There has been a lot of news in 2016 about a particular species of phish, the so-called Business Email Compromise (BEC). In this scenario, the attacker poses as an executive of a company, asking someone--usually a subordinate employee--to perform a wire transfer or similar action. When the employee complies and completes the transfer, the company realizes--too late--that it has just given a large payment to a criminal. An investment company in Troy, Michigan, recently lost $495,000 from a BEC phish, so this is not a small matter.
It even hit close to my (professional) home: DomainTools’ CFO recently received a spear phish purporting to come from our CEO, asking her to make a wire transfer of funds. The sending email address was a clever look-alike of “domaintools.com,” using some substituted characters. Fortunately our CFO is very savvy and knew right away that her boss wouldn’t actually make such a request in that way. But it underscores how common this kind of BEC phish is -- and how easy it is for criminals to spoof legitimate emails.
Besides the obvious pain this causes to companies and their employees, this attack trend is troubling on many other levels:
Social engineering: The above example notwithstanding, people collectively remain quite vulnerable to social engineering attacks. In the BEC scenario, the attacker is able to convincingly pose as the executive, and in the strongest examples the fiction goes beyond the simple “from” address on the email. The attacker can comb through publicly available information to get details about the personnel and sprinkle these into the email, lowering the victim’s guard.
Corporate culture: Many companies still have a very hierarchical culture, and many executives expect prompt and, in some cases, unquestioning compliance with requests. Promptness is not a bad thing by itself, but automatic obedience can be dangerous.
Messaging technology: Relying on email filtering to catch phony emails is dangerous. Many BEC emails sail right past such defenses because they don’t carry the payloads that typically get them flagged (such as malware attachments or dangerous links). Email filtering technologies are necessary, but not sufficient, to protect against spear phishes.
As in so many disasters (and the loss of millions of dollars to fraud would constitute a disaster for any firm), there is often a chain of events that had to occur in a specific way for the fraud to succeed. So there is a silver lining here in that each factor has potential mitigations that can disrupt the attack. Some are quite simple.
Social engineering can be thwarted via education. It’s not realistic to expect that 100% of such attacks can be averted, but any improvement is worthwhile. This is one of the places where employee education can pay big dividends. Social engineering is a human problem, not a technological one, so it must be answered in human terms as well.
As far as corporate culture goes, companies would do well to take a cue from the aviation industry, where many accident investigations have concluded that unquestioning compliance with (faulty) captains’ orders contributed to the disaster. Today, airline and military crew members are encouraged to challenge orders from a captain if they believe them to be dangerous or flawed.
There is a valuable analogy in verifying and, if necessary, challenging corporate orders that carry high stakes. It can be as simple as picking up the phone or walking to an office to ask the superior if the request is legitimate. If the subordinate employee doesn’t feel comfortable doing so, they may be able to find a co-worker who will. It could prevent a tremendous loss.
Messaging security, especially spam/phishing detection, has made many advances over the years, and helps cut the “noise level” of illicit emails tremendously. And, given the prevalence of BECs, it’s possible that detection of such emails will improve. From the forensics standpoint, the “from” email address will often contain a look-alike, illicitly registered domain, so that the attacker can carry out a chain of communications with the victim; such domains can in some cases be blocked before they have “fired their first shot.” But the bottom line is that automated detection will never reach 100%, so the other links in the chain have to be as strong as possible.
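The look-alike domains mentioned above (and the substituted-character domain in the DomainTools example earlier) can be caught with a simple sender-domain check that an organisation runs on its own inbound mail. The following is an added example, not DomainTools code or any product’s logic: it normalises common character substitutions, measures edit distance against a protected-domain list, and classifies the sender domain in a From: header. The protected domain list, the substitution table, the TLD handling (a crude split on the last dot) and the sample From: headers are all assumptions constructed for illustration.

```python
"""
Classify a sender domain against a list of protected (legitimate) domains and
flag look-alikes of the kind registered for BEC phishing. Added example, not
DomainTools code; PROTECTED, HOMOGLYPHS and the sample headers are constructed.
"""
from email.utils import parseaddr

# Domains the organisation legitimately sends from (assumed for the example).
PROTECTED = ["domaintools.com"]

# Character substitutions commonly used to build look-alike names. Multi-character
# sequences come first so they are collapsed before single characters are mapped.
HOMOGLYPHS = [
    ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"), ("8", "b"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"), ("\u0440", "p"),  # Cyrillic a, e, o, p
]


def normalize(label: str) -> str:
    """Collapse confusable characters so a look-alike compares equal to the real name."""
    label = label.lower()
    for glyph, canonical in HOMOGLYPHS:
        label = label.replace(glyph, canonical)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch single-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_domain(domain: str, protected=PROTECTED):
    """Return (verdict, reason); verdict is 'ok', 'suspicious' or 'unknown'."""
    domain = domain.lower().strip(".")
    for p in protected:
        # Exact match or a subdomain of a protected domain is legitimate.
        if domain == p or domain.endswith("." + p):
            return "ok", f"legitimate domain {p}"
    name = domain.rsplit(".", 1)[0]  # drop the TLD (crude; assumed good enough here)
    for p in protected:
        pname = p.rsplit(".", 1)[0]
        if name == pname:
            return "suspicious", f"same name as {p} under a different TLD"
        if normalize(name) == normalize(pname):
            return "suspicious", f"homoglyph look-alike of {p}"
        if levenshtein(name, pname) <= 1:
            return "suspicious", f"one edit away from {p}"
        if pname in name:
            return "suspicious", f"embeds the name of {p}"
    return "unknown", "unrelated external domain"


def assess_sender(from_header: str, protected=PROTECTED):
    """Evaluate a raw From: header value such as 'Name <user@host>'."""
    display, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    if not domain:
        verdict, reason = "unknown", "no parseable address"
    else:
        verdict, reason = assess_domain(domain, protected)
    return {"display": display, "address": address, "verdict": verdict, "reason": reason}


# Constructed sample headers (not real mail) of the kind a finance inbox might hold.
SAMPLE_FROM_HEADERS = [
    "Chief Executive <ceo@domaintools.com>",
    "Chief Executive <ceo@dornaintools.com>",   # rn -> m substitution
    "Chief Executive <ceo@d0maintools.com>",    # digit zero for o
    "Chief Executive <ceo@domaintools.co>",     # same name, different TLD
    "Accounts <billing@example.com>",
]

if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        result = assess_sender(header)
        print(f"{result['verdict']:10} {result['address']:28} {result['reason']}")
```

A "suspicious" verdict here is a triage signal rather than a block decision: the edit-distance and substring rules will also match some unrelated legitimate domains, so the practical use is to route such messages for the out-of-band verification the article recommends (a phone call or a walk to the executive's office) and to feed confirmed look-alikes to a blocklist.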
If the first few months are any indication, the info security retrospectives at the end of 2016 will cite BECs as one of the big stories, along with ransomware and critical infrastructure attacks. Let’s hope that those stories also contain accounts of successful foiling of BECs. It’s a realistic (if ambitious) goal, but it demands appropriate attention and action.