Last year, cyber criminals stole $2.3 million from the town of Peterborough, New Hampshire using email-based attacks. What’s worse, the losses are attributed to two separate attacks from the same criminal group, meaning Peterborough’s finance department could have minimized damage if they had realized the mistake sooner.
But there is a reason the department did not question the messages. Not only did the emails bypass filters, they also appeared entirely legitimate: none of the grammatical errors, unfamiliar senders or suspicious links usually associated with malicious email. Using a few strategically placed messages, the attackers posed first as a school district and later as a construction company, and diverted millions in town funds to accounts they controlled.
The Peterborough finance department had fallen victim to a highly targeted, difficult-to-detect scam called Business Email Compromise (BEC).
BEC is a phishing tactic that does not rely on malicious links or malware attachments. An attack often consists of just one or two emails in which the attacker poses as a known and trusted party (a supplier, an executive, a colleague) to trick the recipient into sending funds to an account the attacker controls.
Because of its targeted nature, BEC is not the most common type of email attack, but it can be one of the most devastating. In a sample of 31 million email-based threats, Cloudflare found BEC had the lowest volume of attacks at 1.34% but accounted for an estimated $354 million in losses — with individual losses averaging about $1.5 million each.
Attackers are increasingly adept at exploiting trust, and traditional email security is ineffective at stopping BEC. To protect themselves and their employees, organizations need modern, proactive strategies. Preemptively identifying and neutralizing attacker infrastructure can block BEC messages before they reach anyone; contextual analysis can flag messages that slip past filters or come from compromised internal accounts. Modernizing email security along these lines can protect organizations from these costly attacks.
Traditional email security strategies were not built to handle BEC attacks and ultimately leave organizations vulnerable. These tactics include:
Built-in filters and secure email gateways (SEGs): Built-in filtering from providers like Microsoft or Google is tuned to catch spam and known-bad indicators, not BEC. Secure email gateways (SEGs) also filter suspicious mail, but they struggle with BEC for the same reason, and their capabilities overlap heavily with the built-in functionality they sit in front of.
Email authentication: Publishing Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) records helps prevent spoofing of your own domain. But these checks only establish that a message was authorized by the domain it claims to come from; they say nothing about the sender's intent. A message sent from a compromised mailbox at a legitimate domain, or from a look-alike domain the attacker registered and configured correctly, passes all three, and both are common in BEC.
Employee vigilance: Cloudflare found that 92% of user-reported emails are deemed not malicious. This high volume of false positives creates alert fatigue for security teams. Reporting also happens only after delivery, so it cannot by itself prevent a convincing message from being acted on.
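To make the authentication caveat above concrete, here is an added example written for this page; it is not code from the article and not Cloudflare's implementation. It is a minimal DMARC alignment evaluator in Python that replaces DNS lookups with a hard-coded table of _dmarc TXT records, takes the SPF and DKIM verdicts as a receiving mail server would have computed them, and runs three constructed scenarios: a direct spoof of a school district's domain, a message from a compromised mailbox at that district, and a message from an attacker-registered look-alike domain. The domain names, records and scenarios are assumptions chosen for illustration.

```python
"""Added example, not from the article: a minimal DMARC alignment evaluator
following the alignment rules of RFC 7489 section 3.1. DNS is replaced by a
constructed table of _dmarc TXT records; SPF/DKIM results are supplied by the
caller as a receiving MTA would have computed them."""
from dataclasses import dataclass

# Constructed stand-in for DNS (_dmarc.<domain> TXT records); assumed domains.
DMARC_RECORDS = {
    "example-school.org": "v=DMARC1; p=reject; adkim=s; aspf=s",
    "example-schoo1.org": "v=DMARC1; p=reject",   # attacker-registered look-alike
}


@dataclass
class AuthResults:
    from_domain: str    # domain of the RFC 5322 From header the user sees
    spf_result: str     # "pass" / "fail" / "none"
    spf_domain: str     # RFC 5321 MailFrom domain that SPF was checked against
    dkim_result: str    # "pass" / "fail" / "none"
    dkim_domain: str    # d= tag of the verified DKIM signature


def org_domain(domain):
    """Simplified organizational domain: last two labels. Real code uses the
    Public Suffix List; this shortcut is an assumption for the example."""
    return ".".join(domain.lower().split(".")[-2:])


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; aspf=s' into {'v': 'DMARC1', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(ar):
    """Return 'pass', the policy's requested disposition on failure, or
    'no-policy' when the From domain publishes no DMARC record."""
    record = DMARC_RECORDS.get(ar.from_domain.lower())
    if record is None:
        return "no-policy"
    tags = parse_dmarc(record)
    spf_ok = ar.spf_result == "pass" and aligned(
        ar.spf_domain, ar.from_domain, tags.get("aspf", "r"))
    dkim_ok = ar.dkim_result == "pass" and aligned(
        ar.dkim_domain, ar.from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")


def scenarios():
    """Three constructed BEC-style situations against the same receiver."""
    return {
        # 1. Direct spoof of the district's domain sent from attacker infrastructure.
        "spoof": evaluate_dmarc(AuthResults(
            "example-school.org", "fail", "bulk-mailer.example", "none", "")),
        # 2. Compromised mailbox at the real district: everything aligns.
        "compromised_account": evaluate_dmarc(AuthResults(
            "example-school.org", "pass", "example-school.org",
            "pass", "example-school.org")),
        # 3. Look-alike domain the attacker owns, with its own SPF/DKIM/DMARC.
        "lookalike": evaluate_dmarc(AuthResults(
            "example-schoo1.org", "pass", "example-schoo1.org",
            "pass", "example-schoo1.org")),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:20s} -> {verdict}")
```

Only the first scenario is rejected. The compromised account and the look-alike domain both pass, because DMARC answers "is this domain allowed to send as itself?" and in both cases the answer is yes. Catching the look-alike requires a separate check against the domains you actually do business with, and catching the compromised account requires looking at the content and context of the message rather than its authentication headers.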
The specifics of BEC scams and the damage they cause vary according to type, but all of them exploit trust:
Spoofed executive sender or domain: These emails use an executive as a lure. The attacker spoofs the executive's display name, the target company's domain, or both. Then, posing as the executive, the attacker asks an employee to perform a financial transaction such as wiring money or purchasing gift cards.
Compromised employee account: A step up in sophistication, this internal account takeover uses a compromised employee mailbox as the entry point. Having taken over a real employee's account (typically with phished or reused credentials), the attacker writes as that employee and asks a colleague (the victim) to help complete a financial transaction. Because the mail originates from the legitimate account, sender-based checks pass.
Impersonating vendor / supplier: Here the cybercriminal impersonates a supplier or vendor that already has a relationship with the target organization, often from a spoofed or look-alike domain. Since the impersonated sender is outside the organization, unwary victims may not notice the subtle differences in address or domain that would stand out for a colleague.
Compromised vendor / infiltrated supplier: This is the most advanced type of BEC, and can take months to execute. These attacks first compromise a supply chain partner or vendor through one or more email account takeovers. The attacker silently observes legitimate email threads, then injects themselves into the conversation at the right moment, pivoting payment requests to an attacker-controlled account. In some of these supply chain attacks, the victim may not even know they suffered financial loss until a future audit.
All of these attack types share certain characteristics, chiefly social engineering and manufactured urgency. The attacker manipulates the recipient not only into trusting them but also into acting quickly, before suspicion sets in, and often supplies a reason why the recipient should not ask follow-up questions before completing the task. For instance, an email supposedly from the CEO may say they are jumping on a flight and will be unreachable for a few hours.
To complicate matters further, the highly targeted, low-volume nature of these attacks lets them slip past filters that depend on reputation data aggregated from high attack volumes. For threat policies to work, such filters need enough sightings to "learn" that a given domain, IP address or file should be treated as suspicious. That works for traditional spam, but it is insufficient against the precision of BEC. Attackers can create brand-new email addresses, register fresh domains or take over legitimate accounts, none of which carries the bad reputation that built-in email security looks for.
To effectively fight BEC attacks, companies should shape their strategies around the following tenets:
Proactive defense: Rather than waiting for malicious emails to hit the employee inbox, predictive technology can scan for attacker infrastructure — such as brand new email addresses or fraudulent domains — and preemptively block the sender. This can reduce the risk of an employee engaging with an attacker’s email before it is detected.
Contextual analysis: Instead of matching known-bad indicators, analyze the message and its context. Natural language processing (NLP) can analyze sentiment and tone to pinpoint "urgent" requests; computer vision can spot the phishing websites that often supplement an attack; thread analysis can catch an attacker interjecting into an existing conversation; and sender profiling can weigh how much risk a given sender poses.
Continuous protection: Filtering out messages upon arrival is not enough, especially because some emails inevitably bypass filters. Moreover, malicious emails are often only one part of a larger attack, so protection beyond the inbox is important. For instance, if a malicious email were to slip past filters and an employee were to click a suspicious link, the webpage could be loaded in an isolated remote browser, protecting the employee and their device. This type of continuous protection is necessary to enforce more holistic security strategies, like Zero Trust.
Multi-mode deployment: Some email security solutions, like SEGs, must be deployed inline, which means changing the domain's mail exchange (MX) record (the DNS record that tells other mail servers where to deliver mail for the domain). Inline deployment works best for external mail because it sits in front of the employee inbox and inspects every inbound message before delivery; it does not see internal mail between employees that never leaves the provider. API-deployed solutions connect to the mail provider directly, so they are faster to set up and can see internal mail, but an API-only approach inspects messages after delivery, leaving a window in which an employee can act on a message before it is neutralized. A multi-mode deployment (one that supports inline and API deployment, separately or together) is best because it can protect teams from internal and external threats, both pre- and post-delivery.
Future-proofing and automation: Look for solutions that do not rely on hardware (which may require costly maintenance or age out over time), handle incident reports automatically (giving security teams time back), and do not require significant manual creation of threat policies (which can slow down protection and never fully account for all possible threats).
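As an added illustration of the contextual signals discussed on this page (the urgency and payment-change language in the attack characteristics, and the display-name, look-alike-domain and sender-profile checks under contextual analysis), here is a small Python scorer written for this article; it is not Cloudflare's detection logic. It parses raw messages with the standard library, assigns a weight to each signal it finds, and runs over four constructed messages: an executive display-name spoof, a vendor look-alike domain with a redirected Reply-To, a compromised internal account, and a legitimate vendor invoice. The company domain, executive directory, vendor list, known-sender list, keyword lists and weights are all assumptions chosen for the example.

```python
"""Added example for this page, not Cloudflare's product logic: a heuristic
BEC scorer that applies contextual signals to raw RFC 5322 messages.
Every directory, keyword list and weight below is an assumption."""
import email
from email.utils import parseaddr

COMPANY_DOMAIN = "town.example"                          # assumed tenant domain
EXECUTIVES = {"jane doe": "jdoe@town.example"}           # assumed directory
KNOWN_VENDOR_DOMAINS = {"acme-construction.example"}     # assumed vendor list
KNOWN_SENDERS = {"ap@acme-construction.example", "jdoe@town.example"}
URGENCY = ("urgent", "asap", "immediately", "right away", "today")
PAYMENT_CHANGE = ("new bank", "updated bank", "new account", "wire", "gift card")


def levenshtein(a, b):
    """Edit distance, used to catch look-alike domains such as an i-for-l swap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw):
    """Return (score, findings) for one raw message; higher means riskier."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr, from_dom = addr.lower(), domain_of(addr)
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    text = (msg.get("Subject", "") + "\n" + body).lower()
    findings = []

    # Executive's name in the display name, but not the executive's mailbox.
    exec_addr = EXECUTIVES.get(name.strip().lower())
    if exec_addr and addr != exec_addr:
        findings.append(("display_name_impersonation", 40))

    # Domain close to, but not equal to, a vendor we already pay.
    if any(from_dom != v and levenshtein(from_dom, v) <= 2 for v in KNOWN_VENDOR_DOMAINS):
        findings.append(("lookalike_vendor_domain", 35))

    # Replies quietly redirected to a different domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append(("reply_to_mismatch", 20))

    if addr not in KNOWN_SENDERS:
        findings.append(("first_contact_sender", 10))
    if any(k in text for k in URGENCY):
        findings.append(("urgency_language", 15))
    if any(k in text for k in PAYMENT_CHANGE):
        findings.append(("payment_change_request", 25))
    return sum(w for _, w in findings), findings


# Constructed sample messages (not real traffic).
SAMPLES = {
    "exec_spoof": """From: Jane Doe <jane.doe@webmail.example>
To: ap@town.example
Subject: Urgent request

I'm about to board a flight and can't take calls. Please buy $2,000 in gift cards today
and send me the codes ASAP. Keep this between us.
""",
    "vendor_lookalike": """From: Accounts Payable <ap@acme-constructlon.example>
Reply-To: acme.billing@webmail.example
To: finance@town.example
Subject: Invoice 4471 - updated bank details

Our remittance account has changed. Please wire the outstanding balance to the
new account on the attached letter.
""",
    "compromised_internal": """From: Jane Doe <jdoe@town.example>
To: ap@town.example
Subject: Wire for the Main St project

Need the final wire released today, details below.
""",
    "legit_vendor": """From: Accounts Payable <ap@acme-construction.example>
To: finance@town.example
Subject: Invoice 4471

Attached is invoice 4471 for the March work. Terms are net 30 as usual.
""",
}


def run_samples():
    """Score every constructed sample; returns {name: score}."""
    return {k: score_message(v)[0] for k, v in SAMPLES.items()}


if __name__ == "__main__":
    for k, v in SAMPLES.items():
        print(k, score_message(v))
```

The executive spoof and the vendor look-alike both score 90, while the legitimate invoice scores 0. The compromised internal account scores only 40: the sender is known, the address is the executive's real mailbox and nothing about the domain is off, so only the content signals fire. That gap is exactly why the article pairs content analysis with thread analysis and why payment changes should also be verified out of band. Plain substring matching is deliberately crude here ("wire" would also match "wireless"); the NLP the article describes exists to make this kind of signal far less noisy.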
A modern email security strategy built on these tenets will offer comprehensive protection against BEC attacks and other forms of phishing at all stages of the attack cycle to better secure organizational resources and data.
Cloudflare offers cloud-native email security that proactively identifies attacker infrastructure while offering continuous protection against BEC and other forms of email attacks.
As part of the Cloudflare Zero Trust platform — which secures applications and employee browsing to stop malware, phishing, and data loss – integrating Email Security with Zero Trust services removes implicit trust from email to help customers stop BEC and phishing attacks.
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.
After reading this article you will be able to understand:
What’s behind the rise of BEC attacks
How BEC attacks differ from spam
Why traditional email security strategies do not work against BEC attacks
How to modernize email security strategies and prevent BEC