The Latest Business Email Compromise (BEC) Targets, Topics and Tactics: Impostor Email

April 18, 2016
Mark Guntrip

Impostor emails continue to hit a wide range of businesses around the world, and they don’t show any signs of slowing. According to reports, one unidentified U.S. company lost nearly $100 million as a result. The FBI also recently increased its estimate of the overall cost of impostor email, also known as business email compromise (BEC), to $2.3 billion. That’s up from the $1.7 billion cited in its initial report late last year.

As we’ve described in earlier posts, impostor emails trick people into sending money (sometimes hundreds of thousands of dollars in a single wire transfer) or sensitive corporate data to cybercriminals. They often appear to come from the CEO or other high-level executives and urge the recipient to keep the details confidential. Eager to please the boss, the recipient complies—realizing only later that the whole thing was a scam.

Our team conducted an analysis of recent impostor email trends and who they target. For example:

  • The targets – 47% of impostor emails target the CFO. HR is second with 25%.
  • The topics – 30% of impostor emails request employee tax information. Wire transfer is next at 21%.
  • The tactics – 75% of impostor emails spoof their reply-to address to fool victims.

For the full results, view the infographic.

Targets range from the largest banks to small schools worldwide. Because these threats do not use malicious attachments or URLs, they can evade security solutions that look for only malicious content and behavior. That’s why impostor emails require a solution that can dynamically analyze the attributes of all email as it arrives and detect anomalies that reveal the threat.

Why Classifying Impostor Email is Important

Many email tools have trouble detecting and classifying impostor email. Unlike other kinds of email threats, impostor email usually arrives in low volumes and contains no malware. Detecting impostor email requires a combination of dynamic and algorithmic approaches that incorporate the following:

  • Sender/recipient reputation. This means understanding the relationship between a sender and recipient. The level of trust between the two helps determine the likelihood that an impostor sent the message.
  • Domain reputation. Investigating the sender’s domain can reveal clues that the email is from an impostor. A domain that cannot be resolved, is newly registered, or is in close proximity to the recipient domain points to an impostor email.
  • Algorithmic analysis. This involves analyzing hundreds of attributes and factors for every email received, for example email headers, the reply-to address and the display name.
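
To make a few of these attributes concrete, here is an added example (not Proofpoint's classifier) that checks one message for a reply-to mismatch, an executive display name on an outside address, and a sender domain close to the recipient domain. `ORG_DOMAIN`, `EXECUTIVES`, the function names and the sample messages are assumptions constructed for illustration, and "close proximity" is interpreted here as an edit distance of 2 or less.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for illustration: the protected domain and its executives' names.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot domains close to ORG_DOMAIN."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def impostor_signals(raw):
    """Return the impostor indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    signals = []
    if reply_dom and reply_dom != from_dom:
        signals.append("reply-to-mismatch")
    if name.strip().lower() in EXECUTIVES and from_dom != ORG_DOMAIN:
        signals.append("executive-display-name-external")
    for dom in sorted({from_dom, reply_dom} - {"", ORG_DOMAIN}):
        if edit_distance(dom, ORG_DOMAIN) <= 2:
            signals.append("lookalike-domain:" + dom)
    return signals

# Constructed sample messages (not real traffic).
SPOOFED = """From: Jane Doe <jane.doe@example.com>
Reply-To: Jane Doe <jane.doe@examp1e.com>
To: cfo@example.com
Subject: Urgent wire transfer

Please keep this confidential.
"""
LEGIT = "From: Jane Doe <jane.doe@example.com>\nTo: cfo@example.com\nSubject: Q2 planning\n\nSee you Thursday.\n"

print(impostor_signals(SPOOFED), impostor_signals(LEGIT))
```

Each signal on its own is weak evidence; a real classifier would weigh them together with sender/recipient history rather than block on any single hit.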

Proofpoint Email Protection now offers dynamic protection against impostor email

Proofpoint Email Protection has been able to protect against impostor emails for some time using DMARC and pre-defined impostor email rules. We recently enhanced this capability with a new dynamic impostor email classifier. This classifier makes blocking impostor emails even easier by generating an impostor score that customers can use to build policy—just like they already do for spam, bulk, adult, phishing, malware and low-priority email.

Email Protection detects and classifies impostor email dynamically. That means we can adjust as attackers change tactics. And mail administrators don’t have to manage the additional burden of building and maintaining inaccurate static rules (such as terms that might be contained within an impostor email). Static rules can’t keep pace with attackers, who constantly change their methods.

Impostor emails are placed into a separate quarantine, giving customers visibility into this emerging threat and a clearer picture of who within their environment is being targeted.

Free Proofpoint Email Protection upgrade enhances protection against impostor threats

To take advantage of the newest impostor email classifier features, we encourage our Proofpoint Email Protection customers to upgrade to the latest release. The upgrade is free to existing customers and offers increased security against this dangerous threat.

To find out more about how Proofpoint Email Protection defends against impostor email, visit https://www.proofpoint.com/us/products/email-protection