
Tessian Blog

Email DLP, Integrated Cloud Email Security
The Dark Side of Sending Work Emails “Home”
by Cai Thomas, Friday, October 11th, 2019
This article was originally published on TechRadar Pro.

In the last four years, the number of remote working jobs has more than doubled, as employers acknowledge the need to change traditional working practices. In fact, it's expected that 50% of the UK workforce will work remotely by 2020, further blurring the lines between home and the office. This shift has huge benefits: improving people's work-life balance, increasing employee productivity and boosting employee retention rates. However, it also poses a problem for one very important aspect of business: data security.

Data security is at greater risk because staff are more likely to send important, and even confidential, company information to personal email accounts, usually intending to work on documents at home. Worryingly, many are completely unaware of how risky these actions are. According to tech firm Probrand, nearly two-thirds of UK employees have forwarded customer emails to their personal email accounts, and 84% of them did not feel they were doing anything wrong.

So what are the risks of sending work home? And which workers do you need to be wary of?

1. The 24/7 worker

While many of the emails sent 'home' contain non-sensitive information, like travel arrangements, cinema tickets or food recipes, we've seen that around 10-15% of emails sent to personal accounts contain company-sensitive information. We've all been there: it's late on a Friday, the Monday deadline is looming, and the employee thinks, "I'll just have to finish this document at home over the weekend". So they send the document to their own, or their partner's, personal freemail account. This can have devastating consequences for the company's reputation and could destroy customers' trust in the business. The problem is that by sending emails 'home', the information the messages contain now sits in an environment that is not secured by the company, leaving the data vulnerable to cybercriminals.

It's also important to note that this simple act means your company is now at risk of breaching data protection regulations, like GDPR, because you, as the Data Controller, no longer have oversight of where the data is held. Boeing, for example, faced scrutiny after an employee shared a spreadsheet containing the personal information of 36,000 co-workers with his spouse, simply because she was better at Excel formatting than him. The incident sparked an internal security investigation and was brought to the attention of the Washington state Attorney General and other officials in California, because employee data had left the control of the company.

2. The leaver

We often see a spike in data exfiltration during an employee's notice period. Workers know they're not supposed to, but the temptation to take information that will give them an advantage in their new role is hard to ignore. As such, we see people sending company IP and client data to personal accounts before moving to another employer. This happens most frequently in industries such as financial services, legal, healthcare and recruitment, where a person's client base and network is king. Manually monitoring suspicious 'leaver' behaviour over email has become incredibly challenging for IT staff, because employee churn rises year on year: a study by LinkedIn found that young workers now switch jobs four times in their first 10 years after graduation. By not putting a stop to this, companies could lose their competitive advantage, as well as their clients' business, through leaked secrets, strategy and IP.

3. The malicious insider

This is where employees steal data from their company for personal or financial gain. Although less common, the threat of the 'malicious insider' is something businesses have come up against more frequently in the past few years. Employees will typically steal confidential company secrets and/or client data with the intention of selling it on the dark web or handing it to a competitor to damage their current employer. Just last year, Bupa fell victim to this crime when the personal data of 500,000 customers was sold on the dark web, while audit firm SRBC and Co.'s reputation was tarnished after its client's earnings estimate was maliciously leaked over email.

An intelligent solution for a flexible workforce

There can be no denying that monitoring all employee email behavior is an arduous task for IT and compliance teams. With the average employee sending and receiving 124 emails a day, and daily email traffic increasing 5% year on year, picking data exfiltration out of email logs is like finding a needle in a haystack. To tackle data being leaked to unauthorized accounts, some organizations opt to simply blacklist all freemail domains. However, this impedes productivity and is usually ineffective, given that many clients, small businesses and contractors use freemail accounts, as do prospective applicants looking for jobs at the company.

Businesses need a more intelligent approach to data exfiltration: one that looks at the emails each employee has sent and received in the past, in order to identify the non-business contacts each employee interacts with. Machine learning, for example, can learn the differences between authorized and unauthorized freemail accounts, and it can analyze email content to determine whether it is sensitive or non-sensitive. By doing so, it can make an accurate prediction as to whether an employee is exfiltrating data and acting against company policy.

There will always be reasons for people to bend the rules and leak data outside their organization, maliciously or for convenience. The consequences, though, could be devastating for any company: huge fines, loss of competitive advantage and a damaged reputation. So as more businesses adopt remote working practices, it's important that technologies are in place to ensure company-sensitive data is secure and not at risk of 'being sent home'.
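The contrast the article draws, between blacklisting every freemail domain and judging each message against the sender's own history plus the sensitivity of its content, can be shown in a few dozen lines. The following is an added example written for this page, not Tessian code: the freemail domain list, the regex stand-ins for a content classifier, and both mail logs are constructed for illustration, and a real deployment would build the history from months of logs and use a trained classifier rather than regexes.

```python
"""Outbound 'sending work home' detection built on each sender's own mail
history, contrasted with a blanket freemail blacklist.

Added example, not Tessian code. The freemail list, the sensitivity patterns
and both mail logs are constructed for illustration.
"""
import re
from collections import defaultdict

FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}  # assumed list

# Crude stand-ins for a "sensitive content" classifier (assumed patterns).
SENSITIVE = [
    re.compile(r"\bconfidential\b", re.I),
    re.compile(r"\bclient list\b", re.I),
    re.compile(r"\.(xlsx?|csv|pst)$", re.I),  # spreadsheet / mailbox exports
]


def _norm(addr):
    return addr.strip().lower()


def _domain(addr):
    return _norm(addr).rsplit("@", 1)[1]


def _is_sensitive(mail):
    """True if the subject or any attachment name matches a sensitivity pattern."""
    fields = [mail["subject"], *mail.get("attachments", [])]
    return any(p.search(f) for p in SENSITIVE for f in fields)


def build_history(log):
    """Map each address to the set of addresses it has exchanged mail with.
    Both directions count, so a client who writes in from a freemail account
    becomes a known contact for the employee who replied to them."""
    history = defaultdict(set)
    for m in log:
        src, dst = _norm(m["from"]), _norm(m["to"])
        history[src].add(dst)
        history[dst].add(src)
    return history


def blacklist_verdict(mail):
    """The blunt approach: block every freemail destination."""
    return "block" if _domain(mail["to"]) in FREEMAIL else "allow"


def history_verdict(mail, history):
    """Flag only freemail destinations that are new for this sender, and
    escalate when the message also looks sensitive."""
    to = _norm(mail["to"])
    if _domain(to) not in FREEMAIL:
        return "allow"
    if to in history.get(_norm(mail["from"]), ()):
        return "allow:known-contact"
    if _is_sensitive(mail):
        return "flag:new-freemail-with-sensitive-content"
    return "warn:new-freemail-contact"


def evaluate(history_log, outbound):
    """Return [(blacklist verdict, history verdict)] for each outbound mail."""
    history = build_history(history_log)
    return [(blacklist_verdict(m), history_verdict(m, history)) for m in outbound]


# Constructed sample data (not real traffic).
HISTORY_LOG = [
    {"from": "alice@companyinc.com", "to": "jo.client@gmail.com"},
    {"from": "jo.client@gmail.com", "to": "alice@companyinc.com"},
    {"from": "bob@companyinc.com", "to": "carol@companyinc.com"},
]
OUTBOUND = [
    # Alice replying to a client who uses a freemail account: legitimate.
    {"from": "alice@companyinc.com", "to": "jo.client@gmail.com",
     "subject": "Confidential: Q3 proposal", "attachments": ["proposal.docx"]},
    # Bob "sending work home" on a Friday evening: new freemail address, sensitive file.
    {"from": "bob@companyinc.com", "to": "bob.smith1984@gmail.com",
     "subject": "client list for the weekend", "attachments": ["clients.xlsx"]},
    # Bob sending himself something harmless.
    {"from": "bob@companyinc.com", "to": "bob.smith1984@gmail.com",
     "subject": "cinema tickets", "attachments": []},
    # Non-freemail destination: out of scope for this control.
    {"from": "carol@companyinc.com", "to": "partner@lawfirm.example",
     "subject": "Confidential draft", "attachments": ["draft.xlsx"]},
]

if __name__ == "__main__":
    for mail, (blunt, smart) in zip(OUTBOUND, evaluate(HISTORY_LOG, OUTBOUND)):
        print(f"{mail['from']} -> {mail['to']}: blacklist={blunt} history={smart}")
```

Run it and the first message shows the blacklist's false positive: Alice's reply to a client on Gmail is blocked by the blunt rule but allowed by the history check, while Bob's spreadsheet to a never-seen freemail address is the only message escalated. The history is keyed on full addresses, not domains, which is what lets the same freemail provider be fine for one sender and suspicious for another.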
ATO/BEC
Spear Phishing Demystified: the Terms You Need to Know
Thursday, October 10th, 2019
Jargon is a hallmark of all industries. Cybersecurity is no different, but using the right security terminology has a real impact. When an organization's data and systems are threatened by spear phishing attacks, being aware of evolving trends and the definitions of key terms could be the difference that helps prevent the next threat. Spear phishing is the number one threat facing businesses today, but research still suggests that "lack of knowledge and awareness about cyber-attacks could hinder the growth of the spear phishing protection market." In this article we define and explain key spear phishing concepts and terms. (To learn more about how to prevent spear phishing attacks with machine-intelligent technology, read about Tessian Defender.)

Spear phishing definition, and other attack types

Although media outlets and security companies rightly pay a lot of attention to spear phishing, advanced impersonation attacks come in many forms. Once you've read our breakdown of the key terms and what they mean, you'll come away with a clearer understanding of the range of sophisticated inbound email threats.

Spear phishing

Spear phishing describes an advanced impersonation phishing attack directed at specific individuals or companies. (See the "Other useful terms" section below for a definition of regular "bulk" phishing.) Like bulk phishing, spear phishing attacks are designed to trick people into taking an action such as transferring funds or clicking on a malicious link. Unlike bulk phishing, spear phishing attackers often gather and use personal information about their target to increase their probability of success. Because spear phishing emails are low-volume, more carefully constructed and more convincing in execution, they are far harder for traditional email security products to catch.

CEO fraud / executive fraud

CEO fraud is a type of spear phishing attack in which attackers impersonate a CEO or another high-level executive. The aim is to trick the executive's colleagues into carrying out actions that place data, money and/or credentials at risk. Attackers often use social engineering techniques (see "Other useful terms" below) to convey urgency and stop targeted employees from thinking twice about following the instructions of the "CEO". In one notorious example, an impersonation of Pathé France's CEO cost Pathé €19.2m.

Whaling

Whaling is related to CEO fraud, with one key difference: instead of impersonating senior executives and targeting lower-ranking employees, attackers target the big fish themselves (hence the term). A whaling attack might involve attackers trying to get the executive in question to divulge credentials or other sensitive organizational data. This information can then be used to access confidential systems, or to make subsequent spear phishing attacks within the organization more authentic and effective. Because they are many times more likely to be targeted than rank-and-file employees, because they tend to be very busy, and because of their access and influence, senior executives can be especially profitable targets for attackers.

Forms of impersonation used in spear phishing attacks

Although all spear phishing attacks revolve around impersonation of some kind, impersonation itself can take many forms. Attackers impersonate people on email in order to:
  • Steal money, data and credentials
  • Compromise systems
  • Take over accounts

Essentially, all spear phishing attacks use impersonation as a strategy. Mechanisms range from the easy (display name impersonation) to the complex (direct spoofing). Here's how we break impersonations down:

Business Email Compromise

According to the FBI, Business Email Compromise (BEC) attacks cost organizations $1.2bn in 2018 alone. BEC is closely related to spear phishing, and commonly confused with it, but is potentially still more damaging and severe. Attackers impersonate employees or external counterparties and send spear phishing emails to people within the targeted organization, using social engineering techniques to convince targets to wire funds outside the organization or to click on dangerous links that risk compromising systems and/or data. Readers should bear in mind that there are several different interpretations of BEC. For example, it's often confused with Account Takeover (ATO): ATO describes the unauthorized takeover of someone's actual account, using harvested credentials or brute-force password guessing.

Domain impersonation

These attacks involve attackers spoofing or impersonating an organization's domain in order to appear legitimate. There are three main kinds of domain impersonation: root, top-level and subdomain. Below is an example of each, using the domain companyinc.com as a starting point:
  • Root: companyceo@companyinc-outbound.com OR companyceo@c0mpanyinc.com
  • Top-level: companyceo@companyinc.net
  • Subdomain: companyceo@companyinc.secured-email.com

Display name impersonation

Display name impersonations involve attackers setting deceptive display names on their email accounts in order to mislead recipients. This might mean impersonating a senior executive within a company, or the name of a key supplier or partner. The technical skill required is effectively zero: most mainstream email clients let users change their display name in the account settings. Display name impersonations are particularly effective when received on mobile devices, as the sender's actual email address is usually hidden. Attackers can also set a display name that itself contains a genuine-seeming email address, such as "Thomas Edison <thomas@nationalphonograph.co>".

Freemail impersonation

Freemail impersonation describes spear phishing attacks where criminals use a fake personal email address of a senior-level executive. An attacker impersonating the CEO of a company (let's use Thomas Edison again) could send an email from thomas.edison@gmail.com to an employee in the finance department, for example, requesting an urgent transaction.

Automatic "out of office" replies are a useful tool for attackers planning freemail spear phishing campaigns. By probing lists of contacts, attackers can learn when a particular executive is out of the office. Details volunteered in OOO autoreplies may tell them how long the executive is away, and even where they've gone. With this knowledge, attackers are free to impersonate the executive's personal email account (or simply register an authentic-looking freemail address) and target the executive's colleagues with a convincing impersonation.
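The impersonation mechanisms above (root, top-level and subdomain domain impersonation, display name impersonation including an address embedded in the display name, and freemail impersonation) are all decidable from the From: header alone once you know the legitimate domain and the names worth protecting. The following classifier is an added example written for this page, not Tessian code: the legitimate domain companyinc.com and the executive name are taken from the article's own examples, while the freemail list, the homoglyph table and the sample headers are assumptions constructed for illustration.

```python
"""Classify the impersonation mechanisms described above for a From: header:
root, top-level and subdomain domain impersonation, display name impersonation
(including an address embedded in the display name) and freemail impersonation.

Added example, not Tessian code. The legitimate domain, executive list,
freemail list, homoglyph table and sample headers are all assumed.
"""
import re
from email.utils import parseaddr

LEGIT_DOMAIN = "companyinc.com"                      # assumed legitimate domain
EXECUTIVES = {"thomas edison"}                       # assumed protected display names
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}  # assumed list
# Digit-for-letter substitutions typical of lookalike domains (assumed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def _labels(domain):
    """Return (tld, second-level label, list of subdomain labels)."""
    parts = domain.lower().split(".")
    return parts[-1], parts[-2], parts[:-2]


def _normalize(label):
    """Strip homoglyphs and separators so c0mpany-inc compares as companyinc."""
    return label.translate(HOMOGLYPHS).replace("-", "").replace("_", "")


def classify(from_header):
    """Return a list of impersonation findings for one raw From: header value.
    An empty list means nothing matched; it does not prove the mail is genuine,
    because an exact-domain match can still be a spoof unless SPF/DKIM/DMARC
    were verified upstream."""
    display, addr = parseaddr(from_header)
    if "@" not in addr or "." not in addr.rsplit("@", 1)[1]:
        return ["unparseable"]
    local, domain = addr.lower().rsplit("@", 1)
    legit_tld, legit_sld, _ = _labels(LEGIT_DOMAIN)
    tld, sld, subs = _labels(domain)
    findings = []

    # 1. Domain impersonation, checked from most to least specific.
    if domain != LEGIT_DOMAIN:
        if legit_sld in subs:                        # ceo@companyinc.secured-email.com
            findings.append("subdomain-impersonation")
        elif sld == legit_sld and tld != legit_tld:  # ceo@companyinc.net
            findings.append("top-level-impersonation")
        elif legit_sld in _normalize(sld):           # ceo@c0mpanyinc.com, ceo@companyinc-outbound.com
            findings.append("root-impersonation")

    # 2. Display name tricks: a real-looking address embedded in the name,
    #    or an executive's name on an account outside the company domain.
    name = display.strip().lower()
    if "@" in name:
        findings.append("address-in-display-name")
    name_from_local = " ".join(re.split(r"[._-]+", local))  # thomas.edison -> thomas edison
    claimed = {re.sub(r"<.*>", "", name).strip(), name_from_local}
    if domain != LEGIT_DOMAIN and claimed & EXECUTIVES:
        findings.append("freemail-impersonation" if domain in FREEMAIL
                        else "display-name-impersonation")
    return findings


if __name__ == "__main__":
    # Constructed sample headers, not real traffic.
    for hdr in [
        "companyceo@c0mpanyinc.com",
        "companyceo@companyinc-outbound.com",
        "companyceo@companyinc.net",
        "companyceo@companyinc.secured-email.com",
        "Thomas Edison <thomas.edison@gmail.com>",
        '"Thomas Edison <thomas@nationalphonograph.co>" <mail@some-host.example>',
        "Thomas Edison <thomas.edison@companyinc.com>",
    ]:
        print(f"{hdr!r:75} -> {classify(hdr)}")
```

The checks are ordered from most to least specific so that companyinc.net is reported as top-level rather than root impersonation, and the executive-name check runs on both the display name and the local part, which is what catches thomas.edison@gmail.com when no display name is set at all. The root-impersonation rule is a deliberately loose substring match after homoglyph normalisation; in production you would pair it with an allow-list of partner domains to avoid flagging, say, a supplier whose domain legitimately contains your company name.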
Other useful terms

Credential harvesting

Credential harvesting is often the end goal of spear phishing attacks. Attackers use coercive emails to direct recipients to fake login pages or other websites where credentials can be harvested. Attackers can monetize credentials by selling them, or by using stolen account information to make purchases. In an enterprise environment, compromised credentials can also place entire systems at risk, doing significant financial and reputational harm to the business. Having harvested credentials, attackers can take over email accounts and begin targeting the victims' contacts.

Payload

Many spear phishing emails contain a payload: on email, this might be a malicious link or attachment that, when opened, triggers malware on affected devices or systems. Increasingly, spear phishing attacks carry no payload at all, relying on persuasive language to coerce an employee into making a mistake. That makes these attacks especially hard for traditional security tools, which look for malicious links and attachments, to defend against.

Phishing

Generally, phishing attacks are sent in bulk to a large audience, so the attackers' language is relatively untargeted and unpersonalized. While phishing attacks can be successful, most can be identified by traditional email security tools. This is why attackers have evolved to rely on spear phishing to extract money, data and credentials from organizations.

Ransomware

Ransomware attacks are growing in popularity and need little or no technical skill to carry out. In a ransomware attack, malicious software encrypts data across an organization's systems and the attacker demands payment to restore access; some operators also threaten to leak stolen data if the ransom is not paid. A widely cited example is the NotPetya worm, which crashed systems around the world in 2017, although it spread through a compromised software update rather than email and, because its encryption could not be reversed, was effectively a wiper. Many ransomware attacks do start with a spear phishing email containing a dangerous payload.

Social engineering

Social engineering describes the techniques attackers use to persuade people to take a dangerous action. Attackers may rely on the seniority of the person they are impersonating, or on the illusion of urgency they create, to prompt a lower-ranking employee to take the desired action. Often, attackers will build trust with a target by communicating 'normally' for a period of time, using entirely innocuous language: this heightens the effect of coercive language when the attack is finally launched.

Spoofing

A spoof is an impersonation in which an attacker forges the email address from which the message appears to have been sent. (Many people don't know that anyone running their own mail server can specify any From: address when sending an email, a loophole often leveraged by more sophisticated attackers.) The sender authentication standards SPF, DKIM and DMARC exist so that receiving servers can detect this kind of forgery, so directly spoofing a domain that publishes and enforces a DMARC policy is much harder; that is one reason attackers fall back on the lookalike domains and display name tricks described above.

As an industry, cybersecurity is responding to a rapidly evolving threat landscape that grows more complex every day. It's vital to understand the range of concepts and terms surrounding the exploding spear phishing crisis. A reminder: if you have further questions about spear phishing, speak to a Tessian expert.
Interviews With CISOs
Tessian Spotlight: Helen Rabe, Global Chief Security Officer of Abcam
Wednesday, October 9th, 2019
Can you give an overview of your career history prior to joining Abcam?

I've had a fairly linear career journey in IT in general, where security has always been a feature, given that I've worked across the full systems lifecycle from project management to service delivery. A lot of my earlier career focus was on reactive remediation projects for organizations that had been compromised. More recently, I made a conscious decision to specialize and moved into a dedicated security role at Costa. It proved a successful decision and it's led me on to CBRE and more recently Abcam, where I am the Global Chief Security Officer (CSO).

Can you give an outline of your responsibilities as Global Chief Security Officer of Abcam?

It's a wonderfully diverse role with many fascinating security considerations and unique challenges. Physical building management systems and specialized laboratory equipment are within my remit, and they are an important part of our holistic security strategy. Abcam is a life-science company with a strong e-commerce element, which facilitates external feedback on products using reviews and ratings submitted by customers. Abcam has a corporate culture driven by altruistic and humanitarian values, which creates a unique security and risk profile that's different from industries like banking and telecoms that I've been in previously.

What are some of the challenges you've faced since being in the role?

Abcam is undergoing a major digital transformation as part of its growth strategy. Trying to establish a security program in an organization already impacted by a large change initiative is not easy. I need to ensure the security program does not contribute to 'change fatigue' and lose its effectiveness. I'm attempting to deliver security across an organization in a way that emphasizes helping people to understand that security adds value rather than being a process blocker; it requires a major communication initiative. I've had success with this by positioning security more as a lifestyle choice; this involves helping employees understand how security behaviors can benefit their personal lives as much as they can in the business world. It's about embedding a security message in a relatable context; that's how I believe you create positive security behaviors.

How important is the human factor when it comes to your security considerations?

To me personally, it's a key factor in the success of my strategy. The human element in cybersecurity is complicated and it shouldn't be treated as mutually exclusive from the technology-enabling solutions we implement. One of the things that technology cannot fix outright is the insider threat, whether malicious or unintentionally negligent. Training employees in order to mitigate the insider threat can't be a one-off, and training only goes so far in mitigating this risk. There needs to be a balanced approach in providing human intervention through validation processes alongside automated technology solutions; one should not be relied on over the other. I also support the notion that any security initiative or new policy requires a proportional internal 'PR' campaign around it to be effective. For example, if we're taking something away from users like USBs and pulling away norms, you're going to get the inevitable backlash, so we have to communicate what value the users are getting out of the situation to sell it internally prior to it being implemented and impacting them. I don't think we can easily solve the human problem; human behavior is too variable for us to nail down entirely, and we shouldn't rely on AI technology as the panacea, but what we can do is prepare for the known threats coming at us. Security needs to be more front line and supporting users for things like phishing and whaling BEC that we know are growing more sophisticated and involve critical human decision making.

When cybersecurity technology is at its best, what can it bring to an organization?

Value creation… if the technology offers users an intuitive, seamless experience and ensures security, it adds immediate value. This doesn't necessarily have to be a tangible thing; if your users embrace the solution, by extension security benefits from the success and longer-term support for its initiatives. End users ultimately want to have a symbiotic relationship with technology. The best solutions have to be a meshing of technology and the soft line of people; understanding how each of these couple into each other and add value is crucial.

What are the common misconceptions about the role of cybersecurity?

There is a belief that security owns everything, that it provides oversight for all risks, but this is a huge misconception. Most of the time we're responsible but not accountable; security awareness programs should also include a basic overview of who security is and what it is accountable for. An example would be an introduction to the classic three lines of defence model to help business users understand the engagement model between business risk and security. This is why it's important to have an understanding of the softer elements of security in order to make sure it works for end users; that's the sign of a successful security program. To achieve this, my advice is to step outside the line of what's considered the CSO role and to be creative.
Compliance
The Impact of POPI on Your Organization
Monday, September 30th, 2019
The Protection of Personal Information (POPI) Act is a piece of South African legislation that aims to ensure effective management of any personal data processed by both private and public bodies. The POPI Act became law in November 2013, but it has not yet been fully brought into force. Once the commencement date is confirmed, organizations doing business in South Africa will have one year to ensure that they are POPI compliant.

Personal data under POPI is defined as information that relates to an individual or juristic person. Gender, employment history and email address are a few examples of what POPI defines as personal information. Since there are different criteria for how organizations classify personal and non-personal information, POPI will affect the way that organizations manage this. For example, organizations will have to take any consumer data they hold and classify what type of information it is. If a data breach occurs, organizations will have to report the breach to the Information Regulator as well as to the affected parties. Under POPI, organizations could be fined up to R10 million (approximately £538k), and sentences could even include jail time of up to 10 years, depending on the seriousness of the breach. Finally, organizations could face significant reputational damage in the form of customer loss and a limited ability to attract new clients.

POPI and GDPR

POPI makes it imperative for businesses based in and dealing with South Africa to comply with newly stringent data protection regulations, but South African businesses may be wondering how the Act intersects with other global data legislation. Rulings like the European Union's General Data Protection Regulation (GDPR) also have ramifications for organizations around the world, of course. Businesses in South Africa that process customer data from the European Union must also ensure they are fully compliant with GDPR.

How to remain POPI compliant

Acknowledging the ever-present risk of data breaches is an essential part of the role for security leaders. Traditionally, data controllers tend to focus on malicious threats such as ransomware or brute-force cyberattacks. However, human error is increasingly putting organizations at risk. For example, human error was the root cause of 30% of data breaches in South Africa, higher than the global average of 26%. Mistakes made due to human error could include an employee accidentally sending an email to the wrong recipient, or using "reply all" or the "cc" field instead of "bcc". In both cases the employee is not acting maliciously, but sensitive information is still exposed.

POPI will have an impact on all companies in South Africa, but it will be particularly important for organizations that hold large amounts of personal information to take the right steps early on to ensure that they are POPI compliant. Implementing the right technology will help your organization stay proactive with its security strategy. Forward-thinking firms in all sectors are choosing Tessian to manage the way data moves on email. Enforcer and Constructor's machine learning allows organizations to prevent data from being transferred to non-compliant destinations. With cutting-edge technology, businesses can ensure that they remain compliant amid changing regulations. To learn more about how Tessian could help you become POPI compliant, contact us here.
Read Blog Post
Customer Stories
Australia’s Oldest Law Firm Invests in Human Layer Security
Saturday, September 28th, 2019
Allens is one of Australia’s leading commercial law firms with offices throughout Australia and 28 international locations through a global alliance with Linklaters. For almost 200 years, Allens has prided itself on providing excellent client service. The firm has worked with many of the world’s leading organizations both within Australia and abroad. Allens is protecting 1,100 employees with Tessian Defender, Tessian Guardian, and Tessian Enforcer. 
Looking for better data security oversight
Allens is the oldest law firm in Australia, and has a proud heritage of supporting its clients through important matters. Bill Tanner is the Chief Information Officer at Allens and looks after end-to-end IT delivery for the firm across Australia and South East Asian territories. Law firms like Allens receive sensitive company and client data on a daily basis. For Bill, ensuring the firm’s technical stack remains up to date and secure is a top priority. As Bill says, “Allens wants to help our people identify potential threats but also ensure our people don’t inadvertently expose our systems.” Searching for a solution that could simultaneously protect their people from security threats while building awareness within the workforce as to how threats manifest on email, Allens turned to Tessian.
Mitigating inbound and outbound threats
Tessian’s Guardian, Enforcer and Defender filters were seamlessly integrated into Allens’ security stack. After deployment, Bill and his team were able to immediately see the filters’ success in eliminating threats from both inbound and outbound emails. The high accuracy of the Tessian platform meant employees could still be protected while continuing their day-to-day business without interruption. Mail being sent to the firm has increased 57% over the past six months. Whilst there has been a 74% increase in the volume of mail rejections, this correlated with an 8% improvement in rejection rate. Mail-based attacks continue to rise, and attackers are getting more sophisticated with their techniques. Allens was looking to bolster its existing defences by providing additional context around the potential threats landing in employees’ inboxes. Tessian’s Defender module detects anomalous incoming emails in real time, delivering warnings to employees that both prevent the attack from having any impact and educate them as to why the email looks suspicious. To Bill, Defender’s intelligent notifications “provide that context in the moment that is so important for our people.”
Creating a conscious security culture
As threats to data security continue to grow in the legal sector, it will be vital for firms like Allens to invest in cutting-edge technology to mitigate the risk of data loss and spear phishing attacks, and the potentially disastrous repercussions of data breaches. With Tessian’s filters protecting Allens employees in multiple territories, Allens has increased the protection of the sensitive data held by the firm as it continues to deliver the high standard of service the firm has provided for almost 200 years.
Learn more about how Tessian prevents human error on email
Tessian is building the world’s first Human Layer Security platform to automatically secure all human-digital interactions within the enterprise. Today, our filters use stateful machine learning to protect people using email and to prevent threats like spear phishing, accidental data loss, data exfiltration and other non-compliant email activity. To book a demo and learn more about how we can help your organization, click here.
Allens Linklaters Case Study
Read Blog Post
Interviews With CISOs
Tessian Spotlight: Craig Hopkins, Chief Information Officer for the City of San Antonio
Wednesday, September 25th, 2019
Craig Hopkins has been Chief Information Officer and IT Director for the City of San Antonio for over two years after spending more than 20 years in financial services. San Antonio is the seventh-most populous city in the United States, and as CIO Craig manages systems integration, user experience, cyber and physical security, and portfolio prioritization for the city. This includes aligning the City of San Antonio’s 42 departments and almost 13,000 employees and developing a business strategy to ensure that each department accomplishes its mission, takes care of its employees, and remains secure.
What are the greatest challenges that you’ve faced being in the role?
Originally when I came into the role, my primary responsibility was to build new technology relationships across the 42 departments that make up the city. This included looking at different departments’ business strategies and helping them leverage technology to support it. The second area of focus was to set and strengthen the culture inside of the IT organization and to work with our municipal partners across San Antonio as well. I think we’ve done a great job over the past two years on these focus areas. Now the team is integrating systems and processes across departments with a focus on common platforms and prioritizing the user experience. We’re utilizing design thinking techniques and are becoming more of a consultant to the departments rather than building individual technology silos. We’re also having the departments work together on a common set of platforms that help with user problems, not just individual problems that are department specific.
As the CIO of San Antonio, are there any core security principles that help guide your approach to security?
In the first year we were really focusing on the information security foundation and making sure that we were as strong as we could be with our policies and tools.
However, we wanted to make sure that information security was not the only component. It’s really about understanding your overall security posture, which is a combination of physical, data and cyber. In the past year we’ve improved our principles based on the NIST framework with a focus on comprehensive training programs for our employees, network hardening, updating obsolete systems, threat profiling and vulnerability analysis. This has helped with communicating our policies and procedures and raising the cultural awareness within our organization. Security is everyone’s responsibility.
What unique pressures and dynamics do you face when it comes to cybersecurity decisions in the public sector?
Typically, people that work in tech will tell you that technology is the most important factor when it comes to making decisions about cybersecurity. What I’ve learned is that in reality, it’s about people. The human factor is incredibly important because people can be great at detecting threats and abnormalities in the system – more so than any tool – but they can also be your greatest internal threat, either intentionally or unintentionally. What we try to do here is to teach behaviors and have protocols that can minimize the risk of intentional and unintentional issues, such as only giving systems access to those who need it and constantly refreshing and validating the user rights. This sounds basic, but it’s the foundational practices and business processes that solidify your position. We also provide peer oversight, technical training, and teach how to combat social engineering. Ultimately, we want people to understand these threats to make sure that we are always leveraging our people first and our technology second.
What are the common misconceptions about the role of information security?
One of the common misconceptions that I hear is that an organization’s best defense is their technology tools.
My response to that is actually that the best defense is a workplace culture that prioritizes cyber and physical security and creates aware and engaged employees and leaders. A second common misconception is that cybersecurity is for the IT team to solve. I believe that cybersecurity isn’t just an IT problem, it’s for leadership to solve for across the organization. It’s the job of all leaders to support and protect our employees on our teams.
Looking forward, what type of security culture do you want to create within the City of San Antonio a few years from now?
A security-conscious culture where cyber, data, and physical security is naturally integrated into everything we do and every design decision that we make. It can’t be the only thing that we think about, because you can’t run a business that way, but it must be embedded in our thinking and our architecture, as we seek to improve the lives of our citizens and our employees in San Antonio. That is the culture that we want to build into our organization.
Read Blog Post
ATO/BEC
Inside Email Impersonation: the Danger of Display Names
Wednesday, September 18th, 2019
A single spear phishing email can deeply damage your organization’s cybersecurity. After a data breach, credentials could be compromised and systems left unguarded, all as the result of someone’s failure to detect an impersonation of a colleague, supplier or partner.   What makes the threat of impersonation especially worrisome is the fact that you don’t have to be a highly skilled cybercriminal to impersonate someone on email. In fact, many kinds of impersonation are startlingly simple. In this post we’ll cover display name impersonation, perhaps the easiest way for an attacker to dupe employees and extract money, data and/or credentials from enterprises.
What is display name impersonation?
Display name impersonations involve attackers setting deceptive display names on their email accounts in order to mislead recipients. The display name is not part of the email address itself: it’s the name affiliated with the account that usually appears before the email address in inboxes. Display name impersonations are often combined with domain impersonations to execute sophisticated impersonation attacks, which use social engineering to threaten organizations’ most sensitive data and systems.
How do attackers manipulate display names?
Even for people with little or no technical knowledge, impersonating a display name is very easy: the operation can be carried out within almost all major email clients. Here, we’ll take you through how to do this with Gmail:
This approach is especially effective on mobile devices (pictured above), because the From: email address is hidden on mobile screens. Very little work has gone into creating a potentially convincing impersonation that could fool busy, distracted employees – especially if the sender being impersonated is a high-ranking executive or a demanding supplier. With CEO fraud losses totalling more than £14m in the UK in 2018, organizations should be aware of the growing threat of executive impersonations.   Attackers can also change a sender’s display name to include both a genuine-seeming name and email address, such as “Thomas Edison <thomas.edison@nationalphonograph.co>”. In this case, the attacker is betting the target won’t notice that the email address they see first isn’t actually the address from which the email was sent.
Why are impersonations so easy to carry out?
Email is an extraordinary tool that offers effectively free communication to billions of people around the world. But email was never designed to cope with the sheer volume of traffic we now see on a daily basis (almost 125 billion business-related emails were sent per day in 2018). Simplicity is a core ingredient of email’s success. But being so simple means it’s dangerously easy for malicious actors to take advantage of inbuilt vulnerabilities. Email as a channel has many vulnerabilities, but despite being a multibillion-dollar industry in its own right, email security products – and the protocols that underpin email infrastructure more generally – have historically done a poor job of preventing impersonations. Organizations that have spent energy configuring DMARC, DKIM and SPF cannot rest on their laurels: authentication tools like DMARC are limited in their scope and are unable to prevent display name impersonation attacks.
The legacy tech problem
For decades now, Secure Email Gateway (SEG) products have defended organizations’ networks from attacks. The main methods of defense employed by SEGs are:
• Payload inspection like scanning URLs and attachments. (Attackers know that zero-payload attacks, which rely on social engineering techniques to persuade targets to take dangerous actions, are much more likely to evade SEGs’ defenses.)
• Spam and “bulk” phishing prevention. (By focusing on past known attacks and basic email characteristics like domain authentication, these techniques fail to prevent advanced impersonation, which is low-volume and crafted to evade such systems.)
• Rules to prevent impersonation. (Basic rules can prevent simple email impersonation attacks by detecting newly registered domains, different sender/reply-to addresses, etc.)
SEGs were designed to protect networks and devices from inbound cyberattacks.
More or less, they still do a good job of defending against the bulk spam and phishing scams that were so prevalent years ago. The problem? They are not flexible and intelligent enough to identify anything but the most basic impersonations. Being able to inspect suspicious URLs and attachments doesn’t help when an advanced impersonation spear phishing attack consists only of persuasive, urgent language to coerce an employee into taking a dangerous action like transferring money. Blacklisting known examples of names and addresses used in phishing attacks only prevents attacks that have been reported already; any new spear phishing or impersonation attack will bypass these perimeters. Meanwhile, rule-based email security services are limited by the ability of system administrators to continually update rules based on new edge cases and evolving threats. Static rules do not equip enterprises with the ability to identify and predict new anomalous email attacks in real time. SEGs find it hard to deal with advanced email threats, and even “simple” display name impersonations pose them serious challenges. Using rudimentary logic to determine whether a display name is “close” to the display name of an employee doesn’t work for external impersonations, for example. In addition, rules that trigger when (for example) a display name has one or two characters that are different from a genuine employee’s name are inherently limiting. Attackers are able to easily reverse engineer SEGs and find ways around their defenses. So should enterprises be looking elsewhere to defend their email environments?
Display name impersonations: a summary
For attackers, changing a display name is startlingly easy. The combination of display name impersonation with domain impersonation can lead to very sophisticated spoofing attacks that can have seismic repercussions for enterprises and the sensitive information they control. Cyberattacks continue to evolve and become more dangerous.
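As an added example (not code from the Tessian post), here is a small rule-based triage check in Python for the two display name tricks discussed above: an email address embedded in the display name that differs from the real sender address, and a display name that matches, or is within one or two characters of, an employee’s name while arriving from an external domain. The organization domain, the employee directory and the sample From: headers are constructed assumptions.

```python
"""Added example: rule-based triage of a From: header for display name impersonation.

Assumptions (not from the original post): a constructed organization domain and
employee directory, and an edit-distance threshold of 2, mirroring the
"one or two characters different" style of rule the post describes.
"""
import re
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumed organization domain (constructed)

# Constructed directory of employees an attacker would find worth imitating.
DIRECTORY = {
    "Thomas Edison": "thomas.edison@example.com",
    "Jane Smith": "jane.smith@example.com",
}

# Loose "local@domain.tld" pattern, used to spot an address hidden in the display name.
EMBEDDED_ADDR = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute, each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(name: str) -> str:
    """Collapse whitespace and case so 'THOMAS  Edison' compares equal to 'Thomas Edison'."""
    return re.sub(r"\s+", " ", name).strip().casefold()


def triage_from_header(from_header: str) -> list:
    """Return the list of rules that fired for a From: header.

    An empty list means no rule fired; it does not mean the email is safe,
    and a legitimate external contact who shares an employee's name will
    also trigger the name rule, so treat the result as a triage signal.
    """
    display, addr = parseaddr(from_header)
    if not addr or "@" not in addr:
        return ["unparseable From: header"]
    reasons = []
    domain = addr.rsplit("@", 1)[-1].casefold()

    # Rule 1: the display name itself contains an address that is not the real sender.
    for embedded in EMBEDDED_ADDR.findall(display):
        if embedded.casefold() != addr.casefold():
            reasons.append(
                f"display name embeds address {embedded!r} but sender is {addr!r}"
            )
            break

    # Rule 2: strip any embedded address, then compare the bare name to the directory.
    bare_name = normalise(EMBEDDED_ADDR.sub("", display).strip(" <>\"'"))
    if bare_name and domain != INTERNAL_DOMAIN:
        for emp_name in DIRECTORY:
            dist = levenshtein(bare_name, normalise(emp_name))
            if dist <= 2:
                how = "matches" if dist == 0 else f"is within {dist} edit(s) of"
                reasons.append(
                    f"display name {how} employee {emp_name!r} "
                    f"but sender domain is {domain!r}"
                )
                break
    return reasons


if __name__ == "__main__":
    # Constructed sample headers; the quoted display name is how a mail client
    # transmits a display name that contains angle brackets.
    samples = [
        'Thomas Edison <thomas.edison@example.com>',
        '"Thomas Edison <thomas.edison@example.com>" <sender@external.example>',
        'Thomas Edlson <thomas@freemail.example>',
        'Vendor Newsletter <news@vendor.example>',
    ]
    for header in samples:
        print(header, "->", triage_from_header(header) or ["no rule fired"])
```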
But security products like Tessian Defender offer a way to combat display name (and other) impersonations. Using machine learning, Defender learns and adapts to threats by analyzing behavioral and communication patterns on email, preventing advanced impersonation spear phishing attacks before they wreak havoc within organizations.   Every email employees receive is analyzed for anomalies: this might be the use of language, prior communications with the email’s recipients, discussion of sensitive topic areas, and many more factors besides. (This applies whether the email is from a colleague or from an external partner.) With this information to hand, Tessian’s algorithm predicts which emails represent a danger to the employee and the organization. Real-time notifications let employees take the right course of action before the threat can harm their employer’s defenses.   Organizations need to respond by investing in products that are designed to deal with a newly advanced generation of cyber threats. Speak to an expert today to learn more.
Read Blog Post
Customer Stories, Integrated Cloud Email Security
Hill Dickinson Adopts Tessian to Prevent Sensitive Client Data from Falling into the Wrong Hands
Tuesday, September 17th, 2019
London, UK. 17 September, 2019 – International law firm Hill Dickinson has selected cybersecurity company Tessian to prevent accidental data loss caused by misdirected emails and data exfiltration to non-business email accounts, in order to protect sensitive client data. With a number of clients in the financial services and healthcare sectors, data security is a number one priority for Hill Dickinson. The firm’s health practice works with some of the UK’s largest healthcare providers, and the team proactively sought out an email security solution that could ensure the safety and privacy of sensitive data, such as patient records, while not impairing productivity. Keith Feeny, Director of IT and Operations at Hill Dickinson, said, “Data breaches are a huge concern from a client perspective. Having big directories of contacts with similar names can increase the chance of an email containing sensitive data being accidentally sent to the wrong person. This could have serious consequences. We wanted a solution that could stop people making a potentially costly mistake without restricting business as usual.” Using machine learning technology, Tessian is able to predict whether an outgoing email is about to go to the wrong person. The solution sits quietly in the background and automatically alerts an individual only when a mistake is about to be made. Hill Dickinson is also working with Tessian to stop sensitive information from being exfiltrated to unauthorized, non-business accounts. The firm’s IT team found that, despite each employee being issued with a company laptop, staff were still sending documents to personal email accounts in order to work on them at home. While some companies opt to blacklist all freemail domains to solve this problem, this approach can impede productivity and stop the firm engaging with private clients, small businesses or contractors that use freemail domains.
Hill Dickinson, therefore, required a solution that would pose minimal disruption to business as usual but that could automatically prevent unauthorized emails. Feeny added, “We needed our staff to understand that data was at greater risk if sent outside the network. With Tessian in place, we are able to better control the flow of data in the firm and we can ask people to think twice before sending potentially sensitive information to their personal accounts.” Tim Sadler, CEO at Tessian, said, “With high client expectations and a stricter regulatory landscape, there is no margin for error in law firms when it comes to securing the data they hold and process. But that doesn’t mean security should restrict the way partners and employees want to work. Hill Dickinson can ensure its people are able to work effectively and efficiently, without putting client data at risk.”
Read Blog Post
Compliance
The California Consumer Privacy Act (CCPA) Could Set a New Standard for Privacy and Data Security in the US
Monday, September 16th, 2019
In June 2018, privacy and data security standards in the United States were fundamentally overhauled. On January 1st 2020, when the California Consumer Privacy Act (CCPA) becomes law, Californian citizens and businesses (and all businesses dealing with California) will have a very different relationship to data. The CCPA will allow all residents of California to know what personal information is being collected about them by for-profit companies operating in the state, whether it is sold, disclosed or simply held. Although the CCPA will only directly apply to California, its implementation will affect any organization doing business in California that satisfies one of the following criteria:
• Annual revenues of more than $25m
• Possesses personal information of more than 50,000 consumers, households or devices
• Generates over half its annual revenue from selling personal information
When the CCPA comes into effect in January 2020, organizations will need to take action in order to remain compliant. For example, the CCPA will require companies to create a channel, such as a toll-free number, that allows consumers to request information regarding how their data is being used. Parallels have been drawn between the CCPA and GDPR, with the CCPA requiring data privacy protections similar to those imposed by the European Union. Financial fines for data breaches under the CCPA will be less severe than the penalties under GDPR, capping at $7,500 per violation compared to the maximum cap of 4% of revenue / €20m (whichever is higher) for the most severe GDPR breaches. With the CCPA and GDPR in place, organizations will have their data management practices under the spotlight more than ever. Luckily, technological solutions exist that can mitigate the risk of data loss and the associated negative consequences for enterprises. Tessian’s Enforcer and Constructor filters help organizations manage the ways data moves on email.
Enforcer’s and Constructor’s machine learning allows organizations to prevent data from being transferred to the wrong place, ensuring that enterprises can comply with evolving regulations. The general emphasis on tightening data security worldwide means that organizations will have to prioritize security in order to stay compliant and to uphold new privacy and security standards. To learn more about how Tessian can help you become CCPA-compliant, contact us here.
Read Blog Post
Integrated Cloud Email Security
Email Security Tips for an Enterprise
Monday, September 16th, 2019
In today’s changing business environment, 70% of organizations believe their security risk has increased significantly. The idea of data breaches being more a question of “when” rather than “if” has become mainstream. That being said, there are a number of ways for enterprises to mitigate the security risks that they could be exposed to.
1. Educate your employees
The main cause of security failure within an organization is often employees, as they are responsible for handling and sending sensitive data. Educating employees on the risks that they could be exposed to through training programs is a common strategy that organizations adopt in order to try and mitigate some of these risks. While they can be beneficial, one issue with training programs is the dangerous assumption that once training is completed, all employees retain information equally well. This is an unrealistic expectation, as even the most advanced training programs have gaps that do not account for human error. Having technology that can prevent security issues before they happen – while educating your employees in real time – is potentially a more nuanced and intelligent solution for your enterprise. With Tessian’s Guardian and Defender filters, users are shown a pop-up if an inbound email looks suspicious. The pop-up explains why the email could represent a threat, leaving the employee to make the final decision on which action to take, with the benefit of having all the salient information to hand. Employees are educated as to the threats they face, while the industry-leading technology prevents threatening emails from causing damage to your organization.
2. Be proactive
Of course, data loss over email becomes much more difficult to handle once it’s already happened. Having a plan in place for what to do in the event that an employee does leak data over email is important, and having a strategy for preventing the leak from occurring in the first place is even better.
Invest in technologies and platforms that will enable your organization to better understand how your employees communicate with each other and with people outside the organization.
3. Get the basics right
Getting the basics right is a critical step, as it will allow you to build an information security infrastructure on a great foundation. Best security practices include utilizing encryption, being careful when using a corporate email account from a public or shared computer, and not opening emails from unknown sources. That being said, don’t let these steps lull you into a false sense of security. Research suggests that 30% of cybersecurity incidents are caused by current employees. Confidence comes hand in hand with the capability of your security stack. If you’re still using legacy security software, the extent to which your organization can guard itself against internal and external attacks is already inherently limited. With this in mind, it is no surprise that confident IT security professionals are more than twice as likely to rate C-suite involvement in email security strategy as “very appropriate” and 1.4x more likely to actually obtain that engagement. Therefore, why wait until something goes wrong to implement much-needed change? Arm’s CISO, Tim Fitzgerald, wanted to perfect the firm’s email security basics and find a platform that would complement the security culture that he wanted to create. Tessian helps thousands of Arm employees get the basics right on email while ensuring that their systems remain secure. (Read the case study.)
4. Don’t forget about mobile devices
Email communication has become more mobile. Using email on the go and on various devices (laptops, tablets, smartphones) greatly increases the potential for mistakes. A data breach caused by a misdirected email could very easily occur on your daily commute by accidentally picking the wrong recipient from a “helpful” autocomplete list.
Many email DLP platforms can only ensure protection on desktop computers, or only for Microsoft email environments. It’s important that you find a way to secure your email network, regardless of how employees might be accessing it. It’s more difficult than ever for security leaders to feel like they’re on top of everything. Fortunately, Tessian’s solutions help organizations get the basics right, while stopping even the most sophisticated outbound and inbound email threats. To learn more about Tessian, contact us here.
Read Blog Post
Engineering Team, Life at Tessian
Data Science at Tessian is all about Passion And Curiosity
Friday, September 13th, 2019
Tessian Data Scientists design the algorithms that are at the heart of what we do. We wouldn’t exist without our machine learning models, and it’s what our clients rely on day-to-day. But what does this mean in practice? Companies can leverage data science in a number of ways, and we think the role of a Data Scientist falls into three distinct categories:
1. You work for a business function analyzing & reporting on how to improve a key metric; e.g. increasing user conversion.
2. You are responsible for writing production models to enhance the main product; e.g. recommendation systems for e-commerce.
3. You build machine learning models, which are the product the company sells.
First, we love email
More specifically, we love massive enterprise email datasets. Email doesn’t have the best reputation with engineers – the protocol is ancient, poorly defined, even more poorly secured, and email isn’t Slack. As a Data Science team we don’t think of email in terms of SMTP, but rather as a beautiful, dynamic and pretty huge JSON dataset that captures the intricacies of human-to-human communication. Email knows who you communicate with, what you communicate about, what clients you’re pitching, what projects you’ve just completed, who your team members are, your company hierarchy, and (excitingly) the list goes on.
Of course, all this information is hidden, messy and unstructured
But that’s where we come in. Using machine learning and NLP, we build bespoke anomaly detection models to prevent threats executed by humans (rather than code) and secure our clients’ communications. We also care deeply about the end user experience of our products, which sounds obvious, but is much more difficult (and in our opinion, important) when machine learning is involved, due to its black box nature. This means we spend a lot of time focussing on the explainability of our machine learning predictions back to the end user. For example, why does this email look misdirected? Why does this email you’re receiving look malicious? Notifications with context are more effective than lazy boilerplate warnings (the industry standard). Another exciting part of being a Data Scientist at Tessian is that we are always thinking about future products we should be building. The great thing about email data is that it’s not “opinionated” about the problem we are trying to solve, meaning we can experiment with solving different problems using the exact same dataset. Sometimes this involves us trying to find signal in the noise, like when we discovered strong-form spear phishing impersonation attacks were getting past existing defenses. Other times it involves trying to solve specific threats and problems brought to us by our clients. The highlight of my week is the Data Science Brainstorming session where we discuss all of our ideas for new products, current product improvements, as well as any new papers/tools that we’ve read about that might help us further our research and models.
One thing I’ve touched on a lot, but not specifically discussed, is data
And that’s why at Tessian it’s impossible to talk about Data Science without talking about Engineering. To train our machine learning algorithms we need lots of data, and to deploy and run our models in production, we need this data processed with minimal latency. Our Data Science team owns the data and what we do with it. But to process, store and scale this data, we call in the Engineering teams to help. How Data Science and Engineering work together is a much discussed topic and one for which I believe there is no out-of-the-box solution. We’re still figuring it out and tweaking our process, but currently we follow a similar model to Jeff Magnusson’s (Stitch Fix). It’s explained here in Engineers Shouldn’t Write ETL. The platform and Engineering teams leverage their domain knowledge to build and expose data frameworks, empowering our Data Scientists to have end-to-end ownership of their work. This has the added benefit of freeing up Engineering teams to focus on building and scaling our core APIs, rather than maintaining fiddly data pipelines. We’re a friendly bunch of ambitious Engineers building breakthrough machine learning and natural language technologies to analyze, understand & protect enterprise communication networks.
Read Blog Post
ATO/BEC
How to Catch a Phish: a Closer Look at Email Impersonation
Tuesday, August 20th, 2019
Today, 95% of all cyber attacks launched on businesses start with a spear phishing email. What’s more, spear phishing attacks increased 250% last year as bad actors have discovered more and more ways to outwit email users (busy people) and defenses (legacy technology). The motivations behind attacks are straightforward: deploy malware or defraud the target of money or credentials. The tactics, however, vary greatly and are becoming increasingly more difficult to spot.
What is spear phishing?
A variety of terms are used to describe inbound email attacks, ranging from spoofing, phishing and spear phishing to whaling. While some people use the terms interchangeably, they are, in fact, different. Here’s a breakdown of the terminology:
Email spoofing: the creation of email messages with a forged sender address or display name. It is common for spam and phishing emails to use spoofing tactics to mislead a target about the origin of the communication.
Phishing: the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by pretending to be a trusted entity. Occurring predominantly via email or text messaging, phishing is typically bulk in nature and not personalized for an individual target. While phishing attacks can be successful, most are often easy for clued-up individuals or email security policies to detect.
Spear phishing: advanced phishing attacks directed at specific individuals or companies. Similar to phishing attacks, these too are designed to trick people into doing something like sending a wire transfer or clicking on a malicious link. In contrast to bulk phishing, spear phishing attackers often gather and use personal information about their target to increase their probability of success. Because they are more sophisticated in their construction and convincing in execution, spear phishing emails are harder to catch. They work best when they impersonate someone the target trusts.
Whaling: a highly targeted phishing attack aimed at senior executives or employees with access to particularly valuable assets. Whaling emails are more sophisticated than generic phishing emails as they often target chief (“c-level”) executives and board members.
What does a spear phishing email look like?
Spear phishing emails have four key components:

Target: spear phishing attacks are directed at specific employees or groups, often those with access to money, sensitive systems or powerful people. For example, accounts payable departments and executive administrators are frequently targeted. Criminals may also target new hires and other “quick-to-click” employees, exploiting their desire to act fast on any requests or assignments. Criminals don’t have to search long and hard to identify good targets. There is an abundance of valuable data online, from LinkedIn career updates to employee details on company websites.

Intent: in both the email subject line and body copy, the attacker will use deliberate language to establish context and intent; they want the recipient to do something now. In sophisticated attacks, fraudsters will initiate normal conversations without mentioning any requests. With this approach, they invest time in developing a legitimate dialogue and establishing trust with the target over multiple emails. As a result, any subsequent request, like a wire transfer, will appear authentic and usually gets the target to complete the desired action. [Read more on how trust can be manipulated by tech in our report “Why People Make Mistakes”]

Impersonation: at the heart of every spear phishing attack is impersonation. The attacker is pretending to be a person or entity that the target knows and trusts. The spectrum of impersonation tactics is broad, ranging from display name and domain manipulations to the specific language used within the body of the email. In general, criminals impersonate an influential or powerful person (like a CEO) or a trusted company (for example, Microsoft) in order to establish a sense of legitimacy or urgency. Tessian refers to sophisticated impersonation attacks as advanced impersonation spear phishing.

Payload: spear phishing emails may contain some form of payload to engage the target. Basic impersonations include obvious payloads like links and attachments that appear legitimate but are in fact malicious. Advanced impersonation tactics are more discreet; they rely on text alone to elicit a desired action. For example, “please wire payment to this account: 123-4567” or “Can you please buy 10 Apple gift cards for our clients and send me the voucher codes as reference ASAP?” By omitting conspicuous payloads, these advanced threats (also known as zero-payload attacks) can more easily slip through standard email defenses.
Advanced impersonation spear phishing falls into three categories.
Why is spear phishing so dangerous?

Spear phishing isn’t difficult to pull off. Attackers don’t need capital, special equipment or a particularly advanced skillset. They just need to invest time in researching a target, which is easy with the proliferation of public profiles on platforms like LinkedIn.

Spear phishing is particularly effective because busy professionals are easy to trick on email. Today, the average worker spends nearly a third of their working week on email, sending and receiving around 124 emails every day. The pressure to be constantly connected and on the go means that employees are more likely to be distracted and make mistakes on email. The shift towards a mobile workforce hasn’t helped the situation either. Verizon research has shown that people are significantly more susceptible to social attacks received on mobile devices; this is a result of mobile design and people’s tendency to multitask on mobile devices.

Businesses globally have lost $12.5bn over the past five years as a result of phishing scams. Advanced impersonation spear phishing has emerged as one of the most popular and successful attack methods being leveled at businesses, small and large, around the world. Rewards for attackers are high, and the damage to organizations can be catastrophic, resulting in wire payment fraud, file sharing, credential theft and eventual systems takeover.

How do you prevent advanced impersonation spear phishing?

Most organizations rely on Secure Email Gateways (SEGs) to keep inboxes safe. To identify and prevent inbound threats, SEGs commonly employ machine-layer methods:

Payload inspection, such as scanning URLs and attachments. This can leave organizations vulnerable to zero-payload attacks and can falsely increase user confidence.

Spam and bulk-phishing prevention. Focusing on past known attacks and basic email characteristics (e.g. domain authentication), these fail to prevent advanced impersonation, which is low-volume and crafted to evade such systems.

Rules to prevent impersonation. Rules can prevent basic impersonation attacks (e.g. by detecting newly registered domains, mismatched sender and reply-to addresses, etc.). While SEGs can block malware and bulk phishing attacks, rule-based solutions cannot stop advanced impersonation attacks and are incapable of detecting external impersonation.

Tessian Defender detects all possible impersonation types, including the manipulation of internal and external contacts. Defender stops advanced threats that legacy systems miss. Tessian Defender’s stateful machine learning retroactively analyses historical email data in order to understand the difference between safe and unsafe emails being received. By analyzing multiple data points within email headers, body text and attachment data, Defender can detect and prevent threats in real time with minimal end-user disruption. To learn more about Tessian or book a demo of Tessian Defender, contact us here.
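As an added example (not Tessian's code or the Defender product), the following rule-based check is the kind described under “Rules to prevent impersonation”: it parses the headers of a message and flags a known contact's display name arriving from a different address, a Reply-To that differs from From, and a sender domain one character away from a trusted domain. The contact directory, domains and the sample message are constructed for illustration.

```python
import email
from email.utils import parseaddr

# Constructed contact directory (illustrative, not real data):
# display name as the mail client shows it -> address it normally comes from.
TRUSTED_CONTACTS = {"jane doe": "jane.doe@example.com"}
TRUSTED_DOMAINS = {a.rpartition("@")[2] for a in TRUSTED_CONTACTS.values()}

def edit_distance(a: str, b: str) -> int:
    # Levenshtein distance, used to spot one-character lookalike domains.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def impersonation_signals(raw_message: str) -> list[str]:
    # Return the basic impersonation rules that fire on one RFC 5322 message.
    msg = email.message_from_string(raw_message)
    name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender, reply_to = sender.lower(), reply_to.lower()
    domain = sender.rpartition("@")[2]
    signals = []
    # A known contact's display name paired with a different address.
    expected = TRUSTED_CONTACTS.get(name.strip().lower())
    if expected and expected.lower() != sender:
        signals.append("display-name-mismatch")
    # Replies would go somewhere other than the apparent sender.
    if reply_to and reply_to != sender:
        signals.append("reply-to-mismatch")
    # Domain is not trusted but sits within one edit of a trusted one.
    if domain not in TRUSTED_DOMAINS and any(edit_distance(domain, t) <= 1 for t in TRUSTED_DOMAINS):
        signals.append("lookalike-domain")
    return signals

# Constructed zero-payload lure: no link or attachment, just a text request.
SUSPECT = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@mail-relay.test
To: accounts@example.com
Subject: Urgent payment

Please wire payment to this account: 123-4567
"""

if __name__ == "__main__":
    print(impersonation_signals(SUSPECT))  # ['display-name-mismatch', 'reply-to-mismatch', 'lookalike-domain']
```

A message sent from a genuinely registered external domain with a consistent Reply-To, relying on wording alone, produces no signals here; that is the gap the post attributes to rule-based detection.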