In late January 2022 a specialist law firm was the target of a spear phishing campaign flagged by Tessian Defender where the threat actor attempted to impersonate the Chairman of the firm. Leveraging common social engineering tactics, the threat actor then targeted the firm’s junior employees. This is known as CEO Fraud.

Impersonation attacks are becoming a mainstay for threat actors. Based on our investigation  into the 2021 spear phishing landscape, we determined that 60% of the malicious emails seen in Tessian’s network relied on generic impersonation techniques, including freemail impersonation and Display Name Impersonation. An additional 30% relied on more advanced impersonation techniques, including direct impersonation like domain spoofing, direct spoofing and account takeover (ATO).

The Attack   The attacker leveraged the name of the chairman and used a freemail domain. Display name and domain name impersonation spoofs accounted for 4.9% of all malicious email detected and prevented by Tessian in 2021.

Email Content: Sender Address: <Name of Chairman>.<Website Domain>@gmail[.]com Display Name <Name of Chairman> Subject:  <Name of Chairman> Body: Asking if recipients have time available Expressing a sense of urgency Links & Attachments None   The threat actor registered an email address using Gmail and chose a username that contained the name of the law firm’s chairman, together with the domain used for it’s website. They also changed the display name associated with the account to match the name of the chairman as it appeared on the firm’s website.   After that, the attacker drafted an email with a generic message containing a call to action, asking the recipient “are you available?”. It was sent to +200 individuals at the firm.   The email did not contain links or attachments when it was sent, just the message added by the threat actor. This indicates intent to engage in social engineering via correspondence with recipients.

This style of phishing usually leads to the threat actor trying to convince the recipient to send money or share information that could be leveraged for a more advanced phishing attack. This low-cost-of-effort phishing attempt explains why social engineering now accounts for 70-90% of all successful breaches.   In other cases it can involve sending a few messages back and forth to establish a baseline of trust, before sending a malicious attachment or URL in subsequent emails. Having established trust, the recipient is more likely to click without feeling much concern or suspicion. This also explains why advanced social engineering threats bypass detection by legacy Secure Email Gateways (SEGs), either due to the sophisticated degree of subterfuge in name and domain name spoofing, or because the malicious payload is not present in the initial email.

The Approach   The majority of phishing attacks using this approach will typically come from addresses registered by a threat actor, for example, looking something like “partner1234@gmail[.]com” or “manager5678@hotmail[.]com”.    Attackers use freemail accounts because of their utility in carrying out attacks and zero cost. Freemail accounts that deliver malicious payloads via a proxy server are also notoriously difficult to trace for attribution. Accounts like this will continue to be used to target multiple organizations.   In the case of this attack the address was created as “<Name of Chairman>.<Website Domain>@gmail[.]com”, this indicates deliberate intent to target this firm specifically.    The fact that the threat actor sent the email to +200 junior members of the firm indicates a higher level of planning and reconnaissance than most of these types of attacks typically have.    Our research confirms that law firms are targeted 31% of the time for impersonation style phishing attacks.  And firms tend to post details of most employees on their websites including names, email addresses and positions held. Many are also active on networking platforms like LinkedIn. This makes reconnaissance very easy for threat actors.

In the case of this impersonation campaign, the threat actor will have found the firm’s people page, searched for a senior individual to impersonate, then filtered down to the more junior individuals to target.    The C-Suite was impersonated in this attack to amplify the call to action in the messaging and to increase the sense of urgency felt by the targets. Likewise, junior employees were targeted in this attack because they were possibly seen as being more likely to comply with instructions received from senior management.    Another hypothesis could be that the threat actor was seeking to gain more information to wage a secondary spear phishing attack, targeting more strategic positions in the firm such as the finance department.

Real-time, comprehensive email protection Tessian was able to detect the phishing techniques deployed by the threat actor for this campaign. Tessian recognized the law firm’s domain in the local part of the email address and the name of the chairman in the display name. It also detected suspicious keywords indicative of an urgent call to action, which included “are you available?” and “quick”.    Tessian also detected that the address used by the attacker had not been observed in historical emails sent to anyone at the law firm.   Many of the recipients at the law firm responded to the in-the-moment security warning message from Tessian and confirmed that the email was actually malicious.   All it takes is one click.    This example underscores the relentless pursuit of threat actors, attempting to gain access to an organization’s crown jewels. As attacks become more advanced, it requires a defense-in-depth approach to email security. Leveraging email security solutions that have behavioral detection and in-the-moment security awareness training capabilities is now table stakes to securing your email ecosystem.

Appendix: MITRE ATT&CK Framework The tactics and techniques used by the threat actor can be inferred up to the point the email was received.   TA0043: Reconnaissance – https://attack.mitre.org/tactics/TA0043/ Gather Victim Org Information – https://attack.mitre.org/techniques/T1591/ Identify Roles – https://attack.mitre.org/techniques/T1591/004/   T1589: Gather VIctim Identity Information – https://attack.mitre.org/techniques/T1589 T1589.002: Email Addresses – https://attack.mitre.org/techniques/T1589/002 T1589.003: Employee Names – https://attack.mitre.org/techniques/T1589/003   The threat actor carried out reconnaissance activities against the target’s website. Here they identified the key individuals to impersonate and target. Using the people directory available on the website they were able to identify the chairman of the law firm to impersonate via email and get a list of names and email addresses for associates at the firm to target.    TA0042: Resource Development – https://attack.mitre.org/tactics/TA0042 T1585: Establish Accounts – https://attack.mitre.org/techniques/T1585/ T1585.002: Email Accounts – https://attack.mitre.org/techniques/T1585/002/   After identifying a high ranking member of the firm, the threat actor registered an email account with Gmail. They created an account with a username containing the name of the chairman of the firm as well as the domain used for the firm’s website. They also changed the display name associated with the account to that of the chairman.   TA0001: Initial Access – https://attack.mitre.org/tactics/TA0001 T1566: Phishing – https://attack.mitre.org/techniques/T1566/   With a free email address registered, a senior staff member to impersonate and a list of victims to target, the threat actor sent an email to more than 200 associates at the firm. The email contained a message explaining they were the chairman of the firm and wanted to know if they were available to help them quickly.    TA0005: Defense Evasion – https://attack.mitre.org/tactics/TA0005/   The threat actor avoided detection through conventional means by registering a new email address and not including a malicious link or attachment in their initial email. SEGs typically rely on known IOCs to be able to detect malicious activity. Since there was no attachment or URL in this case, there was nothing to scan or lookup the reputation for.   MITRE D3FEND Framework Most of the techniques used by the threat actor were reconnaissance-based and occured at the pre-compromise phase outside of the scope of typical defenses and controls meaning they could not be easily mitigated without advanced email protection.   Detect – https://d3fend.mitre.org/tactic/d3f:Detect D3-SRA: Sender Reputation Analysis – https://d3fend.mitre.org/technique/d3f:SenderReputationAnalysis   Sender reputation analysis can be used to detect unwanted or malicious emails by analyzing information about the sender. This can include information over time such as the number of emails received, number of recipients, number of emails replied to etc.   The problem with this attack is the email address used by the threat actor will likely have been recently registered using a reputable freemail service and would have been unseen to the law firm before. This means there is limited information available to determine the sender reputation. Detection can be done based on the email address having not been seen before; however with legacy email security controls this type of detection can generate high levels of alerts and false positives.  

If you thought the end of lockdowns might mean a drop in romance fraud scams, well, prepare to be heart broken… Lonely hearts looking for love are highly attractive… to scammers that is. The number of people targeted by romance fraud scams has nearly doubled in 2021, according to our latest research.

By adopting a fake identity or even impersonating a celebrity online, cybercriminals will spin a story to trick and manipulate their victims into sharing money or information that could be used to later commit identity fraud. Oftentimes, they won’t ask for the money outright. They’ll build trust over time, building a relationship. These are tried and tested social engineering tactics that are designed to manipulate human emotions – and they sadly can work on anyone.   32% of respondents have received a romance fraud scam in the last 12 months – a significant increase from the 18% of people surveyed previously.  Isolating the US, 43% said they had received a romance fraud scam – up from 29% in 2021 – and in the UK, 14% said they had been targeted by romance scammers – up from 8% in 2021.    Why are scammers investing in this particular type of attack? Because vulnerable people make easy targets. Loneliness was a public health issue back in 2018, and COVID just made everything a lot worse. Which is why incidents of romance fraud have surged during the pandemic. What’s more, we’re now much more used to conducting all aspects of our lives online, often asynchronously, rather than face to face in real life.

How are romance scams delivered? Email remains – just – the most popular attack vector for romance scams. When we asked which platforms they had received ‘romance’ messages on, personal email ranked top with 51% of respondents saying they had received fraudulent phishing emails from ‘love interests’ via this channel. This was hotly followed by 50% of respondents, who said they had received messages via Facebook. 45% had been targeted over text messages. Of course this may be the ‘tip of the iceberg’, as many victims are too embarrassed to come forward.

The rise of the celebrity love interest   Worryingly, a number of stories of cybercriminals impersonating celebrities have been reported to the media in the last 12 months. One woman was duped by a scammer pretending to be Nicolas Cage, conning her out of nearly $14,000. The continuing rise in romance fraud shows just how cybercriminals continue to exploit people’s vulnerabilities as they did during the pandemic.

Tessian’s top tips for spotting a romance scam   • Here’s our advice to avoid falling for a romance scam:    • Question any requests for personal or financial information from individuals you do not know or have not met in person, and to verify the identity of someone they’re speaking to via a video call.   • Never send money or a gift online to someone who you haven’t met in person.   • Keep social media profiles and posts private. Scammers will trawl social media to discover their victims and find information that they can use to build a relationship with you.    • Don’t accept friend requests or DMs from people you don’t know personally.    • Be suspicious of requests from someone you’ve met on the internet. Scammers will often ask for money via wire transfers or reload cards because they’re difficult to reverse.   • Be wary of any email you receive from someone you don’t know.    • Never click on a link or download an attachment from an unusual email address.   • Remember, if it sounds too good to be true, it probably is.   The FBI and Action Fraud has also provided citizens with useful advice on how to avoid falling for a romance scam and guidance for anyone who thinks they may have already been targeted by a scammer. 

This week, Tessian’s threat intelligence researchers detected a relatively sophisticated phishing attempt impersonating PayPal, the global payment services provider. The threat actor sent an email requesting action from the victim, prompting them to click on the login button, leading to a malicious website. The email that was received  

Social engineering-based cyber attacks like this, usually leveraging a form of phishing via email, have become a common phenomenon both at work and in our personal lives. Threat actors are able to perpetrate these attacks through a range of techniques,  leveraging information gathered by random coincidence or through open source intelligence (OSINT) tactics.    In fact 70-90% of all successful breaches are attributed to social engineering, with 96% of all phishing attacks delivered via email. This is why advanced phishing attacks are seen as a growing cybersecurity challenge.

All it takes is one click   Phishing attempts are used for a range of cybercriminal objectives, for example delivering malware including ransomware onto unsuspecting victims’ computers. Often phishing campaigns are also waged for the harvesting of credentials to execute an account takeover (ATO) attack.    They’re difficult to spot, too. Phishing attempts can appear to be very legitimate, even to the trained eye.

The phishing attempt targeted PayPal customers, and used common phishing tactics, including leveraging corporate logos hosted via a third-party service provider, and creating a sense of urgency by stating that “Your PayPal Account Has Been Temporarily Restricted”.    But, when you actually click “Login to PayPal” as instructed, you’re directed to   hxxps://me2[.]do/xZD4rPKB Which redirects to hxxps://docs[.]05fmxoujyghzb[.]club/tmp/index/wildtt.php?97giuywdae   Despite the unusual URL, the landing page looks legitimate, and will prompt users to enter their login details. This information is then captured by cybercriminals in a scheme known as credential harvesting.    Just as every effort was taken to make the webpage look legitimate, every effort was also taken to mimic the authenticity of a legitimate PayPal customer email, including:

Email images  The email source points to linkpicture[.]com domain, a used free image hosting service. The primary reason for using a free service like this? It enables the threat actor to avoid any tie-backs to personal infrastructure, which enables a relatively high degree of anonymity and separation for carrying out the attack.

Quoted printable encoding   The threat actor also used quoted printable encoding inside key email fields and sections of the HTML body of the email – a common tactic for obfuscating spam filters. Web browsers automatically decode this encoded text to readable text displayed to the end user.  Sender

Display Name Decoded When adding the display name the attacker attempted to double encode part of it but this didn’t work which is why the first string does not fully decode. Body – Email Headline

Email Headline Decoded

Enhancing “authenticity”   Impersonating well-known and trusted brands like PayPal is a common modus operandi for phishing attacks. According to Tessian research and the analysis of 2 million malicious emails, Microsoft, Amazon, and Zoom all ranked among the top most impersonated brands. Likewise, the financial services sector tends to be heavily targeted in phishing attacks.    The threat actor also used what appears to be legitimate footer links from PayPal to enhance the appearance of authenticity of the phishing email – another common tactic observed in phishing attempts. The links included however are empty and have no URL  included.

Additional observations of interest, and avenues for further research   The HTML body contains the name of a UK based retailer “Sainsbury’s” indicating the reuse of this template for likely earlier phishing attempts, targeting a different retailer’s customers. The threat actor has, in this instance, forgotten to update the information. There might be utility in purchasing similar phishing templates off the dark web to identify phishing attack trends and indicators.   It also pays dividends for organizations to stay aware of how email security threats are evolving, with threat actors continuously adapting social engineering methods to bypass legacy, rule-based email security controls. Educating employees about threats and how to spot them is important, too. What to do if an email if you think an email is suspicious   Now that we’ve examined this particular example, we need to address what you should do if you suspect you’re being targeted by a phishing attack.   If anything seems unusual, do not follow or click links or download attachments.  If the email appears to be from a government organization or another trusted institution, visit their website via Google or your preferred search engine, find a support number, and ask them to confirm whether the communication is valid. If the email appears to come from someone you know and trust, like a colleague, reach out to the individual directly by phone, Slack, or a separate email thread. Rest assured, it’s better to confirm and proceed confidently than the alternative.  Contact your line manager and/or IT team immediately and report the email.  

With an average cost to businesses of $5.01 million per breach, it’s no surprise that the FBI has named Business Email Compromise (BEC) a “$26 billion scam”, and the threat is only increasing. Business Email Compromise (BEC) attacks use real or impersonated business email accounts to defraud employees. In 2020, BEC scammers made over $1.8 billion – far more than via any other type of cybercrime.  You can find more information on what exactly BEC is and how it works in this article: What is Business Email Compromise and How Does it Work? , and understand how Tessian prevents BEC, across industries here.  But what does a BEC attack look like in real-life? This article details 16 examples of BEC attacks that have cost victims money, time, and reputation, to help you avoid making the same mistakes.

1. Facebook and Google: $121m BEC scam  First, let’s look at the biggest known BEC scam of all time: a VEC attack against tech giants Facebook and Google that resulted in around $121 million in collective losses. The scam took place between 2013 and 2015 — and the man at the center of this BEC attack, Evaldas Rimasauskas, was sentenced to five years in prison in 2019. So how did some of the world’s most tech-savvy employees fall for this elaborate hoax? Rimasauskas and associates set up a fake company named “Quanta Computer”  — the same name as a real hardware supplier. The group then presented Facebook and Google with convincing-looking invoices, which they duly paid to bank accounts controlled by Rimasauskas. As well as fake invoices, the scammers prepared counterfeit lawyers’ letters and contracts to ensure their banks accepted the transfers. The Rimasauskas scam stands as a lesson to all organizations. If two of the world’s biggest tech companies lost millions to BEC over a two-year period — it could happen to any business.   2. Ubiquiti: $46.7m vendor fraud In August 2015, IT company Ubiquiti filed a report to the U.S. Securities and Exchange Commission revealing it was the victim of a $46.7 million “business fraud.” This attack was an example of a type of BEC, sometimes called Vendor Email Compromise (VEC). The scammers impersonated employees at a third-party company and targeted Ubiquiti’s finance department. We still don’t know precisely how the cybercriminals pulled off this massive scam. VEC attacks previously relied on domain impersonation and email spoofing techniques, but these days, scammers are increasingly turning to the more sophisticated account takeover method.   3. Toyota 2019: $37 million BEC attack Kicking things off with a name you may recognize – in 2019 Japan’s Toyota Boshoku Corporation was hit with a $37 million BEC attack. The huge size of the company meant that though $37 million may appear alarming to you or I, hackers were able to implore an employee to transfer the sum out of the European subsidiary before being detected.  With BEC on the rise, and this attack being the third that Toyota had experienced that year so far, critics say that Toyota should have been on the lookout for the scam. As Toyota learnt the hard way, BEC attacks often exist in multiples – with one attack opening the door to many more as money, IP, data or identities are stolen.

4. Obinwanne Okeke: $11 million in losses In February 2021, celebrated entrepreneur Obinwanne Okeke was sentenced to 10 years in prison for his involvement in a BEC scheme that resulted in at least $11 million in losses to his victims. Using phishing emails to secure the login credentials of business executives (including the CFO of British company Unatrac Holding), these initial phishing scams then acted as a platform for BEC.  As is often the case, BEC was just one part of a tapestry of fraud and cybercrime, with Okeke also creating fraudulent webpages to further manipulate his victims. The money transfers also went directly into overseas accounts, meaning that local law enforcement couldn’t aid in recovering them.   5. Scouler Co.: $17.2m acquisition scam This example demonstrates how fraudsters can play on a target’s trust and exploit interpersonal relationships. In June 2014, Keith McMurtry, an employee at Scouler Co, a company in Omaha, Nebraska, received an email supposedly from his boss, CEO Chuck Elsea. The email informed McMurty that Scoular was set to acquire a Chinese company. Elsea instructed McMurty to contact a lawyer at accounting firm KPMG. The lawyer would help facilitate a transfer of funds and close the deal.  McMurty obeyed, and he soon found himself transferring $17.2 million to a Shanghai bank account in the name of “Dadi Co.” The CEO’s email, as you might have guessed, was fraudulent. The scammers had used email impersonation to create accounts imitating both Elsea and the KPMG lawyer. Aside from the gargantuan $17.2m loss, what’s special about the Scoular scam? Take a look at this excerpt from the email, provided by FT.com, from “Elsea” to McMurty: “We need the company to be funded properly and to show sufficient strength toward the Chinese. Keith, I will not forget your professionalism in this deal, and I will show you my appreciation very shortly.”Given the emotive language, the praise, and the promise of future rewards — it’s easy to see why an employee would go along with a scam like this.   6. Homeless Charity, Treasure Island: $625,000 BEC loss BEC rates have been rising for several years, as demonstrated by 2021 data from the FBI’s Internet Crime Complaint Center (IC3). So perhaps it’s unsurprising—if somewhat disheartening—that law enforcement agencies are struggling to cope with all the BEC incidents that companies are reporting to them. In June 2021, we learned that San Fransisco-based homelessness charity Treasure Island fell victim to a devastating, month-long $625,000 BEC attack after hackers infiltrated the organization’s bookkeeper’s email system. The hackers found and manipulated a legitimate invoice used by one of Treasure Island’s partner organizations. Staff at Treasure Island transferred a loan intended for the partner organization straight into the cybercriminals’ bank account.  The nonprofit sadly lacked cybercrime insurance. But even worse—the U.S. Attorney’s Office in San Fransisco, which would have been responsible for leading an investigation into the BEC attack, reportedly declined to investigate the incident. This case serves as a reminder that, when it comes to cybercrime, prevention is always better than cure. Building security into your systems is the only viable way to avoid the losses associated with BEC attacks.   7. Government of Puerto Rico: $2.6 million transfer In early 2020, while dealing with the aftermath of a 6.4-magnitude earthquake, the Puerto Rican government discovered they had fallen victim to a BEC scam. The direct victim of the scam was Rubén Rivera, finance director of Puerto Rico’s Industrial Development Company who mistakenly transferred over $2.6 million to a fraudulent bank account. Rivera had received an email explaining that there had been a change to the bank account tied to remittance payments. The email had come from a hacked email account of an employee of the Puerto Rico Employment Retirement System.  Three employees were suspended after the attack and fortunately, the money, which included public pension funds, was frozen by the FBI. Manuel Labor, executive director of the Industrial Development Company insisted that the incident “did not affect and will not affect pension payments to retirees”.

8. St. Ambrose Catholic Parish: $1.75 million While enjoying the recent restoration and repair of the church roof, St. Ambrose Catholic Parish in Ohio was given a nasty surprise when it fell victim to a BEC attack. Hackers pretended to be the construction firm that had repaired the roof, and emailed parish officials claiming that they had not been paid in two months. The parish swiftly wired $1.75 million into a fraudulent account, and the perpetrators swept it out before anyone knew what had happened. On top of hiring a third-party cybersecurity firm to assess their system and policies, the parish resolved to start sending manual checks again instead of wire transfers to stop any future fraudsters in their tracks.   9. Guillermo Perez: $2.2 million From (at least) October 2018 to October 2019, Guillermo Perez and his co-conspirators led a BEC scam that made them $2.2 million richer (allegedly – he’s awaiting trial). As part of the scheme, Perez and co-conspirators provided banks with false and misleading information regarding their affiliations. Lured into a false sense of security, the banks then opened business accounts for them that were fraudulent. Perez and his fellow attackers then used BEC to manipulate victims into transferring over $2.2 million into the fraudulent accounts – money that was moved swiftly into the attackers’ pockets. 10. Save the Children: $1 million There is seemingly no limit to who BEC attackers will target – as demonstrated in 2018 with an attack on Save the Children that cost the charity $1 million. The attacker gained access to an employee’s email account and from there sent fake invoices and other documents pretending that the money was needed to pay for health centre solar panels in Pakistan. The charity has had a base there for decades, so the attack was well-researched and effective, and before the scam was exposed the money had already been deposited in a Japanese bank account.   11. Noel Chimezuru Agoha, Sessieu Ange Oulai and Kelechi Arthur Ntibunka: $1.1 million In March 2021, Noel Chimezuru Agoha, Sessieu Ange Oulai, and Kelechi Arthur Ntibunka were charged with conspiracy to commit wire fraud, conspiracy to commit money laundering, and aggravated identity theft. This was all as (allegedly) part of a series of BEC scams that saw the attackers pose as clients of victims to intercept payments totaling over $1.1 million dollars. The BEC scam was accompanied by a dating scam, which involved manipulating victims on dating websites into believing they were in a romantic relationship with the scammers, and coaxing them into sending money. These scams exemplify the sophisticated social engineering techniques that are often found in BEC and other forms of cyberattacks.

12. Atlanta BEC scammer: Sentenced after making $250,000+ In June 2021, an Atlanta court sentenced Anthony Dwayne King to two and a half years in prison for his role in a BEC scam—but only after he’d earned nearly $250,000 ripping off businesses and individuals across four U.S. states. Between October 2018 and February 2019, King and his accomplices conducted BEC and vishing (phone phishing) operations, setting up fake companies and opening fraudulent bank accounts to redirect wire transfers. The cybercriminals targeted law firms and home movers but were thwarted by Georgia’s Cyber Fraud Task Force. As well as serving federal prison time, King will have to repay the money he stole from his victims.   13. Gift card scams Gift card BEC scams have always been popular amongst the cybercrime community – and according to the FBI, the prevalence of this type of scam is only increasing. Victims receive an email from attackers masquerading as an authority figure asking victims to purchase gift cards for personal or business reasons. Sometimes the attacker will also request a wire transfer payment, much like the classic BEC scam. An example of this type of attack was seen in 2019 when attackers impersonated Rabbis in Virginia and convinced their synagogue congregants to purchase gift cards for a fundraiser and told them to send back pictures of the serial numbers. As you might imagine, this type of attack is particularly common during the holiday season and Black Friday. According to a report from the Anti-Phishing Working Group, 66% of BEC attacks included a request for gift card payment in the second quarter of 2020.   14. Snapchat payroll information breach Many high-profile BEC attacks target a company’s finance department and request payment of an invoice to a new account. But not all BEC scams involve wire transfer fraud. Here’s an example of how BEC scams can target data, as well as money. In February 2016, cybercriminals launched a BEC attack against social media firm Snapchat. Impersonating Snapchat’s CEO, the attackers obtained “payroll information about some current and former employees.” The scam resulted in a breach of some highly sensitive data, including employees’ Social Security Numbers, tax information, salaries, and healthcare plans. Snapchat offered each affected employee two years of free credit monitoring and up to $1 million in reimbursement.

One of the leading challenges cybersecurity and risk leaders face is demonstrating the return on investment (ROI) of security tools deployed in their environments. Having easy access to data-rich cybersecurity metric reporting is increasingly a differentiator between the best-of-breed cybersecurity solutions and the rest.   At a tactical level and in a crowded cybersecurity stack, cyber metric reporting helps security leaders determine whether the tool deployed is having the desired effect (i.e. reducing cybersecurity risk.) Cyber metric reporting also plays a key role in annual budget justification –  an especially relevant consideration within the first 12 months of a tool’s deployment or upon contract renewal.   At a strategic level, with cybersecurity risk increasing, having access to, and being able to, report relevant cyber risk metrics on demand is essential for cybersecurity and risk leaders.   Regular and easy to understand cyber risk metrics reporting is fundamental for garnering executive and employee level support for cybersecurity initiatives and  plays a key role in improving the security culture and posture of an organization.

Tessian automated reporting: visibility on ROI   We know CISO time comes at a premium that is why time shouldn’t be spent validating past procurement decisions. This is why we engineered our reporting platform with the CISO in mind. But we also made it accessible for the non-security professional.   The latest automated reporting release from Tessian enables security leaders to stay focussed on their core tasks by delivering rich insight on demand.    The reporting capability extends across all of Tessian’s modules: email security and Data Loss Prevention (DLP).

Here are 5 benefits of Tessian’s automated email security metric reporting   1: Save time with automated reporting. Reporting email related incidents and associated risk to leadership is a core task for every security leader. On average organizations spend up to 600 hours per month dealing with employee-related emails security incidents, with 40% of organizations reporting 10 or more incidents per month.   The automated email security risk reporting from Tessian allows cybersecurity and risk leaders to stay focussed on their main job of keeping their organizations safe and secure, without the need for manual reporting. 

2: Employee-level email security risk distilled. At a glance, security leaders  are able to see how email cybersecurity risk is trending over a period of time, down to the employee level. This includes insight on the total number of inbound and outbound emails analyzed, as well as providing insight on threat vectors such as phishing attacks, data loss, and security awareness. 

3: Deep reporting insight on every module. Often cyber metric reports are diluted and not very useful. Granularity of threat intelligence reporting is at the core of Tessian’s automated reporting, providing module specific insight. For example on the Tessian Enforcer module that prevents data exfiltration (see below), reporting details include the total number of sensitive events, the severity of those events, as well as insight on the user experience.

4: Accessible, forensic-level threat intel with actionable insight. The reporting capability includes data rich and actionable insight on the types of email delivered attacks and threats thwarted – and is presented in user-friendly reports. Report recipients are also able to dig deeper on specific threat events documented in the report.

5: Automated reporting. Reports are available on demand or can be delivered to any employee on the recipient email list on a weekly, monthly or quarterly basis. And recipients have the ability to download the PDF report for this specific module (or any of the Tessian modules).

Client feedback on the new automated reporting capability has been overwhelmingly positive, with consensus that it takes the pain out of reporting and allows security and risk leaders to focus on their core tasks: keeping their organizations safe and secure.

By providing intuitive insight into cybersecurity risk mitigation measures, it is also playing an integral role in improving the security culture and hardening the security posture of client’s organizations. Automated reporting is one more reason why you need Tessian in your environment.   Click here to book a demo of our market leading email security and DLP platform.

Looking for something more visual? Check out this infographic of the key statistics.

The frequency of phishing attacks Phishing is a huge threat and growing more widespread every year. In 2021 Tessian research found that employees receive an average of 14 malicious emails per year. Some industries were hit particularly hard, with retail workers receiving an average of 49. ESET’s 2021 research found a 7.3% increase in email-based attacks between May and August 2021, the majority of which were part of phishing campaigns. And 2021 research from IBM confirmed this trend, citing a 2 percentage-point rise in phishing attacks between 2019 and 2020, partly driven by COVID-19 and supply chain uncertainty. CISCO’s 2021 Cybersecurity threat trends report suggests that at least one person clicked a phishing link in around 86% of organizations. The company’s data suggests that phishing accounts for around 90% of data breaches. There’s an uneven distribution in phishing attacks throughout the year. Cisco found that phishing tends to peak around holiday times, finding that phishing attacks soared by 52% in December. We’ve written about a similar phenomenon that typically occurs around Black Friday.

How phishing attacks are delivered 96% of phishing attacks arrive by email. Another 3% are carried out through malicious websites and just 1% via phone. When it’s done over the telephone, we call it vishing and when it’s done via text message, we call it smishing. The increase in phishing attacks means email communications networks are now riddled with cybercrime. Symantec research suggests that throughout 2020, 1 in every 4,200 emails was a phishing email. When it comes to targeted attacks, 65% of active groups relied on spear phishing as the primary infection vector. This is followed by watering hole websites (23%), trojanized software updates (5%), web server exploits (2%), and data storage devices (1%). 

The most common subject lines According to Symantec’s 2019 Internet Security Threat Report (ISTR), the top five subject lines for business email compromise (BEC) attacks:  Urgent  Request  Important  Payment  Attention Analysis of real-world phishing emails revealed these to be the most common subject lines in Q4, 2020:  IT: Annual Asset Inventory  Changes to your health benefits  Twitter: Security alert: new or unusual Twitter login  Amazon: Action Required | Your Amazon Prime Membership has been declined  Zoom: Scheduled Meeting Error  Google Pay: Payment sent  Stimulus Cancellation Request Approved  Microsoft 365: Action needed: update the address for your Xbox Game Pass for Console subscription  RingCentral is coming!  Workday: Reminder: Important Security Upgrade Required

Research from Cofense suggests phishing emails are slightly more like to contain a link to a malicious website (38%) than a malicious attachment (36%). The most common malicious attachments 2021 Tessian research suggests that PDFs are the most common type of malicious file attached with phishing emails. This trusted and versatile file format can be used to hide phishing links, run JavaScript, and deliver fraudulent invoices. SonicWall’s 2021 Cyber Threat report suggests that there was a huge jump in the number of malicious PDFs and Microsoft Office files (sent via email) between 2018 and 2020. Workers are particularly likely to click these trusted formats. The volume of malicious Office and PDF files did start to dip in 2021, however, as some workers returned to working in the office. However, it’s important to note—as users become more wary of opening suspicious-looking files—that many malicious emails don’t contain an attachment. In fact, 2021 Tessian research found that 76% of malicious emails did not contain an attachment. The data that’s compromised in phishing attacks The top three “types” of data that are compromised in a phishing attack are: Credentials (passwords, usernames, pin numbers) Personal data (name, address, email address) Medical (treatment information, insurance claims) When asked about the impact of successful phishing attacks, security leaders cited the following consequences: 60% of organizations lost data 52% of organizations had credentials or accounts compromised 47% of organizations were infected with ransomware 29% of organizations were infected with malware 18% of organizations experienced financial losses

The cost of a breach In 2021, RiskIQ estimated that businesses worldwide lose $1,797,945 per minute due to cybercrime—and that the average breach costs a company $7.2 per minute. IBM’s 2021 research into the cost of a data breach ranks the causes of data breaches according to the level of costs they impose on businesses.  Phishing ranks as the second most expensive cause of data breaches—a breach caused by phishing costs businesses an average of $4.65 million, according to IBM. And Business Email Compromise (BEC)—a type of phishing whereby the attackers hijack or spoof a legitimate corporate email account—ranks at number one, costing businesses an average of $5.01 million per breach. That’s not the only way phishing can lead to a costly breach—attacks using compromised credentials were ranked as the fifth most costly cause of a data breach (averaging $4.37 million). And how do credentials get compromised? More often than not, due to phishing. On the plus side, IBM found that businesses with AI-based security solutions experienced a significant reduction in the costs associated with a data breach. In fact, AI security solutions were found to be the biggest factor in cutting breach costs, from $6.71 million to $2.90 million. According to Verizon, organizations also see a 5% drop in stock price in the 6 months following a breach. Losses from business email compromise (BEC) have skyrocketed over the last year. The FBI’s Internet Crime Report shows that in 2020, BEC scammers made over $1.8 billion – far more than via any other type of cybercrime. And, this number is only increasing. According to the Anti-Phishing Working Group’s Phishing Activity Trends Report, the average wire-transfer loss from BEC attacks in the second quarter of 2020 was $80,183. This is up from $54,000 in the first quarter. This cost can be broken down into several different categories, including: Lost hours from employees Remediation Incident response Damaged reputation Lost intellectual property Direct monetary losses Compliance fines Lost revenue Legal fees Costs associated remediation generally account for the largest chunk of the total. Importantly, these costs can be mitigated by cybersecurity policies, procedures, technology, and training. Artificial Intelligence platforms can save organizations $8.97 per record.

The most targeted industries CISCO’s 2021 data suggests that financial services firms are the most likely to be targeted by phishing attacks, having been targeted by 60% more phishing attacks than the next-highest sector (which CISCO identifies as higher education). Tessian’s 2021 research suggests workers in the following industries received a particularly large quantity of malicious emails: Retail (an average of 49 malicious emails per worker, per year) Manufacturing (31) Food and beverage (22) Research and development (16) Tech (14) Phishing by country Not all countries and regions are impacted by phishing to the same extent, or in the same way. Here are some statistics from another source showing the percentage of companies that experienced a successful phishing attack in 2020, by country: United States: 74% United Kingdom: 66% Australia: 60% Japan: 56% Spain: 51% France: 48% Germany: 47% Phishing awareness also varies geographically. Here’s the percentage of people who correctly answered the question: “What is phishing?”, by country: United Kingdom: 69% Australia: 66% Japan: 66% Germany: 64% France: 63% Spain: 63% United States: 52% As you can see, there’s no direct correlation between phishing awareness and phishing susceptibility, which is why security training isn’t enough to prevent cybercrime. The most impersonated brands 2021 Tessian research found these to be the most commonly impersonated brands in phishing attacks: Microsoft ADP Amazon Adobe Sign Zoom The common factor between all of these consumer brands? They’re trusted and frequently communicate with their customers via email. Whether we’re asked to confirm credit card details, our home address, or our password, we often think nothing of it and willingly hand over this sensitive information. But it’s not just consumer brands that scammers impersonate. Public bodies are also commonly mimicked in phishing scams. Between August 2020 and July 2021, the UK’s tax authority (HMRC) reported: Over than 450 COVID-19-related financial support scams More than one million reports of “suspicious contact” (namely, phishing attempts) More than 13,000 malicious web pages (used as part of phishing attacks) The rates of phishing and other scams reported by HMRC more than doubled in this period.

Facts and figures related to COVID-19 scams Phishing scammers had a field day exploiting the fear and uncertainty that arose as a result of COVID-19. Crowdstrike identified the following most common themes among COVID-related phishing emails  Exploitation of individuals looking for details on disease tracking, testing and treatment  Impersonation of medical bodies, including the World Health Organization (WHO) and U.S. Centers for Disease Control and Prevention (CDC)  Financial assistance and government stimulus packages  Tailored attacks against employees working from home  Scams offering personal protective equipment (PPE)  Passing mention of COVID-19 within previously used phishing lure content (e.g., deliveries, invoices and purchase orders) And the COVID phishing surge is far from over. In December 2021, the US Federal Trade Commission (FTC) launched a new rule-making initiative aiming to combat the tidal wave of COVID scams, having received 12,491 complaints of government impersonation and 8,794 complaints of business impersonation related to the pandemic.

Phishing and the future of work The move to remote work has presented many challenges to business—and the increased range, frequency, and probability of security incidents are among the most serious. New working habits have contributed to the recent surge in phishing because IT teams have less oversight over how colleagues are using their devices and can struggle to provide support when things go wrong. According to Microsoft’s New Future of Work Report:  80% of security professionals surveyed said they had encountered increased security threats since the shift to remote work began.  Of these, 62% said phishing campaigns had increased more than any other type of threat. Employees said they believed IT departments would be able to mitigate these phishing attacks if they had been working in the office Furthermore, an August 2021 survey conducted by Palo Alto Networks found that: 35% of companies reported that their employees either circumvented or disabled remote security measures Workers at organizations that lacked effective remote collaboration tools were more than eight times as likely to report high levels of security evasion 83% of companies with relaxed bring-your-own-device (BYOD) usage led to increased security issue

What can individuals and organizations do to prevent being targeted by phishing attacks? While you can’t stop hackers from sending phishing or spear phishing emails, you can make sure you (and your employees) are prepared if and when one is received. You should start with training. Educate employees about the key characteristics of a phishing email and remind them to be scrupulous and inspect emails, attachments, and links before taking any further action. Review the email address of senders and look out for impersonations of trusted brands or people (Check out our blog CEO Fraud Email Attacks: How to Recognize & Block Emails that Impersonate Executives for more information.) Always inspect URLs in emails for legitimacy by hovering over them before clicking Beware of URL redirects and pay attention to subtle differences in website content Genuine brands and professionals generally won’t ask you to reply divulging sensitive personal information. If you’ve been prompted to, investigate and contact the brand or person directly, rather than hitting reply But, humans shouldn’t be the last line of defense. That’s why organizations need to invest in technology and other solutions to prevent successful phishing attacks. But, given the frequency of attacks year-on-year, it’s clear that spam filters, antivirus software, and other legacy security solutions aren’t enough. That’s where Tessian comes in. By learning from historical email data, Tessian’s machine learning algorithms can understand specific user relationships and the context behind each email. This allows Tessian Defender to not only detect, but also prevent a wide range of impersonations, spanning more obvious, payload-based attacks to subtle, social-engineered ones.

This post is part two of Why Confidence Matters, a series about how we improved Defender’s confidence score to unlock a number of important features. You can read part one here.   In this part, we will focus on how we measured the quality of confidence scores generated by Tessian Defender. As we’ll explain later, a key consideration when deciding on metrics and setting objectives for our research was a strong focus on product outcomes.   Part 2.1 – Confidence score fundamentals   Before we jump into the particular metrics and objectives we used for the project, it’s useful to discuss the fundamental attributes that constitute a good scoring model.   1. Discriminatory power   The discriminatory power of a score tells us how good the score is at separating between positive (i.e. phishy) and negative examples (i.e. safe). The chart below illustrates this idea.    For each of two models, the image shows a histogram of the model’s predicted scores on a sample of safe and phish emails, where 0 is very sure the email is safe and 1 is absolutely certain the email is phishing.    While both are generally likely to assign a higher score for a phishing email than a safe one, the example on the left shows a clearer distinction between the most likely score for a phishing vs a safe email.

 

Discriminatory power is very important in the context of phishing because it determines how well we can differentiate between phishing and safe emails, providing a meaningful ranking of flags from most to least likely to be malicious. This confidence also unlocks the ability for Tessian Defender to quarantine emails which are likely to be phishing, and reduce flagging on emails we are least confident about, improving the precision of our warnings.  

2. Calibration Calibration is another important attribute of the confidence score. A well-calibrated score will reliably reflect the probability that a sample is positive. Calibration is normally assessed using a calibration curve, which looks at the precision of unseen samples across different confidence scores (see below).

The above graph shows two example calibration curves. The gray line shows what a perfectly calibrated model would look like: the confidence score predicted for samples (x-axis) always matches the observed proportion of phishy emails (y-axis) at that score. In contrast, the poorly-calibrated red line shows a model that is underconfident for lower scores (model predicts a lower score than the observed precision) and overconfident for high scores.   From the end-user’s perspective, calibration is especially important to make the score interpretable, and especially matters if the score will be exposed to the user.

3. Consistency  A good score will also generalize well across different cuts of the samples it applies to. For example, in the context of Tessian Defender, we needed a score that would be comparable across different types of phishing. For example, we should expect the scoring to work just as well for Account Takeover (ATO) as it does for a Brand Impersonation. We also had to make sure that the score generalized well across different customers, who operate in different industries and send and receive very different types of emails. For example, a financial services firm may receive a phishing email in the form of a spoofed financial newsletter, but such an email would not appear in the inbox of someone working in the healthcare sector.

Metrics  How do we then quantify the above attributes for a good score? This is where metrics come into play – it is important to design appropriate metrics that are technically robust, yet easily understandable and translatable to a positive user experience.   A good metric for capturing the overall discriminatory power of a model is the area under the ROC curve (AUC-ROC) or the average precision of a model at different thresholds, which capture the performance of the model across all possible thresholds. Calibration can be measured with metrics that estimate the error between the predicted score and true probability, such as the Adaptive Calibration Error (ACE).    While these out-of-the-box metrics are commonly used to assess machine learning (ML) models, there are a few challenges which make it hard to use in a business context.    First, it is quite difficult to explain simply to stakeholders who are not familiar with statistics and ML. For example, the AUC-ROC score doesn’t tell most people how well they should expect a model to behave. Second, it’s difficult to translate real product requirements into AUC-ROC scores. Even for those who understand these metrics, it’s not easy to specify what increase in these scores would be required to achieve a particular outcome for the product.

Defender product-centric metrics   While we still use AUC-ROC scores within the team and compare models by this metric, the above limitations meant that we had to also design metrics that could be understood by everyone at Tessian, and directly translatable to a user’s product feature experience.    First, we defined five simpler-to-understand priority buckets that were easier to communicate with stakeholders and users (from Very Low to Very High). We aimed to be able to quarantine emails in the highest priority bucket, so we calibrated each bucket to the probability of an email being malicious. This makes each bucket intuitive to understand, and allows us to clearly translate to our users’ experience of the quarantine feature.    For the feature to be effective, we also defined a minimum number of malicious emails to prevent reaching the inbox, as a percentage of the company’s inbound email traffic. Keeping track of this metric prevents us from over-optimizing the accuracy of the Very-High bucket at the expense of capturing most of the malicious emails (recall), which would greatly limit the feature’s usefulness.   While good precision in the highest confidence bucket is important, so is accuracy on the lower end of the confidence spectrum.    A robust lower end score will allow us to stop warning on emails we are not confident in, unlocking improvements in overall precision to the Defender algorithm. Hence, we also set targets for accuracy amongst emails in the Very-Low/Low buckets.    For assurance of consistency, the success of this project also depended on achieving the above metrics across slices of data – the scores would have to be good across the different email threat types we detect, and different clients who use Tessian Defender.

Part 2.2 – Our Data: Leveraging User Feedback After identifying the metrics, we can now look at the data we used to train and benchmark our improvements to the confidence score.Having the right data is key to any ML application, and this is particularly difficult for phishing detection. Specifically, most ML applications rely on labelled datasets to learn from.    We found building a labelled dataset of phishing and non-phishing emails especially challenging for a few reasons:

Data challenges Phishing is a highly imbalanced problem. On the whole, phishing emails are extremely low in volumes compared to all other legitimate email transactions for the average user. On a daily basis, over 300 billion emails are being sent and received around the world, according to recent statistics. This means that efforts to try to label emails manually will be highly ineffective, like finding a needle in a haystack.   Also, phishing threats and techniques are constantly evolving, such that even thousands of emails labelled today would quickly become obsolete. The datasets we use to train phishing detection models must constantly be updated to reflect new types of attacks.   Email data is also very sensitive by nature. Our clients trust us to process their emails, many of which contain sensitive data, in a very secure manner.  For good reasons, this means we control who can access email data very strictly, which makes labelling harder.    All these challenges make it quite difficult to collect large amounts of labelled data to train end-to-end ML models to detect phishing.

User feedback and why it’s so useful   As you may remember from part one of this series, end-users have the ability to provide feedback about Tessian Defender warnings. We collect thousands of these user responses weekly, providing us with invaluable data about phishing.   User responses help address a number of the challenges mentioned above.    First, they provide a continually updated view of changes in the attack landscape. Unlike a static email dataset labelled at a particular point in time, user response labels can capture information about the latest phishing trends as we collect them, day-in and day-out. With each iteration of model retraining with the newest user labels, user feedback is automatically incorporated into the product. This creates a positive feedback loop, allowing the product to evolve in response to users’ needs.   Relying on end-users to label their own emails also helps alleviate concerns related to data sensitivity and security. In addition, end-users also have the most context about the particular emails they receive. Combined with explanations provided by Tessian warnings, they are more likely to provide accurate feedback.    These benefits address all the previous challenges we faced neatly, but it is not without its limitations.    For one, the difference between phishing, spam and graymail is not always clear to users, causing spam and graymail to often be labelled as malicious. Often, several recipients of the same email can also disagree on whether it is malicious. Secondly, user feedback data may not be a uniform representation of the email threat landscape – we often receive more feedback from some clients or certain types of phishing. Neglecting to address this under-representation would result in a model that performs better for some clients, something we absolutely need to avoid in order to ensure consistency in the quality of our product for all new and existing clients.   In the last part of the series Why Confidence Matters, we’ll discuss how we navigated the above challenges, delve deeper into the technical design of the research pipeline used to build the confidence-scoring model, and the impact that this has brought to our customers.

(Co-authored by Gabriel Goulet-Langlois and Cassie Quek)

Over the last several years, the cybercriminal economy has undergone a sea change in maturity and sophistication. And it’s not going to slow down any time soon. Looking at the numbers:   The cost of cybercrime damages, currently in the $6 trillion range, is expected to reach $10.5 trillion by 2025 – a +350% increase from 2015 The average cost of a cybersecurity breach escalated to $4.24 million in 2021 – up almost 10% year-over-year. By 2025 the lucrative nature of cybercrime will be 10x greater than all other illicit activities combined Ransomware is proving to be particularly problematic, with ransomware damages exceeding $20 billion for 2021 – a 57x fold increase from 2015 2021 also saw the largest ransomware payment yet, by insurer CNA for a sum of $40 million to regain access to their data and information systems The past 12 months have been equally tough for the cyber insurance industry, with claims up by 500% YoY – and ransomware responsible for 75% of those claims As a consequence, cyber insurance premiums are now in record territory, witnessing 75% to 100% increases over the past 12 months  – with some of the leading insurers now excluding coverage for nation-state cyber attacks.   The bottom line: the threat paradigm has evolved, and ransomware is the biggest challenge security leaders face.

Ransomware as organized cybercrime   The increasing sophistication of ransomware attacks (both in target acquisition and attack execution) points to a new level of maturity. Cybercriminals are displaying a level of sophistication akin to organized criminal groups. What compounds the challenge is a sizable share of these organized criminal groups have nation-state backing.   Recent trends point to increasing commercialization of offerings available on the dark web, with Ransomware-as-a-Service (RaaS) available for as little as $40 per month. Russian-linked cybercrime groups REvil and DarkSide have been particularly active on the RaaS front – with REvil being taken offline twice by law enforcement in 2021. 

Cybercriminals generally fall into two categories:   The purely criminal enterprise, either composed of solo or group actors that are loosely organized acting on their own initiative or available for hire. Motivations are primarily for financial gain. The organized cyber criminal gangs that are often transnational in scope, and often it is these groups that benefit from implicit or explicit nation-state support. Motivations for attacking include financial gain and /or political reasons (espionage and sabotage). These groups do not focus exclusively on deploying ransomware but continually adapt, seek and develop new exploit methods. Also commonly referred to as advanced persistent threat actors (APT), well known examples include the Russian state-linked Fancy Bear (APT 28) and Cozy Bear (APT 29), or the China-state linked Wekby (APT 18), Emissary Panda (APT27) and Wicked Panda (APT 41). Other countries linked to APT groups include Iran, North Korea (Lazarus Group) (APT 38) and Vietnam.

All threat actors deserve attention, but the APT actors and their association with ransomware attacks are of particular concern. APTs pose the greatest threat to companies and countries alike due to their advanced capabilities and degree of state sanction with which they operate. Industries like manufacturing, financial services, healthcare, and critical infrastructure, as well as countries around the world continue to be targeted.   APTs are often driven by a mandate of either financial gain, Intellectual Property and data theft, which can include industrial or state espionage – evident in the recent Chinese linked APT data harvesting campaigns. Additional motivations can include nation-state sabotage, either accidental as we saw in the Colonial Pipeline hack, or orchestrated such as the Russian-linked critical infrastructure destabilization campaigns in the Ukraine. 

The actions of ransomware campaigns can have devastating financial and other consequences including:   Financial costs associated with the ransomware payment – declared ransomware payments in the US totalled $590 million from January to June 2021 Cost of disruption damage – the damages associated with the NotPetya ransomware attack are estimated to be +$10 billion  Reputation damage – unquantifiable  Catastrophic data loss events resulting in significant business harm or business failure –  FEMA indicates a +90% probability of business failure for a data recovery effort that takes longer than 5 days.

The importance of hardening your email defensive capability One particular threat vector of concern is the targeting of employees via email through advanced and persistent social engineering campaigns, often driven by APT actors. And legacy email security solutions built for the on-premise world of email exchange servers, and relying on manual, static and rule-based security methodologies, offer rudimentary protection at best.

This helps explain why email continues to be the number one threat vector. With the average organization experiencing a click through rate of 30% on simulated phishing exercises, it’s of no surprise that 96% of phishing attempts are delivered via email. The odds are certainly in the bad actors’ favor.   This explains why phishing via email remains the number one delivery mechanism for ransomware – accounting for 54% of successful attacks.   The types of phishing attacks that are most devastating center on advanced spear phishing and business email compromise (BEC). Targeted at senior personnel in an organization, these attacks deploy a range of impersonation methods – also referred to as whaling or C-suite impersonation attacks.   Senior personnel are targeted due to the significant administrative privileges these email accounts carry. Once an attacker has successfully compromised an employee’s email account, the mean time for deploying the ransomware and demanding a ransom ranges from 12 to 76 hours. For small companies the incident usually plays out over 2 to 4 days, with larger enterprises this can take several weeks.   The fallibility of employees to phishing attacks, combined with legacy email security solutions built for an on-premise world, go some way in explaining why damages associated with cyber attacks are expected to increase exponentially in the coming months, especially with hybrid-working here to stay.

What the pandemic means for enterprise cybersecurity    The dramatic shift to a hybrid and remote operating model as a result of the pandemic has proved a boon for cybercriminals, with ransomware attacks being particularly rewarding. Even the “average” person is worried about cybercrime, with Americans saying it’s the crime they’re most worried about in 2021.   Security leaders are, too, with 69% saying they think ransomware attacks will be a greater concern in a hybrid work place.    Enterprises with significant on-premise footprints and associated legacy IT infrastructure have been particularly vulnerable to cyber attacks. Attack surface risk increased exponentially overnight, with employees logging into corporate networks from poorly secured home networks, and often on personal devices. The telemetry that on-premise cybersecurity tools provided was, and has been, severely curtailed. These legacy tools were built for a world of securing networks, endpoints and devices.   The pandemic set new parameters of where cyber risk could manifest and revealed a need for a new approach to cybersecurity – an approach that addresses cyber risk as it manifests, in real-time, regardless of network, endpoint or device.   

Integrated cloud email security for the post perimeter new order   It is for these reasons that 75% of cybersecurity leaders believe legacy email security approaches and tools are no longer adequate for the current threatscape. This is also why 58% of cybersecurity leaders are investing in behavioral intelligence enabled email security solutions. Only by securing an organization’s most important asset – its employees – will the risk of a cyber attack, including ransomware be mitigated.   Tessian Cloud Email Security intelligently prevents advanced email threats and protects against data loss, to strengthen email security and build smarter security cultures in modern enterprize.   Key features include:   Advanced Spear Phishing Protection Advanced Attachment and URL Protection   Internal Impersonation & CEO Fraud Advanced Spoof Detection Counterparty & Vendor Impersonation  Brand Impersonation External Account Takeover  Invoice Fraud Bulk Remediation Automated Quarantine  Threat Intelligence Insider Threat Management Accidental & Malicious DLP   Want to learn more? See how Tessian prevents ransomware attacks, watch a product overview video, download our platform architecture whitepaper, or book a demo. 

‘Why Confidence Matters’ is a weekly three-part series. In this first article, we’ll explore why a reliable confidence score is important for our users. In part two, we’ll explain more about how we measured improvements in our scores using responses from our users. And finally, in part three, we’ll go over the pipeline we used to test different approaches and the resulting impact in production.   Part One: Why Confidence Matters   Across many applications of machine learning (ML), being able to quantify the uncertainty associated with the prediction of a model is almost as important as the prediction itself.    Take, for example, chatbots designed to resolve customer support queries. A bot which provides an answer when it is very uncertain about it, will likely cause confusion and dissatisfied users. In contrast, a bot that can quantify its own uncertainty, admit it doesn’t understand a question, and ask for clarification is much less likely to generate nonsense messages and cause frustration amongst its users.

The importance of quantifying uncertainty   Almost no ML model gets every prediction right every time – there’s always some uncertainty associated with a prediction. For many product features, the cost of errors can be quite high. For example, mis-labelling an important email as phishing and quarantining it could result in a customer missing a crucial invoice, or mislabelling a bank transaction as fraudulent could result in an abandoned purchase for an online merchant.      Hence, ML models that make critical decisions need to predict two key pieces of information: 1. the best answer to provide a user 2. a confidence score to quantify uncertainty about the answer. Quantifying the uncertainty associated with a prediction can help us to decide if, and what actions should be taken.

How does Tessian Defender work?   Every day, Tessian Defender checks millions of emails to prevent phishing and spear phishing attacks. In order to maximise coverage,  Defender is made up of multiple machine learning models, each contributing to the detection of a particular type of email threat (see our other posts on phishing, spear phishing, and account takeover).      Each model identifies phishing emails based on signals relevant to the specific type of attack it targets. Then, beyond this primary binary classification task, Defender also generates two key outputs for any email that is identified as potentially malicious across any of the models:   A confidence score, which is related to the probability that the email flagged is actually a phishing attack. This score is a value between 0 (most likely safe) and 1 (most certainly phishing), which is then broken down into 4 categories of Priority (from Low to Very High). This score is important for various reasons, which we further expand on in the next section. An explanation of why Defender flagged the email. This is an integral part of Tessian’s approach to Human Layer Security: we aim not only to detect phishy emails, but also to educate users in-the-moment so they can continually get better at spotting future phishing emails. In the banner, we aim to concisely explain the type of email attack, as well as why Defender thinks it is suspicious. Users who see these emails can then provide feedback about whether they think the email is indeed malicious or not. Developing explainable AI is a super interesting challenge which probably deserves its own content, so we won’t focus on it in this particular series. Watch this space!   

Why Confidence Scores Matters    Beyond Defender’s capability to warn on suspicious emails, there were several key product features we wanted to unlock for our customers that could only be done with a robust confidence score. These were: Email quarantine Based on the score, Defender first aims to quarantine the highest priority emails to prevent malicious emails from ever reaching their employees’ mailboxes. This not only reduces the risk exposure for the company from an employee still potentially interacting with a malicious email; it also removes burden and responsibility from the user to make a decision, and reduces interruption to their work.   Therefore, for malicious emails that we’re most confident about, quarantining is extremely useful. In order for quarantine to work effectively, we must:   Identify malicious emails with very high precision (i.e. very few false positives). We understand the reliance of our customers on emails to conduct their business, and so we needed to make sure that any important communications must still come through to their inboxes unimpeded. This was very important so that Tessian’s Defender can secure the human layer without security getting in our user’s way.  Identify a large enough subset of high confidence emails to quarantine. It would be easy to achieve a very high precision by quarantining very few emails with a very high score (a low recall), but this would greatly limit the impact of quarantine on how many threats we can prevent. In order to be a useful tool, Defender would need to quarantine a sizable volume of malicious emails.   Both these objectives directly depend on the quality of the confidence score. A good score would allow for a large proportion of flags to be quarantined with high precision.

Prioritizing phishy emails In today’s threat landscape, suspicious emails come into inboxes in large volumes, with varying levels of importance. That means it’s critical to provide security admins who review these flagged emails with a meaningful way to order and prioritize the ones that they need to act upon. A good score will provide a useful ranking of these emails, from most to least likely to be malicious, ensuring that an admin’s limited time is focused on mitigating the most likely threats, while having the assurance that Defender continues to warn and educate users on other emails that contain suspicious elements.   The bottom line: Being able to prioritize emails makes Defender a much more intelligent tool that is effective at improving workflows and saving our customers time, by drawing their attention to where it is most needed.  

Removing false positives We want to make sure that all warnings Tessian Defender shows employees are relevant and help prevent real attacks.    False positives occur when Defender warns on a safe email. If this happens too often, warnings could become a distraction, which could have a big impact on productivity for both security admins and email users. Beyond a certain point, a high false positive rate could mean that warnings lose their effectiveness altogether, as users may ignore it completely. Being aware of these risks, we take extra care to minimize the number of false positives flagged by Defender.    Similarly to quarantine, a good confidence score can be used to filter out false positives without impacting the number of malicious emails detected. For example, emails with a confidence score below a given threshold could be removed to avoid showing employees unnecessary warnings.

What’s next?   Overall, you can see there were plenty of important use cases for improving Tessian Defender’s confidence score. The next thing we had to do was to look at how we could measure any improvements to the score. You can find a link to part two in the series below (Co-authored by Gabriel Goulet-Langlois and Cassie Quek)

According to a recent Tessian survey, 74% of IT leaders think deepfakes are a threat to their organizations’ and their employees’ security*. Are they right to be worried? We take a look. What is a deepfake?

Deepfakes are highly convincing— and successfully track people into believing that a person did or said something that never happened. Most people associate deepfakes with misinformation—and the use of deepfakes to imitate leaders or celebrities could present a major risk to people’s reputations and to political stability.    Deepfake tech is still young, and not yet sophisticated enough to deceive the public at scale. But some reasonably deepfake clips of Barack Obama and Mark Zuckerberg have provided a glimpse of what the technology is capable of. But deepfakes are also an emerging cybersecurity concern and businesses increasingly will need to defend against them as the technology improves.   Here’s why security leaders are taking steps to protect their companies against deepfakes. How could deepfakes compromise security?   Cybercriminals can use deepfakes in social engineering attacks to trick their targets into providing personal information, account credentials, or money. Social engineering attacks, such as phishing, have always relied on impersonation—some of the most effective types involve pretending to be a trusted corporation (business email compromise), a company’s supplier (vendor email compromise), or the target’s boss (CEO fraud).   Typically, this impersonation takes place via email. But with deepfakes, bad actors can leverage multiple channels. Imagine your boss emails you to make an urgent wire transfer. It seems like an odd request for her to make but, just as you’re reading the email, your phone rings. You pick it up and hear a voice that sounds exactly like your bosses, confirming the validity of the email and asking you to transfer the funds ASAP. What would you do?    The bottom line is: Deepfake generation adds new ways to impersonate specific people and leverage employees’ trust.

Examples of deepfakes The first known deepfake attack occurred in March 2019 and was revealed by insurance company Euler Hermes (which covered the cost of the incident). The scam started when the CEO of a U.K. energy firm got a call from his boss, the head of the firm’s German parent company—or rather, someone the CEO thought was his boss.   According to Euler Hermes, the U.K.-based CEO heard his boss’s voice—which had exactly the right tone, intonation, and subtle German accent—asking him to transfer $243,000, supposedly into the account of a Hungarian supplier.   The energy firm’s CEO did as he was asked—only to learn later that he had been tricked. Fraud experts at the insurance firm believe this was an example of an AI-driven deepfake phishing attack. And in July 2020, Motherboard reported a failed deepfake phishing attempt targeting a tech firm. Even more concerning—an April 2021 report from Recorded Future found evidence that malicious actors are increasingly looking to leverage deepfake technology to use in cybercrime.   The report shows how users of certain dark web forums, plus communities on platforms like Discord and Telegram, are discussing how to use deepfakes to carry out social engineering, fraud, and blackmail. Consultancy Technologent has also warned that new patterns of remote working are putting employees at an even greater risk of falling victim to deepfake phishing—and reported three such cases among its clients in 2020.

But is deepfake technology really that convincing?   Deepfake technology is improving rapidly.   In her book Deepfakes: The Coming Infopocalypse, security advisor Nina Schick describes how recent innovations have substantially reduced the amount of time and data required to generate a convincing fake audio or video clip via AI. According to her, “this is not an emerging threat. This threat is here. Now”. Perhaps more worryingly—deepfakes are also becoming much easier to make. Deepfake expert Henry Ajder notes that the technology is becoming “increasingly democratized” thanks to “intuitive interfaces and off-device processing that require no special skills or computing power.” And last year, Philip Tully from security firm FireEye warned that non-experts could already use AI tools to manipulate audio and video content. Tully claimed that businesses were experiencing the “calm before the storm”—the “storm” being an oncoming wave of deepfake-driven fraud and cyberattacks.

How could deepfakes compromise election security?   There’s been a lot of talk about how deepfakes could be used to compromise the security of the 2020 U.S. presidential election. In fact, an overwhelming 76% of IT leaders believe deepfakes will be used as part of disinformation campaigns in the election*.    Fake messages about polling site disruptions, opening hours, and voting methods could affect turnout or prevent groups of people from voting. Worse still, disinformation and deepfake campaigns -whereby criminals swap out the messages delivered by trusted voices like government officials or journalists – threaten to cause even more chaos and confusion among voters.    Elvis Chan, a Supervisory Special Agent assigned to the FBI told us that people are right to be concerned.    “Deepfakes may be able to elicit a range of responses which can compromise election security,” he said. “On one end of the spectrum, deepfakes may erode the American public’s confidence in election integrity. On the other end of the spectrum, deepfakes may promote violence or suppress turnout at polling locations,” he said. So, how can you spot a deepfake and how can you protect your people from them? 

How to protect yourself and your organization from deepfakes   AI-driven technology is likely to be the best way to detect deepfakes in the future. Machine learning techniques already excel at detecting phishing via email because of how they can detect tiny irregularities and anomalies that humans can’t spot.   But for now, here are some of the best ways to help ensure you’re prepared for deepfake attacks: Ensure employees are aware of all potential security threats, including the possibility of deepfakes. Tessian research* suggests that 61% of IT leaders are already training their teams about deepfakes, with a further 27% planning to do so. Create a system whereby employees can verify calls via another medium, such as email. Verification is a good way to defend against conventional vishing (phone phishing) attacks, as well as deepfakes. Maintain a robust security policy—so that everyone on your team knows what to do if they have a concern.

Looking back at the last 12 months, Tessian’s Human Layer Security platform has scanned nearly 5 billion emails, identified over half a million malicious emails, stopped close to 30,000 account takeover attempts, and prevented over 100,000 data breaches due to a misdirected email…   At the same time, we rolled out a number of important product updates to help keep our customers safe. Here are the most important product updates to Tessian’s Human Layer Security platform from 2021.   We built world’s first Intelligent Data Loss Prevention Engine   We believe that the next generation of Data Loss Prevention is fundamentally about shifting away from entirely rule-based techniques towards a dynamic, behavioral approach. That’s why we built Guardian and Enforcer, to automatically prevent both accidental data loss and sensitive data exfiltration to unauthorized accounts.    But we have also seen that, when combined with dynamic behavioral analysis, custom DLP policies, play an important role in an organization’s data security strategy.   With the launch of Tessian Architect in October 2021, enterprises can now deploy powerful, intelligent DLP policies. Architect is a perfect complement to Tessian Guardian and Enforcer and provides the market’s best-in-class Email DLP platform:   Architect was built together with leading security teams – it’s intuitive, quick-to-learn and comes with a library of prebuilt policies Architect has built-in machine learning capabilities and features a powerful logic engine to address even the most complex DLP use cases Architect is designed to educate users about data security practices in-the-moment and guide people towards better behavior Want to learn more about Tessian Architect? Read more about it here.

We now protect customers from compromised external counterparties   This year, we saw a record number of bad actors compromising email accounts of trusted external senders (suppliers, customers, and other third-parties) to breach a target company. These attacks are canned external Account Takeovers (ATO), and they’re one of the main pathways to Business Email Compromise (BEC).   Because these malicious emails don’t just appear to have come from a trusted vendor or supplier’s legitimate email address, but actually do come from it, external ATOs are incredibly hard to spot, meaning organizations are exceptionally vulnerable to them.    Tessian Defender now automatically detects and stops external Account Takeover attacks.    By using machine learning to understand a sender’s normal email sending patterns (like where they usually send from, what they talk about, what services they use, and more), it can identify suspicious deviations from the norm and detect malicious emails.    When this happens, Defender can either block these attacks, or show educational alerts to end-users, helping them identify and self-triage attacks.   Learn more about External Account Takeover protection here.

We now stop more threats, with better accuracy, with less admin overhead   In-the-moment warnings are one of the features that set Tessian apart from the competition. When Tessian Defender detects a potentially malicious email, it warns users with a pop-up, explaining exactly why the email was flagged.   But, we know that sometimes, it’s better to automatically block phishing emails.   Tessian Defender now automatically blocks attacks, before they reach a user’s mailbox. This gives security teams an  additional layer of email security, preventing end-users from receiving emails that are highly likely to be phishing attacks.    Defender can also adapt the response it takes to remediate a threat. If our machine learning is close to certain an email is malicious, it can quarantine it. Otherwise, it can deliver it to the end-user with an educational warning. This adaptive approach is so powerful because it strikes a balance between disrupting end-users and protecting them.   Finally, this year, Tessian Defender’s detection algorithm made some big strides. In particular, improvements in our risk confidence model allowed us to reduce false positives by significantly providing a better experience to end-users and security teams.

We now stop employees from accidentally sending the wrong attachment   Accidental data loss is the number one security incident reported to the Information Commissioner’s Office, and sending an incorrect attachment is part of that problem. In fact, 1 in 5 external emails contain an attachment, and research shows nearly half (48%) of employees have attached the wrong file to an email.    42% of documents sent in error contained company research and data 39% contained security information like passwords and passcodes 38% contained financial information and client information.  36% of mistakenly attached documents contained employee data   Thanks to an upgrade to Tessian Guardian, organizations can now prevent employees from accidentally sending the wrong attachment in an email.    The upgrade uses historical learning, deep content inspection, natural language processing (NPL), and heuristics to detect counterparty anomalies, name anomalies, context anomalies, and file type anomalies to understand whether an employee is attaching the correct file or not. If a misattached file is detected, the sender is immediately alerted to the error before the email is sent. This is completely automated, requiring no overhead from IT teams.   Best of all, the warnings are helpful, and flag rates are extremely low. This means employees can do their jobs without security getting in the way.   Learn more about misattached file protection here.

We can now quantify and measure human layer risk   Comprehensive visibility into employee risk is one of the biggest challenges security leaders face. With the Tessian Human Layer Risk Hub, our customers can now deeply understand their organization’s security posture, with granular visibility into employee risk, and insights into their risk levels and drivers.   How does it work? Tessian creates risk profiles for each employee, modelled from a range of signals like email usage patterns, indirect risk indicators, and employee security decisions (both historic and in real-time). Because of this unique data modelling, Tessian can gauge employees’ risk level, including whether or not they’re careful, careless, frequently attacked, and more.   This offers organizations protection, training, and risk analytics all in one platform, providing a clear picture of risk and the tools needed to reduce it.   Learn more about the Human Layer Risk Hub here.

We now integrate with KnowBe4, Sumo Logic, Okta, and more… Tessian is even more powerful when integrated with other security solutions that help address the risk posed by employees. That’s why, in the last 12 months, we’ve announced exciting integrations with Okta, Sumo Logic, and KnowBe4, each with their own unique benefits for joint customers. With Sumo Logic + Tessian, security and risk team can understand their risk through out-of-the-box monitoring and analytics capabilities.

With Okta + Tessian, security and risk management teams geet granular visibility into their organization’s riskiest and most at-risk employees and consequently enable them to deploy policies that can help protect particular groups of users from threats like advanced spear phishing and account compromise and prevent accidental data leaks.

And with KnowBe4 + Tessian, security and risk management teams get more visibility into phishing risk than ever before.

Want to help us solve more challenges across use cases? Come build with us.

Phishing, spear phishing, smishing, vishing, and several other *ishing techniques all aim to do one thing: convince targets to reveal information which is either valuable in itself and can be ransomed or sold, or can be used to access financial systems to transfer money.   That information could be account logins, bank details, customer information, or personal identifiable information (PII).  Types of phishing attacks Phishing is a numbers game; hackers send hundreds or thousands of messages in the hope that even just oneeee person is distracted enough to click.    That’s why a lot of attacks leverage popular culture. For example, when the smash hit series Squid Games ended, bad actors wasted no time in sending out ‘exclusive look at season 2’ scams.  TA575 Uses ‘Squid Game’ Lures to Distribute Dridex malware https://t.co/iTTPjTSwWi @proofpoint #SquidGame #Dridex pic.twitter.com/ShwKRnoimi — David Bisson (@DMBisson) November 1, 2021 Scammers are like wasps at a picnic, they’ll try and attack anything to provoke you… even your daily cup of Joe. As one InfoSec attendee at our Human Layer Security Summit in November said, “If a hacker created a fake offer for free pumpkin spiced latte from Starbucks, trust me, this time a year, people will click on it”.   But there’s a much more targeted sub-category of phishing: spear phishing. Spear phishing attacks center on one or a few individuals. Hackers generally use information like a person’s whereabouts, nickname, or details about their work to craft customized, believable messages.   And getting that information is surprisingly easy. We live our lives online, and every action we take leaves a trail of data and information. Social media status updates, geo-located photographs, travel tickets, venue check-ins, all these can be used to build a picture about an individual’s movements and preferences.

In fact, our How to Hack a Human report revealed that 90% of people post information related to their personal and professional lives online. One-third of people share business travel updates and photos online, and 93% of people update their social profiles when they get a new job. Out of Office replies also contain plenty of data that can be harnessed for an attack.

Our research also revealed that 88% of people have received a suspicious message this year. Can you guess the most popular channel? Email.    Verizon’s 2021 Data Breach Investigations Report found that a staggering 96% of phishing or spear phishing attacks arrive via email (the other means are smishing, which uses SMS, and vishing, which uses faked voicemail or phone calls). Here then, is our ultimate guide to spear phishing attacks: how to spot them, how to stop them, and how to ensure your organization is alert, trained and protected.

How big of an issue are we talking about here? It’s a big problem. 2021’s Spear Phishing Threat Landscape Report revealed that 75% of organizations experienced some kind of phishing attack in 2020. Another 65% faced Business Email Compromise (BEC) attacks, and 35% experienced spear phishing attacks. Graph from the FBI’s Internet Crime Report 2020   And according to the FBI, phishing incidents nearly doubled in frequency, from 114,702 in 2019, to 241,324 incidents in 2020. In all, there were more than 11 times as many phishing complaints to the FBI in 2020 compared to 2016. The numbers for 2021 will no doubt be even higher.

Our report also found that the average employee receives 14 malicious emails a year. For a 500-person company, that’s 7,000 a year. However, this number rose dramatically in the retail sector to 49 on average. Manufacturing employees received 31, R&D 16, and tech employees 14. The problem is, you just can’t stop people from using email. For many of us, it’s a critical part of our jobs. In fact, according to data from Tessian’s own platform, employees send around 4800 emails a year. Our inboxes are a revolving door of links, documents, and information – a door bad actors are quietly trying to slip through.

How a phishing attack starts… Just like real fishing, the cyber version needs bait – something to entice, scare, or shock the target to act. For this, bad actors like to tap into the zeitgeist. Whatever trend, fashion, must-see TV show, or social concern is currently top of mind for their victims, they’ll try to exploit it.   What bad actors like most is something big that affects a large number of people at the same time, and things don’t get much bigger than a global pandemic. At the end of 2020, Britain’s National Cyber Security Centre (NCSC) revealed that it removed more online scams that year than in 2016 to 2019 combined.    In total they found 120 separate phishing campaigns in which the UK’s National Health Service was impersonated – up from just 36 in 2019. The lure commonly used in these scams? The vaccine roll-out.

Indeed, the pandemic provided – and is still providing – a once in a lifetime global opportunity for scammers. Our own survey from 2021 found that 35% of US citizens and 22% of UK citizens said they’d received a ‘proof of vaccination’ phishing email this year. On top of these were Zoom link scams as we all went remote, logistic firm scams as we ordered everything online, romance scams as we got lonely, and ‘back to school’ scams as young people went back into in-person education. Scammers even went for tax day scams as everyone prepared to file their tax returns.

The hook: impersonation Again, just like real fishing, you need a mechanism to get the bait into the water – the hook. An email has to come from someone, right? And getting someone to click a link that appears to have come from Zoom, Netflix, or their boss means convincing them that it’s really from that organization or person.    Business email compromise (BEC) One way scammers do this is with business email compromise (BEC). BEC is any phishing attack where the attacker uses a hacked, spoofed, or impersonated corporate email address to convince a target that the email is from a legitimate business.

Here attackers are looking to spoof big global organizations that everyone will have heard of and therefore trust and potentially use – so think Microsoft, Apple, Google, as well as Amazon, DHL, and UPS. We all receive perfectly legitimate emails from these companies all the time, so our defenses are lower. You can find out more about spoof emails here   As well as global brands and companies, BEC attacks can also impersonate a person, typically a senior executive or leader. The target is often a junior employee who’s instructed to urgently help close a deal by transferring funds. This is called CEO Fraud.

CEO fraud   CEO fraud is a particular type of spear phishing in which a fraudster impersonates a senior company executive via email. This could be a CEO, CFO, Head of HR — or anyone with the power to ask employees to make payments or send sensitive information. In these types of attacks, there is again normally a sense of urgency, a perceived external threat, and crucially, often the promise of some sort of incentive for the employee to carry out the action.  Urgency is not always the case however, there’s also the ‘reasonable request’. As Glyn Wintle, CTO and co-founder of Tradecraft, told us, “If you say the request must be actioned in one day, you will get a large number of replies from employees complaining it’s not enough time. If you say it must be actioned in a week, a lot of people will forget about it. If you say it must be actioned in two working days, people think it’s a reasonable period of time and will do it immediately to avoid forgetting about it”.

It even happens to Tessian staffers, a hacker impersonated our CEO and co-founder, Tim Sadler, and tried to get an employee to get them some iTunes vouchers. Needless to say, they didn’t fall for it.   Account Takeover (ATO) Attacks launched from Account Takeovers (ATOs) are some of the hardest to stop because the attacker will start the phishing process from a genuine, compromised account belonging to a real person, rather than a spoofed or fake one.  That’s why ATOs are able to slip past traditional phishing solutions like Secure Email Gateways (SEGs).During the pandemic, ATO attacks increased 307% between 2019 and 2021, and for sectors like Fintech the figure was 850%

Why we click phishing links Hackers like to take advantage of psychological factors like stress, social relationships, and uncertainty that affect people’s decision-making, as this is often when they make mistakes.    In our Psychology of Human Error report we asked 2,000 professionals about mistakes they’ve made at work. The results made for interesting reading.    Worryingly, nearly half of employees (43%) say they’ve made a mistake at work that had security repercussions for themselves or their company.   One in four employees (25%) said they have clicked on a phishing email at work. Men were twice as likely as women to fall for phishing scams, with 34% of male respondents saying they have clicked on a link in a phishing email versus just 17% of women.

Distraction means bad action Nearly half of respondents (45%) surveyed in our report cited distraction as the top reason for falling for a phishing scam. Other reasons for clicking on phishing emails included the perceived legitimacy of the email (43%) and the fact that it appeared to have come from either a senior executive (41%) or a well-known brand (40%). Impersonating a position of trust or authority is a common and effective tactic used by hackers in phishing campaigns.

In our spring 2020 Human Layer Summit, Glyn Wintle gave us several examples of how to set up your people and security to mitigate the risks from spear phishing.  

So what does a phishing email look like? As we know, 75% of organizations experienced some kind of phishing attack in 2020 and almost all (96%) arrived via email. But what does an actual phishing attack look like? We’re rounded up five REAL examples of typical spear phishing attacks you can read here. All these attacks were detected (and prevented) by Tessian Defender, so no employees were harmed in the making of this blog post.

Most employees don’t really understand what a spear phishing email looks like until it’s too late. And while attacks can take lots of different forms and approaches, there are four commonalities in virtually all spear phishing emails: impersonation, motivation, urgency, and payload.

When are you most likely to be targeted by a phishing attack? Unsurprisingly, scammers have access to a huge amount of data and, like a regular business sending a newsletter or social media post, they’ve studied when is the best time to launch an attack.    A big event in every scammer’s calendar is Black Friday, and with lots of email, money, and pressure to grab a bargain flying around, it’s easy to see why. 

Black Friday came out as the worst time of the year in Our Spear Phishing Threat Landscape report, which details how Tessian detected nearly 2 million malicious emails that slipped past legacy phishing solutions over a 12-month period.   As for the most popular time of day to launch an attack, research shows that after lunch was the most popular time, followed by just before the end of the day. You can see why. People have just eaten, they’ve come back to a newly full inbox, and they’re trying to get on with the rest of their day.   At the end of the day people have one eye on the door, they might be thinking about the commute home, or dinner, or going somewhere…anything except phishing attacks.   

You’re secure, but what about your suppliers? Even if you’ve done the best you can to mitigate external risks to your organization’s staff, dangers can still come from your suppliers and other partners you work with. Businesses are porous institutions and rely on other businesses for everything from raw materials to stocking the stationary cupboard.

Big businesses rarely publish data on their supply chains, but according to this article from Forbes, Proctor and Gamble list over 75,000 suppliers, while the retailer Walmart uses over 100,000.    Hackers exploit these relationships in software supply chain attacks. These  involve inserting malicious code into a piece of software that is then distributed among multiple organizations, usually the customers of the software company that owns the software. Like all other forms of attack, supply chain attacks are increasing, up 4 fold in 2021 from 2020. The UK’s National Cyber Security Center has detailed examples of typical supply chain attacks, as well as advice on how to defend against them.

The impact of an attack Phishing of all types is the threat most security leaders are concerned about for the following reasons: attacks are becoming more frequent, they’re performed at scale, they’re hard-to-spot, they’re time-consuming to investigate, and can be very expensive to recover from.    IBM’s annual Cost of a Data Breach found that the average cost in 2021 was $4.24 million, but can be as high as $7million depending on the sector involved and size of the breach.  Why so much?. There’s the potential ransom from the hacker, but also reputation damage, regulatory fines, and time and resources diverted from other things to deal with the attack. It adds up.

The problems with legacy phishing prevention solutions As the attacks have gotten smarter, faster, and more varied, existing solutions are struggling to stop them. Here’s why.    Secure Email Gateways (SEGs) Problem: SEGs lack the intelligence to learn user behavior or rapidly adapt. The backbone of a SEG is traditional email security approaches – static rules, signature based detection, library of known threats, etc. Meanwhile, attackers consistently evolve their techniques, email networks are dynamic in nature, and human behavior is inconsistent and unpredictable. That means rules are out of date as soon as they are created and signature-based approaches are ineffective.   SEGs can’t detect advanced impersonation, account takeover (ATO), third-party supply chain risk, or wire fraud.

Karl Knowles, Global Head of Cyber for law firm HFW, told us how there’s been a huge rise in impersonation attacks, accounting for more than half of the threats HFW gets. With domain impersonation attacks also getting more sophisticated, SEGs alone can’t cope.

And as James McQuiggan, Security Awareness Advocate at KnowBe4, explained in our Fall Summit, bad actors have upped their game and started to find ways to bypass these systems by buying and configuring the same off- the- shelf hardware and software firms use, and seeing what gets through.

Sandboxes Problem: Easily bypassed yet potential bottlenecks to genuine business needs   Any detection made by the sandbox is dependent on a file exhibiting malicious behavior. This is easy to work around. Hackers will often send a PDF that contains a link to a malicious form to avoid detection. Likewise, documents with a URI (Uniform Resource Identifier) have an extremely low footprint for sandboxes to detect. And the short TTL domain doesn’t leave much evidence for event analysis or threat intelligence.   There are issues with latency, too. Emails, communications, downloads, and important files can take several minutes to reach their destination because of the bottleneck sandboxes can create.

DMARC Problem: Only one-third of businesses employ DMARC and the info is publicly accessible.   Domain-Based Message Authentication Reporting and Conformance (DMARC), is an added authentication method that uses both Sender Policy Framework (SPF)  and DomainKeys Identified Mail (DKIM) to verify whether or not an email was actually sent by the owner of the domain that the user sees. However, DMARC, SPF, and DKIM records are inherently public information – they need to be so that receiving mail clients can authenticate a sender’s domain. Attackers can see not only if your organization has a DMARC policy, but also how strictly you have configured it. Before trying to impersonate your email domain directly, a sophisticated attacker will check if you have a strict DMARC policy in place. If you do, the attacker can still carry out an advanced spear phishing attack.

Ok so what about more security training? You might think that your legacy solutions in conjunction with more security awareness training (SAT), will help mitigate some of these attacks. Training is important, but the trouble with most security training is no matter how fun and engaging you try to make it, pretty much everyone in the room has somewhere else they’d rather be. It’s also expensive, time consuming, and will always be one step behind actual threats.  

 

For most non-IT staff, trying to explain things like how potentially spoofed domain URLs are constructed is just far too technical, and something they’re hardly likely to remember in the heat of their inboxes weeks or months later. After all, as we learned at our Human Layer Security Spring Summit, the average human makes 35,000 decisions a day – analysing a suspect domain URL in detail probably isn’t going to be one of them. Regardless of how frequent, tailored, and engaging it is – security awareness training can’t be your only defense against social engineering. Why? many of the more sophisticated attacks just aren’t detectable by humans.

How Tessian can help So the only question left to answer is this. When legacy solutions and training programs aren’t enough, how can we prevent employees from interacting with the malicious emails that land in their inbox? Tessian Cloud Email Security intelligently prevents advanced email threats and protects against data loss, to strengthen email security and build smarter security cultures in modern enterprises.   Tessian Defender uses machine learning (ML) to protect your people from even the most advanced inbound threats. Here’s how: Tessian’s machine learning algorithms analyze your company’s email data, learn employees’ normal communication patterns, and map their trusted email relationships — both inside and outside your organization. Tessian inspects both the content and metadata of inbound emails for any suspicious or unusual signals pointing to a potential impersonation, ATO, or BEC threat. For example, payloads, anomalous geophysical locations, IP addresses, email clients, and sending patterns. Once it detects a threat, Tessian alerts employees that an email might be unsafe, explaining the threat in easy-to-understand language via an interactive notification. If you’re in InfoSec, you’ll know only too well that your organization is one click away from an ‘Oh Sh*t’ moment. Tessian automatically stops those moments from happening. Questions? We’d be happy to help. Book a demo today.