
Advanced Email Threats
CEO Fraud Prevention: 3 Effective Solutions
Wednesday, October 20th, 2021
CEO fraud is a type of cybercrime in which the attacker impersonates a CEO or other company executive. The fraudster will most often use the CEO's email account, or an email address that looks very similar to the CEO's, to trick an employee into revealing sensitive data or transferring money. A report by UK Finance lists CEO fraud among the eight main types of fraud attacks targeting consumers and businesses.

Like all types of phishing, CEO fraud attacks are very difficult for employees to spot. Legacy technical solutions, such as Secure Email Gateways (SEGs), can also struggle to detect this increasingly sophisticated type of cybercrime. But there are still ways to prevent successful CEO fraud attacks. The key? Take a more holistic approach by combining training, policies, and technology. We've outlined three techniques that are crucial to help your organization defend against CEO fraud and other related types of cybercrime.

1. Raise employee awareness

Security is everyone's responsibility. That means everyone, regardless of department or role, must understand what CEO fraud looks like. Staff training is getting tougher as CEO fraud gets more sophisticated. The FBI's Internet Crime Complaint Center (IC3) warns that along with CEOs, cybercriminals increasingly impersonate a broad range of actors, including vendors, lawyers, and payroll departments. So where do you start when training employees to detect CEO fraud attacks? Using real-world examples to point out common red flags can help.

[Example email shown as an image in the original post: "Sam", the CEO, writes to "Kat" from an address at abdbank.com while in a meeting, asking her to pay a late Westinghouse invoice immediately using new account details.]

What are the signs that this email is part of a CEO fraud attack? First off, note the lack of spelling errors. Poor spelling and grammar can be a phishing indicator, but this is increasingly unlikely in today's more sophisticated cybercrime environment.

Also, notice the personal touches: Sam's familiar tone, his references to Kat working from home, and his casual email sign-off. Fraudsters go to great efforts to research their subjects and their targets, whether via hacking or simply using publicly available information.

These persuasive elements aside, can you spot the red flags? Let's break them down:

- The sender's email address: the domain is "abdbank.com", which looks strikingly similar to abcbank.com, especially on a mobile screen. Domain impersonation is a common tactic for CEO fraudsters.
- The sense of urgency: the subject line, the ongoing meeting, the late invoice. Creating a sense of urgency is near-universal in social engineering attacks. Panicked people make poor decisions.
- The authoritative tone: "Please pay immediately". There's a reason cybercriminals impersonate CEOs: they're powerful, and people tend to do what they say.
- Playing on the target's trust: "I'm counting on you". Everyone wants to be chosen to do the boss a favor.
- Westinghouse's "new account details": CEO fraud normally involves "wire transfer phishing", and this new account is controlled by the cybercriminals.

Your cybersecurity staff training program should educate employees on how to recognize CEO fraud, and what to do if they detect it:

- Check the sender's email address for discrepancies. This is a dead giveaway of email impersonation. But remember that a genuine corporate address can also be hacked or spoofed, so a correct-looking address is not proof on its own.
- Feeling pressured? Take a moment. Is this really something the CEO is likely to request so urgently?
- New account details? Always verify the payment through a channel other than the email itself, such as a phone call to a number you already have on file. Don't pay an invoice unless you know the money's going to the right place.
Looking for a resource that you can share with your employees? We put together an infographic outlining how to spot a spear phishing email. While these are important lessons for your employees, there's only so much you can achieve via staff training.

Take it from the U.K.'s National Cyber Security Centre (NCSC): "Spotting phishing emails is hard, and spear phishing is even harder to detect. Even experts from the NCSC struggle. The advice given in many training packages, based on standard warnings and signs, will help your users spot some phishing emails, but they cannot teach everyone to spot all phishing emails."

Humans are often led by emotion, and they're not good at spotting the small giveaways that might reveal a fraudulent email. Sometimes, even security experts can't!

2. Implement best cybersecurity practice

Beyond staff training, every thriving company takes an all-around approach to cybersecurity that minimizes the risk of serious fallout from an attack. Many companies choose to implement a cybersecurity framework, such as the CIS Critical Security Controls or the NIST Cybersecurity Framework, to help them adopt security controls and protections in a systematic and comprehensive way.

Here are some important security measures that will help protect your company's assets and data from CEO fraud:

- Put a system in place so employees can verify large and non-routine wire transfers out of band, ideally by phone to a number already on file (never one supplied in the email itself)
- Protect corporate email accounts and devices using multi-factor authentication (MFA)
- Ensure employees use strong, unique passwords (current NIST and NCSC guidance is to change them when compromise is suspected rather than on a fixed schedule)
- Buy domains that are similar to your company's brand name to prevent domain impersonation
- Regularly patch all software
- Closely monitor financial accounts for irregularities such as missing deposits
- Deploy an email security solution

All the above points are crucial cybersecurity controls. But let's take a closer look at that final point: email security solutions.

3. Deploy intelligent inbound email security

CEO fraud attacks overwhelmingly take place via email (along with 96% of all phishing attacks). That's why deploying an email security solution is one of the most effective steps you can take to prevent this type of cybercrime. But not just any email security solution.

Legacy solutions like Secure Email Gateways (SEGs), spam filters, and Microsoft and Google's native tools generally can't spot sophisticated attacks like CEO fraud. Why? Because they rely almost entirely on domain authentication and payload inspection. That is, they check publicly available DNS records (SPF, DKIM and DMARC) to verify that a message was sent by a server authorized for its domain, and they examine attachments and links to see if they contain malware. A lookalike domain registered by the attacker passes authentication legitimately, and a plain-text request to change payment details carries no payload, so social engineering attacks like CEO fraud easily evade these mechanisms. Tessian is different.

Tessian Defender uses machine learning (ML), anomaly detection, behavioral analysis, and natural language processing (NLP) to detect a variety of signals indicative of CEO fraud. Tessian's machine learning algorithms analyze your company's email data. The software learns every employee's normal communication patterns and maps their trusted email relationships, both inside and outside your organization. Tessian inspects both the content and metadata of inbound emails for any signals suggestive of CEO fraud: for example, suspicious payloads, anomalous geographic locations, out-of-the-ordinary IP addresses and email clients, keywords that suggest urgency, or unusual sending patterns. Once it detects a threat, Tessian alerts employees that an email might be unsafe, explaining the threat in easy-to-understand language.
Advanced Email Threats
How to Identify a Malicious Website
Tuesday, October 19th, 2021
If you're familiar with phishing or malware, you've likely heard of "malicious websites". But do you know how to spot one? In this article, we'll answer four key questions (and provide plenty of examples):

- What is a malicious website?
- How many websites are malicious?
- What red flags should I look out for to spot a malicious website?
- How can I avoid visiting or interacting with malicious websites?

So, to start, let's define what exactly a malicious website is.

What is a malicious website?

A malicious website is any website that's been designed to cause harm. In this article, we'll focus on phishing websites and malware websites. A phishing website, sometimes called a "spoof" or "lookalike" website, steals your data. Phishing websites look like legitimate websites. But when visitors are prompted to enter login credentials, personal information, or credit card details, the data is sent to cybercriminals.

Looking for an example? Tessian researchers discovered 75 domains spoofing websites related to mail-in voting in August 2020. For more information, read this article: How to Avoid Falling Victim to Voting Scams in the 2020 Election. In this case, attackers were after personally identifiable information (PII) and credit card details.

Once a phishing website collects your data, it can be used in hacking operations and further phishing attacks, or sold on the dark web. A malware website, on the other hand, installs malicious software on your device. While this could happen after the visitor downloads an application or file, it can also happen without the visitor even noticing (a "drive-by download" that exploits a vulnerability in the browser or one of its plug-ins).

Why deploy malware? Malicious software can serve many different purposes, including extracting data from a person's device, taking control of the device, or using the device as an entry point into a network. But phishing and malware sites aren't the only problems. Other websites, such as fake news and disinformation websites, might also be considered malicious websites.
These sites aim to spread discord, affect election outcomes, and disrupt the activities of human rights groups.
How common are malicious websites?   It’s hard to say exactly how many malicious websites are out there. But one thing we do know is that malicious websites — particularly phishing websites — are popping up more and more frequently. One source that can help us understand the prevalence of malicious websites is Google’s Safe Browsing reports.   According to Google’s stats, phishing websites are increasingly common, whereas malware sites are less likely to be favored by cybercriminals.
In September 2020, Google counted nearly 1,960,000 phishing websites. This is up from around 68,000 in September 2010, an increase of nearly 2800%. But malware sites have actually decreased in prevalence according to Google, with around 24,500 counted in September 2020, down from 78,500 in September 2010.

Venafi's 2018 research supports the view that phishing sites are on the increase. In a study of domains associated with major retailers across five countries, Venafi found there were:

- Twice as many spoof retail websites as genuine retail websites
- 12,000 spoof domains associated with one US retailer

Real-World Example: BAHAMUT

Let's look at a real-life example of how criminals use malicious websites to dupe their targets into handing over data. Research from BlackBerry, published in 2020, studied the activities of a cybercrime syndicate known as BAHAMUT. The group targets consumers, businesses, and government officials via phishing emails, fake mobile apps, and a "staggering" network of malicious websites.

Among many other activities, BAHAMUT set up convincing-looking malicious "news" websites that directly copied headlines from genuine sources. Links on these sites redirected to phishing websites that harvested Google, Yahoo, Microsoft, and Telegram users' credentials.

BAHAMUT also set up websites designed to distribute a series of malicious mobile apps. Once downloaded, these malicious apps set up a "backdoor" on the target device, allowing the group to track the user's activities and location, and access the user's files.

Perhaps the most alarming aspect of BAHAMUT's activities is the convincing nature of the group's fake websites. Some of these sites had previously been well-established, legitimate news sources, whose expired domains were re-registered and used as vehicles for cybercrime.

Telltale signs of a malicious website

As we can see from the example of BAHAMUT, it's not always easy to identify a malicious website. Some may display no obvious signs that they will steal your credentials or distribute malware. But there are some traits common to many malicious websites. For example:

- The website automatically asks you to run software or download a file when you're not expecting to do so.
- The website tells you that your device is infected with malware or that your browser extensions or software are out of date.
- The website claims you have won a prize and requests your personal information to claim it.

These are outdated tactics, and most sophisticated malicious websites will not be so transparent.

There can also be technical indications that a website is fake. For example:

- The URL looks suspicious. https://google.com is safe. https://google.[something].com is not: the registered domain here is [something].com, and "google" is just a subdomain label that whoever owns [something].com can create at will. Read a host name from the right, starting with the part immediately before the public suffix (.com, .co.uk and so on).
- The site does not use https. Most sites use https rather than http, which means the connection is encrypted under a TLS certificate. However, some sites have not yet made the upgrade to https, and not all https URLs are safe: the padlock says nothing about who runs the site, and phishing sites routinely obtain valid certificates.

It can be very difficult to tell whether you are visiting a malicious website. The best tactic is to avoid arriving at a malicious website in the first place. But how?
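The two URL checks above, as an added Python example that is not part of the original post: it extracts the registrable domain from a host name using a small constructed subset of the Public Suffix List, then reports the post's two red flags (the brand appearing only as a subdomain of someone else's domain, and a missing https) plus three related ones a practitioner would want to see flagged: a username before "@" in the URL, a raw IP address as the host, and punycode ("xn--") labels. The suffix set, the expected-domain parameter and all sample URLs are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List (publicsuffix.org). A real check
# should load the full list; this hand-picked set only covers the sample URLs.
PUBLIC_SUFFIXES = {"com", "net", "org", "co", "uk", "co.uk", "com.au"}
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def registrable_domain(host: str) -> str:
    """Public suffix plus one label, read from the right:
    google.evil.com -> evil.com, www.google.co.uk -> google.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):            # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()                        # no known suffix (e.g. an IP address)


def check_url(url: str, expected_domain: str) -> list:
    """Technical red flags for a link that claims to lead to expected_domain."""
    findings = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        findings.append("no-tls")
    if "@" in parts.netloc:
        # https://google.com@evil.com/ : the text before '@' is a username, the host is evil.com
        findings.append("userinfo-in-url")
    if IPV4.match(host):
        findings.append("ip-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")       # internationalised label, possible homograph
    reg = registrable_domain(host)
    if reg != expected_domain.lower():
        brand = expected_domain.split(".")[0].lower()
        sub_labels = host[: len(host) - len(reg)].rstrip(".").split(".")
        if brand in sub_labels:
            findings.append("brand-as-subdomain")       # google.[something].com
        elif reg.split(".")[0] == brand:
            findings.append("brand-with-other-suffix")  # google.co
        elif brand in parts.path.lower():
            findings.append("brand-in-path")            # evil.com/google/login
        findings.append("wrong-domain")
    return findings


if __name__ == "__main__":
    for link in ("https://google.com/", "https://google.evil.com/signin",
                 "https://google.com@evil.com/", "http://google.com/"):
        print(link, check_url(link, "google.com"))
```

Only the registrable domain decides who you are talking to; everything to its left is chosen by that domain's owner, and everything in the path is irrelevant to identity. Note that "no-tls" is the weakest of these signals for the reason given above: a valid certificate is easy for a phishing site to obtain.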
How to avoid visiting a malicious website

When it comes to avoiding the harms associated with malicious websites, security and business leaders understand that prevention is better than cure. And, while it is possible to stumble upon a malicious website while browsing the web, search engines like Google take steps to remove malicious sites from their search results. They can't catch them all, though. It's also important to note that it's far more common to end up on a malicious website after receiving a phishing email. Phishing emails are extremely common: 88% of organizations experienced spear phishing (targeted phishing attacks) in 2019. Phishing emails can include links to malicious websites. It's easy to fall for this type of scam, because a phishing email can appear to come from a trusted person, and might look like the sort of correspondence you receive from that person regularly. That means identifying phishing emails may be more important than identifying malicious websites. If you're looking for tips, we've put together this guide (including an infographic): What Does a Spear Phishing Email Look Like.

Note: Phishing can also take place via social media, phone, or SMS, but 96% of phishing attacks arrive via email. That's why email is the threat vector security leaders are most concerned about. Email security solutions can help.

How can Tessian help?

Tessian Defender detects and prevents advanced impersonation attacks including spear phishing. If employees don't fall for the phishing email, they won't land on the malicious website.

How? Tessian's machine learning algorithms learn from historical email data to understand specific user relationships and the context behind each email. When an email lands in your inbox, Tessian Defender automatically analyzes millions of data points, including the email address, display name, subject line and body copy. If anything seems "off", it'll be flagged.
Advanced Email Threats
What is CEO Fraud? How to Identify CEO Email Attacks
Friday, October 15th, 2021
As we'll explain below, there are several different methods used by cybercriminals to carry out a CEO fraud attack. But they all have one thing in common: money.

Most often, a CEO fraud email will urgently request the employee to pay a supplier's "invoice" using new account details. Cybercriminals use sophisticated techniques and meticulous research to make the attack as persuasive as possible.

Why do cybercriminals impersonate CEOs and other high-level executives? Two reasons:

- Power: CEOs have the authority to instruct staff to make payments.
- Status: Employees tend to do what CEOs ask. No one wants to upset the boss.

CEO fraud vs. other types of cybercrime

There's some confusion about CEO fraud and how it relates to other types of cybercrime. Let's clear a few things up before looking at CEO fraud in more detail. CEO fraud is related to the following types of cybercrime:

- Social engineering attack: Any attack in which the attacker manipulates a person into acting against their own or their employer's interests, most often by impersonating someone the target is likely to trust.
- Phishing: A social engineering attack conducted via email (there are other forms of phishing, such as "smishing" and "vishing" via SMS and phone).
- Spear phishing: A phishing attack targeting a named individual.
- Business Email Compromise (BEC): A phishing attack conducted via a hacked or spoofed corporate email account.

These types of cyberattack all utilize email and impersonation, two critical elements of a CEO fraud attack. CEO fraud is not to be confused with "whaling": a phishing attack where the cybercriminal targets, rather than impersonates, a CEO or other senior company employee. More on that in this article: Whaling: Examples and Prevention Strategies.

CEO Fraud techniques

As explained above, CEO fraud is related to Business Email Compromise. That's because the attacker needs to make it look like they're a senior employee of your company, so any email they send must appear to have come from a company account.

There are three main ways cybercriminals can make an email appear to come from the CEO:

- Hacking: Forcing entry into the CEO's real business email account and using it to send emails. This is the CEO fraud technique that's most difficult to detect, because the message passes every authentication check.
- Spoofing: Sending an email with a forged From address on the company's real domain. This only works where the domain's authentication is weak or missing; a DMARC policy set to reject, backed by SPF and DKIM, causes receiving servers to discard exact-domain forgeries, which is why attackers increasingly fall back on the next technique.
- Impersonation: Using an email address that merely looks like the CEO's: a lookalike domain, a freemail account, or the CEO's name as the display name on an unrelated address (a "display name impersonation attack").

Once the threat actor has taken control of a CEO's email account, or has convincingly impersonated their email address, they use one of the following techniques to attack the target organisation:

- Wire transfer phishing: The attacker asks the target to pay an invoice. According to the FBI, businesses lose billions of dollars per year via this type of phishing attack.
- Gift certificate phishing: The attacker asks the targets to buy them gift certificates. Gift certificates can be harder to trace than a bank transfer. Check out this (hilarious) example "from" Tessian's own CEO.
- Malicious payload: The email contains an innocent-looking attachment that installs malware on the target company's systems.

Anatomy of a CEO fraud attack

Now let's take a look at an example of a CEO fraud attack to help you better understand the process.
Like all social engineering attacks, CEO fraud attacks exploit people's feelings of trust and urgency. When the CEO is "in a meeting" or "at a conference" and needs an urgent favor, employees don't tend to second-guess them. Here's how a CEO fraud email might look. Now, for the sake of the example, imagine your boss is Thomas Edison. Yes, that Thomas Edison.

[Example email shown as an image in the original post: display name "Thomas Edison", subject "Urgent request", sent while Thomas is in Florida, asking for a Filament Co. invoice due tomorrow to be paid, signed off with a lightbulb emoji.]

There are a few things to note about this CEO fraud email:

- Note the subject line, "Urgent request," and the impending payment deadline. This sense of urgency is ubiquitous among CEO fraud emails.
- The fraudster uses Thomas's casual email tone and his trademark lightbulb emoji. Fraudsters can do a great impersonation of a CEO by scraping public data (plenty is available on social media!) or by hacking their email and observing their written style.
- Cybercriminals do meticulous research. Thomas probably is in Florida. "Filament Co." might be a genuine supplier, and an invoice might even actually be due tomorrow.

There's one more thing to note about the email above. Look at the display name: it's "Thomas Edison". But anyone can choose whatever email display name they want, and mobile email apps often show only the display name rather than the full email address, leaving people vulnerable to crude "display name impersonation" attacks.

Cybercriminals can also set up a fake email domain impersonating your company's real domain name. The domain is the part of the email address after the "@" sign. A cybercriminal impersonating Bill Gates, for example, might purchase a domain such as "micros0ft.com" or "microsoft.co". Likewise, using "freemail impersonation", a less sophisticated attacker might simply set up an email account with any free email provider using the CEO's name (think "bill.gates@gmail.com"). It sounds crude, but such attacks really can work. We explain domain impersonation in more detail, including plenty of examples, in this blog: Inside Email Impersonation: Why Domain Name Spoofs Could be Your Biggest Risk.

How common is CEO fraud?

It's fair to say that cybercrime has gone into overdrive in recent years. Data from the FBI's Internet Crime Complaint Center (IC3), released March 2021, shows a record-breaking number of cybercrime complaints in 2020. The IC3 reports a 69% increase in the number of complaints since 2019, with reported losses exceeding $4.1 billion.
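The three sender techniques above (hacking, spoofing, impersonation in its domain, freemail and display-name forms), together with the content red flags listed in the CEO Fraud Prevention post earlier on this page (a lookalike sender domain, urgency, new account details), as an added Python example that is not part of the original posts or of Tessian's product. `classify_sender` labels the From header of an inbound message; `red_flags` adds the keyword checks. The company domain abcbank.com and the two executive names come from the posts' scenarios; the executive address book, freemail list, homoglyph table, keyword lists and the assumption that the Authentication-Results header was written by the organisation's own inbound MX are mine.

```python
from email.utils import parseaddr

# Constructed configuration for this example. abcbank.com and the two executives come
# from the posts' scenarios; the address book, freemail list, homoglyph table and
# keyword lists are assumptions.
COMPANY_DOMAIN = "abcbank.com"
EXECUTIVES = {
    "sam jones": "sam.jones@abcbank.com",
    "thomas edison": "thomas.edison@abcbank.com",
}
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}
URGENCY_TERMS = ("urgent", "immediately", "asap", "right away", "end of day")
PAYMENT_TERMS = ("new account", "account details", "wire transfer", "invoice", "gift card")


def normalize(label: str) -> str:
    """Undo common look-alike substitutions: micros0ft -> microsoft, rnicrosoft -> microsoft."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit is enough to turn abcbank into abdbank."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str, target: str) -> bool:
    """True when domain is a near-miss of target: a typo, a homoglyph or a swapped TLD.
    Assumes two-label domains (name.tld); subdomains are not unwrapped here."""
    if domain == target:
        return False
    name = domain.rpartition(".")[0]
    target_name = target.rpartition(".")[0]
    if normalize(name) == target_name:      # micros0ft.com, microsoft.co
        return True
    return edit_distance(name, target_name) <= 1   # abdbank.com


def classify_sender(headers: dict) -> str:
    """Label the From header with the technique used. A hacked account cannot be told
    apart from a genuine message by headers alone, so both come back 'authenticated'.
    Assumes Authentication-Results was written by the organisation's own inbound MX."""
    display, address = parseaddr(headers.get("From", ""))
    address = address.lower()
    domain = address.rpartition("@")[2]
    real_address = EXECUTIVES.get(display.strip().lower())
    dmarc_pass = "dmarc=pass" in headers.get("Authentication-Results", "").lower()

    if domain == COMPANY_DOMAIN:
        if not dmarc_pass:
            return "spoofing"                    # exact-domain forgery, DMARC failed or absent
        if real_address and address != real_address:
            return "display-name-impersonation"  # exec's name on another internal mailbox
        return "authenticated"                   # genuine, or a hacked account
    if lookalike(domain, COMPANY_DOMAIN):
        return "domain-impersonation"
    if real_address and domain in FREEMAIL:
        return "freemail-impersonation"
    if real_address:
        return "display-name-impersonation"
    return "external"


def red_flags(headers: dict, body: str) -> list:
    """Sender verdict plus the content red flags: urgency and a payment request."""
    flags = []
    verdict = classify_sender(headers)
    if verdict not in ("authenticated", "external"):
        flags.append(verdict)
    text = (headers.get("Subject", "") + " " + body).lower()
    if any(term in text for term in URGENCY_TERMS):
        flags.append("urgency")
    if any(term in text for term in PAYMENT_TERMS):
        flags.append("payment-request")
    return flags


if __name__ == "__main__":
    sample = {"From": "Sam Jones <sam.jones@abdbank.com>", "Subject": "Urgent request"}
    print(red_flags(sample, "In a meeting. Please pay the Westinghouse invoice immediately "
                            "using the new account details below. I'm counting on you."))
```

The "authenticated" outcome is the important caveat: a message from the real mailbox with a DMARC pass is exactly what a hacked account produces, which is why the posts recommend out-of-band verification of payment changes rather than relying on the address alone.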
The main cause of cybercrime reported to the IC3 was, you guessed it, phishing. So it's clear that cybercrime, particularly phishing, is pervasive, and increasingly so. But what about CEO fraud itself?

CEO fraud once dominated the cybercrime landscape. However, there is some evidence that cybercriminals are moving away from CEO fraud and towards a broader range of more sophisticated social engineering attacks. In 2020, the FBI noted that while CEO fraud previously dominated BEC, cybercriminals now impersonate a broader range of actors, including vendors, lawyers, and payroll departments. And a report by UK Finance suggests that while CEO fraud is still among the eight main types of fraud attacks targeting consumers and businesses, there was a 14% drop in CEO fraud attacks between the first half of 2020 and the first half of 2021. (So it's not all doom and gloom…)

These days, employees don't only have to be wary of CEO fraud attacks. They also need to watch out for more advanced cybercrime techniques like Account Takeover (ATO), deepfakes, and ransomware. But CEO fraud is still a big deal. And as with all other types of social engineering attacks, there's evidence that CEO fraud attacks are becoming more sophisticated and easier for threat actors to carry out. For example, in March 2021, a CEO fraud "phishing kit" was discovered that enabled cybercriminals to easily host fake Office 365 login pages in the cloud storage tool Backblaze. Want to know how to protect yourself and your business from CEO fraud? Read our article: How to Prevent CEO Fraud Attacks.
Email DLP, Advanced Email Threats
New ESG Report Highlights Gaps in M365 Native Security Tools
by Tessian Tuesday, September 28th, 2021
Millions of companies around the world depend on Microsoft 365 every day. So to better understand its native security tools, and any gaps within them, we've partnered with Enterprise Strategy Group (ESG Global) to produce a new report exploring Microsoft 365's security environments. The report covers several topics of Microsoft 365, both E3 and E5, including capabilities and gaps for protecting against ransomware, phishing, accidental data loss and sensitive data exfiltration, as well as architectural challenges to consider. The full report, ESG Whitepaper: Closing Critical Gaps in Microsoft 365 Native Security Tools, can be found here.

Report highlights

- Phishing was involved in 43% of breaches in the past year
- Over two-thirds (69%) of respondents to the ESG research survey report that email security has become one of their top 5 cybersecurity priorities
- 18% cite email security as their most important cybersecurity priority
- 62% of organizations are reevaluating all security controls currently available natively
- Ransomware ranks as a top-3 risk concern, with 77% of organizations classifying ransomware as high or medium risk
- 45% of organizations report that more than 40% of their sensitive data flows through their email application
- Cloud-delivered email solutions aren't a panacea. Moving on-prem email solutions to the cloud replaces the operational infrastructure but doesn't necessarily fully replace security controls
- Successful credential phishing attacks can lead to email account takeover (ATO), enabling hackers to appear as legitimate insiders, facilitating BEC, data exfiltration, and ransomware

As the report states, email continues to be the backbone of enterprise communications and is considered the most critical infrastructure to daily operations for most. Cloud-delivered email infrastructure has rapidly become the preferred approach to enable email communications, with over 2.3m companies depending on Microsoft 365. For many, handing over email infrastructure to a cloud service provider means transferring and trusting email security and resilience to the provider.

Yet as phishing, which was involved in 43% of breaches in the past year, continues at epidemic levels, over two-thirds (69%) of respondents to an ESG research survey say that email security has become one of their top 5 cybersecurity priorities, with 18% citing email security as their most important cybersecurity priority. While cloud-delivered email providers promise security and resilience, most fall short of what many security and IT teams would consider adequate. Further, adversaries are capitalizing on these homogeneous security systems to bypass controls: a lure that gets past one tenant's native filtering gets past every other tenant's too. As a result, ESG research found that 62% of organizations are re-evaluating all security controls currently available natively, with many turning to third-party email security and resilience solutions to supplement native controls. Organizations that are planning to move or have recently moved to cloud-based email should strongly consider the use of third-party email security solutions to ensure that critical email infrastructure and data are adequately secured against the expanding email threat landscape.

Unpacking Microsoft 365 native security controls in E3 and E5

While Microsoft has invested significantly in strengthening security controls for Microsoft 365 (M365), organizations report continuing gaps in the controls included in both E3 and E5 licensing bundles.
Email security

Exchange Online Protection (EOP) is the filtering layer included with every Microsoft 365 mailbox. While EOP provides many valuable security features, it is limited in its ability to protect against more sophisticated email attacks, such as social engineering (or "spear phishing"), business email compromise, account takeover, and many types of ransomware. Detecting these types of more sophisticated attacks requires both behavioral analytics and a contextual understanding of individual communication activities, which don't exist in EOP. So, while native controls are effective at detecting mass/generic phishing campaigns, they are less effective at detecting highly targeted attacks. For example, EOP uses block lists to detect spam and known malware. Safe Links (part of Microsoft Defender for Office 365, included in E5) rewrites URLs and checks them against known lists of malicious URLs before allowing the user to visit the link.

The Microsoft 365 E5 bundle includes additional security features by adding Microsoft Defender for Office 365 alongside Defender for Endpoint. Additional protection against phishing and ransomware is provided through more advanced malicious URL and attachment protection, including link re-writing and attachment sandboxing. Both approaches, however, can still be vulnerable to new URLs and attacks without "payloads." Microsoft Defender depends on multiple scan engines to detect malware attachments and malicious URL links, leveraging both signature matching and machine learning to perform behavioral analysis. Because BEC and ATO impersonations often contain no malicious links or attachments, these threats can commonly escape this approach.

Data loss prevention

Minimal data loss protection capabilities are included in the E3 bundle, relying on end-users to manually label documents as sensitive to protect them. Relying on end-users to accurately and consistently classify content puts organizations at risk. On the other hand, applying blanket policies and blocking sensitive information is highly disruptive to users' productivity and can be an immense burden on security teams.

Further, companies that opt for applying a default classification to all documents and emails end up with the same label being applied to everything, while lacking any new visibility into sensitive data. As a result, organizations most often resort to tracking and post-incident remediation instead of proactive detection and real-time response. Additionally, E3 lacks native capabilities to detect and manage insider risk (for example, preventing data theft by departing employees). Native controls also often lack the ability to properly classify non-Microsoft data and files, requiring admins to use workarounds to achieve consistent protection.

Data loss prevention is included in the E5 bundle for emails, Teams, and files. Advanced email encryption functionality is also provided, as well as email retention policies. Customer Key for Office 365 is also supported, and some level of insider risk management capability is also included.

Context matters in data loss prevention

M365 email DLP capabilities are, however, not context-aware (meaning that they lack context between the parties exchanging email), resulting in an inability to proactively identify wrong recipients or the unintended inclusion of attachments. M365 detection instead utilizes a rules-based approach to define DLP policies and classify data (regex pattern matches, proximity of certain keywords to the matching patterns, exact data matching, and document fingerprinting). These techniques alone are often unable to detect when email recipients are misaddressed or when the wrong attachments are involved.

Additionally, because these capabilities rely on rule-based techniques or trainable classifiers to align specific data types with DLP policies and to label data (using Azure Information Protection), effectively detecting sensitive information in unstructured data can be problematic (legal, mergers and acquisitions, work orders, bidding documents, and other non-Microsoft formatted files), resulting in both missed exfiltration of sensitive data and additional false positives. While encryption is often mistakenly perceived as a solution for misdirected emails, a recipient included by mistake is still a legitimate recipient as far as the encryption is concerned, and can often decrypt the email to gain access to the sensitive data. User experience/friction when encrypting emails can also be a barrier to use.
Email security has long been focused on inbound filtering and the monitoring of user activities looking for well-known patterns of misuse. Yet email usage patterns are more often unique to individual users: those that they communicate with, what they communicate, and how they communicate. This individual usage context is required to detect and stop many of today's more sophisticated attacks such as spear phishing, BEC, and ATO.

Much of this personal context can be derived through behavioral analytics of historical email, including the analysis of who, what, and when emails were sent in the past. When individual historical patterns, along with context, can be matched against future activity, modern email threats can be detected and stopped, often with little to no user or administrator involvement.

Microsoft 365, the dominant cloud-delivered email solution adopted today, may lack critical security controls needed for certain organizations, therefore motivating many to add supplemental security solutions to close gaps. Whether in the planning stage, implementation stage, or post-implementation, third-party email security controls should be considered with all cloud-delivered email solutions. To learn more, download the full report.
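Rules-based detection versus per-user context, as an added Python example that is not from the ESG report or from Microsoft's or Tessian's products. It serves both the "Context matters in data loss prevention" section and the "who, what, and when" argument just above. `rules_based_findings` does what the report attributes to M365 DLP: a regex for card-like digit runs, a Luhn checksum to drop random reference numbers, and a keyword-proximity check. `SendHistory` supplies the "who" context the report says rules lack: it remembers whom each user has mailed before, so the same sensitive content going to a never-before-seen domain (here a typo of a known partner's domain) is handled differently from the same content going to an established contact. The company domain, the history entries and the sample message are constructed for the example.

```python
import re
from collections import defaultdict

COMPANY_DOMAIN = "example.com"           # assumed: the sending organisation's own domain
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")   # 13-16 digits, optional separators
CONTEXT_TERMS = ("card", "visa", "mastercard", "cvv", "expiry", "account number")
WINDOW = 40                              # characters around a match to search for context terms


def luhn_ok(digits: str) -> bool:
    """Card-number checksum; filters out random digit runs such as order references."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def rules_based_findings(text: str) -> list:
    """Regex pattern + checksum + keyword proximity: the rule-based DLP approach above."""
    hits = []
    lowered = text.lower()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            continue
        nearby = lowered[max(0, m.start() - WINDOW): m.end() + WINDOW]
        if any(term in nearby for term in CONTEXT_TERMS):
            hits.append(("credit-card", digits[-4:]))
    return hits


class SendHistory:
    """Who each user has mailed before: the per-user context that rules alone lack."""

    def __init__(self):
        self.contacts = defaultdict(set)

    def record(self, sender: str, recipients) -> None:
        for r in recipients:
            self.contacts[sender.lower()].add(r.lower())

    def recipient_anomalies(self, sender: str, recipients) -> list:
        known = self.contacts.get(sender.lower(), set())
        known_domains = {k.rpartition("@")[2] for k in known}
        anomalies = []
        for r in recipients:
            r = r.lower()
            domain = r.rpartition("@")[2]
            if r in known or domain == COMPANY_DOMAIN:
                continue                         # established contact, or internal
            if domain in known_domains:
                anomalies.append(("new-contact-at-known-domain", r))
            else:
                anomalies.append(("never-mailed-domain", r))   # typo'd or wrong organisation
        return anomalies


def evaluate(history: SendHistory, sender: str, recipients, text: str) -> dict:
    """Content classification alone never looks at the recipient; combining the two does."""
    sensitive = rules_based_findings(text)
    anomalies = history.recipient_anomalies(sender, recipients)
    if sensitive and any(kind == "never-mailed-domain" for kind, _ in anomalies):
        action = "block"
    elif sensitive and anomalies:
        action = "warn"
    else:
        action = "allow"
    return {"sensitive": sensitive, "anomalies": anomalies, "action": action}


# Constructed sample data: alice has previously mailed one partner and one colleague.
SAMPLE_MESSAGE = "Hi Bob, the corporate card number is 4111 1111 1111 1111, expiry 12/26."


def sample_history() -> SendHistory:
    history = SendHistory()
    history.record("alice@example.com", ["bob@partnerbank.example", "carol@example.com"])
    return history


if __name__ == "__main__":
    for to in ("bob@partnerbank.example", "bob@partnerbamk.example"):
        print(to, evaluate(sample_history(), "alice@example.com", [to], SAMPLE_MESSAGE)["action"])
```

The point of the two recipients in the usage block is that the message body is identical: a pattern-only DLP rule returns the same verdict for both, and only the history of whom alice normally writes to separates the intended partner from the typo. Encrypting the message would not help either, since the mistyped address is a perfectly valid recipient of the encrypted copy.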
Advanced Email Threats
We Analyzed 2 Million Malicious Emails. Here’s What We Learned.
by Tessian Friday, September 24th, 2021
Over a 12-month period, Tessian Defender detected nearly 2 million malicious emails, all of which slipped past Secure Email Gateways (SEGs) and native tools to land in employees’ inboxes. This represents a lot of risk. So, to help you understand what you’re up against and – more importantly – how to protect your organization, we analyzed them to identify the what, how, who, why, and when of today’s threat landscape. Here’s what we found.
1. Cybercriminals have a type ❤
When it comes to who they target, bad actors cast a wide net, but do seem to have an affinity for Retail, Manufacturing, F&B, R&D, and Tech. Still, across all industries, Tessian flagged 14 malicious emails a year per employee. That means that, without Tessian, each employee would have to successfully identify 14 carefully crafted emails a year in order to avoid a breach. That’s just too much risk.

In terms of company size, bad actors will take whatever they can get. Wondering why they don’t focus exclusively on the “big fish” (i.e. enterprise)? Because smaller companies – who generally have less money to spend on cybersecurity – are often easier to infiltrate. This can be a foothold for lateral movement, especially for companies with large supply chains.

Interestingly though, regardless of industry or company size, attacks look just about the same. Across the board, display name spoofs are the most commonly used impersonation tactic. Payloads are more often delivered via URLs than attachments. And keywords related to wire transfers are more frequently seen than keywords related to credentials. This reinforces just how effective these tactics are, regardless of how much budget an organization has allocated to cybersecurity.

2. Most malicious emails don’t contain attachments 📎

While attachments are listed first in frameworks like MITRE, most bad emails don’t actually contain attachments. That’s why it’s important to train employees to spot a variety of different malicious payloads, including zero payload attacks. Zero payload attacks don’t rely on a malicious payload like an attachment or link; the attacker simply persuades the victim to action a request. Zero payload attacks can be just as devastating as malicious payload attacks, and traditional antivirus and anti-phishing software – which often rely solely on keyword detection and deny/allow lists – struggle to detect them. But what about when bad actors do leverage attachments?
Download the full report to see which file extension type is most common, and to download an infographic to share with your employees.

3. You’re most likely to be phished between 2PM and 6PM 🐟
We’re often told that bad actors borrow best practice from marketers. If that’s the case, most phishing attacks would land in employees’ inboxes around 10 AM on Wednesdays. Our analysis tells a different story. Most malicious emails are delivered between 2PM and 6PM, with very little fluctuation day-to-day (except over the weekend). This isn’t an accident. Since employees are more likely to make mistakes when they’re stressed, tired, and distracted, the second half of the work day is a bad actor’s best bet. (Hello afternoon slump!) Help your employees stay alert by letting them know when they’re most likely to receive a phishing email, what they look like, and what to do if and when they do spot something suspicious.

There are dozens more insights in the report, including:
Which brands are the most frequently impersonated in attacks
What keywords appear most frequently in subject lines and body copy
Which industry is most frequently compromised in ATO attacks

Download it now while it’s ungated!
Advanced Email Threats
What is a Software Supply Chain Attack?
Friday, September 17th, 2021
A cybersecurity breach on a single company is bad, but when an attack affects potentially hundreds of businesses in that firm’s supply chain, the results can be catastrophic. Known as ‘software supply chain attacks’, these types of threats hit hard, spread quickly, and can devastate thousands of organizations simultaneously. Broadly speaking, a software supply chain attack involves inserting malicious code into a piece of software that is then distributed among multiple organizations, usually the customers of the software company that owns the software. This article will look at some recent examples of software supply chain attacks, consider the different forms such attacks can take, and explore how both software vendors and their customers can avoid falling victim to this especially damaging security threat.

Examples of software supply chain attacks

First, to understand how software supply chain attacks work, let’s consider two recent high-profile examples.

The SolarWinds attack

The SolarWinds attack was first discovered in December 2020, after a cybersecurity company, FireEye, discovered that some of its software tools had been stolen. When investigating the theft, FireEye learned that the attackers had gained access to its systems via a third-party software product called Orion, a network monitoring tool supplied by Texas-based software company SolarWinds. An update to Orion, released nine months earlier, in March 2020, had granted the attackers access to FireEye’s systems. This update gave the cybercriminals full access to FireEye’s private data, enabling them to exfiltrate the company’s security tools. But FireEye wasn’t the only company affected by the hack. FireEye reported its discovery to the National Security Agency (NSA), the U.S. intelligence service tasked with defending the country against cyber threats. This was when the devastating impact of the SolarWinds attack became apparent.
The NSA revealed that it also used SolarWinds—together with the U.S. Treasury, the Department of Homeland Security, and the National Nuclear Security Administration. In fact, twelve U.S. Federal Government departments were compromised by the malicious SolarWinds update, along with thousands of other organizations around the world. All the attackers had to do was insert malicious code into SolarWinds’ software update, and let SolarWinds distribute the malware among the companies downstream in its supply chain. This ease of distribution is what makes supply chain attacks so effective for the attackers, and so devastating for the victims.

The Kaseya attack

In response to SolarWinds, President Biden enacted his Executive Order on Improving the Nation’s Cybersecurity. But in July 2021, less than two months after Biden’s order passed, another colossal software supply chain attack occurred, this time originating from Miami-based software firm Kaseya. Like SolarWinds, Kaseya provides network monitoring tools and it sits at the start of a very long supply chain. The Kaseya attack started when ransomware gang REvil inserted malicious code into an update for Kaseya’s Virtual System Administrator (VSA) software. After updating VSA with the malicious code, Kaseya’s customers found their systems were inaccessible due to ransomware. REvil claimed that over one million companies had been affected, whereas Kaseya put the number between 800 and 15,000. Either way, the attack caused havoc for thousands of people, and its effects were felt far and wide. Even a Swedish supermarket chain had to temporarily close when its payment processing equipment malfunctioned due to the attack. The Kaseya ransomware is another example of how software supply chain attacks can grow almost exponentially around the globe. Hack one Miami-based software company, and the next day a Swedish supermarket could be considering whether to pay you a ransom to decrypt its files.
Types of software supply chain attacks

Software supply chain attacks are just one type of supply chain attack (we’ll look at another type of supply chain attack below). But there are also different subtypes of software supply chain attacks that security-conscious organizations need to understand. The National Institute of Standards and Technology (NIST) identifies six types of software supply chain attacks:
Design: Malicious actors can hijack a product’s initial design process to install or corrupt software. In 2016, a U.S. manufacturer shipped phones with malicious software that recorded users’ phone calls and texts.
Development and production: Threat actors persist in an upstream company’s networks and infiltrate its downstream customers. The SolarWinds attack is an example of this type of supply chain attack.
Distribution: The initial attack occurs between the manufacture of a product and its acquisition by end-users. For example, a 2012 investigation found pre-installed malware apps on retail desktop and laptop computers.
Acquisition and deployment: Software companies can be acquired or influenced by malicious actors to spy directly on end-users. NIST cites a 2017 incident involving Kaspersky Antivirus.
Maintenance: Backdoors can be embedded in routine updates, allowing cybercriminals to access the computers that install them. Both the SolarWinds and Kaseya attacks leveraged this technique.
Disposal: Improper wiping of hardware can lead to “data spillage,” enabling downstream actors purchasing or disposing of the equipment to access software or information on the device.

How to prevent software supply chain attacks

Two main actors in the supply chain can help detect and prevent software supply chain attacks:
The upstream companies who distribute software into the supply chain (vendors)
The downstream organizations who purchase and use that software (customers)

Here’s how each of these parties can defend against this type of threat.
Vendors

Vendors developing commercial software must be extremely diligent before releasing their products into the supply chain.
Apply strong security standards at every stage of production as well as across your organization.
Ensure your systems aren’t vulnerable to cyberattacks like phishing, SQL injection, or man-in-the-middle attacks.
Carefully vet and document any third-party code employed in your development process.
Maintain an inventory of any open-source code libraries you use, and carefully monitor any changes or security updates to that code.
Implement a cyber security framework to ensure your organization meets good cybersecurity standards.

Customers

Once compromised software is installed on a company’s systems, there’s little they can do to stop the damage. As such, organizations must do everything reasonably possible to avoid installing compromised software or acquiring compromised hardware. Here are some of the things you can do to mitigate that risk.
Implement a cyber supply chain risk management (C-SCRM) program so you can fully account for all suppliers and products in your supply chain.
Engage with your software suppliers to understand how they identify vulnerabilities and prevent cyber risks.
Request a software component inventory from your software suppliers and consider changing suppliers if they cannot provide one.
Monitor and defend endpoints to contain the spread of any malware infections.
Implement a cyber security framework to ensure your organization meets good cybersecurity standards and can respond effectively to email supply chain attacks.

Software supply chain attacks: just one type of supply chain attack

Attacking software is just one of several ways cybercriminals can leverage the interconnected nature of supply chains. Another is email-based supply chain attacks, in which cybercriminals hack vendors’ email accounts to deliver highly convincing phishing emails.
Email-based supply chain attacks are sometimes called Account Takeover attacks. The Nobelium email campaign, conducted by the same actors who hit SolarWinds, is an example of an email supply chain attack: 150 government agencies, think tanks, and NGOs, received phishing emails after the cybercriminal hacked email provider Constant Contact. The good news is that email-based supply chain attacks, while potentially devastating, are avoidable by using an effective email security tool like Tessian. Tessian scans inbound emails to detect anomalies such as malicious links, inauthentic sender addresses, and signs of inconsistent language or behavior that suggest an email’s sender is not who they say they are. Read more about how Tessian’s machine learning-powered technology helps detect and defend against email-based supply chain attacks and other phishing threats.
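One concrete use for the software component inventory the customer checklist above asks suppliers for: verify every component of an update against it before installation. The following is an added example, not code from SolarWinds, Kaseya or any vendor named in this post; the inventory format (a JSON list of name, version and SHA-256), the component names and the file contents are all constructed.

```python
"""Verifying a software update against a supplier's component inventory before
installing it. Added example; not code from any vendor named above. The inventory
format, component names and contents are constructed."""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "known-good" build as the supplier shipped it: component -> bytes.
KNOWN_GOOD_BUILD = {
    "agent-core": b"agent core 2.4.1 binary (constructed)",
    "net-monitor-plugin": b"net monitor plugin 1.9.0 (constructed)",
    "libcompress": b"libcompress 3.2.0 (constructed)",
}
_VERSIONS = {"agent-core": "2.4.1", "net-monitor-plugin": "1.9.0", "libcompress": "3.2.0"}

# Constructed component inventory of the kind a customer would request from a
# supplier: one entry per component with its version and expected SHA-256.
INVENTORY_JSON = json.dumps([
    {"name": name, "version": _VERSIONS[name], "sha256": sha256_hex(data)}
    for name, data in KNOWN_GOOD_BUILD.items()
])


def load_inventory(text: str) -> dict:
    """Index the inventory by component name."""
    return {entry["name"]: entry for entry in json.loads(text)}


def verify_update(package: dict, inventory: dict) -> dict:
    """Return one status per component:
    ok               - present and hash matches the inventory
    hash_mismatch    - present but contents differ from what the supplier listed
    not_in_inventory - shipped in the package but undocumented by the supplier
    missing          - documented by the supplier but absent from the package
    Anything other than ok should block installation and trigger a query to the supplier."""
    status = {}
    for name, data in package.items():
        if name not in inventory:
            status[name] = "not_in_inventory"
        elif sha256_hex(data) != inventory[name]["sha256"]:
            status[name] = "hash_mismatch"
        else:
            status[name] = "ok"
    for name in inventory:
        status.setdefault(name, "missing")
    return status


def safe_to_install(status: dict) -> bool:
    return all(s == "ok" for s in status.values())


if __name__ == "__main__":
    inv = load_inventory(INVENTORY_JSON)
    tampered = dict(KNOWN_GOOD_BUILD)
    tampered["agent-core"] += b" + injected code"      # modified component
    tampered["helper-dll"] = b"undocumented extra"      # component the inventory never listed
    result = verify_update(tampered, inv)
    print(result, "install:", safe_to_install(result))
```

This check catches tampering between the supplier and you (NIST’s distribution and maintenance stages) and surfaces undocumented components. It does not help when the supplier’s own build pipeline is compromised and the inventory describes the malicious build, which is why the checklist also asks you to engage with suppliers on how they find vulnerabilities and to monitor endpoints after installation.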
Advanced Email Threats
What Does a Spear Phishing Email Look Like?
by Tessian Friday, September 17th, 2021
88% of organizations around the world experienced spear phishing attempts in 2019. And, while security leaders are working hard to train their employees to spot these advanced impersonation attacks, every email looks different. A hacker could be impersonating your CEO or a client. They could be asking for a wire transfer or a spreadsheet. And malware can be distributed via a link or an attachment. But it’s not all bad news. While – yes – each email is different, there are four commonalities in virtually all spear phishing emails.
Download the infographic now and help your employees spot spear phishing attacks.

Before we go into more detail about these four red flags, let’s get into the mind of a hacker.

What do hackers consider when creating a spear phishing attack?

Hackers prey on their target’s psychological vulnerabilities. For example, immediately after the outbreak of COVID-19, we saw a spike in spear phishing attacks impersonating health organizations, insurance companies, government agencies, and remote-access tools. Why? Because people were stressed, anxious, and distracted and therefore more likely to trust emails containing “helpful” information and take the bait. We explore this in detail in our report, The Psychology of Human Error. While people cite distraction as the top reason for falling for phishing attacks, the perceived legitimacy of the email was a close second.

Looking at real-world examples can help. Below are five articles that outline recent scams, including images of the emails.
COVID-19: Real-Life Examples of Opportunistic Phishing Emails
Everything You Need to Know About Tax Day Scams 2020
Spotting the Stimulus Check Scams
How to Spot and Avoid 2020 Census Scams
Look Out For Back to School Scams

Now that you know broadly what to look for and what makes you more vulnerable, let’s take a deeper dive into the four things you should carefully inspect before replying to an email.

4 Things to Inspect Before Replying to An Email

The Display Name and Email Address

The first thing you should do is look at the Display Name and the email address. Do they match? Do you recognize the person and/or organization? Have you corresponded with them before? It’s important to note that some impersonations are easier to spot than others. For example, in the example below, the Display Name (zoom_meeting@tessian.com) is vastly different from the email address (fd29eaab47504bfa8bd773ee581bc7d4@tessian.com).
But, hackers can make slight changes to the domain that can be indiscernible unless the target is really looking for it. To make it easier to understand, we’ll use FedEx as an example. In the chart below you’ll see five different types of impersonations. For more information about domain impersonations, read this article: Inside Email Impersonation: Why Domain Name Spoofs Could Be Your Biggest Risk
The bottom line: Take the time to look closely at the sender’s information.

The Subject Line

As we’ve mentioned, hackers exploit the psychological vulnerabilities of their targets. It makes sense, then, that they’ll try to create a sense of urgency in the subject line. Here is a list of the Top 5 subject lines used in spear phishing attacks:
Urgent
Follow up
Important
Are you available?
Payment Status

And, when it comes to Business Email Compromise attacks, the Top 5 subject lines are:
Urgent
Request
Important
Payment
Attention

While – yes – these subject lines can certainly appear in legitimate emails, you should exercise caution when responding.

Attachments and Links

Hackers will often direct their targets to follow a link or download an attachment. Links will direct users to a malicious website and attachments, once downloaded, will install malware on the user’s computer. These are called payloads. How can you spot one? While links may often look inconspicuous (especially when they’re hyperlinked to text), if you hover over them, you’ll be able to see the full URL. Look out for strange characters, unfamiliar domains, and redirects.
Unfortunately, you can’t spot a malicious attachment as easily. Your best bet, then, is to avoid downloading any attachments unless you trust the source. Note: Not all spear phishing emails contain a payload. Hackers can also request a wire transfer or simply build rapport with their target before making a request down the line.

The Body Copy

Just like the subject line will create a sense of urgency, the body copy of the email will generally motivate the target to act. Look out for language that suggests there will be a consequence if you don’t act quickly. For example, a hacker may say that if a payment isn’t made within 2 hours, you’ll lose a customer. Or, if you don’t confirm your email address within 24 hours, your account will be deactivated. While spear phishing emails are generally carefully crafted, spelling errors and typos can also be giveaways. Likewise, you may notice language you wouldn’t expect from the alleged sender. For example, if an email appears to be sent from your CEO, but the copy doesn’t match previous emails from him or her, this could suggest that the email is a spear phishing attack.

To learn more about how tools like Tessian Defender can prevent spear phishing attacks, speak to one of our experts and request a demo today.

What to do if you think an email is suspicious

Now that you know what to look out for, what do you do if you think you’ve caught a phish?
If anything seems unusual, do not follow or click links or download attachments.
If the email appears to be from a government organization or another trusted institution, visit their website via Google or your preferred search engine, find a support number, and ask them to confirm whether the communication is valid.
If the email appears to come from someone you know and trust, like a colleague, reach out to the individual directly by phone, Slack, or a separate email thread. Rest assured, it’s better to confirm and proceed confidently than the alternative.
Contact your line manager and/or IT team immediately and report the email.

But it’s not fair to leave people as the last line of defense. Even the most tech-savvy people can fall for spear phishing attacks. Case in point: Last month, The SANS institute – a global cybersecurity training and certifications organization – revealed that nearly 30,000 accounts of PII were compromised in a phishing attack that convinced an end-user to install a self-hiding and malicious Office 365 add-on. That means organizations should invest in technology that can detect and prevent these threats.

Tessian can help detect and prevent spear phishing attacks

Unlike spam filters and Secure Email Gateways (SEGs), which can stop bulk phishing attacks, Tessian Defender can detect and prevent a wide range of impersonations, spanning more obvious, payload-based attacks to subtle, socially engineered ones. How? Tessian’s machine learning algorithms learn from historical email data to understand specific user relationships and the context behind each email. When an email lands in your inbox, Tessian Defender automatically analyzes millions of data points, including the email address, Display Name, subject line and body copy.
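The four inspection points above (display name versus address, subject line, links and attachments, body copy) can be checked mechanically on a raw message. The following is an added example written for this post using only Python’s standard library; it is not Tessian Defender’s detection logic. The urgency terms come from the Top 5 lists above; the deadline phrasing, the two sample messages and every domain in them (acme.example, free-mail.example, acme-example.example.net) are constructed.

```python
"""Inspecting the four red flags above (display name vs. address, subject line,
links and attachments, body copy) with Python's standard library. Added example,
not Tessian's detection logic; both messages below are constructed."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Subject-line terms from the Top 5 lists above.
URGENCY_TERMS = ("urgent", "follow up", "important", "are you available",
                 "payment status", "request", "payment", "attention")
# Deadline / consequence phrasing of the kind the body-copy section describes (constructed).
PRESSURE_PATTERN = re.compile(r"within \d+ (hours?|minutes?)|will be (deactivated|suspended)", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs so link text can be compared with its target."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def hostname_in_text(text: str):
    """Hostname if the link's visible text itself looks like a URL or domain, else None."""
    if not re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", text, re.I):
        return None
    return urlparse(text if "://" in text else "http://" + text).hostname


def inspect_message(raw: bytes) -> list:
    """Return human-readable findings; an empty list means no red flag was seen."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Display name vs. email address: an address-like display name on another domain
    addresses = getattr(msg["From"], "addresses", ()) if msg["From"] else ()
    name, addr = (addresses[0].display_name, addresses[0].addr_spec) if addresses else ("", "")
    shown_addr = re.search(r"[\w.+-]+@[\w.-]+", name)
    if shown_addr and domain_of(shown_addr.group()) != domain_of(addr):
        findings.append(f"display name shows {shown_addr.group()} but sender is {addr}")

    # 2. Subject line
    subject = str(msg.get("Subject", "")).lower()
    hits = [t for t in URGENCY_TERMS if t in subject]
    if hits:
        findings.append("urgency terms in subject: " + ", ".join(hits))

    # 3. Links whose visible text names one host while the href goes elsewhere,
    #    and attachments (reported so the reader can decide whether to trust the source)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        parser = LinkExtractor()
        parser.feed(html_part.get_content())
        for href, text in parser.links:
            target = (urlparse(href).hostname or "").lower()
            shown = hostname_in_text(text)
            if shown and shown != target:
                findings.append(f"link text {shown} points to {target}")
    for part in msg.iter_attachments():
        findings.append(f"attachment present: {part.get_filename()}")

    # 4. Body copy: deadline or consequence language
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None and PRESSURE_PATTERN.search(body.get_content()):
        findings.append("body copy pressures the reader with a deadline or consequence")
    return findings


# Constructed sample showing all four red flags.
SAMPLE_PHISH = b"""From: "ceo@acme.example" <ceo.acme@free-mail.example>
Subject: Urgent payment request
Content-Type: text/html; charset="utf-8"

<p>Approve the wire within 2 hours at
<a href="http://acme-example.example.net/portal">https://portal.acme.example</a>
or we will lose the customer.</p>
"""

# Constructed benign message for comparison.
SAMPLE_OK = b"""From: Bob Smith <bob@acme.example>
Subject: Lunch on Thursday?
Content-Type: text/plain; charset="utf-8"

Shall we try the new place on the corner?
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_OK)):
        print(label, inspect_message(raw))
```

The constructed phish yields four findings: the display name carries an address on a different domain from the real sender, the subject contains three of the urgency terms, the link text names portal.acme.example while the href points elsewhere, and the body sets a two-hour deadline. Each is a prompt for the manual checks in the steps above (confirm by phone or a separate thread, report to IT), not a verdict on its own: legitimate mail can trip any one of them.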
Integrated Cloud Email Security, Advanced Email Threats
Legacy Phishing Prevention Solutions vs. Human Layer Security
by Tessian Friday, August 27th, 2021
Phishing – in its many varieties – is the threat most security leaders are concerned about protecting their organizations against. Why? Because attacks are frequent, hard to spot, time-consuming to investigate, and expensive to recover from. And legacy solutions like Secure Email Gateways (SEGs), sandboxes, DMARC, and security awareness training just aren’t enough. With these methods, users aren’t engaged in a meaningful way and unknown anomalies aren’t accounted for. But there’s a better way. This blog evaluates the shortcomings of legacy phishing prevention solutions, and proposes a different approach: Human Layer Security.

Note: This article is based on an extensive whitepaper available for download. The whitepaper provides greater depth as it compares Human Layer Security with the legacy security solutions discussed here.

The problem with SEGs & native tools

SEGs lack the intelligence to learn user behavior or rapidly adapt. The backbone of a SEG is traditional email security approaches – static rules, signature-based detection, a library of known threats, etc. Meanwhile, attackers consistently evolve their techniques, email networks are dynamic in nature, and human behavior is inconsistent and unpredictable. That means rules are out of date as soon as they are created and signature-based approaches are ineffective. They can’t detect advanced impersonation, account takeover (ATO), third-party supply chain risk, or wire fraud. Worse still, SEGs don’t address other entry points like Microsoft SharePoint, OneDrive, and ShareFile, which are some of the most hacked cloud tools.

What about native controls like Microsoft ATP?

O365’s native security controls do protect users against bulk phishing scams, spam, malware, and domain spoofing. And these tools are great when it comes to stopping broad-based, high-volume, low-effort attacks – they offer baseline protection. But today’s email attacks have mutated to become more sophisticated and targeted.
Attackers use automation to make small, random modifications to existing malware signatures and use transformation techniques to bypass these native O365 security tools. Unsuspecting – and often untrained – users fall prey to socially engineered attacks that would be hard for even a security expert to spot. To learn more about why Office 365 accounts are vulnerable to attack, click here.

Why sandboxes fail to detect phishing attacks

One of the primary ways sandboxes can fail is in phishing attempts. Any detection made by the sandbox is dependent on a file exhibiting malicious behavior. This is easy to work around. Hackers will often send a PDF that contains a link to a malicious form to avoid detection. Likewise, documents with a URI (Uniform Resource Identifier) have an extremely low footprint for sandboxes to detect. And a short-TTL domain doesn’t leave much evidence for event analysis or threat intelligence. There are issues with latency, too. Emails, communications, downloads, and important files can take several minutes to reach their destination because of the bottleneck sandboxes can create. This is not an option in today’s modern enterprises, where real-time communication and collaboration is paramount.

Why DMARC isn’t enough

Domain-based Message Authentication, Reporting and Conformance (DMARC) is an added authentication method that uses both SPF and DKIM to verify whether or not an email was actually sent by the owner of the domain that the user sees. In order for DMARC to pass, both SPF and DKIM must pass, and at least one of them must be aligned. While impersonating a given domain is a common method used for phishing and other malicious activities, there are other attack vectors that DMARC does not address. For example, DMARC does not address domain impersonation attacks (i.e. sending from a domain that looks like the target being abused – e.g. exampl3.com vs. example.com), or display name impersonation (i.e.
modifying the “From” field to look as if it comes from the target being abused).

The other misunderstood aspect of DMARC is the belief that enabling DMARC on your domain protects your domain from being used in a phishing attack. But to protect your organization against phishing and spear phishing attacks, all domains used in communication with your employees should have DMARC enabled on them. But still, only one-third of businesses employ DMARC. This makes the security of your organization dependent on other companies communicating with your organization and vulnerable to supply chain risk, especially since DMARC records are publicly available, meaning attackers can easily identify and target domains that have not published a DMARC record and are thus vulnerable to impersonation. Finally, in addition to their own internal domains, organizations are likely to use some combination of Office 365, Gmail, MailChimp, Salesforce.com and other third-party email services. But it’s a challenge to then retrofit them all with DMARC. Want to learn more? We explore the limitations of DMARC in more detail here.

The limitations of security awareness training

Security Awareness Training (SAT) is seen as a “quick win” when it comes to security – a box-ticking exercise that companies can do in order to tell their shareholders, regulators and customers that they’re taking security seriously. Sadly, the evidence of these initiatives being conducted is often treated as more important than their effectiveness. And engagement is a big problem. Too many SAT programs are delivered once or twice a year in lengthy sessions. This makes it really hard for employees to remember the training they were given, and the sessions themselves have to cram in too much content to be memorable. It’s also difficult for security leaders to train their employees to spot today’s sophisticated attacks. That’s because SAT platforms rely on simulating phishing threats by using pre-defined templates of common threats.
This is a fair approach for generic phishing awareness (e.g. beware the fake O365 password login page), but it’s ineffective at driving awareness and preparing employees for the highly targeted and continuously evolving phishing threats they’re increasingly likely to see today (e.g. an email impersonating their CFO with a spoofed domain). We explore the pros and cons of phishing awareness training here.

What is Human Layer Security?

The only question left to answer is: When legacy solutions and training programs aren’t enough, how can we prevent employees from interacting with the malicious emails that land in their inbox? The answer is Human Layer Security (HLS). SEGs and native tools like O365 provide basic phishing protection, but organizations need an intelligent solution like Tessian to detect and prevent advanced inbound attacks like BEC, ATO, and CEO Fraud that make it through inbuilt bulk phishing and spam filters. Tessian Defender uses machine learning (ML) to protect your people from even the most advanced inbound threats. Here’s how:
Tessian’s machine learning algorithms analyze your company’s email data, learn employees’ normal communication patterns, and map their trusted email relationships — both inside and outside your organization.
Tessian inspects both the content and metadata of inbound emails for any suspicious or unusual signals pointing to a potential impersonation, ATO, or BEC threat. For example, payloads, anomalous geographic locations, IP addresses, email clients, and sending patterns.
Once it detects a threat, Tessian alerts employees that an email might be unsafe, explaining the threat in easy-to-understand language via an interactive notification.
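The DMARC discussion above is easiest to see with the evaluation written out. Here is an added example (not Tessian’s code and not a DMARC library) that parses a policy record, applies SPF/DKIM identifier alignment and evaluates the three cases the text names: an exact-domain spoof, the exampl3.com lookalike, and display-name impersonation. It follows RFC 7489, which is slightly more permissive than the summary above: a message passes when at least one of SPF or DKIM both passes and aligns with the visible From domain. The organizational-domain function is a deliberate simplification (last two labels; a real implementation consults the Public Suffix List), and every domain and result in the cases is constructed.

```python
"""DMARC evaluation per RFC 7489 from SPF and DKIM results, and why a pass does
not stop lookalike-domain or display-name impersonation. Added example, not
Tessian's or any DMARC library's code; all cases are constructed."""
from dataclasses import dataclass
from email.utils import parseaddr


@dataclass
class AuthResults:
    """Authentication outcome for one message, as a receiving server would record it."""
    from_header: str   # RFC5322.From, the address the user sees
    spf_result: str    # "pass", "fail", "none", ...
    spf_domain: str    # RFC5321.MailFrom domain SPF was checked against
    dkim_result: str
    dkim_domain: str   # d= tag of the verified DKIM signature


def parse_dmarc_record(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s' into tags, with RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "p": "none"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    # Simplification (assumption): the organizational domain is the last two labels.
    # A real implementation consults the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(r: AuthResults, record: str) -> str:
    """'pass' when at least one of SPF or DKIM passes AND aligns with the From domain."""
    tags = parse_dmarc_record(record)
    from_domain = parseaddr(r.from_header)[1].rsplit("@", 1)[-1].lower()
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, from_domain, tags["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, from_domain, tags["adkim"])
    return "pass" if spf_ok or dkim_ok else "fail"


POLICY = "v=DMARC1; p=reject; adkim=r; aspf=r"

# Case 1: exact-domain spoof. The sending infrastructure passes SPF for its own
# domain, but nothing aligns with example.com, so DMARC fails and p=reject applies.
EXACT_SPOOF = AuthResults("CEO <ceo@example.com>", "pass", "attacker.example", "none", "")

# Case 2: lookalike domain. Whoever controls exampl3.com can publish SPF and DKIM
# for it, so every identifier aligns with the (lookalike) From domain and DMARC passes.
LOOKALIKE = AuthResults("CEO <ceo@exampl3.com>", "pass", "exampl3.com", "pass", "exampl3.com")

# Case 3: display-name impersonation from a free-mail domain: fully aligned, passes.
DISPLAY_NAME = AuthResults('"ceo@example.com" <ceo.example@free-mail.example>',
                           "pass", "free-mail.example", "pass", "free-mail.example")

if __name__ == "__main__":
    for label, case in (("exact spoof", EXACT_SPOOF), ("lookalike", LOOKALIKE), ("display name", DISPLAY_NAME)):
        print(f"{label}: DMARC {dmarc_evaluate(case, POLICY)}")
```

Only the first case fails. The other two are exactly the gaps the text describes: DMARC attests that the visible domain authorised the message, and in cases 2 and 3 it did, so the check the receiver still needs is whether that visible domain or display name is one its users should trust at all.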
Email DLP, Compliance, Advanced Email Threats
5 Cyber Risks In Manufacturing Supply Chains
Thursday, August 26th, 2021
When it comes to supply chain risks, cybersecurity and data loss are top of mind for security analysts and other professionals. The EU Agency for Cybersecurity (ENISA) notes that there has been a marked increase in such attacks since early 2020—and that most supply chain attacks target data (mainly personal information and intellectual property).

Manufacturers are typically involved in long and complex supply chains with many actors, making them particularly vulnerable to disruption and malicious activity in the supply chain. You must protect against these risks. Keep reading to learn more, including prevention tips.

Five manufacturing supply chain cyber risks

First, let’s look at five crucial supply chain cyber risks for manufacturers. We’ll then consider how manufacturers can improve their supply chain cybersecurity, referencing some real-life examples.

1. Intellectual property theft

One major concern for manufacturers is that third parties in their supply chain may abuse their access to intellectual property and other valuable or sensitive data. According to research by Kroll, guarding against supply chain IP theft is a priority for nearly three-quarters of companies. Even if all your supply chain partners are legitimate, there is always the possibility that a rogue employee could steal your IP or trade secrets and pass them on to your competitors. Don’t believe us? Check out these 17 examples of real-world insider threats.

2. Supply chain attacks

Supply chain attacks leverage security vulnerabilities to steal data and spread malware such as ransomware. Some recent high-profile supply chain attacks include the attacks on software companies SolarWinds and Kaseya. These incidents involved software vendors pushing compromised updates to their customers, resulting in widespread malware infections. There’s a reason that supply chains are particularly vulnerable to cyberattacks.
The more organizations are involved in a manufacturing process, the greater the likelihood that one of the members will fall victim to a cyberattack and spread malware to their business partners. But that doesn’t mean that the chain is “only as strong as its weakest link.” A well-defended organization can stop a supply chain attack in its tracks.

Case study: supply chain attack

Here’s an example of a supply chain attack that leveraged email in an attempt to undermine a company’s security defenses. This type of threat is known as an “account takeover” (ATO) attack. The cybercriminals targeted a medium-sized construction firm by first infiltrating one of the company’s trusted vendors. The attackers managed to take over the email account of one of this vendor’s employees. By reading the employee’s emails, the criminals learned that the employee was in contact with several high-ranking staff members at the construction firm. After observing the employee’s communication patterns and email style, the attackers then used the mailbox to send phishing emails to a targeted group of individuals at the construction firm. The phishing emails encouraged the recipients to click a link to a cloud storage folder, claiming that the folder contained a request for a proposal. Clicking the link would have downloaded malware onto the recipient’s device.

Protecting against supply chain attacks

Protecting against supply chain attacks requires a comprehensive cybersecurity policy, including staff training, network defenses, and security software. Implementing email security software is a vital part of your defensive strategy in the case of email-based supply chain attacks, such as the one above. The case study above is a real-life example of how Tessian, a comprehensive email security solution driven by machine learning, can help thwart supply chain attacks. Tessian Defender scans inbound emails for suspicious activity.
The software also learns your employees’ communication patterns to understand what constitutes “normal” email activity. In the attack described above, Tessian noted several subtle signs—including the sender’s location and choice of cloud storage platform—suggesting that the email could be part of a supply chain attack. Tessian alerted the employee to the potential danger, and the supply chain attack was averted. It’s important to note that legacy email security software, which normally operates on a “rule-based” basis, can fall short when it comes to sophisticated account take-over attacks like this. Tessian was not the only security product this construction firm was running. But it was the only one to spot the attack.

3. Compromised hardware and software

Malicious actors can compromise hardware and software during the manufacturing process, creating vulnerabilities that are passed on down the supply chain or to equipment end-users. Hardware can be tampered with at any stage in the supply chain. As a manufacturer, you might obtain compromised hardware—or malicious actors could interrupt the manufacturing process downstream, tampering with products to install rootkits or other technologies. But as a manufacturer, you must also protect against threats in your own portion of the supply chain—where internal or external actors could interfere with the products or components you create.

Case study: compromised software

In August 2020, reports emerged that Chinese phone manufacturer Transsion had shipped thousands of mobile devices containing pre-installed malware that signed users up to subscription services without their consent. The pre-installed malware, known as Triada, automatically downloads and installs a trojan called “xHelper” that cannot be easily removed by users.
The program covertly submits requests for subscription products at the user’s expense. Transsion blamed a malicious actor in its supply chain for installing Triada on its devices—but the culprit has yet to be discovered.

Defending against software compromise

One step towards avoiding any type of malicious actor in your supply chain is conducting thorough due diligence. Identify and document all supply chain partners—as mentioned, you could be accountable for their malicious or negligent activity.

Integrating cybersecurity measures into your quality assurance regime may also be a way to prevent upstream malicious actors from tampering with firmware before your manufacturing process takes place.

And as we’ve seen, it’s crucial to protect your own systems from cyberattacks—which means ensuring the security of key communications channels like email.

4. Downstream software or hardware security vulnerabilities

It’s vital to protect data against access by other parties in your supply chain. But even if you could trust your supply chain partners not to steal your data, you must also ensure that they don’t make it accessible to unauthorized third parties.

No matter how much work you put into protecting your own systems from unauthorized access, your efforts could be rendered futile due to software or hardware vulnerabilities among other parties downstream.

5. Legal non-compliance

In addition to maintaining poor cybersecurity practices that directly impact your own organization’s security, third parties in the supply chain may follow poor information security practices for which you could be liable.

Case study: third-party legal non-compliance

In 2019 a U.K. pharmaceuticals company was fined after a third-party contractor left documents containing personal information publicly accessible in unsecured containers.

Under the GDPR, “data controllers” are responsible for many of the actions of their service providers.
As such, the pharmaceuticals company was deemed liable for the error. The firm received a fine and engaged in a drawn-out legal battle with the U.K.’s data regulator.

Mitigating poor security practices among third parties

Research is crucial to ensure you’re working with reputable third parties that will undertake compliant and responsible data protection practices. Contracts stipulating particular security measures are also important. Such agreements can also contain contractual clauses that serve to indemnify your company against legal violations by the other party.

Under some data protection laws, including the GDPR and the upcoming Colorado Privacy Act, service providers processing personal information on another company’s behalf are required to submit to audits and inspections. Routinely inspecting the data security practices of your vendors and other service providers is an excellent way to ensure they are meeting their compliance obligations on your behalf.

How to prevent manufacturing supply chain risks

In general, manufacturers can manage cyber risks in supply chains via a robust and comprehensive cybersecurity program. Here are some key cybersecurity principles for supply chain management from the National Institute of Standards and Technology (NIST):

- Assume your systems will be breached. This means considering not only how to defend against breaches, but determining how you will mitigate breaches once they have occurred.
- Think beyond technology. Cybersecurity is also about people, processes, and knowledge.
- Cybersecurity also means physical security. Threat actors can use physical security vulnerabilities to launch cyberattacks.

Implementing a cybersecurity framework is key to defending against supply chain threats. Manufacturers of any size can work towards cybersecurity framework compliance, implementing controls according to their resources and priorities.
The NIST Cybersecurity Framework Manufacturing Profile (NISTIR 8183 Revision 1) is an excellent starting point for manufacturers. For more information about the NIST framework, read our article on NIST and email security.

More specifically, manufacturers should be taking the following steps to protect their data and systems in supply chains:

- Identify and document all supply chain members
- Conduct careful due diligence on parties in the supply chain
- Require supply chain partners to contractually agree to maintain good cybersecurity and data protection practices
- Ensure inbound communications (particularly via email) are scanned for signs of phishing and other social engineering attacks
- Scan outbound communications to prevent data loss
- Ensure all employees are aware of the risks and their responsibilities

Email is a key supply chain vulnerability

Of all the risks inherent to working in a supply chain, cyberattacks are perhaps the most critical in the current climate.

As ENISA notes, most supply chain attacks use malware to target company data. We also know that 96% of phishing attacks—which are the primary means of infecting business networks with malware—take place via email. The bottom line: email security is a crucial step for manufacturers to defend against supply chain cyber risks.
Read Blog Post
Advanced Email Threats
Phishing vs Spear Phishing: Phishing and Spear Phishing Examples
Monday, August 23rd, 2021
Phishing and spear phishing are both “social engineering” cyberattacks. In both types of attacks, a cybercriminal impersonates a trustworthy person and tricks their target into revealing login credentials, installing malware, or making a wire transfer.
Think of it this way: Phishing is like catching fish using a line — you cast your rod into the water and see what bites.  With spear phishing, you choose the fish you want and aim the spear right at it. This distinction is a crucial one, affecting how you detect, mitigate, and prevent both types of attacks.
What is phishing?

As we explained in our article “What Is Phishing?,” the term “phishing” can mean two things:

- An umbrella term covering many types of cyberattacks
- A specific type of cyberattack: an untargeted social engineering attack, conducted via email

In the first instance, “phishing” can refer to cyberattacks including:

- Business Email Compromise: A phishing attack utilizing an impersonated, spoofed, or hacked business email address
- Wire transfer phishing: A phishing attack that attempts to trick the target into making a fraudulent transfer to the attacker
- Smishing: Phishing via SMS
- Vishing: Phishing via voice, e.g., phone or VoIP software

In the second, specific sense, phishing means a social engineering attack (conducted via email) with no specific target. We sometimes call this “spray-and-pray” phishing. The cybercriminal sends as many emails as they can in the hope that someone falls for their scam. But don’t be fooled: phishing attacks aren’t necessarily amateurish operations.

What is spear phishing?

Spear phishing is a targeted phishing attack. The target receives an email that addresses them directly — by name.

Any type of targeted phishing attack is a “spear phishing” attack, including:

- Whaling: A spear phishing attack targeting a company executive
- CEO fraud: A spear phishing attack where the fraudster impersonates a company’s CEO and targets another of the company’s employees.

But spear phishing is broader than this: if a Business Email Compromise attack, wire transfer phishing attack — or any other type of phishing attack — targets a specific individual, it’s a spear phishing attack.

Looking for more information about spear phishing? Check out this article: What is Spear Phishing? Targeted Phishing Attacks Explained.
Phishing vs. spear phishing examples

Now we’re going to look at some phishing attacks and spear phishing attacks side-by-side so you can understand the differences. The two emails below demonstrate the essential difference between phishing and spear phishing:
This is an example of a “bulk” phishing email. It doesn’t address the target by name and doesn’t contain any personal information. But, because it appears to come from a trusted brand (Netflix) someone is likely to click the link.
This is an example of a spear phishing email: CEO fraud, to be precise. The attacker has exploited a professional relationship to elicit feelings of urgency and trust — the CEO urgently needs a favor and requests an employee to pay an invoice to an unknown account. But the “CEO” is a cybercriminal who controls the “new account.”

These examples should help you better understand the difference between phishing and spear phishing:

- Phishing succeeds by sheer volume: send a fraudulent email out to enough people and someone will fall for it eventually.
- Spear phishing succeeds through more sophisticated methods: send one fraudulent email containing personal information to a specific individual.

Looking for more resources?

We explore phishing, spear phishing, and other social engineering attacks in greater detail in the following articles:

- Phishing 101: What is Phishing?
- What is Spear Phishing? Targeted Phishing Attacks Explained
- Spear Phishing Examples: Real Examples of Email Attacks
- How to Hack a Human: How Attackers Use Social Media to Craft Targeted Spear Phishing Campaigns
Read Blog Post
Advanced Email Threats
How Does Tessian Help Prevent Ransomware Attacks?
by Negin Aminian Wednesday, August 18th, 2021
Before we dig into how Tessian can help prevent ransomware attacks, let’s first define what exactly ransomware is, and explain the scope of the problem.

What is ransomware?

Ransomware is a type of malware that threatens to publish a victim’s data (or perpetually block access to it) unless a ransom is paid. Most ransomware variants have multiple attack vectors, and often the ransomware (and other malware) is distributed using email spam campaigns or through targeted attacks. For example, a phishing email may contain a link to a website hosting a malicious download or an attachment. If the email recipient falls for the phish, then the ransomware is downloaded and executed on their computer.

After a successful ransomware attack, security professionals and business executives are faced with conflicting options. Paying the ransom encourages future attacks. Yet the recovery could be far more costly than the original demand.

You can learn more about what ransomware is in this article: What is Ransomware? How is it Delivered?

How big of a problem is ransomware?

In a word: BIG. You can’t go a day without seeing a headline related to ransomware. That’s because ransomware continues to evolve and can halt businesses, slow down productivity, and destroy an organization’s reputation overnight. These types of attacks are often subtle and highly effective, using social engineering attacks until users are tricked into clicking a phishing link or opening a file attachment. Worse still, the majority of organizations are unable to prevent ransomware early in the email cyberattack kill chain and remain vulnerable against these highly sophisticated attacks. Why? Because legacy solutions don’t effectively detect and prevent this type of threat, and there can be multiple threat vectors attacking a single organization in several different ways. The chances of success (for the hacker) are high. Want to see examples of email cyber attack kill chains for ransomware?
Download our Solution Brief.

To paint a clearer picture of the impact, check out these stats:

- A new organization will fall victim to ransomware every 14 seconds in 2019, and every 11 seconds by 2021
- Ransomware damage costs will rise to $20 billion by 2021 and a business will fall victim to a ransomware attack every 11 seconds at that time
- The ransomware attack on Universal Health Services (UHS) cost them $67 million. (This is mostly due to the operational problems post attack — diverting patients to competing facilities for urgent care.)

If you’re looking for real-world examples of ransomware attacks, we share seven here: 7 (Recent) Examples of Ransomware Attacks.

How does Tessian help prevent ransomware?

Unlike legacy solutions, Tessian Defender is powered by machine learning and automatically detects and prevents advanced forms of phishing attacks – including those that deliver ransomware – by default. Importantly, this happens early in the kill chain to prevent credential theft, lateral movement, exfiltration, and more. In addition to detecting and preventing threats, Tessian also provides in-the-moment training to help employees identify malicious emails, and nudge them towards safer behavior.

Solution highlights include:

Threat detection

Tessian’s algorithms continuously analyze and learn from email communications across its global network to build profiles and models of companies and their employees, to understand what their normal email communication looks like. This helps catch even the most advanced forms of phishing attacks that could lead to ransomware. Learn more about Tessian’s technology here.

Rapid remediation

Real-time alerts of inbound email threats to dedicated mailboxes. Explainable machine learning helps SOC teams understand quickly why an email has been classified as malicious.
By aggregating similar events and grouping emails from the same compromised account, Tessian allows administrators to clawback/delete multiple events with a single click. Learn more about Tessian’s robust remediation tools here.

In-the-moment training

Non-disruptive in-the-moment training and awareness is provided to employees through contextualized, easy-to-understand warning messages that continually drive them towards secure behavior. Learn more about Tessian in-the-moment warnings here.

Flexible deployment and seamless integrations

Defender deploys in minutes and automatically prevents data breaches through email within 24 hours of deployment, across all devices, desktop and mobile. Learn more about Tessian’s integrations, compatibility, and partnerships here and see what customers have to say about deployment here.
Read Blog Post
Compliance, Advanced Email Threats
Where Does Email Security Fit Into the MITRE ATT&CK Framework?
Friday, August 13th, 2021
If you’re aiming to achieve compliance with the MITRE ATT&CK Framework, email security will be among your top priorities. Why? Because securing your organization’s email is critical to detect, mitigate, and defend against some of the most widespread and harmful online threats.

In this article, we’ll offer a brief overview of the MITRE ATT&CK framework, then consider which attack techniques you can mitigate by improving your organization’s email security.

MITRE ATT&CK Framework 101

Here’s a brief introduction to the MITRE ATT&CK framework. Outlining the framework is important as it’ll help you see how its components tie in with your email security program. But feel free to skip ahead if you already know the basics.

ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. The ATT&CK framework has three iterations—ATT&CK for Enterprise, ATT&CK for Mobile, and Pre-ATT&CK.

We’re focusing on ATT&CK for Enterprise, covering threats to Windows, macOS, Linux, AWS, GCP, Azure, Azure AD, Office 365, SaaS, and Network environments. You can check out the Mobile Matrices here, and the PRE Matrix here.

MITRE ATT&CK tactics, techniques, sub-techniques, and mitigations

At the core of the framework is the ATT&CK matrix—a set of “Tactics” and corresponding “Techniques” used by “Adversaries” (threat actors).

The ATT&CK for Enterprise matrix includes 14 Tactics:

- TA0043: Reconnaissance
- TA0042: Resource Development
- TA0001: Initial Access
- TA0002: Execution
- TA0003: Persistence
- TA0004: Privilege Escalation
- TA0005: Defense Evasion
- TA0006: Credential Access
- TA0007: Discovery
- TA0008: Lateral Movement
- TA0009: Collection
- TA0011: Command and Control
- TA0010: Exfiltration
- TA0040: Impact

Think of these Tactics as the Adversary’s main objectives.
For example, under the “Collection” Tactic (TA0009), the adversary is “trying to gather data of interest to their goal.” If you want to learn more about these tactics, or see a full list of the Techniques, Sub-Techniques, and Mitigations we mention below, click here.

A set of Techniques and sometimes “Sub-Techniques” is associated with each Tactic. Techniques are the methods an Adversary uses to achieve their tactical objectives. Sub-Techniques are variations on certain Techniques. We won’t list all the MITRE ATT&CK Techniques here, but we’ll identify some relevant to email security in just a second.

But first (and finally) there are “Mitigations”—methods of preventing or defending against adversaries. Examples of Mitigations include M1041: “Encrypt Sensitive Information,” and M1027: “Password Policies.”

Back to email security…

MITRE and Email Security

Now we’ll identify the MITRE ATT&CK framework Tactics and Techniques that are relevant to email security specifically. We’ll consider MITRE’s recommended Mitigations and look at how you can align your email security program to meet the framework’s requirements.

Technique T1566: Phishing

“Phishing” is a MITRE ATT&CK Technique associated with the “Initial Access” Tactic (TA0001). As you’ll probably know, phishing is a type of social engineering attack—usually conducted via email—where an adversary impersonates a trusted person or brand and attempts to trick their target into divulging information, downloading malware, or transferring money.

The MITRE ATT&CK framework identifies both targeted phishing attacks (a technique known as “spear phishing”) and more general phishing attacks (conducted in bulk via spam emails). Now let’s look at the three Sub-Techniques associated with the Phishing Technique.

📎 T1566.001: Spearphishing Attachment

Sub-Technique T1566.001 involves sending a spear phishing email with a malicious attachment.
The attachment is malware, such as a virus, spyware, or ransomware file that enables the adversary to harm or gain control of the target device or system.

A spear phishing attachment is usually disguised as a harmless Office, PDF, or ZIP file, and legacy email security software and spam filters can struggle to determine whether an attachment is malicious.

The spear phishing email itself will usually try to persuade the target to open the file. The Adversary may impersonate a trusted person and can even provide the target with instructions on opening the file that will bypass system protections. For more information about malicious email attachments, read What is a Malicious Payload?

🔗 T1566.002: Spearphishing Link

Alternatively to using a malicious attachment, a spear phishing email can include a link that leads to a malicious site such as a fraudulent account login page or a webpage that hosts a malicious download.

Like with the “Spearphishing Attachment” Sub-Technique, the “Spearphishing Link” Sub-Technique will normally employ social engineering methods—this time as a way to persuade the target to click the malicious link.

For example, the spear phishing email may be disguised as a “security alert” email from Microsoft, urging the target to log into their account. Upon following the link and “logging in,” the target’s login credentials will be sent to the adversary.

We’ve written in detail about this type of attack in our article What is Credential Phishing?

📱 T1566.003: Spearphishing via Service

The “Spearphishing via Service” Sub-Technique uses platforms other than email to initiate a spearphishing attack—for example, a LinkedIn job post or WhatsApp message.

This Sub-Technique is not directly related to email security—but email security is still relevant here. For example, if an Adversary is able to establish rapport with their target via social media, then they might follow up with a spear phishing email.
❌ Phishing Detection and Mitigation

Now let’s look at which Mitigations MITRE recommends for dealing with the Phishing Technique and its three associated Sub-Techniques:

- M1049: Antivirus/Antimalware — Quarantine suspicious files arriving via email.
- M1031: Network Intrusion Prevention — Monitor inbound email traffic for malicious attachments and links.
- M1021: Restrict Web-Based Content — Block access to web-based content and file types that are not necessary for business activity.
- M1054: Software Configuration — Use anti-spoofing methods to detect invalid Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) signatures.
- M1017: User Training — Educate employees to help them detect signs of a phishing attack.

Note: None of MITRE’s recommended Phishing Mitigations is sufficient on its own.

Antivirus Software, for example, can quarantine malicious files but is less likely to detect suspicious links. User Training helps embed a security-focused workplace culture—but you can’t expect employees to recognize sophisticated social engineering scenarios.

To prevent phishing attacks, it’s vital security leaders take a layered approach, including training, policies, and technology. Your best bet when it comes to technology? A next-gen email security solution that can automatically scan internal and external email communication for signs of malicious activity based on historical analysis.

Email security software can use several methods of detecting phishing attacks. Older solutions rely on techniques such as labeling and filtering—an administrator manually inputs the domain names, file types, and subject lines that the software should block.

Tessian is a modern email security solution driven by machine learning. As well as monitoring inbound emails for signs of phishing, the software scans your employees’ email activity to learn how they “normally” act, and flags suspicious behavior.
This intelligent, context-driven approach means Tessian will allow your employees to work uninterrupted, access the legitimate files and links they need—while being alerted to anomalous and suspicious email content.
These in-the-moment warnings help reinforce training, and nudge employees towards safer behavior over time. Download the Tessian Platform Overview to learn more.

Technique T1534: Internal Spearphishing

The “Internal Spearphishing” Technique is associated with the “Lateral Movement” Tactic (TA0008) and is distinct from the “Phishing” Technique.

Internal Spearphishing takes place once an adversary has already penetrated your system or account. The adversary leverages existing account access to conduct an internal spear phishing campaign.

Internal Spearphishing is particularly damaging because the emails come from a genuine (albeit compromised) account. This makes them virtually impossible to spot, and therefore very persuasive.

Internal Spearphishing Detection and Mitigations

MITRE notes that detecting an Internal Spearphishing attack (also known as Account Takeover) can be difficult. There are no mitigations associated with the “Internal Spearphishing” Technique in the MITRE ATT&CK framework.

According to MITRE, the main difficulty associated with detecting and mitigating Internal Spearphishing attacks is that “network intrusion detection systems do not usually scan internal email.”

The main hallmarks of a spear phishing email—such as email impersonation or spoofing—are not present once an adversary has successfully compromised an internal email account. This means legacy email security software may be unable to detect Internal Spearphishing attacks.

However, an AI-driven email security solution such as Tessian can scan internal email and will pick up on small inconsistencies in the sender’s email behavior and communication patterns.

If a sender is communicating outside of their normal internal networks or writing in an uncharacteristic style, Tessian can flag this unusual behavior and notify the recipient of any suspicious emails.

Learn more about how Tessian Defender defends against internal spear phishing.
Technique T1598: Phishing for Information

T1598: Phishing for Information is a MITRE ATT&CK Technique associated with the “Reconnaissance” Tactic (TA0043). While Phishing involves an attempt to penetrate an organization’s defenses, Phishing for Information is a way to gather information about the target for use in an attack.

As such, Phishing for Information may occur via email—or via other communications channels, such as instant messaging applications or social media.

Phishing for Information Detection and Mitigations

To detect Phishing for Information, MITRE suggests monitoring for suspicious email activity. Email security software can monitor signs of a phishing attack, including DKIM misconfiguration, suspicious language, or erratic communication methods.

But legacy email security programs can only detect the more obvious indicators of phishing. On the other hand, Tessian is uniquely equipped to identify the subtle but distinctive signs that a sender is not who they say they are.

Tessian Defender uses machine learning (ML), anomaly detection, behavioral analysis, and natural language processing (NLP) to detect a variety of suspicious signals:

- Unusual sender characteristics: This includes anomalous geophysical locations, IP addresses, email clients, and reply-to addresses
- Anomalous email sending patterns: Based on historical email analysis, Tessian can identify unusual recipients, unusual send times, and emails sent to an unusual number of recipients
- Malicious payloads: Tessian uses URL match patterns to spot suspicious URLs and ML to identify red flags indicative of suspicious attachments
- Deep content inspection: Looking at the email content – for example, language that conveys suspicious intent – Tessian can detect zero-payload attacks, too

Leveraging email security for MITRE ATT&CK framework compliance

We’ve seen how email security is a major factor in meeting the MITRE ATT&CK framework requirements.
To recap, Tessian can serve as a key Mitigation in respect of the following Techniques and Sub-Techniques:

- T1566: Phishing
- T1566.001: Spearphishing Attachment
- T1566.002: Spearphishing Link
- T1566.003: Spearphishing via Service
- T1534: Internal Spearphishing
- T1598: Phishing for Information

Learn more about how Tessian can transform your organization’s cybersecurity program.
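As an added illustration (not Tessian’s or MITRE’s code), the Python sketch below shows what the M1054 anti-spoofing check and three of the sender-anomaly signals listed under Phishing for Information look like when applied to raw message headers: it reads SPF and DKIM verdicts (plus DMARC, an addition here) from Authentication-Results, compares the Reply-To domain with the From domain, and checks recipients and send hour against a per-sender history. The domains, addresses, dates and the baseline are all constructed for the example.

```python
"""Inbound email header triage: M1054-style authentication verdicts plus
reply-to mismatch, unusual-recipient and unusual-send-time signals.
Illustrative only; all sample data below is constructed."""
import re
from datetime import timezone
from email import message_from_string
from email.utils import getaddresses, parseaddr, parsedate_to_datetime

# Constructed history for one external sender: the internal addresses they
# normally write to and the UTC hours they normally send at. A real deployment
# would derive this from mail logs rather than hard-code it.
BASELINE = {
    "alice@vendor.example": {
        "recipients": {"ops@corp.example", "ap@corp.example"},
        "hours": set(range(8, 18)),
    },
}

# Matches "spf=pass", "dkim=fail", "dmarc=none" etc. in Authentication-Results.
AUTH_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|softfail|none|neutral|temperror|permerror)\b",
    re.IGNORECASE,
)


def parse_auth_results(msg):
    """Return {mechanism: verdict} collected from every Authentication-Results header."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for mechanism, verdict in AUTH_RE.findall(header):
            verdicts[mechanism.lower()] = verdict.lower()
    return verdicts


def domain_of(address):
    """Lower-cased domain part of a header address ('' if there is none)."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def triage(raw_message):
    """Return a list of human-readable flags; an empty list means nothing unusual."""
    msg = message_from_string(raw_message)
    flags = []
    # M1054: anything other than an explicit pass deserves a look.
    auth = parse_auth_results(msg)
    for mechanism in ("spf", "dkim", "dmarc"):
        verdict = auth.get(mechanism, "missing")
        if verdict != "pass":
            flags.append(f"{mechanism}={verdict}")
    # A Reply-To on a different domain than From redirects the conversation.
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) != domain_of(sender):
        flags.append("reply-to domain differs from From domain")
    # Behavioural signals need history; without it, say so rather than guess.
    profile = BASELINE.get(sender)
    if profile is None:
        flags.append("no history for sender")
        return flags
    recipients = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []))}
    unusual = recipients - profile["recipients"]
    if unusual:
        flags.append("unusual recipients: " + ", ".join(sorted(unusual)))
    date_header = msg.get("Date")
    if date_header:
        hour = parsedate_to_datetime(date_header).astimezone(timezone.utc).hour
        if hour not in profile["hours"]:
            flags.append(f"unusual send hour {hour:02d}:00 UTC")
    return flags


# Two constructed messages: a routine one and one carrying several red flags.
LEGIT = """\
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=vendor.example; dkim=pass header.d=vendor.example; dmarc=pass
From: Alice <alice@vendor.example>
To: ops@corp.example
Date: Mon, 09 Aug 2021 10:15:00 +0000
Subject: Q3 delivery schedule

Schedule attached as discussed.
"""

SUSPICIOUS = """\
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=vendor.example; dkim=fail header.d=vendor.example
From: Alice <alice@vendor.example>
Reply-To: alice.vendor@freemail.example
To: cfo@corp.example, ap@corp.example
Date: Mon, 09 Aug 2021 02:15:00 +0000
Subject: Urgent: updated bank details for invoice 4471

Please process against the new account before noon.
"""
```

Running `triage(LEGIT)` returns an empty list, while `triage(SUSPICIOUS)` returns five flags (failed DKIM, missing DMARC, reply-to mismatch, an unusual recipient and an off-hours send), which is the kind of combined evidence a reviewer would want surfaced rather than any single indicator.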
Read Blog Post