Symantec Email Security Community

Overview of Business Email Compromise

BEC scams, also known as “whaling’ or “CEO fraud”, involve crafted emails sent to recipients by fraudsters pretending to be senior executives. These emails leverage social engineering and urgent requests to get employees to carry out large wire transfers or send over sensitive information such as W2 forms.

BEC emails are typically characterized by:

• Impersonation of a high-level executive of your company
• Email domains similar to yours (Typosquatting)
• Prominent use of freeweb mail service providers (Gmail, Yahoo etc.)
• Emails that do not contain URLs, phone numbers, or attachments

The FBI has reinforced the growth and criticality of Business Email Compromise (BEC) with their latest Public Service Announcement, which found that BEC increased by 1,300% since 2015 and is responsible for more than $3 billion in exposed losses. This announcement also added a fifth BEC scenario of "Data Theft".

The FBI PSA outlined five scenarios of Business Email Compromise:

1. Business Working With a Foreign Supplier
2. Business [Executive] Receiving or Initiating a Request for a Wire Transfer
3. Business Contacts Receiving Fraudulent Correspondence through Compromised E-mail
4. Business Executive and Attorney Impersonation
5. Data Theft

In addition, learn more about W2 (tax return) related BEC fraud to better understand the recent updates from the FBI PSA about the Data Theft scenario we observed earlier this year during U.S. tax season.

While the financial damage of BEC scenarios 1-4 can be quantified and covered by a company or their cyber insurance, the new Data Theft scenario raises new challenges about how to quantify damage from personally identifiable information (PII), such as seen in the tax return fraud (W2) attempts, or even intellectual property loss. Therefore, it is even more important to view BEC as a serious threat to your organization.

Key Characteristics of Business Email Compromise

We wanted to highlight a few more email characteristics that can help identify a BEC attack:

• Common keywords in From and Reply-to Header (when reply-to is present)

(ceo,cto,cfo,coo,office,work,dir,director,executive,exec,chief,central,chairman,president,vp,vice,private,official,md,managing,managed,chief,accountant,admin,workmail,gmo,personal,home,personal)

• Common keywords in message body

(Transfer|Request|response|Verification|Payment|Update|Wire|Initiate|Instructions|Bank detail|international|finance department|urgent|remit|remittance|Attention|Attached|Outstanding|confidential|desk|office)

• Subject lines are between 1-3 words long (46% have 1 Word, 31% have 2 Words and 19% have 3 Words)
• Common used body parts are TXT/HTML with over 60%. TXT only based BEC are 23% and HTML only is used in about 15%.
• Between 1,500 and 8,000 bytes email size
  • 58% of BEC email have a size between 1,500 and 8,000 bytes
  • 30% of BEC email have a size between 8,000 and 10,000 bytes

The difficulty with BEC email is that you have a very limited set of features (i.e. checking attachments, URLs or common bad senders) you can leverage to detect such messages. Also, although the characteristics discussed above can help you detect BEC emails, this needs to be handled with care due to the risk of false positives. For instance, a financial institution that was to detect messages generically from a free mail account containing a keyword such as ‘transfer’ or ‘outstanding’ might accidently block both BEC and legitimate emails.

Symantec is Focused on Stopping BEC Attacks

Earlier this year, Symantec focused on typosquat domains to gather additional intelligence that is used to improve detection for these email attacks. Specific heuristic rules generated based on our research have shown success, stopping over 16.1 million emails since beginning of this year. Symantec Email Security contains many more detection technologies that stop attacks or unwanted mail such as phishing, spam, and unsolicited emails, and we are constantly working to stay ahead of attackers by making improvements to rulesets in our Email Security solutions to detect BEC emails for our customers -  without the need to purchase additional features or to use a specific product version.

How Symantec Protects Against Business Email Compromise

Symantec will continue to invest in creating specific BEC detection to target this attack. This type of attack due its limited set of features and individual company specific focus may also require a complementary set of solutions that Symantec is also in a position to provide.

• Symantec Email Security.cloud Data Protection provides granular control to identify suspicious messages based on various indicators, which also helps raise end-user awareness.
  • Use the common header and body keywords we mentioned earlier to detect and block/flag suspicious messages. See these KB entries on how to use Data Protection as additional protection from BEC attacks:
    http://www.symantec.com/docs/HOWTO124383
    http://www.symantec.com/docs/HOWTO124423
  • Data Protection can also help flag messages that are coming from outside the organization to raise end-user awareness of BEC emails. For example, when a message requiring immediate attention seems to come from a CEO but is coming from Internet-facing email gateways instead of the internal systems, the user is immediately informed.

• Symantec Data Loss Prevention helps combat the Data Theft BEC scenario by seamlessly integrating with our Email Security solutions to detect emails containing sensitive information such as PII that should not leave the organization. When combined with Symantec’s Policy Based Encryption Service, you can even ensure that this information is encrypted in case it’s accidently shared with the wrong person.

• Usage of Digital Signatures prove the authenticity of an email sender. Have your i.e. Executives like CEO use certificates to sign messages and to ensure that recipients question emails appearing to come from their CEO when they are not digitally signed.

• Conduct End-User Awareness training to raise overall awareness of BEC scams. Leverage Symantec Cyber Security Services to simulate and train employees on phishing by getting end-users to be more suspicious of emails and to empower them to recognize and report attacks.

Best Practices for Addressing BEC

In addition to these Symantec solutions, you should also leverage the following best practices for the most effective way to protect your organization from BEC attacks:

• Submit BEC samples to help improve protection against these scams, as sharing information allows organizations to quickly detect and stop these attacks
• Question any emails requesting actions that seem unusual or aren’t following normal procedures
• Users shouldn’t reply to any emails that seem suspicious. Obtain the sender’s address from the corporate address book and ask them about the message
• Use two-factor authentication for initiating wire transfers

For more information, see the latest research done by the Symantec Security Response team about Billion-dollar scams: The numbers behind BEC fraud.

To learn more about BEC check out these resources:

• Business Email Compromise Campaigns Continue Targeting C-level Employees Despite Warnings
• 2016 Symantec Internet Security Report (Pages 31-37)