BEC scams: How to avoid them and how to fight back

Phishing and spear-phishing emails are a constant threat to all users, but enterprises are positively inundated with them.

“Most businesses will use a spam filter and anti-virus solutions, but unfortunately these cannot prevent all forms of email identity deception or stop social engineering attacks. The spam filter will stop malicious email if there is a payload, but targeted attacks generally do not have a link or file attachment to set off any alarm bells,” says John Wilson, Field CTO for Agari, a cybersecurity company that offers protection against advanced email phishing attacks.

“Ensuring your employees have anti-phishing training is good practice, but because there are so many different forms the deception might take, it’s best to have an email security solution specifically designed to detect digital impersonation,” he notes. “After all, you cannot expect every employee in your company to spend several minutes per email examining headers in order to determine if the message is authentic.”

Detecting BEC scams

Business Email Compromise (BEC) scams can be particularly devastating for companies and offer huge rewards to the scammers, so it’s no wonder that more and more criminals are trying out this approach.

“The attacker will have researched their target and already knows their victim’s email address and job title, generally targeting senior people at an organization who are authorized to release payments,” Wilson explains.

“The attacker may simply spoof the real executive’s email address, which is trivial to do when the victim company hasn’t implemented a standard known as DMARC to prevent this sort of spoofing. In these cases, the attacker will use a different Reply-To: address, so that replies will go back to the attacker’s mailbox. Some attackers will set up a similar looking email address, such as pa1adium.co.uk instead of paladium.co.uk. Easy as either of these schemes are, most attackers take a much more simplistic approach: They simply create a free webmail account such as ceoemail123@gmail.com and set their display name to match the executive they wish to impersonate. After all, who even bothers to look at the email address these days?”

Aside from implementing an email validation policy such as DMARC, which will protect the organization but also its customers and partners from being deceived by somebody posing as one of its employees, companies would do well to use a solution designed to prevent targeted email attacks.

“By examining the identity of the sender rather than looking for specific signals in the email content that resemble previously seen attacks, it is possible to catch attacks that traditional content-scanning solutions miss,” he says.

Traditional security measures fall short of detecting these type of deceptive emails because they work by looking for known signs of bad behaviour instead for good behaviour.

“Aided by machine learning, it is possible to analyze emails to build a model of what good, legitimate user behaviour should look like and identify malicious activity which deviates from this pattern,” he explains.

Among the unusual but incomplete solutions he saw deployed to stop this type of emails are custom rules on company email gateways to block any message purporting to come from one of the company’s executives.

“Unfortunately, these are usually easy to circumvent by simply replacing an English character with a Cyrillic character that is visually similar. False positives can be a problem as well, for example, when your CEO forwards an Uber receipt from her personal account to her assistant,” Wilson points out.

“Finally, these custom rules only deal with one particular type of Business Email Compromise. What if the attacker poses as a vendor instead, and sends your accounting team an invoice with the correct amount, purchase order number, and date of service but with different wire instructions?”

As an endmost solution to stop scammers getting the money, he advises firms to not rely on a single channel (e.g. email) to authorize monetary transactions. He also says that if it is necessary to send sensitive information to someone via email, the sender should ensure the data is encrypted, and the password should be communicated via a second channel (e.g. via telephone or text message).

Scamming the scammers

Companies might not want to be just sitting ducks for scammers, and might want to do their part to actively frustrate and discourage them and other potential ones.

Wilson says that a simple way to fight back is to scam the scammers by creating a new email address to communicate with the scammer, and try to get useful information out of them.

“Just as they expect with their victims, they are unlikely to notice a response coming from a different email account if it is using the same name. Often the scam emails are sent via proxy servers which can make it difficult to know where they are originally sent from. Eventually many scammers will let down their guard, enabling us to identify their true location. These scams are global; however, we’ve identified hotspots of activity in Nigeria, South Africa and Romania,” he shared.

“Once we have communication with the scammer and they have provided the bank account details which the money is to be released into, we can contact the fraud team at the recipient bank and get the account shut down. Turning the tables using the scammer’s tactics has been so effective that we have had a 100 percent success rate when responding via email.”