Cyber criminals are increasingly utilizing social engineering and deception to successfully conduct wire fraud and extract sensitive information from their targets. Spear phishing, also known as Business Email Compromise, is a cyber fraud where the attacker impersonates an employee and/or a system of the company by sending emails from a known or trusted sender in order to induce targeted individuals to wire money or reveal confidential information, is rapidly becoming the most devastating new cybersecurity threat. The attackers frequently embed personalized information in their electronic messages including names, emails, and signatures of individuals within a protected network to obtain funds, credentials, wire transfers and other sensitive information. Countless organizations and individuals have fallen prey, sending wire transfers and sensitive customer and employee information to attackers impersonating, e.g., their CEO, boss, or trusted colleagues. Note that such impersonation attacks do not always have to impersonate individuals, they can also impersonate a system or component that can send or receive electronic messages. For a non-limiting example, a networked printer on a company's internal network has been used by the so-called printer repo scam to initiate impersonation attacks against individuals of the company.
One specific type of attacks, email account takeover, where an attacker steals credentials of an email account and uses the email account to attack accounts of other internal and/or external users, has been on the rise. According to a recent report issued by FBI, over $12 billion worth of assets have been lost due to business email account takeover and compromise incidents. Existing email security solutions, however, are ineffective at detecting these attacks because the emails launched from the compromised accounts come from a legitimate sender, and therefore headers of the emails contain no malicious signals. Even worse, traditional email security solutions are typically located at the gateway or firewall to the internal network, e.g., they reside between the external network and the organization's email server, and thus cannot monitor or stop internal emails. An efficient approach to deal with email account takeover attacks is needed.
The foregoing examples of the related art and limitations related therewith are intended to be illustrative and not exclusive. Other limitations of the related art will become apparent upon a reading of the specification and a study of the drawings.