These days, we hear a lot about Business Email Compromise (BEC). There’s good reason for concern. BEC phishing emails operate without links and without attachments, two of the standard markers that can signal someone is trying to hack you.
Instead of taking over your computer or stealing data, BEC hackers persuade you to perform some action, like wiring money or attaching information to an email. So it’s a social engineering attack, as well as a phishing attack.
Two tech companies recently wired a hacker $100 million. That should be a red flag because it shows how high the stakes are. It also should be a warning that being a big company with massive security budget doesn’t mean you’re immune to this type of hack.
One version of this attack asks the target to wire money, or to fulfill a payment. Another version simply asks for a file, like employee W-2’s. Companies as sophisticated as Snapchat have fallen for that one, and the company was forced to admit to attaching hundreds of employee records to an email reply.
BEC, the kind not served on a sesame bagel.
According to the FBI, these hacks have already cost companies $3.1 billion — and those numbers were compiled before the latest growing surge of popularity.
One of our clients reported that they received more than 30 of these emails a week, each one landing in an inbox, just waiting for a user to make a simple mistake. Corporate boards express a particular urgency in stopping these attacks since board members and executives are often targets.
However, along with concern there’s also a puzzling sense of complacency about this type of hack.
Many IT departments think they’re covered because their email infrastructure uses SPF, DKIM, and DMARC anti-spoofing technologies. Those standards have their place, and they’ve helped make us safer overall, but when it comes to these particularly pernicious BEC phishing attacks, they don’t protect us much. Here’s why.
Let’s start with a made-up example, based on an email that actually appeared in the inbox of the CFO at a major corporation. I’m changing the names, and we’ll pretend that “Walt Disney” happens to run this place.
Now, if you’re an employee who likes a paycheck, you’d drop everything to answer that, especially if it came from the CEO himself.
That seems like just the right response to keep your job.
Many factors make this scam work well from a human perspective: the email comes from authority. A victim can actually converse with the attacker, which lowers their guard. Also, there’s no link to click on, nor any attachment, which most of us now watch for as phishing red flags.
The emails often accurately mimic the tone of a boss-employee relationship. If they want to get sophisticated, attackers can even tailor their attacks to your, or your boss’s specific interests, often gleaned from LinkedIn or Facebook. If your company is in the news about an upcoming expansion, for example, that can be another avenue of attack.
In my example, I referred to company’s expansion to China and used some international business jargon (WFOE stands for wholly foreign owned entity) because I’ve found that companies thinking of doing business in China are particularly susceptible to these attacks. It’s hard enough for a CFO to keep up with their own country’s demands: a leap to another market is just the sort of confusion that a hacker can jump on. It’s also a business detail that might show up in the Wall Street Journal, tipping off an attacker to the perfect time to pounce.
From a technical perspective, how do emails like this keep getting through? Even with SPF, DKIM, and DMARC all turned on, this still ended up in your CFO’s inbox where you’re just a click from a six-digit loss.
Sender Policy Framework (SPF)
SPF allows you to authorize the set of outbound mail servers that use your name in your DNS records. Many SPF records include Gmail and Office 365 servers, as well as Mailchimp for newsletters. Large companies tend to authorize many entities on their SPF records and can’t always keep track.
SPF is outward-facing, which helps other companies screen emails pretending to be from you, but doesn’t help when you receive email — and it does nothing when an email is sent from another domain, which may actually have its own, correct SPF record.
Domain Keys Identified Mail (DKIM)
DKIM takes certain fields of the mail (you can specify which ones) and creates a cryptographic signature, allowing you to verify that they haven’t been changed. By verifying part of an email, DKIM is stronger than SPF. However, it does occasionally fail with mailing lists, for example, which forward and modify emails. With most DKIM implementations, you must create many exceptions. It’s still a useful tool, but like SPF, it looks outward, protecting other servers from someone misusing your domain. As we will see, it can’t stop BEC emails.
Domain Message Authentication Reporting & Conformance (DMARC)
DMARC takes both DKIM and SPF to the next level by providing a feedback mechanism for the rules you set in your DNS. If other mail servers have DMARC services turned on, you’ll get reports that someone is trying to use your domain, or sending emails that spoof your domain. So DMARC is great for giving you a heads-up that someone is misusing your domain, but again, aside from some flags in your inbox, there’s not a lot you can do about BEC.
Regarding our example, a close examination of the domain that this email was sent from would show that this Walt Disney is at executive-email-online.com. This domain, bought by a hacker (whom you can bet is not named Walt Disney) has SPF and DKIM turned on, so there is nothing for your server to flag.
As far as your system knows, “Walt Disney” might be a real user at the domain it was sent through, and the three policies noted don’t offer any way to stop it. This is because they’re exploiting your CFO’s name — not the company name.
Latching onto a somewhat official-sounding domain is a hacker trick. An email can pretend to be from an app or an email service you’ve never heard of. You might catch some of these if you happen to look at the full domain of the email in your inbox. But that’s something we rarely do.
An even more dangerous version of this hack uses an email address close to your company’s. My company, Area1Security.com might be spoofed with AreaSecurty or any of a large number of other minor spelling variants. A hacker may use something like area1security.enterprisemailservers.com. Similarly, an attack could spoof the name of someone you do business with, such as a supplier, banker, realtor, or media partner. The possibilities are endless; plus, the influx of new domain extensions makes this problem a lot worse.
But what if the example above was a bit bolder, and the attacker didn’t even bother with a fake domain and merely sent an email forged to be from your domain? Even with SPF active, you don’t end up much better off. You might get a message warning you that the sender may not be who it claims to be. In addition, if you use a service like Gmail, your email would notice that this Mr. Disney isn’t in your contact list. Accordingly, Gmail would treat this a little differently than an email from your actual Walt Disney, giving the contact a generic avatar like “WD” instead of a photo.
Again, this feature is better than nothing, but it still requires you to notice. Smart hackers might wait to send an email until they know you’re on your phone, perhaps on your commute home from work, where GMail’s mobile site displays fewer flags to alert you.
Protecting your executives’ names isn’t as straightforward as it sounds. There are actually a host of legitimate services that spoof display names. While I’m sure that companies have good reasons for doing this, there is no doubt that the practice greatly complicates the email ecosystem.
The following sample headers show how these might look:
I recently saw an attack where hackers registered a look-alike domain for a company, then signed up for trial offers of MailChimp and Microsoft 365. Phishing emails sent from this domain would be fine by most strict SPF rules because those are real services that many companies use!
If there’s a lesson in all this, it’s that modern phishing exploits do more than exploit brands, which have long been an important part of the hacking dark art. Your company has spent a lot of time and money to protect its domain, but almost nothing protects your name, and that’s what makes BEC so effective. This is also something that SPF, DKIM and DMARC — even if every server used them — weren’t designed to stop.