You’re working from home. Your CEO is working from home. Everyone in the known universe is working from home. She sends you a message on her Gmail account (because, ugh, the email server is down again!). Quick—wire funds to a supplier immediately. Here is their banking information. Should you send the funds? You ping her back with a quick message. She confirms. Yes, send the money.
This little episode, which occurs thousands of times a day, offers several warnings that should slow down your response. It bears several of the hallmarks of a Business Email Compromise (BEC). This type of fraud, which involves social engineering to impersonate top executives, is surprisingly effective. It preys on command relationships to induce prompt action by subordinates who want to please the boss but are afraid of challenging her authority. Some American companies have been defrauded out of millions of dollars by BEC attackers.
The lock-downs and work-at-home mandates that are affecting millions of workers today are exacerbating the risks. The FBI has issued a warning, but the problem is understandable. The idea of the CEO sending a message on a personal device, from a personal email account, is not as far-fetched as it might have been when everyone was in the office. However, if you’ve been trained, you would know that a request for a quick funds transfer from the CEO’s personal email account is a huge red flag.
Relying on watchful employees to spot BEC is not optimal, however.
Relying on watchful employees to spot BEC is not optimal, however. It would be better if email security tools could flag suspected BEC messages in real time. This is getting more difficult, however, according to Ziv Mador, VP of Security Research at Trustwave. “BEC attacks are getting more sophisticated all the time,” he said. “The English is getting better. The trust-building process is more nuanced and consistent. The old BEC mitigation techniques are getting harder to apply with any success.”
For example, as Trustwave’s 2019 Global Security Report revealed, only one in five BEC emails have a different “From” and “reply to” email address—a typical “tell” that gave away what was going on in the past. Similarly, 84% of BEC messages do not spoof the domain in the “From” field, another classic signifier of fraud. Trustwave recently published an article detailing COVID-19 themed variants BEC scams, e.g. requests for pandemic-related medical expenses.
“This is a round-the-clock arms race,” Mador said. “We are constantly searching for the latest iteration of threats and learning how to detect signatures that are invisible to the naked eye.”
To detect and prevent BEC, providers of Managed Detection and Response (MDR) like Trustwave must engage in deep, pervasive threat hunting. “This is a round-the-clock arms race,” Mador said. “We are constantly searching for the latest iteration of threats and learning how to detect signatures that are invisible to the naked eye.” A BEC email might contain a single Cyrillic letter, for instance, that is impossible for a human being to identify.
Trustwave runs nine Security Operations Centers (SoCs) worldwide, which feed threat intelligence data into their analytical engines. These are used to build anti-BEC countermeasures on an ongoing basis. The threat intel spans many different kinds of attacks, such as Phishing and web-based malware. The company can cross-reference attacker signatures to prevent a BEC attack that comes from a known distributor of malware.
Covid-19 is leading to more BEC attacks. This is a good time to assess one’s countermeasures and work to build better protections against this challenging but preventable form of attack.