Business email compromise (BEC) attacks are among the biggest cyberthreats facing organizations today. The FBI estimates that $26 billion has been lost to these attacks over the past three years. But not all BEC attacks are the same.
Just as malware applies various techniques to bypass security controls, BEC attacks cause financial losses by preying on different layers of the human psyche. So the first step to spotting and preventing business email compromise is understanding the various forms it can take.
This article will review what BEC is, various types of BEC, and how to identify these dangerous attacks.
In BEC scams, attackers claim to be a trusted entity - either internal or external - before using context, persuasion, and urgency to steal from targeted accounts. Here’s how a BEC attack usually runs its course.
- Research: Attackers target employees - usually in finance or accounting - and build a profile of the organization through reconnaissance and mining public data.
- Prepare: To set up the compromise, cybercriminals either spoof domains or take over another employee's account in the target organization.
- Execute: The attacker sends an email requesting a financial transaction, using persuasion and authority to gain the victim's trust.
- Disseminate: Once the money is wired to the attacker, it is quickly moved through multiple accounts to make it hard to trace and recover.
BEC attacks sneak past security controls for a variety of reasons:
- They are laser targeted: BEC attacks are not the mass-produced phishing attempts of old. Instead, attackers harvest detailed personal information about the victim and craft emails that read as if they came from a trustworthy person.
- They don't contain malicious payloads: Most BEC emails carry no malicious attachment or link. They induce a human to take an action that results in financial loss, so there is nothing for an antivirus engine or sandbox to detonate.
- They avoid metadata-based detection: BEC attacks don't have any one clear red flag that gets caught by email gateways and other traditional security layers. A message sent from a compromised legitimate account, or from a freshly registered lookalike domain the attacker controls, even passes SPF, DKIM and DMARC checks.
- They are socially engineered: The payload within BEC emails is hidden in the tone, content, and context of the email itself.
Types of BEC
Vendor email compromise
In vendor email compromise, attackers gain access to the email accounts of third-party vendors that do business with the target organization. They then read through the mail flowing through the vendor's inbox before inserting themselves into legitimate threads and attempting to divert corporate funds to private bank accounts, typically by asking that an outstanding invoice be paid to "new" bank details.
These attacks are difficult to catch because cybercriminals are willing to play the waiting game and surgically engineer the final attack to look as ‘real’ as possible.
Executive impersonation
In these attacks, cybercriminals impersonate trusted executives - like the CEO or CFO - and induce target employees to take actions that lead to compromise. These actions can range from sharing sensitive information to buying iTunes gift cards. Since these emails come from supposed authority figures, employees tend to rush to fulfill the demands without looking for the telltale signs that would give the attackers away.
Payroll diversion fraud
Payroll diversion fraud is when the attacker emails an organization’s payroll, HR, or finance department. The email claims to be from an employee whose direct deposit information has been updated. The email provides new bank account and routing numbers for an account the attacker controls.
Once the funds hit the account, they are quickly dispersed to multiple other accounts controlled by the attacker, making the money hard to trace and hard to recall if and when the fraud is caught.
Advance-fee scams
Criminals pose as an unknown but benevolent entity and promise windfalls to victims in an attempt to steal money or private data. The entity might be a far-away prince, a recent widow, or a person with a massive inheritance.
Attackers promise huge sums of money but first ask for social security numbers, passport details, or even bank account information to cover "processing fees."
Eyeballing each email and phishing awareness training can only take us so far in defending against BEC attacks. Instead, security vendors need to take a holistic approach that analyzes email content, context, and metadata together. Based on attacks we've witnessed recently, here's an outline of the signal categories that vendors should look at:
Identity: Email security vendors need to exhaustively analyze users to prevent impersonation and spoofing attempts. What’s the user’s name, role, and hierarchical status within the organization? What devices, browsers, and email clients do they usually use?
Behavior: Identity is critical for email analysis, but these signals can be noisy if used in isolation. It’s also essential to analyze what users do, create a behavior baseline, and study any anomalies from this baseline to accurately detect problems such as impersonation and payroll fraud.
- To what extent does a user have interaction with internal and external recipients?
- What time of the day do they usually send most of their emails?
- What location and IP address do they usually log in from?
Language: Even if cybercriminals manage to mask their identity and/or behavior, understanding the language and intent behind the email can still reveal and stop the attack.
- What’s a user’s normal writing style, and are they noticeably deviating from it?
- Does the email have an inordinate tone of urgency?
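As an added example, not code from the original article and not Armorblox's detection engine, here is a small Python scorer that combines the three signal categories above (identity, behavior, language) over a few constructed messages that mirror the executive-impersonation, payroll-diversion and vendor scenarios described earlier. The corporate domain example.com, the executive list, the per-user behavior baseline, the keyword lists, the weights and the threshold are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple

# --- Constructed organisation profile (assumptions for this example) -------
CORP_DOMAIN = "example.com"
# Executives whose names attackers borrow, mapped to their real mailbox.
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}
# Behaviour baseline per identity: hours the person usually sends mail and
# external domains they have corresponded with before.
BASELINE = {
    "jane.doe@example.com": {"hours": range(8, 19), "external": {"acme-supplier.com"}},
}
URGENCY = re.compile(r"\b(urgent|asap|immediately|right away|confidential|before (?:eod|end of day))\b", re.I)
FINANCIAL = re.compile(r"\b(wire|transfer|invoice|gift cards?|direct deposit|routing number|bank account)\b", re.I)


@dataclass
class Email:
    display_name: str
    from_addr: str
    reply_to: str
    to_addr: str
    sent_at: datetime
    body: str


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; fine for short domain names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, target: str) -> bool:
    """True for a domain one typo or a common homoglyph swap away from the
    target (exarnple.com, examp1e.com, exampl.com), but not the target itself."""
    if domain == target:
        return False
    folded = domain.replace("rn", "m").replace("vv", "w").replace("0", "o").replace("1", "l")
    return folded == target or edit_distance(domain, target) <= 1


def analyze(mail: Email) -> Tuple[int, List[str]]:
    """Score one message. Identity signals weigh 2, behaviour and language 1."""
    hits = []
    from_dom, reply_dom = domain_of(mail.from_addr), domain_of(mail.reply_to)

    # Identity: who does the message claim to be from, and do the headers agree?
    claimed = EXECUTIVES.get(mail.display_name, mail.from_addr)
    if mail.display_name in EXECUTIVES and mail.from_addr.lower() != claimed:
        hits.append(("executive display-name impersonation", 2))
    if is_lookalike(from_dom, CORP_DOMAIN):
        hits.append(("lookalike domain", 2))
    if reply_dom != from_dom:
        hits.append(("reply-to mismatch", 2))

    # Behaviour: compare against the claimed identity's baseline, if we have one.
    profile = BASELINE.get(claimed)
    if profile:
        if mail.sent_at.hour not in profile["hours"]:
            hits.append(("sent outside usual hours", 1))
        to_dom = domain_of(mail.to_addr)
        if to_dom != CORP_DOMAIN and to_dom not in profile["external"]:
            hits.append(("new external recipient", 1))

    # Language: urgency plus a request to move money or change bank details.
    if URGENCY.search(mail.body):
        hits.append(("urgency language", 1))
    if FINANCIAL.search(mail.body):
        hits.append(("financial request", 1))
    return sum(w for _, w in hits), [r for r, _ in hits]


def is_suspicious(mail: Email, threshold: int = 3) -> bool:
    """No single signal is enough; a confluence of signals crosses the threshold."""
    return analyze(mail)[0] >= threshold


# --- Constructed sample messages --------------------------------------------
CEO_GIFT_CARD = Email("Jane Doe", "jane.doe@exarnple.com", "jane.doe@exarnple.com",
                      "accounting@example.com", datetime(2024, 3, 4, 23, 10),
                      "I need five gift cards for clients right away. Keep this confidential.")
PAYROLL_DIVERSION = Email("Bob Smith", "bob.smith@example.com", "bob.smith@mail-example.net",
                          "payroll@example.com", datetime(2024, 3, 5, 10, 0),
                          "Please update my direct deposit to the new routing number below before EOD.")
BENIGN_INTERNAL = Email("Jane Doe", "jane.doe@example.com", "jane.doe@example.com",
                        "accounting@example.com", datetime(2024, 3, 5, 14, 0),
                        "Attached are the Q3 numbers. Let me know if you have questions.")
VENDOR_INVOICE = Email("Acme Billing", "ap@acme-supplier.com", "ap@acme-supplier.com",
                       "jane.doe@example.com", datetime(2024, 3, 5, 9, 30),
                       "Invoice 4471 is attached, due in 30 days.")

if __name__ == "__main__":
    for name, m in [("CEO gift card", CEO_GIFT_CARD), ("payroll diversion", PAYROLL_DIVERSION),
                    ("benign internal", BENIGN_INTERNAL), ("vendor invoice", VENDOR_INVOICE)]:
        score, why = analyze(m)
        print(f"{name:18} score={score} flagged={is_suspicious(m)} {why}")
```

The vendor invoice trips the "financial request" keyword alone and stays below the threshold, which is the point of combining categories: the executive gift-card message is flagged because a borrowed display name, a lookalike domain, an off-hours send time and urgent money language all coincide, and the payroll change is flagged because the Reply-To header points at a domain the From header does not, on top of the request itself. A real implementation would learn the baseline from mail history rather than hard-code it, and would replace the keyword lists with the language models the article goes on to describe.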
Analyzing identity, behavior, and language signals together enables security vendors to detect BEC attacks that get past email gateways. Armorblox has re-architected its detection policies around specific BEC attack types, where each attack type is triggered by a particular confluence of signals across identity, behavior, and language.
Armorblox combines Natural Language Understanding (NLU), deep learning, traditional machine learning, and statistical techniques to classify and detect these targeted attacks, including variants not yet seen.