Request a Demo of Tessian Today.
Automatically stop data breaches and security threats caused by employees on email. Powered by machine learning, Tessian detects anomalies in real-time, integrating seamlessly with your email environment within minutes and starting protection in a day. Provides you with unparalleled visibility into human security risks to remediate threats and ensure compliance.

See a sneak peek of Tessian in action featuring admin and end user experiences. Watch the Product Tour →


Get up to speed on the latest tips, guides, industry news and technology developments around phishing, spear phishing, Business Email Compromise, and Account Takeover

Legacy Secure Email Gateways Are No Match for the Cyber Threats of Tomorrow
By John Filitz
25 November 2021
Email represents the greatest threat vector, responsible for 96% of cybersecurity breaches. And legacy email security solutions that rely on Secure Email Gateways (SEGs) and rule-based controls are simply not up to the task of mitigating increasingly advanced and evolving cyber threats.   In fact, between July 2020 and July 2021, Tessian detected 2 million malicious emails that bypassed SEGs. This declining security effectiveness is the principal reason why security leaders are starting to question whether standalone SEGs have a place in today’s cybersecurity stack.   Combined with growing alert fatigue, and an increasing level of redundancy as organizations adopt SaaS offerings like Microsoft 365 with SEG capabilities natively included, the calls for ripping and replacing SEGs are growing louder. Echoing this shift in the email security landscape, Gartner predicts by 2023, 40% of organizations will be using a cloud email security solution like Tessian in place of a SEG.
Static vs. dynamic protection   The vast majority of organizations still rely on SEGs as the main method of filtering out malicious email-based attacks. Developed in 2004 and designed in the era of on-premise email servers, one of several shortcomings of SEGs is the reliance on an overly manual, rule-based approach, based on threat intelligence.   By using threat intelligence-derived deny lists, creating allow lists, or using signatures for message authentication, SEG-based email security controls are reactively geared to protect your company’s email and data — but only from known threats. The SEG-based approach offers no protection against zero day attacks, which is a significant and growing threat vector — with zero day discoveries up by 100% in 2021. SEG solutions also fall short against attackers that have invested resources and effort into advanced social engineering campaigns, which are able to circumvent the static, rule-based controls. The greatest attack types that SEGs fail to prevent include Business Email Compromise (BEC), Account Takeover (ATO) and advanced Spear Phishing attacks.  
Email threats are on the rise   All it takes is one malicious email to bypass your existing security controls. And as Tessian research has demonstrated, malicious email bypassing SEGs and native tools is extremely common today. This is why Business Email Compromise (BEC) is seen as one of the leading threat vectors to organizations, resulting in $1.8 billion in losses in 2020.    Cybercrime is also steadily becoming more organized, with cybercriminals offering professionalized “Cybercrime-as-a-Service” offerings. Threat actors are able to bypass SEGs by leveraging intricate social engineering exploit kits procured on the dark web. They’ll even go so far as to recruit unsuspecting cybersecurity professionals to carry out attacks. Spear phishing and ATO are common methods for either perpetrating cyber fraud, data exfiltration, or even more worryingly, deploying ransomware.    The growing prominence of zero day attacks and ransomware is of particular concern. International law enforcement agencies note remote workers are being targeted with phishing emails carrying malicious payloads, including ransomware. With the  frequency of attacks doubling in the past year, ransomware attacks are now seen as the foremost threat faced by organizations.
Why organizations are ripping and replacing their SEGs   This is where best-in-breed email security solutions like Tessian come into play. Tessian Cloud Email Security intelligently prevents advanced email threats and protects against data loss, to strengthen email security and build smarter security cultures in modern enterprises.   Relying on machine learning and behavioral intelligence, Tessian is able to detect and prevent anomalous and malicious inbound and outbound email traffic, including preventing data loss. Unlike SEGs, Tessian also offers protection against numerous collaboration platform entry points like Microsoft SharePoint, OneDrive and ShareFile.    And with over 70% of enterprises now hosted in one or more public clouds and utilizing SaaS productivity suites such as Microsoft 365 or Google Suite, which include native SEG capabilities such as sender reputation and authentication, spam filtering and custom routing rules, is yet another reason why standalone SEG solutions are redundant.   If you combine these native capabilities with an intelligent inbound and outbound solution like Tessian, robust email security protection is guaranteed.     Some of the standout features offered by Tessian include advanced Attachment and URL Protection (behavioral analysis and threat intelligence), as well as a range of Impersonation Attack Defense capabilities, such as:   Internal Impersonation & CEO Fraud Advanced Spoof Detection Counterparty & Vendor Impersonation  Brand Impersonation External Account Takeover  Invoice Fraud Credential Theft   Tessian also offers protection against malicious data loss enabled through a successful social engineering campaign, or accidental, for example, an employee sending sensitive company data to a personal email address. Other unique features include in-the-moment- security awareness training for suspected phishing email, as well as in-the-moment DLP  pop-ups.   Combined with Microsoft 365 or Google Workspace, Tessian’s ability to address sophisticated inbound email security threats across expanding entry points places it into the best-of-breed inbound email security solution category. But when combined with Tessian’s advanced DLP capability, it becomes undeniable that it’s time to replace your SEG for the next generation of unrivaled email security. And this is why Tessian was recognized as a representative vendor for Integrated Cloud Email Security in the 2021 Gartner Market Guide to Email Security.
Want to learn more about how and why security leaders are replacing their SEGs with Tessian? Check out our customer stories or book a demo.
How to Spot a Delivery Impersonation Attack
By Andrew Webb
25 November 2021
Amazon, UPS, DHL, FedEx, USPS, Royal Mail – logistics delivery is a huge part of our lives. Amazon is said to ship 1.6m parcels a day and DHL delivers over 1.5 billion parcels per year. Of course all these parcels make this sector a prime theatre for bad actors to operate in. Why? Think about the process for ordering a package. You enter card details, your email address, and other Personally Identifiable Information (PII) like your home address. And, as we all know, pretty much all of us use logistic delivery services at some point.   In fact, according to Tessian research, nearly half (47%) of people say they shopped online more in the last year than the year prior. It’s no wonder delivery impersonation attacks are among the most common types of cyberattacks targeting people today.    What’s more, delivery impersonation scammers are using increasingly complex and hard-to-spot tactics to carry out their attacks.This article will explain what a delivery impersonation attack is and provide helpful guidance on how you can help yourself and your organization avoid falling victim to this type of scam.
What is a delivery impersonation attack?   First things first: what is a delivery impersonation attack? A delivery impersonation attack is a type of phishing where the attacker impersonates a delivery company.  The scam involves sending a fraudulent SMS or email to a consumer, telling them that they have missed a delivery. The message contains a link that, when followed, leads to a website operated by the scammers. When the target visits the fraudulent website, they are duped into revealing personal information, such as their login credentials, contact details, or payment information.
How common are delivery impersonation attacks?   It’s no exaggeration to say that delivery impersonation attacks are an endemic and widespread security threat.Delivery impersonation attacks occur year-round, but spike around the same periods each year, typically when consumers are making a lot of online orders—most notably around Black Friday.   In Q3 2020, Tessian detected a significant spike in fraudulent email activity in the run-up to Black Friday, as cybercriminals attempted to exploit the increase in online deliveries. More recent Tessian research reveals that around 20% of US consumers and 33% of UK consumers have received a delivery impersonation email or SMS so far in 2021.   This increase in delivery impersonation is part of a general surge in phishing that has occurred since the start of the pandemic.In October 2021, research from Ofcom revealed that 82% of UK adults received a suspicious text or email in the preceding three months. The situation has gotten so bad that the UK Government announced it was relaunching its Joint Fraud Taskforce in response.
Telltale signs of a delivery impersonation attack   Now we’ve explained what a delivery impersonation attack is, let’s consider what such an attack looks like.   As explained, a delivery impersonation message will always contain a link. The aim of the attack is to get you to click or tap the link and give up your personal information.   Therefore, it’s crucial that you carefully inspect any link contained in a text or email to determine whether it is malicious.    Here’s an example:   The phishing link contained in this delivery impersonation message points to a site that is operated by scammers, rather than the delivery company Hermes. But how can you tell whether a URL is malicious?   Well, it’s not always obvious. While some URLs are blatantly fraudulent, fraudsters have come up with ingenious ways of creating links that really look right. Here are some examples of different URL impersonation techniques.
Root domain impersonation   The “root domain” is the part of the URL that appears before the “top-level domain”. So, in “”, the root domain is “amazon”, and the top-level domain is “.com”. Amazon owns the root domain “amazon”, so fraudsters can’t simply set up their own phishing sites under that domain. But they can create domains that look like “” to fool people into clicking their phishing links. One common root domain impersonation tactic is to use numbers instead of letters. So, swap the “o” in “amazon” with a zero, and you have “”. At first glance, an undiscerning target might mistake this for Amazon’s actual website. However, root domain impersonation is increasingly uncommon as this trick is relatively easy to spot. Also, major brands tend to buy up similar-looking domains to prevent cybercriminals from acquiring them. Tessian research reveals that only 20% of top couriers have configured their website’s DMARC policies to the strictest settings. This means fraudsters can use tactics like email spoofing to convincingly imitate these sites via fraudulent emails.
Subdomain impersonation   One highly persuasive impersonation technique is to include the impersonated company’s name in the subdomain of a URL operated by the cybercriminals. The subdomain is the part of a URL that appears before the root domain of a website. Here’s an example of a delivery impersonation attack message impersonating delivery company DPD:
The first part of this link is “dpd”, and so it may appear to lead to DPD’s website. However, the root domain—the website operated by the fraudsters—comes after “dpd”. It’s “track7k4”. So, if you receive a delivery message that looks real at first glance, take special care to check whether the root domain is as authentic-looking as the subdomain.   Top-level domain impersonation Attackers can also impersonate the top-level domain of a URL to make it appear authentic. The top-level domain appears last in a URL. Common examples include “.com”, “.net”, and “”. Here’s an example:
In this delivery impersonation message, the link points to a URL that might seem authentic at first glance. Visiting “” would take you to the Post Office website. But this URL doesn’t actually lead to “”—the top-level domain is “”, not “”. Note that the words “uk” and “” are separated by a hyphen rather than a forward-slash, meaning that both words are part of the top-level domain.   Protecting employees from delivery impersonation attacks As noted, delivery impersonation attacks mainly target consumers. But they can be a problem for businesses too—particularly in the age of “bring-your-own-device” and remote working.So how can you protect your organization from delivery impersonation attacks?   Unfortunately, there is little you can do to stop employees from receiving delivery impersonation attacks via SMS. Android and iOS have some basic filtering and notification functions, but these often fall short and allow delivery impersonation attacks to reach people’s mobiles.   Therefore, incorporating information about delivery impersonation attacks into your company’s security training program is essential. When it comes to preventing delivery impersonation attacks via email, there is a viable solution.   Tessian Defender uses machine learning, anomaly detection, behavioral analysis, and natural language processing to detect even the most subtle signs of email impersonation and phishing.  Here’s how it works: Tessian’s machine learning algorithms analyze your company’s email data, learning each employee’s usual communication patterns and mapping their trusted email relationships inside and outside of your organization. Tessian inspects both the content and metadata of inbound emails for signals suggesting email impersonation or other phishing attacks. Such content might include suspicious payloads, geophysical locations, IP addresses, email clients, or sending patterns.  Once it detects a threat, Tessian alerts employees that an email might be unsafe, explaining the threat in easy-to-understand language.   Click here to learn more about how Tessian Defender protects your team from email impersonation and other cybersecurity attacks. You can also explore our customer stories to see how they’re using Tessian Defender to protect their people on email and prevent social engineering attacks like phishing.  
What is Email Spoofing? How Does Email Spoofing Work?
22 November 2021
Let’s start with a definition of email spoofing.
While email spoofing can have serious consequences, it’s not particularly difficult for a hacker to do. And, despite the fact that email filters and apps are getting better at detecting spoofed emails, they can still slip through.   Why do people spoof emails? You might be wondering why someone would want to spoof another person or company’s email address in the first place. It’s simple: they want the recipient to believe that the email came from a trusted person.   Most commonly it is used for activities such as:   Spear phishing: A type of “social engineering” attack where the attacker impersonates a trusted person and targets a specific individual. Business Email Compromise (BEC): A phishing attack involving a spoofed, impersonated, or hacked corporate email address. CEO fraud: A BEC attack where the attacker impersonates a high-level company executive and targets an employee. Vendor Email Compromise (VEC): A BEC attack where the attack impersonates a vendor or another business in a company’s supply chain. Spamming: Sending unsolicited commercial email to large numbers of people.   Now let’s look at the technical process behind email spoofing. How email spoofing works   First, we need to distinguish between “email spoofing,” and “domain impersonation.” Sometimes these two techniques get conflated.   Here’s the difference: In an email spoofing attack, the sender’s email address looks identical to the genuine email address ( In a domain impersonation attack, the fraudster uses an email address that is very similar to another email address (   When you receive an email, your email client (e.g. Outlook or Gmail) tells you who the email is supposedly from. When you click “reply,” your client automatically fills in the “to” field in your return email. It’s all done automatically and behind the scenes. But, this information is not as reliable as you might think.   An email consists of several parts: Envelope: Tells the receiving server who sent the email and who will receive it. When you get an email, you don’t normally see the envelope. Header: Contains metadata about the email: including the sender’s name and email address, send date, subject, and “reply-to” address. You can see this part. Body: The content of the email itself.   Spoofing is so common because it’s surprisingly easy to forge the “from” elements of an email’s envelope and header, to make it seem like someone else has sent it.   Obviously, we’re not going to provide instructions on how to spoof an email. But we can break down a spoofed email to help you understand how the process works.   Let’s take a look at the email header:
First, look at the “Received From” header, highlighted in blue, which shows that the email came from the domain “”   But now look at the parts highlighted in yellow — the “Return-Path,” “From,” and “Reply-To” headers — which all point to “Mickey Mouse,” or “”. These headers dictate what the recipient sees in their inbox, and they’ve all been forged.   The standard email protocol (SMTP) has no default way of authenticating an email. There are authentication checks that depend on the domain owner protecting its domain. In this case, the spoof email failed two important authentication processes (also highlighted in blue, above):   SPF, short for Sender Policy Framework: Checks if the sender’s IP address is associated with the domain specified in the envelope. DMARC, short for Domain-based Message Authentication, Reporting, and Conformance: Verifies an email’s header information. DKIM, short for DomainKeys Identified Mail: Designed to make sure messages aren’t altered in transit between the sending and recipient servers.   As you can see, DMARC, SPF, and DKIM all = none. That means our spoofed email slipped right through. Here’s how the email looks in the recipient’s inbox:
The email above appears to have been sent by Mickey Mouse, using the email address But we know from the header that it actually came from This demonstrates the importance of setting up DMARC policies. You can learn more about how to do that here. Note: Disney does have DMARC enabled. This is a hypothetical example! Want to find out which companies don’t have DMARC set-up? Check out this website.   How common is spoofing? Measuring the precise number of spoofed emails sent and received every day is impossible. But we can look at how many cybercrime incidents involving spoofing get reported each year. A good place to start is the U.S. Federal Bureau of Investigation (FBI)’s Internet Crime Complaint Center (IC3) annual report.  In 2020, the IC3 reported that: The IC3 received 28,218 complaints about spoofing (up from 25,789 in 2019). The losses associated with spoofing complaints totaled over $216.5 million.   Note that the IC3’s definition of “spoofing” includes incidents involving spoofed phone numbers. But we already know that 96% of phishing attacks start with email. There are many examples of harmful email spoofing campaigns, and the COVID-19 pandemic has made it easier than ever for cybercriminals to trick people into falling for these scams.   For example, in October 2021, a threat actor was found to have spoofed email domains belonging to the Philippine government, targeting shipping, manufacturing, and energy companies with fraudulent emails about COVID-19.   And in March 2021, a widespread email spoofing campaign targeting C-suite executives was uncovered. The attackers created spoofed spear phishing emails that evaded “Office 365’s native defenses and other email security defenses.”   Now you understand what email spoofing is, and how serious a threat it can be, it’s time to read our article on how to prevent email spoofing.
Ultimate Guide to Surviving Black Friday Phishing Attacks
By Andrew Webb
18 November 2021
Ahh Black Friday, ‘o-phish-ally’ the phishiest day of the year according to our 12-month analysis of over 4 billion emails.     You can read more on our research below, and see why bad actors specifically use this day to launch the highest number of attacks of the year.     We also have articles explaining why attackers impersonate delivery firms, how to spot retail scams, and seven tips to help you survive Black Friday.
With over 165 million people heading to stores or shopping online during the frenzy that follows Thanksgiving, retailers will be busier and more distracted than ever. And this makes them a prime target for cybercriminals.  It’s no wonder 42% of CISOs miss Turkey Day… Read more below.
A recent survey also revealed that one in five (20%) U.S. consumers and 33% of U.K. consumers received a phishing scam from a hacker posing as a delivery service this year already. With consumers spending billions online during the upcoming Black Friday and Cyber Monday, it’s highly likely that delivery-related phishing scams will surge – especially against the backdrop of the supply chain issues retailers are currently facing, which are causing delays and product shortages. Read more below.  
With staff working hard to fulfill customers’ orders, they’re highly likely to be distracted, which is when bad actors like to strike. Read more on why they’re not only targeting consumers, but retail businesses themselves, in our  ‘Tis the Season to be Phished report
Cybercriminals follow the money, and at this time of year there’s LOTS of it flowing about. Read more on phishing in retail in this blog post.
New research shows that 30% of U.S. consumers received a phishing message around Black Friday 2020 by text or email. Do you know how to spot a scam? If your organization needs a reminder, download this infographic and circulate to the team. It explains What a phishing email looks like, Which organizations and retailers are most likely to impersonate, and what to do if they’re targeted.    
Find out how Tessian can help secure your Human Layer against threats not just on Black Friday, but every other day of the year too.
What Is Credential Phishing and How Does it Work?
18 November 2021
Think about all of your different online accounts.  Email, social media, banking, eCommerce platforms, news sites….And that’s just in your personal life. What about at work?   For all of these different accounts, you’ll have a username, a password, a pin, or some combination of the three. We call these credentials and they’re the type of data that’s most frequently compromised in phishing attacks. In fact, businesses (and individuals!) lose millions every year to the direct and indirect costs of credential phishing attacks.
Keep reading to find out what credential phishing is, what a credential phishing email looks like, and how to avoid falling victim to a credential phishing attack.   What is phishing?   First things first. Before we can dive into credential phishing specifically, we have to explain what phishing is broadly. Phishing is a type of social engineering attack where the attacker uses “impersonation” to trick the target into giving up information, transferring money, or downloading malware.   Phishing attacks can take many different forms, including: Spear phishing: A targeted phishing attack against a known individual. Whaling: A phishing attack targeting a c-level executive. Senior employees make good targets, as they have easier access to a larger amount of money. Smishing: A phishing attack conducted via text message. Vishing: A phishing attack conducted via voice (phone or VoIP). Any of these types of phishing could be used to gain access to credentials. Attackers also use these methods to target other types of information, like credit card details or social security numbers, and to steal money from the target (“wire transfer phishing”). If you want to learn more about phishing and other social engineering attacks, check out these articles: How to Identify and Prevent Phishing Attacks Phishing vs. Spear Phishing: Differences and Defense Strategies 6 Real-World Examples of Social Engineering Attacks How does credential phishing work?   Credential phishing almost always starts with an email. In fact, 96% of phishing attacks do. So how can you spot one? Let’s take a look at the elements of a credential phishing email. Subject line The cybercriminal’s first challenge is to get their target to open the phishing email. This requires an intriguing and attention-grabbing subject line. Research reveals some of the most commonly-used words and phrases in the subject lines of phishing emails, including: Request Follow up Urgent/Important Are you available?/Are you at your desk? Payment Status Hello Purchase Invoice Due   You’ll notice that some of these subject lines elicit feelings of urgency, while others aim for familiarity.  According to another report,  25% of phishing emails get read. Ask any marketer, this is a high “open rate”. So, while these tactics might seem crude…they work.   Main body of email The main content of a credential phishing email is designed to do two jobs: evade spam filters and persuade the target to click a malicious link. With that in mind, there are some hallmarks of a persuasive phishing email:   It is addressed to you by name. It appears to be from a trusted sender with whom you regularly communicate. It uses the supposed sender’s proper branding, email signature, and communication style. The goal – of course – is to make the target believe it’s real.   That’s why successful phishing operations are highly targeted and backed by meticulous research about the target. The days of “spray and pray” bulk phishing emails are long gone. Cybercriminals are using increasingly advanced tactics, such as open source intelligence (OSINT) and hijacking an ongoing email conversation.   Malicious link   Unlike other types of phishing attacks, a credential phishing attack will always contain a link to a fake login page. But, like the main body of the email, the URL should look legitimate. Again, the goal is to trick the target, not raise their suspicions. How? Piggyback off another brand’s reputation. Research suggests that 52% of malicious links contain a brand name. This is known as a “spoof” domain. For example, a spoof of the URL “” might be “http://www.tessian.nh” Other techniques used for disguising URLs include using a link-shortening service like Bitly or using a hyperlinked image (for example, a “log in” button). Clickthrough rates on credential phishing links are estimated to fall anywhere from 3.4% (Verizon) to 10% (Proofpoint). This represents a very high success rate: remember that just one person clicking that link can cost a company millions of dollars.   Phishing website Once you’ve clicked on the link, you’re directed to the phishing website designed to steal your credentials. We call these malicious websites. The landing page must be just as convincing as the email itself. That means a good phishing login page will be meticulously crafted, using authentic images and fonts to perfectly recreate a brand’s genuine site.   Did you know: Cybercriminals are increasingly securing their sites using HTTPS or SSL certification. Research from APWG suggests that 78% of phishing sites use SSL certificates. This security makes the user feel more secure, but it doesn’t mean the site owner can’t steal their data.   As well as looking convincing, the phishing site must also evade security controls that filter out non-whitelisted sites based on keywords such as “enter password.” But hackers have found a shortcut. Instead of using text on their login pages, they use images. That way, rule-based security controls and spam filters can’t spot the fakes.
What happens to phished credentials? Cybercriminals steal credentials for a variety of reasons. Once your username and password have been phished, they might be:   Used for Business Email Compromise (BEC) or Vendor Email Compromise (VEC) attacks. Used to log into your email account and steal personal or company data. Used for identity fraud. Used for conducting fraudulent transactions. Sold on the dark web: Research from Digital Shadows shows there are over 15 billion sets of credentials available to buy online. Credential phishing can be especially damaging for anyone who reuses passwords. Why? If one password is compromised, several accounts could be exposed. Researchers at Virginia Tech observed attackers using phished PayPal, LinkedIn, and Microsoft credentials to log into email accounts — even though the email accounts were not the attackers’ primary targets.   What you need to know about credential phishing   Now you know how credential phishing works, let’s clear up some myths and misconceptions about this particularly dangerous form of cyberattack. Credential phishing is effective Because phishing is such a common and well-established type of cyberattack, you might think people have become wise to these scams. Surely phishing for people’s credentials is an outdated tactic? Unfortunately not. Phishing attacks are becoming more sophisticated — and because many people naturally tend to trust others — we’re still clicking those phishing links. According to Verizon, phishing was the most common cause of data breaches in 2019, with 22% of 2019 data breaches involving phishing. Phishing was also the leading issue in complaints to the FBI’s Internet Crime Complaint Centre (IC3) in 2020. Phishing incidents more than doubled compared to the previous year, and cost victims over $54 million in direct losses. Not all of these phishing attacks targeted credentials. Other types of phishing involve fake invoices or target credit card details. But credentials are the most common target, with over 60% of phishing attacks aiming to steal usernames and/or passwords. Looking for more phishing statistics? Check out this article: Must-Know Phishing Statistics: Updated 2020. 
Multifactor authentication won’t prevent credential phishing Multifactor authentication (MFA) is an essential extra layer of login security. But MFA isn’t a solution to credential phishing. This is a misconception that can leave people and organizations vulnerable. Here’s why. Logging into an account protected by MFA requires you to enter your login credentials and take one or more additional steps to verify your identity — such as clicking on a link in an email, entering a verification code sent via SMS, or using an authenticator app. Yes, this makes things a lot harder for hackers, who must steal a user’s account credentials and access the additional authenticator. But cracking MFA is far from impossible. Authentication tokens can be phished or hacked, just like usernames and passwords. That means MFA is an essential layer of protection that you should apply across all user accounts, but it’s not a failsafe against credential phishing. Credential phishing attacks increasingly target corporate email accounts Some organizations might focus their cybersecurity efforts on preventing attacks involving ransomware or wire transfer phishing, believing that consumers are more likely to be the target of credential phishing. Credential phishing attacks against consumers are very common, but research shows that credential phishing scammers now have their sights set on corporate targets.   What makes corporate email accounts a particularly good target for credential phishing? Hackers can use one account as a foothold to conduct further phishing operations both within the organization and across their supply chain.   How to prevent credential phishing attacks Investment in cybersecurity is increasing year on year (up 44% in the UK since GDPR was rolled out) and preventing inbound attacks like credential phishing is a high priority for many companies. Here are some solutions to consider. Email security software You’ve seen the sophisticated techniques that cybercriminals use to fool their targets. Even the most tech-savvy of your team members can’t be expected to detect advanced credential phishing emails. Instead of leaving people as the first and last line of defense against these targeted attacks, consider email security software like Tessian Defender that automatically protects your employees’ email accounts against credential phishing and other inbound threats. Here’s how: Tessian scans your employees’ inboxes to learn their regular email style and map their trusted relationships. This way, it automatically knows when an employee receives correspondence from an unexpected sender. Tessian inspects inbound emails for signs that they might be phishing emails. Signs might include barely noticeable irregularities in the sender’s email address, potentially malicious links, or suspicious changes to the sender’s communication patterns. Tessian warns employees before they fall victim to a phishing attack and alerts security teams, who can quickly and easily investigate the attack and – to prevent future attacks – can add the sender’s domain to a denylist in a single click. Security training Staff training in data protection and phishing awareness are both essential (and can even be a requirement under some privacy laws and regulatory standards). Why? Your staff should know what phishing emails and other cyberattacks look like and know what to do if they fall victim to one. But the average person isn’t a security expert. Like we said, even the most tech-savvy person can fall for sophisticated attacks. It’s no wonder, then, that most data breaches start with human error. To learn more about the pros and cons of phishing awareness training, click here. Password management In a world where passwords protect our most valuable and sensitive data, it’s incredible how many people still use the same password across multiple accounts.   Re-using passwords increases your vulnerability across multiple accounts. Your organization should insist that employees use unique, complex passwords for each of their accounts. Employees should also be changing their passwords regularly.   One way to ensure better password management is to use a password manager, ideally designed for enterprise, with centralized user account controls. You should also be implementing multi-factor authentication wherever possible.   If you want to learn more about email security best practices, we recommend these articles: Email Security Best Practice 2020 Email Mistakes at Work and How to Fix Them The Psychology of Human Error How to Catch a Phish: a Closer Look at Email Impersonation   Or, if you want to learn more about how Tessian helps enterprises around the world prevent credential phishing and other inbound and outbound threats, read our customer stories.
ATO/BEC Integrated Cloud Email Security Interviews With CISOs
All Cybersecurity 2022 Trend Articles Are BS, Here’s Why
By Josh Yavor
16 November 2021
Ah, the holidays. As we roll up to the end of the year, one thing’s certain as the office party and failed New Year’s resolutions – cybersecurity 2022 trend articles.    And like festive holiday merch in stores, trends pieces seem to appear earlier and earlier each year.    Well this year, we’re taking a stand against ‘trends for 2022’ articles. Why? Here’s just a flavor of what real InfoSec leaders like you said when we talked trends.
And on Twitter, the feeling is similar… My prediction? The majority of 2022 cybersecurity predictions will again be “More of the same, packaged a bit differently” because that is how evolution works. It is only from an appreciable vantage point that one sees the scale of incremental change. 1/x — Rik Fërgüson (@rik_ferguson) November 1, 2021 My 2022 Cybersecurity Predictions: — c🎃e (@caseyjohnellis) November 2, 2021
So while someone, somewhere might fall for a high profile deepfake attack or AI generated breach, the main issues faced by the vast majority of InfoSec for next year will be… the same as last year, and similar to the years before that.    We like to call these The Infinity Trends, so pass the eggnog, throw another yule log on the fire, and let’s explore the five gems that’ll be taking up 91.4% of your time in the next 365 days.   Infinity Trend One: People are (still ) gonna fall for the same ol’ sh*t Year in, year out, there’s always a risk that someone is going to click on a malicious link. And when bad actors are using sweet, juicy bait like early access to Series 2 of Squid Games, you can see why. You're only as strong as your weakest link. Human error wins every time. Awareness training is key. #InfoSec — Khalil (@sehnaoui) June 21, 2017 You can’t stop people clicking links any more than you can prevent them from sending or receiving them in the first place; for many people, that’s their job. Their inbox is a revolving door of links to documents, webpages, forms, and databases.   Infinity Trend Two: You’ll (still ) have to explain why cybersecurity matters to the CEO An important "soft skill" as you move up in leadership roles is brevity, the ability to not only be succinct but also flexible when presenting; knowing how to adjust your content on the fly. This is crucial when presenting to higher level business leaders. Practice this! — Alyssa Miller 👑 Duchess of Hackington (@AlyssaM_InfoSec) October 28, 2021 Looking back to the ‘before times’ circa 2012, a predicted trend was cybersecurity moving from being solely an IT department issue, to a C-suite issue. (Here’s Phil Gardner, founder of IANS, talking about exactly this back in the day.) Yet here we are, 10 years later, and despite the 2021 PwC Annual Global CEO Survey, revealing chief executives see cyber threats as the number one risk, the same report goes on to note that the majority of CISOs overall — 63% of organizations — don’t get the kind of support they need from their CEO. If you’ve got a CEO who gets security in all its forms, you’re one of the lucky ones. For everyone else, here’s the only three metrics they care about.  
Infinity Trend Three: Attacks will (still ) come after lunch or at the end of the day (on a Tuesday) Bad actors have a preferred time to strike. We know this because we analyzed four billion emails in a 12-month period and found that 2 million of them were malicious, and slipped past secure email gateways (SEGs). Further examination found that mid-afternoon, or just before the end of the day, is when most attacks occur. Why? Because our research shows that 45% of employees say they’ve clicked on a phishing email because they were distracted.
Interestingly, Tuesday – not Friday – was the time employees sent and received the most emails, and that’s also the preferred time for spear phishing. One particular Friday does rank the very highest however, Black Friday. So if you’re reading this….  incoming! It’s not all bad news, though. Our research also showed that, like everyone else, even the bad guys take a break over New Year, perhaps to make their own New Year’s resolutions? Infinity Trend Four: Your biggest risks will (still ) come from ‘inside the house’ The spear phishing of staff was an exotic emerging threat trend in 2012, and it’ll still be your number one threat a decade later. Then there’s the risk from misdirected emails, sending the wrong attachments, and deliberate exfiltration. You can see why Forrester’s recent report of over a 1,000 security professionals found that 61% think an employee will cause their next data breach.
  Infinity Trend Five: Hiring a diverse team will (still ) be one of your biggest priorities… and challenges Back in 2016, 72% of Black Hat attendees were saying that “they do not have enough staff to meet current threats”, and those trends have only gotten worse with 2021’s Great Resignation.    Add to this the fact that the average CISO is in post for a little over 26 months (plus a doesn’t-get-it-CEO), and you can see why it can be hard to foster a solid security culture.    InfoSec has a high turnover rate, too; keeping your people together, focused, and motivated was a challenge in 2012, and it’s still a challenge now.    So despite a decade passing, the problems most InfoSec, SOC teams, CISOs, and CTOs face daily haven’t really changed. What has changed is that everything has gotten bigger and more complicated – from the frequency and sophistication of attacks, to your attack surface and perimeter, to the sums of money and number of people involved.    So our number one cybersecurity trend’ for 2022?    Same as it ever was: cybersecurity is still primarily a people problem. This time of year we all make resolutions: get fit, quit that bad habit, be better at what we do. If you’re thinking about one more, why not make 2022 the year you secure your Human Layer?   Until then, Happy Holidays!
Smishing and Vishing: What You Need to Know About These Phishing Attacks
11 November 2021
Smishing and vishing are two types of fraud that use SMS (smishing) and voice (vishing) to trick people into giving up money or personal information. These two increasingly common types of “social engineering” attacks have been wreaking havoc worldwide recently—and the change and uncertainty brought about by the COVID-19 pandemic have exacerbated the problem.   This article will: Explain what smishing and vishing attacks are and how they relate to phishing Provide examples of each type of attack alongside tips on how to identify them Explain what you should do if you’re targeted by a smishing or vishing attack   Smishing, vishing, and phishing Before we look at smishing and vishing in detail, let’s clarify the difference between smishing, vishing, and phishing. Smishing and vishing are two types of phishing attacks. They’re “social engineering attacks,” meaning that in a smishing or vishing attack, the attacker uses impersonation to exploit the target’s trust.   Because 96% of phishing attacks arrive via email, the term “phishing” is sometimes used to refer exclusively to email-based attacks. But it’s important to guard against threats arising from other means of communication too, including smishing, vishing, and social media phishing.   Regardless of how the attack is delivered, the message will appear to come from a trusted sender and may ask the recipient to: Follow a link, either to download a file or to submit personal information Reply to the message with personal or sensitive information Carry out an action such as purchasing vouchers or  transferring funds   What is smishing?
These messages often contain a link (generally a shortened URL) and, like other phishing attacks, they’ll encourage the recipient to take some “urgent” action, for example: Claiming a prize Claiming a tax refund Confirming and rescheduling a delivery Locking their online banking account   Smishing attacks continue to rise Just like phishing via email, the rates of smishing continue to rise year on year. Data from the Federal Trade Commission (FTC) suggests that US consumers lost over $86 million through scam text messages in 2020.   Reports of malicious text messages nearly tripled: from 107,663 in 2019 to 305,241 in 2020. And in October 2021, the UK government relaunched its Joint Fraud Taskforce after research revealed that 82% of adults received a suspicious text or email over the previous three months.   Smishing attacks most commonly target consumers. But increasingly, fraudsters are using smishing techniques to target businesses, too. A good example of how smishing attacks affect businesses comes from the UK, where the country’s tax authority (Her Majesty’s Revenues and Customs or “HMRC”) regularly warns businesses about scam text messages.   In October 2021, HMRC reminded business owners that it would “never ask for personal or financial information” via text and that recipients should never reply to a message offering “a tax refund in exchange for personal or financial details.”   How to identify a smishing attack Cybercriminals are using increasingly sophisticated methods to make their messages as believable as possible. That’s why many thousands of people fall for smishing scams every year. In a study carried out by Lloyds TSB, participants were shown 20 emails and texts, half of which were inauthentic. Only 18% of participants correctly identified all of the fakes.   So, given that smishing messages are so persuasive, how can you spot one? To help familiarize you with how smishing messages look, here’s a real-life example:
The message above appears to be from the Driver and Vehicle Licensing Agency (DVLA) and invites the recipient to visit a link. Note that the link appears to lead to a legitimate website—“” is a UK government-owned domain.The use of a legitimate-looking URL is an excellent example of the increasingly sophisticated methods that smishing attackers use to trick unsuspecting people into falling for their scams.
Smishing texts share some common characteristics with phishing emails. For example, a smishing message will normally: Convey a sense of urgency Contain a link (even if the link appears legitimate, like in the example above) Contain a request personal information   Another clue that a text message might be malicious is the sender’s phone number. Large organizations, like banks and retailers, will generally send text messages from short-code numbers. Smishing texts often come from “regular” 11-digit mobile numbers. Smishing messages might also be poorly-written or contain typos. However, don’t rely on these sorts of mistakes—typos in smishing messages are increasingly uncommon as fraudsters become more sophisticated.   What is vishing?
Like targets of other types of phishing attacks, the victim of a vishing attack will receive a phone call (or a voicemail) from a scammer, pretending to be a trusted person who’s attempting to elicit personal information such as credit card or login details.   So, how do hackers pull this off? They use a range of advanced techniques, including: Faking caller ID, so it appears that the call is coming from a trusted number Utilizing “war dialers” to call large numbers of people en masse Using synthetic speech and automated call processes   A vishing scam often starts with an automated message, telling the recipient that they are the victim of identity fraud. The message requests that the recipient call a specific number. When doing so, they are asked to disclose personal information. Hackers then may use the information themselves to gain access to other accounts or sell the information on the Dark Web. 
Vishing attacks and COVID-19 The pandemic has presented many opportunities for online fraud, and we’ve seen COVID–related smishing scams in abundance. Here’s a particularly appalling example—in June 2021, the Better Business Bureau revealed that scammers were impersonating agents from a government-backed funeral program and targeting families that had lost loved ones to coronavirus.   But—like with smishing—vishing scammers don’t just target consumers. COVID-19-related vishing attacks have hit businesses, too.   On August 20, 2020, the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) issued a joint statement warning businesses about an ongoing vishing campaign. The agencies warn that cybercriminals have been exploiting remote-working arrangements throughout the COVID-19 pandemic.  The scam involves spoofing login pages for corporate Virtual Private Networks (VPNs), so as to steal employees’ credentials. These credentials can be used to obtain additional personal information about the employee.   The attackers then use unattributed VoIP numbers to call employees on their personal mobile phones. The attackers pose as IT helpdesk agents and use a fake verification process using stolen credentials to earn the employee’s trust.
How to identify a vishing attack   Vishing attacks share many of the same hallmarks as smishing attacks. In addition to these indicators, we can categorize vishing attacks according to the person the attacker is impersonating: Businesses or charities — Such scam calls may inform you that you have won a prize, present you with you an investment opportunity, or attempt to elicit a charitable donation. If it sounds too good to be true, it probably is. Banks — Banking phone scams will usually incite alarm by informing you about suspicious activity on your account. Always remember that banks will never ask you to confirm your full card number over the phone. Government institutions — These calls may claim that you are owed a tax refund or required to pay a fine. They may even threaten legal action if you do not respond. Tech support — Posing as an IT technician, an attacker may claim your computer is infected with a virus. You may be asked to download software (which will usually be some form of malware or spyware) or allow the attacker to take remote control of your computer.   How to prevent smishing and vishing attacks One key to preventing smishing and vishing attacks is providing employees with security training. Security awareness training is a key part of complying with privacy and security laws, such as the General Data Protection Regulation (GDPR) and the New York SHIELD Act. You can read more about how compliance standards affect cybersecurity on our compliance hub.    Training can help ensure all employees are familiar with the common signs of smishing and vishing attacks, which could reduce the possibility of falling victim to such an attack. But, what do you do if you receive a suspicious SMS or voice message? The first rule is: don’t respond.   If you receive a text requesting that you follow a link—or a phone message requesting that you call a number or divulge personal information—ignore it until you’ve confirmed whether or not it’s legitimate. If the message appears to be from a trusted institution, search for the organization’s phone number and call directly. For example, if a message appears to be from your phone provider, search for your phone provider’s customer service number and discuss the request directly with the operator.     If you receive a vishing or smishing message at work or on a work device, make sure you report it to your IT or security team. If you’re on a personal device, you should report significant smishing and vishing attacks to the relevant authorities in your country, such as the Federal Communications Commission (FCC) or Information Commissioner’s Office (ICO).    For more tips on how to identify and prevent phishing attacks, including vishing and smishing, follow Tessian on LinkedIn or subscribe to our monthly newsletter. 
ATO/BEC Email DLP Integrated Cloud Email Security
Tessian Recognized as a Representative Vendor in 2021 Gartner® Market Guide for Email Security
By Ed Bishop
09 November 2021
Tessian is honored to be recognized as a Representative Vendor for Integrated Cloud Email Security (ICES) in the recently released 2021 Gartner Market Guide for Email Security. According to Gartner the “continued increases in the volume and success of phishing attacks and migration to cloud email require a reevaluation of email security controls and processes. Security and risk management leaders must ensure that their existing solution remains appropriate for the changing landscape.”
The key findings listed in this Market Guide for Email Security    According to this report, “the adoption of cloud email systems continues to grow, forcing security and risk management leaders to evaluate the native capabilities offered by these providers”. The report further states “solutions that integrate directly into cloud email via an API, rather than as a gateway, ease evaluation and deployment and improve detection accuracy, while still taking advantage of the integration of the bulk of phishing protection with the core platform.”    The report also states that “ransomware, impersonation, and account takeover attacks are increasing and causing direct financial loss, as users place too much trust in the identities associated with email inherently vulnerable to deception and social engineering.”    Gartner recommends that the security and risk managers for email security should: “Use email security solutions that include anti-phishing technology for business email compromise (BEC), protection that uses AI to detect communication patterns and conversation-style anomalies, as well as computer vision for inspecting suspect URLs.”  “Consider products that also include context-aware banners to help reinforce security awareness training.” “Invest in user education and implement standard operating procedures for handling financial and sensitive data transactions commonly targeted by impersonation attacks. Remove as many targeted ad hoc processes from email as possible.”   This report highlights trends that we believe Tessian is also seeing.    Historically, companies around the globe were deploying the Tessian platform to augment the shortcomings of their Secure Email Gateways (SEGs). Customers needed a more comprehensive solution that would stop the real nasty stuff like zero-day attacks and ransomware, and that was able to detect and stop the threats that often slip past their SEGs such as business email compromise (BEC), account takeover (ATO), spear phishing, and impersonation attacks. Tessian’s recent Spear Phishing Threat Landscape 2021 Report examined emails from July 2020 – July 2021, and discovered nearly 2,000,000 emails slipped through SEGs. An interesting shift we’ve observed over the past nine months is that we’re seeing more and more customers leveraging the enhancements made by Microsoft along with the Tessian platform to replace their SEG. We expect that trend to accelerate in 2022. Gartner predicts that “by 2023, at least 40% of all organizations will use built-in protection capabilities from cloud email providers rather than a secure email gateway (SEG), up from 27% in 2020.”     Tessian’s approach Tessian is a leading cloud email security platform that intelligently protects organizations against advanced threats and data loss on email, while coaching people about security threats in-the-moment. Using machine learning and behavioral data science, Tessian automatically stops threats that evade legacy Secure Email Gateways, including advanced phishing attacks, business email compromise, accidental data loss and insider threats. Tessian’s intelligent approach not only strengthens email security but also builds smarter security cultures in the modern enterprise. Built as a cloud-native platform, Tessian integrates seamlessly with O365, Google Workspace, and MS Exchange environments within minutes, learns in hours, and starts protecting in a day closing the critical gaps in the email security stack.    
Tessian is honored to be recognized as a Representative Vendor for Integrated Cloud Email Security (ICES) in the recently released 2021 Gartner Market Guide for Email Security. According to Gartner the “continued increases in the volume and success of phishing attacks and migration to cloud email require a reevaluation of email security controls and processes. Security and risk management leaders must ensure that their existing solution remains appropriate for the changing landscape.”
The Tessian differentiators:  Threat prevention: Tessian protects against both known and unknown email attacks, including business email compromise, account takeover, spear-phishing, and all impersonation attacks that bypass SEGs, M365, and G Suite Education and awareness: With Tessian’s in-the-moment training, organizations can educate and empower users to build continuous email security awareness  Reduced admin overhead: Tessian removes the burden on SOC and admins by automating repetitive tasks such as maintaining triage and review. This eliminates the need for human verification of email threats, reducing FTE requirements. Data-rich dashboards: With Tessian, security teams have clear visibility and the ability to demonstrate clear ROI  
Tessian solutions: Tessian Defender is a comprehensive inbound email security solution that automatically prevents a wide range of attacks that bypass Secure Email Gateways (SEGs) while providing in-the-moment training to drive employees toward secure email behavior.  Tessian Guardian automatically detects and prevents accidental data loss from misdirected emails. Tessian Enforcer automatically detects and prevents data exfiltration attempts and ensures compliant email activity. Tessian Architect is a powerful policy engine for real-time email data loss prevention. It features a combination of classic elements of DLP policies that provide custom protection against sensitive data loss. To learn more about how Tessian can help strengthen your email security posture, book a demo now.    
Gartner, “Market Guide For Email Security”, Mark Harris, Peter Firstbrook, Ravisha Chugh, Mario de Boer, October 7, 2021. Gartner Disclaimer: GARTNER is registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Cybercriminals To Impersonate Delivery Firms in Black Friday Phishing Scams
By Charles Brook
04 November 2021
The Black Friday sales weekend is fast approaching, with many consumers set to splash their cash and bag themselves a bargain before the holidays. According to Adobe Analytics, online spending surged by 22% during Black Friday 2020, with consumers spending $9 billion on retailers’ websites the day after Thanksgiving.    And Black Friday 2021 is set to be no different.    In a recent Tessian survey, 62% of U.S. consumers told us they will take part in Black Friday shopping this year. It’s important, then, to be wary of the phishing and smishing scams that you could receive.    Why Cybercriminals Leverage Black Friday for Phishing Attacks   When our researchers analyzed malicious emails between July 2020 and July 2021, they saw a significant spike during Q3 2020, immediately before and after Black Friday.      What’s more, nearly a third of U.S. consumers (30%) said they received a phishing email around Black Friday last year, either by email or SMS to their personal email or cell.   The thing is that consumers expect to receive more marketing and advertising emails from retailers during this time, touting their deals, along with updates about their orders and notifications about deliveries. Inboxes are noisier-than-usual and this makes it easier for cybercriminals to ‘hide’ their malicious messages.    What’s more, attackers can leverage the ‘too-good-to-be-true’ deals people are expecting to receive, using them as lures to successfully deceive their victims. When the email looks like it has come from a legitimate brand and email address, people are more likely to click on malicious links that lead to fake websites or download harmful attachments. 
And it’s not just consumers that need to be wary. Employees in the retail industry will be busier and more distracted than ever during this time, faced with hundreds of orders, thousands of customer queries to respond to, and overwhelming sales targets to hit. Cybercriminals will use this to their advantage, crafting sophisticated phishing emails and cleverly worded social engineering messages in the hope that a stressed worker will miss the cues and comply with their requests.    In fact, security leaders in the retail industry told us that they aren’t 100% confident that their staff will be able to identify the scams that land in their inbox during these busier periods.    Being made aware of the scams and being provided with sound advice – in-the-moment – on what to do if they do receive a phishing email will make the difference between whether an employee clicks on the link or shares their credentials versus if they don’t.    Impersonating Couriers to Advance Phishing Scams   As the number of online purchases grew throughout the pandemic, so did the number of emails and SMS messages in which scammers impersonated delivery companies and logistics firms.    In fact, our survey revealed that one in five (20%) U.S. consumers and 33% of U.K. consumers received a phishing scam from a hacker posing as a delivery service this year already.  
With consumers spending billions online during the upcoming Black Friday and Cyber Monday, it’s highly likely that delivery-related phishing scams will surge – especially against the backdrop of the supply chain issues retailers are currently facing, which are causing delays and product shortages.    For example, these supply chain issues mean delivery services are expected to experience higher-than-normal demand. This is creating an opportunity for bad actors to scam people through SMS and email, posing as legitimate couriers or logistics companies and claiming to have important information regarding a package.   It’s particularly concerning, then, that two-thirds (64%) of the top couriers are at risk of having their domains impersonated by phishers and scammers as a result of not having Domain-based Message Authentication, Reporting & Conformance (DMARC) records set to the strictest settings.    In fact, just 20% of the top couriers have configured DMARC policies to the strictest settings to prevent abuse of the domain by scammers and phishers.   Without the proper DMARC records in place, an attacker could impersonate one of these couriers’ domains in phishing campaigns, tricking people into thinking they’re opening an email from a trusted and legitimate source about an order or delivery update.   From that phishing email, hackers could lure their targets to a fake website that has been set up to steal account credentials or personal and financial information.    For the consumer, it really wouldn’t seem out of the ordinary to receive a message that asks them to ‘learn more’ about a delivery update or reschedule a missed delivery.    How to Avoid Falling For Black Friday Phishing and Smishing Attacks   Here are some simple tips for you, your employees, friends and family to follow this Black Friday:   Inspect emails and text messages to look out for spelling errors; these are a sure sign that it is not from a legitimate source. Take a few seconds to verify that the sender’s name and email address match up, especially if you are reading your emails on your mobile. Cybercriminals typically spoof a brand’s name in the hope that you’ll fail to inspect the email domain. Be wary of business messages from unknown numbers or numbers starting with a local area code such as +44, as these are regularly associated with scam texts. If you’re led to a website, look for the padlock in the URL bar to verify the website is secure or not.  And, if in doubt, just don’t click. You can follow up with the delivery company or retailer directly if you have a question that needs to be answered.     And for security teams at retailers and delivery companies:    Educate your staff – everyone from senior executives to temporary/seasonal employees – on the scams they could be exposed to during this busy period and train them on what to do should they receive a malicious message.  Remind employees to expect emails that come from suppliers or third parties; posing as a trusted connection is another way in which cybercriminals will try to hack into the organization.  Configure email authentication records like DMARC and set strict policies – this is a necessary first step in preventing attackers from directly impersonating your business’s email domain.
How to Prevent and Avoid Falling for Email Spoofing Attacks
By Maddie Rosenthal
22 October 2021
Email spoofing is a common way for cybercriminals to launch phishing attacks — and just one successful phishing attack can devastate your business. That’s why every secure organization has a strategy for detecting and filtering out spoofed emails. Do you?   This article will walk you through some of the best methods for preventing email spoofing. Want to learn more about email spoofing, how hackers do it, and how common these attacks are? Check out this article: What is Email Spoofing and How Does it Work?   And, if you’re wondering how to prevent your email address or domain from being spoofed…the first step is to enable DMARC. But, even that isn’t enough. We explain why in this article: Why DMARC Isn’t Enough to Stop Impersonation Attacks. Security awareness training Email spoofing is a common tactic in social engineering attacks such as spear phishing, CEO fraud, and Business Email Compromise (BEC). Social engineering attacks exploit people’s trust to persuade them to click a phishing link, download a malicious file, or make a fraudulent payment. That means part of the solution lies in educating the people being targeted.   It’s important to note that cyberattacks target employees at every level of a company — which means cybersecurity is everyone’s responsibility. Security awareness training can help employees recognize when such an attack is underway and understand how to respond.   In this article  – What Is Email Spoofing and How Does it Work? – we looked at how an email’s header can reveal that the sender address has been spoofed.   Looking “under the hood” of an email’s header is a useful exercise to help employees understand how email spoofing works. You can see if the email failed authentication processes like SPF, DKIM, and DMARC, and check whether the “Received” and “From” headers point to different domains.   Take a look at the example below. See how the “Return-Path”, “From”, “Errors-To”, and “Reply-To” fields (from “”) differ from the “Received” field (from “”).
Note: Disney does have DMARC enabled. This is a hypothetical example! Want to find out which companies don’t have DMARC set up? Check out this website.   Although email headers can provide valuable indicators that an email has been spoofed, it’s obviously not realistic to expect people to carefully inspect the header of every email they receive.   So what are some other giveaways that might suggest that an email spoofing scam is underway?   The email doesn’t look how you expect. The sender might be “” But does the email really look like PayPal’s other emails? Most sophisticated cybercriminals use the spoofed company’s branding — but some can make mistakes. The email contains spelling and grammar errors. Again, these mistakes aren’t common among professional cybercriminals, but they still can occur. The email uses an urgent tone. If the boss emails you, urgently requesting that you pay an invoice into an unrecognized account — take a moment. This could be CEO fraud.   You must get your whole team on board to defend against cybersecurity threats, and security awareness training can help you do this. However, Tessian research suggests that the effectiveness of security training is limited.   Email provider warnings   Your mail server is another line of defense against spoofing attacks. Email servers check whether incoming emails have failed authentication processes, such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance).   In the “spoofed email header” we provided above, you can see that the spoofed email failed DMARC, SPF, and DKIM checks. Many email providers will warn the user if an email has failed authentication. Here’s an example of such a warning from Protonmail:
As part of your company’s security awareness training, you can urge employees to pay close attention to these warnings and report them to your IT or cybersecurity team. However, it’s not safe to rely on your email provider. A Virginia Tech study looked at how 35 popular email providers handled email spoofing. The study found:   All except one of the email providers allowed fraudulent emails to reach users’ inboxes. Only eight of the providers provided a warning about suspicious emails on their web apps. Only four of the providers provided such a warning on their mobile apps.   Even the most powerful companies in the world get spoofed, and email filters frequently let these spoofed emails sail through their filters. In October 2021, for example, security experts warned of a highly convincing Amazon spoof email designed to steal customers’ personal and financial information. The email arrived from the domain “”   And in March 2021, a widespread email spoofing campaign targeting C-suite executives was uncovered. The attackers created spoofed spear phishing emails that evaded “Office 365’s native defenses and other email security defenses.”   Authentication protocols As noted by the Virginia Tech study, email providers often allow fraudulent emails through their filters — even when they fail authentication. But, perhaps more importantly, whether a fraudulent email fails authentication in the first place is out of your hands.   For example, SPF lets a domain owner list which email servers are authorized to send emails from its domain. And DMARC enables domain owners to specify whether recipient mail servers should reject, quarantine, or allow emails that have failed SPF authentication.   So, for domain owners, setting up SPF, DKIM, and DMARC records is an essential step to prevent cybercriminals and spammers from sending spoofed emails using their domain name.   But as the recipient, you can’t control whether the domain owner has properly set up its authentication records. You certainly don’t want your cybersecurity strategy to be dependent on the actions of other organizations.  Want more information? Check out our eBook on this topic, Why DMARC and Authentication Records are Failing to Stop Spear Phishing. Email security software   Effective email spoofing attacks are very persuasive. The email arrives from a seemingly valid address — and it might contain the same branding, tone, and content you’d expect from the supposed sender.   This makes email spoofing attacks one of the hardest cybercrimes to detect manually. Humans aren’t good at spotting the subtle and technical indicators of a well-planned email spoofing attack. Legacy solutions like Secure Email Gateways and native tools like spam filters aren’t either.  The best approach to tackling spoofing — or any social engineering attack — is intelligent technology.   An email security solution powered by machine learning (ML) will automate the process of detecting and flagging spoofed emails, making it easier, more consistent, and more effective.   Here’s how Tessian Defender solves the problem of email spoofing: Tessian’s machine learning algorithms analyze each employee’s email data. The software learns each employee’s email style and maps their trusted email relationships. It learns what “normal” looks like so it can spot suspicious email activity. Tessian performs a deep inspection on inbound emails. By checking the sender’s IP address, email client, and other metadata, Tessian can detect indications of email spoofing and other threats. If it suspects an email is malicious, Tessian alerts employees using easy-to-understand language.    
Threat Intelligence: COVID-19 Proof of Vaccination Scams
By Charles Brook
21 October 2021
Scammers and threat actors are continuing to use the COVID-19 pandemic as a theme for their phishing campaigns. The latest trend? Asking people to download their ‘proof of vaccination’ or vaccine certificates. In fact, in a recent Tessian survey, 35% of US citizens and 22% of UK citizens said they’d received a ‘proof of vaccination’ phishing email this year.  That’s because (as you likely know) most businesses and travel companies are requesting that people now provide proof of vaccination or digital vaccine credentials. Attackers see this as an incentive to get targeted recipients to click links in phishing emails.  What do these emails contain?  Tessian researchers have been analyzing emails related to ‘proof of vaccination’ scams over the past six months and found that, in many of the emails, cybercriminals will apply a sense of urgency to their messages, using subject lines that include “IMPORTANT” and “OFFICIAL”.  This is a common social engineering tactic, prompting the person to act quickly so that they don’t spend too much time thinking about the consequences of complying with the request.  The call to action in 80% of the emails analyzed is to click a link to request and download a COVID-19 vaccination passport or certificate, explaining that if the recipient doesn’t have their proof of vaccination, they won’t be able to travel or must remain in quarantine. Wouldn’t you want to act fast? Most emails also contained a payload of either a malicious link or attachment which would direct the recipient to a web page designed to trick them into entering sensitive information such as personal details, credit card or banking details in order to receive their proof of vaccination.
Of the emails analyzed, 20% of them contained language indicating an intent to steal information. Once cybercriminals have this information, they can use it to access your other online accounts or commit identity fraud.  In the UK, the majority of the ‘proof of vaccination’ scams saw attackers impersonate the National Health Service (NHS), tricking their targets into thinking they’d received an email from a legitimate and trustworthy source.  Here’s an example of an email sent from a business email address using compromised credentials:
For anyone quickly glancing at this email, it looks like the real deal.  The attacker has spoofed the NHS in its display name, used the correct logo, and avoided any spelling mistakes. Only when you look at the sender’s email address can you see that it’s not actually from the NHS.  How can you avoid falling for a ‘proof of vaccination’ scam?  If you require ‘proof of vaccination’ for any of your upcoming holidays, plans, or activities, or if you have any questions, always go through direct channels with your local authority. You can find their email addresses or phone numbers via their website.  Remember;  For UK residents, the NHS App is free, the NHS Covid Pass is free, and the NHS will never ask for payment or any financial details. For US residents, COVID-19 vaccination providers cannot charge you for a vaccine or charge you for any administration fees, copays, or coinsurance.  So, if the sender of the email is asking you for money or payment information, such as bank details or card details, it is likely a scam. If it looks suspicious, avoid clicking any links or attachments. Mark the email as spam or move it to your junk folder to help improve dedication against the type of malicious email and if you’ve received the email on your work email, then report it to your IT team. Then, hit delete.
CEO Fraud Prevention: 3 Effective Solutions
20 October 2021
CEO fraud is a type of cybercrime in which the attacker impersonates a CEO or other company executive. The fraudster will most often use the CEO’s email account — or an email address that looks very similar to the CEO’s — to trick an employee into revealing sensitive data or transferring money. A report by UK Finance suggests that CEO fraud is among the main eight types of fraud attacks targeting consumers and businesses.   Like all types of phishing, CEO fraud attacks are very difficult for employees to spot. Some legal technical solutions, such as Secure Email Gateways (SEGs) can also struggle to detect this increasingly sophisticated type of cybercrime. But, there are still ways to prevent successful CEO fraud attacks. The key? Take a more holistic approach by combining training, policies, and technology. We’ve outlined three techniques that are crucial to help your organization defend against CEO fraud and other related types of cybercrime.   1. Raise employee awareness Security is everyone’s responsibility. That means everyone – regardless of department or role –  must understand what CEO fraud looks like. Staff training is getting tougher as CEO fraud gets more sophisticated. The FBI’s Internet Crime Complaint Centre (IC3) warns that along with CEOs, cybercriminals increasingly impersonate a broad range of actors, including vendors, lawyers, and payroll departments. So where do you start when training employees to detect CEO fraud attacks? Using real-world examples to point out common red flags can help.
What are the signs that this email is part of a CEO fraud attack? First off, note the lack of spelling errors. Poor spelling and grammar can be a phishing indicator, but this is increasingly unlikely in today’s more sophisticated cybercrime environment.   Also, notice the personal touches — Sam’s familiar tone, his references to Kat working from home, and his casual email sign-off. Fraudsters go to great efforts to research their subjects and their targets, whether via hacking or simply using publicly available information.   These persuasive elements aside, can you spot the red flags? Let’s break them down: The sender’s email address: The domain name is “” (which looks strikingly similar to, especially on mobile). Domain impersonation is a common tactic for CEO fraudsters. The sense of urgency: The subject line, the ongoing meeting, the late invoice—creating a sense of urgency is near-universal in social engineering attacks. Panicked people make poor decisions. The authoritative tone: “Please pay immediately”: there’s a reason cybercriminals impersonate CEOs — they’re powerful, and people tend to do what they say. Playing on the target’s trust: “I’m counting on you”. Everyone wants to be chosen to do the boss a favor. Westinghouse’s “new account details”: CEO fraud normally involves “wire transfer phishing”—this new account is controlled by the cybercriminals.   Your cybersecurity staff training program should educate employees on how to recognize CEO fraud, and what to do if they detect it. Check the sender’s email address for discrepancies. This is a dead giveaway of email impersonation. But remember that corporate email addresses can also be hacked or spoofed. Feeling pressured? Take a moment. Is this really something the CEO is likely to request so urgently? New account details? Always verify the payment. Don’t pay an invoice unless you know the money’s going to the right place.   Looking for a resource that you can share with your employees? We put together an infographic outlining how to spot a spear phishing email. While these are important lessons for your employees, there’s only so much you can achieve via staff training.   Take it from the U.K.’s National Cyber Security Centre (NCSC):“Spotting phishing emails is hard, and spear phishing is even harder to detect. Even experts from the NCSC struggle.The advice given in many training packages, based on standard warnings and signs, will help your users spot some phishing emails, but they cannot teach everyone to spot all phishing emails.”   Humans are often led by emotion, and they’re not good at spotting the small giveaways that might reveal a fraudulent email. Sometimes, even security experts can’t!
2. Implement best cybersecurity practice Beyond staff training, every thriving company takes an all-around approach to cybersecurity that minimizes the risk of serious fallout from an attack. Many companies choose to implement a cybersecurity framework, such as the CIS Critical Security Controls or the NIST Cybersecurity Framework, to help them adopt security controls and protections in a systematic and comprehensive way.   Here are some important security measures that will help protect your company’s assets and data from CEO fraud: Put a system in place so employees can verify large and non-routine wire transfers, ideally via phone Protect corporate email accounts and devices using multi-factor authentication (MFA) Ensure employees maintain strong passwords and change them regularly Buy domains that are similar to your company’s brand name to prevent domain impersonation Regularly patch all software Closely monitor financial accounts for irregularities such as missing deposits Deploy an email security solution   All the above points are crucial cybersecurity controls. But let’s take a closer look at that final point — email security solutions.   3. Deploy intelligent inbound email security   CEO fraud attacks overwhelmingly take place via email (along with 96% of all phishing attacks).  That’s why deploying an email security solution is one of the most effective steps you can take to prevent this type of cybercrime. But not just any email security solution.   Legacy solutions like Secure Email Gateways (SEGs), spam filters, and Microsoft and Google’s native tools generally can’t spot sophisticated attacks like CEO fraud. Why? Because they rely almost entirely on domain authentication and payload inspection. This means they tend to check publicly available records to verify the authenticity of an email address, and examine any attachments to see if they contain malware. Social engineering attacks like CEO fraud easily evade these mechanisms. Tessian is different. Tessian Defender uses machine learning (ML), anomaly detection, behavioral analysis, and natural language processing (NLP) to detect a variety of signals indicative of CEO fraud. Tessian’s machine learning algorithms analyze your company’s email data. The software learns every employee’s normal communication patterns and maps their trusted email relationships — both inside and outside your organization. Tessian inspects both the content and metadata of inbound emails for any signals suggestive of CEO fraud. For example, suspicious payloads, anomalous geophysical locations, out-of-the-ordinary IP addresses and email clients, keywords that suggests urgency, or unusual sending patterns. Once it detects a threat, Tessian alerts employees that an email might be unsafe, explaining the threat in easy-to-understand language.
Click here to learn more about how Tessian Defender protects your team from CEO fraud and other email-based cybersecurity attacks. You can also explore our customer stories to see how they’re using Tessian Defender to protect their people on email and prevent social engineering attacks like CEO Fraud.