A CISO’s Guide on How to Stop Email Fraud

Stopping BEC and EAC


Business email compromise (BEC) and email account compromise (EAC) are fast-growing problems with no easy solution. That’s because no two BEC and EAC scams are alike. While they all follow similar playbooks, each email fraud attack is as unique as the people they target, the personality traits they prey on, and the trust relationships they exploit. They start with a seemingly routine email request from a boss, colleague or business partner. "Wire money to this account." "Send the payment here." "Attach employee files."

BEC and EAC defined

In BEC and EAC attacks, the requests don’t come from the person they appear to be from. Instead, they’re from an impostor using a lookalike email address—or in some cases, the impersonated sender’s own email account.

According to the FBI, BEC and EAC attacks have cost businesses upwards of $26 billion worldwide since 2016 in exposed (actual and potential) losses. The average attack nets the attacker nearly $130,000. Gartner predicts that BEC and email fraud attacks will double each year, totaling $5 billion in actual losses by 2023.

EAC, also known as email account takeover, is often associated with BEC because compromised email accounts are used in a growing number of BEC-style scams. (EAC is also the basis of other kinds of cyber attacks). The FBI started to track them together in 2017.

The mounting toll

EAC is accelerating in an era of cloud-based infrastructure. A recent Proofpoint Threat Research study reveals that 40% of organizations using the cloud had at least one compromised account. And even as organizations fend off inbound BEC attacks, cyber criminals may be using their trusted domain to launch outbound attacks against business partners and customers. These attacks can strain business relationships and leave respected brands tarnished.

Stopping BEC and EAC requires a multilayered defense that blocks every tactic attackers use— not just some of them. Here’s a closer look at how Proofpoint Email Security safeguards your people from BEC and EAC attacks—and why it is the only solution that truly solves these growing problems.

Why BEC and EAC are so hard to stop

BEC attacks are difficult to detect because they don’t use malware or malicious URLs that can be analyzed with standard cyber defenses. BEC attacks rely instead on impersonation and other social engineering techniques to trick people interacting on the attacker’s behalf. That may include sending sensitive information, wiring money, diverting payroll and more. Because of their targeted nature and use of social engineering, manually investigating and remediating these attacks is difficult and time consuming. BEC attacks use a variety of impersonation techniques:

Domain Spoofing

The attacker forges the sender address (the “MAIL FROM” or “return-path” field in an email) using a trusted domain. The recipient sees the forged address rather than the sender’s actual domain.

Lookalike domains

To get around domain-spoofing measures, attackers often register a domain that resembles the one they’re trying to impersonate. The domain might use the numeral "0" instead of the letter "O," for example (y0urcompany.com).

Display-name spoofing

Email senders can easily set their display name to anything they want. Many mobile email clients show only the display name by default, especially on mobile devices, making this a simple but effective technique. Most BEC attacks use display-name spoofing alongside other spoofing methods.

How a people-centric defense can help

These email fraud attacks are effective because domain misuse is a complex problem. Stopping domain spoofing is hard enough—anticipating every potential lookalike domain is even harder. And that difficulty only multiplies with every domain of an outside partner that attackers can used in a BEC attack to exploit your users' trust.

In EAC, the attacker gains control of a legitimate email account, allowing them to launch similar attacks. But in these cases, the attacker isn’t just trying to pose as someone—for all practical purposes, the attacker is that person.

Because BEC and EAC focus on human frailty rather than technical vulnerabilities, they require a people-centric defense that can prevent, detect and respond to a wide range of BEC and EAC techniques.

Air travel as an analogy

Consider how airports manage a vast and changing mix of potential security issues. Most take a multipronged approach, each element featuring multiple checks and procedures. At Proofpoint, we take a similar approach to securing your email.

  • Passport control checks traveler’s passport (or driver’s license) and boarding pass to ensure they are 1) who they claim to be and 2) authorized to fly.
  • Screening scans the luggage and passengers to ensure that nothing bad is getting on the plane—and that nothing’s leaving that shouldn’t be.
  • TSA agents trained to spot and report suspicious traits and behavior.
  • Airport security armed with the authority and means of physically stopping bad actors and separating them from anyone they might harm.
  • Law enforcement aware of outside activity that may put travelers at risk, including identity theft, forged passports and coordinated criminal activity. Helps create no-fly lists, alerts airport security about potential threats and catches many criminals before they enter the airport.

Putting the pieces together

Proofpoint Email Security address all attackers’ tactics and secures all threat vectors, including corporate email, personal webmail, cloud apps to end-users. Our integrated, end-to-end solution:

  • Protects across broad range of attacker tactics
  • Provides visibility into all email sent using your domain
  • Provides visibility into compromised account risks from cloud apps
  • Stops imposter email and fraudulent use of trusted domains
  • Detects compromised cloud accounts and phishing, imposter emails
  • Identifies who’s vulnerable to credential theft
  • Enables you to apply adaptive controls to your Very Attacked PeopleTM
  • Trains your end users to become more resilient to BEC and EAC attacks