How Tessian stops Impersonation Attacks

by Andrew Webb Friday, December 2nd, 2022

Every cyber attack that gets through hurts your organization’s staff, but impersonation attacks are particularly damaging to the individual who’s targeted. In this example, we see how Tessian can stop these types of attacks and protect staff so they can do their best work. 

While attackers will target almost anyone in an organization to gain access, the teams closest to the money, namely the finance team, are prime targets. Finance teams handle hundreds of invoice payments a month, and are responsible for your organization’s cash flow. And when it comes to payroll, they interact with every other employee in the company. This is why they represent high-value targets to attackers.

There are four types of impersonation: multi-persona, brands, individuals, and vendors. We’ll look at the last one, vendors, in this example. You can see how the Tessian Cloud Email Security Platform has flagged this email to Calvin in the finance team asking for an invoice payment. OSINT tools and the victim organization’s own blog and social media might reveal a typical third party that they’ve worked with. In this fictitious example, it’s a supplier called Darkhill Health.

There are several reasons why Tessian has flagged this as a potential impersonation attempt and stopped it from reaching Calvin’s inbox. Let’s look at them in more detail. 

  • Firstly, examination of the URL reveals the letter i in @darkhill-health has been replaced with the number 1. 
  • Furthermore, we can see there is an unusual display name: Philip Davis rather than the typical Philip J Davis found in other emails from Darkhill Health.
  • There’s also a fake use of the RE: reply in the subject line, giving the impression that this is part of a sequence of email exchanges, even though it’s the first email in the chain from this fake domain.
  • Finally, and this is one of the hardest things for legacy solutions to determine, there is suspicious financial intent as the sender is requesting updated payment details.
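
The four signals in the list above can be sketched as simple header and content checks. This is an added example, not Tessian's code or detection model; the vendor directory, the `.example` domains, the keyword list and the `seen_message_ids` parameter are assumptions made for illustration, and the sample message is constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed vendor directory (assumption): domain -> display names seen in past mail.
KNOWN_VENDORS = {"darkhill-health.example": {"Philip J Davis"}}
# Fold characters that are swapped in lookalike domains onto one form (1/i/l, 0/o).
SKELETON = str.maketrans("1i0", "llo")
# Illustrative phrases for payment-change requests; a keyword list, not a model.
PAYMENT_TERMS = ("updated payment details", "new bank details", "change of account")

def skeleton(domain):
    return domain.lower().translate(SKELETON)

def impersonation_signals(raw, seen_message_ids=frozenset()):
    """Return the list of signals raised by one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    signals, vendor = [], None

    # Same skeleton as a known vendor but a different literal domain: lookalike.
    for known in KNOWN_VENDORS:
        if skeleton(domain) == skeleton(known):
            vendor = known
            if domain != known:
                signals.append("lookalike_domain")
    if vendor and display not in KNOWN_VENDORS[vendor]:
        signals.append("unusual_display_name")

    # "RE:" with no threading header pointing at a message we actually hold.
    refs = f'{msg.get("In-Reply-To", "")} {msg.get("References", "")}'.split()
    is_reply = msg.get("Subject", "").lower().startswith("re:")
    if is_reply and not any(r in seen_message_ids for r in refs):
        signals.append("reply_without_thread")

    parts = [p for p in msg.walk() if p.get_content_maintype() == "text"]
    body = " ".join(p.get_payload() for p in parts).lower()
    if any(term in body for term in PAYMENT_TERMS):
        signals.append("payment_change_request")
    return signals

# Constructed sample modelled on the email described above.
SAMPLE = """\
From: Philip Davis <philip@darkh1ll-health.example>
Subject: RE: Invoice payment

Hi Calvin, please use our updated payment details for this invoice today.
"""
print(impersonation_signals(SAMPLE))
```

Each check alone is noisy; a display-name variant or a payment-related phrase on its own is common in legitimate mail, so the value comes from the signals coinciding on one message.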

Our own State of Spear Phishing report shows that the most successful attacks happen just after lunch, or towards the end of the working day, when people are at their most distracted. This one was sent at 5:16pm on a Thursday, with just the right sense of urgency, and you can see how your employees could easily fall victim to this type of attack.

How Tessian stops these attacks. 

Tessian utilizes behavioral intelligence to gain a deeper understanding of each internal and external relationship. Using deep content inspection, as well as your historical email data, Tessian forms a behavioral intelligence model that understands how your people use email within the organization. It knows who they contact, what they send and receive, and what projects they’re working on.

This advanced behavioral intelligence sits in a single cloud-based email security platform protecting your organization from both advanced incoming threats like the one above AND also stopping sensitive data leaving the organization. 

All of this means this attack is stopped dead in its tracks, and never reaches Calvin’s inbox, so he can carry on with his day.

Andrew Webb Senior Content Manager