If an average employee at your company got an email from an executive with an urgent request, would they question whether the email was coming from the actual sender? They probably wouldn’t. The reality is that most people would act on the request because of its time-sensitive nature. They assume that the IT team has the right technology in place to validate email senders so they can focus on doing their work. But this is why attackers succeed. Their target thinks the email is coming from someone they trust and consequently, their organization gets breached. This type of attack is called Business Email Compromise (BEC), email spoofing or spoof abuse. The FBI estimates it has cost companies $5.3B globally – far more than the $1B in 2016 for ransomware.
How does BEC work?
For those of you not familiar with the leading security breaches, you might be wondering…how does it actually work? In a nutshell, attackers impersonate someone you trust so they can trick you into releasing confidential information (like W2s or social security numbers here in the U.S.) or sending money via wire transfers. Like any good student, attackers do their homework performing extensive social media research on their target and building relevance and a message history to get their victim to take the bait at the right time. Attackers also play on an employee’s fear of consequences to drive a sense urgency that leads their target to act quickly versus taking other steps to verify the request. BEC attacks have been largely focused on impersonating high-value users such as the CEO or CFO. However, we know that attackers are broadening their horizons.
To give you one simple example of what attackers do, take a look at this image below. Can you spot the difference?
The left-hand side reflects the “Friendly From”. If you look at the underlying text for the address or “Mail From”, you get what’s on the right-hand side, which shows the actual address. Cisco is obviously spelled wrong – cisc0 – a zero rather than an o. While the username is also incorrect, what’s also worth pointing out is that the attacker is using a slight variation of the actual domain. This is only one of the ways attackers deceive users, there are others. From a technical point of view, BEC attacks will attempt to manipulate one or more parts of the SMTP message.
How to Protect
So now that you have an idea about what BEC is and how it works, you’re probably wondering what you can do to protect against it. There are two immediate ways: 1) educating your users and 2) making sure you have the right email security protection.
User Education and Training
First, you should raise awareness within your organization and train employees to be more aware about this type of attack. For example, at Cisco we recently received an email cautioning us about potential phishing scams given the increased number of emails related to online holiday shopping. In addition, IT sends out their own faux malicious emails. If a user falls for it and clicks the link, they’re taken to a page that talks about the dangers of phishing.
You can also train your users to compare the “Friendly From” with the “Mail From”. It sounds complicated, but it’s not. And you can do this on all mail user agents. Read this blog to learn more about how to do this. But you’re probably wondering, “what if I’m checking email on my mobile phone?”. Typically, mobile devices are too small to compare the “Mail From” and “Friendly From” addresses. If you’re checking your email from your mobile device and suspect it is not from the actual sender, you should wait to check the message until you are on your laptop.
Robust Sender Authentication in Your Email Security Solution
Another must when preventing BEC attacks is making sure that your email security solution has robust sender authentication capabilities. Cisco Email Security offers a suite of tools that include: DKIM, SPF, DMARC, as well as a feature called Forged Email Detection. This feature leverages a content filter that helps validate the sender’s identity and gives administrators a choice of remediation options. Also, by leveraging multiple pieces of intelligence available on Cisco Email Security, you can construct a customized policy to take the desired action. All of these tools make it harder for attackers to succeed.
To understand more about how Cisco can help address BEC and other email threats, visit http://www.cisco.com/go/emailsecurity. If you’re ready for a free test drive of Cisco Email Security, we’re offering a free, 45-day trial of our solution.
An interesting read, thank you. These sort of email-related attacks are just some that I've been trying to deal with lately (the most prominent one being the constant attempts to crack my WordPress site with basically brutal force). I am curious – there are plenty of projects and tools to check website validity and general information (such as http://webanalysis.tools , among many others). Is there a similar tool to check email validity? Perhaps automatically upon receiving the email?
This is still very true, yet the warnings have gone on for years. Make certain your security teams alert your teams with this threat.