Business Email Compromise: No Defense Against Attack

Cybercriminals have invented many options for cyber attacks, differing in complexity of technical implementation and effectiveness. Among them, a special place is occupied by an attack, which is surprising in its technical simplicity and effectiveness - Business Email Compromise (BEC), or an attack using compromised business correspondence. It does not require deep technical knowledge, has the highest efficiency, it is almost impossible to defend against it with traditional means. According to the FBI, the damage from such attacks in 2018 amounted to more than 1.2 billion US dollars .

Father Bob Stack from the Parish of St. Ambrose in Brunswick, pc. Ohio, was unpleasantly surprised when the contractor Marous Brothers Construction phoned him and carried out the repair and restoration of the church building and asked why the payment stipulated by the contract had not been received for two months. Since Father Bob knew that the money was being transferred, he specified the details of the recipient and found that the payments went not to the contractor, but to unknown scammers. Two months ago, they sent a letter on the change of details on behalf of Marous Brothers Construction. Ward staff adjusted the recipient's account number and sent payment for the work there within two months. The amount of damage amounted to 1.75 million US dollars .

Father Bob Stack turned to the FBI. During the investigation, it turned out that unknown hackers, shortly before the attack, picked up passwords for the mailboxes of two ward employees, examined their correspondence with contractors, and then composed a convincing letter from the largest of them, Marous Brothers Construction. The design, return address, and all other attributes were copied from the old correspondence, so there was no doubt about their authenticity. As a result, the money flowed away in an unknown direction, and they were sent by unsuspecting employees.
')
The arrival of Bob’s father and he himself became a victim of a BEC attack.

How the BEC attack works

BEC is a scam focused mainly on companies working with foreign suppliers, as well as companies that regularly conduct non-cash payments.

The attack begins with the collection of information about the company: information about managers and accountants making payments, email addresses of employees, information about contractors. Using phishing or malware, criminals compromise the email accounts of managers, financiers and accountants, and study correspondence with counterparties. Their task is to find out how financial transactions occur, who requests the transfer, who confirms it and who directly performs it.

When the necessary information is collected, fraudsters act according to one of the following schemes.

Fictitious Invoices



Having ascertained the details of the company's relationship with suppliers, fraudsters send a letter on behalf of one of them about the change of details. Accountants correct information in financial documents and send money to criminals. The victim of this scheme was the parish of St. Ambrose.

False Executive Order



Using a compromised mailbox, fraudsters send a letter to the financial department on behalf of the CEO or another manager authorized to conduct monetary operations. The message contains a request to urgently transfer money to the specified account under any convincing excuse.

Letters from the False Accountant



Fraudsters send letters to the company’s counterparties about the change of details from a compromised e-mail of a financial unit employee. Upon receipt of the message, counterparties make corrections and begin to transfer money to scammers.

False lawyer



The cybercriminal contacts the finance department or the CEO by email or telephone and introduces himself as an employee of a law firm that deals with confidential and urgent matters. Having reported any fictitious but convincing threat, the fraudster offers to secretly transfer funds to him to urgently resolve the problem. As a rule, a “threat” is detected at the end of the working week several minutes before the end of the working day or on the eve of the holidays, when employees are preparing for rest and are not inclined to assess the situation too critically.

Reasons for the effectiveness of BEC attacks

• Social Engineering . Letters are sent at the end of the working day or on the eve of the holidays, when employees rush home. The texts of letters are prepared taking into account the peculiarities of the relationship between the sender and the recipient.
• Legitimate appearance . Fraudsters use the information collected to develop a unique letter, which in style and design will be indistinguishable from correspondence with counterparties familiar to employees. For example, an accountant may receive an instruction from the CEO to transfer funds that looks exactly like similar orders.
• Unlike phishing scams, emails used by BEC are sent in a single copy from legitimate mailboxes and do not end up in spam .
• No malicious content . BEC scam emails do not contain links and attachments, therefore, they are easily passed by antiviruses and other protective solutions.
• No penetration into the system . Employees transfer money of their own free will, because they are sure that they are doing everything right. Fraudsters do not have to study payment systems and gain access to them. Even if the bank asks a question regarding the new details, the victims will give the necessary explanations and even make efforts to make the payment as quickly as possible, and if necessary - in confidence.
• Urgency and other manipulative amplifiers . The need to urgently solve a problem under the threat of serious and inevitable consequences disables the critical thinking of employees, and they perform actions that cybercriminals are pushing them to.

Fighting BEC Attacks

The parish of St. Ambrose did not demand damages from its employees, but not all companies that became victims of the BEC are so lenient. For example, a media company from Scotland filed a lawsuit in the amount of £ 108,000 to its former employee who executed money transfers to BEC scammers for ignoring a warning from the bank about the fraudulent nature of the transfer.

However, personnel intimidation can hardly be seriously considered as an effective measure of protection against BEC attacks. A truly effective combination of organizational and technical measures.

Organizational activities

1. Train employees to carefully check each letter if it concerns money transfers or other significant orders from senior management. Pay special attention to urgent and confidential letters.
2. Train employees to recognize BEC attacks . Information security departments should teach each employee the principles of identifying compromised letters.
3. It is mandatory to check all letters and requests of a financial nature . If the supplier has sent a notice on the change of details, call him back and make sure that the document is real, and use the phone number from the official website of the company or from the contract, and not from the letter received.

Technical Activities

Since BEC letters do not contain links, attachments and, as a rule, do not have typical signs of malicious letters, traditional protective solutions cannot cope with their detection. Comprehensive email protection using artificial intelligence and machine learning can help here.

At Trend Micro, we use an AI tool called the Expert System. It mimics the decision making process of a security specialist. For this, the system evaluates the provider from which the letter was sent, compares the sender's email address with the actual address of the organization. If the letter came from the head of the organization, the presence of such a head in the staff list is checked, as well as its availability by contact information.

At the next stage, the expert system performs a content analysis of the contents of the email, revealing the sender's intentions regarding the factors specific to BEC letters - urgency, importance and requirements to carry out financial actions. The results of the analysis are transmitted to the machine learning system.


Identification of the author of the letter among Enron executives

If nothing suspicious is revealed in the letter, the system of text style analysis - Writing Style DNA (“writing style DNA”) comes into play. This Trend Micro development uses a machine learning system to compare the message of a leader or counterparty with his previous messages. Writing Style DNA uses over 7,000 message characteristics to identify a unique sender style. These include the use of capital letters in words and punctuation marks, the length of sentences, favorite words and phrases, and much more.

To create a style model, artificial intelligence needs to analyze from 300 to 500 previously sent letters. An important point: to protect confidentiality, the AI ​​retrieves only metadata characterizing the sender's style, but not the text itself.

What is the result

Compromise of business correspondence differs from ordinary attacks by minimal technological effectiveness. The success of BEC attacks directly depends on the quality of the information collected and the work of social engineers. In fact, these attacks are closer to the usual "offline" fraud, which makes it difficult to counter them using traditional technical solutions.

Successfully detecting and blocking BEC attacks allows the use of defense systems based on machine learning and artificial intelligence in combination with employee training and other organizational activities.