consequences are the same as those of sending a misdirected email. And, importantly, the consequences depend entirely on what information was contained in, or attached to, the email. For example, if you drafted a snarky response to a company-wide email and intended to send it to a single co-worker but ended up firing it off to everyone, you'll be embarrassed and may worry about your professional credibility. But if you replace that snarky response with a spreadsheet containing medical information about employees, you'll have to report the data loss incident, which could have long-term consequences.

Real-world example of hitting “reply all”

In 2018, an employee at the Utah Department of Corrections accidentally sent out a calendar invite for her division's annual potluck. Harmless, right? Wrong. Instead of sending the invite to 80 people, it went to 22,000, nearly every employee in Utah state government. While there were no long-term consequences (it wasn't considered a data loss incident or breach), it does go to show how easily data can travel and land in the wrong hands.

Real-world example of cc'ing someone instead of bcc'ing them

On January 21, 2020, 450 customer email addresses were inadvertently exposed after they were copied, rather than blind copied, into an email. The email was sent by an employee at speaker-maker Sonos and, while it was an accident, under GDPR the mistake is considered a potential breach.
I fell for a phishing scam

According to Tessian research, 1 in 4 employees has clicked on a phishing email. And the odds aren't exactly in our favor: in 2019, 22% of breaches involved phishing, and 96% of phishing attacks start on email. (You can find more Phishing Statistics here.) Like sending an email to the wrong person, it's easy to do, especially when we're distracted, stressed, or tired. But it doesn't just come down to psychology. Phishing scams are getting harder and harder to detect as hackers use increasingly sophisticated techniques to dupe us.

What are the consequences of falling for a phishing scam?

Given the top five “types” of data that are compromised in phishing attacks (see below), the consequences of a phishing attack are virtually limitless. Identity theft. Revenue loss. Customer churn. A wiped hard drive. The top five “types” of data that are compromised in a phishing attack are:

- Credentials (passwords, usernames, PIN numbers)
- Personal data (name, address, email address)
- Internal data (sales projections, product roadmaps)
- Medical (treatment information, insurance claims)
- Bank (account numbers, credit card information)

Real-world example of a successful phishing attack

In August 2020, the SANS Institute, a global cybersecurity training and certifications organization, revealed that nearly 30,000 records of PII were compromised in a phishing attack that convinced an end user to install a self-hiding and malicious Office 365 add-on.
While no passwords or financial information were compromised and all the affected individuals have been notified, the breach goes to show that anyone, even cybersecurity experts, can fall for phishing scams. And most phishing attacks have serious consequences. According to one report, 60% of organizations lose data, 50% have credentials or accounts compromised, another 50% are infected with ransomware, and 35% experience financial losses.

I sent an unauthorized email

As part of a larger cybersecurity strategy, most organizations will have policies in place that outline what data can be moved outside the network and how it can be moved. Generally speaking, sending data to personal email accounts or third parties is a big no-no. At Tessian, we call these emails “unauthorized” and they're sent 38x more often than IT leaders estimate. Tessian platform data shows that nearly 28,000 unauthorized emails are sent in organizations with 1,000 employees every year. So, why do people send them? It could be well-intentioned: for example, sending a spreadsheet to your personal email address to work on over the weekend. Or it could be malicious: for example, sending trade secrets to a third party in exchange for a job opportunity.

What are the consequences of sending an unauthorized email?

Whether well-intentioned or malicious, the consequences are the same: if the email contains data, it could be considered a data loss incident or even a breach. In that case, the consequences include:

- Lost data
- Lost intellectual property
- Revenue loss
- Losing customers and/or their trust
- Regulatory fines
- Damaged reputation

No sensitive data involved? The consequences will depend on the organization and existing policies. But you should (at the very least) expect a warning.

Real-world example of an unauthorized email

In 2017, an employee at Boeing shared a spreadsheet with his wife in hopes that she could help solve formatting issues. While this sounds harmless, it wasn't.
The personal information of 36,000 employees was exposed, including employee ID data, places of birth, and accounting department codes. You can find more real-world examples of “Insider Threats” in this article: Insider Threats: Types And Real-World Examples

How can I avoid making mistakes on email?

The easiest answer is: be vigilant. Double-check who you're sending emails to and what you're sending. Make sure you understand your company's policies when it comes to data. Be cautious when responding to requests for information or money. But vigilance alone isn't enough. To err is human and, as we said at the beginning of this article, everyone makes mistakes. That's why, to prevent email mistakes, data loss, and successful targeted attacks, organizations need to implement email security solutions that prevent human error. That's exactly what Tessian does. Powered by machine learning, our Human Layer Security technology understands human behavior and relationships.

- Tessian Guardian automatically detects and prevents misdirected emails
- Tessian Enforcer automatically detects and prevents data exfiltration attempts
- Tessian Defender automatically detects and prevents spear phishing attacks

Importantly, Tessian's technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of the organization's email network. That means it gets smarter over time to keep you protected, always. Interested in learning more about how Tessian can help prevent email mistakes in your organization? You can read some of our customer stories here or book a demo.
Spear Phishing DLP
December Cybersecurity News Roundup
30 December 2020
December 2020 might have been the most significant month in cybersecurity history. Private companies continued to be used as attack vectors in the ongoing international cyberwar. The plague of COVID-19-related phishing scams showed no signs of stopping. And yet another big tech company faced a fine following a data breach.

This month, we've split our cybersecurity roundup into two parts. Part 1 deals with the SolarWinds hack and the subsequent fallout, affecting tens of thousands of companies worldwide. Part 2 looks at some of December's other major cybersecurity headlines.

Part 1: SolarWinds Hack

The cybersecurity headlines this month have been dominated by the discovery that US software company SolarWinds had been hacked by state-sponsored Russian hackers. The SolarWinds story will continue to develop throughout 2021. Part 1 of our December cybersecurity news roundup sets out the major developments so far, to help you understand how this major cybersecurity incident is unfolding.

FireEye's "red team" tools compromised in cyberattack

December's cybersecurity saga begins with an announcement from security firm FireEye, made via a December 8 blog post. FireEye reported that a "highly sophisticated state-sponsored adversary" had stolen its "red team" tools, which are used to mimic the sorts of attacks and exploits carried out by malicious actors. When such tools fall into the wrong hands, they can be used to carry out real attacks. FireEye sought to reassure its clients in a further blog post on the same day, noting that none of the stolen tools contained zero-day exploits, and it published detection signatures so that defenders could spot the tools in use. We explored the danger of zero-day vulnerabilities in our article: What is a Zero-Day Vulnerability? Blame for the attack fell on the Russian state-backed group known as "Cozy Bear" (APT29). FireEye's revelations were newsworthy in themselves, but the full implications of the company's announcement remained unclear until a few days later.
SolarWinds discloses "highly-sophisticated, targeted and manual" attack

On December 13, Texas-based IT company SolarWinds said that some of the software it released between March and June had been subject to a "highly-sophisticated, targeted and manual supply chain attack by a nation state." SolarWinds' announcement was the first clear indication that one of the biggest cyberattacks of all time might be underway. But why was SolarWinds' announcement so significant? SolarWinds software is used by thousands of organizations, including many US government organizations. The company's announcement revealed that many of SolarWinds' customers had had malware embedded in their systems for up to nine months.

US government reveals massive data breach

The next chapter in 2020's biggest cybersecurity story came on December 13, when Reuters reported that internal email traffic had been compromised at the US Treasury and Department of Commerce. Just like FireEye, which had disclosed its breach five days earlier, these US government departments used the IT-monitoring software platform Orion. Orion is made by, you guessed it, SolarWinds. When the organizations updated their Orion software back in March, they unwittingly installed a backdoor (the malware FireEye named SUNBURST) that had been planted inside a legitimately signed Orion update. The blame for the hack continued to fall on Russia, which denied involvement via a statement on Facebook.

Emergency directive urges US agencies to disconnect Orion products

Shortly after the SolarWinds hack was announced, the US Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01.
The directive's full name is "Mitigate SolarWinds Orion Code Compromise," and it instructs federal agencies to "immediately disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their network." Agencies were also told to "block all traffic to and from hosts, external to the enterprise, where any version of SolarWinds Orion software has been installed." The severity of CISA's directive stood in stark contrast to SolarWinds' reassuring press releases.

SolarWinds attack thought to affect up to 18,000 customers

The full extent of the SolarWinds hack became clearer on December 14, when the company filed a report with the US Securities and Exchange Commission revealing that up to 18,000 organizations may have installed the malicious Orion update. To put this in context, SolarWinds has roughly 300,000 customers in total. Around 33,000 of these use Orion, and more than half of those Orion users may have installed the backdoored update. But these aren't just any customers. According to SolarWinds' website, Orion users include US public bodies such as the Department of Defense, Secret Service, and Air Force, as well as private firms like Symantec, AT&T, and, crucially, Microsoft.

CISA announces APT compromise of public institutions and infrastructure

The SolarWinds saga continued on December 17, when CISA announced an "advanced persistent threat compromise of government agencies, critical infrastructure, and private sector organizations." CISA described the attacker as a "patient, well-resourced, and focused adversary that has sustained long duration activity on victim networks" that, among other activities, was "targeting email accounts belonging to key personnel, including IT and incident response personnel." Once attackers control a target's email account, they can use it to run convincing phishing operations from inside the organization and, when the account belongs to an incident responder, to watch the investigation into their own intrusion.
Read our articles on Business Email Compromise (BEC) and Account Takeover (ATO) attacks to learn how to avoid falling victim to these sorts of scams.

US National Nuclear Security Administration confirms breach

One of the more shocking threads of the SolarWinds story was revealed by Politico on December 17, when it reported that the US National Nuclear Security Administration (NNSA) and Department of Energy (DoE) had been affected by the hack. For many, this took an already deeply concerning event into "borderline terrifying" territory, as the NNSA is responsible for the US nuclear weapons stockpile. However, a DoE spokesperson said that only business networks had been affected. The revelations came shortly after reports that CISA had been "overwhelmed" by the attacks, owing in part to staff shortages. CISA director Chris Krebs was fired by President Trump last month after Krebs defended the integrity of the 2020 election.

Microsoft customers in the US and seven other countries affected by cyberattack

In a December 17 blog post, Microsoft President Brad Smith said that the SolarWinds attack had affected more than 40 Microsoft customers across eight countries. While 80 percent of Microsoft's affected customers were in the US, others were located in Canada, Mexico, Belgium, Spain, the UK, Israel, and the UAE. Smith also said it was "certain" that more locations and victims would emerge. Smith's blog post also called for "a more effective national and global strategy to protect against cyberattacks," underpinned by better information sharing, stricter cybersecurity rules, and stronger accountability of nation-state cyber actors.
NSA Cybersecurity Advisory warns of federated authentication abuse

December 17 saw yet another newsworthy cybersecurity event when the US National Security Agency (NSA) issued a rare Cybersecurity Advisory, warning that "malicious cyber actors are abusing trust in federated authentication environments to access protected data." The advisory did not describe a flaw in Microsoft's Active Directory Federation Services (ADFS), the software that provides single sign-on (including multi-factor authentication) across on-premises and cloud services. It described actors who, having already gained administrative access on a victim network, stole the token-signing key from the federation server and used it to forge SAML tokens for any user, so that cloud services accepted sign-ins the identity provider never performed; it also warned of compromised cloud administrator credentials being used to add attacker-controlled credentials and trusts to tenants. The NSA's advisory followed a December 14 report by Volexity, which revealed that an attacker had bypassed Duo's multi-factor authentication in front of a Microsoft Outlook Web App (OWA) server: having read the Duo integration secret key off the OWA server, the attacker could mint the session cookie that marks a login as having already completed MFA. These incidents serve as a stark reminder that while multi-factor authentication is a crucial component of your cybersecurity ecosystem, you cannot rely on it alone to keep your email accounts safe: an attacker who holds the secret that MFA trusts never sees the prompt.

Part 2: Other Important Cybersecurity News

While the SolarWinds hack generated the most headlines, December saw many other important, unrelated cybersecurity news stories. Part 2 of our December cybersecurity news roundup presents some of the month's other big cybersecurity events.

FBI warns of threats against ransomware victims

The US Federal Bureau of Investigation (FBI) published a Private Industry Notification (PIN) on December 10, advising businesses to take steps to improve cybersecurity safeguards against ransomware attacks. Perhaps most interestingly, the PIN warns that cybercriminals have been following up ransomware attacks with phone calls attempting to "extort payments through intimidation" and "threatening to release exfiltrated data." The FBI does not advocate paying a ransom after falling victim to a ransomware attack. It suggests taking steps to mitigate or prevent attacks, including creating secure backups, monitoring network traffic, and enabling multi-factor authentication.
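The FBI's advice to enable multi-factor authentication sits alongside the NSA advisory earlier in this roundup: MFA is worth enabling, but the logs also need to be watched for tokens that MFA never saw. The following is an added example, not code from the NSA advisory, Microsoft, Volexity, or this page, of three checks in the spirit of the advisory's detection guidance for forged federation tokens: a token whose validity window is far longer than the identity provider would issue, a token from an issuer the tenant never configured, and a token the service provider accepted although the federation server has no record of issuing it. The issuer URL, the one-hour lifetime policy, the users, the timestamps, and both log sources are constructed; real deployments would feed it the federation server's token-issuance audit events and the cloud tenant's sign-in records.

```python
"""Anomaly checks on federated (SAML) tokens over constructed log records.

Added example; not code from the NSA advisory, Microsoft, or this page.
Issuer URLs, user names, timestamps and policy values are made up.
"""
from datetime import datetime, timedelta, timezone

# Assumed: the only token issuer configured for this tenant.
TRUSTED_ISSUERS = {"http://sts.example-corp.com/adfs/services/trust"}
# Assumed policy: legitimate tokens here live at most one hour. Forged tokens are
# often minted with day- or week-long windows so the attacker need not renew them.
MAX_LIFETIME = timedelta(hours=1)
# How far apart an IdP issuance record and the SP's acceptance may be and still
# be treated as the same token (assumed clock tolerance).
ISSUANCE_TOLERANCE = timedelta(seconds=60)


def ts(s):
    """Parse an ISO-8601 UTC timestamp such as 2020-12-15T09:00:05Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed: token-issuance audit records from the on-premises federation
# server (the identity-provider side of the trust).
ADFS_ISSUANCE_EVENTS = [
    {"time": "2020-12-15T09:00:05Z", "subject": "alice@example-corp.com"},
    {"time": "2020-12-15T09:30:02Z", "subject": "dave@example-corp.com"},
]

# Constructed: tokens as seen by the service provider (for example a cloud
# mailbox), with the assertion's Issuer and Conditions window.
ACCEPTED_TOKENS = [
    {"id": "t1", "subject": "alice@example-corp.com",
     "issuer": "http://sts.example-corp.com/adfs/services/trust",
     "not_before": "2020-12-15T09:00:00Z", "not_on_or_after": "2020-12-15T10:00:00Z",
     "accepted_at": "2020-12-15T09:00:06Z"},
    # 24-hour window and no IdP record: what a token signed off-box with a
    # stolen token-signing key looks like.
    {"id": "t2", "subject": "bob@example-corp.com",
     "issuer": "http://sts.example-corp.com/adfs/services/trust",
     "not_before": "2020-12-15T02:13:00Z", "not_on_or_after": "2020-12-16T02:13:00Z",
     "accepted_at": "2020-12-15T02:13:01Z"},
    # Issuer the tenant never configured: a federation trust added by an attacker.
    {"id": "t3", "subject": "carol@example-corp.com",
     "issuer": "http://sts.attacker.example/adfs/services/trust",
     "not_before": "2020-12-15T11:00:00Z", "not_on_or_after": "2020-12-15T12:00:00Z",
     "accepted_at": "2020-12-15T11:00:10Z"},
    {"id": "t4", "subject": "dave@example-corp.com",
     "issuer": "http://sts.example-corp.com/adfs/services/trust",
     "not_before": "2020-12-15T09:30:00Z", "not_on_or_after": "2020-12-15T10:30:00Z",
     "accepted_at": "2020-12-15T09:30:10Z"},
]


def analyze(tokens, issuance_events, trusted_issuers=TRUSTED_ISSUERS,
            max_lifetime=MAX_LIFETIME, tolerance=ISSUANCE_TOLERANCE):
    """Return {token id: [finding, ...]}; an empty list means nothing anomalous."""
    issued_for = {}
    for ev in issuance_events:
        issued_for.setdefault(ev["subject"].lower(), []).append(ts(ev["time"]))

    report = {}
    for tok in tokens:
        findings = []
        if tok["issuer"] not in trusted_issuers:
            findings.append("untrusted-issuer")
        lifetime = ts(tok["not_on_or_after"]) - ts(tok["not_before"])
        if lifetime > max_lifetime:
            findings.append("long-lifetime:%dh" % (lifetime.total_seconds() // 3600))
        accepted = ts(tok["accepted_at"])
        idp_times = issued_for.get(tok["subject"].lower(), [])
        if not any(abs(accepted - t) <= tolerance for t in idp_times):
            # The SP honoured a token the IdP has no record of issuing.
            findings.append("no-idp-issuance-record")
        report[tok["id"]] = findings
    return report


if __name__ == "__main__":
    for token_id, findings in analyze(ACCEPTED_TOKENS, ADFS_ISSUANCE_EVENTS).items():
        print(token_id, "OK" if not findings else ", ".join(findings))
```

The issuer and lifetime checks are cheap heuristics and a careful attacker can mint tokens that pass both (t2 uses the tenant's real issuer). The correlation check is the strong signal, because a token forged with a stolen signing key is never seen by the federation server, but it only works if token-issuance auditing on that server is switched on and shipped somewhere the attacker cannot edit.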
Since many ransomware attacks arrive via email, it's essential to protect your business using email security software. Read our article on How to Choose the Right Email Security Software for more information.

Research reveals COVID-19 phishing remains a serious problem

Research reported by Health IT Security on December 11 showed that cyberattackers continue to exploit the COVID-19 pandemic through phishing scams. The report cites research by KnowBe4, which reveals a new batch of spear phishing emails relating to vaccinations. Armorblox also reports emails impersonating the US Internal Revenue Service (IRS) and purporting to offer COVID-19 financial relief. The majority of COVID-19 phishing attacks target credentials, a common strategy which we discuss in our article What is Credential Phishing? You can also check out four real-world examples of other COVID-19 phishing attacks in this article. These scams are a new variant on the COVID-19 phishing theme that started hitting inboxes in March and, like all social engineering attacks, they seek to exploit people's trust in authority. Want to learn how to avoid falling victim to these sorts of scams? See our article: How to Identify and Prevent Phishing Attacks.

Irish regulator fines Twitter over data breach

Ireland's data protection authority, the Data Protection Commission (DPC), issued a €450,000 fine against Twitter on December 15 over the company's handling of a 2018 data breach affecting Android users. Twitter's violations of the EU's General Data Protection Regulation (GDPR) included failing to notify the DPC about the breach within the required 72-hour period, and failing to document the breach properly. While nearly half a million euro is a lot of money, it's fairly small beer for a company as large as Twitter. The GDPR allows fines of up to 2% of global annual turnover for this type of violation, which could have led to a maximum fine of around €60 million in Twitter's case.
We outline the biggest GDPR fines of 2020 in this article.

But the DPC originally proposed an even smaller fine of between €135,000 and €275,000. This proposal was seen as excessively lenient by other EU data protection authorities, who disputed it under the first ever use of the GDPR's Article 65 dispute-resolution procedure. Other DPAs, such as Germany's BfDI, argued that a higher fine of up to €22 million would be more appropriate. These objections led to a binding decision of the European Data Protection Board (EDPB) which required the DPC to reconsider its proposed fine. The regulator's response, raising the fine to just 0.1% of Twitter's 2019 turnover, will lead many to suggest that the social media giant got off lightly.

Contact details of 270,000 cryptocurrency users leaked

On December 22, BleepingComputer reported that the contact details of over 270,000 customers of the cryptocurrency hardware wallet maker Ledger were being offered on a hacking forum, following a breach of Ledger's e-commerce database that occurred in July. Two text files were reportedly leaked, one containing 1,075,382 email addresses, and the other containing 272,853 people's names, mailing addresses, and phone numbers. Although this type of personal data is not classed as sensitive under data protection law, it is highly valuable to attackers: it can be used to launch phishing attacks against the users, and because Ledger sells hardware wallets, the list tells an attacker who holds cryptocurrency and where they live. Earlier this month, Ledger users reported receiving phishing emails from an actor impersonating Ledger's security team.

That's all for this month. If we missed anything, please email madeline.rosenthal@tessian.com and stay tuned for the next roundup.