In today's world, electronic communications, such as email messages, are used to conduct business transactions every day. These electronic communications have become an accepted and adopted method for performing critical and trusted transactions such as, for example, facilitating the setup of payments, facilitation of sensitive data transfers, contracts negotiations, intellectual property research and development and business planning and strategy. This increase in the reliance on electronic communications as a mechanism to facilitate money transfers, however, has led to a dramatic rise in criminals and insiders taking advantage of the implicit trust that exists in our social networks today.
As known, there are a number of different types of attacks on businesses to try to fraudulently obtain information and/or money.
Criminals routinely trick people into communicating with another outside party who is privy to the conversations and social relationships that exist in a corporate environment. Here, the external criminal enters into an in-progress communication, or starts a new conversation with some context of the social relationship, in order to convince the person inside the target company to take an action that will benefit the criminal. This could be a wire transfer or to change a bank account number on a pending payment.
Attackers analyze organizations to identify users who process financial routing instructions to facilitate payments as part of their positions, e.g., CFOs or those working in accounts payable, accounts receivable, procurement, etc. Attackers “phish” these users to infect their computers with malware, in some cases to gain access to their email inbox, to identify in progress financial transactions.
Once attackers have the transactions identified, the criminals will create “similar” email addresses and domains in an attempt to fool their targets. For example, where the actual email address is: jim.weeble@hesiercorp.com, the fake email is presented as: jim.weeble@heseircorp.com. (Note the transposed letters in the latter domain name.)
After the domains are created, the criminal will set up rules to auto-forward the real email address to the fake email address to intercept any real communications.
The fake user will then “proxy” the communications from the real user through the fake email address but will change the payment instructions when the time comes for a funds transfer.
There are also different known scams including “The Bogus Invoice Scheme,” “The Supplier Swindle,” and “The Invoice Modification Scheme,” where a business, which often has a long standing relationship with a supplier, is asked to wire funds for invoice payment to an alternate, fraudulent account.
There are also the “CEO,” “Business Executive Scam,” “Masquerading,” and “Financial Industry Wire” frauds where e-mail accounts of high-level business executives, e.g., CFO, CTO, etc., are compromised. A request for a wire transfer from the compromised account is made to a second employee within the company who is normally responsible for processing these requests. In some instances, a request for a wire transfer from the compromised account is sent directly to the financial institution with instructions to urgently send funds to bank “X” for reason “Y.”
There are also threats from insider malfeasance where individuals may become “privy” to communications and business related activity regarding information such as, for example, but not limited to, competitive intelligence and intellectual property, that could be leveraged through an external relationship. As a result, electronic communications may be used to pass along this information to outsiders for misuse.
Known approaches to preventing or detecting these problems, however, have gaps that make them inadequate for the task of securing financial, and other, resources. While keywords (financial triggers) can be detected, known approaches cannot detect historical activity in context with requests being made. While some approaches may quarantine email with spam detection engines, attackers may own the DNS domain being used and can set up SPF, DMARC and DKIM records coinciding with their domain to make them appear to be legitimate.
Users can be educated and trained to look for odd context, out of place activity or dis-similar email addresses. Fraudsters, however, may have access to a user's inbox giving them extensive knowledge of past activity to socially engineer the target or victim.
Spam engines may stop some of the phishing email from making it to the user. An attacker, however, may control the user's inbox allowing them to send and receive messages to train the spam engine so the emails are perceived as being valid.
What is needed is a better way to prevent fraudulent email communications from making their way through to a user.