Preventing Business Email Compromise Calls for Analyzing Email Language

Email security may be a relatively young industry, but it’s gone through more changes in the past ten years than most have in the past 50. That’s largely because phishing attack techniques are getting more sophisticated by the day, testing anti-phishing defenses with business email compromise (BEC), social engineering and impersonation attacks that carry no malware or links to malicious URLs.

As noted in the most recent Verizon Data Breach and Incident Response report, the vast majority (67%) of data breaches are caused by social attacks delivered via email phishing, and these attacks have proven to be a high-yield and lucrative endeavor for scammers.

The latest FBI Internet Crime Report recorded more than $3.5 billion in losses to individual and business victims, with the most frequent complaints being phishing, non-payment/non-delivery scams, and extortion. Businesses of all sizes have been susceptible to these attacks. 

Traditionally, companies have invested in phishing awareness training to help educate workers on the telltail signs of malicious emails, along with secure email gateways, DMARC and other email security point solutions.

More recently, Breach Attack Simulation (BAS) and Automated Penetration Testing have emerged as a way to continuously stress test the effectiveness of control points, and identify the gaps in email security that might exist. 

Despite these safeguards, email continues to serve as the vector for nine out of ten cyber-attacks. Fortunately, there’s a new technology being built into anti-phishing tools that is proving to be effective at identifying business email compromise and other payload-less attacks - natural language processing (NLP).

Natural Language Processing: An Extra Layer of Security

NLP is defined as a “subfield of linguistics, computer science, information engineering, and artificial intelligence concerned with the interactions between computers and human language.” While NLP is in its infancy with cybersecurity, it is particularly promising due to its ability to comprehend context.

As BEC attacks continue to increase in frequency and sophistication, NLP has begun to analyze the content of such messages, finding that the vast majority include variations of the same four messages, including:

  • Employee availability checks (“Hi are you available?”)
  • Requests for an unspecific task (“Hi, I’m in meetings today and need a quick task done.”)
  • Requests for a gift card (“Hi, I need you to purchase 20 Amazon gift cards as a present to our biggest client.”)
  • Requests to change direct deposit, bank details or request for payment. (“Hi, we need to change our direct deposit address for employees next week, can you update?”) 

While most email security tools are well-designed to stop malware or malicious links at the gateway, it’s far more difficult to prevent messages, like the above, from reaching their intended targets if NLP is not in deployed. That’s because most email security tools are designed to look for the what (links, attachments) and the who (identified cybercriminals) of email but not the actual language of an email. That’s why companies that rely on traditional indications of compromise (IOC), such as malicious links or attachments, take on more risk.

Avoiding False Phishing Positives

We’ve all received an email from a colleague or superior who asks if you can come by their office in 15 minutes. The savviest phishing emails will play on these dynamics with highly targeted attacks that spoof a sender of whom a recipient is used to seeing an email come from (i.e. a CEO emailing a CFO).

This opens up a lot of possible false positives and false negatives if we were to only look at language in a silo without more indicators of potential compromise. That’s why It’s no longer enough to rely on one authentication protocol to detect BEC attacks. When an email hits the mailbox, there needs to be a three-step process:

  • Scan the content, links and attachments (the What).
  • Verify the sender and prevent impersonation by analyzing email communications, behavior and meta data in real time (the Who). 
  • Analyze the language for typical BEC indicators using natural language processing (the Intent).

To further boost security infrastructure, natural language processing uses machine learning and artificial intelligence to scrape and analyze metadata of email syntax, looking for patterns to watch for and flag. This added layer of authentication also help to prevent vendor account compromise by picking up the differences in language between internal and external senders.

That’s why natural language processing can achieve such great results, compared to traditional software that simply matched keywords and back-end signatures. For companies that don’t have this in place, the consequences could be severe.

In an example from last year, a European arm of Toyota, Toyota Bokhoku Corporation, was targeted by a scam with reported losses totaling $37 million. On the surface, the BEC attack was not very sophisticated: an attacker posed as a business partner of the Toyota subsidiary, and sent emails to members of the finance and accounting department, requesting that funds be sent for payment into a specific bank account controlled by the hacker.

While the attack might have required the employee to obtain multiple signatures and approvals before making the payment, Toyota was large enough that $37 million didn’t raise the alarm bells it should have.

Without enforceable industry rules, regulations or standards, every organization is free to choose what type of email security to invest in. When looking at opportunity-cost for Toyota, had the car maker invested in BEC protections, then those emails may never have gotten through in the first place and the company could be $37 million richer than it is today.

What’s Hot on Infosecurity Magazine?