Email security

How security teams can defend against BECs

Today’s columnist, Tim Helming of Domain Tools, writes that the FBI found that BEC fraud has become the highest-grossing type of cybercrime. (Photo by Chip Somodevilla/Getty Images)

It’s difficult these days to find any enterprise that doesn’t have to share sensitive data with other organizations, including financial information, personal identifiable information (PII), and intellectual property. The volume of digital communication between the parties doesn’t always allow for verification of the author, which in turn lets criminals hijack conversations and commit business email compromise (BEC), phishing, and domain spoofing attacks. An average of 3.4 billion phishing emails have been sent out daily throughout the world since the beginning of this year, making this threat one of the most widespread cybercrimes internet users encounter.

What’s lurking in the shadows? Criminals carry out reconnaissance on their victims to understand with whom they do business, their communication patterns, and what kind of communication they share. Once they have determined the nature of the social engineering they plan to pull off, they then set up the infrastructure they need to carry out the scheme. This can include elements such as lookalike domains and email accounts to dupe people into sending them funds.

We can find one example in the FBI’s IC3 Internet Crime Report 2021, which detailed bad actors impersonating construction companies conducting BEC to defraud entities working with these companies for large-scale projects. Cybercriminals consulted publicly-available sources to collect information on all involved parties. Armed with this knowledge, they crafted fraudulent messages specific to those relationships.

In the town of Peterborough, N.H., in August 2021, scammers cost the authority’s taxpayers $2.3 million after they impersonated genuine firms involved in projects at the Con-Val School District and Main Street bridge. And in April 2021, a German health authority paid $2.4 million for PPE supplies to a bad actor impersonating a real supplier.

BEC fraud has become the highest-grossing type of cybercrime, according to the FBI. More than one-third of all cybercrime losses are attributed to BEC scams, causing about $2.4 billion in losses to U.S. businesses last year, a 33% increase from 2020 and a tenfold increase from just seven years ago.

The reason for this rash of BEC has largely to do with the returns phishing generates for criminals. It really does just take one click for users to hand the keys to the digital kingdom over the hackers, with data also revealing that 58% of ransomware attacks today originate from phishing and spam emails.

As threat actors and cybercriminals see higher earnings from their attacks, they are becoming even more crafty with their techniques. That being the case, how can an organization get ahead of adversaries and protect against BEC attacks and domain spoofing?

Protect against BEC attacks

The first and most important security measure all comes down to effective security awareness training that includes regularly showing employees the techniques that attackers use. It’s important to source high-quality training—many of us in the cybersecurity community have heard horror stories about dull, or perhaps even worse, insulting, security training. It pays to spend some time identifying well-regarded trainers and materials, to turn employees from risk vectors to potential early-warning systems. The right training will encourage employees not only to remain cautious and on guard for these types of threats, but to report them promptly to the security team.

Furthermore, it’s critical to put processes in place where employees must verify transactions and partner details before initiating transfers. It shouldn’t matter if a request seemingly coming from the CEO or has been flagged as urgent (word to the wise: most BEC phishes are, in fact, flagged as urgent): no transactions should get processed without first confirming the recipient’s details outside of the email context. For example, the recipient could call the CEO, or use an internal instant messenger service, or if in a brick-and-mortar environment, actually stop by their office, to verify whether the request was authentic.

Organizations also need to train employees in some of the more straightforward—but still effective—ways to spot fraud. They should verify the domains and email addresses people are contacting them from, being especially sensitive to typos or other variations that look similar to—but not exactly the same as—the legitimate domain. That being said, there are also a variety of tools available that give organizations feeds of recently registered domains. Some of these tools will look for intentional typos and other variations on keywords to catch some of the tricks that adversaries use. There are also tools that allow for exploration of DNS data to find connected infrastructure (for example, shared IP address hosting, shared name servers, shared registration details). Security teams can effectively use such tools to block or flag suspicious domains on an automated basis.

While ransomware continues to garner big headlines, BEC attacks remain a major concern for businesses today, with higher losses cumulatively than ransomware. Meanwhile, attackers enhance their scams by spoofing domains in a bid to secure more malicious funds. Companies must make protection against these attacks a priority, and with the right tools, training, and processes, organizations can remain one step ahead of the criminals who seek to prey on them.

Tim Helming, cybersecurity evangelist, DomainTools

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.