Business Email Compromise (BEC) and Email Account Compromise (EAC)
Business email compromise (BEC) attacks ask the victim to send personal information or money out of the organization. Attackers do this by spoofing a person in authority, such as a CEO, COO, or Head of Finance.
Email Account Compromise (EAC) is a highly sophisticated attack in which cybercriminals use tactics such as password spraying, bruteforce, phishing, key loggers or malware to compromise victims' email accounts, gaining unauthorized access to user mailboxes.
Email account compromise can occur if an attacker successfully tricks a user into providing their credentials or if the attacker accesses an account through other means. If an account is compromised, it can be used to move laterally within an organization, steal data, or fraudulently communicate with your business partners or clients.
It is critical to be able to identify attempted email account compromise and the symptoms of accounts that are already compromised. In this way, your organization can limit exposure to both infection and data loss.
BEC is a complex, costly and ever changing security risk in today’s world that often leads to identity theft and spoofing which in turn lead to data compromise and loss of millions in fraudulent transactions. MailSafi offers a multi-layered approach to address the multitude of bad actors out there out to target businesses like yours.
Identity theft could be placing your business at risk
Whether they are spoofing an identity (BEC) or stealing a valid identity (EAC), attackers are using identity theft. This is therefore the mutual email fraud component that needs to be tackled.
BEC/EAC attacks rely on deceiving a user into believing the attacker is someone they are not. What makes BEC/EAC attacks so effective at evading traditional email security solutions is the fact that they don’t utilize traditional malware-based or virus-based methods. Instead BEC/EAC attacks are created by people to deceive people using a variety of methods to such as credential phishing, account compromise, identity deception and social engineering techniques to trick users into divulging confidential information or into activating an unauthorized transfer of funds.
Types of BEC and EAC Attacks
While the end goal of BEC/EAC attacks are the same—to defraud your organization—there are several different attack types or scams. Here are the four current BEC/EAC attack types:
BEC/EAC attacks rely on deceiving a user into believing the attacker is someone they are not. What makes BEC/EAC attacks so effective at evading traditional email security solutions is the fact that they don’t utilize traditional malware-based or virus-based methods. Instead BEC/EAC attacks are created by people to deceive people using a variety of methods to such as credential phishing, account compromise, identity deception and social engineering techniques to trick users into divulging confidential information or into activating an unauthorized transfer of funds.
1. Payroll diversion:
In a payroll diversion scam, a criminal sends a fraudulent email to HR or payroll employees requesting to change or update direct deposit information from a legitimate employee bank account to the fraudster’s account or a pre-paid card account.
2. Gift card scam:
In this attack, the criminal poses as a supervisor or employee with authority and sends an urgent email requesting assistance to purchase gift cards for staff or clients. The email asks for serial numbers so s/he can email them out right away.
3. Supplier invoicing:
Here, the cybercriminal will impersonate a supplier your company regularly does business with and send a request to update bank information for payment of outstanding invoices. When you consider the large dollar amounts often associated with supplier invoices, this type of scam leads to the biggest losses.
4. Merger & Acquisition fraud:
Merger & Acquisition fraud involves the fraudster pretending to be an executive of the victim company (either using impersonation or a compromised account). He or she requests that funds be transferred to a given 3rd party. For example, the email might say something like “We’re buying Company X and we need to make a payment or we risk losing the deal.”
BEC/EAC Tactics
In BEC/EAC attacks, fraudsters leverage these key tactics to impersonate (suppliers or employees) or compromise accounts (of suppliers or employees):
| Impersonation | Display name spoofing Domain spoofing Look-a-like domains |
| Compromised accounts | Credential phishing Bruteforce attacks Password spraying attacks 3rd-party application auth tokens |
Impersonation in email occurs by exploiting technical and human weaknesses. Because people wired to ignore subtle textual differences, look-a-like domains have become a useful tactic in BEC/EAC attacks. Likewise, Simple Mail Transfer Protocol (SMTP) is, by its own admission, “inherently insecure” and therefore prone to both Display Name spoofing and domain spoofing.
Compromised accounts enable cybercriminals time to explore and learn more about their target/target organizations. This means that fraudulent emails sent from that account will be almost indistinguishable from legitimate emails because they will come with the same Display Name and email address. They will also be sent from the same mail server; and they will, therefore, pass all the email authentication protocols (SPF, DKIM, DMARC). Accounts are compromised using stolen credentials (often obtained via phishing, password spraying, 3rd-party application auth tokens or bruteforce attacks).
While every BEC/EAC attack can be mapped to at least one of the tactics discussed above, there are now also more and more attacks that span multiple tactics in a single attempt to defraud. For example:
· The target company’s domain is spoofed (employee impersonation) to steal credentials that gives the threat actor access to an employee’s account (employee account compromise) from which they can then conduct payroll diversion or gift carding scams.
· Cybercriminals use stolen credentials to access the account of a supplier (supplier account compromise) from which they initiate or intercept discussions with the target company’s Accounts Payable team before switching the conversation (very often by introducing the new email addresses into the Cc field) to a lookalike domain of that supplier (supplier impersonation) from which a demand for payment is made.
Multifaceted Defense for a Multifaceted BEC/EAC Problem
No two BEC/EAC attacks are the same. It is therefore important to have a multi-layered approach to security. Additionally, because cybercriminals employ multiple tactics and combinations of impersonation and account compromise, defending against one or two of these tactics is insufficient to address the threat as a whole.
Email security providers that rely only on reputation and malware sandboxing won’t help when good/legitimate email accounts are being used to socially engineer the theft of money by sending payload-less (e.g. text only) messages. You need:
• An email security solution that invests in detecting and stopping impersonation, account compromise, credential phishing and social engineering.
• To invest in training your users (employees or suppliers) to spot and report on these attacks/tactics.
To build such a solution, email security providers need access to the right data sources: email traffic, cloud account activity, user data and domain data. With that information, threat analysts and machine learning models can detect the use of multiple tactics in these types of attacks and implement integrated, adaptive controls across the attack surface of email, cloud accounts and people.
Preventing BEC/EAC Attacks
MailSafi helps in protection against spoofing and phishing attacks; therefore offers protection from BEC. This is achieved by using a multi-layered approach as follows:
• Incoming email traffic analysis and filtering: This analyses source, header and content of email and domain to ascertain and protect against spoofing/identify theft
• Deploying domain validation and email authentication mechanisms (SPF, DKIM and DMARC) to protect client domains and email against identify theft and spoofing
• Blocking all attempts to send unauthorized emails from your trusted domains
• Offering an option to limit access to email accounts by geographical location or by IP address
• Account monitoring to ensure authentication is from an authorized device
• We use intrusion detection systems to identify password spraying and bruteforce attacks on our email and collaboration platforms
• We help in reporting on look-a-like domain registrations
• Removes suspicious and unwanted email from end user inboxes
• Show authentication status across supply chain and business partners
• Highlight brute force attacks and suspicious user behavior across cloud applications
• Force password resets on email accounts that are compromised
• User awareness training on how to identify email security threats and credential theft
• We also give you access to a control panel that gives you visibility and control across your email. This helps you prevent the loss of credentials and identify suspicious behavior accessing these accounts
