Organizations Heavily Invested in Security Solutions Fall Victim to Social Engineering Attacks and Human Error
By Ameet Naik, Director of Product Marketing, Armorblox
A recent report from the Financial Crimes Enforcement Network(FinCEN), a division of the US Treasury, shows that Business Email Compromise (BEC) costs the US economy over $300 million each month. This is a staggering amount, especially considering that a large portion of this is borne by small and mid-sized businesses.
FinCEN has issued an advisory to financial institutions alerting them to the scope of the problem. While banks can do their part in detecting and blocking suspicious transfers, information security practices also need to evolve to counter these threats. BEC scams don’t just steal money, they also steal data, which can then be used to perpetrate more sophisticated scams, and leave organizations exposed to liabilities and compliance penalties.
Why BECs Work: Social Engineering Not Hacking
Unlike malware or phishing links, BEC attacks are simple textual emails that look just like any other email. Invoices, contracts and payroll documents are routinely shared over email both within an organization and with external parties, such as vendors, contractors, business partners, and former employees. An attacker with some knowledge of these workflows can inject a spoofed email into the flow with a fake invoice, or a request for gift cards for example. These emails often use social engineering tricks like pretending to be from an authority figure or feigning urgency.
The top method for BEC scams according to the FinCEN report is invoice fraud, followed by gift cards. The funds are usually first sent to an account within the US to take advantage of the high-speed payment networks. By the time the organization realizes they have been scammed, the funds are usually wired to overseas accounts or converted into hard-to-trace cryptocurrency.
The victims often have little recourse once this happens. The FBI’s Internet Crimes Complaint Center (IC3), tasked with fighting BEC fraud, estimates that over $12 billion have been lost to such attacks since 2013. If the attack is detected early, the FBI can work with financial institutions to block or reverse wire transfers. However, in the majority of the cases, the funds are lost for good.
Email is a Truck-Sized Hole
Email is a truck-sized hole in most organizations’ cyber defenses. It’s an open communication channel over which employees can exchange documents, invoices, contracts with almost anybody on the Internet. Email’s simplicity is very attractive to organizations that are more recent digital converts. Sadly, they’re the ones most vulnerable to BEC attacks. According to the FinCEN report, manufacturing and construction were the top hit industries in 2018, followed by real estate. BEC attacks not only cause financial loss to these organizations but also poison the ecosystem by eroding trust in digital channels like email.
Traditional email defenses have focused on inbound threats, such as spam and malware. However, BEC attacks are targeted and contain no malware, which means they can sail past all legacy inbound email defenses. Email data loss prevention (DLP) solutions try to prevent data exfiltration over email but suffer from a high rate of false positives, which clog up incident queues and lead to alert fatigue. Hence most organizations don’t have effective outbound controls in place to prevent BEC-induced data leakage.
Infosec teams are struggling to solve this problem since any restrictions on inbound or outbound emails risk throttling business processes, impacting productivity. Technical controls, like DMARC, DKIM, and SPF, are blunt instruments that risk blocking vast swathes of legitimate emails. So most organizations that validate DKIM/SPF have a fail-open policy that lets in non-compliant emails. Metadata controls like these are ineffective in preventing BEC.
The Need for Understanding
Detecting and stopping BEC attacks requires a thorough understanding of not just the metadata, but also the contents of emails and attachments. Some of the indicators of BEC emails are:
- Impersonation: The email appears to be from a known party, but the email address is different. Sometimes these differences are difficult to notice; ex. açme.com, instead of acme.com.
- Tone: The email has a tone of urgency, or it’s sent during busy periods, such as the end of the quarter, or tax season.
- Writing Style: The email appears to be from a trusted party but exhibits a different writing style.
- Content: The email contains sensitive information, like wire transfer details, gift card numbers, etc.
Security awareness training can help users recognize signs of BECs, but human cognition has its limits. Social engineering has been highly effective in exploiting these limits. Even the best of us have days when we’re vulnerable to compromise.
Security Powered by Understanding
This is where machine intelligence can make a marked difference. Natural Language Understanding (NLU) is a branch of Natural Language Processing dealing with language comprehension. (If you ever used Siri or Alexa, you have already used NLU.) Using NLU, machines can actually understand the tone, content and writing style of emails. This is a brand new signal which, when combined with legacy metadata signals and an understanding of communication patterns, can accurately detect BEC attacks.
Machines are immune to social engineering, and their comprehension does not change with the time of day or their workload. As a result, they can make objective observations and inform the recipient when an email is a potential threat.
Armorblox has built the world’s first natural language understanding (NLU) platform for cybersecurity to help information security practitioners and organizations defend against BEC attacks. Amorblox analyzes context, tone and writing styles across communications platforms, stopping today’s biggest attacks by detecting and preventing inbound threats and outbound data loss.
The Armorblox NLU-powered cybersecurity platform connects to your cloud-based or on-premises email platforms such as Office 365, G Suite or Microsoft Exchange. Using the latest advances in NLU and deep learning, Armorblox analyzes emails to understand social interactions, writing styles, and conversation topics between users both inside and outside your organization. When new emails come in, or are sent out, Armorblox can detect if the email represents a BEC attack or data leakage. Depending on customizable policies, Armorblox can then alert the user using labels within the email, or quarantine the email and alert the security admin.
About the Author
Ameet Naik is the Director of Product Marketing at Armorblox, with more than 20 years of experience in information security and data networks. Having held senior solutions engineering roles for several of the leading networking and security vendors, Ameet has advised multiple global service providers and financial services organizations on best practices in enterprise security since the early days of the Internet. A nerd at heart, Ameet loves to write, speak at industry conferences and travel the world in search of clever ideas and good food. Ameet holds an MBA from the Kellogg School of Management and a Bachelors degree in Computer Engineering from the University of Mumbai. Ameet can be reached online at Ameet@armorblox.com or @naik_ameet, and at our company website https://www.armorblox.com/