$2.4B reported lost to business email compromise
29% of all socially engineered attacks impersonate individuals
46% increase in impersonated internal automated systems
Recognizing Business Email Compromise
1. Conducts research on the target, their responsibilities, and the overall organization.
2. Sends a targeted email, often impersonating a known and trusted individual.
3. Engages with the victim with an increasing sense of urgency.
Detecting a BEC Attack
This email passed traditional threat intel and reputation checks, but is suspicious. Upon closer examination, we see that:
It appears to be sent by a known executive within the organization, but the email address is spoofed.
It includes a request, and the tone suggests urgency.
The victim is asked to respond via text message for further instructions, a common tactic in phishing scams.
Despite having no traditional indicators of compromise, Abnormal can determine that this email is malicious.
Detect Suspicious Language and Tone
This message from Michael Scott asks Pam if she is at her desk, with no added context.
Typical of phishing attacks, this message attempts to start a conversation with the victim, encouraging them to engage with their attacker for further instructions.
This message has no links or attachments to scan, but Abnormal recognizes that the language is typical of phishing attacks.
Inspect Email Headers to Expose Impersonators
Inspection of the email shows that it doesn’t come from the real dunder-mifflin.com domain name, but rather from a similar one that uses the number 1 in place of the letter l: dunder-miff1in.com.
By analyzing header information, Abnormal can determine that this email domain has been spoofed. It is attempting to trick users into believing that the email is legitimate, using a well-known trick of replacing letters in the original domain.
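The header check described above can be sketched as follows. This is an added example, not Abnormal's code or detection logic: the trusted-domain list, the substitution table, the function names, and the sample message (including its address local parts and subject) are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organization's own sending domains.
TRUSTED_DOMAINS = {"dunder-mifflin.com"}
# Constructed, non-exhaustive table of digit-for-letter swaps.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

# Constructed sample message modelled on the email described on this page.
SAMPLE = (
    "From: Michael Scott <michael.scott@dunder-miff1in.com>\n"
    "To: pam@dunder-mifflin.com\n"
    "Subject: Quick question\n"
    "\n"
    "Are you at your desk?\n"
)

def skeleton(domain):
    # Collapse visually similar characters and pairs into one canonical form.
    d = domain.lower().translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    # Classic Levenshtein distance, one row at a time.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(raw_message):
    # Returns (verdict, imitated_domain); imitated_domain is None unless lookalike.
    msg = message_from_string(raw_message)
    _display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return ("unparseable", None)
    if domain in TRUSTED_DOMAINS:
        return ("trusted", None)
    for good in TRUSTED_DOMAINS:
        # Same skeleton or a one-character typo: near miss of a trusted domain.
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= 1:
            return ("lookalike", good)
    return ("external", None)
```

A "trusted" verdict here only means the From domain matches exactly; whether the message really originated from that domain is a separate question answered by SPF, DKIM, and DMARC results.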
Understand Communication Patterns to Detect Suspicious Behavior
Michael does not typically email Pam at 8:03 am. And because he can see her desk from his own office, he’s never asked her if she’s at her desk.
Unlike secure email gateways, Abnormal uses natural language processing to understand people, their behavior, their communication patterns, and typical tone and content shared.
This understanding of known good behavior helps Abnormal flag suspicious behavior with a high degree of confidence.
Eliminate the Threat Before Unsuspecting Employees Are Scammed
Pam never sees the email, making it impossible for her to be scammed by the attackers impersonating Michael.
Because Abnormal understood that this email was not actually coming from Michael, the email was removed in milliseconds.
Pam never had the chance to open or respond to it, and was never aware of the threat.
With Abnormal, you can see who else was targeted by the same or a similar email as part of a broader attack campaign, and how those emails were remediated.