As many workers do today, you probably get emails from your boss asking you to perform various tasks. You may also get unusual requests under unusual circumstances—perhaps to put out a fire for a big client or to impress a potential customer. Sometimes in haste you don’t follow standard procedures. But that makes you vulnerable to phishing attempts, a form of social engineering.
Imagine working in the finance department and receiving an email from the boss that says she is traveling and needs you to immediately send $5,000 for an overdue invoice. The request is out of the ordinary. Do you ask for more details, or do you send the money as requested? If you query your superior, you may delay a legitimate business dealing, so you send the money immediately. Whoops! It was a spoofed email and did not come from your boss. The five grand went to a scam artist. This type of request—and response—is reality for many victims of business email compromise (BEC, also known as phishing or whaling). One frightening aspect of BEC is that it can be spun off and applied to any form of valuable data. Instead of asking you to send physical dollars, a request may be for sensitive company information.
BEC is a tactic often used to trick your company into sending money to an attacker’s bank account through wire transfers. The attacker wants you to think you are sending money to a legitimate business partner for a legitimate reason. Messages are crafted to appear as authentic and can easily be misinterpreted. Typically an attacker has done extensive research and is familiar with the handful of people in the organization who can conduct monetary transactions. BEC scams are effective and in most cases involve routine amounts using social engineering tactics to target employees in charge of wire transfers.. Exorbitant requests are rare because they attract more attention. These emails constitute a very effective attack vector.
BEC scams are pretty general: overdue invoices, regular payments, beneficiary payouts, and complex company acquisitions. Here are several examples from current attacks:
“I have an invoice due from a company that i would like payment to be sent to them today via Wire Transfer, Can i send you their wiring instruction so you can help me get this process right away?”
“I want you to process a wire transfer to a beneficiary who will be needing the funds by noon, Do let me know if you are in so I can provide you with the banking information.”
“In regards to an Acquisition that we are currently undergoing, Attorney Julian Makin is going to be contacting you. If you can please devote your full attention to his demand to acquire some accounting information so that we can finalize this deal. I must bring up the fact that the operation is regulated by the Financial Market Authority which mean that you need to keep this matter extremely confidential as you are the only one currently aware of the situation. You will need to keep complete silence and work exclusively with Julian. Any questions you may have must be addressed directly to him. We are going public with the acquisition next week. I will personally meet with you and Julian a couple of days prior and expect to be fully updated on your progress. Thank you for treating this with your utmost attention.”
“I need you to kindly handle a financial obligation today, Please let me know if you can make out time to complete the funds transfer before the daily cut off time and also what are the required information you need to process the transfer? I will be grateful for any help you can provide.”
What does a BEC email look like?
The traits that make this a typical BEC are its urgency and vagueness. The scammers are vague because they don’t yet have all the details and they don’t want to raise suspicions by asking too many questions.
Three main types of BEC emails
Spoofed: Forged address emails appear to come from one address but are in fact from another. This scam can most easily be recognized when an email is replied to and To: field is different from the sending address. This tactic abuses the SMTP Reply-to header. The spoof is the most technical part of the scam, with the rest social engineering. An example:
One way organizations can defend against spoofing is by using a sender policy framework (SPF). Every domain should have published SPF records, with every inbox SPF enabled. We would all greatly benefit if these records were created as a best practice and consistently kept up to date. Spoofed email addresses are by far the No. 1 entry vector for BEC, used 99% of the time.
Look-a-like domains: Messages appear to be from a proper domain, but may differ only by a single well-placed character, for example, Boondocks.org vs. Boonclocks.org. If a receiver is multitasking or in a hurry this clue can easily be overlooked.
Internal compromise: This is the most effective BEC tactic but also the hardest for an attacker to exploit. In this case the BEC email is sent from a compromised account within the organization and in most cases appears legitimate.
Even though BEC attacks are highly sophisticated, they occur quite often. The best protection from these types of compromises is to stop them at the email level—before they reach their intended targets. Through active monitoring and thorough analysis, we can effectively combat BEC emails.