Not All Business Email Compromise (BEC) Attacks Are The Same
Business email compromise (BEC) attacks are one of the biggest cyberthreats facing organizations today, with the FBI estimating that $26 billion has been lost to these attacks over the past 3 years. But not all BEC attacks can be painted with the same brush. Just like malware has strains that apply different techniques to bypass security controls, BEC attacks have categories that aim to cause financial loss by preying on different layers of the human psyche. The first step to spotting and preventing these attacks is to get specific about them.
In Business Email Compromise (BEC) scams, attackers claim to be a trusted entity - either internal or external - before using context, persuasion, and urgency to attempt financial theft from targeted accounts. Here’s how a BEC attack usually runs its course.
- Research: Attackers find target employees - usually in finance or accounting - and build a profile of the organization through reconnaissance and mining public data.
- Prepare: To set up the compromise, cybercriminals either spoof domains or take over the account of another employee in the target organization.
- Execute: An email is sent to request financial transactions, using persuasion and authority to gain the victim’s trust.
- Disseminate: Once the money is wired to the attacker, it is quickly transferred out into multiple accounts to eliminate traceability and retrieval.
BEC attacks are sneaking past current security controls for a variety of reasons:
- They are laser targeted: BEC attacks are not the mass-produced phishing attempts of old. Attackers harvest tons of personal information about the victim and send emails that make it sound like it’s from a trustworthy person.
- They don’t contain malicious payloads: Most BEC attacks are meant to induce human actions that lead to financial loss. These emails don’t need attachments with malware to fulfill their purpose, resulting in BEC attacks slipping past legacy security defenses.
- They avoid metadata-based detection: BEC attacks don’t have any one clear red flag that gets caught by email gateways and other traditional security layers.
- They are socially engineered: The payload, for want of a better word, within BEC emails is hidden in the tone, content, and context of the email itself.
Types of BEC
Vendor email compromise
In vendor email compromise, attackers can gain access to email accounts of third-party vendors that do business with organizations. They then silently sit and read through all the emails that flow through the vendor’s inbox, before inserting themselves into legitimate mail threads and attempting to divert organizational funds to private bank accounts. These attacks are so tough to catch because cybercriminals are willing to play the waiting game and surgically engineer the final attack to look as ‘real’ as possible.
In these attacks, cybercriminals impersonate trusted executives - like the CEO or CFO - and induce target employees to take actions that lead to compromise. These actions can range from sharing sensitive information to buying iTunes gift cards. Since these emails come from supposed authority figures, employees tend to rush and fulfill their demands without looking for telltale signs that may give the attackers away.
Payroll diversion fraud
Payroll diversion fraud is when the attacker sends an email to an organization’s payroll, HR, or finance department. This email is designed to look like it came from a legitimate employee, claiming that their direct deposit information has been updated. The email provides new bank account and routing numbers for an account that’s actually controlled by the attacker. Once the funds hit the account, they’re quickly disseminated to multiple other accounts controlled by the attacker, eliminating traceability and preventing fund recalls if and when the fraud is caught.
Broadly, criminals pose as an unfamiliar but benevolent entity and promise windfalls to victims in an attempt to steal money or private data. The benevolent entity might be a far-away prince, a recent widow, or a person with a massive inheritance. Attackers promise a huge chunk of money but ask for social security numbers, passport details, or even bank account information to handle ‘processing fees’.
There’s only so far eye tests and phishing awareness can take us with BEC attacks. Security vendors need to take a more holistic approach to analyzing email content, context, and metadata. Based on attacks we’ve witnessed recently, here’s an outline of signal categories that vendors should look at:
Identity: Email security vendors need to exhaustively analyze who users are in order to prevent impersonation and spoofing attempts. What’s the user’s name, role, and hierarchical status within the organization? What devices, browsers, and email clients do they normally use?
Behavior: Identity is a critical part of email analysis, but these signals can turn noisy if used in isolation. It’s also important to analyze what users do, create a behavior baseline, and study any anomalies from this baseline to accurately detect problems such as impersonation and payroll fraud. What’s the extent of interaction that a user has with internal and external recipients? What time of the day do they normally send most of their emails? What location and IP address do they usually login from?
Language: If cybercriminals are able to mask their identity and/or behavior, understanding the language in the email and the intent behind the email can be analysis signals that stop a pernicious attack. What’s a user’s normal writing style and are they noticeably deviating from it? Does the email have a tone of inordinate tone and urgency?
Analyzing signals across identity, behavior, and language can enable security vendors to detect BEC attacks that email gateways might let through. Armorblox has re-architected its detection policies based on specific BEC attack types, with each attack type getting triggered by a particular confluence of signals across identity, behavior, and language. Using Natural Language Understanding (NLU), deep learning, traditional ML, and statistical techniques, Armorblox has the breadth of detection techniques to accurately classify and detect the targeted attacks of today and tomorrow.