Business Email Compromise: Defend Against The $50 Billion Scam

The rise of business email compromise (BEC) has led the FBI to refer to those online crimes as the $50 billion scam. That’s the amount of financial damages reported during a nine-year period by organizations and individuals who fell victim to such attacks.

In a BEC scam, victims receive an email message that appears to come from a known source making what seems to be a legitimate request, like these actual examples:

• An inquiry from one of your company’s customers asks to be forwarded to the current account manager for pricing information.
• An email from a business development agency with a solid reputation suggests a brief consultation about their lead generation methods.

To land in your inbox, both emails passed SPF, DKIM, and DMARC authentication protocols, considered the first line of defense against spam and phishing attacks. Each email appeared to be valid, with no obvious red flags for malicious intent. Yet each turned out to be a BEC scam – a type of online attack on the rise because it’s so successful.

Business Email Compromise: A Growing Problem

According to Verizon’s 2023 Data Breach Investigations Report, phishing emails remain one of the top two methods (along with stolen credentials) used by attackers to access an organization. Sayers is rapidly seeing an increase in concern around BEC attacks; from environments that can range from tens of mailboxes, all the way to tens of thousands of mailboxes.  

Traditionally, organizations used an on-premise Exchange server and routed emails through a secure email gateway, which performed most of their security controls. But the shift from on-premise mail disrupted how a lot of companies look at email security. 

Today, some businesses think they can simply rely on simple security policies as well as SPF, DKIM, and DMARC protocols as authentication safeguards to stop malicious emails. However, 89% of unwanted messages “passed” SPF, DKIM, and DMARC checks and got through anyway, according to Cloudflare’s 2023 Phishing Threats Report.

Other organizations have embraced native Microsoft 365 email security controls; however, attackers are continuously testing how to circumvent these defenses. This increases the likelihood of landing a phishing email into a mailbox, where there’s a chance someone will click on it and result in a successful attack. 

There Is No Silver Bullet For Business Email Compromise

A standard gateway looking for specific domains or URLs already known to be malicious is only part of the solution to BEC attacks. A BEC solution also must stop what hasn’t been seen before, as well as attacks from a legitimate user, who unknowingly has become a victim of an email account takeover. 

That’s why BEC security should take a layered approach to catch a wide array of attacks. 

If your organization is moving away from an on-prem email gateway solution to the cloud, don’t rely solely on cloud-native email security capabilities. Those can be effective spam blockers but aren’t sufficient to stop the more sophisticated BEC attacks that use lookalike domains to appear legitimate. 

Some BEC attacks use URLs to short-lived fake landing pages long enough for the email to be scanned, deemed safe, and sit in someone’s inbox before retroactively changing the landing page into something malicious. Threat intelligence can find it difficult to keep up with these tactics. 

Many organizations are using API-based solutions such as Abnormal, Check Point’s Harmony Email and Collaboration, and Cloudflare Email Security to successfully augment cloud-delivered email security controls. 

In the case of one of the two BEC examples mentioned earlier, an API-based solution dug into the context of the email to make a security decision. It identified that the domain was new (only 13 days old), and had never communicated with the recipient company before. Although there was nothing specifically malicious, the solution put together the signals and flagged them as questionable. This lead to warning signals that blocked the message before the early stages of a compromise could even occur. 

Unfortunately, there is no silver bullet when reviewing email security technologies. What is critical is to find the correct formula of email security technologies and controls to meet the needs of an organization. That formula can and will change from client to client, but is fundamental in providing the necessary security as a first line of defense for employees. From utilizing a traditional secure email gateway, native M365 controls, all the way to an API integrated solution; each has their advantages and disadvantages. Like most other areas in security, layering can be an extremely effective approach to enhancing email security posture.  

When It’s Time To Reevaluate Your Email Security

Before your organization loses money or data from a BEC attack, consider this:

• How happy are you with your email security solution today? Is BEC a concern? 
• How much time is your team spending on investigating questionable emails and false positives?
• What gaps have you identified in your email security? Do you feel you’re adequately covered today?

Because of the success rate of BEC attacks, malicious actors are willing to invest more time and effort in refining their process. Efforts come in the form of utilizing GPT to make a message more believable, to purchasing onmicrosoft tenants to understand and test how to circumvent native controls. It is paramount to continually reevaluate an organization’s email security posture and what can be done to enhance its security. 

Questions? Contact us at Sayers today to schedule a 30-minute email security landscape overview as part of protecting your business.