You’ve probably heard of the term Business Email Compromise (BEC) before. But maybe not the term Email Account Compromise (EAC), which is a close cousin of BEC. In fact, BEC and EAC are so intertwined that the FBI has been tracking these scams as a single crime type since 2017. So, what exactly is EAC?
What is EAC?
Email Account Compromise (EAC) is a highly sophisticated attack in which attackers use various tactics, such as password spray, phishing, malware, to compromise victims’ email accounts, gaining access to legitimate mailboxes. EAC also leads to email fraud, where the attacker uses social engineering to trick or threaten the target to make a fraudulent financial payment. In the case of EAC, there are almost always two victims- the person whose email account got compromised, and the other person who falls for the fraudulent request from the compromised email account.
How does EAC work?
There are several ways for attackers to obtain access to a legitimate mailbox. Performing a brute force attack is one of the most popular password cracking methods, in which attackers use automated tools to
try usernames and passwords over and over again, until they get in. Other common attack tactics include phishing, where attackers send an email with a link to a fake website that’s designed to steal credentials. Sometimes attackers utilize malware, like keyloggers or stealers, to break into the target’s account. Regardless of the tactic, the goal is for the attacker to become you.
Once attackers gain legitimate access to the target’s email account, they have access to a treasure trove of information—email, calendar, key meetings with suppliers or customers, corporate directory, and even files in the file shares—to profile their victim. More importantly, attackers maintain access by creating email forwarding rules or changing account permissions, so they can closely monitor the victim and study the business. They mimic the victim, craft very convincing and timely messages using the knowledge they gain to send email at the opportune time.
The targets for EAC attacks include your employees, both personal and corporate email, your business partners and your customers. Email Account Compromise often looks like the following schemes:
Supply Chain Hijacking
Scenario I: Your accounting department has been compromised
The attacker compromises the email account of an employee from your accounting department. Once inside, the attacker creates a forwarding rule within the email platform and starts gathering copies of all messages. He then uses the knowledge he gains from the compromised account, such as billing cadence and the interaction with customers, to craft identical looking invoices, using proper terminology and logos, and send those to your customer. When the customer pays the invoice, the money goes straight to the fraudsters’ bank account instead of your company’s. The customer thinks they pay your company, but indeed, they pay the fraudster unknowingly. Consequently, your company not only loses money owed to you, but also has a serious customer satisfaction issue.
Scenario II: Your supplier’s accounting department has been compromised
The attacker compromises the email account of your supplier. Just like the above example, the attacker learns all the details and interaction between you and your supplier. He then crafts identical looking invoices and sends them to your company. Only this time, the attacker replaces the banking information with the bank account he wants you to transfer the money to. As a result, your supplier never receives payment from your company, and your company experiences financial loss from wrongly paying to fraudster. This also damages your business relationship with supplier.
The attacker compromises the email account of an employee and sends an email to HR asking to update the victimized employee’s direct deposit with attacker’s bank account. In some cases, the attacker compromises the email account of a management executive and studies victim’s business, such as Merger and Acquisition (M&A) activities. The attacker then sends an email using the compromised executive account to the accounting department, requesting to execute a money wire transaction in order to complete an acquisition, only this time the bank account was replaced by the attacker.
BEC vs. EAC
What BEC and EAC have in common is that they target people, rely on social engineering and are designed to solicit fraudulent wire transfers or payments, or to steal information. The biggest difference between Business Email Compromise (BEC) and Email Account Compromise (EAC) is that in the case of BEC, the attacker pretends to be you; whereas in the case of EAC, the attacker IS you. For BEC, attackers often use identity deception tactics like domain spoofing, display-name spoofing, and lookalike domains, to trick people into making payments to fraudulent accounts. As for EAC, attackers find different ways to compromise your email account so they can “be you”. When they use your legitimate email to conduct email fraud internally or with your business partners or customers, it bypasses email authentication controls like SPF, DKIM and DMARC.
How to defend against BEC/EAC
Because EAC and BEC are so connected, it’s critical that you take a holistic approach to protecting your organization. In other words, if you’re only solving for EAC, you’re only addressing part of the problem. For the most effective protection, you need to solve for both BEC and EAC.
Given the complexity of multiple tactics and channels for these attacks, you need comprehensive solution that addresses all attackers’ tactics. Relying on only single technical control or security awareness training alone leaves your organization exposed. To learn more about how to protect your organization from BEC and EAC attacks, click here. Or check out How to Solve the $26 Billion Problem of Business Email & Account Compromise webinar.