BEC scams are a surging problem that grew in damages from $1.2 billion in 2018 to $1.8 billion in 2020. Also known as a 'man-in-the-email' attack, a BEC scam is intended to defraud companies, their customers, partners, and employees by duping them into sending money or sensitive information to fake accounts, sites, or users.
It’s important to pay close attention to the different BEC methods and identify the attack vectors quickly to be able to defend against them.
BEC Scams Prey On Human Error
BEC scams are usually fraudulent emails that use social engineering to target select individuals in a company. These emails are often meticulously designed with spoofed domains and corporate email signatures in an attempt to try to trick employees of their legitimacy. BEC oftentimes capitalizes on the power dynamic of lower-ranked employees who think they have been asked to perform a task from more senior-ranked employees. Attackers will leverage three elements to cultivate a sense of trust and urgency:
- The mail comes from a seemingly known and trusted sender.
- The mail targets the most logical recipient of a demand/request.
- The mail originates from a trusted domain.
These elements make the emails persuasive, and employees often fall victim to them. For a deeper dive on BEC scams, visit our blog on “What are BEC Scams?”.
The Anatomy of a BEC Scam
BEC scams can be broken down into 4 key stages. Below, we have mapped out the stages by which an attacker would execute their scam:
1. Picking the Right Target
Attackers can spend days or weeks canvassing potential targets to identify the right one. They must pick the right person to impersonate to obtain the best results. The reconnaissance covers the entire internet footprint of the target, including social media, messaging platforms, and their geolocation.
2. Setting up the Attack
Unlike a mass phishing email, BEC attacks are painstakingly crafted to appear as real as possible. Attackers either use a compromised email account of a trusted third party or impersonate a trusted sender using spoofed emails and lookalike domains.
3. Executing the Attack
The execution differs from attack to attack. While some attacks use a single email to defraud, many others set up a long chain of correspondence to gain trust. Sometimes, an attacker can even use a Remote Access Trojan (RAT) to download files or malware to infect systems or applications.
4. Covering their Tracks
Once the final goal of tricking the intended target is achieved, the attacker will usually receive the fraudulent payment and quickly disburse the money into other accounts to try to cover their tracks and avoid account freezes.
Best Strategies For Stopping BEC Scams
BEC attacks are growing, and organizations need to leverage multiple forms of defense to combat this threat. Here's a list of the top five strategies that are effective in combating BEC scams:
1. Tracking Spoofed Domains with MX Records
The Mail Exchanger record is a type of resource record in the DNS that specifies the mail server responsible for accepting email messages on behalf of a recipient's domain. It also provides a preference value to prioritize mail delivery if multiple servers are available. It is a great resource to identify rogue domains with active MX records.
While domain monitoring is not a new tactic, it has primarily been focused on trademark infringement. The focus now needs to shift to BEC protection, where organizations should track spoofed domains with active MX records. This strategy is critical to spotting potential BEC attacks before they even happen. Spoofed domains with active MX records are dangerous because attackers can use them to send emails that steal funds, infect systems with malware, or give attackers privileged access.
Suspicious parked domains with active MX records also need to be flagged in the email protection suite to neutralize potential threats. This measure drastically brings down the risk of BEC and spear phishing attacks.
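The monitoring described above can be reduced to two steps: generate the lookalike variants of your own domain, then check which of them have an MX record. The following is an added example (not Bolster's code) that implements both steps. The MX lookup is injectable so the logic runs offline against a constructed answer table; `dnspython_mx_lookup` is an optional live resolver that assumes the dnspython package is installed. The typo-generation rules (omission, transposition, keyboard neighbours, homoglyphs, affixes, alternate TLDs) are a small constructed subset of what a full tool would use.

```python
"""Flag lookalike variants of a brand domain that have active MX records.

Added example, not Bolster's code. The resolver is passed in as a callable so
the logic can be exercised offline; dnspython_mx_lookup needs dnspython.
"""
from typing import Callable, Dict, Iterable, List

# Constructed, deliberately small adjacency and homoglyph tables.
KEYBOARD_NEIGHBOURS = {"a": "qs", "e": "wr", "i": "uo", "o": "ip", "s": "ad", "t": "ry"}
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3"}
COMMON_TLDS = ("com", "net", "org", "co")


def generate_lookalikes(domain: str) -> List[str]:
    """Return typosquat candidates for a registered domain such as 'example.com'."""
    label, _, tld = domain.lower().rpartition(".")
    variants = set()
    # 1. single-character omission
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])
    # 2. adjacent-character transposition
    for i in range(len(label) - 1):
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    # 3. keyboard-neighbour substitution
    for i, ch in enumerate(label):
        for nb in KEYBOARD_NEIGHBOURS.get(ch, ""):
            variants.add(label[:i] + nb + label[i + 1:])
    # 4. homoglyph substitution (digits that resemble letters)
    for i, ch in enumerate(label):
        if ch in HOMOGLYPHS:
            variants.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
    # 5. common prefix/suffix additions
    variants.add(label + "-secure")
    variants.add("mail-" + label)
    candidates = {f"{v}.{tld}" for v in variants if v}
    # 6. the unmodified label under other TLDs
    candidates |= {f"{label}.{t}" for t in COMMON_TLDS if t != tld}
    candidates.discard(domain.lower())
    return sorted(candidates)


def flag_domains_with_mx(candidates: Iterable[str],
                         mx_lookup: Callable[[str], List[str]]) -> Dict[str, List[str]]:
    """Return {domain: [mx hosts]} for every candidate that has an MX record."""
    flagged: Dict[str, List[str]] = {}
    for d in candidates:
        hosts = mx_lookup(d)
        if hosts:
            flagged[d] = hosts
    return flagged


def dnspython_mx_lookup(domain: str) -> List[str]:
    """Live resolver (assumes dnspython); returns [] when the name has no MX."""
    import dns.resolver  # optional dependency, imported lazily
    try:
        answers = dns.resolver.resolve(domain, "MX")
        return sorted(str(r.exchange).rstrip(".") for r in answers)
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer, dns.resolver.NoNameservers):
        return []


# Constructed answer table standing in for DNS, so the demo runs offline.
FAKE_MX = {
    "examp1e.com": ["mx1.examp1e.com"],
    "example.net": ["mail.example.net"],
}


def demo(domain: str = "example.com") -> Dict[str, List[str]]:
    """Generate candidates for `domain` and flag those with (fake) MX records."""
    return flag_domains_with_mx(generate_lookalikes(domain), lambda d: FAKE_MX.get(d, []))


if __name__ == "__main__":
    for d, hosts in demo().items():
        print(f"ALERT: lookalike {d} accepts mail via {', '.join(hosts)}")
```

In production, replace the constructed `FAKE_MX` table with `dnspython_mx_lookup` (or your resolver of choice), run the check on a schedule, and feed the flagged domains into the email protection suite's block list, which is the "flag parked domains with active MX" step the text describes.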
2. Leveraging URL Sandboxing
URL sandboxing helps protect users from visiting malicious sites or downloading malware linked in emails. Harmful links are neutralized by the sandbox, keeping the user from reaching a malicious site or accidentally falling prey to a drive-by download. Sandboxes can be configured with different policies for different types of threats, such as blocking malicious emails or quarantining suspicious emails.
3. Using SPF, DKIM Signatures, and a DMARC Policy
Companies can negate the issue of fake internal correspondence by setting up SPF, using a DKIM signature, and implementing a DMARC policy. SPF specifies the servers authorized to send email for the domain, DKIM signatures add an extra layer of authentication, and the DMARC policy tells receiving servers what to do with messages sent under your domain that fail SPF and DKIM verification.
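The following added example (not Bolster's code) shows the three DNS records for a constructed domain, example.com, and walks through the decision a receiving server makes: DMARC passes only if SPF or DKIM passes for a domain that aligns with the visible From header, otherwise the p= policy applies. The records are embedded as constructed strings rather than fetched from DNS, the DKIM public key is a placeholder, and organizational-domain matching is simplified to the last two labels (real receivers use the Public Suffix List). The last case in `demo` also shows the limit of this control: a lookalike domain with no DMARC record gets no policy at all, which is why strategy 1 above is still needed.

```python
"""Apply a DMARC policy to an inbound message from its SPF and DKIM results.

Added example, not Bolster's code. DNS_TXT is a constructed stand-in for DNS.
"""
from typing import Dict, Optional

# Constructed records for example.com (the DKIM key is a labelled placeholder).
DNS_TXT: Dict[str, str] = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all",
    "mail._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY",
    "_dmarc.example.com": "v=DMARC1; p=reject; aspf=s; adkim=r; pct=100; "
                          "rua=mailto:dmarc-reports@example.com",
}


def parse_tags(record: str) -> Dict[str, str]:
    """Turn 'v=DMARC1; p=reject; ...' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (no Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(from_domain: str,
                      spf_result: str, spf_domain: Optional[str],
                      dkim_result: str, dkim_domain: Optional[str],
                      dns_txt: Dict[str, str] = DNS_TXT) -> str:
    """Return 'pass', or the p= action ('none'/'quarantine'/'reject') to apply.

    spf_domain is the envelope MAIL FROM domain; dkim_domain is the d= tag of the
    signature that verified. 'none' is also returned when no policy is published.
    pct= sampling is ignored here; a real receiver honours it.
    """
    record = dns_txt.get(f"_dmarc.{from_domain.lower()}")
    if record is None:
        return "none"  # no policy published: receiver applies no DMARC action
    tags = parse_tags(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")


def demo() -> Dict[str, str]:
    """Four constructed inbound messages and the disposition each receives."""
    return {
        # Legitimate mail from the corporate server: both mechanisms pass and align.
        "legit": dmarc_disposition("example.com", "pass", "example.com", "pass", "example.com"),
        # Spoofed From header, attacker's own envelope domain passes SPF but is not aligned.
        "spoofed_from": dmarc_disposition("example.com", "pass", "attacker.example", "none", None),
        # Mail from a subdomain: strict SPF alignment fails, relaxed DKIM alignment rescues it.
        "subdomain": dmarc_disposition("example.com", "pass", "news.example.com",
                                       "pass", "news.example.com"),
        # Lookalike domain the attacker registered: no DMARC record, so no policy applies.
        "lookalike": dmarc_disposition("examp1e.com", "pass", "examp1e.com", "none", None),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13s} -> {verdict}")
```

The `spoofed_from` case is the direct-spoofing BEC variant this strategy stops: the attacker's server passes SPF for its own envelope domain, but because that domain does not align with the From header the message falls through to p=reject. The `lookalike` case returns "none" because no record exists for the attacker's domain, so SPF/DKIM/DMARC alone does not cover lookalike-domain BEC.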
4. Automating Detection and Takedown of Phishing Sites
While implementing strong email security strategies such as URL sandboxing and enforcing DKIM signatures is critical, organizations need to look outside their existing infrastructure and neutralize external threats. Attackers leverage phishing sites in BEC scams to convince unsuspecting victims to give up credentials or financial information.
To quickly and accurately detect phishing sites across the internet, the best strategy is to leverage a digital risk solution with AI and ML-powered detection engines. AI/ML-powered engines can look at both text and image-based signals to identify malicious sites that will be weaponized in a BEC scam. Look to implement an automated strategy where lookalike domains spoofing your brand are detected, analyzed, and taken down before they have the opportunity to launch BEC attacks against employees.
5. Training Your Team on Spotting BEC Scams
While technology plays a crucial role in avoiding BEC scams, companies cannot afford to overlook their employees' awareness of potential threats. Since most BEC attacks leverage end-user error, companies must train end-users to identify suspicious emails. Training programs should be delivered on a consistent basis so that employees keep BEC scams top of mind.
How can Bolster help?
According to a cybercrime report, 43% of companies suffered severe security incidents in the last 12 months, and 35% stated that BEC attacks accounted for over 50% of the incidents. Manual detection and takedown cannot keep up with the number of attacks. These attacks' volume, scope, and sophistication require a robust zero-touch detection and takedown solution that continuously scours the internet for fraudulent sites and takes them down automatically within seconds.
While it is important to train your users on BEC scams and implement good email security practices, organizations should also be proactive about taking down potential threats outside their perimeter that might lead to a BEC attack. Bolster's phishing and scam protection solution uses an AI-based detection engine that can render scam verdicts and effect takedowns in less than two minutes. It prevents attackers from spoofing your domain by monitoring typosquat variants across all TLDs. Security teams can block the flagged domains in the email protection solution. This renders the attack attempt worthless from the first step and makes it much harder for criminals to initiate a BEC scam.
See a custom demo of how your organization can implement an automated solution to monitor and take down potential BEC phishing domains.