Spear Phishing
How to Spot and Avoid 2020 Census Scams
By Maddie Rosenthal
07 April 2020
In case you missed it, Tessian recently published a blog around the most common types of Tax Day scams in both the US and the UK.  Unfortunately, though, these aren’t the only opportunistic phishing attacks bad actors are carrying out this time of the year. They’re also launching Census scams.  As they do in Tax Day scams, cybercriminals will be impersonating government agencies. In this case, you’ll find they’re generally impersonating either the U.S. Census Bureau or an agent, or a third-party agency working for the U.S. Census Bureau. What do Census scams look like? Hackers have a range of threat vectors they can use to carry malware or gain access to sensitive information. In the past, we’ve seen attacks via email, phone, social media, job boards, and even traditional mail.  The common thread between all of these attacks is the request for sensitive personal information like home addresses, social security numbers, ethnicity and information related to the members of your household. This information could be used to make you a victim of identity theft. It’s important to remember that attacks may not ask directly for this information and may instead direct you to another webpage or portal via a link or QR code.  In this post, though, we’ll focus on email scams.  Example: Email Survey Scam
What’s wrong with this email? The US Census Bureau conducts surveys online, over the phone, via mail, or in-person, not via email.  While the Display Name looks authentic, the full email address is suspicious and inconsistent and doesn’t match the legitimate domain, which is @census.gov. Upon hovering over the link, you’ll see the URL is suspicious. Not only is the website connection not secure (remember: https indicates a secure connection), but the format and website name are both unusual.  Who will be targeted by Census scams?  Because it’s mandatory for all households to participate in the census, every US resident over 18 years of age is at risk of being targeted. That means that over the next several weeks, everyone in every state needs to exercise caution when responding to a request for personal information that appears to be coming from the U.S. Census Bureau or an affiliated individual or organization.   What do I do if I’m targeted by a phishing attack?  While it’s true that attackers use different tactics and capitalize on different moments in time to trick their targets, individuals should always follow the same guidelines if they think they’ve received a fraudulent request for information, whether by mail, email, SMS, or another online forum.  If anything seems unusual, do not follow or click links or download attachments.  The best way to avoid falling victim to one of these scams – whether over email, online, or over the phone – is to simply not provide any personal information until you verify with 100% certainty that you’re communicating with a genuine agency, organization, or agent. Visit the organization’s website via Google or your preferred search engine, find a support number, and ask them to confirm the request for information is valid. If you’ve been targeted, report the attack to the Census Bureau. Call 1-800-354-7271, in English, or 1-800-833-5625, in Spanish. More resources The best way to stay safe is to stay informed.  The Census Bureau has issued its own advice on how to stay safe from phishing scams online and over the phone. Read their tips here. 
Spear Phishing
Everything You Need to Know About Tax Day Scams 2020
By Maddie Rosenthal
07 April 2020
While the world’s workforce has been adjusting to remote-working over the last several weeks and has, at the same time, become aware of opportunistic phishing attacks around COVID-19, attackers have been plotting their next attack: Tax Day Scams. These phishing attacks can take many different forms and target both US and UK residents. In the US, these attacks will use the deadline to file your income tax returns as bait. In the UK, these attacks will use your potential tax refund as bait.  But we’re here to help.  Here’s what you need to look out for and what to do in case you’re targeted by Tax Day scams. 
 What do Tax Day scams look like? As is the case with other phishing and spear phishing attacks, hackers will be impersonating trusted brands and authorities and will be – in some way – motivating you to act. Let’s take a closer look at how they do both through a series of examples. Example 1: IRS Impersonation 
What’s wrong with this email? The IRS has said they never contact taxpayers by email, so any correspondence “from” them is illegitimate. There is an extra “r” in “internal” in the sender’s email address Email addresses from government agencies will contain the toplevel domain “.gov”. There are spelling errors and inconsistencies in the text that you wouldn’t expect from a government agency. Example 2: Tax-Preparation Software Impersonation
What’s wrong with this email? While the sender’s email address does contain Fast Tax, the company name, the toplevel domain name (.as) is unusual. The sender is motivating the target to follow the embedded link by claiming their tax return is incomplete. Upon hovering over the link, you’ll see the URL is suspicious. Please note, though: A suspicious URL can still take you to a landing page that appears legitimate. Example 3: HMRC Impersonation
What’s wrong with this email? While the Display Name, email template, logos, and language used in the email seem consistent with HMRC, the sender’s email address contains the toplevel domain “.net” instead of “.gov.uk” Upon hovering over the link, you’ll see the URL is suspicious.  Example 4: Client Impersonation
What’s wrong with this email? Unfortunately, in this case, there are no obvious giveaways that this is a phishing scam. However, if Joe, the tax accountant in this scenario, knew he hadn’t met or interacted with a woman named Karen Belmont, that could be a warning sign. Individuals and organizations should always be wary of attachments and should have anti-malware and/or virus protection in place. Example 5: CEO Impersonation
What’s wrong with this email? The root domain (supplier-xyz) in the sender’s email address is inconsistent with the toplevel domain (.com) in the recipient’s email address. The attacker is  impersonating the CEO in hopes that the target will be less likely to question the request.  The attacker is using urgency both in the subject line and the email copy to motivate the target to act quickly. Because this is a zero-payload attack (an attack that doesn’t rely on a link or attachment to carry malware), anti-malware or anti-virus software wouldn’t detect the scam. Who will be targeted by Tax Day scams?  From the examples above, you can see that cybercriminals will target a range of people with their Tax Day scams. Taxpayers, tax professionals, and businesses are all susceptible and savvy hackers will use different tactics for each.  Here’s what you should look out for. Taxpayers Attackers will be impersonating trusted government agencies like HMRC and IRS and third-parties like tax professionals and tax software vendors. Attackers will use coercive language and the threat of missed deadlines or promises of refunds to motivate their targets to act. Many phishing emails contain a payload; this could be in the form of a malicious link or attachment.  For more information on payloads, read this comprehensive guide to phishing scams. Tax Professionals Attackers will be impersonating either existing clients/customers or prospects. In either case, they’ll be pretending to need help with their tax return or tax refund. Attackers will use the lure of new business or the threat of losing a customer to motivate their targets to act. Many phishing emails contain a payload; this could be in the form of a malicious link or attachment.  Businesses Attackers will be impersonating CEOs, HR representatives, Finance Directors, or other individuals or agencies who need access to sensitive tax information. Attackers are strategic in their impersonations of people in positions of power; people are less likely to question their superiors.  What do I do if I’m targeted by a phishing attack? While it’s true that attackers use different tactics and capitalize on different moments in time to trick their targets, individuals and businesses should always follow the same guidelines if they think they’ve received a phishing email.
If anything seems unusual, do not follow or click links or download attachments.  The best way to avoid falling victim to one of these scams is to simply not provide any personal information until you verify with 100% certainty that you’re communicating with a genuine agency, organization, or agent. Visit the organization’s website via Google or your preferred search engine, find a support number, and ask them to confirm the request for information is valid. If the email appears to come from an individual you know and trust, like a colleague, customer, or client, reach out to the individual directly by phone, text or a separate email thread. If you’re an employee who’s been targeted, contact your line manager and/or IT team. Management should, in turn, warn the larger organization.
More resources As a security start-up, we’re committed to helping you stay safe. If you’re looking for more information on Tax Day scams, consult the following government websites. Advice from the IRS Advice from HMRC
How to protect your organization from phishing attacks year-round As we’ve mentioned, Tax Day scams are just one of the ways bad actors will try to get hold of sensitive information or infect devices with malware. The best way to avoid falling for these scams year-round is to educate your employees and stay vigilant.  If you’re an organization, it only takes one mistake, one time for your most sensitive data to fall into the wrong hands. If you’re an IT or Security professional looking for a solution that’s more effective than awareness training and SEGs at preventing advanced phishing threats, consider Tessian Defender.  Book a demo now to find out how Tessian uses contextual machine learning to detect and prevent advanced spear phishing attacks without impeding on employee’s productivity. 
Compliance Data Exfiltration DLP Human Layer Security Spear Phishing
Ultimate Guide to Staying Secure While Working Remotely
By Maddie Rosenthal
27 March 2020
The gradual trend towards remote working has been expedited by recent events, and now businesses and employees alike find themselves adapting to moving almost everything online to accommodate a distributed workforce. Obviously, this has a massive impact on how we behave and how we work, which inevitably has an impact on security culture. In this blog, we’ll discuss what we consider to be the main challenges and questions that arise from moving to a remote working model, and how both management teams and employees can make good decisions about security.
The risk involved in sending work emails “home” It may seem harmless to send an email containing a spreadsheet or a project proposal to your personal email address in order to have easy and quick access whenever you need it. But doing so is risky for a number of reasons.  Personal email accounts can be compromised, especially as they are often configured with weak passwords Email is not a default encrypted medium. If an attacker were in a position to intercept your email, they would be able to read them, and any attachments if not encrypted Devices used to access personal email, such as personal laptops and mobile phones, may also be more easily compromised than work devices safeguarded by your company The bottom line is, sending sensitive information to your personal email accounts increases the risk of data exfiltration, both from insider threats and outsider threats. You can read more about this – including how to prevent data exfiltration – in this article.  Public Wi-Fi vs. using a personal device as a hotspot While for now, most of the world is working from home, “working remotely” can extend to a number of places. You could be staying with a friend, catching up on emails during your commute, or getting your head down at a café. Of course, to do work, you’ll likely rely on internet access. While connecting to public Wi-Fi is not encouraged, the risks can be managed if the right systems are put in place. As an employer, you should ensure that any services an employee must connect with over the internet (such as a web portal for your email or time tracking app), are only served over HTTPS. This is the encrypted version of HTTP, which is used to transfer data over the web. Using HTTPS ensures that all data transmitted between your network and the employee’s device is encrypted. For any services that should not be offered over the internet but that employees will require access to, you should enable them to connect via a VPN.  As an employee, here’s what you can do to be safe: When connecting to a service over the internet, check the address bar to ensure the protocol used is HTTPS, not HTTP. If you’re using a service from your employer that isn’t HTTPS, avoid connecting and let alert your IT team of the oversight.  Ensure you keeping VPN software on work devices up-to-date Importantly – and despite many articles written stating the contrary – using a personal mobile phone as a hotspot to connect a work laptop to the corporate network can actually raise more concerns than connecting via public Wi-Fi.  From a security perspective, any device used to connect to your network could be a risk. Why? Because there’s no way for a company to effectively manage the software and security of devices they do not own. If a phone is being used as a hotspot and has already been compromised by an attacker, it’s possible it could be used to pivot to the corporate network. Any connections made over HTTPS will still be encrypted, of course, but it’s still important to weigh up the risks and err on the side of caution.  This may be easier to understand with an example. Let’s say you open a malicious attachment from a phishing email on your mobile device. If that malicious attachment contains spyware, hackers can (rather easily) infiltrate your phone. That means that if you then connect to your company network on your laptop via your phone’s hotspot, hackers will have a foothold into your company network, too.  Top tip: Any personal devices used in this way should fall under the domain of your corporate “Bring your own device” (BYOD) policy. Each organization’s policy will be different, so it’s best to check with your IT and security teams before you consider using a hotspot as a workaround in the case of limited access to Wi-Fi.
Best practice around using cloud storage to share documents For many organizations, cloud services have replaced company local networks to store, manage, and share information. While it’s fair to say that the transition from office-to-home is certainly easier with cloud storage, there are still some security concerns that must be addressed in order to lock down your sensitive information. Most concerns center around the perceived risks of allowing someone else to host your data. And, because it’s stored on the “cloud” it can – in theory – be accessed by anyone on the internet with the right credentials. In the worst case, this could be an attacker who comprises a user laptop or guesses a weak password. But, there are several ways to ensure your cloud system is secure. Organizations considering moving to a cloud system should consider: How the data is backed up Risks associated with denial of service (DOS) attacks  Legal complications that may arise from certain types of data being stored overseas Not sure how to navigate these considerations? Concerns about standards and support can all be worked out during the contract stage, and many companies offer secure and resilient storage. It’s no different to any risk assessment phase when purchasing a new service. At Tessian, we use Google Drive. It’s still necessary to put in the work to ensure that your data is stored in the correct places, and appropriately secured, just as you would with a local storage solution. Folders should be structured and locked down with appropriate access permissions to ensure that only users who are authorized to view the contents can do so. For example, you can restrict access to and sharing with people outside the corporate network. In addition, requiring two-factor authentication for Google accounts is very important. Conferencing and collaboration tools Remote-working means an increased reliance on conferencing, chat, and other collaboration applications to stay in touch with colleagues. All such applications come with security considerations. IT and security teams must be clear with employees about what sort of information can be shared over these applications, after assessing their suitability. Without clear guidance, employees may act in ways that are less than secure in order to do their jobs, which means comprehensive policies and procedures must be put in place and communicated clearly across an organization.  We share our criteria for vetting and onboarding new tools in our blog, 11 Tools to Help You Stay Productive and Secure While Working Remotely. You’ll also find a list of tools we use across departments to stay connected while working remotely. Additionally, it’s important to ensure employees understand which applications should be used to share which kinds of information and where the design of the application itself may lead to a compromise.  For example, a screenshot of a conference call or online meeting may reveal information that would be useful to an attacker; such as a Zoom meeting ID that allows anyone to join that meeting without a PIN. If such a screenshot were shared online, this could be exploited by an attacker and give them unlimited access to private, internal communications.   
How to physically protect your devices Working on devices outside of the office, even in a home environment, carries additional risks. There is always the potential for an attacker to get physical access to a device. In the home environment, employees should be reminded that their devices are gateways to sensitive information. They should always lock devices, and make sure they’re secured with good passwords or, in the case of mobile phones, 6-digit PINs or complex swipe codes.
Employees should also make sure that devices aren’t left in plain sight, such as near windows at home or on a passenger seat if travelling by car. This will help prevent opportunistic theft. While it may sound unlikely, you should always assume that devices might be stolen. In fact, in an organization of reasonable size, it will almost certainly happen. That means that encryption should be used to protect the data on them, and employees should know exactly when and how to report thefts to the support team. This ensures that the devices can be wiped if they are activated. Any organization that has a remote-working policy in place should also provide employees with privacy screens for their laptops, and encourage them to always work in positions that minimize line-of-sight views of their device screens by others.  This has the added benefit of showing clients or other professional contacts that the business takes security seriously. About that OOO message… “Hi, I’m on vacation right now, returning April 15th. If it’s urgent, you can contact me directly on my personal number or email below, or my line manager at…” It’s human nature to want to be helpful. When setting an out-of-office message, therefore, we often try to give the recipient as much information as possible to help them out. However, it’s important to consider whether that information really needs to be shared, and whether it might be useful to an attacker. When planning a spear phishing attack – a type of phishing attack that is targeted at a specific individual or small set of individuals – an attacker will try to gather as much open-source intelligence about their target as they can in order to make the email as believable as possible.  Phone numbers, alternative email addresses, details about company structure and reporting lines, and other data points are all things that could be useful to an attacker. Again, businesses should make sure employees are aware of these risks and should provide them with a simple template for OOO messages alongside guidance on how and when to forward important emails while away. Top tips for businesses setting up remote-working policies…. Keep policy points clear and concise and support them with similarly written procedures. Employees cannot practically absorb or retain 60+ pages of security policy, especially not overnight. When approving the use of new tools or software, always communicate the change to your employees, including guidelines on how and where to access them. Remember that users are going to make mistakes because they are human. Support them and encourage them to report issues, rather than making them afraid to admit to a mistake. Give clear channels for reporting such issues, supported by technical and human resources; for example, guidance on how to report a potential phishing email along with a method to contact support in the event of account lockout. Consider other technical challenges, such as how your support team can verify user identity when asked to reset a password or perform other remote technical support functions. Ensure your support team is trained and briefed to offer remote workers reassurance and understanding when a security issue arises. Remote workers need to feel connected with their colleagues during difficult moments. Top tips for employees working from home… Use company-approved cloud or VPN services to access work documents instead of emailing sensitive information to your personal email accounts. Don’t download new software or tools without consulting your IT team. Keep your software and operating systems up-to-date. Always lock your laptop and keep all of your devices password-protected. Avoid public Wi-Fi and don’t rely on personal hotspots; whenever possible, find a secure, stable network to connect to. Before you join that call or connect to that site – especially if it requires installing new software – stop and think about the potential implications. If you’re not sure, ask your colleagues or support team for help. If you make a mistake and find yourself alarmed or fearful, it’s important to stop, think, and get someone else involved to support you. Report near misses. If you almost make a mistake, the odds are that others have also almost done the same thing. By sharing this information, your colleagues will be better informed and your business can modify procedures or applications to help prevent the issue ever occurring. During this transitional period, we think it’s incredibly important to provide everyone – our employees, our customers, and our community – with as much information as possible. With that said, you may also find the below links helpful in getting your team set up to work remotely.  FTC online security tips for working from home NCSC issues guidance as home working increases in response to COVID-19 We’ll also continue sharing best practice tips both on our blog and on LinkedIn. 
Spear Phishing
Coronavirus and Cybersecurity: How to Stay Safe From Phishing Attacks
17 March 2020
Hackers love emergencies and times of general uncertainty. Why? Because people are scared, distracted, potentially desperate, and are therefore vulnerable—making them ideal targets. As COVID-19 continues to spread and global concern about the pandemic rises, bad actors will be impersonating trusted institutions like healthcare organizations, insurance companies, banks, and airlines in order to steal money, harvest credentials, or install malware on your computer…and that’s just on the consumer side.  When it comes to business, trusted individuals and brands will be impersonated. For example, hackers will impersonate out-of-office CxOs and popular web conferencing applications, especially as organizations encourage and rely on remote-working. Internally at Tessian, we’ve shared tips with our employees on how to spot this type of scam and what to do in case you’re targeted. We think it’s important to spread the message and raise awareness with everyone.  Consumers: What Should You Look For? Hackers will be impersonating trusted brands. Carefully inspect all emails, but be especially wary of those coming from healthcare organizations, insurance companies, banks, and airlines, especially those that ask you to “Confirm you are safe”, “Confirm you haven’t traveled to recently affected COVID-19 countries”, or anything similar.  Look beyond the Display Name and examine the full email address of every sender. While hackers can directly spoof an email address, they’ll often change, remove, or add one letter to the genuine email address, making the difference difficult to spot. The goal of a phishing attack is to steal money, harvest credentials, or install malware. That means hackers will motivate you to act, either by encouraging you to download an attachment, follow a link, transfer money, or respond with personal details. These are all red flags.   While hackers can certainly craft perfectly believable correspondence, phishing emails may contain spelling errors or branding inconsistencies either in the logo, email template, or a landing page.  Employees: What Should You Look For? Hackers will be impersonating people within your organization and third-parties like suppliers or vendors. You should be cautious when responding to any internal email that mentions the sender being out-of-office and any third-party email that comes from a source you don’t recognize or that requires urgent action. Look beyond the Display Name and examine the full email address of every sender. While hackers can directly spoof an email address, they’ll often change, remove, or add one letter to the genuine email address, making the difference difficult to spot. The goal of a phishing attack is to steal money, harvest credentials, or install malware. That means hackers will motivate you to act, either by encouraging you to download an attachment, follow a link, transfer money, or respond with personal details. These are all red flags.   While hackers can certainly craft perfectly believable correspondence, phishing emails may contain spelling errors, language or requests that are out-of-character, and branding inconsistencies. These red flags are all a bit easier to spot when you have a bit more context. Below are just a few examples of phishing emails that you may see over the next few weeks. The Fraudulent Third-Party
What’s wrong with this email? The sender’s email address contains irregular characters and doesn’t match the Display Name. Organizations should send internal communications to let their employees know they’ve implemented new tools or platforms. You shouldn’t be hearing about it from the third-party first. Upon hovering over the link, you’ll see the URL is suspicious. Please note, though: A suspicious URL can still take you to a landing page that appears legitimate. The Out-Of-Office Boss
What’s wrong with this email? The sender’s email address is from a freemail domain (@yahoo.com) and not from within the organization. The attacker is giving the email a sense of urgency. That attacker is using remote-working as a ploy to encourage the target to do something unusual. The attacker is impersonating a person in power; this is a common tactic in social engineering schemes. The Concerned Counterparty
What’s wrong with this email? The toplevel domain (.net) is unusual and inconsistent with previous emails from this supplier. The attacker is using fear and urgency to motivate the target to act. Upon hovering over the link, you’ll see the URL is suspicious. Please note, though: A suspicious URL can still take you to a landing page that appears legitimate. The “Helpful” Government Organization
What’s wrong with this email? All valid email correspondence from WHO will come from @who.int, not any other variation. The attacker is using the fear of COVID-19 to motivate the target to download the malicious attachment. Like many other organizations, WHO has stipulated they will never send unsolicited emails containing attachments. The Proactive Health Insurance Provider
What’s wrong with this SMS? The attacker is using fear to motivate the target to act. Because no health insurance provider is mentioned by name, you can assume this text has been sent to a large pool of targets. Legitimate organizations will never ask you to update your payment details via text. The text message contains a shortened link; the target can’t see the URL of the website they’re being led to. Of course, knowing what these opportunistic phishing emails look like is just the first step. Actually knowing what to do if you’re targetted is what’s really important. What to Do If You’re Targeted  If anything seems unusual, do not follow or click links or download attachments. Instead, visit the brand’s website via Google or your preferred search engine, find a support number, and ask them to confirm whether the communication is valid. If the email appears to come from someone you know and trust, like a colleague, reach out to the individual directly by phone, Slack, or a separate email thread. Rest assured, it’s better to confirm and proceed confidently than the alternative.  If you’re an employee who’s been targeted, contact your line manager and/or IT team. We’ve all heard the phrase “prevention is better than cure” and phishing attacks are no exception. While knowing what to do if and when you’re targetted is incredibly valuable, it’s also important that both individuals and organizations know how to avoid being impersonated in the first place.  How to Avoid Being Impersonated For those of you who are working remotely or are otherwise Out of Office, don’t include any personally identifiable information (PII) in your automated emails or on social media. For example, don’t provide your personal mobile number or email address. Don’t tell people to email a colleague in your absence; this information helps bad actors map connections and relationships within an organization, which can be used to make future phishing emails seem more convincing. Hackers can use this to their advantage to target your colleagues. Organizations should implement SPF, DKIM, and DMARC to help prevent hackers from directly spoofing their domain.   Both brands and senior leadership should advise customers and employees what they will and will not ask for via email, phone, or text. People will then have a better sense of what requests are out of the ordinary and therefore suspicious.  As we continue sharing best practice tips with our employees to keep them secure while working remotely, we’ll share them with you, too. Check back on our blog for the latest updates.
Human Layer Security Spear Phishing
Hacker’s Advice: 7 Tips for Avoiding Phishing Scams
09 March 2020
The final speaker at Tessian’s first Human Layer Security Summit was Glyn Wintle, the CTO and co-founder of Tradecraft (formerly DXW Cyber), a security consulting agency that uses social engineering tactics, technical work, open intelligence sources, and attacks on physical locations to breach clients’ systems. In other words, he’s an ethical hacker, although he prefers “friendly hacker”.  During his presentation, he explained how hackers combine psychology and technical know-how to create highly targeted and highly effective phishing attacks on people. Based on his insights, we’ve put together 7 tips to help you avoid social engineering schemes like phishing attacks.
1. Don’t Underestimate Hackers or Overestimate Your Ability to Spot a Phish Glyn started his presentation with one clear and concise statement: Breaking in is easier than defending. And, he’s right.  Attacks like phishing emails rely on power in numbers, meaning that only one person has to follow a link, click an attachment, share personal information, or make a bank transfer for the hacker to be successful.  Interestingly, though, employees tend to be incredibly confident in their ability to spot phishing emails; only 3% of people think it’s difficult to spot a phish. The general consensus, especially amongst employees at organizations where security awareness training is required, is that “only idiots fall for scams”.  While that may be the case with the more blatantly obvious scams – for example, an email coming from a Nigerian Prince claiming they’d like to share their fortune with you if you share your bank account details – hackers have an arsenal of techniques to dupe even the most discerning eye. This is especially the case in spear phishing attacks where hackers might spend days or even weeks researching their target to craft a perfectly believable email. With social platforms like LinkedIn, they can easily uncover not just a company’s organizational structure, but more timely information about individuals like when they’re attending a conference. This is powerful ammunition for a spear phishing attack. 2. Look Out for Both Emotive and Enterprising Scams People tend to be familiar with phishing and spear phishing attacks that rely on an emotional response – fear, urgency, stress – often triggered by an email that appears to be sent from a person in power. They work, really well. But enterprising scams are just as powerful.
Glyn cited an example in which a company made a public announcement that it recently received VC funding. Based on the press release, a savvy hacker contacted the Venture Capital firm impersonating the company. The hacker was able to create a convincing email relationship with the Venture Capital firm and this trust enabled the hacker to successfully get the VC to transfer the funds into their account.  People sometimes mistakenly think the solution to this is to hide all information. But often there’s a reason why information was and is made public. Making sure people know what information is public or not can help. 3. Relying on hyper vigilance isn’t enough People – especially in work environments – tend to move and work quickly. Because of that, and despite training, they might not think twice about irregularities in email addresses, URLs, or landing pages in pursuit of being productive. What’s more, expecting people to double check every thing will not work. They will not get any work done. Management must understand that people make mistakes; expecting them to be hyper vigilant at all times cannot be the solution. There are technical measures that can be used to warn someone that something abnormal is happening. Showing users who do have the privileges to do harmful things what real targeted phishing emails look like can help. But you must also find ways to make their lives easier. Telling them “this is really hard” then saying “best of luck”, is not setting them up for success. 4. Don’t take the “secret” bait If nothing else, hackers are inventive. Glyn cited one example where, instead of emailing a target pretending to be someone else, they’ll simply CC individuals into a conversation that genuinely has nothing to do with them. The email message will allude to a secret or piece of sensitive information; potentially with a malicious link to the alleged source or malicious attachment. It seems rudimentary but it works.  More often than not, the target will follow the link or attachment, thinking they’re gaining access to something highly confidential. In reality, they will have installed malware on their computer. 5. Beware of Urgent Requests and Reasonable Requests While a lot of hackers will use urgency to incite action, that’s not the only tactic they employ. In fact, a tried-and-tested technique according to Glyn is to request an action within two working days.  “If you’re impersonating a company and targeting employees, and you say something must be actioned within two working days, you will get much higher hit rates.”
6. Take Extra Caution on Your Mobile While mobile phones have no doubt made it easier for us to stay connected, they’ve also made it even easier for hackers to pull off successful phishing attacks given the smaller screens and differences in functionality, especially after hours. “I love mobiles. But if you’re targeting someone on mobile, the rules change. You probably want to do it on a Friday night, when alcohol might be involved, especially because the smaller web browser makes it hard to see who the sender is or tell what exactly the URL is.” But, it’s not smaller browsers that make mobiles risky. Smishing and vishing are also on the rise, meaning email isn’t the only threat vector to be weary of. 7. Implement a Security Solution While there are certainly steps individuals can take to prevent themselves from falling victim to a phishing scam, if organizations really want to protect their people, they have to implement security solutions.
Human Layer Security Spear Phishing
Tim Sadler on Hacking Humans Podcast: Episode 87 “The Art of Cheating”
28 February 2020
Tessian’s CEO and co-founder Tim Sadler joined Dave Bittner from the CyberWire and Joe Carrigan from the Johns Hopkins University Information Security Institute to talk about why email is so risky and inboxes remain dangerous territory. Listen to Hacking Humans Episode 87 “The Art Of Cheating.” Dave Bittner: Joe, I recently had the pleasure of speaking with Tim Sadler. He is from a company called Tessian. And we discuss the human element of cybersecurity, along with some details on some phishing schemes. Here’s my conversation with Tim Sadler. Tim Sadler: I think, for a long time, when we’ve spoken about securing people, we’ve always defaulted to training and awareness rather than thinking about how we can use technology to take the burden of security away from people. So I think there’s a challenge at the moment in that humans are unpredictable. They break the rules. They make mistakes. And they’re easily tricked. And that’s what’s leading to so many data breaches today that are ultimately caused by people and human error. Dave Bittner: And so the bad guys, knowing this, have adjusted their tactics. Tim Sadler: I think that’s right. I mean, if you think about email for an organization, it is an open gateway. So it is one of the only pieces of infrastructure an organization has where anybody can send anything into an organization without pre-approval. And I think that’s one of the reasons why we’re seeing such a high level of threat around phishing, spear-phishing, business email compromise, those kinds of attacks. It is the – really, the entry point for every attacker that wants to get into an organization today, and it’s so effortless to execute one of these scams. Dave Bittner: So what kind of things are you tracking? What are some of the specific campaigns that are popular these days? Tim Sadler: So I think, you know, we see everything from the well-known trends like the fact that, you know, it’s tax season and the W-9 form scam – so attackers putting malicious attachments in emails trying to get people to open them because, you know, it’s tax season, and that’s something that everybody is watching out for. And then some of the more interesting things that we’re seeing specifically are around attackers scraping LinkedIn data to automate attacks based on people moving jobs. So a new joiner to an organization will – you know, is – may have a higher propensity to be duped by a phishing scam. They won’t know the protocol that an organization has in place. So we’re seeing a lot of attacks that come through when people are new to an organization. It’s maybe in their first or second week, and then they’ll receive a spear-phishing email pretending to be the CFO or pretending to be the CEO, trying to dupe them into doing something and, again, use those techniques of deception and urgency on emails. Dave Bittner: Now, what about some of the more targeted campaigns – you know, things like spear-phishing, even – you hear it referred to sometimes as whaling, where they’re targeting high-level people within organizations?
Tim Sadler: And actually, you can – for attackers, it is fairly scalable to do this. You can build a LinkedIn scraper. You can be pulling names. And you can be automating the purchase of domains that look like legitimate domains but, in fact, aren’t. And then you can automate the sending of those emails into organizations. And, you know, the rewards from doing this kind of thing can be enormous for attackers. So I read about that charity in the U.K. this morning who fell victim to a spear-phishing scam where they lost almost a million dollars over three transactions. So it is a huge, huge payoff for these attackers when they actually – you know, they get their target to do the thing they want them to. Dave Bittner: What are your recommendations for organizations to best protect themselves? Tim Sadler:  So I think, you know, it does start with awareness. You have to make sure that employees are aware that their inbox is dangerous. And they need to pause, if only for five seconds, just with every email they get and do some basic checks. So check, who is this email from? Does the domain look legitimate? Tim Sadler: But really, what is extremely difficult is, for most organizations today, their entire security strategy is reliant on their employees doing the right thing 100% of the time. So if you are only relying on security training and awareness, there are going to be things that creep through. There are going to be attacks that are successful. And in the same way that organizations use advanced technology to secure their networks and secure their devices, we believe that organizations today need to be using advanced technology to secure their people. Dave Bittner: Well, how does that technology play out? What sort of things are you describing here? Tim Sadler: In order to secure people – so again, we come back to this point that people are unpredictable. They break the rules. They make mistakes, and they’re easily hacked. A system needs to understand the normal patterns of behavior that a person exhibits on email in order to understand what looks like a security threat and what looks like a normal email. So what organizations can do is they can use a platform – like Tessian, for example – that uses machine learning to analyze historical email patterns and behaviors to understand, on every incoming email, does this email look legitimate or not? And that’s something that we’ve pioneered and we use and is much more effective than some of the traditional approaches, which use rules or policies to control the flow of inbound email. Dave Bittner: You know, it reminds me of a story that a colleague of mine shared with some friends who work for a nonprofit. And they got an email from the chief financial officer, who had just gone on vacation, and it said, I know; I realize I’m out of town, but I need you all to transfer this large sum of money, and I need it done immediately; you know, please don’t let me down. And to a person, they all said, this is the last thing in the world this person would ever say or do. And that tipped them off to the problem. It sounds like – I mean, that’s a similar thing to how you’re coming at this from a technological point of view or looking – making sure that the behavior isn’t anomalous. Tim Sadler: Yeah, that’s exactly right. We use machine learning in the way that it’s been applied to other fields – for example, credit card fraud detection. You look at their normal spending patterns and behaviors on card transactions, and then you use that intelligence to then spot the fraudulent transactions. And that’s what we’re doing. We’re looking at normal email behavior in order to spot the fraudulent email behavior. And in the same way that you would try and train a person to look out for the unusual aspects of an email that may give a clue as to whether it’s a phishing email or not, you can train a machine-learning algorithm to do the same. Tim Sadler: Now, the difference and the advantage to doing this is that a machine-learning algorithm can traverse millions and millions and millions of data points in a split second, whereas a human is only going to have a limited number of data points that they can remember or they can go back to in their mind. Dave Bittner: Where do you suppose we’re headed with this? As you look towards the future and this problem with email continues to be an issue, do you suppose the types of things that you’re offering here are going to become just a standard part of doing business? Tim Sadler: I think it’s critical that organizations today realize that their security strategy cannot be reliant on training people to do the right thing 100% of the time. And again, it comes back to – at the beginning of my career, I was working for one of the world’s largest banks and saw a massive problem, and that is that banks spend millions of dollars on securing their networks and devices using advanced technology, but they completely neglect the security of their people. So instead, they’re relying on training them to do the right thing 100% of the time. And that, obviously, doesn’t work. Tim Sadler: I saw people who would send highly sensitive information to completely the wrong person. They would email documents to their personal email account, or they would fall for phishing scams. So we thought this was a huge problem that needed solving, and that’s why we built the product that we’re building today – because we believe that in the same way you have a firewall for your network and you have an EDR platform for your devices, we believe you need a human-layer security platform to protect your people. Dave Bittner: All right. Interesting stuff. Joe? Joe Carrigan: Yeah. A couple things stick out to me. One, your inbox is dangerous, and Tim does a really good job of describing why that is. He calls it an open gateway because anyone – literally anyone – can use your inbox.
Spear Phishing
How to Prevent and Avoid Falling for Email Spoofing Attacks
By Maddie Rosenthal
25 February 2020
Email spoofing – also known as a domain spoof or direct spoof –  is a type of phishing attack in which an attacker sends an email that appears to be from a legitimate source. These emails are sent with the intention of tricking the target into following a link, downloading an attachment, or performing some other kind of action that will result in the attacker capturing login details or other sensitive information like their banking or credit card information. While some spoofed emails may be flagged by inbound security solutions, they’re often mistaken for legitimate emails, which can lead to serious consequences for both individuals and businesses. This blog explores how and why email spoofing works, how to identify spoofed emails, and what you can do to protect yourself and your organization from such attacks. What does a spoofed email look like? While email impersonation attacks often rely on imperceptible misspellings, spoofed emails appear to be sent from the real domain, look genuine to most users, and can bypass spam filters and security tools.  For example, a bad actor might craft an email that appears to be “from” a well-known courier service, which for the purposes of this example doesn’t have DMARC set-up. The email will claim there was a problem with your delivery and that you must follow a link to log in and confirm your details. Savvy people may look for Display Name impersonations, but, because it’s a domain spoof, they won’t notice any inconsistencies. 
And, if such an email is sent to many thousands of users (which is one of the techniques hackers use when sending phishing emails) this increases the chance that at least one recipient will be expecting a delivery from the spoofed courier, and, because of that, the target may do what the email instructs.  Incidents of email spoofing  Email spoofing is on the rise.  The FBI’s 2019 Internet Crime Report states that the agency received complaints of spoofing attacks from over 25,000 victims last year alone, making it the fifth most popular form of cybercrime. The total loss reported from these victims was over $300,000,000. How does email spoofing work? Email spoofing attacks can be successful simply because people assume that the information in email headers – specifically about where the email comes from – is trustworthy. The reality is that the original protocols that still underpin email, such as the Simple Mail Transfer Protocol (SMTP), were never designed to authenticate the sender information.  In other words, there is no inherent way to confirm that an email comes from the email address specified in the Sender parameter in the email header. When an email is sent, the initial connection to the receiving mail server contains two parameters, MAIL FROM and RCPT TO, which specify the address the email is sent from and to, respectively. These parameters are commonly known as the “envelope” of the email. However, there are no default checks on the MAIL FROM parameter to ensure that the connecting mail server is authorized to send emails on behalf of that domain. Therefore, if the RCPT TO parameter is correct, the receiving server indicates it will accept the email and the sending server proceeds with the rest of the email, including the From, Reply to, and Sender header items, which are similarly not checked by default. Therefore, an attacker with the right tools at their disposal can easily create and send emails as if they were someone else. This is not hard to achieve, and there are many tools available for them to do this. They can also create a legitimate seeming link in the email that, if followed, will take the recipient to a server under the attacker’s control. Spoofed emails from the attacker’s perspective The easiest way to explain how an attack might unfold is to explain it from the attacker’s perspective. Example scenario: An attacker of moderate skill decides to launch a phishing attack on a company. The attack takes the form of an email asking the recipient to read and indicate acceptance of a company security policy update; this will be a document attached to the email. The file itself will contain malicious code, which will give the attacker a foothold on the machine of anyone who opens it. Target: Copper Duck, a finance company. Copper Duck hasn’t configured DMARC, nor does it have other protections in place. Objective: The attacker’s aim is to run malicious code on Copper Duck machines, in an attempt to gain information on the company network that will uncover further vulnerabilities and also capture usernames and passwords. The ultimate goal is to gain access to Copper Duck’s sensitive financial and personal data. Research: The attacker researches Copper Duck, and from publicly available information discovers that it has not registered its domain – @copperduck.com – with DMARC. They also search for Copper Duck email addresses in public repositories so they can copy the header and footer information. Additionally, they’ll look for any other information, such as employee names and job titles on LinkedIn, which could help them target the attack and create a believable email.  Attack preparation: The attacker can obtain phishing kits and code suited to their purpose on the dark web. There are many such kits, and while it only takes moderate skill for an attacker to launch a phishing attack, these make it even easier. They compile a list of email addresses to target, sometimes from addresses discovered in the public domain, or by making informed guesses. For example, if the attacker has a number of addresses in the form [email protected], it’s likely that other employee addresses follow the same format. Once they have the list, the attacker creates the phishing email and the attachment file containing the malicious code. Because Copper Duck has not implemented a method to protect their domain from spoofing, the attacker can easily forge the Sender and other information in the email header. The attack: The emails are sent early in the morning on a weekday, to arrive shortly before employees begin working their way through their inboxes.  Every employee who clicks the link and opens the document will activate the malicious code it contains. It runs on their machine, and sends any sensitive data it can find back to the attacker. Even if not every employee clicks through, there is a good chance that at least one will. One is all it takes for an attacker to gain a foothold in the network. Bonus: The time of day an email is sent is one of many important factors that attackers may consider; there are several instances where an employee’s ability to make the right cybersecurity decision may be impaired. Read the full report here. What if there are protections in place? If Copper Duck used DMARC or a mail application that scanned attachments for malicious code, this would make life more difficult for the attacker, but not impossible. As previously mentioned, they could register a domain almost identical to that of Copper Duck (for example, copper-duck.com or coppperduck.com), and prompt the user to follow a link to a server under their control instead. However, protections like DMARC only stop spoofs of your domain; it won’t protect against all spoofs you might receive (for example, a spoof of one of your suppliers). This means you have to be vigilant both as a consumer and an employee when it comes to protecting yourself from these types of attacks. What can you do to protect yourself from email spoofing attacks? Phishing attacks employing spoofed emails are inevitable. So how can you spot them, what should you do when you’re targeted, and how can a business protect itself against the threat they pose? As a private individual… Watch for emails that try to instill a sense of urgency in the reader. Attackers often rely on inspiring fear or worry to try to get their targets to act in the way they want Try to get into the habit of reading emails thoroughly and exercise caution, especially if they contain a call to action, such as following a link, downloading an attachment, or sharing sensitive information If you have any reason to doubt an email’s legitimacy, such as poor spelling or an unusual tone of voice, check the email address it’s sent from, not just the Sender field or Display Name Also check  any links the email contains for grammatical errors or suspicious URLs Perhaps most importantly, do not open attachments or follow links that prompt you to log in unless you are absolutely sure they are legitimate. In the case of links, you’re better off searching for the organization and following links directly from their website As an employee… In addition to all of the precautions listed above, you should report suspected phishing attacks through the normal channels, such as your system administrators or IT helpdesk If you suspect you have fallen victim to a phishing attack, again, report it as soon as possible. Everyone makes mistakes, and the better phishing attacks can be hard to spot. The quicker you report it, the better the chances are of remediating the situation. For IT and security teams, oversight is essential  As a business… Set up proper DMARC records with a quarantine or reject policy, and use other protections such as SPF to help identify spoofed emails before they arrive in your inboxes  Train your employees to spot phishing emails by sharing information with them, such as this article Actively encourage employees to report the attacks. It is especially important that they feel they can come forward if they’ve fallen victim to one, without fear of blame. This is why creating a positive security culture is paramount. Unfortunately, though, DMARC, training, and a positive security culture simply aren’t enough. Cybersecurity strategies have to account for the fact that DMARC doesn’t stop bad actors from domain lookalike impersonations, training is ineffective long-term, and people won’t do the right thing 100% of the time.  To combat the threat of email spoofing, security teams should also deploy enterprise-level security applications to identify and block phishing attacks, such as Tessian Defender. What is Tessian Defender? Tessian Defender is powered by machine learning (ML). By learning from historical email data, Tessian’s ML algorithms can understand specific user relationships and the context behind each email. This allows Tessian Defender to not only detect, but also prevent a wide range of advanced phishing scams, including email spoofing attacks. To learn more about how tools like Tessian Defender can prevent spear phishing attacks, speak to one of our experts.
Spear Phishing
How to Identify and Prevent Phishing Attacks
13 February 2020
Imagine you receive an email from FedEx with the subject line: You Missed a Delivery. Because you had, in fact, recently placed an order online and are expecting a delivery, you immediately open the email and follow the link to track your package. Everything about the email looks exactly as you’d expect it to; you recognize the sender as FedEx, the FedEx logo appears in the signature, the email itself is addressed to you, and it seems to contain information related specifically to you and your delivery. But, after following the link, your computer begins to slow and, behind the scenes, malware is consuming large chunks of your computer’s information, including personal data like saved credit card information and contact lists. What happened? You’ve fallen victim to one of the oldest and most prevalent cyber attacks in the book…phishing. What is phishing?
Although the technique was first described in a paper by HP back in 1987, the term “phishing” was actually coined in the mid-90s in a Usenet group for AOL by the well-known hacker Khan C Smith. Shortly thereafter, the term appeared for the first time in the AOHell hacking tool, which was used to generate and send fraudulent spam “from” AOL’s customer service team to users, tricking them into revealing passwords, birthdates, social security numbers, and more. While there are dozens of different “types” of phishing schemes that rely on different methods of obtaining data, the following criterion helps define this type of cyber attack. The sender is impersonating another person or company The content of the correspondence motivates users to act The message isn’t highly personalized and is sent to large amounts of people
Is phishing really a problem? While it’s been over two decades since the first phishing attack and today, most of us are attuned to what less sophisticated impersonations look like – for example, fake Nigerian princes asking targets for bank details in return for a share of their fortune – the threat is evolving and the stakes are higher than ever. Amazon, Apple, Booking.com, PayPal, Target, and Qatar Airways have all made headlines in the last several years because of successful phishing campaigns in which attackers impersonated their brands and targeted their customers. While it’s difficult to quantify the total cost to individuals and the reputational damage inflicted on the spoofed brands, these scams negatively impacted tens of millions of people. The fact is, we’re spending more time online creating and sharing more data than ever before; in fact, employees now spend 40% of their screen time on email, which is why phishing is just as big of a problem for businesses as it is for consumers. While the intent and top-level tactics employed by bad actors can be the same for these two types of targets, the brands impersonated often differ. Why? Because employees tend to trust and interact with different types of brands and be motivated by different types of content. For example, while news of a missed delivery from FedEx might motivate a consumer, an employee is more likely to trust an email from Microsoft and will, therefore, be more motivated to follow a link to a login portal for Office 365. Hence why Microsoft is consistently a favorite amongst phishers.
Phishing tools and techniques Surprisingly, cybercriminals don’t actually need an arsenal of technical skills to create a successful phishing campaign. Phishing kits are readily available on the dark web and contain everything a “bad guy” needs to hook a phish including source code, images, scripts, spamming software, and sometimes, even lists of email addresses to target. In short, these kits make it easy for anyone with a bit of IT knowledge to clone a webpage and host their own look-a-like version. From there, attackers can (and do) effectively harvest data that unsuspecting victims enter into mirror versions of legitimate, branded login pages. Again, Microsoft tends to be a go-to, with 62 phishing kit variants used to target the brand’s users within an observation window of just 262 days. Of course, even without a phishing kit, it’s not terribly difficult to design a convincing email template that instills a sense of trust and confidence in targets to the point that they click a link, send a reply, or complete a form. What’s more, not all phishing schemes rely on look-a-like pages. Some attackers simply need to buy (or create) malware. Impersonation 101 As we’ve mentioned, at the core of every phishing attack is email impersonation. So, how do you successfully impersonate a person or brand? Let’s use the FedEx example and imagine that the only legitimate email address associated with the brand is [email protected] While cybercriminals can actually replicate that exact email address by spoofing the fedex.com domain, it’s risky. To start, many major brands have adopted DMARC email authentication, which could prevent someone from directly spoofing their domain. But, with risk comes reward. Recipients of emails that are sent from spoofed domains have no way of knowing that an email wasn’t actually sent from its apparent sender.
Nonetheless, it’s more common for attackers to use domain variations that in some way resemble the authentic email address. The easiest way is to simply change the display name. Anyone – yes, anyone – can change their display name via their email account settings. That means that someone using an email address that’s in stark contrast to [email protected] can still use the display name FedEx Customer Service.
Likewise, attackers can register domains with the specific purpose of impersonating a legitimate company. There are dozens of phishing domain tactics, which include registering domains with just a one letter difference to the authentic domain and creating convincing sub, top-level or root domains.
Playing the odds Once the email itself has been crafted, it has to be disseminated. Importantly, time is of the essence. Since phishing by definition relies on a large pool of targets, it’s vital that the email is sent to as many unsuspecting victims as possible before the domain and/or servers used by the attacker are blacklisted. Phishing campaigns can be identified by the IP address and domain they’ve been sent from, which means that once a domain or IP address is known to be associated with malicious emails, email systems will redirect the email to a junk folder or reject it altogether. Let’s consider the odds. Phishing attacks have a 3% click rate. If the email is sent to 100 people, only 3 of them are statistically likely to open a malicious link or a download malicious attachment. If the email is sent to 1,000 people, 30 of them might fall for the scam, and so on. More targets equal more opportunity for success. An introduction to payloads Cybercriminals go to great lengths to deceive their targets, almost always with the intent of extracting data or infecting computers. As we’ve mentioned, data can be “extracted” by way of look-a-like sites that rely on the victims themselves willingly (albeit unknowingly) following a link and entering information. But, the data can also be captured over an extended period of time via an attachment that’s downloaded or installed. In the world of cyber attacks, these harmful links and attachments are called malicious payloads. When these malicious payloads take the form of an email attachment, they often fall under the larger umbrella of malware. It’s important to note, though, that not all phishing emails rely on malicious payloads. Zero-payload attacks simply use coercive language to implore the target to reply to or action a request, whether that be handing over an account number for an invoice or sharing credentials to a security tool. These types of attacks – often seen in more sophisticated schemes – are especially disquieting because cybercriminals are able to circumvent and evade legacy tools, payload inspection systems, spam filters and secure firewalls. Needless to say, there’s more than one way for bad actors to get whatever it is they’re after – from money to credentials – and as these payloads become more sophisticated, they’re harder for people and security software solutions to spot. Consequences of a successful phishing attack Today, phishing attacks are the most persistent threat to cybersecurity, with a marked 250% increase in frequency from 2018 to 2019 according to Microsoft’s annual Security Intelligence Report. That means that this year, you’re almost 3x more likely to have a phishing email land in your inbox than you were last year. So, what happens if you’re one of the 3% that falls for a phishing attack? The consequences are virtually limitless, ranging from identity theft to a wiped hard drive. Unfortunately for the average person, the phishing business is becoming more and more profitable for cybercriminals as the price tag for personal information continues to increase. But the consequences for businesses can be even more devastating, especially when you consider that the average cost of a data breach in 2019 was an incredible $3.92 million, a 1.5% increase from 2018. Needless to say, phishing is the number one cause of these types of breaches. In particular, spear phishing, phishing’s more targeted, personalized, and often more damaging counterpart. Phishing vs. spear phishing At face value, phishing and spear phishing seem almost impossibly similar. After all, the intent is identical. But, there are two key differences. While a phishing campaign casts a very wide net and is relatively easy to execute, spear phishing campaigns are targeted at fewer people, and with more personalized correspondence. Spear phishing requires more thought and time to successfully execute. In addition to the tactics that we see employed in phishing, bad actors in these more customized attacks will use information from company websites, social media, news articles, and more to engineer an email that’s believable, even to someone who’s been through extensive security awareness training. Oftentimes, cybercriminals impersonate someone in an authoritative position – for example, the CEO or a line manager – because employees tend to be less likely to question their superiors, are generally keen to help someone in power, and tend to act with a greater sense of urgency.
Zero-payload attacks like the one shown above can be particularly effective because a bad actor is able to build rapport with the victim by posing as a co-worker or superior, sometimes over a series of emails. How can you spot and stop phishing attacks? Unfortunately, innovation in email hasn’t evolved in tandem with the fast-paced digital transformation, which is one reason why reports of phishing attacks have continued to increase year-on-year. 6.4 billion fake emails will be sent today alone. Because this number continues to grow, it’s quite clear that spam filters, antivirus software, and other legacy security solutions aren’t able to keep pace with attacks that are becoming more and more complex by the day. That’s why it’s so important that individuals are scrupulous and inspect attachments and links before they’re downloaded or clicked. In particular, we recommend that you: Review the email address of senders and look out for impersonations of trusted brands Always inspect URLs in emails for legitimacy by hovering over them before clicking Beware of URL redirects and pay attention to subtle differences in website content Genuine brands generally won’t ask you to reply divulging sensitive personal information. If you’ve been prompted to, investigate and contact the brand directly, rather than hitting reply But what about businesses? While staff training, blacklists, URL and attachment inspection systems, and legacy rule-based solutions may be enough to block some phishing attacks, they aren’t always capable of stopping the more sophisticated incarnations. Even Secure Email Gateways (SEGs) – which were designed to stop high-volume spam and keep inboxes safe from malicious emails – can’t always identify more advanced, targeted attacks, in particular zero-day attacks, zero-payload attacks, and spear phishing attacks.
Businesses need to protect their human layer The tactics employed by legacy solutions – namely identifying malicious payloads and flagging blacklisted domains – are simply ineffective against the advanced impersonation tactics used by cybercriminals in spear phishing attacks. When the attacker is pretending to be someone the target trusts, it becomes a human problem, not a filter or software problem. Hence why 86% of data breaches are caused by human error. Businesses, therefore, need an adaptive, highly personalized tool that can help them detect impersonations on email in order to protect their users. That tool is Tessian Defender, and it’s powered by machine learning (ML). By learning from historical email data, Tessian’s ML algorithms can understand specific user relationships and the context behind each email. This allows Tessian Defender to not only detect, but also prevent a wide range of impersonations, spanning more obvious, payload-based attacks to subtle, social-engineered ones. To learn more about how tools like Tessian Defender can prevent spear phishing attacks, speak to one of our experts and request a demo today.  
DLP Human Layer Security Spear Phishing
A Year in Review: 2019 Product Updates
By Harry Wetherald
01 January 2020
2019 was a big year for email security. While the world did see a record number of data breaches (up 33% from 2018) we also saw tighter security-related policies and regulations drafted and implemented, and, in general, an increased awareness amongst businesses about the importance of proactive security strategies. While we may be biased, it seems note-worthy that human error became more and more of a talking point in the cybersecurity space. In fact, human error and the importance of machine learning and artificial intelligence in protecting people has been one of the most talked about trends by analysts going into the new year. Similarly, companies are waking up to the fact that humans are their biggest risk. It’s about time. After all, misdirected emails – emails accidentally sent to the wrong person – have been one of the top data security incidents reported under GDPR according to the Information Commissioner’s Office. We believe it’s unreasonable to expect employees to do the right thing 100% of the time when it comes to making security-related decisions; people break the rules, people make mistakes, and people can be hacked. To err is human! What’s more, we have seen how quickly the threat landscape continues to evolve, which is why throughout 2019, we rolled out a series of important product updates that have kept our user base – which saw triple digit growth over the last 12 months – safe. Here are the most important product updates to Tessian’s Human Layer Security platform for 2019.
1. Human error, quantified. The new Tessian Dashboard gives customers an at-a-glance view of breaches and near-misses on email Keen to discover trends related to the number of breaches that were prevented by Tessian over the last 30 days? Our easy-to-navigate dashboard gives administrators a complete overview of activity, including any malicious and anomalous emails detected, misdirected emails prevented, and unauthorized email attempts thwarted. Module performance for Tessian Defender, Guardian, Enforcer, and Constructor are all visible on one page, and visual representations of data make it easy to monitor and drill down on activity day-by-day. If suspicious activity is spotted, you can quickly and easily generate a report without navigating off the page. The Tessian Dashboard also allows administrators to view user health at a glance, including the percentage of users active on the Add-in and Gateway and any connection issues across the network. This will help in-house security teams ensure every employee within their organization is protected by Tessian’s modules at all times. 2. Evolving algorithms. Tessian Defender can now detect and prevent more spear phishing attempts than ever Throughout 2019, Tessian Defender was improved through a series of subtle but impactful tweaks to our algorithms to be even more adept at detecting spear phishing attempts, including advanced, difficult-to-detect direct spoof attacks. The fact is, bad actors are using increasingly sophisticated techniques to trick unsuspecting people into handing over sensitive information or granting access to controlled networks. It’s imperative that we stay ahead of the curve, hence the regular updates. Tessian Defender has improved over time – and will continue to improve – enabling the detection and prevention of even the most advanced spear phishing attempts.
3. Thwarted first-attempts. It’s now even more difficult for employees to exfiltrate sensitive data Tessian Enforcer can now detect the first attempt an employee makes to exfiltrate data over email. How? By inferring what is and isn’t likely to be authorized communication based on the vast amount of data Tessian’s ML algorithm was trained on, which doesn’t necessarily rely on prior email history of a particular email address. For example, if an employee attempts to send an email to their personal, freemail account and that email address contains the employee’s first name or surname, Tessian Enforcer presents a warning to the user advising them that the behavior is potentially unsafe and prompting them to reconsider the action. Data exfiltration remains an incredibly unwieldy problem for businesses. Tessian gives businesses much-needed oversight of the problem over email.
4. In-situ learning opportunities. Employees have an opportunity to understand why an email is unsafe with contextual warnings While Tessian prides itself on low flag rates so that security doesn’t impede productivity, we wanted to maximize the opportunity to educate users through our warnings. This way, when users do see a notification, they understand why. Improved warnings across all four modules were designed for a more user-friendly experience that seamlessly reinforces any previous or ongoing security training. With more context included, employees can now see exactly why an email is being flagged as suspicious and – importantly – they can make their own decision on how to proceed. This is at the core of Tessian’s mission. Employees should be empowered by security solutions instead of burdened by them. 5. New detection capabilities. Customers can create rules that are specific to their environment Every business or enterprise is different and IT and Infosec security leaders need some flexibility in creating filter conditions that are applicable specifically to their operations. Because we’ve introduced new detection capabilities, users can now combine more conditions to create filters for their individual use cases; for example, scanning attachment content, identifying hidden fields in spreadsheets, and reading Azure Information Protect and other DLP labels. At the most basic level, these rules look something like this: If A and B, then C, except when D or E. These variables can apply to a number of elements contained in an email, from the recipient(s) to language patterns. One way an administrator might use these new detection capabilities would be to configure a filter which only allows the finance team, for example, to share spreadsheets with people outside of their organization if the recipient’s email address is recognized as a customer, except when the attachment contains a hidden row titled “social security numbers”. Protect your most valuable asset: your people Tessian is committed to creating the world’s first Human Layer Security platform and exciting developments lie ahead as we build out a holistic platform to protect people using email and, eventually, other interfaces frequently used in the workplace. Not yet a Tessian customer? Across four modules, Tessian protects the human layer by detecting and preventing both inbound and outbound threats. This includes advanced spear phishing attacks, accidental data loss, and data exfiltration. Tessian is quickly and easily deployed to Office 365, Exchange, and G-Suite, product updates are seamlessly rolled out for users and administrators, and the technology – which doesn’t disrupt workflow – was built with productivity in mind. To understand how Tessian can fit into your existing security framework, request a demo now.
Spear Phishing
Whaling Email Attacks: Examples & Prevention Strategies
12 December 2019
95% of all attacks on enterprise networks are the result of successful spear phishing. But spear phishing can take many forms. One form is whaling, and it’s on the rise.
What is the difference between a spear phishing and whaling attack? A whaling attack is a type of spear phishing attack targeted specifically at an executive like the CEO or CFO. Spear phishing is an advanced phishing attack directed at a specific individual or company, not necessarily an executive. Whaling attacks are designed to trick people into doing something like sending a wire transfer or clicking on a malicious link. Oftentimes, criminals will gather and use personal information about their target to personalize the email better and increase their probability of success. As a result, whaling attacks can be very convincing and difficult for both humans and email defenses to catch. It’s important to note that whaling and CEO fraud are not the same, even though they are sometimes used interchangeably. Whaling attacks target high ranking executives; they don’t necessarily impersonate them. CEO fraud (or CxO fraud) is a type of spear phishing attack where attackers impersonate a CxO or other senior leader.
Why are whaling attacks successful? Whaling attacks can be easy to pull off. Attackers don’t need much capital, special equipment or a particularly advanced skillset. They often just need to invest time into researching a target, which is easy with the proliferation of public profiles on platforms like LinkedIn. CxOs are incredibly busy and under a tremendous amount of pressure. They most certainly have access to significant amounts of sensitive information, and likely have their attention divided across many parts of the business. Working at a fast pace, on-the-go or outside work hours can lead to CxO’s to make critical mistakes on email and easily be duped into thinking a whaling email is legitimate. What’s more, CxO’s might be less likely to attend security awareness training due to their busy schedules. More and more companies are investing in training, but busy executives could prioritize educating the staff over themselves, which keeps the business at risk. After all, one employee misstep can have serious consequences for an organization. And CxO’s have a target on their backs due to the amount of sensitive company information that they hold. How can a successful whaling attack hurt a company? The motivation behind whaling attacks is commonly financial. But going after an organization’s finances can have wide-reaching consequences, also affecting intangible factors like company morale and brand reputation. Here are some of the main consequences of whaling attacks: Financial loss: Of course, a principal objective is to extract money from targeted organizations. In 2018, film company Pathé lost more than €19m after an attacker posed as the company’s CEO and asked another senior executive to wire funds to a fake account. Austrian aircraft parts manufacturer FACC AG lost €50 million when their CEO fell victim to a whaling attack and wired the money to what he thought was a trusted source. When second-order financial penalties like fines are taken into account too, whaling attacks can prove extremely damaging to organizations’ balance sheets. Data breach: Data breaches are rarely out of the press these days. One of the scams that resonates most with the media is credential harvesting and the stealing of user data. With organizations now holding more information on individuals (employees and customers) than ever before, these attacks can cause immense harm to people and to businesses. What’s more, data breaches are expensive to manage; the average cost of a breach is $3.86 million. Fines: It’s hard to think of data breaches and email attacks without the associated fines brought about by new regulation. In one of the first big GDPR fines, the UK’s Information Commissioner earlier in 2019 announced its intention to fine British Airways £183 million after a 2018 data breach. Reputational damage: It’s harder to quantify on a balance sheet, but after a whaling-induced data breach, hard-won brand reputation could be put at serious risk. An email security failure can negatively affect an organization’s relationships with their customers. Another second-order effect could be knocking employees’ morale and denting confidence, making rebuilding work still more difficult. How can your organization protect against a whaling attack? Most organizations rely on Secure Email Gateways (SEGs) to keep inboxes safe. To identify and prevent inbound email threats, like whaling, SEGs commonly rely on the following— Payload inspection like scanning URLs and attachments. This can leave organizations vulnerable to zero-payload attacks and can falsely increase user confidence. Spam and bulk-phishing prevention. Focus on past known attacks as well as basic email characteristics (e.g. domain authentication). These approaches rely on emails that contain blacklisted domains or IP addresses as well as they block bulk emails. These fail to prevent advanced impersonation, which is low-volume and often contains domain and IP addresses that have never been seen before. Rules to prevent impersonation. Rules can prevent basic impersonation attacks (e.g. by detecting newly registered domains, different sender/reply-to addresses, etc) but attackers have learned to evade these rules. While SEGs can block malware and bulk phishing attacks, rule-based solutions struggle to stop advanced impersonation attacks and to detect external impersonations, common in whaling attacks. External impersonation is the impersonation of someone who belongs to a different organization than the target such as a supplier or vendor. Tessian Defender detects all possible impersonation types, including the manipulation of internal and external contacts. Tessian Defender stops advanced threats that legacy systems miss. Tessian Defender’s stateful machine learning retroactively analyzes historical email data in order to understand the difference between safe and unsafe emails being received. By analyzing multiple data points within email headers, body text and attachment data, Tessian Defender can detect and prevent threats in real time with minimal end-user disruption.
Spear Phishing
What is Spear Phishing? Defending Against Targeted Email Attacks
08 December 2019
With legacy tools trapping more scatter-gun approaches to stealing data and money from organizations, spear phishing has become increasingly popular amongst the cybercriminal community. Part of the appeal is that it is extremely difficult to detect.
What is spear phishing?
What is the difference between phishing and spear phishing? On the face of it, phishing and spear phishing attacks may seem similar, however there are many differences. Phishing emails are sent in bulk and are relatively easy to execute by those with nefarious intent. Phishing attempts are generally after things like credit card data or login credentials and are usually a one-and-done attack. On the other hand, spear phishing is significantly lower in volume and much more targeted. A spear phishing attack is usually targeted at a specific individual within the organization and is highly personalized. What makes a spear phishing attack so effective is that it’s more difficult to spot that the email is malicious as it often convincingly impersonates a trusted source known to the target. Spear phishing is an attack that isn’t as difficult to pull off as you might assume. The research required for an effective attack isn’t much of a barrier either due to the abundance of data that is available online. It is no exaggeration to say that spear phishing is the number one security threat facing businesses today. While every spear phishing attack is unique by its very nature, we will discuss some of the characteristics that can be seen in a spear phishing attack: the target, the intent, impersonation and the payload.
The target Spear phishing attacks often target staff with access to financial resources, critical internal systems, or sensitive information. Spear phishing attacks commonly target specific employees or groups that have access to money, sensitive systems or important people within the organization. In addition to selecting their target by the department, attackers will also select a target by their job title. New hires are also a frequent target for attackers as they tend to be a bit more eager to please their superiors than colleagues who have been employed for some time. There is an abundance of valuable data available online for criminals to exploit to identify the best targets, from LinkedIn career updates to new employee details on company websites. Finally, new hires tend to have a lack of understanding about what normal email communication looks like within the company, meaning they have less knowledge of how internal email address should look and less insight into who the organization usually communicates with. Once they have identified their target, the attacker can easily undertake further research to find out who the target regularly communicates with. Here, social media sites such as Facebook and Twitter can provide valuable information about roles, responsibilities and professional relationship structures within an organization. With this information, the attacker can create a credible narrative and personalize the email they send. This makes the victim far more likely to fall for impersonation.
The intent The intent of the spear phishing email usually falls within three specific areas. Extract sensitive information Install malware onto the network Wire money to accounts that belong to the attackers Criminals are on the hunt for sensitive information, like login credentials, medical records or bank codes, because any information – regardless of its type – has a value on the dark web. To get this data, attackers can use different tactics. They may try to deploy malware in the form of ransomware or keyloggers in order to invoke widespread havoc. Or attackers may use spyware, which is designed to sit, undetected, in the background and mine valuable data. Alternatively, attackers can take a more direct approach: request a wire transfer in a well-crafted email impersonating a familiar colleague, supplier or customer.  Attackers can also build relationships with their victims long before making any requests for money or information. Or, they may send a very simple, casual email — “are you in the office?” — which can easily initiate an email exchange. Only after that do they strike with a follow up email include requests for the target to wire money, send confidential information, or click on a payload. Generally, the email will contain deliberate language to establish context and intent within both the subject header and body copy, to create a feeling of urgency that helps trick the target.
The impersonation There is always an element of impersonation in a spear phishing attack. Whether it is impersonating an authoritative figure within the organization (for example a CEO or CFO), someone external (such as from a trusted supplier or valued client), or a business unlikely to cause suspicion (such as Microsoft or PayPal). The spectrum of impersonation tactics is broad, ranging from display name and domain manipulations to the specific language used within the body of the email. Furthermore, the very fact that modern organizations generally deal with so many counterparties offers limitless possibilities to impersonate vendors or suppliers (external impersonations), making them very hard to detect. Impersonating a display name is easy for even those with little technical knowledge and can be done quickly within almost all major email clients. Display name impersonation involves attackers setting a authentic-looking display names on their email account in order to mislead recipients. This approach has proven to be especially effective on mobile phones, as the email address of the sender is generally hidden when a user is accessing their inbox through a smartphone.
Impersonating a display name is easy for even those with little technical knowledge and can be done quickly within almost all major email clients. Display name impersonation involves attackers setting a authentic-looking display names on their email account in order to mislead recipients. This approach has proven to be especially effective on mobile phones, as the email address of the sender is generally hidden when a user is accessing their inbox through a smartphone. Domain impersonations are another popular technique, in which attackers spoof or impersonate an organization’s domain in order to appear legitimate. They look to circumvent security filters by impersonating recognized, trusted domains whether at the root (i.e. [email protected]), top-level (i.e. [email protected]) or subdomain (i.e. [email protected]). Such complex domain manipulations are very hard for both humans and rule-based security solutions to detect. For instance, a commonly used rule is to calculate the number of different characters between 2 domains: “If the difference is smaller than 2, block the email.” Attackers have learned to use a complex domain manipulation to evade such a rule.
The payload A payload is a malicious link or attachment contained in an email. Examples of payloads include: attachments that deploy malware or ransomware when opened; or embedded links that drive to fake login sites that farm credentials. It is important to note that not all spear phishing emails contain a payload. Historically, attackers have leveraged payloads in phishing attacks. Because of this, certain email security solutions have been developed in order to detect them. These solutions analyze and sandbox attachments, inspect links as well as look at the website that the links are pointing to in order to see if they’re malicious. As these security solutions become more popular, attackers have learned to execute attacks without links or attachments and instead are utilizing coercive language and social engineering to ask the target to share confidential data or wire money.
Why is spear phishing still a problem today? Today, employees are the most important data processors in any company. The reality is that just one employee misstep can have serious consequences for an organization. With the information they manage to obtain, fraudsters can reveal commercially sensitive information and steal large amounts of money from organizations. Employees likely receive more security awareness training than in the past, but their workloads have become greater and more complex. They are busier than ever and expected to maintain the same pace of delivery. Because of this, people can make mistakes and be deceived. No amount of training will change this. While training is well intentioned, it simply isn’t enough to prevent increasingly sophisticated spear phishing attacks. Companies can’t rely on people spotting every attack. While SEGs can block malware and bulk phishing attacks, they cannot stop spear phishing emails that don’t include a payload. Email is the main communication channel for enterprises today, however the openness of email makes it easy for attackers to exploit. Data continues to be lost and systems continue to be compromised via email, with spear phishing increasingly being the attack vector of choice. Recent headline-grabbing attacks include: volunteers for Hillary Clinton’s presidential campaign were targeted as part of one attack; City officials in Ocala, Florida were tricked into sending over $742K to what they thought was a construction company; Australia National University was targeted by a spear phishing email that led to attackers silently monitoring the university’s activity as well as stealing the credentials of staff and students.
How can machine learning help stop spear phishing attacks? The common root of all spear phishing attacks is impersonation—an attacker is pretending to be someone the target trusts. Companies therefore need to identify impersonations on email in order to protect their users, and importantly, their data and systems. But detecting impersonation is not easy. To do so, you need to understand human relationships and human behavior. Machine learning (ML) is the perfect tool to do this. By learning from historical email data, Tessian’s ML algorithms can understand a company’s users relationships and the context behind each email. This allows them to detect a wide range of impersonations, from obvious payload-based attacks to subtle social-engineered ones. To learn more about how Tessian Defender prevents spear phishing attacks for organizations like Arm, talk to an expert today.  
Human Layer Security Spear Phishing
It’s the Most Fraudulent Time of the Year
30 November 2019
With Black Friday just around the corner, the holiday shopping season is upon us and retailers will face their busiest time of the year. In the last six weeks of 2018, for example, UK retailers and US retailers saw sales of £79.7bn and $719.2bn, respectively, as shoppers rushed to scoop up the best deals. No wonder, this window is often referred to as the “Golden Quarter”. But retailers and their customers may get more than they bargained for as this surge of shoppers makes the “Golden Quarter” a golden time for cybercriminals to launch phishing campaigns. We often think about consumers as the main victims of retail-related phishing attacks in the holiday shopping season. And quite rightly; shoppers receive hundreds of emails from retailers promoting their latest deals around peak shopping days like Black Friday and Cyber Monday. It’s a ripe opportunity for cybercriminals, who are looking to steal personal data and payment details, to “hide” in the noise, pose as legitimate brands and prey on individuals who are not necessarily security savvy. However, it’s also important to remember that retailers themselves are at greater risk of phishing attacks during this time, as well. In fact, our latest report reveals that nearly two thirds of UK and US retailers (64%) receive more phishing attacks in the three months leading up to Christmas, compared to the rest of the year. Black Friday, in particular, is a prime time for seasonal scammers as UK retailers (56%) and US retailers (57%) saw an increase in the number of phishing attacks during the Black Friday / Cyber Monday weekend last year. Given that phishing attacks have only grown in frequency and severity since then, there is no doubt that phishing will continue to be a persistent threat for retailers this year too. It’s also concerning to see that 70% of IT decision makers at UK retailers and 65% at US retailers believe their staff are more likely to click on phishing emails during the holiday shopping season. The reason? Employees are at their busiest and working at a much faster pace, meaning they are less likely to check the legitimacy of the emails they are receiving. Hackers will take full advantage of the fact that security won’t be at the front of mind for busy and stressed retail workers, and will craft sophisticated spear phishing campaigns to encourage individuals to click on malicious links, download harmful attachments or wire huge sums of money. On top of this, staff will also receive more emails at this time. Consider how many colleagues, temporary workers, customers and third party suppliers retail workers engage with during the holiday shopping season. Knowing inboxes will be filling up with timely requests and orders, hackers can easily deceive employees and get them to comply with their requests via spear phishing emails that convincingly impersonate colleagues, senior executives or trusted suppliers. With the average phishing attack now costing a company $1.6 million, there are significant financial consequences for a retail worker being duped by a phishing attack. It’s understandable, then, that the IT decision makers we surveyed said that “data breaches caused by human error” are the number one threat to their business in the final quarter of the year. Phishing came in a close second, with one in five IT decision makers in retailers believing phishing is the greatest threat to their organization during the holiday shopping season. Given the people-heavy nature of the industry, retailers are, sadly, an easy target for cybercriminals. Our report clearly shows that retailers need to do everything they can to build robust defenses and minimize incidents of human error that could lead hackers to steal data and compromise systems this holiday season.