Last Time in the BEC Taxonomy Series…
In the fourth installment of the Business Email Compromise (BEC) taxonomy series, Proofpoint researchers dived into extortion email fraud from the Theme tier of the Email Fraud Taxonomy framework (Figure 1). We touched on the various subtypes (data release, ransom distributed denial of service, physical harm, and sextortion) and demonstrated how this type of email fraud regularly does not use any deception as a tactic. Now we will explore another theme whose importance from an email fraud perspective is often overlooked because of its basic nature. This theme is lures and tasks.
Figure 1. Email Fraud Taxonomy Framework.
What are Lures and Tasks?
Lures and tasks are essentially all the fraudulent emails that attempt to see if recipients are available to perform some simple, even menial, task. These emails are characterized by a direct question and can include an action assigned to the recipient. Since this type of fraud can occur in one stage or in multiple stages, the initial messages can be vague requests in the vein of "Are you available?", "i need a quick favor?", and "Do you have a moment", or can inform the recipient of exactly what the threat actor wants done, such as "Are you there? I need you to buy me giftcards."
Lure and task email fraud can act as a gatekeeper to the other themes noted in the Email Fraud Taxonomy Framework. A multi-stage lure/task email can engage the victim in a virtual conversation while the ultimate intent of the threat actor may be to request a payment redirect or engage the victim in invoice fraud. Ultimately, what distinguishes lures and tasks from the other themes is whether Proofpoint researchers observe the actor's intentions beyond the initial email asking if the recipient is available. If we observe just the initial email with the task-oriented request, then we categorize it as lure/task. If we observe the second stage of a lure/task email, it may become clear that the threat actor's intent is related to a different theme. In those cases, the emails would be categorized as both lure/task and the other theme.
Lures/Tasks and the Email Fraud Taxonomy Framework
Lure and task emails only leverage impersonation from the Deception layer of the Email Fraud Taxonomy. Attackers commonly masquerade as someone recognizable to the intended victim, including those in positions of authority in either their personal or professional lives, close friends, or even family members. Posing as such increases the likelihood that the recipient will overlook the oddity of receiving such an email and feel compelled to respond. A simple response from the victim achieves the actor’s first objective of identifying an active email account and a potentially receptive audience.
Most lure/task emails leverage display name spoofing, as illustrated in Figure 2, to deceive the recipient. To a lesser extent, threat actors will use the other impersonation tactics, such as spoofing the domain or using reply-to addresses. After receiving a response, the threat actor may change the deception tactics employed to further the credibility of their scheme.
Figure 2.
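The impersonation tactics described above can be checked from message headers. The following is an added example, not Proofpoint's detection logic: it flags a display name that matches a known person but arrives from a different address, a Reply-To that diverges from the From address, and a short body containing availability phrasing like the lures quoted earlier. The directory, addresses, phrase list, length threshold and sample messages are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: display names worth impersonating -> real address.
KNOWN_SENDERS = {"dana whitfield": "dana.whitfield@example.com"}

# Availability phrasing modelled on the lure examples quoted in the article.
LURE_RE = re.compile(r"are you (available|there)|quick favor|do you have a moment", re.I)

def normalize(name):
    """Lower-case and collapse whitespace so 'Dana  Whitfield' still matches."""
    return " ".join(name.lower().split())

def assess(raw_message, known=KNOWN_SENDERS, max_body_chars=200):
    """Return the set of lure/task indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    flags = set()
    expected = known.get(normalize(name))
    if expected and addr.lower() != expected:
        flags.add("display_name_spoof")   # trusted name, unfamiliar address
    if reply_to and reply_to.lower() != addr.lower():
        flags.add("reply_to_mismatch")    # replies go somewhere else
    if len(body.strip()) <= max_body_chars and LURE_RE.search(body):
        flags.add("lure_phrase")          # brief availability check
    return flags

# Constructed sample messages.
SPOOFED = (
    "From: Dana Whitfield <dwhitfield.ceo@mail.example.net>\n"
    "Reply-To: office.exec@mail.example.org\n"
    "Subject: Quick request\n"
    "\n"
    "Are you available? I need a quick favor.\n"
)
GENUINE = (
    "From: Dana Whitfield <dana.whitfield@example.com>\n"
    "Subject: Q3 budget review\n"
    "\n"
    "Attached are the Q3 numbers we discussed on Tuesday.\n"
)

if __name__ == "__main__":
    print(sorted(assess(SPOOFED)))
    print(sorted(assess(GENUINE)))
```

The lure phrase alone is a weak signal, since colleagues send the same wording legitimately; it is most useful when combined with one of the header indicators.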
Real World Example
Many of the lure/task fraudulent emails Proofpoint researchers observe begin with a very brief email that tests the receptivity of the intended victim. As can be seen in Figure 3, these initial emails do not even necessarily attempt to capitalize on a sense of urgency.