GF 02 720x478 2x

Stop Business Email Compromise

Keep costly and convincing BEC attacks from landing in user inboxes.

Get Our CISO Guide to Business Email Compromise

$2.4B

reported lost to business email compromise

Source: FBI Internet Crime Report, 2021

29%

of all socially-engineered attacks impersonate individuals

Source: Abnormal Security, 2021

46%

increase in impersonated internal automated systems

Source: Abnormal Security, 2021

Recognizing Business Email Compromise

In this type of socially engineered scam, an attacker sends an email that impersonates a trusted source — a vendor or company CEO, for example — to trick employees into sharing sensitive information, sending money, or installing malware. In these attacks, the threat actor:

1.

Conducts research on the target, their responsibilities, and the overall organization.

2.

Sends a targeted email, often impersonating a known and trusted individual.

3.

Engages with the victim with an increasing sense of urgency.

4.

Convinces victim to send funds, provide access to information, or submit credentials.

suspicious email with urgent request from unusual sender

Detecting a BEC Attack

This email passed traditional threat intel and reputation checks, but is suspicious. Upon closer examination, we see that:

  • It appears to be sent by a known executive within the organization, but the email address is spoofed

  • It includes a request and the tone suggests urgency

  • The victim is asked to respond back via text message for further instructions, a common tactic in phishing scams

Despite having no traditional indicators of compromise, Abnormal can determine that this email is malicious.

Stop BEC Scams That Bypass Secure Email Gateways

detecting a sample email with suspicious language

Detect Suspicious Language and Tone

This message from Michael Scott asks Pam if she is at her desk, with no added context.

Typical of phishing attacks, this message attempts to start a conversation with the victim, encouraging them to engage with their attacker for further instructions.

This message has no links or attachments to scan, but Abnormal recognizes that the language is typical of phishing attacks.

inspecting email headers to spot impersonation

Inspect Email Headers to Expose Impersonators

Inspection of the email shows that it doesn’t come from the real dunder-mifflin.com domain name, but rather from a similar one that uses the number 1 in place of the l: dunder-miff1in.com.

By analyzing header information, Abnormal can determine that this email domain has been spoofed. It is attempting to trick users into believing that the email is legitimate, using a well-known trick of replacing letters in the original domain.

analyzing sample email communication pattern for suspicious behavior

Understand Communication Patterns to Detect Suspicious Behavior

Michael does not typically email Pam at 8:03 am. And because he can see her desk from his own office, he’s never asked her if she’s at her desk.

Unlike secure email gateways, Abnormal uses natural language processing to understand people, their behavior, their communication patterns, and typical tone and content shared.

This understanding of known good behavior helps Abnormal flag suspicious behavior with a high degree of confidence.

automatic remediation of suspicious email

Eliminate the Threat Before Unsuspecting Employees Are Scammed

Pam never sees the email, making it impossible for her to be scammed by the attackers impersonating Michael.

Because Abnormal understood that this email was not actually coming from Michael, the email was removed in milliseconds.

Pam never had the chance to open or respond to it, and was never aware of the threat.

With Abnormal, you can see who else was targeted by the same or a similar email as part of a broader attack campaign, and how those emails were remediated.


Trusted by Global Enterprises

HOMEPAGE DEMO 630 X480

Prevent the Attacks That Matter Most

See a Demo

Related Resources