Get Your Complimentary Copy of the Gartner Market Guide For Email Security 2021 – Don’t miss out on the recommendations here

Request a Demo of Tessian Today.
Automatically stop data breaches and security threats caused by employees on email. Powered by machine learning, Tessian detects anomalies in real-time, integrating seamlessly with your email environment within minutes and starting protection in a day. Provides you with unparalleled visibility into human security risks to remediate threats and ensure compliance.
Spear Phishing

Get up to speed on the latest tips, guides, industry news and technology developments around phishing, spear phishing and Business Email Compromise.

Spear Phishing
Spotting the Stimulus Check Scams
16 April 2020
Since the US government announced that citizens who make less than $75K would receive $1,200 checks, we have found that there have been 673 newly registered domains related to the $2T stimulus package.  Unlike the domains spoofing the U.S. Census that we discovered earlier this month, these URLs aren’t intended to mimic official government websites. Rather, these domains have been set up to take advantage of the stimulus package, using common questions or key words to lure users in such as whereismystimuluscheck.com or covid-19-stimulus.com.  Where do these new domains go? When we looked at the newly registered domains more closely, we found that nearly half of the newly registered domains hosted websites offer the following services: Consultancy: helping people with the paperwork to get their checks Calculators: asking users to enter their personal information, such as their age and address, to find out how much money they are entitled to Donations: giving people the opportunity to donate their check to a Covid-19 related cause Business loans We also found that 7% of these spoofed domains were spam websites, with no clear call to action. With hackers capitalizing on this global health crisis to launch targeted phishing scams, people need to be mindful of what information they share on these sites.  The thing is that cybercriminals will always follow the money, looking for ways to take advantage of the fact people will be seeking more information or guidance on the stimulus package. Although not every domain registered in the last month may be malicious, it’s possible that these websites offering consulting and business loans could be set up to trick people into sharing money or personal information.  Our advice? Always check the URL of the domain and verify the legitimacy of the service by calling them directly before taking action.  Think twice about sharing your data It’s also important to consider what data you are being asked to share via websites offering calculators or status checks, and what the websites offer after you have taken an action. Cybercriminals could use the information you shared to craft targeted phishing emails that include the ‘results’ of your assessment, tricking you to click on malicious links with the intention of stealing money, credentials or installing malware onto your device. Earlier this week, the IRS launched a new online resource for citizens to check on their payment status. We anticipate that even more URLs will crop up as a result of this. How to avoid potential scams Think twice before sharing personal information to calculator websites. If it doesn’t look right, it probably isn’t  Make sure the educational sites offering consultancy services are legitimate before sharing information or money. Always check the URL and, if you’re still not sure, verify by calling the company directly Never share direct deposit details or your Social Security number on an unfamiliar website Take care when sharing your email address and other personal information on websites like the calculator ones and question the legitimacy of the emails sharing your results before clicking on any links Always use different passwords when setting up new accounts on these websites  
Spear Phishing
How to Spot and Avoid 2020 Census Scams
By Maddie Rosenthal
07 April 2020
In case you missed it, Tessian recently published a blog around the most common types of Tax Day scams in both the US and the UK.  Unfortunately, though, these aren’t the only opportunistic phishing attacks bad actors are carrying out this time of the year. They’re also launching Census scams.  As they do in Tax Day scams, cybercriminals will be impersonating government agencies. In this case, you’ll find they’re generally impersonating either the U.S. Census Bureau or an agent, or a third-party agency working for the U.S. Census Bureau. What do Census scams look like? Hackers have a range of threat vectors they can use to carry malware or gain access to sensitive information. In the past, we’ve seen attacks via email, phone, social media, job boards, and even traditional mail.  The common thread between all of these attacks is the request for sensitive personal information like home addresses, social security numbers, ethnicity and information related to the members of your household. This information could be used to make you a victim of identity theft. It’s important to remember that attacks may not ask directly for this information and may instead direct you to another webpage or portal via a link or QR code.  In this post, though, we’ll focus on email scams.  Example: Email Survey Scam
What’s wrong with this email? The US Census Bureau conducts surveys online, over the phone, via mail, or in-person, not via email.  While the Display Name looks authentic, the full email address is suspicious and inconsistent and doesn’t match the legitimate domain, which is @census.gov. Upon hovering over the link, you’ll see the URL is suspicious. Not only is the website connection not secure (remember: https indicates a secure connection), but the format and website name are both unusual.  Who will be targeted by Census scams?  Because it’s mandatory for all households to participate in the census, every US resident over 18 years of age is at risk of being targeted. That means that over the next several weeks, everyone in every state needs to exercise caution when responding to a request for personal information that appears to be coming from the U.S. Census Bureau or an affiliated individual or organization.   What do I do if I’m targeted by a phishing attack?  While it’s true that attackers use different tactics and capitalize on different moments in time to trick their targets, individuals should always follow the same guidelines if they think they’ve received a fraudulent request for information, whether by mail, email, SMS, or another online forum.  If anything seems unusual, do not follow or click links or download attachments.  The best way to avoid falling victim to one of these scams – whether over email, online, or over the phone – is to simply not provide any personal information until you verify with 100% certainty that you’re communicating with a genuine agency, organization, or agent. Visit the organization’s website via Google or your preferred search engine, find a support number, and ask them to confirm the request for information is valid. If you’ve been targeted, report the attack to the Census Bureau. Call 1-800-354-7271, in English, or 1-800-833-5625, in Spanish. More resources The best way to stay safe is to stay informed.  The Census Bureau has issued its own advice on how to stay safe from phishing scams online and over the phone. Read their tips here. 
Spear Phishing
Coronavirus and Cybersecurity: How to Stay Safe From Phishing Attacks
17 March 2020
Hackers love emergencies and times of general uncertainty. Why? Because people are scared, distracted, potentially desperate, and are therefore vulnerable—making them ideal targets. As COVID-19 continues to spread and global concern about the pandemic rises, bad actors will be impersonating trusted institutions like healthcare organizations, insurance companies, banks, and airlines in order to steal money, harvest credentials, or install malware on your computer…and that’s just on the consumer side.  When it comes to business, trusted individuals and brands will be impersonated. For example, hackers will impersonate out-of-office CxOs and popular web conferencing applications, especially as organizations encourage and rely on remote-working. Internally at Tessian, we’ve shared tips with our employees on how to spot this type of scam and what to do in case you’re targeted. We think it’s important to spread the message and raise awareness with everyone.  Consumers: What Should You Look For? Hackers will be impersonating trusted brands. Carefully inspect all emails, but be especially wary of those coming from healthcare organizations, insurance companies, banks, and airlines, especially those that ask you to “Confirm you are safe”, “Confirm you haven’t traveled to recently affected COVID-19 countries”, or anything similar.  Look beyond the Display Name and examine the full email address of every sender. While hackers can directly spoof an email address, they’ll often change, remove, or add one letter to the genuine email address, making the difference difficult to spot. The goal of a phishing attack is to steal money, harvest credentials, or install malware. That means hackers will motivate you to act, either by encouraging you to download an attachment, follow a link, transfer money, or respond with personal details. These are all red flags.   While hackers can certainly craft perfectly believable correspondence, phishing emails may contain spelling errors or branding inconsistencies either in the logo, email template, or a landing page.  Employees: What Should You Look For? Hackers will be impersonating people within your organization and third-parties like suppliers or vendors. You should be cautious when responding to any internal email that mentions the sender being out-of-office and any third-party email that comes from a source you don’t recognize or that requires urgent action. Look beyond the Display Name and examine the full email address of every sender. While hackers can directly spoof an email address, they’ll often change, remove, or add one letter to the genuine email address, making the difference difficult to spot. The goal of a phishing attack is to steal money, harvest credentials, or install malware. That means hackers will motivate you to act, either by encouraging you to download an attachment, follow a link, transfer money, or respond with personal details. These are all red flags.   While hackers can certainly craft perfectly believable correspondence, phishing emails may contain spelling errors, language or requests that are out-of-character, and branding inconsistencies. These red flags are all a bit easier to spot when you have a bit more context. Below are just a few examples of phishing emails that you may see over the next few weeks. The Fraudulent Third-Party
What’s wrong with this email? The sender’s email address contains irregular characters and doesn’t match the Display Name. Organizations should send internal communications to let their employees know they’ve implemented new tools or platforms. You shouldn’t be hearing about it from the third-party first. Upon hovering over the link, you’ll see the URL is suspicious. Please note, though: A suspicious URL can still take you to a landing page that appears legitimate. The Out-Of-Office Boss
What’s wrong with this email? The sender’s email address is from a freemail domain (@yahoo.com) and not from within the organization. The attacker is giving the email a sense of urgency. That attacker is using remote-working as a ploy to encourage the target to do something unusual. The attacker is impersonating a person in power; this is a common tactic in social engineering schemes. The Concerned Counterparty
What’s wrong with this email? The toplevel domain (.net) is unusual and inconsistent with previous emails from this supplier. The attacker is using fear and urgency to motivate the target to act. Upon hovering over the link, you’ll see the URL is suspicious. Please note, though: A suspicious URL can still take you to a landing page that appears legitimate. The “Helpful” Government Organization
What’s wrong with this email? All valid email correspondence from WHO will come from @who.int, not any other variation. The attacker is using the fear of COVID-19 to motivate the target to download the malicious attachment. Like many other organizations, WHO has stipulated they will never send unsolicited emails containing attachments. The Proactive Health Insurance Provider
What’s wrong with this SMS? The attacker is using fear to motivate the target to act. Because no health insurance provider is mentioned by name, you can assume this text has been sent to a large pool of targets. Legitimate organizations will never ask you to update your payment details via text. The text message contains a shortened link; the target can’t see the URL of the website they’re being led to. Of course, knowing what these opportunistic phishing emails look like is just the first step. Actually knowing what to do if you’re targetted is what’s really important. What to Do If You’re Targeted  If anything seems unusual, do not follow or click links or download attachments. Instead, visit the brand’s website via Google or your preferred search engine, find a support number, and ask them to confirm whether the communication is valid. If the email appears to come from someone you know and trust, like a colleague, reach out to the individual directly by phone, Slack, or a separate email thread. Rest assured, it’s better to confirm and proceed confidently than the alternative.  If you’re an employee who’s been targeted, contact your line manager and/or IT team. We’ve all heard the phrase “prevention is better than cure” and phishing attacks are no exception. While knowing what to do if and when you’re targetted is incredibly valuable, it’s also important that both individuals and organizations know how to avoid being impersonated in the first place.  How to Avoid Being Impersonated For those of you who are working remotely or are otherwise Out of Office, don’t include any personally identifiable information (PII) in your automated emails or on social media. For example, don’t provide your personal mobile number or email address. Don’t tell people to email a colleague in your absence; this information helps bad actors map connections and relationships within an organization, which can be used to make future phishing emails seem more convincing. Hackers can use this to their advantage to target your colleagues. Organizations should implement SPF, DKIM, and DMARC to help prevent hackers from directly spoofing their domain.   Both brands and senior leadership should advise customers and employees what they will and will not ask for via email, phone, or text. People will then have a better sense of what requests are out of the ordinary and therefore suspicious.  As we continue sharing best practice tips with our employees to keep them secure while working remotely, we’ll share them with you, too. Check back on our blog for the latest updates.
Human Layer Security Spear Phishing
Hacker’s Advice: 7 Tips for Avoiding Phishing Scams
09 March 2020
The final speaker at Tessian’s first Human Layer Security Summit was Glyn Wintle, the CTO and co-founder of Tradecraft (formerly DXW Cyber), a security consulting agency that uses social engineering tactics, technical work, open intelligence sources, and attacks on physical locations to breach clients’ systems. In other words, he’s an ethical hacker, although he prefers “friendly hacker”.  During his presentation, he explained how hackers combine psychology and technical know-how to create highly targeted and highly effective phishing attacks on people. Based on his insights, we’ve put together 7 tips to help you avoid social engineering schemes like phishing attacks.
1. Don’t Underestimate Hackers or Overestimate Your Ability to Spot a Phish Glyn started his presentation with one clear and concise statement: Breaking in is easier than defending. And, he’s right.  Attacks like phishing emails rely on power in numbers, meaning that only one person has to follow a link, click an attachment, share personal information, or make a bank transfer for the hacker to be successful.  Interestingly, though, employees tend to be incredibly confident in their ability to spot phishing emails; only 3% of people think it’s difficult to spot a phish. The general consensus, especially amongst employees at organizations where security awareness training is required, is that “only idiots fall for scams”.  While that may be the case with the more blatantly obvious scams – for example, an email coming from a Nigerian Prince claiming they’d like to share their fortune with you if you share your bank account details – hackers have an arsenal of techniques to dupe even the most discerning eye. This is especially the case in spear phishing attacks where hackers might spend days or even weeks researching their target to craft a perfectly believable email. With social platforms like LinkedIn, they can easily uncover not just a company’s organizational structure, but more timely information about individuals like when they’re attending a conference. This is powerful ammunition for a spear phishing attack. 2. Look Out for Both Emotive and Enterprising Scams People tend to be familiar with phishing and spear phishing attacks that rely on an emotional response – fear, urgency, stress – often triggered by an email that appears to be sent from a person in power. They work, really well. But enterprising scams are just as powerful.
Glyn cited an example in which a company made a public announcement that it recently received VC funding. Based on the press release, a savvy hacker contacted the Venture Capital firm impersonating the company. The hacker was able to create a convincing email relationship with the Venture Capital firm and this trust enabled the hacker to successfully get the VC to transfer the funds into their account.  People sometimes mistakenly think the solution to this is to hide all information. But often there’s a reason why information was and is made public. Making sure people know what information is public or not can help. 3. Relying on hyper vigilance isn’t enough People – especially in work environments – tend to move and work quickly. Because of that, and despite training, they might not think twice about irregularities in email addresses, URLs, or landing pages in pursuit of being productive. What’s more, expecting people to double check every thing will not work. They will not get any work done. Management must understand that people make mistakes; expecting them to be hyper vigilant at all times cannot be the solution. There are technical measures that can be used to warn someone that something abnormal is happening. Showing users who do have the privileges to do harmful things what real targeted phishing emails look like can help. But you must also find ways to make their lives easier. Telling them “this is really hard” then saying “best of luck”, is not setting them up for success. 4. Don’t take the “secret” bait If nothing else, hackers are inventive. Glyn cited one example where, instead of emailing a target pretending to be someone else, they’ll simply CC individuals into a conversation that genuinely has nothing to do with them. The email message will allude to a secret or piece of sensitive information; potentially with a malicious link to the alleged source or malicious attachment. It seems rudimentary but it works.  More often than not, the target will follow the link or attachment, thinking they’re gaining access to something highly confidential. In reality, they will have installed malware on their computer. 5. Beware of Urgent Requests and Reasonable Requests While a lot of hackers will use urgency to incite action, that’s not the only tactic they employ. In fact, a tried-and-tested technique according to Glyn is to request an action within two working days.  “If you’re impersonating a company and targeting employees, and you say something must be actioned within two working days, you will get much higher hit rates.”
6. Take Extra Caution on Your Mobile While mobile phones have no doubt made it easier for us to stay connected, they’ve also made it even easier for hackers to pull off successful phishing attacks given the smaller screens and differences in functionality, especially after hours. “I love mobiles. But if you’re targeting someone on mobile, the rules change. You probably want to do it on a Friday night, when alcohol might be involved, especially because the smaller web browser makes it hard to see who the sender is or tell what exactly the URL is.” But, it’s not smaller browsers that make mobiles risky. Smishing and vishing are also on the rise, meaning email isn’t the only threat vector to be weary of. 7. Implement a Security Solution While there are certainly steps individuals can take to prevent themselves from falling victim to a phishing scam, if organizations really want to protect their people, they have to implement security solutions.
#HumanLayerSecuritySummit20
Human Layer Security Spear Phishing
Tim Sadler on Hacking Humans Podcast: Episode 87 “The Art of Cheating”
28 February 2020
Tessian’s CEO and co-founder Tim Sadler joined Dave Bittner from the CyberWire and Joe Carrigan from the Johns Hopkins University Information Security Institute to talk about why email is so risky and inboxes remain dangerous territory. Listen to Hacking Humans Episode 87 “The Art Of Cheating.” Dave Bittner: Joe, I recently had the pleasure of speaking with Tim Sadler. He is from a company called Tessian. And we discuss the human element of cybersecurity, along with some details on some phishing schemes. Here’s my conversation with Tim Sadler. Tim Sadler: I think, for a long time, when we’ve spoken about securing people, we’ve always defaulted to training and awareness rather than thinking about how we can use technology to take the burden of security away from people. So I think there’s a challenge at the moment in that humans are unpredictable. They break the rules. They make mistakes. And they’re easily tricked. And that’s what’s leading to so many data breaches today that are ultimately caused by people and human error. Dave Bittner: And so the bad guys, knowing this, have adjusted their tactics. Tim Sadler: I think that’s right. I mean, if you think about email for an organization, it is an open gateway. So it is one of the only pieces of infrastructure an organization has where anybody can send anything into an organization without pre-approval. And I think that’s one of the reasons why we’re seeing such a high level of threat around phishing, spear-phishing, business email compromise, those kinds of attacks. It is the – really, the entry point for every attacker that wants to get into an organization today, and it’s so effortless to execute one of these scams. Dave Bittner: So what kind of things are you tracking? What are some of the specific campaigns that are popular these days? Tim Sadler: So I think, you know, we see everything from the well-known trends like the fact that, you know, it’s tax season and the W-9 form scam – so attackers putting malicious attachments in emails trying to get people to open them because, you know, it’s tax season, and that’s something that everybody is watching out for. And then some of the more interesting things that we’re seeing specifically are around attackers scraping LinkedIn data to automate attacks based on people moving jobs. So a new joiner to an organization will – you know, is – may have a higher propensity to be duped by a phishing scam. They won’t know the protocol that an organization has in place. So we’re seeing a lot of attacks that come through when people are new to an organization. It’s maybe in their first or second week, and then they’ll receive a spear-phishing email pretending to be the CFO or pretending to be the CEO, trying to dupe them into doing something and, again, use those techniques of deception and urgency on emails. Dave Bittner: Now, what about some of the more targeted campaigns – you know, things like spear-phishing, even – you hear it referred to sometimes as whaling, where they’re targeting high-level people within organizations?
Tim Sadler: And actually, you can – for attackers, it is fairly scalable to do this. You can build a LinkedIn scraper. You can be pulling names. And you can be automating the purchase of domains that look like legitimate domains but, in fact, aren’t. And then you can automate the sending of those emails into organizations. And, you know, the rewards from doing this kind of thing can be enormous for attackers. So I read about that charity in the U.K. this morning who fell victim to a spear-phishing scam where they lost almost a million dollars over three transactions. So it is a huge, huge payoff for these attackers when they actually – you know, they get their target to do the thing they want them to. Dave Bittner: What are your recommendations for organizations to best protect themselves? Tim Sadler:  So I think, you know, it does start with awareness. You have to make sure that employees are aware that their inbox is dangerous. And they need to pause, if only for five seconds, just with every email they get and do some basic checks. So check, who is this email from? Does the domain look legitimate? Tim Sadler: But really, what is extremely difficult is, for most organizations today, their entire security strategy is reliant on their employees doing the right thing 100% of the time. So if you are only relying on security training and awareness, there are going to be things that creep through. There are going to be attacks that are successful. And in the same way that organizations use advanced technology to secure their networks and secure their devices, we believe that organizations today need to be using advanced technology to secure their people. Dave Bittner: Well, how does that technology play out? What sort of things are you describing here? Tim Sadler: In order to secure people – so again, we come back to this point that people are unpredictable. They break the rules. They make mistakes, and they’re easily hacked. A system needs to understand the normal patterns of behavior that a person exhibits on email in order to understand what looks like a security threat and what looks like a normal email. So what organizations can do is they can use a platform – like Tessian, for example – that uses machine learning to analyze historical email patterns and behaviors to understand, on every incoming email, does this email look legitimate or not? And that’s something that we’ve pioneered and we use and is much more effective than some of the traditional approaches, which use rules or policies to control the flow of inbound email. Dave Bittner: You know, it reminds me of a story that a colleague of mine shared with some friends who work for a nonprofit. And they got an email from the chief financial officer, who had just gone on vacation, and it said, I know; I realize I’m out of town, but I need you all to transfer this large sum of money, and I need it done immediately; you know, please don’t let me down. And to a person, they all said, this is the last thing in the world this person would ever say or do. And that tipped them off to the problem. It sounds like – I mean, that’s a similar thing to how you’re coming at this from a technological point of view or looking – making sure that the behavior isn’t anomalous. Tim Sadler: Yeah, that’s exactly right. We use machine learning in the way that it’s been applied to other fields – for example, credit card fraud detection. You look at their normal spending patterns and behaviors on card transactions, and then you use that intelligence to then spot the fraudulent transactions. And that’s what we’re doing. We’re looking at normal email behavior in order to spot the fraudulent email behavior. And in the same way that you would try and train a person to look out for the unusual aspects of an email that may give a clue as to whether it’s a phishing email or not, you can train a machine-learning algorithm to do the same. Tim Sadler: Now, the difference and the advantage to doing this is that a machine-learning algorithm can traverse millions and millions and millions of data points in a split second, whereas a human is only going to have a limited number of data points that they can remember or they can go back to in their mind. Dave Bittner: Where do you suppose we’re headed with this? As you look towards the future and this problem with email continues to be an issue, do you suppose the types of things that you’re offering here are going to become just a standard part of doing business? Tim Sadler: I think it’s critical that organizations today realize that their security strategy cannot be reliant on training people to do the right thing 100% of the time. And again, it comes back to – at the beginning of my career, I was working for one of the world’s largest banks and saw a massive problem, and that is that banks spend millions of dollars on securing their networks and devices using advanced technology, but they completely neglect the security of their people. So instead, they’re relying on training them to do the right thing 100% of the time. And that, obviously, doesn’t work. Tim Sadler: I saw people who would send highly sensitive information to completely the wrong person. They would email documents to their personal email account, or they would fall for phishing scams. So we thought this was a huge problem that needed solving, and that’s why we built the product that we’re building today – because we believe that in the same way you have a firewall for your network and you have an EDR platform for your devices, we believe you need a human-layer security platform to protect your people. Dave Bittner: All right. Interesting stuff. Joe? Joe Carrigan: Yeah. A couple things stick out to me. One, your inbox is dangerous, and Tim does a really good job of describing why that is. He calls it an open gateway because anyone – literally anyone – can use your inbox.
Human Layer Security Spear Phishing DLP
A Year in Review: 2019 Product Updates
By Harry Wetherald
01 January 2020
2019 was a big year for email security. While the world did see a record number of data breaches (up 33% from 2018) we also saw tighter security-related policies and regulations drafted and implemented, and, in general, an increased awareness amongst businesses about the importance of proactive security strategies. While we may be biased, it seems note-worthy that human error became more and more of a talking point in the cybersecurity space. In fact, human error and the importance of machine learning and artificial intelligence in protecting people has been one of the most talked about trends by analysts going into the new year. Similarly, companies are waking up to the fact that humans are their biggest risk. It’s about time. After all, misdirected emails – emails accidentally sent to the wrong person – have been one of the top data security incidents reported under GDPR according to the Information Commissioner’s Office. We believe it’s unreasonable to expect employees to do the right thing 100% of the time when it comes to making security-related decisions; people break the rules, people make mistakes, and people can be hacked. To err is human! What’s more, we have seen how quickly the threat landscape continues to evolve, which is why throughout 2019, we rolled out a series of important product updates that have kept our user base – which saw triple digit growth over the last 12 months – safe. Here are the most important product updates to Tessian’s Human Layer Security platform for 2019.
1. Human error, quantified. The new Tessian Dashboard gives customers an at-a-glance view of breaches and near-misses on email Keen to discover trends related to the number of breaches that were prevented by Tessian over the last 30 days? Our easy-to-navigate dashboard gives administrators a complete overview of activity, including any malicious and anomalous emails detected, misdirected emails prevented, and unauthorized email attempts thwarted. Module performance for Tessian Defender, Guardian, Enforcer, and Constructor are all visible on one page, and visual representations of data make it easy to monitor and drill down on activity day-by-day. If suspicious activity is spotted, you can quickly and easily generate a report without navigating off the page. The Tessian Dashboard also allows administrators to view user health at a glance, including the percentage of users active on the Add-in and Gateway and any connection issues across the network. This will help in-house security teams ensure every employee within their organization is protected by Tessian’s modules at all times. 2. Evolving algorithms. Tessian Defender can now detect and prevent more spear phishing attempts than ever Throughout 2019, Tessian Defender was improved through a series of subtle but impactful tweaks to our algorithms to be even more adept at detecting spear phishing attempts, including advanced, difficult-to-detect direct spoof attacks. The fact is, bad actors are using increasingly sophisticated techniques to trick unsuspecting people into handing over sensitive information or granting access to controlled networks. It’s imperative that we stay ahead of the curve, hence the regular updates. Tessian Defender has improved over time – and will continue to improve – enabling the detection and prevention of even the most advanced spear phishing attempts.
3. Thwarted first-attempts. It’s now even more difficult for employees to exfiltrate sensitive data Tessian Enforcer can now detect the first attempt an employee makes to exfiltrate data over email. How? By inferring what is and isn’t likely to be authorized communication based on the vast amount of data Tessian’s ML algorithm was trained on, which doesn’t necessarily rely on prior email history of a particular email address. For example, if an employee attempts to send an email to their personal, freemail account and that email address contains the employee’s first name or surname, Tessian Enforcer presents a warning to the user advising them that the behavior is potentially unsafe and prompting them to reconsider the action. Data exfiltration remains an incredibly unwieldy problem for businesses. Tessian gives businesses much-needed oversight of the problem over email.
4. In-situ learning opportunities. Employees have an opportunity to understand why an email is unsafe with contextual warnings While Tessian prides itself on low flag rates so that security doesn’t impede productivity, we wanted to maximize the opportunity to educate users through our warnings. This way, when users do see a notification, they understand why. Improved warnings across all four modules were designed for a more user-friendly experience that seamlessly reinforces any previous or ongoing security training. With more context included, employees can now see exactly why an email is being flagged as suspicious and – importantly – they can make their own decision on how to proceed. This is at the core of Tessian’s mission. Employees should be empowered by security solutions instead of burdened by them. 5. New detection capabilities. Customers can create rules that are specific to their environment Every business or enterprise is different and IT and Infosec security leaders need some flexibility in creating filter conditions that are applicable specifically to their operations. Because we’ve introduced new detection capabilities, users can now combine more conditions to create filters for their individual use cases; for example, scanning attachment content, identifying hidden fields in spreadsheets, and reading Azure Information Protect and other DLP labels. At the most basic level, these rules look something like this: If A and B, then C, except when D or E. These variables can apply to a number of elements contained in an email, from the recipient(s) to language patterns. One way an administrator might use these new detection capabilities would be to configure a filter which only allows the finance team, for example, to share spreadsheets with people outside of their organization if the recipient’s email address is recognized as a customer, except when the attachment contains a hidden row titled “social security numbers”. Protect your most valuable asset: your people Tessian is committed to creating the world’s first Human Layer Security platform and exciting developments lie ahead as we build out a holistic platform to protect people using email and, eventually, other interfaces frequently used in the workplace. Not yet a Tessian customer? Across four modules, Tessian protects the human layer by detecting and preventing both inbound and outbound threats. This includes advanced spear phishing attacks, accidental data loss, and data exfiltration. Tessian is quickly and easily deployed to Office 365, Exchange, and G-Suite, product updates are seamlessly rolled out for users and administrators, and the technology – which doesn’t disrupt workflow – was built with productivity in mind. To understand how Tessian can fit into your existing security framework, request a demo now.
Human Layer Security Spear Phishing
It’s the Most Fraudulent Time of the Year
30 November 2019
With Black Friday just around the corner, the holiday shopping season is upon us and retailers will face their busiest time of the year. In the last six weeks of 2018, for example, UK retailers and US retailers saw sales of £79.7bn and $719.2bn, respectively, as shoppers rushed to scoop up the best deals. No wonder, this window is often referred to as the “Golden Quarter”. But retailers and their customers may get more than they bargained for as this surge of shoppers makes the “Golden Quarter” a golden time for cybercriminals to launch phishing campaigns. We often think about consumers as the main victims of retail-related phishing attacks in the holiday shopping season. And quite rightly; shoppers receive hundreds of emails from retailers promoting their latest deals around peak shopping days like Black Friday and Cyber Monday. It’s a ripe opportunity for cybercriminals, who are looking to steal personal data and payment details, to “hide” in the noise, pose as legitimate brands and prey on individuals who are not necessarily security savvy. However, it’s also important to remember that retailers themselves are at greater risk of phishing attacks during this time, as well. In fact, our latest report reveals that nearly two thirds of UK and US retailers (64%) receive more phishing attacks in the three months leading up to Christmas, compared to the rest of the year. Black Friday, in particular, is a prime time for seasonal scammers as UK retailers (56%) and US retailers (57%) saw an increase in the number of phishing attacks during the Black Friday / Cyber Monday weekend last year. Given that phishing attacks have only grown in frequency and severity since then, there is no doubt that phishing will continue to be a persistent threat for retailers this year too. It’s also concerning to see that 70% of IT decision makers at UK retailers and 65% at US retailers believe their staff are more likely to click on phishing emails during the holiday shopping season. The reason? Employees are at their busiest and working at a much faster pace, meaning they are less likely to check the legitimacy of the emails they are receiving. Hackers will take full advantage of the fact that security won’t be at the front of mind for busy and stressed retail workers, and will craft sophisticated spear phishing campaigns to encourage individuals to click on malicious links, download harmful attachments or wire huge sums of money. On top of this, staff will also receive more emails at this time. Consider how many colleagues, temporary workers, customers and third party suppliers retail workers engage with during the holiday shopping season. Knowing inboxes will be filling up with timely requests and orders, hackers can easily deceive employees and get them to comply with their requests via spear phishing emails that convincingly impersonate colleagues, senior executives or trusted suppliers. With the average phishing attack now costing a company $1.6 million, there are significant financial consequences for a retail worker being duped by a phishing attack. It’s understandable, then, that the IT decision makers we surveyed said that “data breaches caused by human error” are the number one threat to their business in the final quarter of the year. Phishing came in a close second, with one in five IT decision makers in retailers believing phishing is the greatest threat to their organization during the holiday shopping season. Given the people-heavy nature of the industry, retailers are, sadly, an easy target for cybercriminals. Our report clearly shows that retailers need to do everything they can to build robust defenses and minimize incidents of human error that could lead hackers to steal data and compromise systems this holiday season.  
Spear Phishing
7 Ways to Survive this Black Friday
15 November 2019
Shoppers are expected to smash previous Black Friday spending records this weekend, with experts forecasting global sales of around $36.9 billion on Friday alone. With over 165 million people heading to stores or shopping online during the frenzy that follows Thanksgiving, retailers will be busier and more distracted than ever. And this makes them a prime target for cybercriminals. Here are our top tips for your business to survive the Black Friday weekend: 1. Think before you click on email Phishing is the biggest risk for one in five IT decision makers at UK and US retailers during the holiday shopping season. No wonder – over 60% receive more phishing attacks during this time than any other point in the year. Peak shopping days like Black Friday, Small Business Saturday and Cyber Monday are a golden opportunity for hackers to hide in chaotic inboxes and take advantage of individuals who are not security savvy. Is your business defending against this risk? 2. Keep calm and carry on When dealing with throngs of shoppers, processing thousands of orders and meeting overwhelming sales targets, retail staff will be under pressure to deliver. With more emails being sent and received and with staff working at a fast pace for long hours, mistakes will inevitably happen. In fact, 67% of IT decision makers at UK and US retailers believe staff are more likely to click on a phishing email during the holiday shopping season. Put measures in place to protect your people, especially when security is the last thing on their mind. 3. Train temporary staff on the threat Temporary seasonal workers play a critical role in helping retailers out during this busy time but they rarely benefit from the cybersecurity training that full-time employees receive. This makes them more vulnerable to threats like phishing. If just one employee falls for a scam, the retailer could face a security breach exposing the personal and financial data of thousands of consumers. Make sure all staff are trained on the phishing threat and know what action to take should they receive one. 4. Keep customer service teams alert Over a quarter of retail IT practitioners are concerned that customer service workers will fall for phishing attacks during this peak shopping season. Hackers will target these teams with phishing emails that contain malicious attachments or links, knowing that staff will need to deal with every customer enquiry they receive. Stay on high alert: encourage customer service teams to flag any messages that look suspicious. 5. Protect your customers from seasonal scams Consumers will be inundated with emails touting Black Friday deals this weekend. It’s a golden opportunity for cybercriminals looking to steal personal data and credit card information to pose as legitimate retail brands and lure consumers to fake sites. We increasingly see hackers impersonating brands in sophisticated spoofed emails; it’s surprisingly easy to do if the company doesn’t have email authentication records like DMARC in place. Worryingly, a third of retailers we surveyed do not have these checks in place. The problem is that consumers are more likely to click on malicious links or download harmful attachments when an email looks like it comes from a legitimate brand and email address. Protect your customers by protecting your brand. 6. Be wary of spoofed suppliers Not only can hackers target your third-party suppliers to gain access to company information, but they can also impersonate suppliers’ domains and send seemingly legitimate emails to your staff, asking them to wire money or share credentials. Nearly one in three retailers say employees have received spear phishing emails impersonating an external supplier. Always examine what the sender is asking you to do—are you being asked to carry out an urgent request? If this isn’t normal, it may be a fake request. 7. Don’t rely on tick-box training Don’t make cybersecurity training a one-off exercise. Continually teach and reinforce safe email behavior so that your staff are able to make the right cybersecurity decisions both at work and in their personal life. Our handy cheat sheet will help. Encourage your employees to print it and keep it on their desk so that they can identify the cues of a malicious message. To find out more about how to avoid seasonal scams, read our report.
Spear Phishing
Spear Phishing Demystified: the Terms You Need to Know
10 October 2019
Jargon is a hallmark of all industries. Cybersecurity is no different, but using the right security terminology has a real impact. When an organization’s data and systems are threatened by spear phishing attacks, being aware of evolving trends and the definitions of key terms could be the difference that helps prevent the next threat. Spear phishing is the number one threat facing businesses today, but research still suggests that “lack of knowledge and awareness about cyber-attacks could hinder the growth of the spear phishing protection market.” In this article we define and explain key spear phishing concepts and terms. (To learn more about how to prevent spear phishing attacks with machine-intelligent technology, read about Tessian Defender.) Spear phishing definition, and other attack types Although media outlets and security companies rightly pay a lot of attention to spear phishing, advanced impersonation spear phishing attacks come in many forms. Once you’ve read our breakdown of different key terms and what they mean, you’ll come away with a clearer understanding of the range of sophisticated inbound email threats. Spear phishing Spear phishing describes an advanced impersonation phishing attack directed at specific individuals or companies. (Head to the “Other useful terms” section below to see a definition of regular “bulk” phishing.) Similar to “bulk” phishing, spear phishing attacks are designed to trick people into taking an action like transferring funds or clicking on a malicious link. In contrast to bulk phishing, spear phishing attackers often gather and use personal information about their target to increase their probability of success. Because spear phishing emails are low-volume as well as more sophisticated in their construction and convincing in execution, they are far harder for traditional email security products to catch. CEO fraud / executive fraud CEO fraud is a type of spear phishing attack where attackers impersonate a CEO or another high-level executive. Here, attackers aim to trick the executive’s colleagues into carrying out actions that place data, money and/or credentials at risk. Attackers often use social engineering techniques (see “Other useful terms” below) to convey urgency and prevent targeted employees from thinking twice about following the instructions of the “CEO”. A notorious example of this kind of fraud saw an impersonation of Pathé France’s CEO lose Pathé €19.2m. Whaling Whaling is related to CEO fraud, with a key difference: instead of impersonating senior executives and targeting lower-ranking employees, attackers target the big fish themselves (hence the term). A whaling attack might involve attackers trying to get the executive in question to divulge key credential information or other sensitive organizational data. This information can then be used to access confidential systems, or to make subsequent spear phishing attacks within the organization more authentic and effective. Because they are many times more likely to be targeted than rank-and-file employees, because they tend to be very busy, and because of their access and influence, senior executives can be especially profitable targets for attackers. Forms of impersonation used in spear phishing attacks Although all spear phishing attacks revolve around impersonation of some kind, impersonation itself can take many forms. Attackers impersonate people on email in order to: • Steal money, data and credentials • Compromise systems • Take over accounts Essentially, all spear phishing attacks use impersonation as a strategy. Mechanisms differ from the easy (display name impersonation) to the complex (direct spoofing). Here’s how we break impersonations down: Business Email Compromise According to the FBI, Business Email Compromise (BEC) attacks cost organizations $1.2bn in 2018 alone. BEC is closely related to spear phishing – and commonly confused with it – but is potentially still more damaging and severe. Attackers impersonate employees or external counterparties and send spear phishing emails to people within the organization being targeted, using social engineering techniques to convince targets to wire funds outside the organization or to click on dangerous links that risk compromising systems and/or data. Readers should bear in mind that there are several different interpretations of BEC. For example, it’s often confused with Account Takeover (ATO): ATO describes the unauthorized takeover of someone’s actual account, using harvested credentials or “brute force” hacking. Domain impersonation These attacks involve attackers spoofing or impersonating an organization’s domain in order to appear legitimate. There are three main kinds of domain impersonation: root, top-level and subdomain. Below is an example of each of these impersonations, using the domain companyinc.com as a starting point: • Root: companyceo@companyinc-outbound.com OR companyceo@c0mpanyinc.com • Top-level: companyceo@companyinc.net • Subdomain: companyceo@companyinc.secured-email.com Display name impersonation Display name impersonations involve attackers setting deceptive display names on their email accounts in order to mislead recipients. This might mean impersonating a senior executive within a company, or the name of a key supplier or partner. The technical skill required is effectively zero: most mainstream email clients offer users ways to change display names in their account settings. Display name impersonations are particularly effective when received on mobile devices, as the sender’s actual email address is usually hidden.
Attackers can also change a sender’s display name to include a genuine-seeming email address, such as “Thomas Edison <thomas@nationalphonograph.co>
Freemail impersonation Freemail impersonation describes spear phishing attacks where criminals use the fake personal email address of a senior-level executive. An attacker impersonating the CEO of a company – let’s use Thomas Edison again – could send an email from thomas.edison@gmail.com to an employee working in the finance department, for example, requesting an urgent transaction. Here’s the example from before:
Automatic “Out of office” replies are a useful tool for attackers planning freemail spear phishing campaigns. By probing lists of contacts, attackers can learn when a particular executive is out of the office. Details volunteered in OOO autoreplies may tell them how long the executive is out of the office for, and even where they’ve gone. With this knowledge, attackers are free to impersonate the executive’s personal email account (or simply register an authentic-looking freemail address) and target the executive’s colleagues with a convincing impersonation.
Other useful terms Credential harvesting Credential harvesting is often an end goal of spear phishing attacks. Attackers will use coercive emails to direct recipients to fake login pages or other websites, where credentials can be harvested. Attackers can monetize credentials by selling them, or by using stolen account information to make purchases. In an enterprise environment, compromised credentials can also place entire systems at risk, doing significant financial and reputational harm to the business. Having harvested credentials, attackers can even take over email accounts and begin targeting victims’ contacts. Payload Many spear phishing emails contain a payload: on email, this might be a malicious link or attachment that, when opened, triggers malware on affected devices or systems. Increasingly, spear phishing attacks don’t have a payload at all, relying on persuasive language to coerce an employee into making a mistake. In turn, this makes these attacks especially hard for traditional security tools to defend against. Phishing Generally, phishing attacks are sent in bulk to a large audience, meaning the attackers’ language is relatively untargeted and unpersonalized. While phishing attacks can be successful, most attacks can be identified by traditional email security tools. This is why attackers have evolved to rely on spear phishing to extract money, data and credentials from organizations. Ransomware Ransomware attacks are growing in popularity and also need little or no technical skill to carry out. In a ransomware attack, an attacker holds an organization “hostage” by deploying malicious software across critical infrastructure. The attacker will threaten to steal money or data, or to cripple the organization’s systems unless a ransom is paid. Perhaps the most famous example of such an attack is the NotPetya worm which crashed systems around the world in 2017. Many ransomware attacks start with a spear phishing email containing a dangerous payload. Social engineering Social engineering describes the techniques attackers use to persuade people to take a dangerous action. Attackers may rely on the seniority of the person they are impersonating, or the illusion of urgency being created, to prompt a lower-ranking employee to take a desired action. Often, attackers will build trust with a target by communicating ‘normally’ for periods of time, using entirely innocuous language: this heightens the effect of coercive language when an attack is finally launched. Spoofing A spoof describes an impersonation where an attacker forges an email by modifying the email address from which the email appears to have been sent. (Many people don’t know that it’s possible for anyone with their own mail server to specify any From: address when sending an email, a loophole often leveraged by more sophisticated attackers.) As an industry, cybersecurity is responding to a rapidly evolving threat landscape and growing more complex every day. It’s vital to understand the range of different concepts and terms that surround the exploding spear phishing crisis. A reminder: if you have further questions about spear phishing, speak to a Tessian expert.
Spear Phishing
Inside Email Impersonation: the Danger of Display Names
18 September 2019
A single spear phishing email can deeply damage your organization’s cybersecurity. After a data breach, credentials could be compromised and systems left unguarded, all as the result of someone’s failure to detect an impersonation of a colleague, supplier or partner. What makes the threat of impersonation especially worrisome is the fact that you don’t have to be a highly skilled cybercriminal to impersonate someone on email. In fact, many kinds of impersonation are startlingly simple. In this post we’ll cover display name impersonation, perhaps the easiest way for an attacker to dupe employees and extract money, data and/or credentials from enterprises.
What is display name impersonation? Display name impersonations involve attackers setting deceptive display names on their email accounts in order to mislead recipients. The display name is not part of the email address itself: it’s the name affiliated with the account that usually appears before the email address in inboxes. Display name impersonations are often combined with domain impersonations to execute sophisticated impersonation attacks, which use social engineering to threaten organizations’ most sensitive data and systems. How do attackers manipulate display names? Even for people with little or no technical knowledge, impersonating a display name is very easy: the operation can be carried out within almost all major email clients. Here, we’ll take you through how to do this with Gmail:
This approach is especially effective on mobile devices (pictured above), because the From: email address is hidden on mobile screens. Very little work has gone into creating a potentially convincing impersonation that could fool busy, distracted employees – especially if the sender being impersonated is a high-ranking executive or a demanding supplier. With CEO fraud losses totalling more than £14m in the UK in 2018, organizations should be aware of the growing threat of executive impersonations. Attackers can also change a sender’s display name to include both a genuine-seeming name and email address, such as “Thomas Edison <thomas.edison@nationalphonograph.co>”. In this case, the attacker is betting the target won’t notice that the email address they see first isn’t actually the address from which the email was sent.
Why are impersonations so easy to carry out? Email is an extraordinary tool that offers effectively free communication to billions of people around the world. But email was never designed to cope with the sheer volume of traffic we now see on a daily basis (almost 125 billion business-related emails were sent per day in 2018). Simplicity is a core ingredient of email’s success. But being so simple means it’s dangerously easy for malicious actors to take advantage of inbuilt vulnerabilities. Email as a channel has many vulnerabilities, but despite being a multibillion-dollar industry in its own right, email security products – and the protocols that underpin email infrastructure more generally – have historically done a poor job of preventing impersonations. Organizations that have spent energy configuring DMARC, DKIM and SPF cannot rest on their laurels: authentication tools like DMARC are limited in their scope and are unable to prevent display name impersonation attacks. The legacy tech problem For decades now, Secure Email Gateway (SEG) products have defended organizations’ networks from attacks. The main methods of defense employed by SEGs are: Payload inspection like scanning URLs and attachments. (Attackers know that zero-payload attacks, which rely on social engineering techniques to persuade targets to take dangerous actions, are much more likely to evade SEGs’ defenses.) Spam and “bulk” phishing prevention. (By focusing on past known attacks and basic email characteristics like domain authentication, these techniques fail to prevent advanced impersonation, which is low-volume and crafted to evade such systems.) Rules to prevent impersonation. (Basic rules can prevent simple email impersonation attacks by detecting newly registered domains, different sender/reply-to addresses, etc.) SEGs were designed to protect networks and devices from inbound cyberattacks. More or less, they still do a good job of defending against the bulk spam and phishing scams that were so prevalent years ago. The problem? They are not flexible and intelligent enough to identify anything but the most basic impersonations. Being able to inspect suspicious URLs and attachments doesn’t help when an advanced impersonation spear phishing attack consists only of persuasive, urgent language to coerce an employee into taking a dangerous action like transferring money. Blacklisting known examples of names and addresses used in phishing attacks only prevents attacks that have been reported already; any new spear phishing or impersonation attack will bypass these perimeters. Meanwhile, rule-based email security services are limited by the ability of system administrators to continually update rules based on new edge cases and evolving threats. Static rules do not equip enterprises with the ability to identify and predict new anomalous email attacks in real time. SEGs find it hard to deal with advanced email threats, and even “simple” display name impersonations pose them serious challenges. Using rudimentary logic to determine whether a display name is “close” to the display name of an employee doesn’t work for external impersonations, for example. In addition, rules that trigger when (for example) a display name has one or two characters that are different from a genuine employee’s name are inherently limiting. Attackers are able to easily reverse engineer SEGs and find ways around their defenses. So should enterprises be looking elsewhere to defend their email environments? Display name impersonations: a summary For attackers, changing a display name is startlingly easy. The combination of display name impersonation with domain impersonation can lead to very sophisticated spoofing attacks that can have seismic repercussions for enterprises and the sensitive information they control. Cyberattacks continue to evolve and become more dangerous. But security products like Tessian Defender offer a way to combat display name (and other) impersonations. Using machine learning, Defender learns and adapts to threats by analyzing behavioral and communication patterns on email, preventing advanced impersonation spear phishing attacks before they wreak havoc within organizations. Every email employees receive is analyzed for anomalies: this might be the use of language, prior communications with the email’s recipients, discussion of sensitive topic areas, and many more factors besides. (This applies whether the email is from a colleague or from an external partner.) With this information to hand, Tessian’s algorithm predicts which emails represent a danger to the employee and the organization. Real-time notifications let employees take the right course of action before the threat can harm their employer’s defenses. Organizations need to respond by investing in products that are designed to deal with a newly advanced generation of cyber threats. Speak to an expert today to learn more.
Spear Phishing
How to Catch a Phish: a Closer Look at Email Impersonation
20 August 2019
Today, 95% of all cyber attacks launched on businesses start with a spear phishing email. What’s more, spear phishing attacks increased 250% last year as bad actors have discovered more and more ways to outwit email users (busy people) and defenses (legacy technology). The motivations behind attacks are straightforward: deploy malware or defraud the target of money or credentials. The tactics, however, vary greatly and are becoming increasingly more difficult to spot. What is spear phishing? A variety of terms are used to describe inbound email attacks ranging from spoofing, phishing, spear phishing and whaling. While some people use the terms interchangeably, they are, in fact, different. Here’s a breakdown of the terminology: Email spoofing: the creation of email messages with a forged sender address or display name. It is common for spam and phishing emails to use spoofing tactics to mislead a target about the origin of the communication. Phishing: the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by pretending to be a trusted entity. Occurring predominantly via email or text messaging, phishing is typically bulk in nature and not personalized for an individual target. While phishing attacks can be successful, most are often easy for clued-up individuals or email security policies to detect. Spear Phishing: advanced phishing attacks directed at specific individuals or companies. Similar to phishing attacks, these too, are designed to trick people into doing something like sending a wire transfer or clicking on a malicious link. In contrast to bulk phishing, spear phishing attackers often gather and use personal information about their target to increase their probability of success. Because they are more sophisticated in their construction and convincing in execution, spear phishing emails are harder to catch. They work best when they impersonate someone the target trusts. Whaling: a highly targeted phishing attack aimed at senior executives or employees with access to particularly valuable assets. Whaling emails are more sophisticated than generic phishing emails as they often target chief (“c-level”) executives and board members.
What does a spear phishing email look like?
Spear phishing emails have four key components: Target: spear phishing attacks are directed at specific employees or groups, oftentimes those with access to money, sensitive systems or powerful people. For example, accounts payable departments and executive administrators are frequently targeted. Criminals may also target new hires and other “quick-to-click” employees, exploiting their desire to act fast on any requests or assignments. Criminals don’t have to search long and hard to identify good targets. There is an abundance of valuable data online, from Linkedin career updates to employee details on company websites. Intent: in both the email subject line and body copy, the attacker will use deliberate language to establish context and intent; they want the recipient to do something now. In sophisticated attacks, fraudsters will initiate normal conversations but not mention any requests. With this approach, they invest time in developing a legitimate dialogue and establishing trust with the target over multiple emails. As a result, any subsequent requests﹘like a wire transfer﹘will appear authentic and usually get the target to complete the desired action. [Read more on how trust can be manipulated by tech in our report “Why People Make Mistakes”] Impersonation: at the heart of every spear phishing attack is impersonation. The attacker is pretending to be a person or entity that the target knows and trusts. The spectrum of impersonation tactics is broad, ranging from display name and domain manipulations to the specific language used within the body of the email. In general, criminals often impersonate an influential or powerful person﹘like a CEO﹘or a trusted company﹘for example, Microsoft ﹘in order to establish a sense of legitimacy or urgency. Tessian refers to sophisticated impersonation attacks as advanced impersonation spear phishing. Payload: spear phishing emails may contain some form of payload to engage the target. Basic impersonations include obvious payloads like links and attachments that appear legitimate, but which are in fact malicious. Advanced impersonation tactics are more discreet; they rely on text alone to elicit a desired action. For example, “please wire payment to this account: 123-4567” or “Can you please buy 10 Apple gift cards for our clients and send me the voucher codes as reference ASAP?” By omitting conspicuous payloads, these advanced threats (aka zero payload attacks) can more easily slip through standard email defenses.
Advanced impersonation spear phishing falls into three categories.
Why is spear phishing so dangerous? Spear phishing isn’t difficult to pull off. Attackers don’t need capital, special equipment or a particularly advanced skillset. They just need to invest time into researching a target, which is easy with the proliferation of public profiles on platforms like LinkedIn. Spear phishing is particularly effective because busy professionals are easy to trick on email. Today, the average worker spends nearly a third of their working week on email, sending and receiving around 124 emails every day. The pressure to be constantly connected and on-the-go means that employees are more likely to be distracted and make mistakes on email. A shift towards becoming a mobile workforce hasn’t helped the situation either. Verizon research has shown that people are significantly more susceptible to social attacks received on mobile devices; this is a result of mobile design and people’s tendency to multitask on mobile devices. Businesses globally have lost $12.5bn over the past five years as a result of phishing scams. Advanced impersonation spear phishing has emerged as one of the most popular and successful attack methods being leveled at businesses – small and large – around the world. Rewards for attackers are high, and the damage to organizations can be catastrophic, resulting in wire payment fraud, file sharing, credential theft and eventual systems takeover. How do you prevent advanced impersonation spear phishing? Most organizations rely on Secure Email Gateways (SEGs) to keep inboxes safe. To identify and prevent inbound threats, SEGs commonly employ machine layer methods: Payload inspection like scanning URLs and attachments. This can leave organizations vulnerable to zero-payload attacks and can falsely increase user confidence. Spam and bulk-phishing prevention. Focusing on past known attacks and basic email characteristics (e.g. domain authentication), these fail to prevent advanced impersonation, which is low-volume and crafted to evade such systems. Rules to prevent impersonation. Rules can prevent basic impersonation attacks (e.g. by detecting newly registered domains, different sender/reply-to addresses, etc). While SEGs can block malware and bulk phishing attacks, rule-based solutions cannot stop advanced impersonation attacks and are incapable of detecting external impersonation. Tessian Defender detects all possible impersonation types, including the manipulation of internal and external contacts. Defender stops advanced threats that legacy systems miss. Tessian Defender’s stateful machine learning retroactively analyses historical email data in order to understand the difference between safe and unsafe emails being received. By analyzing multiple data points within email headers, body text and attachment data, Defender can detect and prevent threats in real time with minimal end-user disruption. To learn more about Tessian or book a demo of Tessian Defender, contact us here.
Spear Phishing
Why DMARC is Not Enough to Stop Impersonation Attacks
By Laura Brooks
30 July 2019
The UK’s National Cyber Security Centre (NCSC) reported that in the past year, it has stopped 140,000 phishing attacks and taken down more than 190,000 fraudulent websites. In its second annual report on the Active Cyber Defence (ACD) program, the NCSC details how its use of Synthetic DMARC has stopped sophisticated phishing operations, including one in which hackers used a gov.uk domain to impersonate an airline organization. While this approach of synthesising DMARC records has proven to be effective in stopping spoof email campaigns so far, the NCSC’s report also describes it as “an evil hacky kludge,” adding that more needs to be done to express policy ownership in domain hierarchies. Here, we address the shortfalls of DMARC and email authentication records, and consider what more can be done to stop strong-form impersonation attacks. A necessary first step 95% of all attacks on enterprise networks are the result of successful spear phishing, which often involves an attacker directly impersonating the email domain of the receiver. For example, any attacker could send an email from your business email domain to an employee at your business, and the recipient would have no way to validate the sender’s authenticity in the absence of authentication records. SPF and DKIM are email authentication records that, in short, allow email clients to validate the domain name of an inbound email. DMARC enables organizations to specify how the client responds to emails that fail SPF or DKIM checks (generally reject, quarantine, or no action.) SPF, DKIM, and DMARC are essential for preventing direct impersonation of your organization’s email domain. All email domains – especially those of trusted brands – are at risk of direct domain impersonation, regardless of past threat activity. The darker side of DMARC However, DMARC has its downsides. And while the NCSC has encouraged more UK businesses and government agencies to adopt DMARC, the report doesn’t shy away from bringing these shortfalls to light. 1. DMARC configuration is time-consuming and resource intensive The NCSC report states that “for any enterprise of a decent size, implementing DMARC is often a long process”  and that “implementing DMARC is a lot harder than people will have you think.” Strict DMARC policies can, if misconfigured, block the delivery of real, legitimate emails. As a result, the ACD recommends organizations take time to digest DMARC reports and investigate the nuances of their mail infrastructure, before gradually moving to a more protective DMARC policy. Unfortunately, this process takes many organizations well over a year. 2) DMARC records are publicly available; attackers can work around them DMARC, SPF, and DKIM records are inherently public information – they need to be so that receiving mail clients can authenticate a sender’s domain. Attackers can see not only if your organization has a DMARC policy, but also how strictly you have configured it. Before trying to impersonate your email domain directly, a sophisticated attacker will check if you have a strict DMARC policy in place. If you do, the attacker can still carry out an advanced spear phishing attack. For example, DMARC doesn’t protect against indirect impersonation, or domains that are similar to yours (e.g. @tassian.com, @tessian.outbound.com, @tessian.email). There are thousands of ways an attacker can make a new domain look similar enough to your domain to fool members of your organization. These new, legitimate domains are unprotected by DMARC. Perhaps because of DMARC’s public nature and the vulnerability of indirect impersonation, ACD data has yet to establish a causal link between increased DMARC adoption and decreased phishing. 3) External domains remain a threat Configuring DMARC and other email authentication records are necessary measures for preventing attackers from directly impersonating your organization’s email domain. Unfortunately, a high percentage of the emails your employees receive likely come from the domains of other organizations, such as partners, vendors, customers, and government bodies. Given that other organizations are unlikely to have authentication records in place, employees remain vulnerable to direct impersonation of their external contacts. Email authentication records and policies, then, are only a small piece of the puzzle for protecting your organization against spear phishing attacks. Impersonation is a difficult problem to solve. To accurately detect it, you need to understand what is being impersonated. You need to be able to answer the question, “for this user, at this point in time, given this context, is the sender really who they say they are?” Tessian Defender uses stateful machine learning models to analyze historical email data and understand relationship context, which means we can automatically detect the impersonation of both internal and external parties.
Page