Request a Demo of Tessian Today.

Automatically stop data breaches and security threats caused by employees on email. Powered by machine learning, Tessian detects anomalies in real-time, integrating seamlessly with your email environment within minutes and starting protection in a day. Provides you with unparalleled visibility into human security risks to remediate threats and ensure compliance.

Prepare for the next wave of email attacks at Fwd: Thinking on Nov 2 | Save Your Seat →

Why Organizations Need New Methods to Combat New Tricks

Over a 12-month period, Tessian detected nearly 2 million malicious emails that slipped past legacy phishing solutions. Learn more about bad actors’ tactics to understand the risk and how to combat it.

Phishing – in its many varieties – is the threat most security leaders are concerned about.

Why? Because attacks are frequent, hard-to-spot, time-consuming to investigate, and expensive to recover from. 


And most phishing solutions out there just aren’t enough. 


Native tools do a good job protecting users against bulk phishing attacks and spam, but can’t detect more sophisticated spear phishing and social engineering attacks. Phishing awareness programs help, but still leave people as the last line of defense and – as we all knowto err is human. 

That’s why, despite cybersecurity spending being at an all-time high, threats continue to land in employees’ inboxes, and, year-on-year, incidents are doubling and even tripling in frequency. 

To help you understand the risk, we analyzed nearly 2 million emails flagged by Tessian Defender as malicious to identify the what, how, who, why, and when of today’s spear phishing landscape.

Millions of emails are slipping past SEGs and native tools

Between July 2020 and July 2021, Tessian Defender analyzed roughly 4 billion emails, and flagged nearly 2 million as potentially malicious, meaning the email showed signs of impersonation, social engineering, or malicious intent. 


Ten out of twelve months, we saw an increase in the number of attacks with the biggest spike in Q3 (+45% QoQ), immediately before and following Black Friday. There was also a somewhat surprising nose-dive just in time for Christmas and New Years.

It would appear even bad actors take some time off for the holidays…


But still, 2 million emails slipped right past customers’ SEGs and native tools, leaving employees as the last line of defense against bad actors who make a sport out of staying a step ahead. 

Even with training, is it fair to expect employees to spot every malicious email that lands in their inbox? What would be the cost of just one mistake?

Don’t think you’d be fooled?
Think again.

Spear phishing attacks are more sophisticated than traditional “spray-and-pray” phishing attacks and rely on impersonation, a sense of urgency, and trust. It’s all about the art of persuasion. 


Bad actors will research their target using OSINT, pretend to be a trusted person or brand, exploit times of uncertainty or transition, use language that pressures the target to act fast, and do everything they can to ensure the email doesn’t look like the phishing attacks we see in training sessions or simulations. 

They look like the real deal; not like the Nigerian Prince scams of the 1990’s.

And 2% of the time, these malicious/fraudulent emails won’t just appear to have come from a trusted vendor or supplier’s legitimate email address, they actually will have come from it. This is called Account Takeover (ATO).  

That means if targets are only on alert for emails from suspicious domains that are riddled with grammatical errors and contain dubious attachments… they’ll never spot the phish.

Your SEG probably won’t, either.  

Cybercriminals have a type

[2021-09] Spear Phishing Report 2021 - Time of Day

When it comes to who they target, bad actors cast a wide net…


but do seem to have an affinity for Retail, Manufacturing, F&B, R&D, and Tech. But still, across all industries, Tessian flagged 14 malicious emails a year, per employee.

In terms of company size, bad actors will take whatever they can get.


Wondering why they don’t focus exclusively on the “big fish” (i.e. enterprise)?  Because smaller companies – who generally have less money to spend on cybersecurity – are often easier to infiltrate. This can be a foothold for lateral movement, especially for companies with large supply chains.

Take the 2020 SolarWinds hack, for example. After breaching the SolarWinds Orion system (a network management system that helps organizations manage their IT resources), nation-state hacking group Nobelium was able to gain access to the networks, systems, and data of thousands of SolarWinds customers, including government departments such as Homeland Security, State, Commerce, and Treasury. Affected private companies include FireEye, Microsoft, Intel, Cisco, and Deloitte.

Phishing is big business for bad guys

It’s no secret…

that bad actors create phishing campaigns with one (or more) of the following end goals in mind: 

  • Obtaining credentials
  • Initiating a wire transfer
  • Installing malware or ransomware

Our payload and keyword analysis corroborate this.

Of course, when we talk about the correlation between payloads and attack goals, there is certainly a grey area, and we won’t claim to know the specific intention of every email we’ve flagged. 

A link could lead your employee to a perfectly safe website, which could direct them to another website that deploys malware. A link could also lead someone to a look-a-like site that harvests their credentials, without the words “credentials” ever appearing in the body or subject of the email.  

Likewise, an email that doesn’t contain a payload and doesn’t contain the keyword “wire” could contain directions to update bank account details, resulting in diverted funds. An email without a payload could also be the first in a series of correspondence, designed purely to build rapport between the attacker and the target, before making a request days or weeks later.

The possibilities and combinations are endless, which is precisely why these threats are so hard to detect. 

Timing is everything

[2021-09] Spear Phishing Report 2021 - Time of Day

We’re often told that bad actors borrow best practice from marketers. If that’s the case, most phishing attacks would land in employees’ inboxes around 10 AM on Wednesdays. 

Our analysis tells a different story. 

The most malicious emails are delivered around 2PM and 6PM, with very little fluctuation day-to-day (except over the weekend). This isn’t an accident. Since employees are more likely to make mistakes when they’re stressed, tired, and distracted, the second half of the work day is a bad actor’s best bet.

This is reinforced by the fact that employees are most likely to mark an email as malicious between 9AM and 1PM, before the afternoon slump. We then see a steady decline starting at 2PM, right when the bad guys are ramping up.

  • WHAT
  • HOW
  • WHO
  • WHY
  • WHEN