Business email compromise (BEC) attacks are most commonly aimed at small and medium enterprises, Symantec has warned.
A BEC involves an email that appears to come from the chief executive or owner, instructing finance staff to make a payment to a particular account – or, more worryingly, via a money transfer service.
According to Symantec, more than 400 businesses are hit by these scams daily, and at least $US3 billion has been lost in the last three years. The security vendor says one criminal group is responsible for 12 percent of BEC emails.
'Spoofing' the sender's address is very easy to do if you know the person's name and email address. That's because what appears in a message's From field is whatever the sender told their email program to put there. The lack of any enforced relationship between the From field and the originating account is one of the weaknesses of the email protocol.
Setting up a Sender Policy Framework (SPF) record for your domain can help with that problem. An SPF record provides a mechanism for checking that the IP address of the system the email originated from is allowed to send email for that domain.
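To make the mechanism concrete, here is a small SPF evaluator written for this article (it is not Symantec's code or part of any mail product). It takes the TXT record string a receiving server would fetch for the sender's domain and the connecting IP address, and returns the SPF result. The record and addresses are constructed examples; only the ip4, ip6 and all mechanisms are handled, because include, a and mx need live DNS lookups. Note that real receivers check the envelope sender (MAIL FROM) domain, so SPF on its own does not validate the displayed From header that BEC messages forge.

```python
"""Minimal offline SPF evaluator (ip4 / ip6 / all mechanisms only)."""
import ipaddress

# Constructed record for a hypothetical domain; not any real domain's record.
EXAMPLE_SPF = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"

# RFC 7208 qualifiers and the result each one yields when its mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sending_ip):
    """Return the SPF result for sending_ip against a TXT record string.

    Only ip4, ip6 and all are supported. Any mechanism that would need a
    DNS lookup (include, a, mx, exists) returns "permerror" here, since this
    example deliberately performs no network access.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all

    ip = ipaddress.ip_address(sending_ip)
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism is implicitly "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]

        name, _, value = term.partition(":")
        name = name.lower()

        if name == "all":
            # "all" always matches; the qualifier decides the outcome.
            return QUALIFIER_RESULT[qualifier]

        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix
            if ip.version == network.version and ip in network:
                return QUALIFIER_RESULT[qualifier]
            continue  # no match, try the next mechanism

        if "=" in term:
            continue  # modifiers such as redirect= or exp= are ignored here

        return "permerror"  # mechanism this offline evaluator cannot resolve

    # No mechanism matched and the record has no "all": RFC 7208 says neutral.
    return "neutral"


if __name__ == "__main__":
    for addr in ("203.0.113.45", "198.51.100.7", "2001:db8::1"):
        print(addr, "->", evaluate_spf(EXAMPLE_SPF, addr))
```

Run as a script it prints the result for three constructed sending addresses: one inside the permitted IPv4 range, one outside it (which hits the `-all` and fails), and one inside the IPv6 range. A `~all` record would turn the second case into a softfail, which is why publishing `-all` matters once you are confident the record lists every legitimate sender.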
It’s also possible, though much less common, for an attacker to have gained access to the executive's email account. (Which is why using the same password for multiple purposes is bad, and using your work email password with any other service is very bad.)
When it comes to detecting BEC attacks, it's really up to finance staff doing the right thing. Symantec suggests they should question any emails requesting actions that seem unusual or don't follow normal procedures, and if an email seems suspicious they should not reply but instead make sure they have the executive's correct address and send a new message asking about the purported instructions. (Asking them face to face or by phone wouldn't be a bad idea either.)
Symantec observed that most BEC emails have a single-word subject line, and that the subject always contains one of the words request, payment, urgent, transfer and enquiry. It would therefore be good practice to avoid sending genuine messages with such subject lines.
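That observation is simple enough to turn into a mail-filter or SIEM triage rule. The following example, written for this article rather than taken from Symantec, parses a batch of constructed raw messages with Python's standard `email` package and flags those whose subject is a single word from the observed list. It is a heuristic for routing messages to a second look, not proof of fraud, and the sample headers are made up.

```python
"""Flag messages whose subject matches the single-word BEC pattern."""
import email
from email import policy

# Subject words Symantec observed in BEC emails (from the article).
BEC_SUBJECT_WORDS = {"request", "payment", "urgent", "transfer", "enquiry"}


def is_suspicious_subject(subject):
    """True when the subject is exactly one word and that word is on the list.

    Trailing punctuation and case are ignored so "Urgent!" or "PAYMENT"
    still match, while a multi-word subject such as "Urgent: server
    maintenance tonight" does not.
    """
    words = subject.strip().split()
    if len(words) != 1:
        return False
    return words[0].strip(".:!?,").lower() in BEC_SUBJECT_WORDS


def triage(raw_messages):
    """Return (From, Subject) pairs for every message that matches the rule."""
    flagged = []
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        subject = str(msg.get("Subject", ""))
        if is_suspicious_subject(subject):
            flagged.append((str(msg.get("From", "")), subject))
    return flagged


# Constructed sample messages; the addresses are reserved example domains.
SAMPLE_MESSAGES = [
    "From: CEO <ceo@example.com>\nTo: finance@example.com\nSubject: Urgent\n\n"
    "Please process the attached invoice today.\n",
    "From: Alice <alice@example.com>\nTo: finance@example.com\n"
    "Subject: Q3 budget review\n\nSlides attached for Monday.\n",
    "From: Owner <owner@example.net>\nTo: accounts@example.com\n"
    "Subject: PAYMENT\n\nI need a transfer made before close of business.\n",
    "From: IT <it@example.com>\nTo: all@example.com\n"
    "Subject: Urgent: server maintenance tonight\n\nExpect downtime 22:00-23:00.\n",
]


if __name__ == "__main__":
    for sender, subject in triage(SAMPLE_MESSAGES):
        print(f"flagged: {subject!r} from {sender}")
```

Of the four constructed messages, the two with the bare subjects "Urgent" and "PAYMENT" are flagged; the multi-word subjects pass even though one of them begins with "Urgent". In practice you would pair the rule with the article's advice that a flagged request be confirmed through a fresh message to the executive's known address or in person, rather than by replying.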
In addition, the company recommends using two-factor authentication for initiating wire transfers.