Living in today’s world, it is extremely likely you have been using business email for quite a while. It’s also extremely likely that you’ve fallen prey to business email compromise / BEC attacks at one point or the other. If you’re confident you’ve been immune to BEC all these years, it just means you don’t know you’ve been a victim of this cyber-attack.
Yes, BEC is that subtle and just as deadly. In a nutshell, a BEC attack occurs when a hacker injects himself into an ongoing conversation, understands the discussion, and then uses a spoofed business email ID to send his own email prompting an action.
This action can be a request for the release of funds, or a notice of a change in bank account details, or a query for a sensitive document. Because the conversation has been going on in a normal flow and the email ID looks valid prima facie, nobody suspects illicit activity and the victim complies with the request.
This leads to the leakage of sensitive data, loss of money, or reputation tainting.
At the core of BEC attacks is social engineering which entails deep research about the target organization, its email communication lingo, and also the employee hierarchy. Armed with this intimate knowledge, hackers can understand whom to dupe and whom to impersonate so that the victim is likely to comply.
What sets BEC apart is that it rarely depends on malware injection or malicious payloads. Instead, it plays with human emotion and manipulation. The only technical part of BEC is domain spoofing, which allows impersonators to send emails from valid-looking email accounts.
For example, getting an email from email@example.com is one type of domain abuse, also called as display name deception. Now imagine you get an email from firstname.lastname@example.org (0 instead of o). That is a look-alike domain, and it relies on your anxiety to respond quickly preventing you from noticing the slight change.
But the deadliest attack is when the exact domain is spoofed, i.e., you get an email from email@example.com without typos or similar domains, but rather the exact domain. This is much harder to detect.
So, how does a hacker use your domain so easily? The answer is DMARC. Or rather the lack of DMARC. If any tool exists today that can straight out prevent spoofed domains from sending emails on your behalf, it’s DMARC.
DMARC works with allied protocols of SPF and DKIM to ascertain whether an email really originated from the domain that it is claiming to be. DMARC and SPF records, along with DKIM settings, allow for stringent checks at the domain level. With these checks in place, fraudulent emails cannot pass through to the victim’s inbox, period.
If DMARC detects a discrepancy in a suspicious mail, it notifies the receiving mail server to send it to quarantine or outrightly reject it. This is determined by the DMARC policy for your domain.
Moreover, setting up DMARC for your domain also unlocks insightful reports and data on email traffic for your domain. With better visibility and control over your email sender domain, you can stop BEC attacks once and for all.
For additional resources, you can also read our guide on BEC prevention.