In a business email compromise (BEC), the attacker generally uses emails and social engineering techniques to get one person with financial authority in a company to transfer money to a bank account controlled by the attacker. This type of fraud is a sophisticated scam targeting companies and individuals who perform legitimate wire transfers.
Statistics from the FBI’s Internet Crime Complaint Center, law enforcement and filings with financial institutions indicate that BEC alone caused exposed losses of more than $43 billion USD between 2016 and 2021.
BEC detection and blocking based on email attributes
BEC attackers use a variety of social engineering techniques, but most often they use emails designed to appear to come from a legitimate person who is in contact with the target. To achieve that, they often register email addresses that closely resemble the legitimate address of the person being impersonated.
Therefore, one way to take advantage of this situation for blocking purposes may be to only allow external emails from trusted senders. Another variant consists of blocking emails from free email providers, which fraudsters often use, as exposed by Cisco Talos (Image A).
Still, it can be difficult for users to maintain sender trust lists, as they sometimes receive legitimate external emails from people who have not yet been added to their trust list.
Several security software options can help implement policy-based detection of BEC emails. Those solutions generally store executives’ names and email addresses in a database that is checked against every incoming email. If the name is found in the “From” field of an email and the address does not match the legitimate one stored in the database, a BEC attempt warning is issued.
There is another obvious limitation to this detection type: if the email impersonates a person other than a stored executive, no warning is given. Attackers can also spoof the legitimate address in the “From” field in some cases but use a different “Reply-To” field, which can help evade detections based solely on the “From” field.
And in some cases, the fraudsters have compromised the executive’s mailbox and can send emails as the executive without generating alerts for that kind of detection.
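The policy checks described above can be expressed as a small header inspection routine. The following is an added example written for this article, not code from any of the products or from Talos; the corporate domain, the executive directory, the free-mail provider list and the sample headers are all constructed for illustration. It covers the three signals discussed: an executive's display name paired with a non-legitimate address, a sender domain that merely resembles the corporate one, and a Reply-To that diverges from From.

```python
"""Policy-based BEC header check (added illustration, not product code)."""
from difflib import SequenceMatcher
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"  # assumed corporate domain

# Constructed executive directory: normalized display name -> legitimate address
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
    "john smith": "john.smith@example.com",
}

# Constructed list of free email providers often abused by fraudsters
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def normalize(name):
    """Lower-case and collapse whitespace so display names compare reliably."""
    return " ".join(name.lower().split())


def lookalike_domain(domain, reference, threshold=0.8):
    """True when domain is similar to, but not identical to, the reference."""
    if domain == reference:
        return False
    return SequenceMatcher(None, domain, reference).ratio() >= threshold


def check_headers(headers):
    """Return a list of reasons the message hits policy; empty means no hit."""
    reasons = []
    from_name, from_addr = parseaddr(headers.get("From", ""))
    from_addr = from_addr.lower()
    from_domain = from_addr.rpartition("@")[2]
    name = normalize(from_name)

    # Signal 1: known executive name but not the legitimate address
    if name in EXECUTIVES and from_addr != EXECUTIVES[name]:
        reasons.append(
            f"display name '{from_name}' matches an executive but "
            f"{from_addr} is not the legitimate address")

    # Signal 2: sender domain resembles the corporate domain
    if lookalike_domain(from_domain, CORPORATE_DOMAIN):
        reasons.append(f"sender domain {from_domain} resembles {CORPORATE_DOMAIN}")

    # Signal 3: executive name combined with a free email provider
    if name in EXECUTIVES and from_domain in FREE_MAIL_DOMAINS:
        reasons.append(f"executive name sent from free provider {from_domain}")

    # Signal 4: Reply-To steers answers away from the From address
    reply_to = headers.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        reply_addr = reply_addr.lower()
        if reply_addr and reply_addr != from_addr:
            reasons.append(f"Reply-To {reply_addr} differs from From {from_addr}")

    return reasons


# Constructed sample headers exercising each policy signal
SAMPLES = {
    "legit": {"From": "Jane Doe <jane.doe@example.com>"},
    "free_mail": {"From": "Jane Doe <jane.doe@gmail.com>"},
    "lookalike": {"From": "Jane Doe <jane.doe@examp1e.com>"},
    "reply_to": {"From": "Jane Doe <jane.doe@example.com>",
                 "Reply-To": "jane.doe.ceo@gmail.com"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, check_headers(hdrs) or "no policy hit")
```

Note that the lookalike check is a plain string-similarity ratio over the domain name; in practice a product would also consult recently registered domains and known homoglyph substitutions, and none of these checks help when the legitimate mailbox itself has been compromised.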
Another approach: ML-based model profile building
According to Talos research, it is possible to build a profile of C-level executives by using a machine learning algorithm to analyze all emails.
This profile would be based on various items such as the person’s writing style, activities, geolocation when sending emails and time of sending. A relationship graph can also be generated that records the person’s email interactions with others.
A BEC warning may be issued in the event of a deviation from the profile.
As with traditional detection, the method has some limitations. Profile generation must be based on real traffic, and data collection, model building and training take time. It would also be a challenge to build a profile for every employee of the company.
As for the non-executives impersonated by the attackers, Talos states that they are engineers more than 50% of the time (Figure B).
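To make the profile-deviation idea concrete, here is an added example, written for this article and unrelated to the Talos model, that builds a simple per-sender baseline from constructed sent-mail metadata (send hour, sending country and counterparties, the last standing in for the relationship graph) and scores a new message by how many of its features fall below a rarity threshold in that baseline. The threshold and the weights are arbitrary assumptions; a real system would learn them from traffic.

```python
"""Per-sender profile deviation scoring (added illustration, not Talos code)."""
from collections import Counter
from datetime import datetime

# Constructed sent-mail history for one executive:
# (UTC timestamp, sending country, recipient)
HISTORY = [
    ("2022-03-01T08:15:00+00:00", "FR", "cfo@example.com"),
    ("2022-03-01T09:40:00+00:00", "FR", "accounting@example.com"),
    ("2022-03-02T10:05:00+00:00", "FR", "cfo@example.com"),
    ("2022-03-02T11:30:00+00:00", "FR", "legal@example.com"),
    ("2022-03-03T14:20:00+00:00", "DE", "cfo@example.com"),
    ("2022-03-03T15:45:00+00:00", "FR", "accounting@example.com"),
    ("2022-03-04T16:10:00+00:00", "FR", "cfo@example.com"),
    ("2022-03-04T09:05:00+00:00", "FR", "legal@example.com"),
    ("2022-03-07T10:50:00+00:00", "FR", "accounting@example.com"),
    ("2022-03-07T17:25:00+00:00", "FR", "cfo@example.com"),
]


def build_profile(history):
    """Count how often each send hour, country and recipient appears."""
    hours, countries, recipients = Counter(), Counter(), Counter()
    for ts, country, recipient in history:
        hours[datetime.fromisoformat(ts).hour] += 1
        countries[country] += 1
        recipients[recipient] += 1
    return {"n": len(history), "hours": hours,
            "countries": countries, "recipients": recipients}


def score_message(profile, ts, country, recipient, rarity=0.1):
    """Return (score, reasons). Each feature seen in fewer than `rarity`
    of the history adds 0.5; unseen features therefore always count."""
    n = profile["n"]
    hour = datetime.fromisoformat(ts).hour
    checks = [
        ("hours", hour, f"send hour {hour:02d}h is unusual for this sender"),
        ("countries", country, f"sending country {country} is unusual"),
        ("recipients", recipient, f"no prior interaction with {recipient}"),
    ]
    score, reasons = 0.0, []
    for key, value, reason in checks:
        if profile[key][value] / n < rarity:
            score += 0.5
            reasons.append(reason)
    return score, reasons


if __name__ == "__main__":
    profile = build_profile(HISTORY)
    # Constructed: business-hours mail to a known counterparty
    print(score_message(profile, "2022-03-08T09:30:00+00:00", "FR",
                        "cfo@example.com"))
    # Constructed: night-time mail from an unseen country to a new recipient
    print(score_message(profile, "2022-03-08T03:10:00+00:00", "NG",
                        "payments@vendor.example"))
```

The score is deliberately additive so that one unusual feature (an executive travelling to a new country) does not trigger on its own, while several at once do; this is also where the limitation noted above bites, since a profile built from too little history will mark ordinary variation as rare.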
An intent-based approach to BEC detection
This approach aims to solve the major problems of policy-based and machine learning algorithm methods: the non-scalability of the model and the difficulties of maintaining a database of sender email addresses and their names.
To overcome these limitations in detecting BEC fraud, Talos offers an intent-based approach.
This approach separates the detection of the BEC threat into two distinct problems. The first is a binary classification problem: is the email a BEC message or not. The second is a multi-class problem where a detected BEC email is classified by scam type.
The researcher explains that the intent-based approach not only detects BEC emails, but also categorizes them into a type of BEC scam: payroll, money transfer, initial enticement, gift card scam, billing scam, acquisition scam, W2 scam, aging reports, and more.
Technically, it consists of extracting the email text and converting sentences into numerical vectors. This conversion is based on language models such as NNLM or BERT, which capture the meaning of words in the sentence; detection and classification are then performed using deep neural networks. The final output is a probability that the email is a BEC attempt. Low confidence in the result triggers further analytical detections to produce a definitive confidence indicator.
This approach works regardless of who is impersonated in the company.
The need for awareness
No matter what kind of automated solution is deployed to protect companies and employees from BEC fraud, it is still a valuable addition to train employees and raise awareness about what BEC fraud is, how it happens, what kind of social engineering tricks it uses, and which signs should arouse suspicion.
Users should also be aware that BEC fraud can occur not only by email but also by voice. Some BEC frauds use phone calls or even text messages to approach employees.
Any attempt to change the usual procedure for a financial transfer, and any sudden change to a recipient’s bank account, should immediately sound the alarm and be investigated. The targeted employee should never hesitate to contact the sender of the request through another communication channel to confirm that it is not a scam.
Disclosure: I work for Trend Micro, but the opinions expressed in this article are mine.