Shearwater champions new insights in battle against BEC
The data is in and the picture it paints isn’t good.
For thousands of recent Australian victims, the fact that Business Email Compromise (BEC) attacks are on the rise comes as no surprise.
BEC continues to be a highly profitable attack vector for cybercriminals.
Using highly sophisticated methods, attackers are targeting businesses across the world, and we are particularly vulnerable.
According to the Australian Competition and Consumer Commission (ACCC), BEC losses exceeded $3.8 million in 2018, representing a 53 percent increase from the previous year.
Combine these losses with those reported to the Australian Cybercrime Online Reporting Network, and email scams have cost Australian businesses in excess of $60 million!
Clearly new strategies are needed to fight this growing threat.
Using data to drive new insights
When it comes to the battle for email security, data offers us potential new strategies by yielding fresh insights.
During her final year as a student in the Bachelor of IT (Network Security) program at TAFE NSW, Fariha Uddin undertook her capstone project in conjunction with Shearwater.
Together, we sourced vast sets of email metadata that had been used by Enron, the defunct US energy giant.
Why Enron? As a large organisation that no longer exists, we could access many years’ worth of publicly available historical metadata, without breaching any privacy requirements.
By doing a deep dive into their metadata, Fariha was able to identify important patterns of behavior. Using heat-mapping data visualization techniques, Fariha explored the vast volumes of email traffic, and the times of day they were transmitted.
The key questions Fariha was seeking to answer included:
· When were emails sent and received?
· Who sent or received them?
· At what times of the day?
· Were they from internal or external sources?
This data offers the potential of yielding valuable insights to help predict where and when a BEC attack is likely to occur.
What are BEC attacks?
BEC attacks prey on people’s innate desire to be helpful by quickly responding to “urgent” or “important” email requests from superiors or suppliers.
Attack emails are sent from a compromised or spoofed email account with a forged sender address. The emails are cunningly crafted to persuade employees to transfer funds into a ‘new’ bank account.
For example, a CFO may regularly send requests to a member of their accounts team with instructions to pay for certain goods or services. A BEC email would exactly replicate the nature of such email requests, including the day and time when they are usually sent. The only difference would be that the fake CFO email would contain bank account details belonging to the attacker. The unsuspecting member of the accounts team would make the payment in line with the instructions in the fake CFO email. By the time the error is discovered, the attacker will have received the funds.
The high-quality nature of the emails and sending them at times when the employee is known to be under stress or particularly busy, make BEC email attacks extremely effective.
BEC attacks often occur after a prior phishing attack. A successful phishing attack can disclose valuable information to the attacker, such as the Chief Financial Officer’s correspondence, schedules, calendars, and much more. This detailed information enables the attacker to know the types of requests the CFO usually makes of their staff, the times they usually make them, and even their writing style can be impersonated.
Armed with so much valuable information, the attacker is able to ensure the requests to transfer funds seem like business as usual to staff in the organisation.
Knowing the tactics that are being used, Shearwater is keen to explore new avenues that can help us get one step ahead of the cybercriminals.
What have we learnt?
Thanks to Fariha’s analysis of the Enron email trove, new perspectives were ascertained to answer the critical question:
Who, in an organisation, is most likely to be susceptible to a BEC attack?
From her data analysis, we were able to visualise “normal” email behaviour patterns. Anything that did not conform to “normal” behaviour was flagged as a sign of a possible attack.
If we can learn who the attackers are likely to target, extra training can be provided to these individuals. Furthermore, care may need to be taken to ensure they are not deluged with email, so they have the capacity to adequately verify the veracity of items landing in their inboxes.
The collaboration between Fariha and Shearwater was so successful that this project will continue to Phase 2 and will be passed onto another student for further development.
How Shearwater can help you?
Shearwater’s commitment to innovation in the email security space is uncovering important insights that may ultimately prove invaluable in the battle to improve email security.
With rapidly escalating costs associated with BEC email attacks, such innovation is timely.
By developing the talents of the next generation of cybersecurity professionals with real-world problems to solve, Shearwater is looking to the long-term to provide a safer connected world.
Our commitment to innovation will give you the best chance to stay safe.
Phishing Awareness Training & Simulation Program
Phishing awareness training is a scaleable, cloud-based phishing awareness and simulation program developed by certified cybersecurity professionals at specialist information security services provider Shearwater Solutions. Phriendly Phishing benchmarks employees’ existing phishing knowledge (before deploying educational modules), tests improvements and supports re-education. This journey-based approach encourages users to reach milestones and includes an option to gain practical experience with simulated phishing campaigns. It is these features that make Phriendly Phishing both engaging and extremely effective, and through ongoing research and practical experience in the field, Phriendly Phishing developers ensure that training remains current with real-world phishing threats and techniques.