7 Things We Learned at Tessian Human Layer Security Summit
By Maddie Rosenthal
Tuesday, March 2nd, 2021
That’s a wrap! Thanks to our incredible line-up of speakers and panelists, the first Human Layer Security Summit of 2021 was jam-packed with insights and advice that will help you level-up your security strategy, connect with your employees, and thrive in your role. Looking for a recap? We’ve rounded up the top seven things we learned.

1. CISOs can’t succeed without building cross-functional relationships

Today, security leaders are responsible for communicating risk, enabling individuals and teams, and influencing change at all levels of the organization. That’s easier said than done, though, especially when research shows less than 50% of employees (including executives) can identify their CISO.

The key is building relationships with the right people. But how? Patricia Patton, Human Capital Strategist and Executive Coach, Annick O’Brien, Data Protection Officer and Cyber Risk Officer, and Gaynor Rich, Global Director Cybersecurity Strategy & Transformation at Unilever, tackled this topic head-on and introduced a new framework for security leaders to use: Relationship 15.

Find out more by watching the full session below or check out this blog to download a template for the Relationship 15 Framework.

Further reading:
Relationship 15: A Framework to Help Security Leaders Influence Change
CEO’s Guide to Data Protection and Compliance
16 Tips From Security Leaders: How to Get Buy-In For Cybersecurity
How to Communicate Cybersecurity ROI to Your CEO

2. Securing your own organization isn’t enough. You have to consider your supply chain’s attack surface and risk profile, too

We often talk about how cybersecurity is a team sport. And it is. But, today your “team” needs to extend beyond your own network. Why? Because more and more often, bad actors are gaining access to the email accounts of trusted senders (suppliers, customers, and other third-parties) to breach a target company in account takeover (ATO) attacks. The problem is, you’re only as strong as the weakest (cybersecurity) link in your supply chain, and these sophisticated attacks slip right past Secure Email Gateways (SEGs), legacy tools, and rule-based solutions.

Marie Measures, CTO at Sanne Group, and Joe Hancock, Head of Cyber at Mishcon de Reya, explain how firms in both the legal sector and financial services are preventing these threats by consulting enterprise risk management frameworks, partnering with customers, and leveraging technology.

Further reading:
What is Account Takeover?
How to Defend Against Account Takeover

3. If you want to understand and reduce risk, you need data (and smart tech)

Throughout the Human Layer Security Summit, one word was repeated over, and over, and over again. Visibility. It makes sense. Clear visibility of threats is the first step in effectively reducing risk. But, because so many security solutions are black boxes that make investigation, remediation, and reporting admin-intensive, this can be a real challenge.

We have a solution, though: Tessian Human Layer Risk Hub. This game-changing product (coming soon!) enables security and risk management leaders to deeply understand their organization’s security posture by providing granular visibility and reporting into individual user risk levels. How? Each user is assigned a risk score based on dozens of factors and risk drivers, including email behavior, training track record, and access to sensitive information. This clearly shows administrators who needs help (on an individual level and a team level). The tool also intelligently recommends actions to take within and outside the Tessian portal to mitigate risk. Finally, with industry benchmarking and dashboards that show how risk changes over time, you’ll be able to easily track and report progress.

Want to learn more about Tessian Human Layer Risk Hub? Sign up for our newsletter to get an alert on launch day or book a demo.

Further reading:
Ultimate Guide to Human Layer Security
Worst Email Mistakes at Work (And How to Fix Them)

4. Rule-based solutions aren’t enough to prevent data exfiltration

If you’re interested in learning more about Human Layer Security, this is the session for you. David Aird, IT Director at DAC Beachcroft, and Elsa Ferreira, CISO at Evercore, take a deep dive into why people make mistakes, what the consequences of those mistakes are, and how they – as security leaders – can support their employees while protecting the organization. Spoiler alert: blunt rules, blocking by default, and one-and-done training sessions aren’t enough.

To learn how they’re using Tessian to automatically prevent data exfiltration and reinforce training/policies – and to hear what prompted Elsa to say “They say security is a thankless job. But Tessian was the first security platform that we deployed across the organization where I personally received ‘thank you’s’ from employees…” – watch the full session.

Further reading:
Research Report: Why DLP Has Failed and What the Future Looks Like
12 Examples of Data Exfiltration

5. When it comes to security awareness training, one size doesn’t fit all

Security awareness training is an essential part of every cybersecurity strategy. But, when it comes to phishing prevention, are traditional simulation techniques effective? According to Joe Mancini, VP Enterprise Risk at BankProv, and Ian Schneller, CISO at RealPage, they’re important… but not good enough on their own. Their advice:

Find ways to make training more engaging and tailored to your business initiatives and employees’ individual risk levels
Focus on education and awareness versus “catching” people
Make sure training is continuously reinforced (Tessian in-the-moment warnings can help with that)
Don’t just consider who clicks; pay attention to who reports the phish, too
Consider what happens if an employee fails a phishing test once, twice, or three times

Want more tips? Watch the full session.

Further reading:
Why The Threat of Phishing Can’t be Trained Away
Why Security Awareness Training is Dead
Phishing Statistics (Updated 2021)

6. The future will be powered by AI

Nina Schick, Deepfakes expert, Dan Raywood, Former deputy-editor at Infosec Magazine, and Samy Kamkar, Privacy and Security Researcher and Hacker, went back and forth, discussing the biggest moments in security over the last year, what’s top of mind today, and what we should prepare for in the next 5-10 years. Insider threats, state-sponsored threats, and human error made everyone’s lists…and so did AI.

Watch the full session to hear more expert insights.

Further reading:
2021 Cybersecurity Predictions
21 Cybersecurity Events to Attend in 2021

7. Hackers can – and do – use social media and OOO messages to help them craft targeted social engineering attacks against organizations

Spear phishing, Business Email Compromise (BEC), and other forms of social engineering attacks are top of mind for security leaders. And, while most organizations have a defense strategy in place – including training, policies, and technology – there’s one vulnerability most of us aren’t accounting for: our digital footprints. Every photo we post, status we update, person we tag, and place we check in to reveals valuable information about our personal and professional lives. With this information, hackers are able to craft more targeted, more believable, and – most importantly – more effective social engineering attacks.

So, what can you do to level-up your defenses? Jenny Radcliffe, Host of The Human Factor, and James McQuiggan, CISSP Security Awareness Advocate, KnowBe4, share personal anecdotes and actionable advice in the first session of the Human Layer Security Summit. Watch it now.

Further reading:
New Research: How to Hack a Human
6 Real-World Social Engineering Examples

Want to join us next time? Subscribe to our blog below to be the first to hear about events, product updates, and new research.
Human Layer Security
The Ultimate Guide to Human Layer Security
By Tim Sadler
Monday, March 1st, 2021
There’s a big problem in cybersecurity. Despite stricter data compliance standards, incredible technological innovation, and more investment from businesses, data breaches are at an all-time high. In fact, businesses are at risk of insider and outsider threats, with a reported 67% increase in the volume of security breaches over the past five years.

Why is this happening? Because, historically, security solutions have focused on securing the machine layer of an organization: networks, endpoints and devices. But the majority of these solutions provide blunt protection, rely on retroactive threat detection and remediation, and don’t protect a business’s most important asset: its employees.

So, when you can get a firewall to protect your network, and EDR to protect your devices, what do you get to protect your people? Human Layer Security.
What is Human Layer Security?
Tessian’s Human Layer Security technology understands human behavior and relationships, enabling it to detect and prevent dangerous activity. Importantly, Tessian’s technology learns and adapts to how people work without getting in the way or impeding productivity. We created this category nearly two years ago, and it was the thesis for our Series B fundraise.  Since then, we’ve seamlessly deployed Tessian solutions to customers across industries from SMBs to multi-national enterprises, and are now detecting and preventing millions of inbound and outbound threats on email.
Why do we need Human Layer Security?

Your employees now control both your systems and your data. But people make mistakes, people break the rules, and people can be deceived. 88% of data breaches are caused by human error, with AIG reporting “human errors and behavior continue to be a significant driver of cyber claims.” It makes sense. Employees can transfer millions of dollars to a bank account in a few clicks and can share thousands of patient records in an Excel file in a single email. You can read more about The Psychology of Human Error here.

So, instead of expecting people to do the right thing 100% of the time, we think it’s better to preempt these errors by detecting and preventing them from happening in the first place. Each of our solutions – Tessian Enforcer, Tessian Guardian, and Tessian Defender – is uniquely positioned to do just that.

People break the rules

Whether done maliciously or accidentally, people in every organization can (and do) break the rules. Those rules can be related to anything, from a password policy to how sensitive information is stored. But, what about rules related to data exfiltration? Oftentimes, employees are blissfully unaware. They’re not familiar with the policies themselves or the consequences of poor data handling. So, they think nothing of emailing company information to their personal email account to print at home, for example.

But not all employees are well-intentioned. Case in point: In late 2019, an employee at a cybersecurity and defense company sold 68,000 customer records to scammers. This isn’t an isolated incident. According to one report, 45% of employees say they’ve taken work-related documents with them after leaving or being dismissed from a job and, according to another, more than half of UK employees admitted to stealing corporate data. A quarter of those would be willing to do so for less than £1,000.

Tessian Enforcer prevents data exfiltration attempts (both malicious and negligent). Looking for more real-world examples of malicious and negligent insiders? Read this article.
People make mistakes

From a simple typo to a misconfigured firewall, mistakes are inevitable at work. To err is human! In fact, 43% of employees say they’ve made a mistake at work that compromised cybersecurity. Unfortunately, though, the consequences of these mistakes can be severe. Imagine an employee sends a misdirected email. Penalties and fines could be incurred, customer trust could plummet, and reputational damage could be long-lasting. And those are just the consequences to the larger organization. Individuals will likely suffer, too. We all know the sinking feeling of making a mistake. But, misdirected emails cause employees more than red-faced embarrassment and anxiety. These accidents put people at risk of losing their jobs.

Tessian Guardian detects and prevents misdirected emails and misattached files so that the right email and the right files are always shared with the right person.
People can be deceived

Businesses of all sizes and across industries work with a web of suppliers, contractors, and customers. And, most use email to communicate. That means it’s easy for hackers to impersonate internal and external contacts. Business Email Compromise (BEC) attacks increased by over 100% in the last two years. Worse still, the odds are against businesses and their employees. While a hacker only has to get it right once, we are expected to get it right every time.

So, what happens if one employee is successfully tricked one time by a spear phishing email and wires money, shares credentials, or otherwise helps a hacker gain access to your network? The average breach costs organizations $3.92 million. But, these costs can be avoided with technology like Tessian Defender that detects and prevents advanced impersonation attacks.
Why focus on email?

At Tessian, our mission is to secure the human layer. And we know that to be truly effective, Human Layer Security must protect people whenever and however they handle data. But, we’re starting with email. It’s the most popular (we spend 40% of our time on it) and riskiest (most breaches happen here) communication channel. It’s also the threat vector IT leaders are most worried about.
You’re probably wondering how Tessian compares to other solutions and how our technology would fit in your larger security framework. We’ll tell you.

Tessian vs. Rule-Based Technology

Traditional email security solutions are blunt instruments that tend to be disruptive for employees and admin-intensive for security teams who have to continuously create and maintain thousands of rules. Don’t believe us? 85% of IT leaders say rule-based DLP is admin-intensive and over half of employees say they’ll find a workaround if security software or policies make it difficult or prevent them from doing their job. The fact is, manually classifying emails, tagging emails sent to external contacts, encryption, and pesky pop-ups are roadblocks that slow the pace of business and create friction between security teams and other departments. Worse still, these older technologies just can’t be configured to adequately defend against all the ways people make mistakes or cut corners on email.

Tessian is automated. No rule-writing, manual investigation, or configuration required.

Tessian vs. Training

Training is a necessary part of every security strategy. But, the majority of employees aren’t trained frequently enough and lessons don’t always stick. Employees also tend to struggle applying what they’ve learned in training to real-world situations. But we can’t blame employees. The average person isn’t a security expert and hackers are crafting more and more sophisticated attacks. It’s hard for even the most security-conscious among us to keep up. That’s why security leaders need to invest in technology that bolsters training and reinforces policies and procedures. That way, employees can improve their security reflexes over time.

That’s where Human Layer Security comes in. Tessian warnings act as in-the-moment training for employees. And, because Tessian only flags 1 in 1,000 emails on average, when a pop-up does appear, employees pay attention.
Learn more about why security awareness training (SAT) alone isn’t effective enough in this article: SAT is Dead. Long Live SAT.
Tessian Human Layer Security technology

Tessian deploys within minutes, learns within hours, and starts protecting in a day. Human Layer Security works by understanding and adapting to human behavior. Our machine learning algorithms analyze historical email data and build a unique security identity for every employee based on relationships and communication patterns. The best part is: these ML models get smarter and better over time as more data is ingested. This helps the technology establish what normal (and abnormal) looks like and allows Tessian to automatically predict and prevent security breaches on email across devices.

For every inbound and outbound email, our ML algorithms analyze millions of data points, including:

Relationship History: Analyzing past and real-time email data, Tessian has a historical view on all email communications and relationships. For example, we can determine in real-time if the wrong recipient has been included on an outbound email; if a sensitive attachment is being sent to a personal, non-business email account; or if an inbound email with a legitimate-looking domain is a spoof.

Content & context: Using natural language processing to analyze historical email data, Tessian understands how people normally communicate on email and what topics they normally discuss. That way, our solutions can automatically detect anomalies in subject matter (i.e. project names) or sentiment (i.e. urgency), which might indicate a threat.

Best of all, all of this analysis happens silently in the background and employees won’t know it’s there until they need it. Tessian stops threats, not business. And not flow.

And, with Human Layer Security Intelligence, security and compliance leaders can get greater visibility into the threats prevented, track trends, and benchmark their organization’s security posture against others. This way, they can continuously reduce human layer risks over time.

First, you protected our networks. Then, you protected our devices. Now, you can protect your people with Tessian’s Human Layer Security.
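To make the relationship-history idea above concrete, here is an added example written for this page (it is not Tessian's product code and does not reflect how its models work). It builds a sender-to-recipient history from a constructed log of past outbound mail and then checks a new outbound email for three of the conditions the article names: a recipient the sender has never emailed, a recipient domain that merely resembles one the sender really uses, and a sensitive attachment going to a personal webmail domain. The sender addresses, the history and the webmail domain list are all constructed, and the similarity threshold is an arbitrary choice.

```python
from collections import defaultdict
from dataclasses import dataclass
import difflib

# Constructed sample of past outbound mail as (sender, recipient) pairs.
# In practice this would be derived from mail logs or sent-items history.
HISTORY = [
    ("alice@example-corp.com", "bob@partner.com"),
    ("alice@example-corp.com", "carol@partner.com"),
    ("alice@example-corp.com", "dave@example-corp.com"),
    ("alice@example-corp.com", "bob@partner.com"),
]

# Assumed list of consumer webmail domains; a deployment would maintain its own.
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


@dataclass
class OutboundEmail:
    sender: str
    recipients: list
    has_sensitive_attachment: bool = False


def build_relationship_history(history):
    """Map each sender to the set of recipients they have emailed before."""
    seen = defaultdict(set)
    for sender, recipient in history:
        seen[sender.lower()].add(recipient.lower())
    return seen


def domain_of(address):
    """Return the domain part of an email address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def check_outbound(email, seen):
    """Return (recipient, reason) warnings for an outbound email; [] if nothing looks off."""
    warnings = []
    known = seen.get(email.sender.lower(), set())
    known_domains = sorted({domain_of(a) for a in known})
    for rcpt in email.recipients:
        r = rcpt.lower()
        d = domain_of(r)
        if d in PERSONAL_DOMAINS and email.has_sensitive_attachment:
            warnings.append((rcpt, "sensitive attachment to personal email domain"))
        if r in known:
            continue  # established relationship, nothing further to flag
        # Is the domain a near-miss (e.g. a typo or lookalike) of one this sender really uses?
        close = difflib.get_close_matches(d, known_domains, n=1, cutoff=0.8)
        if close and close[0] != d:
            warnings.append((rcpt, f"domain resembles known domain {close[0]}"))
        elif d in known_domains:
            warnings.append((rcpt, "new recipient at a known domain"))
        else:
            warnings.append((rcpt, "never emailed before"))
    return warnings


if __name__ == "__main__":
    seen = build_relationship_history(HISTORY)
    samples = [
        OutboundEmail("alice@example-corp.com", ["bob@partner.com"]),
        OutboundEmail("alice@example-corp.com", ["bob@partnr.com"]),
        OutboundEmail("alice@example-corp.com", ["alice.personal@gmail.com"], True),
    ]
    for mail in samples:
        print(mail.recipients, "->", check_outbound(mail, seen) or "no warnings")
```

The typo case is the interesting one: "partnr.com" is not in the history, but it is within the similarity cutoff of "partner.com", so the warning names the domain it resembles instead of just saying the recipient is new. A mail-client plug-in would surface that text to the sender before the message leaves.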
Human Layer Security, Tessian Culture
Early adoption: Is Now the Time to Invest in the ‘New Breed’ of Security Products?
By Phil O'Hagan
Thursday, February 25th, 2021
There’s an (unfair!) perception in the industry that most CISOs are skeptical, or at least conservative, when it comes to adopting the latest security technology. But the role of the CISO is evolving. It’s no longer to simply “own” risk. Today, they’re also tasked with educating and informing everybody within the company – including the C-Suite – on the risks and what can be done to mitigate them. In this fast moving world, it’s no longer possible to be passive. Only those who are open-minded (and ideally progressive) will protect their company from the most advanced threats.

A year of firsts

The security industry is moving in a different direction. We need only look back at the last 12 months to see why:

COVID has raised the profile for security. A greater attack profile has caught the attention of executive teams, and they are looking to CISOs to respond. But, it’s not all bad news. Just as cybercriminals see opportunity in disruption, CISOs have an opportunity to play a bigger role at the executive level.

The digital transformation has been accelerated. The shift to remote working means an increased attack surface. Today, security teams must support whole departments of remote workers as they engage with technology in their kitchens, bedrooms, and coffee shops. CISOs need to do more than send the occasional email or facilitate annual training to raise awareness about cyber threats.

Ransomware is an ever-growing threat. In fact, almost a third of victims pay a ransom, which means the stakes are higher than ever. Attackers have improved the implementation of their encryption schemes, making them harder to crack. And, rather than simply encrypting critical data, some criminals now steal sensitive data and threaten to release it if the ransom is not paid.

With so much changing, CISOs have to adapt fast and adopt new technology to succeed. Gartner calls this period of early adoption a “hype cycle”.
And, for any new innovation, early publicity produces a number of success stories — often accompanied by scores of failures. Some companies take action; many do not. Where do you stand?

The technology balance

Both inside and outside of security, there are plenty of arguments both for and against new technologies:
Given the rapidly evolving threat landscape, though, CISOs should be pushed harder than most to commit fully to the leading edge of security innovation. After all, “nobody got fired for buying IBM” and “fortune favors the brave”, right?

The next generation of security

More and more CISOs are choosing to be brave. Why? It comes down to the modern way this next generation of security is being designed and built. Today’s security benefits are focused on cutting the risk out of early participation while amplifying the benefits. At the heart of the change are two related trends:

Next-generation security services
The advancement of machine learning

The next generation of security services has removed the need for CISOs to be experts on negotiating IT projects. Instead, they can focus on managing the risks to their business. For example, with cloud services, the costs of infrastructure – and efforts of supporting it – are completely removed as the services you buy are scalable to match the business. Cloud services also require no maintenance or professional assistance beyond an internet browser. The cloud means that the hurdles and expense associated with “trying out something new” are hugely mitigated. And, because these next-gen security services are hosted on the cloud, you’ll always have the latest version. There is only one “copy” of these software tools. That means upgrade cycles have come down from once a year to multiple times a day. Better still, these services connect to one another. This equates to a shallower learning curve for users, faster time-to-market, and the flexibility to bolt on future tools that suit the way you want to run your operation.
Legacy technology vs. machine learning

Whereas legacy technology uses rule-based techniques to secure organizational risks, new providers leverage machine learning to provide accurate, automatic protection and visibility against advanced risks that are otherwise impossible to detect with legacy systems. Machine learning’s goal is to understand the structure of the data and fit well-understood theoretical distributions to it. And, because machine learning often uses an iterative approach to learn from data, the learning can be easily automated. Passes are run through the data until a robust pattern is found. In an ever-evolving security world, this allows for the identification of specific risks. By using machine learning algorithms to build models that uncover these connections, organizations can make better decisions without human intervention, for example by identifying anomalous behaviors that form part of the most advanced threats in the enterprise.

The benefit for CISOs – and their security teams – is clear: lower time commitment to identify and remediate issues and more accurate reporting on the risks to the business. These next generation tools also achieve something legacy systems can’t and don’t: they share de-identified data between customers to ensure everyone is protected, even from threats that haven’t (yet) been seen in their own network. The benefit? Organizations continually – and automatically – improve their protection against an ever-changing threat environment.

Low risk, high reward

Finally, like never before – and because these services are in the cloud – security leaders are in a position to switch on new services at low risk, without any upfront investment. With no upfront CapEx, chances are that your first steps will be below any procurement ceiling too – so PoCs become simple to execute. It becomes rational to test a service or strategy with a small team before rolling out more broadly. And, because the barrier to try (and switch!) for these early adopters is so low, “try before you buy” is a prevalent trend. With low switching costs, the software developers behind the scenes have a wholehearted commitment to making the trial period compelling enough to convince you to take the next step. They have skin in the game and understand that happy customers dictate whether or not a product is successful.

This lowering of barriers, enabling of small-scale testing, and offsetting of cost should all make it a little more tempting for CISOs to take the leap and occasionally try for first-mover status. Because adopting innovative practices has never been so low-risk and the rewards are well worth it. To name a few… improving your security posture, reducing admin, and protecting your employees from ever-evolving threats.
Spear Phishing
Phishing vs Spear Phishing: What’s The Difference?
Tuesday, February 23rd, 2021
Phishing and spear phishing are both “social engineering” cyberattacks. In both types of attacks, a cybercriminal impersonates a trustworthy person and tricks their target into revealing login credentials, installing malware, or making a wire transfer.
Think of it this way: Phishing is like catching fish using a line — you cast your rod into the water and see what bites. With spear phishing, you choose the fish you want and aim the spear right at it.

Note: This distinction is a big deal, affecting how you detect, mitigate, and prevent both types of attacks.
What is phishing?

As we explained in our article “What Is Phishing?,” the term “phishing” can mean two things:

An umbrella term covering many types of cyberattacks
A specific type of cyberattack: an untargeted social engineering attack, conducted via email

In the first instance, “phishing” can refer to cyberattacks including:

Business Email Compromise: A phishing attack utilizing an impersonated, spoofed, or hacked business email address
Wire transfer phishing: A phishing attack that attempts to trick the target into making a fraudulent transfer to the attacker
Smishing: Phishing via SMS
Vishing: Phishing via voice, e.g., phone or VoIP software

In the second, specific sense, phishing means a social engineering attack (conducted via email) with no specific target. We sometimes call this “spray-and-pray” phishing. The cybercriminal sends as many emails as they can in the hope that someone falls for their scam. But don’t be fooled: phishing attacks aren’t necessarily amateurish operations.

What is spear phishing?

Spear phishing is a targeted phishing attack. The target receives an email that addresses them directly — by name. Any type of targeted phishing attack is a “spear phishing” attack, including:

Whaling: A spear phishing attack targeting a company executive
CEO fraud: A spear phishing attack where the fraudster impersonates a company’s CEO and targets another of the company’s employees

But spear phishing is broader than this: if a Business Email Compromise attack, wire transfer phishing attack — or any other type of phishing attack — targets a specific individual, it’s a spear phishing attack.

Looking for more information about spear phishing? Check out this article: What is Spear Phishing? Targeted Phishing Attacks Explained.

Phishing vs. spear phishing: examples

Now we’re going to look at some phishing attacks and spear phishing attacks side-by-side so you can understand the differences.
The two emails below demonstrate the essential difference between phishing and spear phishing:
This is an example of a “bulk” phishing email. It doesn’t address the target by name and doesn’t contain any personal information. But, because it appears to come from a trusted brand (Netflix), someone is likely to click the link.
This is an example of a spear phishing email: CEO fraud, to be precise. The attacker has exploited a professional relationship to elicit feelings of urgency and trust — the CEO urgently needs a favor and requests an employee to pay an invoice to an unknown account. But the “CEO” is a cybercriminal who controls the “new account.”

These examples should help you better understand the difference between phishing and spear phishing:

Phishing succeeds by sheer volume: send a fraudulent email out to enough people and someone will fall for it eventually.
Spear phishing succeeds through more sophisticated methods: send one fraudulent email containing personal information to a specific individual.

Looking for more resources? We explore phishing, spear phishing, and other social engineering attacks in greater detail in the following articles:

Phishing 101: What is Phishing?
What is Spear Phishing? Targeted Phishing Attacks Explained
6 Social Engineering Examples: Real-World Attacks
How to Hack a Human: How Attackers Use Social Media to Craft Targeted Spear Phishing Campaigns
Spear Phishing
What is Spear Phishing? Targeted Phishing Attacks Explained
Monday, February 22nd, 2021
Tessian’s mission is to secure the human layer by empowering people to do their best work, without security getting in their way.
This article will look at the different types of spear phishing, explain how a spear phishing attack works, and explore how common spear phishing is. If you’d rather learn more about phishing, check out this article: Phishing 101: What is Phishing?

Types of spear phishing attacks

Spear phishing attacks vary according to technique, target, and goal. But, here are some types of cyberattacks that involve spear phishing:

Whaling: A spear phishing attack targeting a company executive
CEO fraud: A spear phishing attack where the fraudster impersonates a company executive

Here are some cyberattacks that usually involve spear phishing:

Business Email Compromise (BEC): A phishing attack using an impersonated, spoofed, or hacked corporate email account
Wire transfer phishing: A phishing attack involving invoice fraud
Credential phishing: A phishing attack targeting login credentials

Whenever these attacks are targeted at a specific person, they’re considered a spear phishing attack. If the attack isn’t targeted at an individual, we just call it a “phishing attack.” Struggling to understand the difference? We explain it – in detail – in this article: Phishing vs Spear Phishing: Differences and Defense Strategies.

How does spear phishing work?

Most spear phishing attacks arrive via email. In fact, email is the medium of choice for around 96% of phishing attacks. However, cybercriminals also launch phishing attacks via social media, SMS (“smishing”), and phone or VoIP (“vishing”). But, let’s stay focused and look at a couple of examples of spear phishing attacks. This will help you understand how this type of cybercrime works.

First, the all-too-common “delivery service” spear phishing attack. According to Check Point, shipping company DHL was the second-most impersonated brand in spear phishing attacks throughout Q4, 2020. Here’s how a spear phishing email impersonating DHL might look:
There are a few things to note about this spear phishing email:

It addresses the target by name. This increases the email’s persuasiveness right off the bat.
It contains authentic logos and branding. DHL’s real emails look a lot like this.
The links lead to DHL’s actual website.

But don’t be fooled:

The sender’s email address is “[email protected]”. This might look like an authentic DHL address, but it’s a crude impersonation attack.
The “track your delivery” link leads to a credential phishing website.

The DHL-style scam is a simple but effective form of spear phishing that typically targets individuals.

Wondering what other brands are frequently impersonated? Check out this article (+ infographic!): Phishing Statistics (Updated 2021). Spoiler: LinkedIn, Amazon, IKEA, and Google almost made the top 10.

Let’s look at a more sophisticated example of spear phishing that targets a business instead of a consumer:
There are some similarities between this email and the DHL scam:
Both target specific people
Both use authentic logos
But these factors make our second example more persuasive:
The sender’s email address is real. Hackers can use account takeover methods to compromise real email accounts, or they can use email spoofing techniques to trick email clients into displaying bogus information.
It references “real-world” personal information. Tessian research shows that 90% of people post personal information on social media — this is gold dust for hackers.
It conveys a sense of urgency and exploits the target’s trust (“counting on you”). People make bad decisions under pressure.
Spear phishing is becoming more refined and advanced all the time, so it’s easy to see why people keep falling for it. If you want help spotting a potential spear phishing attack, we’ve rounded up four red flags here. If you’re a security or business leader, this is a great resource to share with your employees that complements security awareness training.
How common is spear phishing?
Rates of spear phishing have been climbing consistently over the past decade. Research suggests that in 2019:
88% of organizations faced spear phishing attacks
65% of US organizations suffered a successful spear phishing attack (55% worldwide)
19% of organizations faced more than 50 spear phishing attempts
Note that these statistics refer to the period before the big migration to remote working in 2020. There’s evidence that, as employees have moved into less secure working environments, cybercrime has increased considerably. Microsoft’s 2021 New Future of Work report found that:
80% of security professionals said security incidents had increased since the start of the pandemic.
62% of these said phishing campaigns showed the biggest increase.
So, what’s the upshot of all this? Spear phishing damages people’s privacy, exposes confidential data, and causes major financial losses.
The FBI reports that financially-motivated Business Email Compromise (BEC), which almost always involves spear phishing, caused direct losses of over $1.8 billion in 2020.
According to Verizon research, spear phishing is a major cause of data breaches. In the long term, losing control of your customers’ data can be even more costly than losing money. IBM puts the average cost of a data breach at $3.86 million, rising to $8.64 million in the US.
The biggest known spear phishing scam of all time, targeted at Google and Facebook, resulted in over $100 million in losses over a two-year period.
Want to know how to protect your business against this serious type of cybercrime? Read our article on how to prevent phishing to find out. Evaluating anti-phishing solutions? Learn more about how Tessian Defender detects and prevents the most advanced spear phishing attacks by reading some of our customer stories or booking a demo.
Customer Stories
How Tessian Gave GoCardless Better Control and Visibility of Their Email Threats
By Maddie Rosenthal
Thursday, February 18th, 2021
Company: GoCardless
Industry: Financial Services
Seats: 450
Solutions: Guardian, Enforcer, Defender
About GoCardless
GoCardless is a global leader in recurring payments. The GoCardless global payments network and technology platform takes the pain out of getting paid for more than 55,000 businesses worldwide, from multinational corporations to small businesses. Each year GoCardless processes $18 billion of payments across more than 30 countries. GoCardless is headquartered in the UK, with additional offices in Australia, France, Germany, and the United States.
To help prevent accidental data loss, malicious data exfiltration, and inbound threats like spear phishing and Business Email Compromise, GoCardless has deployed Tessian Guardian, Enforcer, and Defender as their complete inbound and outbound email security solution. We talked to Punit Rajpara, Head of IT, and Benjamin Ayers, IT Engineer, to find out why GoCardless chose Tessian and how their security posture has improved since deployment.
1. Mistakes are inevitable, and self-reporting isn’t enough.
43% of people admit to making a mistake at work that compromised cybersecurity. For Punit and Ben, this isn’t a surprise. “Whether you like it or not, people make mistakes. It’s inevitable. It could be an accident – like sending a spreadsheet or proposal to the wrong person. Or it could be something more intentional and malicious, like a bad leaver. Whatever it is, we – and all other businesses, really – need to accept that and be prepared for it. At GoCardless, we’d like to be proactive rather than wait for something bad to happen,” Punit explained. That’s why he and his team had a process in place for employees to follow if and when mistakes did happen: reporting. But, after a Proof of Value with Tessian, they realized self-reporting wasn’t enough.
2. Their existing security stack offered limited protection, visibility, and control. GoCardless had several email security solutions in place, many of which were native tools like Google’s rule-based DLP. But these tools alone just weren’t effective enough.
But HLS-I was just one of the features that met their criteria. Their ideal solution needed to be low-maintenance, too. They found that in Tessian. “Tessian was clearly designed with end-users in mind. It’s really allowed us to empower our users to protect themselves without much – if any – admin overhead. That was essential for us,” Ben said. This is especially important for GoCardless since empowerment is an integral part of their ethos.
What about inbound? GoCardless – who have security training and awareness programs in place to help employees spot phishing emails – wasn’t looking for spear phishing protection. But, they immediately saw the value of Tessian Defender. Punit explained, saying “We didn’t come to Tessian for inbound protection. Just outbound. But when we saw how effective Tessian Defender was – especially at reinforcing training – we quickly realized how valuable it would be to have one single platform that covered both inbound and outbound. If we can solve two problems together, why do just one? That was a deciding factor for us”.
3. A breach would have devastating consequences.
Since deploying Tessian Guardian to prevent misdirected emails, Tessian Enforcer to prevent data exfiltration, and Tessian Defender to prevent spear phishing, Punit and Ben have seen how their security posture can improve. But, in order to get buy-in, it was important they outlined the consequences of a breach. For GoCardless, just a few include:
Exposed client data
GDPR fines and penalties
Customer churn
Customer litigation
Loss of VC funding
Loss of license
Reputational damage
That’s not to say, though, that they had to weigh the cost of the solution against the potential cost of a breach.
Learn more about how Tessian prevents human error on email
Powered by machine learning, Tessian’s Human Layer Security technology understands human behavior and relationships.
Tessian Guardian automatically detects and prevents misdirected emails
Tessian Enforcer automatically detects and prevents data exfiltration attempts
Tessian Defender automatically detects and prevents spear phishing attacks
Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of an organization’s email network. That means it gets smarter over time to keep you protected, wherever and however you work. Interested in learning more about how Tessian can help prevent email mistakes in your organization? You can read some of our customer stories here or book a demo.
Spear Phishing
How to Avoid Falling For a Phishing Attack
Wednesday, February 17th, 2021
Phishing is a decades-old social engineering attack that costs people and businesses billions each year. One small mistake can have serious consequences. But you can take a few simple and effective steps to avoid falling for one. This article will explain how to recognize a phishing email, how cybercriminals can leverage publicly-available information, and what technical solutions are available to help businesses prevent successful phishing attacks. If you’d rather learn more about what phishing is, don’t worry. We can help. Read this article first: Phishing 101: What is Phishing?
Learn to recognize a phishing email
There are some hallmarks of a phishing email that you should be able to recognize. But be careful — none of these traits are common to every phishing email, and most of them won’t be present in more sophisticated phishing campaigns. And remember! Phishing and spear phishing are different. If you’re looking for tips to help you spot spear phishing emails, read this article instead: What Does a Spear Phishing Email Look Like? 4 Red Flags.
1. Branding
When you receive an email, ask yourself “Does this look right?” A good first step is to check for inauthentic or amateurish logos and email signatures. Here’s an example: on the left is a genuine email from shipping company DHL, and on the right is a fake, taken from a 2020 phishing campaign:
You can see that the email on the right is trying to look like DHL. It’s using DHL’s red and yellow branding, but it’s clearly a cheap imitation. If you receive an email looking like this, alarm bells should immediately start ringing.
2. Spelling and grammar
Second, check the email for spelling and grammar mistakes. Again, while poor spelling and grammar is a good indicator that an email is inauthentic, it’s increasingly common for phishing campaigns to contain very few errors. Check out this example:
This fake Netflix email is a real-life example of a credential phishing attack that has been circulating since at least May 2018. Not sure what credential phishing is? We explain everything you need to know in this article: What is Credential Phishing? How Does it Work? Unlike the DHL email, this Netflix scam is pretty convincing, except for a couple of tiny errors that give it away. There’s an unnecessary space in the greeting (“Hello ,”) and a missing apostrophe (“We re here if you need it”). These errors don’t necessarily indicate a phishing email — they might have gotten past Netflix’s quality control team — but they’re a red flag (if you notice them).
3. Sense of urgency
Third, a phishing attack usually conveys some sense of urgency. Whether the attacker is trying to persuade you to make a payment, download a file, or click a link — they know you’re more likely to do so if you’re feeling anxious. Stressed people make bad decisions. We explore this in detail here: The Psychology of Human Error. Here’s an example of an American Express scam that emerged in 2020:
Many people will panic when receiving this and immediately click “NO.” They might even do this despite having second thoughts about the nature of the email. Of course, this is exactly what the cybercriminal wants.
4. Inauthentic sender address
Finally, there might be some more subtle indicators that the email you’ve received is part of a phishing scam. These have to do with the sender’s email address. A phishing email is more likely to succeed if it appears to come from an authentic email address. This type of phishing is called Business Email Compromise (BEC), and the FBI estimates that it cost businesses $1.7 billion in 2019. Cybercriminals use three main techniques to make email addresses look authentic:
Email impersonation: The email looks similar to a genuine business email address (think “[email protected]” or “[email protected]”). Impersonation can be easy to spot if you’re paying attention.
Email spoofing: The fraudster amends the email’s headers, so the receiving email client displays a false address. In some cases, spoofing is only noticeable if you inspect the email header information.
Account takeover (ATO): The email arrives from an authentic account that has been hacked. ATO is nearly impossible for a person to detect and requires email security software.
Limit your publicly available personal information
Spear phishing is a subcategory of phishing targeting a specific person by name. Cybercriminals can find your name and email address easily — but they probably have access to a lot more of your personal information, too. According to Tessian research, 90% of people post personal and professional information online. Many employees also appear in company publicity or press releases. Even out-of-office auto-replies can give away personal information. This information is gold dust for hackers seeking to impersonate someone the target trusts.
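The article says spoofing is sometimes only visible in the header information. Here is what that inspection looks like when automated, as an added example written for this page (it is not Tessian code, and the two messages are constructed samples using reserved .example domains). It parses a raw message with Python’s standard email package and reports the signals a mail filter, or a recipient viewing the raw source, would check: the visible From domain against the envelope Return-Path and Reply-To, a display name that embeds a different address, and any SPF, DKIM or DMARC verdict in the Authentication-Results header that is not “pass”.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample messages (not real mail): one carrying the spoofing
# signals described above, one that looks the way a genuine message should.
SUSPICIOUS = b"""\
Return-Path: <bounce-1234@bulk-sender.example.net>
Authentication-Results: mx.recipient.example; spf=fail smtp.mailfrom=bulk-sender.example.net;
 dkim=none; dmarc=fail header.from=bank.example
From: "Bank Support" <alerts@bank.example>
Reply-To: <payments.desk@reply-desk.example.org>
To: <employee@recipient.example>
Subject: Urgent: confirm your account today

Please confirm your details using the link below.
"""

GENUINE = b"""\
Return-Path: <alerts@bank.example>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=bank.example;
 dkim=pass header.d=bank.example; dmarc=pass header.from=bank.example
From: "Bank Support" <alerts@bank.example>
To: <employee@recipient.example>
Subject: Your monthly statement is ready

Your statement is available in the online banking portal.
"""

# Matches "spf=pass", "dkim=none", "dmarc=fail" inside Authentication-Results.
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)


def address_domain(header_value):
    """Domain of the first address in a header value, lower-cased ('' if absent)."""
    _name, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def auth_verdicts(msg):
    """Collect spf/dkim/dmarc verdicts from every Authentication-Results header."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, result in AUTH_RE.findall(str(header)):
            verdicts.setdefault(mech.lower(), result.lower())
    return verdicts


def check_headers(raw_message):
    """Return the From domain, the auth verdicts and a list of spoofing signals."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    from_domain = address_domain(msg["From"])
    findings = []

    # Envelope sender (Return-Path) pointing somewhere other than the visible From.
    return_path = address_domain(msg["Return-Path"])
    if return_path and return_path != from_domain:
        findings.append(f"return-path domain {return_path} differs from From domain {from_domain}")

    # Replies silently redirected to a third domain.
    reply_to = address_domain(msg["Reply-To"])
    if reply_to and reply_to != from_domain:
        findings.append(f"reply-to domain {reply_to} differs from From domain {from_domain}")

    # Display name that itself contains an address, which hides the real one on narrow clients.
    display_name, _addr = parseaddr(str(msg["From"] or ""))
    if "@" in display_name and address_domain(display_name) != from_domain:
        findings.append(f"display name embeds a different address: {display_name!r}")

    # Any SPF/DKIM/DMARC verdict other than pass.
    verdicts = auth_verdicts(msg)
    for mech, result in verdicts.items():
        if result != "pass":
            findings.append(f"{mech}={result}")

    return {"from_domain": from_domain, "auth": verdicts, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("genuine", GENUINE)):
        report = check_headers(raw)
        print(label, report["from_domain"], report["findings"])
```

Note what this check cannot do: an account takeover message passes every test here, because it really does come from the trusted domain. That is the case the article says needs behavioural email security rather than header inspection.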
Drop in a few personal references — whether about the target or the person the cybercriminal is impersonating — and a spear phishing email becomes a lot more persuasive. Wondering what you should (and shouldn’t) post online? Read the full report to find out.
Deploy email security software
If you’re an individual looking for advice, skip this section. This piece of advice is for security and business leaders. As we’ve seen, phishing is becoming increasingly hard for humans to spot. It’s also an email-based attack 96% of the time. That’s why deploying an intelligent inbound email security solution is the key to preventing phishing. Email security is particularly important as teams move into a remote working environment, away from the protection of CISOs and IT departments. Microsoft research shows that 80% of security professionals saw an increase in security incidents since employees started working from home. Phishing emails almost always carry some signals that reveal they are dangerous. The more subtle phishing indicators aren’t detectable by humans — or traditional solutions like Secure Email Gateways (SEGs) and spam filters. Tessian Defender uses machine learning, anomaly detection, behavioral analysis, and natural language processing to detect even the most discreet phishing signals. Click here to learn more about how Tessian Defender protects your team from phishing and other email-based cybersecurity attacks. You can also explore our customer stories to see how they’re using Tessian Defender to protect their people on email and prevent social engineering attacks like phishing.
Spear Phishing
Phishing 101: What is Phishing?
Wednesday, February 17th, 2021
First things first: let’s answer the question at hand.
That’s the short and sweet definition. But, there’s more you need to know. Phishing is a common type of social engineering attack that cybercriminals have been conducting for decades. In this article, we’ll take a look at some different types of phishing, how these differ from “traditional” phishing, and how phishing attacks work. Wondering what social engineering is? Check out this article, which includes plenty of real-world examples.
Definitions of phishing
If you look at the definition above, you’ll notice we made an important distinction in the last sentence. “Phishing is typically bulk in nature and not personalized for an individual target.” But, oftentimes, you’ll hear the word “phishing” used as an umbrella term to cover many types of online social engineering attacks, including:
Spear phishing: A phishing attack targeting a specific individual
Whaling: A phishing attack targeting a company executive
Smishing: Phishing via SMS
Vishing: Voice-phishing, via phone or VoIP software
What links all these types of attacks? They all involve some form of “impersonation” — the attacker pretends to be a person or institution that the target is likely to trust. But, in this article, we’ll focus on traditional “spray and pray” phishing attacks. It’s one of the most straightforward types of online social engineering attacks. Importantly, this “old-school” form of cybercrime is distinct from all the examples above because:
Unlike smishing or vishing, phishing attacks occur via email.
Unlike spear phishing and whaling, traditional phishing isn’t targeted. Attackers send phishing emails indiscriminately, rather than emailing a specific individual.
If you’re scratching your head trying to figure out how phishing is different from spam, we’ve answered all your questions in this article: Spam vs. Phishing: The Difference Between Spam and Phishing.
How phishing works
Let’s take a real-life example of a phishing attack to see how this type of cybercrime works.
It appears to come from a brand most of us know and trust: Netflix.
So, what makes it a phishing email? The “UPDATE ACCOUNT NOW” button leads to a malicious website (not Netflix’s genuine website) designed to steal payment information. But, the average person wouldn’t know that.
The email arrived from “[email protected]” — a person could reasonably believe this was a genuine Netflix email address
The “Help Center” and “Communications Settings” links lead to Netflix’s actual website
The Netflix logo and branding look authentic
But look a little closer, and you’ll notice a few giveaways.
The greeting is generic (“Hello ,”). This suggests that this is a bulk email sent to many recipients.
The email asks for payment details. Netflix will never request payment information via email.
There’s a typo (“We re here if you need it”). Typos are increasingly rare in phishing emails, but they should always raise a red flag.
This is not your typical “Nigerian prince” scam, and it’s easy to see why so many people – both consumers and employees – fall for these scams. If you’re looking for statistics to back this up, check out this article: Must-Know Phishing Statistics (Updated 2021). Note that this scam appears to use “email impersonation”: the sender address ( looks like it could be an authentic Netflix domain, but Netflix doesn’t own that domain at all. Hackers can also use account takeover and email spoofing for more advanced phishing attacks.
What is phishing for?
We’ve looked at how criminals use different methods to conduct phishing scams and target different types of people. But why do they do it? Attackers use phishing scams to target different types of resources. For example:
Credentials. Cybercriminals steal usernames and passwords to sell them on the dark web, access company data, or conduct account take-over attacks.
Personal information. Addresses, social security numbers — even lists of names associated with a particular platform can be valuable to cybercriminals, who can use them to target spear phishing attacks.
Money.
Phishing attacks aiming to trick the target into transferring money to the attacker are common, but they’re normally reserved for more sophisticated types of phishing such as Business Email Compromise (BEC), which the FBI calls “the $26 billion scam.” Want to know which of these resources hackers target the most frequently? Download this infographic.
How common is phishing?
Phishing has become a huge criminal industry, and there’s no sign of it getting smaller. Here are some of the latest statistics:
The FBI’s Internet Crime Complaint Center (IC3) 2020 Internet Crime Report cites phishing as the leading cause of cybercrime complaints. Phishing complaints more than doubled between 2019 and 2020.
According to Verizon’s 2020 data breach report, 96% of phishing attacks arrive by email (smishing and vishing account for 3% and 1% of attacks, respectively).
Phishing is on the rise. Microsoft’s 2021 Future of Work report shows that 80% of organizations experienced an increase in security threats in 2020 — and of these, 62% said phishing showed the most significant increase.
As a major cause of data breaches, phishing is a considerable business expense. According to IBM, the average cost of a data breach in 2020 was $3.86 million.
Want more of the most up-to-date figures on phishing? Subscribe to our newsletter for monthly updates, straight to your inbox. Now you know what “phishing” means, how common it is, and how much damage it can cause. If you want to learn how to protect yourself from phishing, check out our guidance on how to avoid falling for phishing attacks.
Spear Phishing
How Hackers Are Exploiting The COVID-19 Vaccine Rollout
By Laura Brooks
Tuesday, February 16th, 2021
Where there is uncertainty, there are cybercriminals. And the uncertainty surrounding the roll-out of the Covid-19 vaccine is creating the perfect environment for cybercriminals and their phishing scams. According to new Tessian research:
2,697 new website domains, related to the Covid-19 vaccine, were registered between 5 December 2020 and 10 January 2021. Many of these domains impersonate legitimate healthcare websites, tout misinformation around injection side effects, and falsely claim to offer guidance around timing and logistics of distribution to dupe people.
Some of the newly registered domains were confirmed as malicious. Tessian researchers found specific examples of domains that impersonate a legitimate O365 login page and Apple ID login page. These pages have been designed to steal people’s account credentials.
22% of the live domains take advantage of a technique called “typo-squatting” – a technique where one or two letters of a word are changed, in the hope that people make mistakes when typing the website into the URL bar or just simply miss the typo when landing on the page. One example of this is
Why do newly registered domains pose a threat?
The NHS recently issued a warning about scam emails that invite people to click on fake invitations to “register” for the vaccine. However, no registration is actually required for the real vaccine. The fake website, the BBC reports, also asks people for their bank details either to verify identification or to make a payment. Often, scammers will register new domains to lure people to a page after they’ve clicked a link in a phishing email. Tessian researchers found that many of the vaccine-related websites contain online forms designed to harvest financial or healthcare information and, in some cases, steal people’s account credentials. For example, some of the confirmed-malicious websites impersonate an Office 365 or Apple ID page and prompt people to log-in and share their username and password.
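Typo-squatted website domains and the look-alike sender addresses discussed in the earlier article on recognising a phishing email are the same problem from a defender’s side: a domain that is almost, but not quite, one you trust. The example below is added for this page and is not Tessian’s research tooling. It classifies a domain against a constructed list of trusted domains (reserved .example names) by checking, in order, an exact or subdomain match, the brand appearing only as a subdomain of another registrable domain, look-alike character substitutions (rn for m, 0 for o, and so on), the brand glued to an extra word with a hyphen, and finally plain edit distance. The public-suffix handling is deliberately simplified to “last two labels”; a real deployment would use the Public Suffix List.

```python
# Constructed list of domains the organisation treats as trusted. A real
# deployment would load this from a brand or vendor register.
TRUSTED_DOMAINS = ["healthportal.example", "bank.example"]

# Character swaps that are hard to spot at a glance (assumed, not exhaustive).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(label):
    """Undo common look-alike substitutions so 'healthp0rtal' compares as 'healthportal'."""
    label = label.lower()
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def levenshtein(a, b):
    """Classic edit distance: insert, delete and substitute each cost 1."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # delete ca
                               current[j - 1] + 1,              # insert cb
                               previous[j - 1] + (ca != cb)))   # substitute
        previous = current
    return previous[-1]


def split_domain(domain):
    """Return (registrable part, subdomain labels).

    Simplification: assumes a single-label public suffix such as .example or
    .com instead of consulting the Public Suffix List.
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]


def classify(candidate):
    """Classify a domain against TRUSTED_DOMAINS; returns (verdict, matched trusted domain)."""
    registrable, subdomains = split_domain(candidate)
    name = registrable.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        trusted_name = trusted.split(".")[0]
        if registrable == trusted:
            return "legitimate", trusted
        # brand.example.attacker.example: the brand only appears as a subdomain.
        if trusted in ".".join(subdomains):
            return "brand used as subdomain", trusted
        # healthp0rtal: identical once look-alike characters are undone.
        if name != trusted_name and normalize(name) == trusted_name:
            return "character substitution", trusted
        # healthportal-register: brand glued to an extra word with a hyphen.
        if name != trusted_name and trusted_name in name.split("-"):
            return "brand with affix", trusted
        # healthportla: one or two keystrokes away from the brand. Short brand
        # names get a tighter threshold to limit false positives.
        threshold = 1 if len(trusted_name) < 8 else 2
        if levenshtein(normalize(name), trusted_name) <= threshold:
            return "typo-squat", trusted
    return "unrelated", None


def scan(domains):
    """Classify a batch of domains, e.g. newly observed registrations or sender domains."""
    return [(d, *classify(d)) for d in domains]


if __name__ == "__main__":
    # Constructed sample of domains, none of them real registrations.
    for row in scan(["healthportal.example", "healthp0rtal.example", "healthportla.example",
                     "healthportal-register.example", "healthportal.example.signup.example",
                     "weather.example"]):
        print(*row)
```

Running the block on the sample flags everything except the genuine domain and the unrelated one. Tune the edit-distance threshold to the length of your brand names: with a four-letter brand, a distance of two matches far too many ordinary words.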
People urgently want to find out things such as when they will get the vaccine, where can receive the jab, and many more want to research and understand potential side effects. As we’ve seen throughout the pandemic, cybercriminals are capitalizing on people’s desire for more information and are finding ways to trick people into clicking on links to fake websites or enter their valuable details.
Who is most at risk from the vaccine scams?
Anyone who is eligible for the vaccine, and anyone who is looking for information about the vaccine roll-out, should be wary about the websites they land on. For example, concerns have been raised over U.S. health officials’ use of ticketing website Eventbrite to schedule vaccination appointments. Health departments have warned citizens of scams whereby fraudulent Eventbrite websites have been created, while The Tampa Bay Times reported that people had been charged money for vaccination slots that turned out to be fake. One of the main concerns surrounding vaccine scams is how hackers will target older generations – those at the top of the list for the vaccine. A Tessian report published in 2020 – The Psychology of Human Error – found that people over 55 years old were the least likely to know what a phishing email was. Awareness is crucial; people must think twice before responding to these messages and be sceptical of emails or websites requesting payment or personal information at this time.
Vaccine scams: what to look out for
Be wary of emails purporting to come from healthcare organizations asking you to click on links to ‘find out more’. Always check the sender name and address, particularly if you have received an email on your phone, in order to verify the sender’s identity. It’s also important to question any websites that request personal data. Domains that spoof government healthcare websites, like the Centers for Disease Control and Prevention (CDC), are especially dangerous, as bad actors could potentially steal extremely sensitive information such as Social Security numbers and health information like insurance or medical history details. At a time when phishing scams are rife, always think twice before entering your personal information online and remember, if it doesn’t look right, it probably isn’t.
Human Layer Security, Spear Phishing
Romance Fraud Scams Are On The Rise
By Laura Brooks
Thursday, February 11th, 2021
Cybercriminals are exploiting “lockdown loneliness” for financial gain, according to various reports this week, which reveal that the number of incidents of romance fraud and romance scams increased in 2020.  UK Finance, for example, reported that bank transfer fraud related to romance scams rose by 20% in 2020 compared to 2019, while Action Fraud revealed that £68m was lost by people who had fallen victim to romance fraud last year – an increase on the year before. Why? Because people have become more reliant on online dating and dating apps to connect with others amid social distancing restrictions put in place for the Covid-19 pandemic.
With more people talking over the internet, there has been greater opportunity for cybercriminals to trick people online. Adopting a fake identity and posing as a romantic interest, scammers play on people’s emotions and build trust with their targets over time, before asking them to send money (perhaps for medical care), provide access to bank accounts or share personal information that could be used to later commit identity fraud. Cybercriminals will play the long-game; they have nothing but time on their hands.  A significant percentage of people have been affected by these romance scams. In a recent survey conducted by Tessian, one in five US and UK citizens has been a victim of romance fraud, with men and women being targeted equally.
Interestingly, people aged between 25-34 years old were the most likely to be affected by romance scams. Tessian data shows that of the respondents who said they had been a victim of romance fraud, 45% were aged between 25-34 versus just 4% of respondents who were aged over 55 years old. This may be because romance fraud victims are most commonly targeted on social media platforms like Facebook or Instagram, with a quarter of respondents (25%) saying they’d been successfully scammed on these channels. This was closely followed by email (23%) while one in five people said they’d been targeted on mobile dating apps, and 16% said they’d been scammed via online dating websites. This behavior is quite typical, say experts. Often romance fraud will start on dating apps or official dating websites but scammers will move to social media, email or text in order to reduce the trail of evidence.
How to avoid falling for a romance scam
It’s important to remember that most dating apps and websites are completely safe. However, as social distancing restrictions remain in place for many regions, people should consider how they could be targeted by social engineering attacks and phishing scams at this time. We advise people to question any requests for personal or financial information from individuals they do not know or have not met in person, and to verify the identity of someone they’re speaking to via a video call. We also recommend the following:
Never send money or a gift online to someone who you haven’t met in person.
Be suspicious of requests from someone you’ve met on the internet. Scammers will often ask for money via wire transfers or reload cards because they’re difficult to reverse.
Be wary of any email or DM you receive from someone you don’t know. Never click on a link or download an attachment from an unusual email address.
Keep social media profiles and posts private. Don’t accept friend requests or DMs from people you don’t know personally.
The FBI and Action Fraud have also provided citizens with useful advice on how to avoid falling for a romance scam and guidance for anyone who thinks they may have already been targeted by a scammer. And if you want to learn more about social engineering attacks, you can read Tessian’s research How to Hack a Human.
Human Layer Security, DLP
Industry-First Product: Tessian Now Prevents Misattached Files on Email
By Harry Wetherald
Thursday, February 11th, 2021
Misdirected emails – emails sent to the wrong person – are the number one security incident reported to the Information Commissioner’s Office. And, according to Tessian platform data, an average of 480 misdirected emails are sent every year in organizations with over 1,000 employees.
An unsolved problem
We solved this years ago with Tessian Guardian, our solution for accidental data loss. But sending an email to the wrong person is just one part of the problem. What about sending the wrong attachment? After all, our data shows that 1 in 5 external emails contain an attachment and new Tessian research reveals that nearly half (48%) of employees have attached the wrong file to an email. We call these “misattached files” and we’re happy to announce a new, industry-first feature that prevents them from being sent.
The consequences of attaching the wrong file
The consequences of a misattached file depend on what information is contained in the attachments. According to Tessian’s survey results, 42% of documents sent in error contained company research and data. More worryingly, nearly two-fifths (39%) contained security information like passwords and passcodes, and another 38% contained financial information and client information. 36% of mistakenly attached documents contained employee data. Any one of the above mistakes could result in lost customer data and IP, reputational damage, fines for non-compliance, and customer churn. In fact, one-third of respondents said their company lost a customer or client following this case of human error, and a further 31% said their company faced legal action. Until now, there weren’t any email security tools that could consistently identify when wrong files were being shared. This meant attachment mistakes went undetected…until there were serious consequences.
How does Tessian detect misattached files?
The latest upgrade to Tessian Guardian leverages historical learning to understand whether an employee is attaching the correct file or not. When an email is being sent, Guardian’s machine learning (ML) algorithm uses deep content inspection, natural language processing (NLP), and heuristics to detect attachment anomalies such as:
Counterparty anomalies: The attachment is related to a company that isn’t typically discussed with the recipients. For example, attaching the wrong invoice.
Name anomalies: The attachment is related to an individual who isn’t typically discussed with the recipients. For example, attaching the wrong individual’s legal case files.
Context anomalies: The attachment looks unusual based on the email context. For example, attaching financial-model.xlsx to an email about a “dinner reservation.”
File type anomalies: The attachment file type hasn’t previously been shared with the receiving organization. For example, sending an .xlsx file to a press agency.
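To make the four anomaly types concrete, here is a deliberately small, history-based version of the idea, added for this page; it is not Guardian’s algorithm, which the post says also uses deep content inspection and NLP on the attachment itself. This toy only looks at file names, subject lines and recipients. It learns from a constructed send history which file extensions each recipient organisation has received and which counterparties and people have been discussed with each recipient, then scores a new outgoing message before it leaves. The client and surname dictionaries are constructed too.

```python
import re
from collections import defaultdict

# Constructed history of past outgoing mail: (recipient, subject, attachment names).
HISTORY = [
    ("anna@acme.example", "Invoice 1042 - Acme", ["acme-invoice-1042.pdf"]),
    ("anna@acme.example", "Acme Q3 forecast", ["acme-q3-forecast.xlsx"]),
    ("press@newsdesk.example", "Product launch press release", ["launch-release.pdf"]),
]
# Constructed dictionaries of known client names and individuals' surnames.
COUNTERPARTIES = {"acme", "globex", "initech"}
PEOPLE = {"smith", "jones"}


def tokens(text):
    """Lower-cased alphanumeric tokens of a subject line or file name."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def extension(filename):
    return filename.rpartition(".")[2].lower()


class AttachmentProfile:
    """Per-recipient memory of what has been sent before, learned from history."""

    def __init__(self, history):
        self.extensions_by_org = defaultdict(set)          # org domain -> {"pdf", "xlsx"}
        self.counterparties_by_recipient = defaultdict(set)  # address -> client names seen
        self.people_by_recipient = defaultdict(set)        # address -> surnames seen
        for recipient, subject, files in history:
            self.learn(recipient, subject, files)

    def learn(self, recipient, subject, files):
        org = recipient.rpartition("@")[2].lower()
        words = tokens(subject).union(*(tokens(f) for f in files))
        self.extensions_by_org[org].update(extension(f) for f in files)
        self.counterparties_by_recipient[recipient].update(words & COUNTERPARTIES)
        self.people_by_recipient[recipient].update(words & PEOPLE)

    def check(self, recipient, subject, files):
        """Return (anomaly kind, file name) pairs for a message about to be sent."""
        org = recipient.rpartition("@")[2].lower()
        subject_words = tokens(subject)
        anomalies = []
        for f in files:
            words = tokens(f)
            ext = extension(f)
            # Counterparty anomaly: file names a client never discussed with this recipient.
            for client in words & COUNTERPARTIES:
                if client not in self.counterparties_by_recipient[recipient]:
                    anomalies.append(("counterparty", f))
            # Name anomaly: file names a person never discussed with this recipient.
            for person in words & PEOPLE:
                if person not in self.people_by_recipient[recipient]:
                    anomalies.append(("name", f))
            # File type anomaly: this organisation has never received this extension.
            if ext not in self.extensions_by_org[org]:
                anomalies.append(("file type", f))
            # Context anomaly: nothing in the subject overlaps with the file name.
            if not (subject_words & (words - {ext})):
                anomalies.append(("context", f))
        return anomalies


if __name__ == "__main__":
    profile = AttachmentProfile(HISTORY)
    # A spreadsheet about another client attached to a dinner invitation.
    print(profile.check("anna@acme.example", "Dinner reservation Thursday",
                        ["globex-financial-model.xlsx"]))
    # A spreadsheet going to a press contact who has only ever received PDFs.
    print(profile.check("press@newsdesk.example", "Launch numbers", ["launch-numbers.xlsx"]))
```

The first call raises a counterparty and a context anomaly but no file-type anomaly, because Acme has received .xlsx files before; the second raises only a file-type anomaly. The point of the history is the flag rate: every check is relative to what this sender normally does with this recipient, so routine mail stays unflagged.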
If a misattached file is detected, the sender is immediately alerted to the error before the email is sent. Best of all, the warnings are helpful, not annoying and flag rates are low. This means employees can do their jobs without security getting in the way.  Want to learn more about how Tessian detects attachment anomalies before they’re sent? Download the data sheet.
Benefits for Tessian customers

Tessian is the only solution in the market that can solve the problem of misattached files, giving customers complete protection from accidental data loss on email. In addition to preventing human error and subsequent breaches, Tessian Guardian has several features that help ease the burden of compliance on thinly-stretched security teams and give key stakeholders peace of mind. These include:
- Automated protection: Tessian Guardian automatically detects and prevents misattached files. No rules or manual investigation required.
- Flexible configuration options: with this new feature, customers will be able to configure Guardian’s algorithm to enable and/or disable specific use-cases. This allows administrators to balance user experience with the level of protection appropriate to their risk appetite.
- Data-rich dashboards: for the first time, customers will have visibility of how many misattached files are being sent in their organization and by whom. This demonstrates clear ROI and makes auditing and reporting easy.
Learn more about Tessian

Interested in learning more about Tessian Guardian’s new features? Current Tessian customers can get in touch with their Customer Success Manager. Not yet a Tessian customer? Learn more about our technology, explore our customer stories, or book a demo now.
Must-Know Phishing Statistics: Updated 2021
By Maddie Rosenthal
Wednesday, February 10th, 2021
We’ve rounded up the latest phishing statistics, including:
- The frequency of phishing attacks
- How phishing attacks are delivered
- The most common subject lines
- The prevalence of phishing websites
- The most common malicious attachments
- The data that’s compromised in phishing attacks
- The cost of a breach
- The most targeted industries
- The most impersonated brands
- Facts and figures related to COVID-19 scams
- Phishing and the future of work

Looking for something more visual? Check out this infographic with key statistics.
The frequency of phishing attacks

According to the FBI, phishing was the most common type of cybercrime in 2020, and phishing incidents nearly doubled in frequency, from 114,702 incidents in 2019 to 241,324 incidents in 2020. The FBI said there were more than 11 times as many phishing complaints in 2020 compared to 2016.

According to Verizon’s 2020 Data Breach Investigations Report (DBIR), 22% of breaches in 2019 involved phishing. While this is down 6.6% from the previous year, it’s still the “threat action variety” most likely to cause a breach.

The frequency of attacks varies industry-by-industry (see the most targeted industries below). But 75% of organizations around the world experienced some kind of phishing attack in 2020. Another 35% experienced spear phishing, and 65% faced BEC attacks.

But, there’s a difference between an attempt and a successful attack. 74% of organizations in the United States experienced a successful phishing attack. This is 30% higher than the global average, and 14% higher than last year. Want to learn how to prevent successful attacks? Check out this page all about BEC prevention.

ESET’s Threat Report reveals that malicious email detections rose 9% between Q2 and Q3 2020. This followed a 9% rise from Q1 to Q2 2020.

How phishing attacks are delivered

Hackers are relying more and more heavily on the credentials they’ve stolen via phishing attacks to access sensitive systems and data. That’s one reason why breaches involving malware have decreased by over 40%. According to SonicWall’s 2020 Cyber Threat Report, in 2019 PDFs and Microsoft Office files were the delivery vehicles of choice for cybercriminals. Why? Because these files are universally trusted in the modern workplace.

When it comes to targeted attacks, 65% of active groups relied on spear phishing as the primary infection vector. This is followed by watering hole websites (23%), trojanized software updates (5%), web server exploits (2%), and data storage devices (1%).
The most common subject lines

96% of phishing attacks arrive by email. Another 3% are carried out through malicious websites and just 1% via phone. When it’s done over the telephone, we call it vishing, and when it’s done via text message, we call it smishing.

According to Symantec’s 2019 Internet Security Threat Report (ISTR), the top five subject lines for business email compromise (BEC) attacks are:
- Urgent
- Request
- Important
- Payment
- Attention

Analysis of real-world phishing emails revealed these to be the most common subject lines in Q4 2020:
- IT: Annual Asset Inventory
- Changes to your health benefits
- Twitter: Security alert: new or unusual Twitter login
- Amazon: Action Required | Your Amazon Prime Membership has been declined
- Zoom: Scheduled Meeting Error
- Google Pay: Payment sent
- Stimulus Cancellation Request Approved
- Microsoft 365: Action needed: update the address for your Xbox Game Pass for Console subscription
- RingCentral is coming!
- Workday: Reminder: Important Security Upgrade Required

The prevalence of phishing websites

Google Safe Browsing uncovers unsafe URLs across the web. The latest data shows a world-wide-web rife with phishing websites. Since 2016, phishing has replaced malware as the leading type of unsafe website. While there were once twice as many malware sites as phishing sites, there are now nearly 75 times as many phishing sites as there are malware sites.

Google had registered 2,145,013 phishing sites as of Jan 17, 2021. This is up from 1,690,000 on Jan 19, 2020 (up 27% over 12 months). This compares to malware sites rising from 21,803 to 28,803 over the same period (up 32%). Charted over the years, phishing sites have rocketed ahead of malware sites.
The most common malicious attachments

Many phishing emails contain malicious payloads such as malware files. ESET’s Threat Report reports that in Q3 2020, these were the most common types of malicious files attached to phishing emails:
- Windows executables (74%)
- Script files (11%)
- Office documents (5%)
- Compressed archives (4%)
- PDF documents (2%)
- Java files (2%)
- Batch files (2%)
- Shortcuts (<1%)
- Android executables (<1%)

You can learn more about malicious payloads here.

The data that’s compromised in phishing attacks

The top five types of data that are compromised in a phishing attack are:
- Credentials (passwords, usernames, PIN numbers)
- Personal data (name, address, email address)
- Internal data (sales projections, product roadmaps)
- Medical (treatment information, insurance claims)
- Bank (account numbers, credit card information)

While instances of financially-motivated social engineering incidents have more than doubled since 2015, money isn’t the main driver for targeted attacks. Just 6% of targeted attack groups are motivated by financial gain, while 96% are motivated by intelligence gathering and 10% simply aim to cause chaos and disruption (a group can have more than one motive, so these figures overlap).

When asked about the impact of successful phishing attacks, security leaders around the world cited the following consequences:
- 60% of organizations lost data
- 52% of organizations had credentials or accounts compromised
- 47% of organizations were infected with ransomware
- 29% of organizations were infected with malware
- 18% of organizations experienced financial losses
The cost of a breach

According to IBM’s Cost of a Data Breach Report, the average cost per compromised record has steadily increased over the last three years. In 2019, the cost was $150. For some context, 5.2 million records were stolen in Marriott’s most recent breach. At $150 per record, the cost of that breach could amount to $780 million. But, the average breach costs organizations $3.92 million. This number will generally be higher in larger organizations and lower in smaller organizations.

Losses from business email compromise (BEC) have skyrocketed over the last year. The FBI’s Internet Crime Report shows that in 2020, BEC scammers made over $1.8 billion, far more than via any other type of cybercrime. And, this number is only increasing. According to the Anti-Phishing Working Group’s Phishing Activity Trends Report, the average wire-transfer loss from BEC attacks in the second quarter of 2020 was $80,183. This is up from $54,000 in the first quarter.

The cost of a breach can be broken down into several different categories, including:
- Lost hours from employees
- Remediation
- Incident response
- Damaged reputation
- Lost intellectual property
- Direct monetary losses
- Compliance fines
- Lost revenue
- Legal fees

Costs associated with remediation generally account for the largest chunk of the total. Importantly, these costs can be mitigated by cybersecurity policies, procedures, technology, and training. Artificial intelligence platforms can save organizations $8.97 per record.

The most targeted industries

While the manufacturing industry saw the most breaches from social attacks (followed by healthcare and then professional services), employees working in wholesale trade are the most frequently targeted by phishing attacks, with 1 in every 22 users being targeted by a phishing email last year. According to a different data set, the most phished industries vary by company size. Nonetheless, it’s clear manufacturing and healthcare are among the highest risk industries.
The industries most at risk in companies with 1-249 employees are:
- Healthcare & Pharmaceuticals
- Education
- Manufacturing

The industries most at risk in companies with 250-999 employees are:
- Construction
- Healthcare & Pharmaceuticals
- Business Services

The industries most at risk in companies with 1,000+ employees are:
- Technology
- Healthcare & Pharmaceuticals
- Manufacturing

The most impersonated brands

New research found the brands below to be the most impersonated brands used in phishing attacks throughout Q4 2020. In order of the total number of instances the brand appeared in phishing attacks:
- Microsoft (related to 43% of all brand phishing attempts globally)
- DHL (18%)
- LinkedIn (6%)
- Amazon (5%)
- Rakuten (4%)
- IKEA (3%)
- Google (2%)
- PayPal (2%)
- Chase (2%)
- Yahoo (1%)

The common factor between all of these consumer brands? They’re trusted and frequently communicate with their customers via email. Whether we’re asked to confirm credit card details, our home address, or our password, we often think nothing of it and willingly hand over this sensitive information.
Facts and figures related to COVID-19 scams

Because hackers tend to take advantage of key calendar moments (like Tax Day or the 2020 Census) and times of general uncertainty, individuals and organizations saw a spike in COVID-19 phishing attacks starting in March 2020. But, according to one report, COVID-19 related scams reached their peak in the third and fourth weeks of April. And, it looks like hackers were laser-focused on money. Incidents involving payment and invoice fraud increased by 112% between Q1 2020 and Q2 2020. It makes sense, then, that finance employees were among the most frequently targeted employees. In fact, attacks on finance employees increased by 87% while attacks on the C-Suite decreased by 37%.

Phishing and the future of work

According to Microsoft’s New Future of Work Report:
- 80% of security professionals surveyed said they had encountered increased security threats since the shift to remote work began.
- Of these, 62% said phishing campaigns had increased more than any other type of threat.
- Employees said they believed IT departments would have been able to mitigate these phishing attacks if they had been working in the office.

Tessian’s own research supports this. The Future of Hybrid Work report shows that phishing was the leading cause of security incidents while employees have been working remotely.
What can individuals and organizations do to prevent being targeted by phishing attacks?

While you can’t stop hackers from sending phishing or spear phishing emails, you can make sure you (and your employees) are prepared if and when one is received. You should start with training. Educate employees about the key characteristics of a phishing email and remind them to be scrupulous and inspect emails, attachments, and links before taking any further action:
- Review the email address of senders and look out for impersonations of trusted brands or people (check out our blog CEO Fraud Email Attacks: How to Recognize & Block Emails that Impersonate Executives for more information).
- Always inspect URLs in emails for legitimacy by hovering over them before clicking.
- Beware of URL redirects and pay attention to subtle differences in website content.
- Genuine brands and professionals generally won’t ask you to reply divulging sensitive personal information. If you’ve been prompted to, investigate and contact the brand or person directly, rather than hitting reply.

We’ve created several resources to help employees identify phishing attacks. You can download a shareable PDF with examples of phishing emails and tips at the bottom of this blog: Coronavirus and Cybersecurity: How to Stay Safe From Phishing Attacks.

But, humans shouldn’t be the last line of defense. That’s why organizations need to invest in technology and other solutions to prevent successful phishing attacks. Given the frequency of attacks year-on-year, it’s clear that spam filters, antivirus software, and other legacy security solutions aren’t enough. That’s where Tessian comes in. By learning from historical email data, Tessian’s machine learning algorithms can understand specific user relationships and the context behind each email. This allows Tessian Defender to not only detect, but also prevent a wide range of impersonations, spanning more obvious, payload-based attacks to subtle, social-engineered ones.
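The sender and link checks in the list above can be automated. The following is an added example, not Tessian Defender’s code (its models are not public), that inspects a From: header and the links in an HTML body against a hypothetical trusted-domain list: it folds digit-for-letter look-alikes, flags a brand name used in a subdomain or inside a look-alike domain, flags punycode hosts, catches a display name that claims a brand the sending domain doesn’t back up, and compares each link’s visible text with its real href target. The trusted list, the sender headers, and the message bodies are all constructed for the example, and registrable() is a two-label approximation because no public-suffix list is available offline.

```python
"""Sender and link inspection for a suspicious email.

Added illustration, not Tessian Defender. The trusted-domain list and messages are
constructed; registrable() is a two-label approximation (no public-suffix list offline).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"paypal.com", "microsoft.com", "example-corp.com"}  # hypothetical
BRANDS = sorted(d.split(".")[0] for d in TRUSTED_DOMAINS)
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def normalize(domain: str) -> str:
    """Fold common look-alike substitutions (paypa1 -> paypal, rnicrosoft -> microsoft)."""
    return domain.lower().replace("rn", "m").replace("vv", "w").translate(HOMOGLYPHS)


def registrable(host: str) -> str:
    return ".".join(host.lower().split(".")[-2:])


def classify_domain(host: str) -> str:
    """Say how a host relates to the trusted list: trusted, a look-alike, or unknown."""
    labels = host.lower().rstrip(".").split(".")
    if any(label.startswith("xn--") for label in labels):
        return "punycode"  # IDN: decode and re-check before trusting what is displayed
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    folded = normalize(reg)
    if folded in TRUSTED_DOMAINS:
        return f"homoglyph-of:{folded}"
    for brand in BRANDS:
        if brand in labels[:-2]:           # e.g. paypal.com.secure-login.example
            return f"brand-in-subdomain:{brand}"
        if brand in folded.split(".")[0]:  # e.g. paypa1-secure.com
            return f"brand-in-domain:{brand}"
    return "unknown"


def check_sender(from_header: str) -> list:
    """Inspect a From: header such as 'PayPal <billing@paypa1-secure.com>'."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<?([^<>\s]+@([^<>\s]+))>?\s*$', from_header)
    if not m:
        return ["unparseable-from"]
    display, host = m.group(1).lower(), m.group(3)
    findings = []
    verdict = classify_domain(host)
    if verdict != "trusted":
        findings.append(f"sender:{verdict}")
    # Display name claims a brand that the real sending domain does not back up.
    claimed = [b for b in BRANDS if b in display]
    if claimed and registrable(host).split(".")[0] not in claimed:
        findings.append("display-name-claims:" + ",".join(claimed))
    return findings


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html: str) -> list:
    """Compare each link's visible text with where it really points."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        # Visible text showing a different domain than the real target is the classic lure.
        shown = re.search(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)", text.lower())
        if shown and registrable(shown.group(1)) != registrable(host):
            findings.append((href, f"text-shows:{shown.group(1)}"))
        verdict = classify_domain(host) if host else "no-host"
        if verdict != "trusted":
            findings.append((href, verdict))
    return findings


def demo():
    # Constructed lure: display name says PayPal, link text shows paypal.com, target differs.
    lure_sender = check_sender("PayPal <billing@paypa1-secure.com>")
    lure_links = check_links(
        '<p>Please <a href="http://paypal.com.secure-login.example/verify">'
        "https://www.paypal.com/account</a> within 24 hours.</p>"
    )
    # Constructed genuine mail: everything resolves to the trusted list.
    ok_sender = check_sender('"Alice Smith" <alice@example-corp.com>')
    ok_links = check_links('<a href="https://www.microsoft.com/x">microsoft.com</a>')
    return lure_sender, lure_links, ok_sender, ok_links
```

Run demo() and the lure produces sender:brand-in-domain:paypal, display-name-claims:paypal, text-shows:www.paypal.com and brand-in-subdomain:paypal, while the genuine mail produces nothing. Two caveats for real use: replace the two-label registrable() with a public-suffix-list lookup (otherwise co.uk-style domains are mis-grouped), and decode xn-- hosts with the idna codec so that the homoglyph fold runs on the Unicode form the user actually sees.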
To learn more about how tools like Tessian Defender can prevent spear phishing attacks, speak to one of our experts and request a demo today.