6 Reasons to Download The CEO’s Guide to Data Protection and Compliance

We certainly won’t be the first to have made this claim in the last nine months but…the world has changed. Yes – we’ll say it – these are unprecedented times.  That’s why companies around the world are reinventing their approach to engaging with and supporting their people. How has Tessian adapted so far this year? So, what have we done at Tessian? A lot.  We’ve reimagined how we socialize and connect with Tessians all over the world (yes, there’s been bingo!). We’ve set up fully remote onboarding for the first time ever. We’ve even ever-so-briefly re-opened our London office, with super safe protocol and measures put in place to protect those of us who wished to return. We’ve done it all. But undoubtedly the biggest challenge we’ve had to grapple with – and therefore the question we’ve had to answer – is this: What should the new world of work look like for Tessians when things start to return to “normal”?  We know for sure that our office of the future will be very different from our office of the past, but what exactly does it look like? And, more importantly, how do we support  Tessians while the future is still so unclear? It’s been a journey, but we’re excited to finally share Tessian’s plans for the future. It’s looking bright – and full of choice. What does the new world of work look like at Tessian? Some companies pride themselves on being entirely remote. And there are no doubt benefits to this simplified approach. No office politics. And, decisions don’t get made “where the action is” (in the office) because, well, there isn’t one! Others are still trying to retain an office that puts culture first. They want to create a space that fosters collaboration and offers the social benefits that are synonymous with a bustling office.  But we believe that both of these approaches – while possibly easier and with fewer risks to manage – miss out on one of the most important determinants of happiness and wellbeing in our lives: Choice. So, at Tessian, we’re excited to announce our new approach to the future of work: Choice First What is Choice First? Choice First enables Tessians and future Tessians to do their best work, in whatever way is best for them. Put simply, we will be giving our team three options to choose from, with as few caveats as possible:

Why have we landed here (and not remote first, or office first)? We have done extensive internal and external research, and there are three core reasons we believe this is the way forward.  1. Attract (and keep!) world-class talent  We know that the best companies in the world will be adopting remote options for employees while keeping hubs for those employees who prefer being able to work and socialize in the office. It’s about getting the best of both.  We want to be amongst these companies. That way, we can continue to attract and retain the best people.  Internally, having heard from our people (our Culture Council has done some great work here), some Tessians can’t wait to get back to the office.  We want to ensure that we still have this option in the future. In fact, some have even said they wouldn’t want to work for a company that didn’t have this as an option! But some Tessians have experienced an enormously positive change in their lives since skipping the commute to the office every day. We need to ensure that we offer both. Just look at the results of our most recent research report, Securing the Future of Hybrid Working. You can see employees really do want to be able to work from anywhere. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); 2. Diversity catalyst  This will open doors to new pools of diverse talent and will make room for every potential Tessian. We believe this will support us in creating a more diverse “place” to work by:  Opening up talent pools in different locations around the country (and world!) Allowing those who need to work from home for health reasons, or due to caring or other responsibilities, will be able to join the Tessian experience Enabling those who do want to enjoy the social elements of an office to do so Learn more about why diversity is important at Tessian…from Tessians. Watch the video now. 3. Take care of Tessians and support wellbeing Choice First allows people to be in control of their own working lives.  Which is a good thing. Why? Because what works for one person may not work for another.  Studies have shown that when employees are given the freedom to make the right choices for their career and their life outside of work, their holistic wellbeing will be greater.  Surprisingly, given how difficult this period of working from home has been, our own engagement data is backing up how not being in the office can increase wellbeing. We’ve had a significant (over 10%!) uplift in our company engagement scores against the “health” driver (which measures things like mental and physical wellbeing) since leaving the office back in March.  So, for people to do their best work, and have good holistic wellbeing, we need to enable choice around work locations and preferences. What about the risks?  We all know that introducing a hybrid culture is not without its challenges. So we’re dedicating significant time and resources over the coming months to counteract these. Just some of the key things we’re thinking about are below.  Culture Inclusivity – How do we make sure people aren’t left out because they do or don’t work in the office? Communication – How do we make sure people feel connected to what’s happening at Tessian? Fun – How do we keep things interesting in a hybrid environment? Fairness – How do we make sure no one is positively or negatively impacted due to their choice? Ways of working Communication – When do we use synchronous vs asynchronous communication? How we work – Are hybrid working patterns different from office-based patterns? Security – How can we continue leveraging technology, policies, and training to keep our people safe, wherever and however they work?  Amplifying performance – How can we provide in-the-moment feedback and help Tessians do their best work, even when we’re not all together? Effectiveness – Does hybrid make it harder to get stuff done? Do we have the right tools in place to support everyone? What’s next? There is still a lot of work to be done. We will be mobilizing our internal teams to make sure our current employees and future Tessians have clarity about their options. Of course, decisions don’t need to be made just yet. Watch this space for more insights about our journey – we can’t wait to share it with you.

While email does make it easier for all of us to communicate both in our work and personal lives, there are two major issues with email communication: spam and phishing.  That means the average person needs to know how to spot these illegitimate emails and businesses need to know not just how to protect their employees, but how to avoid inadvertently sending spam.  In this article, you’ll learn the difference between spam and phishing, how common they are, and how to avoid each of them.

What is spam? You may know spam as junk mail. But, what’s that? Unsolicited bulk email means that the recipient didn’t ask for it (unsolicited) and that many people were sent the email at once (bulk). These two elements are essential to the definition of “spam.”  Unsolicited emails can be legitimate, e.g., job inquiries, customer service inquiries, any first-contact correspondence. Bulk emails can be legitimate, e.g., newsletters, marketing to existing customers, transactional emails. But emails that are both unsolicited and bulk are almost always spam. As well as being sent via email, spam can also be sent via SMS or instant messaging. Unsolicited sales and marketing calls (also known as nuisance calls) can also be considered spam.

Spam is generally commercial (meaning from businesses) but it can also serve more nefarious purposes, such as fraud. However, when a spam email uses social engineering techniques to trick the recipient, we call it a “phishing” email. Not sure what social engineering is? Examples will help. We’ve rounded up 6 recent, real-world examples of social engineering attacks here.  What is phishing? Phishing is essentially a more targeted version of spam.  A hacker impersonates a trusted brand or person and sends a fraudulent message in an attempt to steal information or money, commit fraud, or install malware on a target’s device.  But, there are many types of phishing. Here are a few examples: Spear phishing: A phishing attack on a specific individual Whaling: A phishing attack targeting a company executive Business Email Compromise (BEC): A phishing attack originating from a hacked or spoofed corporate email account Vendor Email Compromise (VEC): A phishing attack targeting a business using one of its vendors’ email accounts It’s important to note that a phishing attack can be delivered via several different communications channels: Email: The big one — 96 percent of phishing attacks take place via email. When people say “phishing,” they’re generally referring to email-based social engineering attacks Smishing: Phishing via SMS Vishing: Voice-phishing, via phone or Voice over Internet Protocol (VoIP) software Phishing attacks can also have different aims, for example: Stealing credentials, e.g., social media, email, or internet banking login details Installing malware, e.g., keylogger software, ransomware, or viruses Stealing money, e.g., by sending fraudulent invoices (known as “wire transfer phishing”) Now, let’s take a closer look at spam and phishing.

How common is spam? According to 2019 research from PreciseSecurity:  Spam accounts for around 55 percent of global email activity. Around 295 billion spam emails are sent and received every day. China generates the most spam (20.43 percent), followed by the U.S. (13.37 percent) and then Russia (5.6 percent). However, bear in mind that — despite these statistics — people’s experience of using email is generally improving. This is because: Rates of spam are lower now than they have been previously — in 2014, data from M3AAWG estimated that spam accounted for 90 percent of email traffic. Email providers are getting better at detecting spam, which means that more spam is being blocked or sent to junk folders.  How common is phishing? Phishing is the most prevalent example of cybercrime. Let’s look at some of the best data we have covering the past few years: Verizon’s 2020 Data Breach Investigations Report cites phishing as the most common cause of data breaches in 2019 —  22% of all data breaches involved phishing.  The FBI’s Internet Crime Complaint Centre (IC3) 2019 Internet Crime Report cites phishing as the leading cause of cybercrime complaints. The U.K.’s National Cyber Security Centre (NCSC) Annual Review 2020 reported that 85% of U.K. businesses experienced one or more phishing attack in 2020 (up from 72% in 2017). For up-to-date data on phishing, see our Must-Know Phishing Statistics: Updated 2020. Risks associated with spam While – yes – there certainly are some risks associated with receiving spam, most email providers like Gmail and Outlook have gotten pretty good at filtering these emails out. Don’t believe us? Check your spam folder!  A bigger risk – specifically to businesses – is accidentally (or negligently) sending “spam” as part of a direct-marketing campaign. Businesses sending spam (including those who are perceived to be sending spam) run the following risks: They could alienate their customers — which, ultimately, could damage their reputation and lose them business. Their legitimate email correspondence could end up in people’s junk folders. They could be fined or prosecuted under the various national laws regulating spam. Consequences of phishing attacks Phishing is one of the most damaging forms of cybercrime. But, as we’ve discussed, there are a lot of different types of phishing.  Wire transfer phishing causes direct, quantifiable losses when businesses pay fake invoices sent to them by fraudsters. The FBI’s data shows that U.S. businesses lost $1.7 billion in 2019 to wire transfer phishing via email. Ransomware attacks are frequently delivered by email. Clicking the link in a phishing email can lead to your documents, databases, other files becoming encrypted. Emsisoft estimates that ransomware cost organizations $7.5 billion in 2019. But what about the impact caused to individual companies? A single phishing attack can be devastating for a business.  The biggest known phishing scam of all time targeted tech giants Facebook and Google. This example of wire transfer phishing cost the companies around $121 million over two years. But the indirect losses caused by phishing can be even greater. When Australian hedge fund Levitas Capital was defrauded for nearly $8.7 million in November 2020, the firm recovered 90% of the money. But the fund was forced to close after losing its biggest client as a result of the attack. Unfortunately, Levitas Capital isn’t the only organization to have lost customers after a breach. After a breach, companies see an average of 3.9% customer churn. It makes sense, then, that “losing a customer/their trust” is the biggest consequence of a data breach according to security leaders.  So, how can businesses reduce the risk of being successfully targeted by a phishing attack? How to avoid phishing attacks Staff training Much of the traditional guidance on phishing focuses on staff training — helping your employees to identify phishing emails and manually delete them. The classic “telltale” signs of a phishing email are often said to be:  Spelling mistakes  A sense of urgency An unprofessional tone This might have been good advice when phishing emails were sent out in “spray and pray” bulk attacks. But now, it’s unfair and unrealistic for organizations to expect their employees to be able to spot phishing attacks, especially those using advanced impersonations techniques. Today, effective phishing emails look like any other email. They don’t carry these “telltale signs.” They carry the branding and tone of voice you’re used to seeing from trusted senders. They can arrive from a colleague or friend’s email address. They might even look like part of an ongoing conversation (“email thread hijacking”). That means staff training — while important — must not be your primary defense against phishing. As the National Cyber Security Centre (NCSC) says:

Want to learn more about why phishing training alone just isn’t enough? Read our blog: Pros and Cons of Phishing Awareness Training. Email security software The only truly reliable way to root out phishing emails is by implementing an email security solution like Tessian Defender.  Here’s how Tessian protects your people and prevents inbound threats like phishing Tessian ingests historial email data from employees’ inboxes to learn what “normal” looks like and map their trusted relationships with other employees and third-parties outside the organization. This way, it automatically knows when an employee receives an email from an unexpected sender. Inbound emails are also analyzed in real-time for anomalies. Anomalies might include barely noticeable irregularities in the sender’s email address and IP address, potentially malicious links, or suspicious changes to the sender’s communication patterns. If an email is suspicious, Tessian alerts employees with contextual warnings that explain why the email has been flagged. Tessian also alerts security teams, who can quickly and easily investigate the attack and – to prevent future attacks – can add the sender’s domain to a denylist in a single click. : Importantly, solutions like Tessian Defender prevent the most advanced attacks. Specifically, those that slip past legacy solutions, Secure Email Gateways, and spam filters. 

We’re back with another roundup of the biggest stories in cybersecurity in November 2020.  With phishing, hacking, and ransomware continuing to surge worldwide, there was a lot of news to choose from. We’ve selected stories representing the latest trends in cyberattacks — and demonstrating the myriad ways that cybercrime impacts businesses and consumers. UK Hit By Record Number of Serious Cyberattacks The UK’s National Cyber Security Centre (NCSC) published its 2020 annual review on November 3. The report revealed that the NCSC had defended the UK against a record-breaking 723 cyber incidents in the past year. The data covers the period between September 1, 2019 and August 31, 2020 and reveals a 20.1% increase in cyber incidents compared to the previous three-year average (602 cyber incidents). So what explains this surge in cybercrime? The NCSC chalks the increase in numbers up to its proactive approach in identifying and mitigating threats, together with tips from its “extensive network of partners” and public reports. But there’s another reason: cybercriminals’ exploitation of the COVID-19 pandemic. The NCSC’s Suspicious Email Reporting Service received an incredible 2.3 million reports in its first four months of operation, leading to the removal of 166,710 phishing URLs. In fact, phishing takes up a lot of space in the NCSC’s report, which highlights:  A spate of spear phishing attacks targeting pharmaceutical companies An “explosion” in fake ads sent via phishing emails A rise in the percentage of businesses experiencing phishing attacks — from 72% in 2017 to 86% in 2020 Want to know more about how widespread phishing has become? Read our must-know phishing statistics. Amazon Customers Targeted By Vishing Attacks Our October roundup reported an increase in Amazon-related phishing scams around Prime Day. On November 7, the Guardian revealed another Amazon scam: Amazon Prime customers are being targeted in vishing (voice phishing) attacks. Victims received calls from scammers impersonating “Amazon Prime Security” employees, who advised them that their accounts had been used to make suspicious payments.  Consumer group Which? described how one Amazon Prime customer was persuaded during a vishing call to install remote-access software on her device. The scammers then accessed her bank account and stole £6,900 (over $9,200). UK cybercrime reporting agency Action Fraud said it had received 14,893 reports of similar “computer software service fraud” incidents over the past 12 months, resulting in losses of over £16 million ($21.3 million). Vishing attacks are a massive problem for businesses as well as consumers. Read our guidance to find out more about defending against vishing attacks. WhatsApp Hoax Spreads False Phishing Claim On November 11, Naked Security reported a smishing (SMS phishing) scam that is, sadly, pretty unremarkable in the current climate. Victims received a text alerting them to an “unpaid phone bill,” and redirecting them to a fake O2 network credential-phishing login page. What’s more unusual about this widespread smishing attack is the rumors surrounding it. According to Action Fraud, WhatsApp-based “fake news” proliferated in the days following the attack, spreading confusion among consumers. The WhatsApp message, which referenced the City of London Police Fraud agency, claimed that the smishing attack was an “extremely sophisticated scam,” whereby attackers could drain money from victims’ accounts as a result of them merely “touching” the fraudulent text message. This type of disinformation serves as another attack vector for cybercriminals. It can undermine the efforts of legitimate cybersecurity authorities. Repeated hoaxes of this kind could, ultimately, lead to reduced vigilance among the targets of cybercrime. Credential phishing is a serious issue in itself — there’s no need to exaggerate the threat via phony WhatsApp chain messages. Read more about credential phishing here. Fintech Platform Attacks Unwittingly Facilitated by GoDaddy Staff Cryptocurrency trading platform Liquid reported on November 13 that its domain registrar, GoDaddy, had “incorrectly transferred control of (Liquid’s) account and domain to a malicious actor,” allowing the attacker to take control of internal email accounts.  The attack resulted in the theft of users’ email addresses, names, physical addresses, and encrypted passwords. Worse still, ID cards, selfies, and proof of address documents — collected as part of the site’s “Know Your Customer” requirements — may also have been compromised. But GoDaddy’s problems don’t end there. Just five days later, crypto-mining service NiceHash revealed that its domain had been subject to “unauthorized access” owing to “technical issues” at GoDaddy. While NiceHash reported that user data was likely safe, its domain was unavailable for some time. GoDaddy didn’t disclose details of the attacks, but Krebs on Security revealed in March that GoDaddy staff had been subject to a vishing attack that had compromised fintech website Escrow.com. Whatever the specifics, it seems GoDaddy has suffered multiple social engineering attacks in the past year. Read our six real-world examples of social engineering attacks to learn how to avoid such problems. Around 28 Million Texans’ Driver’s Licenses Compromised Fox 26 Houston reported on November 18 that hackers had stolen nearly 28 million driver’s licenses registered in Texas. Driver’s license details are highly valuable to cybercriminals, who can sell them on the dark web or use them to commit identity fraud. The attack has been blamed on weak security protocols, with data being “inadvertently” held in unsecured storage by service provider Vertafore. In addition to driver’s license numbers, names, birthdates, addresses, and vehicle registration details were also stolen.  The breach took place between March and August and affected drivers who had received their license before February 2019. Vertafore is offering victims one year of free credit monitoring. More and more US states are introducing tough new data breach notification and privacy laws. Read our guidance on US privacy laws for business leaders to find out more. Google Products “Weaponized” for Phishing Attacks Research from Armorblox, published November 19, revealed how popular Google products, including Docs, Forms, and Firebase, have been exploited by cybercriminals and used to “defraud individuals and organizations of money and sensitive data.” Why are hackers weaponizing Google products? Well, they’re typically open-source and easily-adapted. And because Google is ubiquitous and legitimate, Google-associated URLs are rarely blocked by firewalls or security software. Examples of Google-based phishing attacks uncovered by the investigation include: A Google Form used to impersonate an American Express account-recovery page A fake email login page hosted on mobile API Google Firebase A Google Doc used as a fake payslip for a payroll diversion scam Blocking your employees from accessing Google products and URLs would be undesirable and impractical. The only realistic way to avoid Google-exploit phishing scams is with effective email security software. Tessian Defender uses AI-driven technology to detect suspicious activity in your employees’ inboxes automatically. Click here to find out how Tessian helps defend against phishing and other social engineering attacks. Hedge Fund Forced to Close After $8 Million Phishing Attack On November 22, the Australian Financial Review revealed how hedge fund Levitas Capital was defrauded for nearly $8.7 million following a phishing attack. The attacker sent a fake Zoom invite link to one of the hedge fund’s co-founders. When they opened the Zoom link, malware was installed on their device. This allowed the attackers access to the fund’s corporate email account. Using Levitas Capital’s email account, the hacker launched a Business Email Compromise (BEC) attack, sending fraudulent invoices to the fund’s administrators and trustees. The attack was discovered in late September after an examination of the fund’s online banking records. All but $800,000 of the $8.7 million stolen was recovered before payments cleared. But the damage was done — following the attack, the fund lost its biggest client and was forced to close. This case shows how devastating phishing attacks can be — even when the direct losses are mitigated. To find out more, read our articles on wire transfer phishing and Business Email Compromise (BEC) attacks. South Korean Retailer Closes 23 Stores After Ransomware Attack South Korean fashion conglomerate E-Land group announced that it was closing 23 of its 50 stores following a ransomware attack, according to a November 22 report from news agency Yonhap. E-Land reportedly had to temporarily shut down part of its corporate network to contain the attack, meaning that nearly half of its NC Department Store and NewCore Outlet branches could not operate. A company spokesperson confirmed that the attack had targeted E-Land’s headquarters. It is unclear whether E-Land group chose to pay the ransom or whether files or data were exfiltrated as part of the attack. Ransomware continues to ravage the global economy. Last month we reported that US businesses could be breaching international sanctions rules if they attempt to salvage their files by paying a ransom. To help defend your business against ransomware and other cyberattacks, read our guide to choosing the right email security software. That’s all for this month. If we missed anything, please email [email protected] and stay tuned for the next roundup. Don’t forget: You can easily share this on social media via the buttons at the top right of this post.