BEC via ATO: When the Emails Are Coming from Inside the House

There is a classic horror movie trope where a babysitter is being prank called. When the police trace the call, they inform her that the calls are coming from inside the home. In cybersecurity, this happens in the most dangerous form of Business Email Compromise (BEC), called an Account Takeover (ATO).

What is Business Email Compromise?

BEC is an overarching category of cyber attack. BEC scams are a specific and highly effective form of phishing email: convincing or motivating communications designed to look as though legitimate companies or vendors sent them.

BEC attacks are different from more generic phishing attacks in that they personalize the email with information culled from public sources including the target company’s website and the targeted user’s social media accounts. They use these emails to get prospective victims to share personal, account, or financial information to gain access to their accounts or the company at large.

A frequent attack pattern involves Invoice Fraud, where the hacker sends a fraudulent request for payment from a known and trusted vendor, but to an account the hacker controls. If the email looks like it’s from a trusted source, victims are liable to make the payment without thinking twice.

Another attack pattern involves the impersonation of a company executive, sometimes the CFO or CEO, targeting lower-level employees in functions like accounts payable and human resources. In this type of attack, the employee gets a seemingly authentic and urgent request to send money or information to the attacker. Again, because the email looks authentic and in this case appears to come from an executive, the employee is less likely to question or push back, and more likely to comply as fast as possible.

And BEC attacks are on the rise. According to a report from the FBI’s Internet Crime Complaint Center (IC3), “identified global exposed losses” from BEC scams increased 136% between December 2016 and May 2018.

Examples of recent BEC attacks are everywhere. Japan Airlines Co. lost ¥384 million (approximately $3.4 million) to hackers who used fraudulent accounts in China. And it was a BEC attack that cost European-based cinema chain Pathé 10% of its total earnings, a staggering $21.5 million (roughly €19 million). Closer to home, Google and Facebook were phished for over $100 million due to BEC.

Account Takeover (ATO): Bad to Worse

BEC attacks like the ones described above are dangerous, but at least have a chance of being spotted. If you’ve implemented a security awareness program, then your employees know to look at the sender’s actual email address (not just the “From” label), and hopefully they’re hovering over links before clicking on them to ensure that they’re truly going to a trusted site.

But what if the bad emails are actually coming from a trusted sender? This happens when a trusted email account is compromised, which is known as Account Takeover (ATO). ATO occurs when a legitimate user’s email account credentials are compromised. Attackers have numerous tactics for obtaining credentials: installing malware, password cracking, buying credentials on the dark web, and even plain old “shoulder surfing,” where they watch the user type in their password.

How can these emails, coming from a legitimate sender’s account, possibly be caught?

(Spoiler alert: We can help)

How You Can Protect Yourself to Avoid a BEC Attack

Every company wants to avoid the reputational and financial losses associated with a BEC attack. Barring locking down every email account in your company or never allowing wire transfers to be sent without half the company being present, there is only one way to stop the threat that stems from phishing emails: use an anti-phishing service that can prevent these types of ATO and BEC attacks.

Clearedin’s anti-phishing platform is designed to prevent these targeted spear phishing attacks. Unlike other solutions, Clearedin’s artificial intelligence (AI) and machine learning platform scans and analyzes your end users’ chat and email communications metadata from platforms like Gmail, Office 365, and Slack to identify patterns and build a business communications Trust Graph. The Trust Graph protects the company’s email from phishing and other BEC scams without reading the content of the communications, offering the best security while protecting the privacy of employees and clients.

But how does Clearedin’s anti-phishing solution work to prevent BEC through phishing emails?

  • Clearedin establishes a sender baseline. The AI assesses email sender patterns to determine how frequently individuals send emails, from which locations, at what times of day, and so on. If something registers as being out of alignment with the baseline pattern, the security administrator gets notified that the sender’s email may be compromised.
  • Clearedin establishes a recipient email baseline. The AI also assesses baseline internal receive patterns — meaning how often you receive emails from individual people — to determine whether an email is safe or should be flagged as suspicious.
  • Clearedin automatically labels and disarms perceived risks. When an email is identified as a potential risk by the platform, it is automatically labeled and disarmed. At the same time, it provides actionable information to help the end user make an informed decision about whether to unlock it.
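The baseline idea in the list above can be sketched with metadata alone. This is an added example, not Clearedin's code or algorithm: it profiles each sender's send hours, source countries and recipients, then reports which features of a new message fall outside that profile, which is what still works when the sending address is genuine. The field names, sample records, thresholds and action labels are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample metadata only (no message content):
# (sender, recipient, UTC timestamp, source country code)
HISTORY = [
    ("cfo@corp.example", "ap@corp.example", f"2019-01-{day:02d}T{hour:02d}:15:00", "US")
    for day, hour in [(7, 9), (8, 10), (9, 9), (10, 14), (11, 11), (14, 10)]
]

def build_baselines(records):
    """Per-sender profile of send hours, source countries and recipients."""
    profiles = defaultdict(lambda: {"hours": set(), "countries": set(),
                                    "recipients": set(), "count": 0})
    for sender, recipient, ts, country in records:
        p = profiles[sender]
        p["hours"].add(datetime.fromisoformat(ts).hour)
        p["countries"].add(country)
        p["recipients"].add(recipient)
        p["count"] += 1
    return profiles

def deviations(profiles, message, min_history=5, hour_window=2):
    """List the metadata features of `message` outside the sender's baseline."""
    sender, recipient, ts, country = message
    p = profiles.get(sender)
    if p is None or p["count"] < min_history:
        return ["insufficient_history"]  # no baseline yet, so not "normal"
    hour = datetime.fromisoformat(ts).hour
    # Circular distance: 23:00 and 01:00 are two hours apart, not 22.
    nearest = min(min(abs(hour - h), 24 - abs(hour - h)) for h in p["hours"])
    found = []
    if nearest > hour_window:
        found.append("unusual_hour")
    if country not in p["countries"]:
        found.append("new_source_country")
    if recipient not in p["recipients"]:
        found.append("first_contact_with_recipient")
    return found

def label(found):
    """Map deviations to an action; the thresholds are illustrative assumptions."""
    if not found:
        return "deliver"
    return "disarm_and_notify_admin" if len(found) >= 2 else "label_for_user"
```

A sender with too little history is reported as such instead of being treated as normal, since an empty baseline cannot vouch for anything.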

A reliable anti-phishing solution as part of your cyber defense is far more effective than relying on employee awareness training alone.

Keeping all of the virtual windows and doors locked on your company’s digital “house” is very difficult once a threat is already inside. Clearedin prevents you from being the stereotypical movie babysitter: it keeps the danger of BEC attacks outside of your business as much as possible, and warns you of anomalous activity even from internal trusted email senders.

To learn more about Clearedin or to learn how we can help protect your business from business email compromise in 2019 and beyond, reach out to one of our cyber security experts today.
