By: Collabrance LLC on February 20th, 2023
The Technical Guide to Combatting Business Email Compromise
Business email compromise – abbreviated as BEC – is evolving every day. Yahoo Business predicts the cost of BEC exploits to eclipse $3.3 billion by 2028. With attacks becoming progressively more sophisticated and deliberately targeted at specific industries – such as financial services companies that manage accounting and online banking – it’s imperative that employees at every level of a company be cognizant of what information they receive electronically and know how to identify potential “spear phishing” attacks.
With the outbreak of COVID-19 and the mass shift to remote work – and the increased use of cloud-based services to get data to team members – it became easier to deceive users into accepting a bogus email that would compromise credentials. The threat of BEC and the need for education about its risk skyrocketed.
Managed security providers can prove themselves to be an indispensable part of a business’s BEC defense strategy, but IT leaders and technicians need training and education to adequately prepare and protect customers from business email compromise.
Business email compromise and what to look for
Phishing and spoofed emails come in many clever forms, commonly targeted at high-level employees such as executives, finance chairs, and human resources staff (a cybercriminal will typically target areas where the payoff is going to be worthwhile). To protect your business – and that of your customer – from a BEC incident, you need to know how to identify suspicious emails, how to block them, and how to protect a company’s integrity and reputation if a breach does occur.
So, what does business email compromise look like? BEC is a cyberattack involving the hacking, spoofing, or impersonation of a business email address. When executed, the victim of the attack receives an email that appears to come from a trusted organization. The email looks and feels genuine, but it likely contains a phishing link, a malicious attachment, or a request to transfer money to the attacker. Here are some of the most common ways a potential phishing attack may be carried out:
- Phishing: A social engineering attack conducted via email. There’s also “smishing” and “vishing” – social engineering attacks conducted via SMS and voice, respectively.
- CEO fraud: A phishing attack in which the attacker impersonates a company executive.
- Whaling: A phishing attack targeting a high-level corporate executive.
- Wire transfer fraud: A phishing attack in which the attacker persuades the target to transfer money to their account.
All these social engineering attacks involve some form of impersonation, and fraudsters use every tool available to make their impersonation more convincing. One of the best tools available is a genuine — or genuine-looking — business email address. BEC attacks target both individuals and businesses, and the attacker will generally use BEC to gain access to one of the following:
- Money: According to Verizon’s 2021 Data Breach Investigations Report, the vast majority of cyberattacks are financially motivated.
- Account credentials: A fraudulent email might contain a phishing link leading to a fake account login page from which the attacker can obtain a user’s username and password. The FBI warns that this variant of BEC is on the rise.
- Gift certificates: BEC attackers may be able to persuade their target to purchase gift certificates rather than transferring funds. Payment is exchanged, but a gift certificate is never received.
Remember, if anything looks out of the ordinary, err on the side of caution. Report suspicious emails and don’t click on suspicious links. When someone is asking for money, account credentials, gift certificates, or other sensitive information, find an additional way to verify with that person before taking action.
A closer look at BEC tactics
As stated above, a BEC attack is any phishing attempt where the target believes they have received an email from a legitimate contact or business. There are several ways a cybercriminal may mimic a business email. Email impersonation and email spoofing are two of the most common methods.
Email impersonation is when the attacker creates an email account that looks like a business email account: they impersonate someone from a company or professional network and set up a dummy account under a lookalike name. A domain like Microsoft.com may be imitated as ‘microsott.com’, or a domain similar to your company’s may swap an ‘N’ for an ‘M’, so that at first glance the difference goes unnoticed. Even if an email like this contains a request for payment or a phony attachment, it may not cause alarm if the recipient is used to receiving similar emails that are legitimate. The impersonation doesn’t have to be precise – as noted by Verizon, “BEC doesn’t even have to compromise a business email address. ‘Your.CEO@davesmailservice.com’ comes up all too often in our dataset.”
Email spoofing involves forging an email’s sender address. If you receive a spoofed email, the “from” field may contain a genuine email address, identical to one that’s familiar to you – but it’s not from who it appears to be. Instead, it’s a hacker. Spoofed email addresses may include a trusted contact, a corporate email address, a high-level CEO, or a vendor in a company’s supply chain, among other variations. Spoofed emails can also be used to send commercial spam to a large volume of people.
While email spoofing can have serious consequences, it’s not particularly difficult for a hacker to do – it requires only some backend software engineering, because the mail protocols do not by themselves verify who filled in the sender fields. Although email filters and apps are getting better at detecting spoofed emails, they still slip through.
So how, technically, is an email address spoofed? Let’s break it down:
All emails consist of several parts:
- Envelope: Tells the receiving email server who sent the email and who will receive it. When you get an email, you don’t see the envelope.
- Header: Contains metadata about the email, including the sender’s name and email address, the send date, subject, and “reply to” email address. When you get an email, you see the header.
- Body: The content of the email itself.
Spoofing is so common because it’s surprisingly easy to forge the “from” elements of an email’s envelope and header to make it seem like someone else has sent it. To judge an email’s legitimacy, a technical expert should look at the “authentication path” – the SPF, DKIM, and DMARC results – along with other pieces of the email header. For example, an X-Forefront-Antispam-Report-Untrusted header indicates that the message has been detected as spam. The “Received” headers and the email’s path should also be studied; if the email is bouncing around from server to server, it’s likely malicious.
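The header checks described above, as an added Python example that is not from the Collabrance post: it parses a constructed message with the standard library, compares the visible From domain against the envelope sender (Return-Path) and Reply-To, reads the SPF/DKIM/DMARC verdicts the receiving server recorded in Authentication-Results, and counts Received hops. Every domain, address and header value in the sample is invented for illustration.

```python
"""Inspect an email's authentication path for signs of spoofing."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample (not a real message): the visible From claims a
# trusted domain, while the envelope sender, Reply-To and the
# authentication verdicts all point elsewhere.
SAMPLE_HEADERS = """\
Return-Path: <bounce@davesmailservice.example>
Received: from mx2.davesmailservice.example (203.0.113.7) by mail.recipient.example
Received: from relay.davesmailservice.example (198.51.100.9) by mx2.davesmailservice.example
Authentication-Results: mail.recipient.example; spf=fail smtp.mailfrom=davesmailservice.example;
 dkim=none; dmarc=fail header.from=yourcompany.example
From: "CEO Name" <ceo@yourcompany.example>
Reply-To: ceo.urgent@davesmailservice.example
Subject: Urgent wire transfer

Please wire the funds today.
"""


def domain_of(header_value):
    """Lower-cased domain of the first address in a header (or '')."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def analyze(raw):
    """Return findings about the message's envelope/header alignment."""
    msg = message_from_string(raw, policy=policy.default)
    from_dom = domain_of(msg["From"])
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    reply_dom = domain_of(msg["Reply-To"])
    f = {
        "from_domain": from_dom,
        "envelope_domain": domain_of(msg["Return-Path"]),
        "reply_to_domain": reply_dom,
        "received_hops": len(msg.get_all("Received", [])),
        "verdicts": verdicts,
    }
    # The header From is what the user sees; the envelope sender is what the
    # receiving server saw. A mismatch is the classic spoofing tell.
    f["envelope_aligned"] = f["envelope_domain"] == from_dom
    f["reply_to_aligned"] = not reply_dom or reply_dom == from_dom
    f["auth_passed"] = all(verdicts.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    f["suspicious"] = not (f["envelope_aligned"] and f["reply_to_aligned"] and f["auth_passed"])
    return f
```

An Authentication-Results header is only trustworthy when your own receiving mail server added it, since a sender can insert one as easily as any other header; run this against messages as the server stored them, not as forwarded by a user.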
Email impersonation and email spoofing are similar, but email spoofing differs in that the sender’s address is identical to a real email address. Both are ways for an attacker to achieve some sort of monetary gain, because either can appear to come from a trusted source.
Verify the validity of every email
Every business email should be scrutinized with caution. If you’re not 100% sure of an email’s validity, pick up the phone and call to verify the source of the email – and advise your colleagues and customers to do the same. Educate your techs, employees, and customers about the various business email compromise tactics that exist and train them to recognize the signs that something’s amiss. Security isn’t only the job of a technical expert; a company’s employees are its first line of defense. BEC is ever-changing and new threats and vulnerabilities are being discovered each day.
Collabrance offers MSPs the comprehensive security solutions their customers need and can trust. To learn more about business email compromise and how to protect your business and customers from compromise, contact Collabrance today.