Business Email Compromise (BEC) has become one of the most popular tactics deployed by fraudsters in recent years. A step up from the numerous but low-quality spam campaigns that clog most inboxes on a daily basis, BEC attacks involve a planned attack on a specific target, aided by the impersonation of a trusted contact.
The most commonly seen tactic is to take on the guise of the CEO and use their authority to trick a finance department into transferring funds, while variations include impersonating suppliers and business partners, and going after sensitive data rather than direct payment. In its most recent report, the FBI estimated that financial losses from these attacks are more than $5.3bn since October 2013.
Although highly successful, most of these attacks use the same handful of tricks to fool their targets. In order to get a better understanding of their tactics, I set about purposefully baiting some scammers to see what I could get them to reveal.
Finding a scammer
The first challenge was to find a scammer. As luck would have it, I didn’t have long to wait, as we soon had one try to target our company. The would-be fraudster had chosen to impersonate our founder, without apparently realising they were trying to launch an email attack on an email security company. It was quickly apparent we had an imposter, as the email came from firstname.lastname@example.org and was sent from a smartphone I know our founder doesn’t use.
The email was aimed at our financial controller, so I took the opportunity to take over the conversation and ask what they needed. They quickly responded with a request for an urgent wire transfer of $44,960, and provided the payment details. In a further stroke of luck, I knew the fraud officer at the bank they were using, and decided to contact him to help look into it, and at the same time turned the Gmail address over to Google.
While I stalled the culprit, the bank and Google worked to shut down his accounts. Better yet, they found multiple other accounts associated with those and shut them all down too. We later learned criminals tend to reuse their bank accounts and email addresses, so our first takedown effort likely spoiled several ongoing scams.
O scammers, where art thou?
After this initial case, I expanded the project with the aid of our email monitoring solution, which tracks 10 billion emails on a daily basis and identifies millions of malicious fakes. We only have access to metadata rather than content, and I couldn’t simply borrow a keyboard to reply this time. Instead, I borrowed from the scammers’ playbook and did some impersonation of my own. Using LinkedIn I was quickly able to find all the details I needed to create convincing identities, and, armed with a free Gmail account using the same names, I was able to contact and easily fool the scammers I selected.
I eventually went through this song and dance 20 times, with each fraudster relying on the same basic moves. By the end, all of them had at least one email and bank account submitted to the authorities. In some cases, I was able to trick the same scammer into giving up multiple accounts by pretending there had been a problem.
Looking over my intel and putting pins on a map, I found the scammers were based all over the world, but with hotspots in Nigeria, Romania, and South Africa. All of the email servers, however, were located in the United States, in an attempt to make the email more trustworthy: emails from Nigeria and other locations known to be cybercrime hotbeds are more likely to trigger spam filters. The majority of the banks used for the wire transfers were in the US as well. The non-US examples were European banks used in scams targeting companies based in Europe, as again a request from the same location is immediately less suspicious.
What can we learn?
While this kind of counteraction is all well and good for an email security expert, the average worker doesn’t have the time to foil email fraud attempts in the midst of their day job. Indeed, most won’t notice the tell-tale signs of a scammer until it becomes apparent thousands of dollars are missing. Due to the number of different tactics deployed in email scams, I’d recommend against trying to train employees to detect them. However, staff should be well-trained in best practice around operations such as transferring funds and sensitive data. Payments should never be authorised solely via email, and other sensitive data should be encrypted, with the password sent over another channel such as SMS or over the phone.
Overall, the best way to guard against these malicious emails is to stop them from reaching employees in the first place. Unfortunately, most companies still rely on traditional spam filters and antivirus solutions. As BEC attacks don’t use links or attachments, and a well-crafted message is identical to a legitimate one, there is nothing for these solutions to detect. Likewise, because they look for known signs of behaviour, such defences are forever a step behind as the criminals continually update their strategies.
How can users be protected from fraudulent emails?
Instead of looking for signs of malicious activity, defences should be built around identifying good behaviour. With the aid of machine learning, it is possible to analyse millions of legitimate emails to build a model of what real, genuine user behaviour should look like. Once a model has been established, potentially malicious activity which deviates from the pattern can be identified – even if the criminals are using new tactics.
Each email can then be analysed for anomalies that don’t fit the model, such as a mismatched sender name and identity. Anything that passes the test can be considered trusted and directed to the recipient’s inbox, while anything else will undergo additional scrutiny to detect further signs of digital impersonation.
If evidence of malicious activity is discovered, the email can be reported to the authorities or simply quarantined as the organisation desires. This doesn’t have to be a black and white solution either, and it’s possible to implement customised rules that will perform actions such as flagging an email as potentially suspicious. For example, an email may share the same name as the CEO without actually being a malicious attempt at impersonating them, and such emails could be set to display an extra warning that this contact is a stranger.
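One way to implement the tiered model described above, as an added illustrative example that is not Agari’s product nor the article’s own code: a directory of known-good sender identities stands in for the learned behaviour model, a name match with an unknown address triggers extra scrutiny, and the outcome is deliver, warn (“this contact is a stranger”) or quarantine. The identity directory, domains and sample headers are all constructed for the demo.

```python
from email import message_from_string
from email.utils import parseaddr
import unicodedata

# Constructed model of "good behaviour": addresses legitimate mail from each protected name has used.
KNOWN_GOOD = {
    "jane founder": {"jane.founder@example.com"},
}

def _norm(name: str) -> str:
    """Lower-case and strip accents/dots so display-name variants still match."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(text.lower().replace(".", " ").split())

def _local_part_mimics(name: str, address: str) -> bool:
    """True when the local part is built from the protected name (firstname.lastname@...)."""
    local = address.split("@", 1)[0].lower()
    tokens = [t for t in _norm(name).split() if len(t) > 1]
    return len(tokens) >= 2 and all(t in local for t in tokens)

def triage(raw: str) -> tuple:
    """Classify one raw message as ('deliver' | 'warn' | 'quarantine', reason)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr, key = addr.lower(), _norm(name)
    if key not in KNOWN_GOOD:
        return "deliver", "sender does not claim a protected identity"
    if addr in KNOWN_GOOD[key]:
        return "deliver", "sender matches a known-good identity"
    # Protected name with an unknown address: the anomaly the article describes.
    # Extra scrutiny decides between a stranger warning and quarantine.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        return "quarantine", "protected name with mismatched Reply-To"
    if _local_part_mimics(name, addr):
        return "quarantine", "protected name mimicked in the address local part"
    return "warn", "shares a protected name but this contact is a stranger"

SAMPLES = {  # constructed headers for the demo, not real mail
    "legit": "From: Jane Founder <jane.founder@example.com>\n\nCall me when free.",
    "namesake": "From: Jane Founder <jfounder@partner.example>\n\nHello from a new vendor.",
    "mimic": "From: Jane Founder <jane.founder@freemail.example>\n\nAre you at your desk?",
    "replyto": "From: Jane Founder <office@freemail.example>\nReply-To: ap@other.example\n\nPing.",
    "outsider": "From: Sam Vendor <sam@vendor.example>\n\nInvoice attached.",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:9s} -> {triage(raw)}")
```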
While the majority of companies still rely on traditional signature-based security and spam-filtering measures for their email, opportunistic criminals will continue to use BEC attacks, confident their victims will never notice the difference. Although we have a good understanding of the tactics used by scammers, they will continue to score hit after hit unless organisations equip themselves to prevent the emails from reaching their victims at all.
John Wilson, Field CTO, Agari