Get Your Complimentary Copy of the Gartner Market Guide For Email Security 2021 – Don’t miss out on the recommendations here

Request a Demo of Tessian Today.
Automatically stop data breaches and security threats caused by employees on email. Powered by machine learning, Tessian detects anomalies in real-time, integrating seamlessly with your email environment within minutes and starting protection in a day. Provides you with unparalleled visibility into human security risks to remediate threats and ensure compliance.
Spear Phishing

Get up to speed on the latest tips, guides, industry news and technology developments around phishing, spear phishing and Business Email Compromise.

Spear Phishing
Why Financial Services Firms are Most Likely to Fall for Phishing Attacks
10 July 2019
Recent reports show that the number of cyber incidents reported by financial services firms to the Financial Conduct Authority (FCA) skyrocketed from 69 in 2017, to 819 in 2018. Ransomware and phishing attacks topped the list of reported cyber attacks, making the financial sector one of the most targeted industries for phishing crimes. With the threat of phishing and spear phishing attacks only growing in severity, being aware of potentially malicious emails and impersonation scams has never been more important. However, our report – Why Do People Make Mistakes? – worryingly suggests that people in financial services are the most likely to fall for phishing scams. We found that nearly one in three financial services workers has clicked on a phishing email at work, making it the sector with the highest percentage of people falling for these attacks. The problem is that people in financial services are under huge amounts of stress and pressure – and this often leads to mistakes online and puts cybersecurity at risk. For example, nearly half of the people we surveyed from financial services (49%) described their current workload is either ‘overwhelming’ or ‘heavy’, while 70% said there is an expectation within their organization to respond to emails quickly. Furthermore, an overwhelming majority 89% said they feel stressed at work, with nearly nine in 10 admitting they make more mistakes when stressed – significantly higher than the UK average of 71%. Stress and overwhelming workloads can, ultimately, increase vulnerabilities to threats given that a person’s ability to spot anomalies in a phishing email becomes influenced by other tasks requiring their attention at the same time. With so much going on, overworked employees will likely rely more on habitual behaviors that inform their decision making, rather than engaging in rational, analytical thinking. Tiredness, too, also impacts our ability to question the legitimacy of messages we receive, leading to what could be a costly mistake for any business. Mistakes are inevitable, especially when people are tired, stressed and facing a never-ending to do list. Cybersecurity is the last thing on their minds but it just takes one click on a malicious link or one response to a hacker’s request to compromise data and ruin a company’s reputation. So, as cybercriminals continue to hone their skills and make spear phishing attacks more targeted and more believable, businesses need to consider how to prevent the inevitable mistakes. Consider how best to protect your people. Alert them to potential threats and provide them with the information they need – in real-time – to think before they click.
Spear Phishing
Ed Bishop: Spear Phishing and the Dangers of Impersonation
09 July 2019
Tessian CTO Ed Bishop runs through the most dangerous forms of spear phishing and email impersonation attacks threatening organizations. Email allows us to interact freely. If you know someone’s address, you can send them an email, regardless of where in the world they are located or what device they’re using. Even if you don’t know someone’s email, it’s often relatively easy to guess. Email is also open by default. This openness has taken masses of friction out of global commerce, and is vital to our businesses. But there’s a tension here. An open network inevitably means risk to individuals and businesses alike. Organizations around the world handle sensitive material every day. Vigilance will always be important. But striking a balance between empowering employees and cracking down on suspicious activity has to be done sensitively. Strong-form spear phishing is a particularly dangerous threat. Spear phishing takes advantage of email’s openness using advanced impersonation techniques undetectable by most filters and safeguards, creating significant headaches for information security leaders. It is the most insidious threat to email communication, and is the number one form of attack threatening enterprises today. The FBI now tracks Business Email Compromise (BEC), whereby spear phishing is used to extract large sums of money through illegitimate or unauthorized wire transfers. In 2018, the FBI estimated that in the previous five years, Business Email Compromise (of which spear phishing is an important component) had cost enterprises as much as $12.5bn. So how did this threat emerge? The birth of phishing Email was introduced in the 1970s. It didn’t take long for it to attract a parasite: spam, which arrived in 1978. Spam allowed emails to be sent to large numbers of recipients with minimal personalization. Originally invented for marketing purposes, it soon led to innumerable scams. By 2017, spam made up 55% of all emails received globally.  In response to spam detectors and blockers, attackers started to work harder. They turned to phishing. Phishing mimics the identity of trusted people and services in order to extract sensitive information, such as passwords or account numbers. Although they remain a threat, generic bulk phishing attacks can usually be prevented by legacy email security solutions. The problem, though, is that attackers have refined their approach over the years. They have invested more time and energy into targeting specific individuals, and have turned to public-domain information from sites like LinkedIn to personalize emails. As phishing has grown in popularity, other cybercrime strategies like ransomware and fraudulent online purchases have also become more prevalent. In 2017, hackers stole a staggering £130bn from consumers through these schemes. And information security professionals have their work cut out. Targeted, personalized attacks are constantly evolving. At Tessian, we see impersonation-based spear phishing as the next stage in this email arms race. High-ranking employees are most at risk From a technological perspective, spear phishing is much more difficult to filter out than run-of-the-mill spam or bulk phishing. This is because it is highly targeted towards particular individuals within organizations. Even the most cynical and risk-aware individuals can be foxed by a spear phishing scam if it is sent on a busy day, delivered in a particular tone, or perceived to be from an authoritative source. Indeed, some threats are confined to IP addresses hidden in email headers – undetectable by employees. This is not confined to mid-ranking employees: ‘whaling’ scams specifically target C-level executives, for instance. These nefarious tactics are not going away any time soon. Secure Email Gateways: solving the problem? To combat attackers, enterprises have traditionally used Secure Email Gateways to monitor attachments and URLs. Today, almost every email provider or legacy Secure Email Gateway (a guard against malicious emails) will include a spam filter. However, there are always ways for attackers to get around these rule-based technologies. Cybercriminals may employ malware that evades software programs’ screening capabilities, for instance: alternately, organizations might fall victim to a zero-payload attack that doesn’t represent a threat for weeks or months. So how have Secure Email Gateway structures attempted to address spear phishing issues? Display address irregularities Secure Email Gateways are designed to catch irregular display addresses. These occur when the target’s display address doesn’t exactly match the genuine address (changing an ‘n’ to ‘m’ and making ‘bank’ ‘bamk’, for instance). This check looks for instances where a reply-to address may be different from the sender’s own address. Domain monitoring Here, the Secure Email Gateway checks whether the sending domain has been recently registered, or whether it is registered as inactive. The protective measures mentioned here can only ever be partially effective. That’s because they are focused on providing static, rule-based solutions: attackers can easily reverse engineer these rules and circumnavigate them. So how are cybercriminals evading Secure Email Gateways? At least in part by focusing on strong-form techniques. Attackers are becoming more subtle Attackers have a variety of ways to break down organizations’ defences, but strong-form tactics are especially hard for Secure Email Gateways and other rule-based systems to detect. We’ve already covered reply-to modifications, for instance. This is an example of weak-form phishing which relies on targets not realising that the reply-to address of an email has been changed from the original ‘sender’. With strong-form phishing tactics, the reply-to address can appear to be exactly the same as the sender’s address. This has the potential to confound simplistic rule-based systems. A strong-form attack could be a homograph impersonation of a ‘trusted’ external counterparty, such as a law firm or an accountant. Here, other alphabets can be used to deceive targets into believing a domain or address is genuine. The English language ‘a’, for instance, is very similar to a Cyrillic small letter ‘a’. This visual trick can be used to create alias addresses that could well deceive targets. It might seem surprising that anybody can send an email pretending to be anyone, but current email protocols allow for this. Email authentication methods like SPF, DKIM and DMARC have been designed to try and confirm sender identities. The problem is that this can only be truly effective when every company in the world publishes its own email authentication record. Unfortunately, this is far from being the case: many Fortune 500 companies still have not published the recommended email authentication records. This gives attackers the means to find, through public domain data, any external counterparties without correct authentication records, and simply send emails pretending to be them. It’s clear that hackers are thinking about more subtle ways to breach organizations’ defences. As such, it’s important to understand how spear phishing works in practice. The tip of the spear: breaking down intelligent phishing attacks Understanding how spear phishing attacks are constructed is fundamentally important to the success of an information security team’s defences. So what are the key components of a spear phishing attack? Target The target could be any employee within your organization, but attackers may focus on high-ranking executives or members of the finance department. Cybercriminals can spend significant amounts of time researching and identifying the most vulnerable individuals. Impersonation The impersonation of another person or company is the core tenet of spear phishing attacks. Once a target is identified, the attacker may choose to impersonate a colleague or a trusted third party external to the organization (possibly someone who works at another organization they interact with regularly and trust). Intent Successful spear phishing attacks all manage to get the email recipient to take a particular kind of action. This could be wiring money to an attacker’s bank account, divulging login details or other sensitive data, or installing malware or ransomware on a device. Often, requests for action exploit organizational pressures to maximize urgency and time sensitivity.
Hacking the human One successful spear phishing attack can result in the extraction of millions of dollars, devastating data loss, and incalculable reputational damage. While some enterprises are able to stop basic spear phishing, these attacks are becoming more sophisticated all the time. This isn’t surprising. The history of email security shows us that phishing attacks only become more advanced and personalized with time. In industries where many firms still rely on only traditional technologies like Secure Email Gateways to operate, the threat level is potentially even more potent. The rewards for attackers are large, and the risk for companies still larger. There is much to be done before organizations can be said to have the upper hand against these bad actors. By acknowledging the people that are at the heart of this battle, and by building products that understand and protect them, I’m confident that we can make significant progress. *Interview condensed from Modern Law Magazine supplement, May 2019.
Spear Phishing
Attackers are Using Microsoft Forms to Exfiltrate Data
22 February 2019
Attackers are using Microsoft Forms links to get past email URL protection and steal sensitive information. We were alerted to this new tactic by one of our clients in the financial services sector. They recently received a spear phishing email containing a Forms link. In an attempt to protect firms from credential pharming and malware, several email security providers including Proofpoint, Mimecast and O365 Advanced Threat Protection re-write and scan URLs within emails to verify that the URL is safe to visit. The effectiveness of this approach has been questioned before, and now a new vulnerability involving the use of Microsoft Forms is being exploited by attackers. How are they exploiting Microsoft Forms? Microsoft Forms is an online tool for creating quizzes and surveys and automatically collecting the results. Forms were fully released to enterprise users of Office 365 in 2018. Here’s how they work You create a survey or quiz via Microsoft Forms and distribute it to your audience by embedding a link in an email. To fill out the form, a recipient will click the link within the email and be directed to a Microsoft Form containing fields that capture whatever data the form is designed to collect. Crucially, because the links direct users to a genuine Microsoft site, Forms links are trusted by the URL protection from Secure Email Gateways and ATP. Attackers have become aware of this and are now using authentic Microsoft Forms to collect sensitive information from unwitting targets. Any data input into the form is automatically sent to attackers, bypassing security defenses.
Many enterprises have become overly reliant on URL protection to prevent spear phishing attacks. To make things worse, with URL protection in place, employees begin to trust the links they receive in their inbox and become less vigilant to attacks. As attackers become more sophisticated they are finding simple ways to get past URL protection. Instead of focusing on the URL or on other payloads that can be sent in a spear phishing email, enterprises should aim to identify the actual impersonation behind the attack. This will not only reduce their vulnerability to attacks like this one, but also protect them from zero-payload attacks such as Business Email Compromise. We have reported this attack to Microsoft and have recommended that unique client IDs are used in the Forms URLs to allow enterprises to build custom policies to warn users when the client IDs do not match. We will update you when we hear from Microsoft.
Page