You will be hacked – NOT if but WHEN! We didn’t look into the crystal ball to tell you this. It comes straight from an FBI agent who told this to a roomful of lawyers recently at an annual tech symposium.
The FBI reports a substantial 65% jump in identified global exposed losses from Business Email Compromise (BEC) fraud, with over 241,206 incidents reported in the last few years. These losses include both actual and attempted losses. An average of $43 billion is mis-wired globally every year due to BEC fraud, and the agency is only scratching the surface.
BEC scams are not limited to the United States (they have been reported in all 50 states) but span 177 countries, with over 140 countries receiving fraudulent transfers. And the threat is only increasing. In 2020, BEC scammers made over $1.8 billion – far more than via any other type of cybercrime. The number rose to $18.7 billion in 2021 and $43 billion in 2022!
However, not all BEC crimes relate to wire fraud. After all, email scams have existed for probably as long as email addresses. What makes BEC dangerous is the sheer sophistication involved. We break down how a typical BEC attack works, its types, its techniques, and how you can protect against these threat vectors.
Osterman Research defines BEC as “a specific type of phishing (spear phishing) attack, relying on targeting (i.e., going after a specific person or role type in an organization) and normally seeking monetary payment as a direct outcome.” BEC attacks differ from other forms of cyber threats, relying almost entirely on social engineering to trigger human susceptibility to plausible requests.
These are becoming notoriously difficult to prevent as the traditional threat detection solutions (inbound email security) that analyze email headers, links, and metadata often miss these attack strategies. Spear phishing emails, texts, or phone calls are directed at specific individuals or organizations. You will not find messages riddled with bad grammar, broken links, or punctuation errors. Such attacks do not generally carry malware, include weaponized links, or seek to compromise email account credentials.
Instead, in this technique, attackers carefully research and spend time to make the messages highly personalized – right from sending an email from a lookalike company email domain down to adding company sayings, slogans, or common phrases to appear more legitimate. Such social engineering tricks include establishing rapport (pretexting), promising personal benefit, and invoking urgency.
Let us explore this in detail.
The primary reason business email compromise attacks are difficult to spot is the extensive preparation that goes behind them. Attackers pose as someone the recipient trusts – it could be a boss, colleague, or vendor. Even the conversations with which they entice the recipients are fairly relatable and people don’t generally think twice.
Though the hackers will use several patterns, there are four major types of BEC scams doing the rounds.
Fake Invoice Scheme
This type of scam targets businesses that deal with foreign suppliers. The attackers will pretend to be the suppliers requesting fund transfers for payments to an account owned by them and not the original supplier. Such attacks involve sophisticated social engineering tactics of building trust and impersonation. Here is an example of how it works.
The attacker breaches the email account of someone in finance or payroll. The email address can be easily obtained from social networks, and these fraudsters are generally adept at obtaining passwords (especially if the target does not follow best email protection practices, the account is very easy to compromise). The attacker then continues to eavesdrop on the mailbox, learns how the billing and payment process works in the organization, and waits for a legitimate transaction to happen.
Once they get wind of a transaction about to take place, they look for a legitimate invoice, modify the details of the beneficiary, such as the routing number to which the amount needs to be credited, and spoof the vendor’s address to submit the invoice. The last piece of the scam is the email written with an urgent tone, which is then sent to you or the target saying that “the vendor has updated its payment terms” without highlighting the new account number. Since the target trusts the email sender, they would proceed with the wire transfer request after verifying the name of the vendor and the service.
The attackers spend a considerable amount of time on reconnaissance: choosing specific targets, crafting targeted campaigns, and employing money mules to launder the fraudulent funds into untraceable offshore accounts.
CEO Fraud
“Hi, Jane – I’m on a conference call right now. I can’t talk on the phone but let me know if you got my text. Thanks, John Doe (CEO).” Through such emails, most of us are becoming too familiar with CEO fraud. Contrary to its name, it is not always the CEO who will be impersonated; it could be CFO, COO, or any high-profile C-level executive. And the targets are usually the finance, HR, or IT teams.
In such scams, attackers trick employees into transferring money or divulging sensitive information, building on the pretext of urgency. Per the FBI, CEO fraud is a $26 billion scam! It works in two ways.
To orchestrate such scams, cybercriminals will crawl company websites, social media pages, media coverage, and more to collect information on their target. Their aim is to get access to a variety of information, including:
Email Account Compromise (EAC)
In this BEC scam, the email account of an executive or a vendor is hacked and used to request money transfers to fraudulent accounts. It is also known as email account takeover or email hijacking. In most instances, the person is not even aware that their email account is being hacked.
Such scams use several tactics, such as phishing, malware, and purchasing employee credentials from the dark web to gain unauthorized access to email accounts. Once they gain access to the account, criminals have a vast treasure trove of data to exploit to “become the target” – files, calendar meetings with customers or suppliers, emails with sensitive information, etc. The attackers profile their target thoroughly and start setting email forwarding rules and changing email account permissions.
The use cases are many – the most prominent being supplier invoices and payroll. In the case of payroll, the attacker usually compromises the email account of an employee and sends an email to HR asking to update the said employee’s direct deposit with their own bank account. In some instances, on a much bigger scale, the attacker compromises the email account of a management executive and studies the Merger and Acquisition (M&A) activities. From the executive’s email account, the attacker then sends an email to the accounting department, requesting to execute a wire transfer to complete an acquisition. The email is to-the-point with the same business language and details the executive uses; only this time the bank account is replaced by the attacker’s own account.
EAC scams are quite difficult to detect because the emails originate from the authorized sender’s own account, which does not register a blip on the security radar of company servers. The modus operandi of EAC attacks preys on the trust established between colleagues and teams.
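The forwarding-rule tampering described in this section leaves a footprint a defender can audit: rules that forward or redirect mail to addresses outside the organisation, and rules that delete or bury messages about invoices, wires or payroll so the mailbox owner never sees the replies. The following is an added example, not RMail code or anything from the original article. The rule format, the organisation domain and the sample rules are constructed to resemble a typical inbox-rule export; a real audit would feed in rules pulled from the mail platform’s admin API.

```python
"""Audit mailbox rules for account-takeover footprints (added example; constructed data)."""

ORG_DOMAIN = "victim.example"  # constructed: the organisation's own mail domain

# Subject keywords an attacker typically hides after taking over a finance mailbox.
FINANCE_TERMS = ("invoice", "wire", "payment", "remittance", "direct deposit")

# Folders commonly used to bury mail because nobody reads them.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "deleted items", "junk email", "archive"}

# Constructed sample: one benign rule, one internal forward, two malicious rules.
SAMPLE_RULES = [
    {"name": "Newsletters", "forward_to": [], "redirect_to": [], "delete": False,
     "move_to": "Newsletters", "subject_contains": ["digest"]},
    {"name": ".", "forward_to": ["archive.mail@gmail.example"], "redirect_to": [],
     "delete": True, "move_to": None, "subject_contains": ["invoice", "wire"]},
    {"name": "Team", "forward_to": ["colleague@victim.example"], "redirect_to": [],
     "delete": False, "move_to": None, "subject_contains": []},
    {"name": "Hide", "forward_to": [], "redirect_to": [], "delete": False,
     "move_to": "RSS Feeds", "subject_contains": ["payment"]},
]


def external(addr, org_domain=ORG_DOMAIN):
    """True when the address belongs to a domain other than the organisation's own."""
    return "@" in addr and addr.rsplit("@", 1)[1].lower() != org_domain


def audit_rule(rule, org_domain=ORG_DOMAIN):
    """Return a list of reasons this rule looks like BEC tampering (empty if clean)."""
    reasons = []

    # 1. Exfiltration: mail silently copied or redirected outside the organisation.
    ext = [a for a in rule["forward_to"] + rule["redirect_to"] if external(a, org_domain)]
    if ext:
        reasons.append("forwards or redirects to external address: " + ", ".join(ext))

    # 2. Concealment: finance-related mail deleted or moved to an unread folder.
    terms = [t for t in rule["subject_contains"] if t.lower() in FINANCE_TERMS]
    hides = rule["delete"] or (rule["move_to"] or "").lower() in HIDING_FOLDERS
    if terms and hides:
        how = "delete" if rule["delete"] else "move to " + rule["move_to"]
        reasons.append("hides finance-related mail (%s) via %s" % (", ".join(terms), how))

    # 3. Evasion: attackers often name rules "." or a single character to avoid notice.
    if len(rule["name"].strip()) <= 1:
        reasons.append("near-empty rule name")
    return reasons


def audit(rules, org_domain=ORG_DOMAIN):
    """Return [(rule_name, reasons)] for every rule that raised at least one reason."""
    findings = []
    for rule in rules:
        reasons = audit_rule(rule, org_domain)
        if reasons:
            findings.append((rule["name"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_RULES):
        print("rule %r:" % name)
        for r in reasons:
            print("   -", r)
```

Run against the constructed rules, the audit flags the rule named "." (external forward, deletion of invoice/wire mail, near-empty name) and the rule "Hide" (payment mail moved to RSS Feeds), while the newsletter filter and the internal forward pass. In practice a rule created shortly after an unusual sign-in is the combination worth alerting on.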
Lawyer or Attorney Impersonation
As the name suggests, this scam specifically targets legal professionals who are privy to crucial and confidential information. The attackers impersonate a senior lawyer to target lower-level employees who would not question the validity of the request. Scammers go to great lengths to compromise or spoof company emails or to use social engineering to assume the identity of the company attorney.
Law firms are especially vulnerable to such scams because they possess confidential data, financial records, and information on corporations, patent applications, political figures, heavily-guarded mergers and acquisitions, and more. They also operate in a sector where reputation is the key. Here are two usual scenarios of lawyer impersonation BEC scams.
Scenario #1: The attacker compromises an executive’s account and sends an email to an employee saying that he/she is part of a confidential or time-sensitive transaction. The attacker also tells the employee that they will be contacted by an attorney later in the matter. To make the scam perfect, the employee is then contacted by the attacker’s “team” via email, phone call, or SMS, informing them about the case and the next steps. Once the trust is established, the employee easily falls into the trap set by the attackers and does not suspect anything.
Scenario #2: This is the most common scenario used in an attorney impersonation scheme, where the attacker directly contacts the employee posing as an attorney. The attacker generally creates a sense of urgency, stating that he/she is being included in an important case for the company, the company leadership has engaged the services of the said law firm, and he/she should be on the lookout for the next steps. The communication continues until trust is established and the employee completes the attacker’s request.
You can avoid falling into the trap of such simple, yet sophisticated scams by following some best practices like setting up multi-factor authentication, conducting cybersecurity and BEC scam awareness training for employees, establishing protocols for what will be sent over email, and what needs to be done with a phone call, and more.
Impostor emails are purpose-built to impersonate someone your users trust and trick them into sending money or personal information to cybercriminals. What you would need is an integrated, holistic solution that can address all attackers’ tactics, provides visibility into malicious activities and user behavior, and automates the detection and threat response.
RMail, a global email security solution from RPost, can help.
Well known for its Registered Email™ and Registered Encryption™ features that mitigate risk by providing proof of who said what when, or audit-ready proof of the fact of privacy compliance, RMail’s AI continues to evolve. It now includes a suite of features designed to pre-empt cybercrime: PRE-Crime™. Put simply, this means stopping the e-crime after the hook is in, but before the steal (crime) completes – a boon to thwart and pre-empt business email compromise attacks.
PRE-Crime has components designed to alert you or your administrator of a potential e-crime in progress before it is too late - whether the cyber trickery is happening inside your organization or at your recipient’s email account.
RMail’s PRE-Crime suite of services follows a targeted attack defense approach of stopping the crime after the cybercriminal has:
There is no one provider that specializes in defending against all the threats. So, you might ask, where does RMail’s PRE-Crime “targeted attack defense” fit within your organization, without overlapping your existing tools? In other words, if you already have the top-of-the-line inbound email security gateway and all it has to offer, for what scenarios will RMail add value and security?
It is here where RMail’s PRE-Crime service differs in the sense that its technology focuses on outgoing emails, with features that range from tracking email opens to detecting email account compromise (even at your recipients’) to alerting senders that they are about to reply to an impostor before they do so.
i. Transmission Level: RMail’s default encryption is set to transmission level at the minimum sender-acceptable security level, delivering the encrypted email right to the recipient’s inbox. The sender can send the email like a regular one, without any logins, links, or the need to create an account. Recipients can also reply encrypted. If the minimum security cannot be automatically achieved, the message dynamically reverts to message level encryption.
ii. Message Level: If the RMail SMART engine detects that the recipient’s server is not able to receive your message with the minimum acceptable security level, it automatically reverts to message level encryption. The email and any attachments are automatically wrapped inside an AES-256 password-protected, digitally signed PDF, which is delivered straight to the recipient’s inbox along with instructions to decrypt it.
The security forensics provided by RMail are fact-based and allow IT admins to justify and demonstrate their hypothesis about where cybercriminals may have accessed an email in the path from sender to recipient, even if the breach occurred at the recipient’s end.
b.1 Lookalike Domain™ Detector. Consider a scenario where you are about to receive an invoice or payment request from your vendor or supplier and the email is intercepted or compromised at their end. There is a high probability that you would receive an altered email. The alteration ultimately (often after some back and forth) may have different payment coordinates, luring your unsuspecting payment staff into sending funds to the cybercriminal.
When the cybercriminal creates the impostor email to send to you (the recipient) from a legitimately registered lookalike domain (one letter off), it can bypass sophisticated inbound email security gateways and firewall controls (e.g., DKIM, SPF, DMARC, phishing detectors, malicious link detectors).
With RMail’s “Right Recipient email Lookalike Domain alert,” running inside Outlook, if the recipient replies to one of these newly purchased legitimate email addresses (technically legitimate but created with criminal intent), the RMail system will alert the user in milliseconds. And this would be after they click send, but before the reply is sent.
Notice the one letter “r” that is missing in the email address highlighted in red – “nothendassoc.com” instead of “northendassoc.com.” Though it is a legitimate domain, RMail’s AI tells you that it was created just a week ago, alerting you to proceed with caution. This helps you thwart impostor wire or funding instruction lures and the mis-wiring of money.
Your existing email security systems will not protect you or your recipient from such trickery, as they will not flag such email domains: the domain is registered and technically legitimate. This is best automated with adaptive AI within the email program of the recipient, which is what RMail does.
b.2 Reply Hijack™ Alerts. Sophisticated cybercriminals may also trick you by placing the newly created lookalike email domain within the hidden-to-recipient “reply-to” header of the message that they send to the target recipient. It is located right under the “Bcc” field in the Outlook email client. Or, they may place another seemingly plausible email address that poses as a legitimate sender in the hidden-to-recipient “reply-to” header.
In both cases, they may put the actual email of the legitimate sender in the email “from” field – and send it to you or your recipient to make it appear as though the legitimate sender sent the email. The goal of this type of trickery is to have the recipient continue a back-and-forth email exchange with the impostor without arousing any suspicion, thinking it is a trusted sender (supplier, or otherwise). And ultimately, you or your recipient will end up making a payment to the impostor’s bank account. Such scams are also successful in convincing the payor to update recurring payment systems and even payroll systems.
Your existing email security systems will not protect you from this type of cybercrime as the security gateways will look for DKIM, SPF, or DMARC sender authentication failures, which can block some of these. However, if the impostor sends from a legitimate lookalike or plausibly alternative email address, these will generally pass the DKIM, SPF, and DMARC sender authentication policies. Email security gateways at the recipient level can also look for mismatches in the header of the inbound email (mismatch in the “from” and “reply-to” headers). However, there are legitimate reasons for such mismatches to occur, and blocking this traffic can block legitimate emails.
Detection of such trickery is best automated in the recipient’s email program. This is where RMail employs its Reply-Hijack™ alert that runs within the Microsoft Outlook email program. This pattern is also known as a “Whaling” type of “Spear phishing” or a “reply-to pivot.”
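The two checks described in b.1 and b.2 (a reply address whose domain differs from the visible sender, and a domain that is one edit away from a vendor you actually pay) can both be made on the raw message headers. The following is an added example, not RMail code or anything from the original article; it uses Python’s standard `email` module and a small Levenshtein distance to flag both conditions on a constructed message. The trusted vendor list and the sample message are constructed; the domain-age lookup RMail describes needs a WHOIS/RDAP query and is deliberately out of scope here since this runs offline.

```python
"""Flag reply-to pivots and lookalike sender domains in raw message headers
(added example; constructed vendor list and sample message)."""
from email import message_from_string
from email.utils import parseaddr

# Constructed: domains of vendors this organisation legitimately pays.
TRUSTED_DOMAINS = {"northendassoc.com", "acme-supplies.example"}


def domain_of(header_value):
    """Lower-cased domain of the first address in a header, or None if absent."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def edit_distance(a, b):
    """Levenshtein distance: single-character insertions, deletions or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS, max_distance=1):
    """Return the trusted domain this one imitates (within max_distance edits), else None."""
    if domain is None or domain in trusted:
        return None
    for t in sorted(trusted):
        if edit_distance(domain, t) <= max_distance:
            return t
    return None


def analyse(raw_message):
    """Return [(finding, detail)] for the From / Reply-To headers of a raw message."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    findings = []

    # Reply-to pivot: the visible sender is genuine but replies go somewhere else.
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply-to mismatch",
                         "From %s but replies go to %s" % (from_dom, reply_dom)))

    # Lookalike check on every domain a reply could actually reach.
    for label, dom in (("From", from_dom), ("Reply-To", reply_dom)):
        target = lookalike_of(dom)
        if target:
            findings.append(("lookalike domain",
                             "%s %s is one edit from trusted %s" % (label, dom, target)))
    return findings


# Constructed sample reproducing the article's "nothendassoc.com" example:
# genuine vendor in From, one-letter-off lookalike in the hidden Reply-To.
SAMPLE = """From: Accounts Payable <ap@northendassoc.com>
Reply-To: Accounts Payable <ap@nothendassoc.com>
To: payments@victim.example
Subject: Updated payment terms

Please see the revised remittance details attached.
"""

if __name__ == "__main__":
    for kind, detail in analyse(SAMPLE):
        print("%-18s %s" % (kind, detail))
```

On the constructed message the analysis reports both a reply-to mismatch and a lookalike domain, which is exactly the signal to surface before the reply leaves the client. A message with no Reply-To header and a trusted From domain produces no findings, so the check stays quiet on ordinary vendor traffic.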
b.3 Fake Forward™ Alerts. Consider a scenario where your recipient forwards your email and it gets intercepted by an attacker at some level. You have no way to tell whether the email that comes back to you from your recipient is from an impostor. RMail’s “Fake Forward email detector” helps here. RMail will detect and alert that a fake email that was part of a “Reply-Hijack, reply-to pivot scheme” is about to be forwarded, which would otherwise unknowingly lend legitimacy to the impostor email content.
Your existing email security systems will not protect you or your recipient from this type of cybercrime. Email security gateways at the recipient can block an email if they have sender authentication policies like DKIM set up. However, not all recipients do. RMail’s Fake Forward™ alert running within the Microsoft Outlook email program can alert on some forms of email from impostor senders being forwarded on by the first recipient.
The Digital Seal technology employed by you protects your recipient from being fooled. It provides you with the assurance that only you will get the funds requested from the recipient and not an impostor who is impersonating you.
You could probably achieve a similar effect by applying PKI digital signatures to the email you send your recipient, offering them a form of sender authentication. However, these “signatures” technically break if the email is forwarded and are not visible if the recipient views the email in certain email programs.
Similarly, applying DKIM and other sender authentication mechanisms (SPF, DMARC) at the receiving server may also flag certain inbound email threats. However, they must be employed in your email system as well as at your recipient’s server. Even then, the system will not be able to thwart lookalike domain trickery, because the email is sent from a valid domain purchased to trick the recipient, and the sender is technically sending from a legitimately configured email account.
Each of the RMail technologies discussed above is an additive layer that the email security gateway systems employed by companies either do not address at all or address only partially. RMail’s security services run within Microsoft Outlook, making them seamless. Besides, irrespective of your existing email systems, these RMail technologies also focus outside the boundaries of normal email security server filtering capabilities.
Try RMail to thwart a crime in progress, after the spear phishing hook is in, but before the steal, for free!
At RPost, we simply can’t afford to make you enter a support queue. Or upcharge for each feature. Or not be the most affordable. Or not continuously innovate so that we can always be the most feature-rich while easy to use. We can’t be anything less than the best e-sign and e-security product with the best people and service to support you.
Obviously, the thing we try hardest at is just to be there for you. To start you out right with new services that are easy to use, work well and have the features you need now (and will need in the future). We will give you the training and attention your team needs from a support staff that makes us proud every day.
Why do we do this? Because we’ve learned over the last 20 years in this business that our customers are counting on us every day. Because we live and breathe security and process optimization. Because we can’t afford to take you for granted. We try harder to ensure your success.