Business email compromise (BEC) continues to be a costly thorn in the side of organizations and businesses the world over. In the recently published 2018 Internet Crime Report by the FBI’s Internet Crime Complaint Center (IC3), the agency states that in 2018 alone, it received 20,373 BEC/email account compromise (EAC) complaints that racked up a total of over US$1.2 billion in adjusted losses. The steep amount makes up 48% of the cybercrime-related financial losses reported in the past year, which amounted to US$2.7 billion. It is also an almost 77% increase over 2017’s losses.
BEC involves the sophisticated targeting of businesses and individuals by employing social engineering tactics to trick victims, who are usually in finance-related departments, into performing unauthorized wire transfers. Because a BEC attack does not usually involve malicious attachments in emails being sent to a target victim — and relies instead on an attacker’s cunning and deception — it can evade traditional antivirus solutions. This is why, despite organizations being aware of what it is, BEC remains a lingering threat that affects more victims as the years go by. In the Trend Micro annual security roundup for 2018, Trend Micro telemetry showed a 28% increase in BEC attempts from 2017.
In addition, attackers have been seen diversifying their BEC tactics. The IC3 reports that in 2018, it saw an increase in the number of BEC complaints wherein the victims were fooled into buying gift cards. The request comes via fake emails, phone calls, or text messages from an attacker pretending to be a person of authority. The IC3 also states that among the thousands of complaints it received, it found that BEC attacks commonly involve the compromise of personal and vendor emails, fake lawyer email accounts, and requests for W-2 information, which is sensitive personal tax information. The real estate sector has also been a constant target for BEC fraudsters.
In February 2018, the IC3 established the Recovery Asset Team (RAT) to help individuals and organizations recover funds that have been siphoned off by cybercriminals using BEC tactics. RAT also assists victims in communicating with various financial institutions to aid in the swift processing of fund reversals, as well as with law enforcement to foster proper investigations. Between February and December of last year, IC3’s RAT successfully recovered 75% of stolen funds from BEC incidents, which amounted to US$192 million.
Keeping BEC at Bay With a Combination of Practical and Advanced Solutions
To be vigilant and to be knowledgeable — these are important traits individuals and organizations should have to keep BEC at bay. Because BEC attacks succeed through sophisticated social engineering techniques, getting educated on how to spot BEC emails is a must. Employees are a company’s best assets, but if untrained, they can also be its weakest links. Here are a few practices for organizations to enforce to stay protected against BEC attacks:
Employees should examine each email closely. Employees should carefully review emails coming from C-suite executives or vendors requesting fund transfers, especially if the request is framed as urgent.
Training for employees on how to spot BEC emails should be provided. Information security teams should educate all employees on the importance of being wary of possibly malicious emails and following the company’s security best practices.
Finance-related requests should always be verified. Whether it’s a fund transfer approval or a change of vendor payment information, employees in finance and even payroll departments must always seek a documented sign-off. Calls to verify fund requests should be part of the process. The employees should make sure to call known and familiar company numbers, not those provided in the email requests.
Aside from these practical steps, enterprises can benefit from advanced technologies that can keep fraudsters from stealing substantial amounts of money through email-based attacks. Trend Micro™ email security products use artificial intelligence (AI) and machine learning to defend against BEC. This anti-BEC technology combines the knowledge of a security expert with a self-learning mathematical model to identify fake emails by looking at both behavioral factors and the intention of an email.
This unique AI technology, which Trend Micro calls Expert System, mimics the decision-making process of a security researcher. The system will assess if an email originates from a questionable email provider. It will flag the email if the sender’s email address is not similar to that of a target organization, or if it is using an executive’s name at the recipient’s organization, as well as other factors employees may not be able to immediately look for or spot. It also has a “high-profile user” function that allows the engine to apply additional scrutiny and correlation with commonly spoofed senders and their real email addresses.
Additionally, the Expert System engine is also able to securely assess the content of an email to decipher its intention and alert users to suspicious BEC factors, such as terms that express urgency, a request for action, or a financial implication. The Expert System compiles all the results and turns them over to the engine’s machine learning system.
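As an added illustration of the kinds of checks described above, the following Python is not Trend Micro's code and is far simpler than the Expert System: it scores one email on the header factors (questionable provider, sender address not the organization's own, an executive's name on a foreign address) and the content factors (urgency, request for action, financial implication). The organization domain, the executive list, the term lists and the two sample messages are all constructed assumptions.

```python
import email
from email.utils import parseaddr

# Constructed, assumed values for the protected organization (not from the article).
ORG_DOMAIN = "example-corp.com"
HIGH_PROFILE = {"jane doe": "jane.doe@example-corp.com"}   # "high-profile user" list: name -> real address
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENCY = ("urgent", "immediately", "asap", "right away", "before end of day")
ACTION = ("please process", "please send", "make the payment", "update the bank")
FINANCIAL = ("wire transfer", "invoice", "payment", "bank account", "gift card")

def bec_indicators(raw_email: str) -> dict:
    """Score one RFC 822 message on the header and content factors listed in the text."""
    msg = email.message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    name, addr = name.strip().lower(), addr.lower()
    domain = addr.rpartition("@")[2]
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    found = []
    if domain in FREEMAIL:
        found.append("freemail_provider")        # questionable email provider
    if domain != ORG_DOMAIN:
        found.append("external_sender")          # address is not the organization's own
    real = HIGH_PROFILE.get(name)
    if real and addr != real:
        found.append("executive_name_mismatch")  # executive's name on a different address
    for label, terms in (("urgency", URGENCY), ("action_request", ACTION),
                         ("financial", FINANCIAL)):
        if any(t in text for t in terms):
            found.append(label)
    score = len(found)
    verdict = "likely_bec" if score >= 4 else "suspicious" if score >= 2 else "clean"
    return {"from": addr, "indicators": found, "score": score, "verdict": verdict}

# Constructed sample messages (not real traffic).
SPOOFED = """From: Jane Doe <jane.doe.ceo@gmail.com>
To: accounts@example-corp.com
Subject: Urgent wire transfer

I am in a meeting and need this done immediately. Please process the payment
to the vendor bank account below before end of day.
"""
BENIGN = """From: Bob Smith <bob.smith@example-corp.com>
To: accounts@example-corp.com
Subject: Team lunch

Are we still on for lunch on Friday?
"""

if __name__ == "__main__":
    for sample in (SPOOFED, BENIGN):
        print(bec_indicators(sample))
```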
Trend Micro solutions also employ Writing Style DNA technology, which uses AI to properly and securely recognize the DNA of a user’s writing style based on past written emails to compare it with suspected fake emails. The Writing Style DNA is used by Cloud App Security™ and ScanMail™ Suite for Microsoft® Exchange™ solutions to cross-match a suspicious email’s writing style to the supposed sender’s using 7,000 writing characteristics as patterns, which include capitalization of words, usual sentence length, and the use of punctuation marks, among many others.
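To show the idea behind a writing-style comparison, here is an added example that is not Trend Micro's Writing Style DNA and uses only five stand-in characteristics (the product uses about 7,000): it builds a per-feature mean and spread from a user's past emails and reports how far a suspect email sits from that profile. The past emails, the legitimate new email and the suspect email are constructed assumptions.

```python
import re
import statistics

def style_features(text: str) -> dict:
    """A few stand-in writing characteristics: sentence length, capitalization, punctuation."""
    sentences = [s for s in re.split(r"(?<=[.!?])\s+", text.strip()) if s]
    words = re.findall(r"[A-Za-z']+", text)
    n_words, n_sent = max(len(words), 1), max(len(sentences), 1)
    return {
        "avg_sentence_len": len(words) / n_sent,
        "capitalised_ratio": sum(w[0].isupper() for w in words) / n_words,
        "comma_rate": text.count(",") / n_words,
        "exclaim_rate": text.count("!") / n_words,
        "lowercase_sentence_start": sum(s[0].islower() for s in sentences) / n_sent,
    }

def style_profile(past_emails) -> dict:
    """Per-feature (mean, population stddev) over the user's known emails."""
    rows = [style_features(t) for t in past_emails]
    profile = {}
    for k in rows[0]:
        vals = [r[k] for r in rows]
        profile[k] = (statistics.mean(vals), statistics.pstdev(vals))
    return profile

def style_distance(profile: dict, text: str) -> float:
    """Mean absolute z-score of a suspect email against the profile; higher = less like the user."""
    feats = style_features(text)
    zs = [abs(feats[k] - mu) / (sd if sd > 0 else 0.05)  # floor the spread for constant features
          for k, (mu, sd) in profile.items()]
    return sum(zs) / len(zs)

# Constructed past emails from the same (assumed) user.
PAST = [
    "Hi team, please find the quarterly report attached. Let me know if you have any questions. Thanks, Jane",
    "Hello all, the vendor meeting moved to Thursday. Please update your calendars accordingly. Regards, Jane",
    "Good morning, I reviewed the draft and left a few comments. We can discuss them tomorrow. Best, Jane",
]
LEGIT = "Hi Bob, the budget figures look right to me. Please send them to finance when ready. Thanks, Jane"
SUSPECT = "hey bob i need a wire transfer done right away!!! send it now and confirm asap!! cant talk in meeting"

if __name__ == "__main__":
    prof = style_profile(PAST)
    print("legit   :", round(style_distance(prof, LEGIT), 2))
    print("suspect :", round(style_distance(prof, SUSPECT), 2))
```

A production system would threshold on a calibrated score and combine it with the header and content factors rather than rely on stylometry alone.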