Business Email Compromise (BEC), also known as CEO Fraud, is a type of spear phishing where the attacker impersonates a company executive and tries to get a customer, an employee, or a vendor to transfer funds or to provide sensitive information.
EMAIL IMPERSONATION ATTACKS
This type of attack comes in several forms: a fake invoice scam, impersonating a lawyer or an accountant, or impersonating a higher-ranking employee, namely a CEO or CFO. Usually, this is a financially motivated attack. Less frequently, it is competitor disruption or a state-sponsored attack (espionage).
For the impersonation to occur, the attackers will investigate which individuals have authority over financial transactions. The more the attackers know about a company’s structure and processes, the more effective the attack will be: there have been cases of exceptionally convincing documents.
Of all the types of phishing attacks, BEC has been growing rapidly for the past 2 years. For instance, the FBI estimated that the global cost of reported BEC incidents as of June 2016 was US$ 3.1 billion.
Once the target has been identified, the attackers need to gain access to the email account of the individual they will be impersonating. To gain such access, the attackers usually rely on malware deployed in a previous attack (with keylogging capabilities, for example). The attacker will then proceed to initiate a very convincing conversation with the victim.
Another common approach involves domain squatting: registering domains that are very similar to legitimate ones, with subtle differences (spelling mistakes, similar letter combinations). The attacker then bets on the victim not being careful enough to notice, for instance, that the email has come from CFO@greatconpany.com instead of the legitimate CFO@greatcompany.com.
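The lookalike-domain check described above, as an added example that is not part of the original article or of any AnubisNetworks product: it compares the sender domain of a From: header against a list of trusted domains, first after normalising common look-alike character substitutions and then by edit distance. The trusted domain list, the confusable pairs and the distance threshold are assumptions chosen for this example.

```python
import re

# Constructed for this example: the organisation's own domain plus a partner's.
TRUSTED_DOMAINS = {"greatcompany.com", "partnerbank.example"}

# Character sequences that read alike in common fonts. Each pair is replaced
# before comparison so that "greatcornpany" collapses to "greatcompany".
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(label):
    """Lower-case a domain and fold confusable sequences into their look-alike."""
    label = label.lower()
    for seq, replacement in CONFUSABLE_PAIRS:
        label = label.replace(seq, replacement)
    return label


def levenshtein(a, b):
    """Edit distance between two strings (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def sender_domain(from_header):
    """Extract the domain part of the address in a From: header value."""
    match = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return match.group(1).lower().rstrip(".") if match else None


def classify_sender(from_header, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (verdict, matched_trusted_domain).

    verdict is one of: "trusted"   - exact match with a trusted domain
                       "lookalike" - differs from a trusted domain only by
                                     confusable characters or a few edits
                       "unknown"   - unrelated domain
                       "unparsable"- no address found in the header
    """
    domain = sender_domain(from_header)
    if domain is None:
        return ("unparsable", None)
    if domain in trusted:
        return ("trusted", domain)
    for candidate in sorted(trusted):
        if normalize(domain) == normalize(candidate):
            return ("lookalike", candidate)
        if levenshtein(domain, candidate) <= max_distance:
            return ("lookalike", candidate)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample From: headers, including the article's greatconpany.com case.
    for header in ("CFO <CFO@greatcompany.com>", "CFO <CFO@greatconpany.com>",
                   "cfo@greatcornpany.com", "someone@example.org"):
        print(header, "->", classify_sender(header))
```

In a gateway, the "lookalike" verdict is the one to act on: a message whose sender domain is within a couple of edits of your own domain, or collapses to it after confusable folding, almost never has a legitimate reason to exist and can be quarantined or tagged for the recipient. The threshold of two edits keeps false positives low for short domains; longer domain lists may need per-domain tuning.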
EMAIL SECURITY MECHANISMS
As with everything in security, a good defense involves a strong strategy.
The most important aspect to consider is the email security of a company and making sure the organization is prepared to deal with such attacks. The best email security solutions are able to detect spoofing and typosquatting attacks, to ensure the messages are authenticated (SPF, DKIM, DMARC), and to do all this with proper email content and attachment analysis.
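The authentication step mentioned above (SPF, DKIM, DMARC), as an added example that is not part of the original article or of any AnubisNetworks product: the code parses the Authentication-Results header a receiving gateway adds, then applies the relaxed alignment rule DMARC uses to decide whether a message claiming the organisation's own From: domain is actually authenticated for that domain. The organisation domain greatcompany.com and both sample messages are constructed for this example.

```python
import email
from email.utils import parseaddr

# Assumption for this example: the organisation's own sending domain.
ORG_DOMAIN = "greatcompany.com"

# Constructed sample: a message that claims to come from the CFO, but the SPF
# and DKIM results refer to an unrelated domain, so nothing authenticates the
# From: domain. This is the trace an exact-domain spoof leaves behind.
SPOOFED_MESSAGE = """\
From: "CFO" <cfo@greatcompany.com>
To: finance@greatcompany.com
Subject: Urgent wire transfer
Authentication-Results: mx.greatcompany.com;
 spf=pass smtp.mailfrom=bounce@bulkmailer.example.net;
 dkim=pass header.d=bulkmailer.example.net

Please process the attached invoice today.
"""

# Constructed sample: a genuine internal message, where the SPF and DKIM
# results refer to the organisation's own domain (or a subdomain of it).
LEGIT_MESSAGE = """\
From: "CFO" <cfo@greatcompany.com>
To: finance@greatcompany.com
Subject: Q3 budget
Authentication-Results: mx.greatcompany.com;
 spf=pass smtp.mailfrom=greatcompany.com;
 dkim=pass header.d=mail.greatcompany.com

Budget figures attached for review.
"""


def parse_auth_results(value):
    """Parse an Authentication-Results header value into
    {method: (result, {property: value})}. The first ';'-separated element
    is the authserv-id and is skipped; header folding is removed first."""
    results = {}
    unfolded = value.replace("\r", " ").replace("\n", " ")
    for clause in [c.strip() for c in unfolded.split(";")][1:]:
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = {}
        for tok in tokens[1:]:
            if "=" in tok:
                key, val = tok.split("=", 1)
                props[key.lower()] = val.lower()
        results[method.lower()] = (result.lower(), props)
    return results


def aligned(domain, org_domain):
    """Relaxed DMARC-style alignment: the authenticated domain is the
    organisational domain itself or a subdomain of it."""
    return domain == org_domain or domain.endswith("." + org_domain)


def check_message(raw, org_domain=ORG_DOMAIN):
    """Decide whether a message whose From: domain is ours is authenticated
    for that domain. Returns the evidence and a verdict."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))

    spf_result, spf_props = auth.get("spf", ("none", {}))
    dkim_result, dkim_props = auth.get("dkim", ("none", {}))
    # smtp.mailfrom may be a full address or just a domain; keep the domain part.
    mailfrom_domain = spf_props.get("smtp.mailfrom", "").rpartition("@")[2]
    spf_ok = spf_result == "pass" and aligned(mailfrom_domain, org_domain)
    dkim_ok = dkim_result == "pass" and aligned(dkim_props.get("header.d", ""), org_domain)

    if from_domain != org_domain:
        verdict = "external"      # other domains need the lookalike check instead
    elif spf_ok or dkim_ok:
        verdict = "pass"
    else:
        verdict = "quarantine"    # claims our domain, but nothing authenticates it
    return {"from_domain": from_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "verdict": verdict}


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(name, check_message(raw))
```

The point the spoofed sample makes is that a bare "spf=pass" or "dkim=pass" is not enough: both can pass for a domain the attacker controls while the visible From: address shows yours. Only a pass whose authenticated domain aligns with the From: domain counts, which is exactly what publishing a DMARC policy asks receivers to enforce. In production this check runs on the gateway's own results rather than on a header that arrived with the message, since an inbound Authentication-Results header from outside should be stripped before evaluation.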
The organization’s mailboxes should also be protected with multi-factor authentication.
There needs to be an internal double-check or a supervisory process before sending money or data. On top of that, proper training, including teaching employees to spot phishing and running spoof tests to understand how permeable your company may be in the face of a real attack, is a necessary step to keep your business safe.
Author: Rui Serra
With degrees in Computer Engineering and Marketing, Rui started his career managing training documentation for IT Training and consulting firms. He then joined Nokia Siemens Networks as a Documentation Specialist and Project Scrum Master before joining AnubisNetworks in 2009, where he has advanced from managing documentation to Product Manager for the growing Product Portfolio.