Business Email Compromise

Introduction to Business Email Compromise (BEC)

Posted by Wanxin on Sunday, August 1, 2021

Business Email Compromise (BEC)

The FBI’s Internet Crime Complaint Center (IC3) named BEC as one of the 5 hot topics in 2020. BEC scams used to be the most expensive category of scam (ransomware apparently took over the leaderboard last year), but BEC is still worth the public’s attention. One reason is that some victims never realized they had fallen for a BEC scam at all.

What is BEC?

Business Email Compromise (BEC) is a form of fraud that typically targets specific employee roles within an organization by sending a spoofed email that fraudulently represents a colleague or a trusted customer. The email issues instructions, such as approving payments or releasing client data, and often uses social engineering to trick the victim into transferring money to a bank account controlled by the attackers.

The FBI also defines 5 types of BEC scams, depending on how the attackers position themselves: CEO fraud, account compromise, false invoice scheme, attorney impersonation and data theft. Take the false invoice scheme as an example. Here the attackers commonly target foreign suppliers with this tactic: the scammer poses as the supplier and requests fund transfers to fraudulent accounts.

Common Techniques

There are two common techniques used to launch a BEC attack:

1. Email Spoofing

The goal of spoofing is to trick users into believing the email is from someone they know or can trust. The attacker normally forges the email’s header, so the receiving mail client displays a false sender address (e.g. billgate@microsoft.com) while the actual sender is fraudster@cybercrime.com. Once an email message is composed, the scammer can forge many fields found within the message header, such as the FROM, REPLY-TO and RETURN-PATH addresses.

Email spoofing is possible because the Simple Mail Transfer Protocol (SMTP) does not provide a mechanism for address authentication. As with most other security issues, bad actors found a weakness in the system and took advantage of it. Modern email security tools do have features to defend against this; for example, the common email authentication mechanisms to enforce are:

* Sender Policy Framework (SPF)

* DomainKeys Identified Mail (DKIM)

* Domain-based Message Authentication, Reporting and Conformance (DMARC). It’s mostly used for business brand protection, but you need to identify the list of business domains it applies to.

2. Email Impersonation

Email impersonation might not be the most sophisticated phishing method. It’s simple and widespread, but it can be devastating.

The attacker sets up an email address that looks like a legitimate one (e.g. bill.gates@micr0soft.com). Did you notice the ‘0’ in place of the ‘o’ in the email domain? Such look-alike addresses are much harder to detect, and automated detection could suffer from high false positive rates. As a user, taking a closer look at the sender’s address will reduce a good amount of risk. On the other hand, the company should have some customized protection against this type of email impersonation fraud.
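The two techniques above can both be flagged from the message headers alone. The following is an added example, not code from the original post: it checks a raw message for the header mismatch behind spoofing (Reply-To or Return-Path pointing at a different domain than From) and for impersonation domains that resemble a trusted one. The allow-list of trusted domains and the sample messages are constructed for the demo.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list of domains the organisation trusts (constructed for the demo).
TRUSTED_DOMAINS = {"microsoft.com", "example.com"}

# Digits commonly swapped in for look-alike letters in impersonation domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def normalize(domain):
    """Fold digit-for-letter substitutions so micr0soft.com -> microsoft.com."""
    return domain.lower().translate(HOMOGLYPHS)

def edit_distance(a, b):
    """Levenshtein distance, to catch single-character typosquats (micrsoft.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Domain part of the address in a header value, '' if the header is absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def analyze(raw_message):
    """Return findings for one raw message: header mismatches and look-alike senders."""
    msg = message_from_string(raw_message)
    findings = []
    sender = domain_of(msg["From"])
    # Spoofing check: replies or bounces routed to a different domain than the displayed sender.
    for header in ("Reply-To", "Return-Path"):
        other = domain_of(msg[header])
        if other and other != sender:
            findings.append(f"{header} domain {other} differs from From domain {sender}")
    # Impersonation check: sender domain is not trusted but closely resembles a trusted one.
    if sender and sender not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if normalize(sender) == trusted or edit_distance(sender, trusted) == 1:
                findings.append(f"From domain {sender} looks like trusted domain {trusted}")
    return findings

# Constructed sample messages (not real mail).
SPOOFED = "From: Bill Gates <billgate@microsoft.com>\nReply-To: fraudster@cybercrime.com\n\nPay the invoice.\n"
IMPERSONATED = "From: bill.gates@micr0soft.com\nSubject: Invoice\n\nPay the invoice.\n"
```

Calling analyze(SPOOFED) reports the Reply-To mismatch and analyze(IMPERSONATED) reports the look-alike domain; a message from a trusted domain with consistent headers returns an empty list.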

Read more:

https://www.tessian.com/blog/inside-domain-name-email-impersonation/