Spoofing and Business Email Compromise Attacks – Planning Your Best Defense

Business Email Compromise (BEC) attacks target specific individuals in a company, usually executives. In piecing together compromised data by studying a company, its main players, and social media, the attacks are convincing and effective.

Threat actors are utilizing spoofing emails in two distinct ways. First internally, using the CEO’s or CFO’s email accounts, after social engineering research. Or carry out a defrauding attack extracting payments from what is perceived to be a vendor’s account but is really a threat actor’s account. Second externally, using a spoofable email infrastructure to send out emails to a company’s user base and customers – resulting in brand damage, as well as lost customers and revenue. 

This was the case of the malicious “netflix.om” website, by misspelling the Netflix’s website ever so subtly. Website spoofing refers to the creation and use of malicious sites which closely resemble legitimate, and usually, very well-known websites. With so much information available on social media, cyber attackers have many options for their attacks, and data points to how successful they are: Fifty percent of top Alexa 500 sites are spoofable.

Web spoofing attacks also come in the form of content theft by copying all of a legitimate site’s content via a “spider” and by altering links to a spoofed website. Once sites harvest online banking credentials, social security numbers, or any other highly valuable information, attackers load malware onto the visitor’s computer.

BEC: The Billion Dollar Threat

Phishing can net quite a haul when directed towards a company’s executives. In fact, such business email compromise (BEC) attacks are increasingly prevalent, costing companies around the globe more than $5 billion in losses over three years.

BEC attacks either convincingly spoof a CEO’s email account or infiltrate that executive email address first, and then send the attack messages from that compromised account. A study on manual hijacking incidents –  organized by humans as opposed to botnets – that occurred at Google, found that, “phishing requests target victims’ email (35%) and banking institutions (21%) accounts, as well as their app stores and social networking credentials.”

From that initial foothold, cyber criminals can then dupe someone in accounting to wire a large sum of money to an attacker’s overseas bank account or fool the head of HR to send W2s loaded with personally identifiable information (PII) straight to them.

In either case, traditional spam and even phishing filters are powerless to defend against this attack, as there’s no foreign prince, no obvious foreign IP address, or mention of Viagra. Besides sidestepping the usual digital defenses, BEC attacks bypass human scrutiny as well: people are 74% more likely to open an email if it comes from their teammates or someone else within the organization. Especially when the email is crafted to look and feel like it was actually sent from a legitimate teammate.

Luring Targets

Until the recent development of DomainKeys Identified Mail (DKIM), there hasn’t been a standard, reliable, and vendor-neutral mechanism for verifying that an email landing in someone’s inbox came from the address listed on the message. Cyber attackers exploit this lack of verification by using legitimate domains to disguise their malicious activity in the “From” and “Reply-To” fields. The recipient is tricked into clicking on any links in the message. Those links, in turn, take the target to a spoofed website.

Although these two types of spoofing can be used separately, attackers have learned that they are very effective when combined, resulting in a phishing attack. When phishing is combined with reconnaissance of the target’s public-facing online accounts (Google, LinkedIn, Facebook, etc.), social engineering, and a highly targeted email message, the result is spear phishing. With spear phishing, a highly targeted form of phishing, cyber criminals put much more effort and research into crafting the emails because they aim to compromise specific individuals within an organization. By expanding the extra time and effort, cyber attackers can make quite convincing fake emails which are more likely to be read and clicked on.

Tips for Defending Against BEC Attacks

No surprise:  the best defense is a multi-layered one. Thoroughly training all staff on how to spot phishing emails becomes a higher priority each year for companies. And enabling two-factor authentication for all email accounts (especially those belonging to HR, finance, IT, and the C-suite) can also prevent hackers from sending out the fraudulent emails even if they manage to obtain email login credentials.               

Another layer of defense is an efficient email threat management (ETM) solution which leverages both SPF and DKIM, two technologies email recipients can use to verify the sending domain of the message, stopping spoofing emails before they land in your inbox. By providing a dashboard overview of your DMARC data as well as daily and weekly reports on email rejections and other relevant performance data, an ETM can pay for itself many times over by preventing the bait of a phishing attack from ever reaching your employees,

With a robust ETM platform in place, you will have far fewer concerns and defenses set up to protect you and your business. It’s the win-win solution on this one.