You’ve Got (Compromised) Mail!
There are two kinds of people in this world: those who have been affected by Business Email Compromise (BEC) scams and those who don’t know they have been hit with BEC. It’s happening all the time, in your company, right now. People are getting emails that look official, from a realistic company email address, requesting some form of action; the trouble is, they are not real and they can lead to loss of data, loss of money, or both.
Let’s back up a moment. There’s a third group of people. Those who don’t know what BEC is, let alone whether they have been hit and what to do about it. Let’s deal with that first before we move on to the implications and solutions.
Business Email Compromise (BEC) is the practice of using social engineering methods and sending a legitimate-looking email, from a sender name or email address that appears real, and tricking the recipient into sharing something confidential or valuable. There is rarely any malware involved and it’s largely an attack that dupes the user rather than infects a system. A recent report by security vendor Agari found that “62% of all email attacks against businesses now involve cybercriminals committing impersonation fraud by inserting the name of a trusted individual or brand into the “from sender” field of fraudulent emails.”
Imagine the phone rings. The person on the other end of the call claims to be from your favorite online service, Acme Goods, calling about a huge parcel that they’re planning to deliver later that day. But before they can do so, they need to confirm the information on your credit card. You happily share this information, and then wait eagerly for the parcel to arrive. However, nothing ever arrives. You got scammed out of personal information through a smart, targeted ruse.
That’s much how BEC scams works. Only back in email fraud world, the call is replaced by an email in which the actual sender has been replaced with the name of the sender which looks legit. You get an email from “Cisco Support” yet when you click the name to see the email address of the sender, it’s from “ciscosupport@gmail.com.” Hardly legit, and something we call display name deception. Alternatively, let’s say it’s from support@cisc0.com. This is a look-alike domain. Both of these pose a threat to the recipient of the email who may be fooled and to the company being spoofed which suffers a loss of trust in their brand.
In either case, a quick check of the email address in the From: header should be enough to raise suspicions that the sender is not who they say they are. However, there’s nothing stopping an attacker from spoofing the entire email as well (e.g. Cisco Support support@cisco.com). This is much harder to deduce by simply examining the From: header carefully and looks far more legitimate, even when it is not.
Help is at hand, because we can address this problem using the Domain Based Message Authentication Reporting (DMARC) validation system, which verifies email senders. If a DMARC record check detects a discrepancy in the validation checks set up at the domain (cisco.com), DMARC tells the receiving server to either accept the message or, more likely, to quarantine or reject it, based on policy defined.
In our original analogy, DMARC is much like caller ID. The fake caller may be able to claim verbally that they’re from Acme Goods, but they can’t make the call appear as though it came from within Acme Goods itself.
DMARC goes further, and, as part of the validation process, gives the domain owner reports on who is attempting to use their domain to send messages. It’s like they called Acme Goods just to tell them about the fake caller they caught, along with all the other fake callers caught recently. This visibility allows the sender to fine-tune their policy as new threats emerge. Cisco Domain Protection automates the DMARC email authentication process and gives you visibility into your own and third-party email senders using your domain.
In this way, DMARC helps companies establish brand trust by reducing the threat of non-validated or fraudulent email. The recipient, on the other hand, gets protected by more of our features that help block BEC scams, such as Advanced Phishing Protection, which enables you to block attacks that use identity-deception techniques and remove malicious emails from users’ inboxes automatically.
It’s possible that, if you identify as someone who does not know anything about BEC, it’s because you got duped without realizing it, or that you have an effective email security solution, with DMARC capabilities and advanced phishing protection in place.
Published with permission from blogs.cisco.com.