Business Email Compromise (BEC)

A familiar name in your inbox isn't always who you think it is.

Overview

Impostor emails trick people into sending money—sometimes hundreds of thousands of dollars in a single wire transfer—or sensitive corporate or personal data. They appear to come from the CEO or other high-level executive and urge the recipient to keep the details confidential.  

Understand The Threat

HOW DOES IT WORK?

Impostor email is known by different names, often also referred to as business email compromise (BEC) or CEO fraud. This threat is designed to trick the victim into thinking they received an email from an organization leader like the CEO or CFO asking for either: A transfer of money out of the company (this is usually the case) or Employee personally identifiable information (PII) such as W2 forms.

These threats are extremely targeted and start with a great deal of research to find the right person within an organization, find out their chain of command, and identify the best time to send the email – ideally when the “sender” is traveling in order to maximize success. But despite the amount of work required, these threats are not seen in low numbers, many thousands of companies get impacted by these threats every month. The FBI initially estimates that impostor emails cost organizations over $2 billion in 2015.

Because these threats rely on social engineering rather than malware, impostor emails can often evade security solutions that look for only malicious content or behavior.

bec_example-1.jpg

HOW DO I PROTECT AGAINST IT?

Many security defenses look for malicious documents or known blacklisted URLs to identify emails as suspicious. Impostor emails threats, though, rarely have these tell-tale features. They rely instead on social engineering and busy, tired, or naive employees responding to fake requests for money and information. Vigilant employees are the last line of defense against impostor threats. As with so many phishing schemes and other email-based attacks, impostor email threats bear common hallmarks that should send up a red flag for users if these messages make it past your organization's defenses:
 

  • High-level executives asking for unusual information: How many CEOs actually want to review W2 and tax information for individual employees? While most of us will naturally respond promptly to an email from the C-suite, it's worth pausing to consider whether the email request makes sense. A CFO might ask for aggregated compensation data or a special report, but individual employee data is less likely.
     
  • Requests to not communicate with others: Impostor emails often ask the recipient to keep the request confidential or only communicate with the sender via email.
     
  • Requests that bypass normal channels: Most organizations have accounting systems through which bills and payments must be processed, no matter how urgent the request. When these channels are bypassed by an email directly from an executive requesting, for example, that an urgent wire transfer be completed ASAP, the recipient should be suspicious.
     
  • Language issues and unusual date formats: Some lure emails have flawless grammar, and some CEOs write emails in broken English. But the presence of European date formats (day month year) or sentence construction that suggests an email was written by a non-native speaker are common in many of these attacks.
     
  • “Reply To” addresses that do not match sender addresses: This is rarely obvious in email clients or webmail applications, but impostor email threats are generally characterized by spoofed sender addresses. They may also use lookalike domains to fool recipients at a glance (yourc0mpany.com instead of yourcompany.com, for example).

50-50-threat-keyboard.jpg

 

Here are a few tips to keep organizations safe in the face of these increasingly common attacks:
 

  • Be suspicious. Asking for clarification, forwarding an email to IT, or checking with a colleague is better than wiring hundreds of thousands of dollars to a fake company in China.
  • If something doesn't feel right, it probably isn't. Encourage employees to trust their instincts and ask "Would my CEO actually tell me to do this?" or "Why isn't this supplier submitting an invoice through our portal?"
  • Slow down. Attackers often time their campaigns around our busiest periods of the day for good reason. If a human resources manager is quickly going through emails, she is less likely to pause and consider whether a particular request is suspect.

Perhaps the most important message is that robust email, network, and endpoint security solutions must work alongside user-education initiatives.

 

Defend Against Imposter Emails with Proofpoint Email Protection. Email security to protect against threats such as impostor email, phishing, spam, bulk email, and viruses.

white-paper-cover-1.jpg

Understand the Motives and Mayhem of Impostor Emails

Impostor emails are purpose-built to impersonate executives and trick you into sending money, or personal information to cybercriminals. Learn how Proofpoint Email Protection employs our dynamic classifier and quarantine functionality to allow you to quickly see, report and stop this attack technique.

Proofpoint Wins Best Email Security Solution Trust Award from SC Magazine

Cloud-based Enterprise Protection solution combines next-generation email security and compliance to stop messaging threats.

Business Email Compromise Attacks Increase, $3.1B in Exposed Losses: FBI Warning

The need to protect organizations, both large and small, from BEC threats has never been greater.

Proofpoint Positioned as a Leader in the 2015 Gartner Magic Quadrant for Secure Email Gateways

Proofpoint, Inc. announces Gartner, Inc. has positioned Proofpoint in the leader’s quadrant of its “Magic Quadrant for Secure Email Gateways” for the seventh consecutive year.