BEC Fraud; Unmasking the Fraudsters
Vivek Bhandari |@Area1Security| Area 1 Security
The worst type of fraud is one that betrays personal trust: that’s Business Email Compromise (BEC), a specific form of phishing; and it’s gaining ground as one of the most dangerous and costly cyber threats on the globe.
Recent studies, including the 2016 FBI report, put metrics to the spread of BEC:
- Losses of $5.3 billion to date through BEC fraud¹
- An increase of 2,370 percent in identified exposed losses since January 2015
- A BEC attack rate of over 80 percent — climbing towards 100 as it spreads to mid-size companies.
Even in this tech-savvy universe, a full 20 percent of targeted users actually fall for a BEC phishing attack, and then go on to do its bidding. Why do vetted users, entrusted with access to sensitive data or funds, keep falling for BEC?
The answer lies in the deviousness of phishing itself. Over 90 percent of BEC attacks begin with a phishing message — over email or social messaging. People are accustomed by now to the clumsy efforts to separate them from their money and personal data. They may be sure they can spot a scam. But that confidence, combined with trust of their own company’s brand and executives, actually sets them up for the biggest scams of all.
Phishing is not only the root cause of BEC — it is the core of the BEC strategy. Criminals may spend weeks or months studying an organization’s vendors and billing systems, the CEO’s email writing style, and even executives’ travel schedules, so they can mimic an executive credibly at just the right moment.
Exploiting human behavior and psychology
BEC phishing is effective because it relies on deeply ingrained social traits, such as eagerness to be helpful in a crisis, as well as the trust and goodwill people hold toward leaders in their organization.
So a BEC phishing email may present itself as a handshake, or, more pertinently, a hand reaching out for help. Messages often arrive when people are at their least vigilant; on a Friday, for example, or the day before a holiday. The hacker takes advantage of a moment when a person’s guard may be down, or they are in a hurry to leave the office. Playing on psychology, they are amazingly ingenious about which treacherous tricks to use.
Unlike customary scams, a BEC phishing email usually carries no attachments, malware, or payloads, and is “clean” of suspicious links or sites. This also inspires trust: after all, what danger could lurk in a simple email with no attachments or links?
Content is the key — to the bank account!
BEC message content is carefully crafted for just the right tone to reassure the target, lull any suspicions, and spur illegal action. The task might be presented as an urgent request by a traveling executive, for example.
BEC attacks leverage and manipulate trust in several ways:
- Domain spoof: An email seems to originate within the target user’s own company or partner domains that the company transacts business with.
- Name spoof: The swindler poses as a known, trusted, and powerful individual, such as the CEO or other similar executive. This not only grabs immediate attention, it commands priority. A name spoof combined with a job title spoof goes to the very front of the queue.
- Domain proximity: The company’s domain address might be registered or hosted on any number of providers, with just one or two letters slightly different. This seemingly minor detail is easily overlooked by a user intent on doing their executive’s bidding; for example, a name may be spelled “buslness.com” rather than “business.com” (note the upper case ‘l’ instead of ‘i’).
- Attributes spoof: The body or email headers are obfuscated, and can feature a copycat logo, logotype, brand name, or other recognizable identifier to win trust and make it appear safe for the target to take action.
BEC: a different sort of “animal”
Anti-spam solutions recognize and capture spam emails, swarming in like locusts. BEC phishing emails, however, are a different sort of “animal.” They are rare, low-volume, and targeted not to a mass audience, but to a single individual. Existing defenses like email gateways, web security solutions and firewalls have their use cases, but are ineffective with phishing attacks. A secure email gateway may do a fantastic job of filtering out 99 percent of spam, but with BEC, their defense tactics, such as collecting volume samples, don’t work. The damage is done the moment the BEC phish lands in an inbox.
Real-time reporting and alerting to catch phish
To defeat BEC fraud, the defense has to get ahead of the enemy. That means they need to detect and identify phishing emails on the hacker’s own doorstep, stopping them before they can land in the user’s inbox. The potential target is warned in real time by detection summaries and message forensics.
While phish are under construction, they are ideally vulnerable to detection and disablement. So Area 1 Security focuses on the earliest stages of phishing campaigns — finding, analyzing, and disabling phish across email, network, and web.
BEC may be today’s most notorious scam, but Area 1 Security’s innovative, preemptive approach shuts down phishing attacks before they reach the users, keeping funds and data secure.
But don’t take our word for it. Find out how it works. Watch the webinar or sign up for a complimentary demo and preview.
Sources:
- FBI 2016 Internet Crime Report
- The Security Ledger, September 28, 2017
