Request a Demo of Tessian Today.
Automatically stop data breaches and security threats caused by employees on email. Powered by machine learning, Tessian detects anomalies in real-time, integrating seamlessly with your email environment within minutes and starting protection in a day. Provides you with unparalleled visibility into human security risks to remediate threats and ensure compliance.

See a sneak peek of Tessian in action featuring admin and end user experiences. Watch the Product Tour →

guide icon

Tessian Blog

See All Posts
GDPR: 13 Most Asked Questions + Answers
Tuesday, March 15th, 2022
1. Who’s enforcing GDPR?   In May 2018, the GDPR came into force across the whole of the European Union. The GDPR applies equally to all EU member states, but that doesn’t mean each country will enforce its requirements equally. Each member state handles enforcement and will have a regulatory body called a supervisory authority that will be in charge of auditing and enforcement.   28 different countries will handle enforcement. That means Germany, for example, is expected to be tougher on enforcement of GDPR than elsewhere on the continent given data protection is conducted at a state level. Conversely, the U.K. has traditionally been the member state to push back against any overtly data-privacy regime that could impede global trade.   2. What are the penalties for non-compliance with GDPR?   Penalties can be a fine up to €20 million or 4 percent of a company’s annual revenue, whichever is higher. The latter is the steeper penalty and the assumption is that it will be levied in severe cases when a company has totally disregarded data privacy. The supervisory authority decides the fine’s amount based on the circumstances and the violation level.   3. What is a GDPR Data Processing Operation? A data subject is the person about whom data is being collected. The data controller is the person or organization that decides why personal data is held or used, and how it is held or used. Any person or organization that holds or uses data on behalf of the data controller is a data processor.   The good news is that organizations have become significantly better at containing breaches, with the average time dropping from 70 days in 2016 to 55 days. However, on average companies take nearly 200 days to detect a breach.   4. How does the GDPR handle this?   GDPR refers to the time between detecting a breach to the time of notifying impacted parties about it. However, part of the security for privacy concept is about being able to detect breaches and have best-practice tools and processes in place to do so.   5. What documentation do we need to prove that we’re GDPR compliant?   GDPR, compared to the Data Protection Act that it replaces, states there is a need to demonstrate compliance. According to Article 5(2) of the regulation, “The controller [i.e. your company] shall be responsible for, and be able to demonstrate compliance”.   It is a good idea to document everything about your GDPR process, so it is clear that you have taken the right investigative steps and have made reasonable steps to fix any issues. You then have a document you can point to if you’re ever asked any questions.  
6. What are the data requirements for GDPR?   Data can only be processed for the reasons it was collected Data must be accurate and kept up-to-date or else should be otherwise erased Data must be stored such that a subject is identifiable no longer than necessary Data must be processed securely 7. Is GDPR training mandatory for staff and management?   Anyone whose job involves processing personal data undertakes data protection and data handling training. This includes full-time staff, third-party contractors, temporary employees, and volunteers.   8. Does GDPR compliance differ based on the number of employees a company has?   GDPR doesn’t differentiate between the size of organizations.
9. What type of language should be included in a consent policy?   Check out the Tessian privacy policy, which shows you how detailed consent needs to be.   10. Is appointing a DPO mandatory?   GDPR requires appointing a DPO when an organization performs data processing on a large scale, processes certain types of data or processes data on an ongoing basis as opposed to a one-time process.   11. What happens if some data is processed outside the EU?   The GDPR allows for data transfers to countries deemed by the European Commission to provide an adequate level of personal data protection. In the absence, transfers are also allowed outside non-EU states under certain circumstances like standard contractual clauses or binding corporate rules.   12. Does GDPR affect US-based companies?   Any U.S. company that has a web presence and markets their products over the web will have to take notice. Article 3 of the GDPR says that if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR.   13. If we are based in the US, have EU citizen data and experience a breach, who do we notify?   There are rules around what authority should be notified based on criteria like the situation, the organization and where the processing occurs.   How can Tessian make you GDPR Compliant?   Under GDPR, an organization is most likely to suffer a fine or penalty due to data loss through a misdirected email. Misdirected emails were the number one form of data loss reported to the Information Commissioner’s Office (ICO) in 2017. Some notable examples of penalties issued by the ICO for misaddressed emails include 56 Dean Street Clinic who were fined £180,000 for inadvertently disclosing the identities of HIV positive patients and also Dyfed-Powys Police who were fined £150,000 for inadvertently disclosing the identities of registered sex offenders to a member of the public.   GDPR forces organizations to report all personal data breaches to the appropriate governing body and maintain a register of these internally. Under GDPR, organizations have an obligation to report misdirected emails to the ICO and face fines of up to 4% of global turnover depending on the severity of the breach. Given that misdirected emails are the number one type of data security incident currently reported to the ICO, this should be of significant concern for all organizations in the transitioning years toward GDPR.   Tessian uses machine learning to automatically detect when emails are being sent to the wrong person, allowing organizations to both prevent information being sent to the wrong person and crucially, retain an audit log of warning messages shown to users when sending emails and the response that the user made on the warning that was shown.   The audit feature and preventative nature of Tessian align with the GDPR requirement “to implement appropriate technical and organizational measures together with a process for regularly testing, assessing and evaluating the effectiveness of those measures to ensure the security of processing” (Article 32).   Furthermore, with increasing numbers of firms adopting Tessian’s technology and their role in helping advising other companies in their transition to GDPR, simply relying on staff being as careful as possible and internal training, becomes an untenable posture when protecting personal data.
Read Blog Post
Why Enterprises Are Replacing Their SEGs With Microsoft and Tessian
By John Filitz
Monday, March 14th, 2022
The advancing sophistication of cybersecurity threat campaigns have brought legacy cybersecurity tools into sharp focus. Built for an on-premise world, these manual, rule-based approaches to cybersecurity are unable to ward off adaptive and increasingly intelligent attack methods.   On the other side of the coin are security leaders who are overwhelmed and overworked. This is largely due to the proliferation of threats, juxtaposed against managing their IT environments from a tooling and staff resource perspective.    Tool sprawl is reaching excessive levels that are simply impossible to manage. The average enterprise now has in excess of 45 cybersecurity tools deployed. Research shows excessive tools deployed leads to a decline of security effectiveness.    The bottom line: Increasing complexity warrants tool rationalization.    Keep reading to learn:   Why Secure Email Gateways (SEGs) have become redundant The powerful capabilities (and shortcomings) of Microsoft  The benefits of replacing your SEG with Tessian + Microsoft
SEG redundancy   The effectiveness of legacy Secure Email Gateway (SEG) solutions is starting to receive due attention as email related breaches continue to snowball. Depending on the statistic cited, the email threat vector accounts for anywhere between 80-96% of cybersecurity attacks.   Replacing SEGs represents a high return, low risk optimization opportunity, due to declining security effectiveness and the high degree of redundancy in the enterprise.     SEG security effectiveness is declining for two reasons:    The majority of enterprises have adopted cloud hosted productivity suites such as Microsoft 365, which natively provide SEG capabilities including malware, phishing and URL protection.  SEGs rely on static, rule-based approaches that are ineffective in safeguarding  email users and data from advanced threats.    Once a threat actor is able to bypass the SEG, they effectively have unmitigated access to carry out their threat campaign. This can (and often does) include Account Takeover (ATO), deploying exploit kits or more damagingly, delivering ransomware. And little protection is offered against insider threats – a growing concern.  
The powerful capabilities (and shortcomings) of Microsoft    Microsoft 365, which includes Exchange Online Protection (EOP) and Microsoft 365 Defender, provides a reasonable degree of email security that effectively makes the legacy SEG redundant.   M365 on E5 licensing provides the following capabilities:   Anti-malware protection Anti-phishing protection Anti-spam protection Insider risk management  Protection from malicious URLs and files in email and Office documents (Safe Links and Safe Attachments) Message encryption via issued PKI Audit logging Quarantine Exchange archiving
Microsoft alone, however, does not guarantee against advanced email threats. Significant gaps remain in Microsoft’s ability to protect against advanced social engineering campaigns that can result in business email  compromise (BEC), ATO, or zero day exploitation. And this is why these shortcomings are also reflected in Microsoft’s Service Level Agreement (SLA) exclusions, for example excluding guarantees against zero day exploits and phishing in non-English languages.    Microsoft + Tessian = Comprehensive security   This is where a next-gen behavioral cybersecurity solution like Tessian comes into play, providing advanced automated email threat detection and prevention capability.   With Tessian, no mail exchange (MX) records need to be changed. Tessian is able to construct a historical user email pattern map of all email behavior in the organization. The best-in-class algorithm is then able to detect and prevent threats that Microsoft or SEGs have failed to detect within 5 days of deployment.    This dynamic protection improves with each threat that is prevented, and unlike the in-line static nature of SEGs, it ensures 24/7 real time protection against all attack vectors, including insider threats. That is why the leading enterprises are opting for displacing their legacy SEG and augmenting Microsoft’s native security capabilities with Tessian.   
Tessian Defender’s capabilities include:   Advanced Spear Phishing Protection Advanced Attachment and URL Protection   Internal Impersonation & CEO Fraud Advanced Spoof Detection Counterparty & Vendor Impersonation  Brand Impersonation External Account Takeover Invoice FraudBulk Remediation Automated Quarantine  Threat Intelligence
No black box threat visibility and intelligent risk mitigation   Beyond the cost and resource optimization realized by removing SEGs, Tessian clients see significant efficiency gains in the SOC due to the high degree of automating triage and the enablement of a distilled view on the threats that matter  –  finding that needle in the haystack, in real time and in context.    For example, with one-click, SOC analysts can bulk remediate high volume phishing campaigns (aka burst attacks) that are targeting the organization as they happen. Suspicious emails are also automatically quarantined, with threat remediation context provided.    The platform provides a single pane of glass, giving security and risk leaders visibility of how cybersecurity risk is trending in their organization and the types of threats thwarted, down to individual employee-level risk scoring.
Context aware security awareness training  The context-aware security capability of Tessian extends to providing in-the-moment security awareness training to employees. The real-time security notifications flag suspicious and malicious emails received, offer a clear explanation, and provide education to employees in real time. Most enterprises experience a 30% click through rate (CTR) on simulated phishing exercises – including our clients prior to deployment. Tessian clients see simulated phishing exercises returning a less than 5% CTR after deployment – illustrating the effectiveness of Tessian’s security awareness training.
Stopping threats, reducing complexity    Tessian enables security teams to focus on mission critical tasks rather than manually and retroactively triaging already occurred security events. Legacy email security approaches relying on SEGs simply no longer have a place in an increasingly crowded cybersecurity stack. By leveraging Microsoft 365’s native capability together with Tessian, presents an opportunity for security leaders to improve security while reducing complexity.
This is why according to a Tessian commissioned Forrester study, 58% of cybersecurity leaders are reevaluating legacy email security tools and approaches, and why 56% will be investing in behavioral email security solutions with automated detection capabilities.
Read Blog Post
ATO/BEC, Human Layer Security
Nation-States – License to Hack?
By Andrew Webb
Thursday, March 10th, 2022
Traditionally, security leaders view of  nation-state attacks has been ‘as long as you’re not someone like BAE systems or a Government, you’re fine’ But in the last three years nation-state attacks doubled in number to over 200… and we’ve yet to see the full cyber impact of the war in Ukraine. Consequently, nation-state attacks are something all security leaders should be aware of and understand. Here’s what you need to know.
How a nation-state attack differs from a regular cyber attack    Nation-state attacks are typically defined as APTs, or advanced persistent threats – a term first defined in 2005. They are referred to as advanced because they have access to exploits and techniques that are more professional, more effective, and more expensive than the average criminal actors.   Nation-state attackers can have teams full of people that can work a 24-hour shift and handoff every 8 hours. There’s also the question of the duration of an attack. APTs play the long-game, and can sometimes take 18 to 24 months before any compromise takes place. The bottom line: nation-state hackers have the resources to wait for the perfect moment to strike.
What are the aims of a nation-state APT attack? With the nearly unlimited money and resources of a nation-state , nation-state attackers can try every technique and tactic available until they eventually accomplish their goal. And those goals are nearly always political rather than purely criminal. APT attacks generally aim to do one of the following:    Exfiltrate data containing military secrets or intellectual property Conduct propaganda or disinformation campaigns Compromised sensitive information for further attacks or identity theft sabotage of critical organizational infrastructures  Russia blurs this line in that they use criminal activity in furtherance of political goals, and have been for years. They also have an APT set whose objective is essentially disruption and discord, so that security teams and government agencies don’t know where to place the defense resources.
Which businesses are most at risk from a nation-state attack?  A sector all threat actor groups are interested in is Cleared Defense Contractors (CDCs). CDCs are businesses granted clearance by the US Department of Defense to access, receive, or store classified information when bidding for a contract or other supporting activities.   One of the first APT attacks against CDCs was Titan Rain in 2003. Suspected Chinese hackers gained access to the computer networks companies such as Lockheed Martin, Sandia National Laboratories, Redstone Arsenal, and NASA, as well as UK Government departments and companies. What’s more, it’s believed that they were inside the network for over three years.  Infrastructure companies are also popular targets. US infrastructure companies such as Colonial Pipeline have been getting hit more and more frequently, and Ukraine suffered a power grid outage in 2015. And banks – especially national banks – are under continual attack, and in light of the recent removal of Russia from the SWIFT payment system, western banks are presumed to be under increased threat in retaliation.
Softer secondary targets   Although traditionally, targets with connections to the military bore the brunt of APTs, there are signs that this is spreading to other industries. In 2021 Microsoft shared detailed information regarding a “state-sponsored threat actor” based in China that targeted a wide range of entities in the U.S. — including law firms. The highly sophisticated cyber-attack used previously unknown exploits to infiltrate Microsoft Exchange Server software, so it’s reasonable to assume that if you have tangential connections to a political target of one of these countries, then you could be at risk.
As KC Busch, Tessian’s Head of Security Engineering & Operations explains “APTs might need to spend a million dollars to compromise their direct target. But if they can find a law firm connected with that target that doesn’t encrypt outbound comms or has adequate email protection, then they’re going to go for the law firm rather than the million-dollar target”   This underscores the importance of not just your own cybersecurity posture, but that of every organization in your network or supply chain. You’re only as strong as your weakest link.. 
The phases of an APT attack   APT attacks come in three phases.    First, there’s network infiltration, typically achieved through compromised credentials. If compromised credentials aren’t an option, or defenses are particularly robust, nation-state attackers might use a zero-day attack. Countries can have teams that will research and write their own zero-days, but more commonly, they will buy them from a gray market of third-party companies that aggregate exploits and sell them without much ethical thought of how they’re used.    This murky world of zero-day exploits and the people that broker them to Governments and security agencies was chronicled by Former New York Times cybersecurity reporter Nicole Perlroth in her recent book, ‘This Is How They Tell Me The World Ends’. Perlorth’s book highlights how for decades, US government agents paid thousands, and later millions of dollars to hackers willing to sell zero-days, and how they lost control of the market. The result is that zero-days are in the hands of hostile nations, who have money to purchase them and a need to deploy them as they’re becoming rarer and more expensive.    The second phase is the expansion of the attack to spread to all parts of the network or system. As we’ve mentioned, APT attacks are not hit-and-run. With time on their side, hackers can wait patiently in the network before gaining full access and control of it.   Thirdly, there’s the attack itself. This could involve collecting data and exfiltrating it, or disrupting critical infrastructure systems. Furthermore, several APT attacks have started with a distributed denial-of-service (DDoS) attack which acts as a smokescreen as data that’s been amassed over what could be months or years is exfiltrated. 
Notable nation-state attacks The most sophisticated: Stuxnet is widely believed to have been developed by the USA and Israel for use against Iran’s uranium enrichment program. It disrupted the plant’s uranium centrifuges by varying their spin rate, but not enough to cause them to shut down. Furthermore, false data was displayed back to the controller, so employees thought everything was business as usual.. Designed to be delivered by an infected USB stick, it could cross the air gap that protected the plant. However, it got out into the wild when an engineer took his infected laptop home from the plant, and connected it to the internet.   The biggest: 2015’s Anthem breach (China was reported to be behind it) saw the sensitive personal data of approximately 78.8 million Americans fall into the wrong hands. Brian Benczkowski, the assistant attorney general in charge of the Department of Justice Criminal Division, called the Anthem hack “one of the worst data breaches in history.”    The data wasn’t ransomed back to the company, and the reasons for the attack remain unclear. By 2019 the DOJ unsealed an indictment charging two Chinese nationals for the attack, but an indication of the alleged hackers’ motives or affiliation was noticeably absent. Current thinking is that it will be used for identity theft or to identify interesting individuals or Government employees for further exploitation and attack. Only nation-states have the resources to process that much intel and find the 100 or so people whose credentials can be further targeted. As for Anthem, the breach cost them over $40 millionto settle the resulting claims, and clear up the mess. 
What’s the future of nation-state attacks?    The Anthem breach and others led to a very loose set of guidelines on what is, and what is not, acceptable. This was hammered out between former President Obama and President Xi Jinpingof China in 2015, but none of this has the force of law like the Geneva Convention. And with an actor like Russia currently in a highly aggressive position, it’s reasonable to expect an escalation until desired political goals are achieved.  Attack types are likely to evolve, too. One example: wipers.. Unlike ransomware, where you pay the money and (hopefully) get your data back, a wiper will display the message as it’s erasing all your data. They’re a class of malware that have a narrowly targeted use, but if someone decided to let those loose, the damage could be astronomical. And worryingly, they’ve already been spotted in Ukraine.
How to protect your organization from nation-state attacks The federal Cybersecurity & Infrastructure Security Agency (CISA) posted a bulletin, titled “Shields Up,” which includes an evolving overview of the current cyber threat environment and specific steps that organizations, corporate leaders, and CEOs can take to bolster their cyber defenses. We have more on those recommendations, as well as how to foster a risk-aware culture, in this blog post. Enacting these defenses and upskilling your team is the best way to protect your organization from Nation-state attacks.   For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn
Read Blog Post
Human Layer Security
Fostering a Risk-Aware Culture is Key to Ensuring Your Organization’s Cybersecurity
By John Filitz
Tuesday, March 8th, 2022
Operational complexity and risk are increasing. As the pandemic and the war unfolding in Ukraine have laid bare, risk can manifest unexpectedly. On the cybersecurity front, the risk faced by organizations is increasing steadily year-over-year, with threat actors continuously refining attack methodologies. This in part explains why the cost and impact of cybercrime damages is expected to reach $10.5 trillion by 2025 – a 350%+ increase from 2015.
Cyber threats are increasing  In response to this shifting cyber threatscape, the US government issued an Executive Order on the 12th of May 2021, recognizing the need to strengthen the nation’s cybersecurity posture for public and private sectors alike. The war against Ukraine has increased the threat of nation-state cyber attacks and has underscored the need to improve cyber resiliency for both the public and private sectors. This has prompted the US Cybersecurity and Infrastructure Agency (CISA) to issue a Shields Up notice for heightened awareness and increased protection for critical assets.   The Shields Up guidance includes the following recommendations:   Reduce the likelihood of a damaging cyber intrusion Validate remote access Ensure software is up to date Disable all non-essential ports and protocols   Take steps to quickly detect a potential intrusion Identify and quickly assess unusual network activity Ensure the organization’s network is protected by antivirus/anti-malware software    Ensure that the organization is prepared to respond if an intrusion occurs Designate a crisis-response team Assure availability of key personnel Conduct a table-top exercise so that all participants understand their roles during an incident   Maximize the organization’s resilience to a destructive cyber incident  Test backups procedures  to ensure that critical data can be rapidly restored i.e. Recovery Time Objective in hours vs days   The Shields Up guidance also calls for empowering CISOs, lowering the barriers to reporting threats, as well as focussing on investments and resilience that support critical business functions. It also recommends planning for the worst-case scenario, like disconnecting high-impact parts of the network in the event of an intrusion.   As CISA rightly pointed out, basic cybersecurity best practice is important, too. This includes:   Multi-factor authentication Updating and patching software Improving email security defenses to prevent phishing attacks Having an effective password policy in place and using strong passwords
The importance of a risk-aware culture   Moving beyond the Shield Up guidance, improving cybersecurity for critical industries and non-critical industries starts with ensuring that organizations have adopted a risk-aware mindset and culture. Evidence of this includes having well-developed and routinely exercised business continuity and disaster risk reduction plans – and ensuring that these are updated in accordance with the business strategy and objectives regularly.   Routinely reviewing the risk and threatscape is important, too. In addition to cyber risk, some of the other key risks for consideration in risk mitigating planning include environmental disaster risk, biological risk and man-made risks, such as insider threats, accidents and geopolitical risk.   But, the reality for most organizations is that it’s difficult to balance risk mitigation with a slew of other competing priorities.    Part of the challenge facing risk managers and risk mitigation efforts often includes inadequate resourcing (financial and non-financial). But the greatest impediment concerns the lack of prioritization of risk mitigation by the C-Suite as a business critical function.   Although the importance of prioritizing cybersecurity is starting to get due attention, the roots of the problem stem from the early days of viewing cybersecurity as a strictly IT function. As businesses digitally transform, data and information systems are now seen as the lifeblood of business.   Successful businesses are increasingly fostering a risk-aware culture that prioritizes the importance of cybersecurity along with key business objectives. These leaders understand that the robustness of the risk and the cybersecurity posture can determine whether a business survives a cyber disaster event.   Viewed this way, the cybersecurity resiliency of a business is integral to a business achieving its desired objectives. 
Getting C-Suite buy-in    Often getting C-Suite buy-in for cybersecurity initiatives can be challenging. We have detailed a number of ways on how to get the necessary buy-in. At a high-level, we provide an overview of the three steps below:   Firstly, it’s about getting the C-suite to understand the risk and whether the current cybersecurity posture is commensurate with the threatscape.    The second step entails quantification of that risk. It’s important to quantify what the financial fall-out would be from a successful cyber attack. There are also important non-financial aspects that need to be considered, such as reputational damage and a loss of customer trust.   Finally, it’s about understanding the business criticality of being able to successfully recover your data and information systems in the event of an attack, in the shortest possible time frame. The longer that a business does not have access to its data and information systems, the greater the risk of catastrophic business failure.
Taking a business critical approach to risk and cybersecurity planning   Given the importance of fostering a risk-aware culture and prioritizing cybersecurity as a business critical function, it is imperative that businesses routinely review the current and emerging threatscape – and take appropriate action.    As the past 24 months have borne out, risks that might not have been in the purview for decades can manifest within a short time-frame.    A key part of taking a business critical approach to risk and cybersecurity entails regularly testing cyber defenses and ensuring that emerging threats are addressed as they arise, and with the urgency that they deserve. Additional resources To help ensure you’re prepared for today’s threats, we’ve included some resources from CISA and the UK’s National Cyber Security Center (NCSC)   CISA: Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure:   CISA: Shields Up guidance:   CISA: Known Exploited Vulnerabilities (KEV) Catalog:   CISA: Insights on Preparing for and Mitigating Foreign Influence Operations Targeting Critical Infrastructure:   CISA: Free Public and Private Sector Cybersecurity Tools and Services:   And guidance from the UK’s NCSC on what actions to take when the cyber threat is heightened:
Read Blog Post
Cyber Skills Gap
New Research: 1 in 3 Employees in IT and Security Teams Are Female
By Maddie Rosenthal
Monday, March 7th, 2022
As the global job market has contracted over the last 18 months, cybersecurity has expanded, putting IT and security professionals in higher demand than ever. But diversity is still a big problem in the industry and it’s one that security leaders, HR teams, and recruiters are desperately trying to solve.    And, while there’s still room for improvement, new research shows that organizations are prioritizing diversity and inclusion (D&I), and it’s paying off: 1 in 3 employees in IT and security teams are female.    Why is diversity so important in cybersecurity?    We know instinctively why D&I matters from an ethical perspective. But, year after year, research from consulting firms like McKinsey show there’s a strong business case for diversity, too. It helps boost innovation, increase job satisfaction, and helps drive higher profitability, market share, and return. It’d also have a big impact on the global economy.    The Center for Economics and Business Research quantified just how much of an impact…   If the number of women working in cybersecurity rose to equal that of men, we’d see a $30.4 billion boost to the industry’s economic contribution in the US and a £12.6 billion boost in the UK. And, if women earned as much as their male counterparts, we’d see billions more pour in, with a further $12.7 billion added in the US and £4.4 billion in the UK.   So, how diverse is the industry today?
How diverse is the industry today?   A recent survey of 250 IT leaders in the US and UK revealed that: On average, one in three (33%) employees in IT and security teams, in UK and US organizations, are female  IT leaders in US organizations have slightly more diverse teams, with 36% of their team being female, versus 30% of IT teams in UK organizations  Larger companies are more likely to have greater diversity in their teams. 36% of IT teams in medium sized businesses (25-499 employees) are female, and 34% of IT teams in large enterprises (1000+ employees) are female. This drops to 29% in small businesses (2-49 employees)  But it’s not just about gender. It’s about geo, professional experience, educational background (or lack thereof), age, religion, and more.    According to a 2021 report from (ISC)2, while minority professionals make up a significant portion of the cybersecurity workforce, they’re underrepresented across senior roles within their organizations. Among minority cybersecurity professionals, just 23% hold a role of director or above, 7% below the U.S. average.    And, interestingly, minorities who have advanced into leadership roles often hold higher degrees of academic education than their Caucasian peers who occupy similar positions. Of minorities in cybersecurity, 62% have obtained a master’s degree or higher, compared to 50% of professionals who identified as White or Caucasian.    That said, progressive IT leaders do have objectives in place to hire people from a more diverse range of backgrounds: 56% of IT leaders in US organizations have objectives around increasing efforts to hire people from more diverse range of backgrounds in 2022 46% of IT leaders in UK firms have objectives have objectives around increasing efforts to hire people from more diverse range of backgrounds in 2022 65% of large businesses (1000+ employees) have objectives around increasing efforts to hire people from more diverse range of backgrounds in 2022 This begs the question: what can organizations do to ensure a more diverse workforce, including diverse leadership?    How can organizations hire (and keep) diverse talent? Hiring diverse talent   To better understand what would encourage more diversity in cybersecurity, we asked female practitioners what would make the biggest impact. Here’s what they said:   !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//");   According to Tessian’s CISO, Josh Yavor, job descriptions and requirements are turning people off and away, too.    “We have to look at the terrible multi-decade history of awful job descriptions and requirements in cybersecurity. This industry is bad at posting entry-level descriptions that require unreasonable levels of experience and this makes it impossible to hire anyone. The challenge I give to hiring managers is to ask them, what does 5-10 years of experience actually mean to you? What does 5-10 years of experience look like and what value does that actually provide?” Josh explained.   It’s essential that organizations remove barriers to entry like 4-year degrees, cybersecurity certifications, and previous experience. Of course, IT skills and knowledge of computer science and engineering may be prerequisites for some roles in cybersecurity. But all roles require soft skills.For example, data analytics, analytical thinking, creative thinking, and collaboration.   Retaining diverse talent   The Great Resignation of 2021 has continued well into 2022, with record high numbers of people quitting their jobs and seeking opportunities for better positions, better pay, better work/life balance and even exploring a career in a completely new industry.   According to our latest survey of 2,000 employees in UK and US businesses, 55% are considering leaving their current employer this year. The most likely department to be on their way out? IT.    That means retaining diverse talent is just as important as hiring diverse talent.    How? Prioritize employee wellbeing, promote flexibility, offer good perks (which means more than just snacks, beer, and ping pong), build a good company culture, and invest in career development.   Looking for a new gig? If you’re looking for your next gig, and want all of the above ☝ explore Tessian’s open roles.
Read Blog Post
18 Examples of Ransomware Attacks
Friday, March 4th, 2022
The ransomware crisis is getting out of control. With recent attacks on critical infrastructure, supply chain IT companies, and hospitals, the world is waking up to how serious this type of cyberattack can be.   IT leaders understand that ransomware is preventable—and they know how to protect against it. But still, increasingly many businesses are finding their computers locked, their files encrypted, or their customers’ personal data stolen.   From the widespread chaos caused by2017’s WannaCry attack to the recent REvil supply chain infection affecting up to 1,500 organizations—these 12 ransomware examples will help you understand what you’re up against.   Want to learn more about what ransomware is and how it’s delivered? Check out this article instead. 
Nvidia attempts “hack-back” after ransomware gang steals source code   After Nvidia fell victim to ransomware in late February 2022, the semiconductor giant didn’t take the attack lying down. Instead, Nvidia installed ransomware on the perpetrator’s own machines—but appeared not to solve its problem by doing so.   Nvidia was targeted by the ransomware group known as Lapus$, which stole the company’s source code, including a proprietary hash rate limiter that reduces the usefulness of Nvidia’s chips for cryptocurrency mining.   In an attempt to safeguard its intellectual property, Nvidia hired security experts to locate the attackers’ infrastructure and target it with a retaliatory ransomware strike.   While the revenge attack succeeded in infecting Lapus$’ computers—an act which, perhaps ironically, led the group to label Nvidia “criminals”—-Nvidia failed to retrieve its data as the group had backed it up.   In exchange for keeping Nvidia’s data private, Lapus$ demanded the company publish its GPU drivers as open source—in addition to paying a cryptocurrency ransom, of course.   Oil pipeline ransomware attack forces supply re-route   The BlackCat ransomware group launched a ransomware attack affecting 233 German gas stations on Jan. 29, 2022, causing disruption that forced oil company Shell to re-route supplies to different depots.   The attack is believed to have leveraged vulnerabilities in two software applications, Microsoft Exchange and Zoho AdShelf Service Plus1, enabling the attackers to exfiltrate “business secrets and intellectual property,” according to the German intelligence services.   The agency also said it feared the attackers might have infiltrated “the networks of customers or service providers” as part of the attack. In addition to rerouting supplies to avoid affected fuel depots, Shell said it may have to run some previously automated processes manually.   The attack has been attributed to BlackCat, a cybercrime group that mainly targets US organizations but has extended its operations into Europe.
Flights disrupted after ransomware hits Swiss airport   Airport operator Swissport was hit by a ransomware attack on Feb 3, 2022, resulting in grounded planes and flight delays at Zurich international airport.   The attack on Swissport—which provides air cargo operations and ground services—resulted in the delay of 22 flights. Swissport managed to contain the ransomware threat relatively quickly and most critical systems appear to have remained unaffected.   But because the attack came a week after the series of ransomware attacks on European oil services (detailed above), researchers suspect that the Swissport attack may have been part of a coordinated effort to destabilize European infrastructure.     Attack on Puma exposes nearly half of workforce’s personal information   Sportswear giant Puma lost control of around half of its employees’ personal information in February 2022, after ransomware actors hit the company’s cloud provider, Kronos Private Cloud (KPC).   Puma was forced to provide notification of the data breach to the affected employees and to Attorney General offices in multiple states. News website Republic World reported that the breach lead to the theft of data about 6,632 people.   Puma said no customer data had been leaked as a result of the attack, but that it had to resort to using “pencil and paper” to carry out certain business operations.
Ransomware strike on UK snack company threatens nation’s chips and nuts supply   A ransomware attack on UK food company KP Snacks made headlines in February 2022 after reports that it could lead to shortages of some of the nation’s favorite crisps (potato chips) and roasted nuts.   Following the incident, the snack firm wrote to stores warning them to expect significant disruption to supplies with deliveries expected to be delayed and cancelled until “the end of March at the earliest.” The company said it could not “safely process orders” until it had contained the attack.   News website Bleeping Computer reported that Cybercrime group Conti featured KP Snacks on its “data leak page,” showing examples of “credit card statements, birth certificates, spreadsheets with employee addresses and phone numbers, confidential agreements, and other sensitive documents” that the group had allegedly stolen from the company.     Ransomware attacks on Ukraine deemed a “decoy” for other cyber threats   Ukraine was hit by a variety of cyberattacks in the run-up to Russia’s invasion of the country in February 2022, including massive distributed-denial-of-service (DDoS), data wiper and ransomware attacks.   Wiper attacks hit Ukranian (and seemingly Lithuanian) servers on the morning of February 24, shortly before the Russian military launched an all-out war on the country. The wiper malware makes any device it infects unusable.   Researchers at Symantec said some ransomware attacks were also detected—but it’s possible that ransomware was used as a “decoy or distraction” from these other attacks.   In this case, ransomware’s disruptive nature made it the perfect distraction from the other cyberattacks that preceded Russia’s invasion.   Ransomware on candy manufacturer spoils Halloween   In October 2021, Ferrara—a candy manufacturer responsible for culinary delights such as SweeTarts, Nerds, Redhots, and Pixy Stix—announced a ransomware attack that could cause delays to production and affect Halloween deliveries.   The confectioner declined to reveal the extent of the damage caused by the attack but said it appreciated its customers’ “patience and understanding.”   Viewed in light of the hospitals, gas pipelines, and border agencies that have been hit by ransomware over the past year, Ferrara’s plight might seem insignificant—unless, perhaps, if America’s trick-or-treaters start coming home with empty baskets.
Sinclair Broadcast Group: Ransomware shuts down TV stations   US TV company Sinclair Broadcast Group was hit with ransomware in October 2021. The company operates over 600 channels, and this ransomware attack reportedly caused chaos within Sinclair’s internal and external operations.   The attack broke Sinclair’s email and phone systems and left the company unable to air certain ads and TV shows. Sinclair’s share price also dropped 3% on the day it announced the attack.   Several days after the incident, the company was still reportedly in disarray, with an anonymous source inside the company telling Vice that the attacker had “done a very good job… either by accident or by design.”   That last part is important. Once ransomware starts spreading, it takes on a life of its own—and it can quickly get out of control, causing more damage than even the attackers might have anticipated.   Vice’s source also condemned Sinclair’s alleged lack of preparedness for the incident, reportedly asking of their bosses: “Did you not have a plan? Did you not think this was a possibility? (…) In 2021, how could you not have a plan?”     Olympus hit by ransomware twice in five weeks   Japanese medical tech firm Olympus was hit hard by ransomware on September 8, 2021. The attackers encrypted Olympus’ network, disrupting the company’s EMEA operations. But just as the med-tech firm was recovering, it was attacked again on October 10, 2021—just one month after the first incident. This time, the attack impacted Olympus’ operations in the Americas.   We don’t know much about these two incidents, except that they are suspected to have been carried out by the Evil Corp ransomware gang. The attackers also reportedly used “Macaw Locker”—a new communications tool designed to evade US sanctions rules that had previously prevented victims from entering into negotiations with the group.   Ransomware actors have been known to strike the same victims multiple times—either because they have found a vulnerability they can exploit or because they know that the target is likely to pay up.     Weir Group faces $55m lost profits following ransomware attack   Scottish multinational engineering company Weir Group used its Q3 trading update to announce that it had been hit by ransomware—and that it expected profits to shrink by around 40 million GBP (55 million USD) as a result.   According to Weir Group’s statement, the incident—which occurred in early September 2021—forced the company to shut down its IT systems, enterprise resource planning operations, and engineering applications. Weir Group also said it expected the impact of the attack to continue into Q4 2021.   As a result of the ransomware incident, Weir Group said it had experienced 5 million GBP (6.8 million USD) in direct losses. But the company also said that the disruption indirectly caused by the incident was likely to cost nearly ten times that amount.   A $55 million loss would be a substantial blow for a company that expects its yearly profits to be around $316 million to $336 million—and a stark reminder of how destructive ransomware can be.      
Attack on Italian government agency exposes celebrities’ personal data   Ransomware isn’t just a cybersecurity threat—it can harm people’s privacy, too. In October 2021, an Italian public body responsible for safeguarding intellectual property rights—the Società Italiana degli Autori ed Editori (SIAE)—lost over 60 GB of data to the Everest ransomware group.   BleepingComputer later found this data—which reportedly included “national ID and driver’s license scans and documents relevant to contract agreements between SIAE and its members”—publicly available on Everest’s “extortion portal.”   The group appears to be selling the data for $500,000 after the SIAE failed to pay its ransom—a reminder that ransomware gangs will follow through on their threats. Italy’s data protection authority, the Garante per la Protezione dei Dati Personali (GPDP), is investigating the matter.     2017 WannaCry attack: The world’s first taste of how bad ransomware can get   Let’s start with an attack from several years ago—before “ransomware” was a household name—that shocked the world into taking cybersecurity more seriously.   The incident started in May 2017, when hackers infected a computer with the WannaCry ransomware. Within a day, users of over 230,000 computers worldwide found that their files had been encrypted—and that they could only retrieve their data by making a Bitcoin payment to the attackers.   How could WannaCry infect so many computers?   The original infection was initially believed to have resulted from a phishing email, but researchers later concluded that the ransomware took hold via a vulnerable SMB port.   From there, the infection spread to other computers that had not downloaded a recent Microsoft security update—the hackers used a tool called EternalBlue (developed by the U.S. National Security Agency) to exploit a zero-day vulnerability in Windows.   Wannacry caused chaos across multiple sectors in more than 150 countries. The U.K.’s National Health Service (NHS) was particularly badly affected—hospitals even had to cancel operations due to the disarray caused by the attack.   The actual ransom payments—between $300-$600 each—added up to a meager $130,634. But estimates of the overall costs associated with the attack range between hundreds of millions and billions of dollars.     Colonial Pipeline attack: ransomware affects critical infrastructure   On May 6, 2021, Ransomware gang Darkside hit the Colonial Pipeline Company, a utilities firm that operates the largest refined oil pipeline in the U.S., causing chaos at gas stations across the country and netting millions of dollars in the process.   Security analysts suspect that Darkside gained access to Colonial’s systems via a single compromised password—possibly after purchasing it via the dark web.   The cybercriminals targeted Colonial Pipeline’s computer systems, stealing nearly 100 gigabytes of data and impacting the company’s billing operations—but not the actual technology enabling the flow of oil through the pipeline.   Nonetheless, the company halted oil supplies throughout the duration of the attack, sparking fuel shortages and panic-buying throughout parts of the southern U.S. and prompting the Biden administration to issue a state of emergency.   Colonial Pipeline paid the Bitcoin ransom of around $4.4 million. But the more significant impact was on wider society. Ransomware had affected the supply and cost of gas—the hackers had broken through to people’s everyday experiences.
Fake invoice leads to Ryuk ransomware infection   Wire transfer phishing—where cybercriminals commit online fraud using a fake invoice and a compromised email account—costs businesses billions each year. But in this mid-2020 case, a fake invoice led not to a fraudulent wire transfer but to a ransomware infection.   An employee at a food and drink manufacturer opened a malicious Microsoft Word file attachment to an email, unleashing the Emotet and Trickbot malware onto their computer.   The malware created a backdoor into the organization’s systems, allowing the cybercriminals to gain access and deploy the Ryuk ransomware.   The company declined to pay the ransom in this case—but still incurred substantial costs. Over half of the organization’s systems were unusable for 48 hours, and the firm had to contract security experts to restore access.   Kaseya supply chain attack impacts 1,500 companies   The biggest ransomware attack on record occurred on July 2, 2021, when the REvil gang hit software company Kaseya. Organizations using Kaseya’s IT management software downloaded a malicious update that infected their computers with ransomware.   Victims received a ransom note informing them that their files had been encrypted. The note said users could retrieve their files by purchasing the cybercriminals’ $45,000 decryption software, payable in cryptocurrency.   The attack directly affected at least 60 firms—and it had downstream consequences for at least 1,500 companies. Even a Swedish supermarket chain was forced to close its doors after its payment processing equipment malfunctioned due to the attack.   A few days after the attack, a post on the cybercrime gang’s dark web page promoted a universal decryptor that could unscramble all data impacted by the attack—for the bargain price of $70 million.   The Kaseya ransomware attack was reminiscent of the notorious 2020 Solarwinds attack, which. while it did not involve ransomware, exposed the vulnerability of supply chains.   UK health service warns of Avaddon phishing attacks   In April 2021, the digital arm of the U.K.’s National Health Service (NHS) put out a warning about Avaddon ransomware, a type of ransomware that can “both steal and encrypt files” in “double extortion attacks.”   Avaddon typically arrives via a phishing email. The email contains a .jpeg or .zip file which acts as a downloader for the ransomware. In some cases, the application will terminate itself if it detects that you’re using a Russian keyboard layout. As mentioned, Avaddon not only encrypts your files—it can also steal and publicly leak them if you fail to pay the ransom.   What makes this double extortion method particularly harmful? Getting your important files encrypted is bad enough. You lose vital data and might need to cease operations until the situation is resolved.   But having your files stolen as well puts you at a heightened risk of penalties from regulators for failing to protect people’s personal data.   Stolen credentials lead to $4.4 million DarkSide attack   The North American division of chemicals distributor Brenntag lost around 150 gigabytes of company data in May 2021, when the DarkSide ransomware gang deployed ransomware on the company’s systems.   The cybercriminals reportedly demanded $7.5 million ransom, which the chemicals company managed to negotiate down to $4.4 million—a sum it reportedly paid DarkSide on May 14 to prevent the compromised data from being published.   So how did DarkSide get access to Brenntag’s systems? It appears the cybercrime gang (or one of its affiliates) purchased some of Brenntag’s user credentials on the dark web.   Credentials are a prime target for cybercriminals and are one of the data types most commonly compromised in phishing campaigns. For more information, see What is Credential Phishing?     COVID-19 testing delayed after Irish hospitals hit by ransomware   When Irish hospitals were attacked by a ransomware gang in May 2021, patient data was put at risk, appointments were cancelled, COVID-19 testing was delayed—and the world saw once again how far cybercriminals were willing to go to make money.   The hackers are believed to have targeted a zero-day vulnerability in a virtual private network (VPN) operated by the Irish Health Service Executive. The Russian cybercrime group responsible for the attack, known as Wizard Spider, reportedly demanded a $19,999,000 ransom.   After the Irish prime minister publicly declared that the country would not be paying the ransom, the healthcare system was forced to resort to keeping records on paper until the situation was resolved.
Read Blog Post
What We Learned From Our 7th Human Layer Security Summit
By Andrew Webb
Thursday, March 3rd, 2022
As the virtual curtain falls on our seventh Human Layer Security Summit we’d just like to say a huge thank you to our guests and to you, our attendees. There were some terrific insights, advice, and examples offered in every session – here’s what you missed..
New Vulnerabilities, Ransomware and Supply Chain Attacks: 3 Lessons to Make You Rethink Your Inbound Strategy To kick things off, Paul Laudanski (Head of Threat Intelligence at Tessian), hosted David Kennedy (CEO and Founder at TrustedSec), and Elvis Chan (Asst. Special Agent in Charge at the FBI). Together they discussed ransomware and supply chain attacks; how they’re often devastating for businesses, and how to protect against them.    As David says, “Why target one individual victim when you can target a thousand victims and get a much larger payout”. From the law enforcement side, Elvis Chan explains how we’re seeing more ‘ransomware as a service’, because as well as the technical elements of an attack, it’s also essential that bad actors can communicate clearly in English, and have access to money-laundering services to take the payment. “That’s a lot of sophisticated elements and organization,” says Elvis, “and that’s what the FBI is good at, going after syndicates and organizations”. Indeed, Elvis informs us that the FBI currently has over 100 investigations underway.
As for why phishing is the most popular attack vector, David explains “It’s the easiest method. Many organizations suffer from M&M syndrome – hard on the outside, soft on the inside. You have to do a lot of research to go against the perimeter.” Attacking the human, however, can be done much more easily, and once you’re inside, moving around is simple. David also explains how attacks disrupt three main areas “They’re going after your backups, they’re selling your data, and they’re hitting you with DDOS – until you pay.”
The Defense In-Depth Playbook: How to Augment Microsoft 365 to Supercharge Email Security Session 2 saw Matthew Pascucci (Director of Security Operations at Evercore) explain to Tessian CISO, Josh Yavor, how layering his security stack with solutions across network, endpoint, and application layers ensures they have the best possible defenses. “Microsoft are fantastic at what they do, but there are always areas for improvement,” says Matthew.    He explains how the partnership between Tessian and Microsoft, combines the best of rules-based solutions with behavioral solutions. “The key is having them build off each other,”he said. They go on to discuss Evercore’s ‘after event’ operations, and what procedures and documentation they have in place. “There should be an understanding from a user what happens when they get an ‘in the moment’ alert from Tessian – it’s there to protect them, not stop business,” says Matthew.    The session winds down with a discussion on why the days of on-prem Secure Email Gateways are numbered, and why the future is in the cloud. “There’s less patching, less hardware maintenance,” says Matthew. 
Preventing Advanced Attacks and Influencing Safe Behavior in the Fast-Paced World of Tech Next up was Ben Aung (Chief Risk Officer at Sage) in conversation with Tessian’s Solutions Engineer Ashley Bull. Sage is one of the UK’s largest technology companies, offering back-office software products and services for small and medium-sized businesses. As such, they hold some of their customers’ most sensitive data: HR, financial, and accounting records.    Ben explains how important support from the board of directors is, and how to put that support and interest from the board into action. “Winning that situation and making sure you set out your bigger picture in a way that’s easy to understand is key,” says Ben. He also explains what he loves about the capabilities of Tessian, and how he can tailor the advice specific to the user so that “in the moment, they’ll make the right judgment”.
Ensuring Ultimate Email Security in Law Firms, Where Reputation Is Everything Amelia Dunton (Customer Success Manager at Tessian) hosts Simon Lambe (Head of IT Security at Mishcon de Reya) and David Aird (IT Director at DAC Beachcroft) to discuss why your reputation is crucial in any global law firm. Simon details how he has to balance the speed of response times with data protection. – while also protecting clients’ most important information.   David highlights how some of the practices that might be permissible in another sector, aren’t in the legal sector. Simon then details how he’s developed the cybersecurity strategy at Mishcon around three pillars – prevention, detection, and recovery. “I think historically people thought only about prevention,” he adds. They both then discuss risk appetite, and how it needs to be business-focused, not technology-focused.    Finally, Amelia (who revealed herself as a DLP nerd 🤓), asks Simon for some of his data loss prevention examples; including finding one employee selling company IP to a competitor.
Creating a New Identity for Modern Security: Why Organizations Should Prioritize Securing the Human Our next session has Matt Egan (Director of Technical Strategy at Okta) in conversation with Austin Zide (Product Manager at Tessian). They start by exploring Matt’s ‘hobby’, calling out brands with bad password policies. “Yeah I have a lot of fun with that!” says Matt – not all heroes wear capes.    Matt then explains what trends he’s most excited about in Human Layer Security, and how we’re moving to a world of protecting the individual, not the IP address. He also details why many security teams are going wrong in security and specifically, identity – and how by changing this approach they can improve their overall security position. Finally, the session closes with how Tessian specifically integrates with Okta.
Security Philosophies from Trailblazers: Q&A with Helen Patton, Advisory CISO, Cisco Closing out the Summit is the awesome Helen Patton (Advisory CISO at Cisco) in conversation with our own Josh Yavor. Helen reveals what she considers security must-haves, such as good asset management, multi-factor authentication, vulnerability management, and incident response capabilities. “All those things are hard to do well, and all of those things combined are going to help you deal with the threats of the day, whatever they are,” says Helen.    She also explains how she uses Sounil Yu’s Cybersecurity matrix to find out where her strengths and weaknesses are, “it’s a maturity curve,” Helen said. She goes on to explain why it’s wrong to think of security as a technical discipline, and why it should be more a business discipline with a technical solution. Finally, she gives her thoughts on hiring. “When I look at job postings, and HR conversations, it’s broken,” she said. According to her, in order to improve the breadth of talent in the industry, we need a mindset change from what a security hire has done to what they will do.   So there you have it – That’s a wrap! If you want more from all seven summits, you can watch them on demand over on our knowledge hub. Sign up for our newsletter below and follow us on our social media platforms (LinkedIn and Twitter) so you’re first in the know for the next Human Layer Security Summit.  
Read Blog Post
ATO/BEC, Threat Intel
Analysis of a Microsoft Credential Phishing Attack
By Charles Brook
Friday, February 25th, 2022
Credential harvesting via phishing remains a significant threat to organizations. In early February 2022, we detected a credential harvesting campaign leveraging a fake Microsoft Outlook login page. Although Secure Email Gateways (SEGS) have URL rewriting protection capability, these types of phishing efforts typically go undetected through the usage of obfuscation techniques such as using superscript tags hiding the malicious code.
Summary of the attack   An email impersonating Microsoft was sent using Amazon Simple Email Service targeting multiple individuals at a specific organization. The email informed recipients their password was due to expire and they needed to follow a link to reset it.   The link in the email followed multiple redirects before landing on a credential phishing site impersonating the Microsoft Outlook login page. Analysis of this attack reveals it to be related to known phishing as a service (PhaaS) site where anyone can purchase tools and services for phishing.   Email Content   Below is a screenshot of the malicious email with a malicious link to reset the password. Note the usage of language (albeit with typos) expressing urgency around changing the end user’s password.
The threat actor sent the target recipients a request to change their Microsoft password that included a malicious link that would redirect to a credential harvesting website. Tailored to specific targets, the emails also appeared to be sent from an AWS Apps server using the Amazon Simple Email Service and passed security checks including SPF, DKIM and DMARC, meaning it is unlikely to be flagged as malicious.    Given the email appears to have been sent via Amazon SES, there is a chance the attacker may have compromised an AWS account. Alternatively they could have registered an account for the sole purpose of sending these emails and passing security checks since Amazon will be seen as a reputable sender.
Email body   When viewed from a mailreader these emails are fairly easy for the trained eye to spot. The main indicators being the grammatical errors that are common amongst phishing emails, as well as the suspicious link clickable from the button.   But underneath the message displayed was further evidence of the attacker going to great lengths through common phishing obfuscation techniques to make these emails difficult to detect.   The email body was base64 encoded which is not that uncommon for emails but still a technique attackers use to obfuscate the content of an email. Decoding this revealed the HTML used to construct the email. When focusing on the email body we find the attacker has added a series of HTML elements distributed randomly between the letters in the message.
Specifically the attacker has used superscript HTML tags to obfuscate the email body against common email security tools like SEGs.   <sup style=”display: none;”>YYCZPYYCZP</sup>   The attacker has added “display: none;” styling to each tag meaning the content of the element won’t appear in the displayed email. This means the recipient will only see the intended message displayed to them in a mail reader while making it difficult for legacy email security tools to pick up on any of the keywords that would indicate this as a phishing email.
By removing the superscript tags from the code we can more clearly see the message left behind that was displayed to the recipient.   Phishing URL   The email contained a phishing URL with the recipient address auto-populated at the end. The URL was added to a button labeled “Keep My Password”. Phishing link embedded in HTML email body        
The phishing link also contained a second URL nested in the query component of the first. The attacker is abusing an open redirect function in a well-known affiliate marketing network called Awin to redirect victims to the malicious site.   Phishing link from email:  hxxps://;id=201309&amp;p=hxxps%3a%2f%2fpcbmwc[.]org/fr#<recipient>@<domain>[.]com Which redirects to: hxxps://pcbmwc[.]org/fr#<recipient>@<domain>[.]com   The redirects are incorporated to bypass initial URL security checks common in legacy email security tools. Most security tools scanning URLs are likely to focus on the domain from the initial URL ‘awin1[.]com’ and recognise it as safe.   The domain in the nested URL ‘pcbmwc[.]org’ appears to belong to a buddhist monastery based in Patiya, Bangladesh. The site appears to be fairly basic and low budget, it is likely the attacker compromised this site and is using it to host part of their malicious infrastructure – an increasingly common tactic for phishing attacks.   The initial URL leads you to an apparently blank page. The source code reveals there is a script checking to make sure there is still an email address present at the end of the URL after the ‘#’. This is intended to be the target’s email address.  
If there isn’t an email address appended to the end of the URL then nothing will happen and you will stay on the blank page. If there is an email address included at the end, then the script redirects the target to the final landing page for the phishing site with that email address still included in the URL.   Link to the final phishing site:   hxxps://fra1.digitaloceanspaces[.]com/loskmwaksilopa/%23%25%5EE%26UY%23%26W%26%28%40.html#<recipient>@<domain>[.]com
Phishing Site Clicking the link from the original email will lead to the page below with the target’s email captured in the URL. The site is designed to resemble the Microsoft Outlook login page where you are prompted to enter your password. Looking at the source code for this site, it appears to be based on a previously seen template also used for Microsoft credential harvesting but with a few alterations.
To look as legitimate as possible, the site borrows graphics and styling directly from Microsoft owned CDNs. Entering a password into the box provided and clicking ‘Sign in’ would result in the email address from the URL and the password being captured and submitted through an AJAX post request to a php file hosted on a separate server.   PHP file:   hxxps://moliere[.]ma/aX3.php   The domain in the link to the PHP script appears to belong to a consulting firm based in Casablanca. If legitimate, then it too has likely been compromised by the attacker to host malicious infrastructure.   This script will most likely be what the attacker uses to harvest the credentials. It will either send the credentials to the attacker directly or store them in a location accessible by the attacker.    The source code of the site includes some jQuery scripts to perform a number of actions with the aim of making the site look and feel legitimate. This includes sections to provide feedback to the victim such as error messages and progress bars. One section checks to make sure the password entered isn’t blank and is more than one character long. Another section displays a fake progress bar after clicking sign in to give the illusion of a genuine login taking place.    If the credentials are submitted successfully then the victim is redirected to a genuine Microsoft login page and presented with the login screen again. The victim will assume that they entered their credentials incorrectly the first time and just carry on.   Another observation from the source code is that whoever wrote or borrowed the code has replaced most of the variable names and tag IDs with strings of seemingly random characters.    At closer inspection these random strings appear to be composed of various keyboard walk patterns. A keyboard walk is when you type a series of characters in the order they appear on the keyboard, for example ‘qwerty’ or ‘asdfg’. Often done by dragging a finger across the keyboard.   This has been done deliberately to make the code more difficult to read and follow without clearly labeled variables.
Phishing as a Service (PhaaS) The primary features and indicators from this phishing attack point to it being related to the BulletProofLink (aka BulletProftLink) phishing as a service site, which was detected and analyzed by Microsoft in late 2021.   This site offers phishing kits for sale to anyone and also offers infrastructure to host and run  malicious campaigns from. Phish kits or services will typically be available for sale for around $200.
Although there were some differences for the specific campaign analyzed here, the attack chain observed is virtually identical to that mapped out by Microsoft.  
This credential harvesting attempt is a good example of what is becoming a particularly common modus operandi to compromise an organization’s credentials and information system. The unfortunate reality is that such attempts have a high success rate of bypassing legacy and native email security controls. Threat actors are able to achieve this success through the use of obfuscation techniques that are tried and tested repeatedly against static, rule-based email security controls, until the desired outcome is achieved.   
With continuously advancing sophistication of phishing attacks, it becomes a matter of when, and not if, an organization’s legacy email security controls will be circumvented.  Behavioral cybersecurity solutions like Tessian are increasingly seen as a gamechanger and a necessity to ward off advanced social engineering-based attacks. Tessian detects and prevents phishing attacks as the one discussed on a daily basis for our clients. It does this by scanning not only the URL links, but all of the fields contained in an email and contrasts this against a historical mapping of the email ecosystem to determine using machine learning, whether the email is malicious or safe. End-users then receive in-the-moment security warnings prompting them towards safer action.
Appendix: Indicators Email Body (decoded) <sup style=”display: none;”>YYCZPYYCZP</sup>   URLs hxxps://;id=201309&amp;p=hxxps%3a%2f%2fpcbmwc[.]org/fr# hxxps://pcbmwc[.]org/fr# hxxps://fra1.digitaloceanspaces[.]com/loskmwaksilopa/%23%25%5EE%26UY%23%26W%26%28%40.html# hxxps://moliere[.]ma/aX3.php   Appendix: MITRE ATT&CK Framework The tactics and techniques used by the threat actor can be inferred based on analysis of the email and the phishing site that was active at the time of receipt.   TA0043: Reconnaissance  T1589: Gather Victim Identity Information T1589.002: Email Addresses T15905: Active Scanning   The attacker will have gathered email addresses to target either from data breaches dumped on the Internet or by scanning the target organizations’ public facing website for addresses, which will have most likely been found on their people page.   TA0042: Resource Development T1584: Compromise infrastructure T1584.004: Server T1588: Obtain Capabilities T1608: Stage Capabilities T1608.005: Link Target   The attacker will either have developed or obtained the scripts and pages used to construct their malicious email through a phishing as a service site. It also appears they may have compromised vulnerable web-servers to host some of their malicious infrastructure used for harvesting credentials including the redirection page, the malicious login page and the PHP script to collect the credentials. This could also have been provided as part of a PhaaS package.   TA0001: Initial Access T1566: Phishing T1566.002: Spear Phishing Link   The attacker sent emails impersonating Microsoft containing a phishing link aimed at harvesting credentials. These emails were sent from an AWS Apps server via Amazon SES. Meaning the attacker may have compromised an existing AWS account or set one up for this campaign.   TA0005: Defense Evasion   A number of techniques were employed to evade detection. The first is the use of Amazon SES to make emails appear reputable and pass security checks. The attacker also obfuscated the message in the email by placing hidden HTML elements at random intervals, making it difficult for security tools to pick up on keywords.   An open redirect was also used in the phishing URL to send the recipient to the malicious site via a trusted one first. Security tools and the recipient will often see the domain for the trusted site and assume the URL is safe.
Read Blog Post
Email DLP, Data Exfiltration
What is Data Exfiltration? Tips for Preventing Data Exfiltration
Tuesday, February 22nd, 2022
Data is valuable currency. Don’t believe us? Data brokering is a $200 billion industry…and this doesn’t even include the data that’s sold on the dark web.   This data could include anything from email addresses to financial projections, and the consequences of this data being leaked can be far-reaching. Data can be leaked in a number of ways, but when it’s stolen, we call it data exfiltration. You may also hear it referred to as data theft, data exportation, data extrusion, and data exfil.
  This article will explore what data exfiltration is, how it works, and how you can avoid the fines, losses, and reputational damage that can result from it.   Types of data exfiltration   Data exfiltration can involve the theft of many types of information, including:   Usernames, passwords, and other credentials Confidential company data, such as intellectual property or business strategy documents Personal data about your customers, clients, or employees b Keys used to decrypt encrypted information Financial data, such as credit card numbers or bank account details Software or proprietary algorithms   To understand how data exfiltration works, let’s consider a few different ways it can be exfiltrated.  Email    According to IT leaders, email is the number one threat vector. It makes sense.    Over 124 billion business emails are sent and received every day and employees spend 40% of their time on email, sharing memos, spreadsheets, invoices, and other sensitive information and unstructured data with people both in and outside of their organization.    Needless to say, it’s a treasure trove of information, which is why it’s so often used in data exfiltration attempts. But how?   Insider threats can email data to their own, personal accounts or third-parties External bad actors targeting employees with phishing, spear phishing, or ransomware attacks. Note:96% of phishing attacks start via email.   Remote access   Gaining remote access to a server, device, or cloud storage platform is another data exfiltration technique.   An attacker can gain remote access to a company’s data assets via several methods, including: Hacking to exploit access vulnerabilities Using a “brute force” attack to determine the password Installing malware, whether via phishing or another method Using stolen credentials, whether obtained via a phishing attack or purchased on the dark web   According to 2020 Verizon data, over 80% of “hacking” data exfiltration incidents involve brute force techniques or compromised user credentials. That’s why keeping passwords strong and safe is essential.   Remote data exfiltration might occur without a company ever noticing. Consider the now infamous 2020 SolarWinds hack: the attackers installed malware on thousands of organizations’ devices, which silently exfiltrated data for months before being detected.   Physical access    As well as using remote-access techniques, such as phishing and malware, attackers can simply upload sensitive data onto a laptop, USB drive, or another portable storage device, and walk it out of a company’s premises..   Physically stealing data from a business requires physical access to a server or device. That’s why this method of exfiltration is commonly associated with current or former employees.   And it happens more frequently than you might think. One report shows that:   15% of all insiders exfiltrate data via USBs and 8% of external bad actors do the same 11% of all insiders exfiltrate data via laptops/tablets and 13% of external bad actors do the same   Here’s an example: in 2020, a Russian national tried to persuade a Tesla employee to use a USB drive to exfiltrate insider data from the company’s Nevada premises.  
How common is data exfiltration?   So how significant a problem is data exfiltration, and why should your company take steps to prevent it? It’s hard to say how often data is successful exfiltrated from a company’s equipment or network. But we know that the cybercrime methods used to carry out data exfiltration are certainly on the increase.   For example, phishing was the leading cause of complaints to the FBI’s Internet Crime Complaint Centre (IC3) in 2020. The FBI’s data suggests that phishing incidents more than doubled compared to the previous year. The FBI also reported that the number of recorded personal data breaches increased from around 38,000 to over 45,000 in 2020.   Verizon’s 2020 data suggests that companies with more than 1000 employees were more likely to experience data exfiltration attempts—but that attacks against smaller companies were much more likely to succeed.   Verizon also noted that “the time required to exfiltrate data has been getting smaller,” but “the time required for an organization to notice that they have been breached is not keeping pace.” In other words, cybercriminals are getting quicker and harder to detect.   Consequences of data exfiltration   We’ve seen how data exfiltration, and cybercrime more generally, is becoming more common. But even if a company experiences one data exfiltration attack, the consequences can be devastating. There’s a lot at stake when it comes to the data in your company’s control.   Here are some stats from IBM about the cost of a data breach:   The average data breach costs $3.6 million The cost is highest for U.S. companies, at $8.6 million Healthcare is the hardest-hit sector, with companies facing an average loss of $7.1 million   What are the causes of these phenomenal costs? Here are three factors:   Containment: Hiring cybersecurity and identity fraud companies to contain a data breach is an expensive business—not to mention the thousands of hours that can be lost trying to determine the cause of a breach. Lawsuits: Many companies face enormous lawsuits for losing customer data. Trends suggest a continuing increase in data-breach class action cases through 2021. Penalties: Laws such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) enable regulators to impose significant fines for personal data breaches.
How to prevent data exfiltration Understanding the form, causes, and consequences of data exfiltration is important. But what’s the best way to prevent data exfiltration? 🎓 Staff training Business leaders know the importance of helping their employees understand information security.  Staff training can help your staff spot some of the less sophisticated phishing attacks and learn the protocol for reporting a data breach. However, while staff training is important, it’s not sufficient to prevent data exfiltration. Remember these words from the U.K.’s National Cyber Security Centre (NCSC): “No training package (of any type) can teach users to spot every phish. Spotting phishing emails is hard.” 🚫 Blocking or denylisting To prevent data exfiltration attempts, some organizations block or denylist certain domains or activities. This approach involves blocking certain email providers (like Gmail), domains, or software (like DropBox) that are associated with cyberattacks. However, this blunt approach impedes employee productivity. Denylisting fails to account for the dynamic nature of modern work, where employees need to work with many different stakeholders via a broad variety of mediums. 💬 Labeling and tagging sensitive data Another data loss prevention (DLP) strategy is to label and tag sensitive data. When DLP software notices tagged data moving outside of your company’s network, this activity can be flagged or prevented. However, this approach relies entirely on employees tagging data correctly. Given how much data organizations handle, the manual process of tagging isn’t viable—employees may label incorrectly or not label sensitive at all. 🔒 Email data loss prevention (DLP) Email is a crucial communication method for almost every business. But, as we’ve seen, it’s also a key way for fraudsters and criminals to gain access to your company’s valuable data. According to Tessian platform data, employees send nearly 400 emails a month. In an organization with 1,000 employees, that’s 400,000 possible data breaches each month. That’s why security-focused organizations seek to lock down this critical vulnerability by investing in email-specific DLP software. ⚡ Want to learn more about email DLP? We cover everything you need to know here: What is Email DLP? Complete Overview of DLP on Email. How does Tessian prevent data exfiltration? Tessian uses stateful machine learning to prevent data exfiltration on email by turning an organization’s own data into its best defense against inbound and outbound email security threats.   Our Human Layer Security platform understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity like data exfiltration attempts and targeted phishing attacks.  To learn more about how Tessian detects and prevents data exfiltration attempts, check out our customer stories or talk to one of our experts today.
Read Blog Post
ATO/BEC, Human Layer Security
Playing Russian Roulette with Email Security: Why URL Link Rewriting Isn’t Effective
By John Filitz
Friday, February 18th, 2022
Malicious URL link-based attacks are tried and tested methods for threat actors to compromise information systems. Although legacy Secure Email Gateway (SEG) vendors offer URL link rewriting protection – also referred to as time-of-click protection – there are significant limitations in the degree of protection provided by this security control.    Unlike behavioral cybersecurity solutions like Tessian that dynamically and in real time scan all of the content in an email, including URL links and attachments, SEGs rely on a manual, rule-based threat detection approach. But with this approach, your protection is only as effective as the rules and policies you have created, combined with the relevancy of your threat detection engine.    The static approach to malicious URL link detection by SEGs explains why zero day threats often get through defenses. And the lack of machine learning scanning capability also explains why threat actors are able to successfully hide malicious URLs either as attachments or even in plain text.  For example, APT 39 successfully leveraged malicious URL links that  were hidden or attached in phishing emails to carry out an elaborate espionage and data gathering campaign, across multiple jurisdictions. Similar attacks are usually but not exclusively motivated by credential harvesting for Account Takeover (ATO) purposes.
How URL link rewriting protection works   SEGs that offer URL link rewriting typically scan and rewrite URLs that are contained in any inbound email via its own network. This means all links contained in any email received through the gateway are rewritten via the email security vendor’s system.     URL link rewriting detects malicious URL links at the time of a user clicking on the link by analyzing the link against key criteria specified in the security rules and policies, as well as against its threat repository of known malicious URLs.    When it comes to the security rules and policies, SEGs require the security admin to set the degree to which URL categories are scanned and also allows select email groups in an organization to be included or excluded. The scanning intensity settings typically range from relaxed, moderate to aggressive.    If a URL link is determined to be malicious based on rules and policies, as well as the reputation of the link, the end-user will be notified and warned against accessing the malicious URL.
Five shortcomings of URL link rewriting protection    1. URL link rewriting is an overly manual security control prone to human error   URL link rewriting or time-of-click protection requires a significant degree of manual security rule and policy orchestration. Due to the post-delivery approach of allowing malicious URLs to be delivered and only scanning URLs upon being clicked, without well-configured URL detection rules and policies, the security effectiveness of this static control is significantly compromised.The static nature of URL policy and rule orchestration also opens up the probability of human error introducing security risk, by either failing to set the appropriate degree of URL scanning intensity, or failing to include appropriate user groups.     2. URL link rewriting is ineffective at protecting against zero day attacks   URL link rewriting offers protection against known threats only. It offers limited protection against zero day attacks. For example, registering new domains or hijacking existing “trusted” domains are popular methods of evasion by threat actors. Once the threat actor has evaded security controls aka passed through the gateway, they have unfettered access to end-users who are under the impression that the email and included URL link has been scanned and is safe. Usually only after a successful compromise is the malicious URL threat detection engine updated.     3. URL link rewriting lacks the intelligence to detect advanced phishing subterfuge    Threat actors find sophisticated ways to obfuscate malicious URLs. They typically do not include malicious URLs in the email but often hide them in “safe” URL redirects or in attachments that are not commonly used, or are outside of the security policy ambit. Upon opening the file or clicking on the URL link, victims are taken to what appears to be a legitimate website, which redirects to a malicious website appearing as a trusted services provider.       4. Protection starts and stops at the gateway   URL link rewriting can be deployed from within the organization via a lateral phishing attack. Malicious URLs can be deployed from trusted sources within the organization and thereby misses the gateway protection.      5. If all you have is a hammer, everything looks like a nail   URL link rewriting offers no protection against cross-site scripting (XSS) attacks. In this type of attack, threat actors will send a benign looking URL link to a victim, usually from a legitimate but recently compromised website. Here the threat actor is able to capture credentials from the victim, for example on a log-in page of the compromised website. Legacy email security solutions would have determined that the link is “safe” even if the email was received from an unknown or suspicious party.
The need for intelligent email security    Email-based attacks remain the overwhelming favorite vector for attack. The forever evolving and advancing nature of email based threats has placed the effectiveness of legacy email security controls into sharp focus.    With its static orchestration and binary threat detection approach, URL link rewriting is the embodiment of legacy approaches to addressing email security risk. Simply stated, this security control is no longer fit for purpose in a dynamic threatscape, where threat actors are continuously honing their capabilities at circumventing rule-based security controls.  Only by leveraging email security solutions that have machine learning and contextually aware scanning capability, can you significantly improve your email security posture. See why CISOs at some of the leading organizations around the world are selecting Tessian as the advanced email security provider of choice. Book a demo now.
Read Blog Post
Life at Tessian
Tessian Named One of the 2022 UK’s Best Workplaces™ for Wellbeing
By Tessian
Thursday, February 17th, 2022
We’re excited to announce that Tessian has been named one of the 2022 UK’s Best Workplaces™ for Wellbeing.   So, what was the criteria? The Great Place to Work® culture experts analyzed thousands of employee surveys, assessing their holistic experiences of wellbeing at work through fundamental facets of employee wellbeing, like:   Work-life balance Sense of fulfilment Job satisfaction Psychological safety Financial security Here are just some examples of how we support wellbeing at Tessian.   Refreshian Summer Last year, we launched what we call “Refreshian Summer”. This sees everyone in the company down tools on specific days through-out the summer months to rest, recharge and enjoy the sunshine. You can learn more about the initiative here.    Mental health support We wouldn’t have made it on this list if we didn’t take mental health seriously. And private healthcare in both the US and the UK and instant access to support via Spill help us take care of our people. With Spill, therapy sessions, mental health training, and feelings check-ins are just a click away.    Access to Employee Resource Groups (ERGs)   It’s important employees feel like they can bring their whole selves to work, and ERGs, or staff community groups, help ensure all Tessians can connect with their peers in a safe space. Two examples? Plus, an LGBTQ+ network, and Tes-She-An, a space created to support Tessians who identify as women.    In-depth Diversity and Inclusion (D&I) training   Over the last 18 months, Tessian has been taking steps towards creating a more diverse and inclusive place to work. Why? Well, it’s the right thing to do. Diversity is infinite and everyone should feel valued for who they are and have the opportunity to bring this to work.    Hear why D&I is important to all of us below, and read more about how we created a strategy to maximize impact here.    “Choice First” working policy   Tessian’s ‘choice first’ working policy allows employees to choose where they work – remotely, in the office, or hybrid. Those working remotely get substantial budgets to set up their home offices, and those working in the office or hybrid have access to hubs in London, Boston, Austin, and San Francisco. 
Want to work at Tessian? See if we have a role that interests you today.
Read Blog Post
Phishing 101: What is Phishing?
Thursday, February 17th, 2022
First things first: let’s answer the question at hand.
That’s the short and sweet definition. But, there’s more you need to know. Phishing is a common type of social engineering attack that cybercriminals have been conducting for decades. In this article, we’ll take a look at some different types of phishing, how these differ from “traditional” phishing, and how phishing attacks work. Wondering what social engineering is? Check out this article, which includes plenty of real-world examples.   Definitions of phishing If you look at the definition above, you’ll notice we made an important distinction in the last sentence. “Phishing is typically bulk in nature and not personalized for an individual target.” But, oftentimes, you’ll hear the word “phishing” used as an umbrella term to cover many types of online social engineering attacks, including:   Spear phishing: A phishing attack targeting a specific individual Whaling: A phishing attack targeting a company executive Smishing: Phishing via SMS Vishing: Voice-phishing, via phone or VoIP software What links all these types of attacks? They all involve some form of “impersonation” — the attacker pretends to be a person or institution that the target is likely to trust. But, in this article, we’ll focus on traditional “spray and pray” phishing attacks. It’s one of the most straightforward types of online social engineering attacks.   Importantly, this “old-school” form of cybercrime is distinct from all the examples above because:   Unlike smishing or vishing, phishing attacks occur via email. Unlike spear phishing and whaling, traditional phishing isn’t targeted. Attackers send phishing emails indiscriminately, rather than emailing a specific individual. If you’re scratching your head trying to figure out how phishing is different from spam, we’ve answered all your questions in this article: Spam vs. Phishing: The Difference Between Spam and Phishing.   How phishing works   Let’s take a real-life example of a phishing attack to see how this type of cybercrime works. It appears to comes from a brand most of us know and trust: Netflix.
So, what makes it a phishing email? The “UPDATE ACCOUNT NOW” button leads to a malicious website (not Netflix’s genuine website) designed to steal payment information. But, the average person wouldn’t know that.   The email arrived from “” — a person could reasonably believe this was a genuine Netflix email address The “Help Center” and “Communications Settings” links lead to Netflix’s actual website The Netflix logo and branding look authentic But look a little closer, and you’ll notice a few giveaways.   The greeting is generic (“Hello ,”). This suggests that this is a bulk email sent to many recipients. The email asks for payment details. Netflix will never request payment information via email. There’s a typo (“We re here if you need it”). Typos are increasingly rare in phishing emails, but they should always raise a red flag.   This is not your typical “Nigerian prince” scam and it’s easy to see why so many people – both consumers and employees – fall for these scams. If you’re looking for statistics to back this up, check out this article: Must-Know Phishing Statistics (Updated 2021).   Note that this scam appears to use “email impersonation”: the sender address ( looks like it could be an authentic Netflix domain, but Netflix doesn’t own that domain at all. Hackers can also use account takeover and email spoofing for more advanced phishing attacks.   What is phishing for?   We’ve looked at how criminals use different methods to conduct phishing scams and target different types of people. But why do they do it? Attackers use phishing scams to target different types of resources. For example: Credentials. Cybercriminals steal usernames and passwords to sell them on the dark web, access company data, or conduct account take-over attacks. Personal information. Addresses, social security numbers — even lists of names associated with a particular platform can be valuable to cybercriminals, who can use them to target spear phishing attacks. Money. Phishing attacks aiming to trick the target into transferring money to the attacker are common, but they’re normally reserved for more sophisticated types of phishing such as Business Email Compromise (BEC), which the FBI calls “the $26 billion scam.” Want to know which of these resources hackers target the most frequently? Download this infographic.   How common is phishing?   Phishing has become a huge criminal industry, and there’s no sign of it getting smaller. Here are some of the latest statistics:   The FBI’s Internet Crime Complaint Centre (IC3) 2020 Internet Crime Report cites phishing as the leading cause of cybercrime complaints. Phishing complaints more than doubled between 2019 and 2020. According to Verizon’s 2020 data breach report, 96% of phishing attacks arrive by email (smishing and vishing account for 3% and 1% of attacks, respectively). Phishing is on the rise. Microsoft’s 2021 Future of Work report shows that 80% of organizations experienced an increase in security threats in 2020 — and of these, 62% said phishing showed the most significant increase. As a major cause of data breaches, phishing is a considerable business expense. According to IBM, the average cost of a data breach in 2020 was $3.86 million.   Want more of the most up-to-date figures on phishing? Subscribe to our newsletter for monthly updates, straight to your inbox.  Now you know what “phishing” means, how common it is, and how much damage it can cause. If you want to learn how to protect yourself from phishing, check out our guidance on how to avoid falling for phishing attacks.
Read Blog Post