Combating the New Scam - Business Email Compromise
Business Email Compromise (BEC), also known as CEO fraud or whaling, can be costly, both to the businesses affected and to employees who are unfortunate enough to comply unwittingly with scammers and press ‘send’. The FBI reports losses from BEC growing by almost 300 percent in the first half of 2015, and numbers reported by ZapFraud show that the problem has been in continuous and explosive growth since 2008. This sustained growth indicates how profitable the crime is, and how poorly prepared organizations are to respond to it.
BEC successfully steals both money and assets. It also damages corporate brands, since customers and employees are at risk of having their personal and private information stolen, which can eventually lead to direct attacks on further identities and assets.
BEC succeeds by establishing trust. Typically, a targeted victim receives an email from what appears to be a trusted party - commonly a colleague or a supplier - that includes a perfectly reasonable request that makes sense to the recipient. Precise timing contributes to success when the recipient already expects the contact, or an instruction to take action. Social media, breaches and other data sources give criminals specific information about victims’ activities, interests and roles, making it easy to manipulate targets, who believe they are performing routine job functions as they unwittingly respond to scammers. The same type of social engineering is commonly used by criminals to infect enterprises with malware: most people don’t hesitate to open attachments they think were sent by a colleague.
Most companies have no means to filter, detect and block social engineering attacks. BEC scams are not about Nigerian princesses or Internet lotteries, but about business as usual - and, of course, the need to transfer money or sensitive data. The persuasive power of BEC and the absence of countermeasures contribute to its surging growth. BEC emails are not blocked, recognized or reported. Spam filters typically do not catch low-volume BEC emails from senders that have no poor reputation score, and firewalls don’t protect the email channel - certainly not from emails that are undesirable simply because they are deceptive.
The most common version of the attack involves a message sent from a domain that looks deceptively similar to a trusted party’s domain. Imagine that you regularly receive invoices from an Alice Anderson, and that her email address is <firstname.lastname@example.org>. One day, you get an email from Alice containing an invoice. Would you have noticed that Alice’s email address was <email@example.com> - and that ‘organization’ was spelled in a creative way? If you did not notice, you would probably have scheduled the invoice to be paid - potentially after having replied to Alice (i.e., the new Alice) to verify that she wants to be paid by wire and not by the usual check in the mail. (And she does.)
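As an added illustration (not code from the article or from ZapFraud), the following Python checks a sender address against a constructed list of trusted contacts and flags domains that differ from a trusted domain only by a typo or a look-alike character, the kind of address the paragraph above describes; the contact list, the homoglyph table and the distance threshold are assumptions.

```python
from email.utils import parseaddr

# Constructed allowlist of trusted contacts: address -> display name (an assumption).
TRUSTED_CONTACTS = {
    "alice.anderson@example-organization.com": "Alice Anderson",
}

# Characters that pass for letters at a glance; multi-character pairs follow.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})
HOMOGLYPH_PAIRS = (("rn", "m"), ("vv", "w"))


def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_domain(domain: str) -> str:
    """Fold look-alike characters so 'examp1e.corn' compares equal to 'example.com'."""
    d = domain.lower().strip(".")
    for pair, repl in HOMOGLYPH_PAIRS:
        d = d.replace(pair, repl)
    return d.translate(HOMOGLYPHS)


def classify_sender(addr: str, trusted: dict = TRUSTED_CONTACTS, max_dist: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a bare email address."""
    addr = addr.lower()
    trusted_domains = {known.rpartition("@")[2] for known in trusted}
    raw_domain = addr.rpartition("@")[2]
    if raw_domain in trusted_domains:
        return "trusted"  # the real domain, even if a colleague we have not seen before
    domain = normalize_domain(raw_domain)
    for known_domain in trusted_domains:
        # Equal after folding, or within a couple of edits: a typosquat of a trusted domain.
        # max_dist=2 suits long domains; very short trusted domains need a smaller value.
        if levenshtein(domain, normalize_domain(known_domain)) <= max_dist:
            return "lookalike"
    return "unknown"


def classify_from_header(header: str, trusted: dict = TRUSTED_CONTACTS) -> str:
    """Classify a raw From: header such as 'Alice Anderson <alice@example.com>'."""
    _display_name, addr = parseaddr(header)
    return classify_sender(addr, trusted)
```

An exact match on the real domain passes, so this check says nothing about an account that has been taken over; it only catches the look-alike domain case.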
Even when employees are trained to carefully examine every email address upon receipt (an onerous expectation of every employee), it is not a recipe for security. A BEC target may receive an email that really is sent from Alice’s account - which the scammer has taken over, whether by phishing Alice for her email password or by tricking her into installing malware. A third approach used by scammers is spoofing the sender address. When DMARC is deployed on both the spoofed sending domain and the receiving (target) domain, this third approach cannot work, but DMARC deployment is still limited - and DMARC today does not address the full range of scammer strategies.
The actual content of the email can be revealing to a trained eye. Scammers may begin modestly, asking only for a small payment of some fifty thousand dollars. As requests generate results, scammers up the ante with confidence, incrementally asking for ever-greater amounts to be paid. Some scammers, impersonating the CEO (while he or she is on a business trip, typically), ask the CFO to wire millions of dollars for an acquisition: “This is very sensitive, so please only communicate with me through this email to avoid infringement of SEC regulations.” This worked on Scoular, which lost more than $17m about a year ago, and resembles the Ubiquiti case, in which the company paid almost three times as much. There are patterns in the BEC approach - cadence and language - that a trained eye could discern, but it is unrealistic to expect every employee to recognize such patterns.
New practices can be put in place to help address the BEC problem. One is to establish better procedures before making payments or deposits (although this would not address the problem when data theft is the goal, as Seagate and Snapchat learned firsthand). Raising employee awareness of the problem and encouraging vigilance and double-checking of unusual requests help establish best practices in email security and hygiene.
Though better practices and procedures are encouraged, ZapFraud advocates technology to assess the scope of an organization’s existing problem and evaluate its capabilities to combat threats. ZapFraud’s free evaluations examine an organization’s existing email security and filtering, and detect and report social engineering attempts, scams waiting in inboxes or on the network, and compromises that may be under way. ZapFraud filters identify hallmarks of common scammer strategies, such as an email that looks very much like it comes from a trusted contact - but does not.
Traditional security technologies fall short because they don’t adequately consider or represent the human component - that is, what things actually look like to real users. ZapFraud demonstrates that to effectively address the BEC problem, one needs computers to first “think like people” and then react to scams automatically, like a computer: concluding that an email “really is not from Alice … it just looks like it is.” Clearly, effective countermeasures to BEC require automatic identification, blocking and reporting of scams BEFORE they reach the inbox and become a temptation to any employee.
About the Author
Dr. Markus Jakobsson is CTO of ZapFraud, a company which detects business email compromise scams based on automated analysis of deceptive content and structure. A security researcher with interests in applied security, ranging from device security to user interfaces, he is one of the main contributors to the understanding of phishing and crimeware, and is currently focusing his efforts on human aspects of security and mobile security.
Edited by Peter Bernstein