Symantec Email Security Community

Worried About Business Email Compromise? Lacking Visibility into Advanced Attacks? Look No Further 

Jul 24, 2017 07:31 PM

Business Email Compromise scams are the latest email attacks threatening organizations around the world. Also known as “whaling” or “CEO fraud”, Business Email Compromise attacks are highly targeted emails crafted by scammers who use social engineering, impersonating senior executives and making urgent requests, to trick employees into carrying out large wire transfers or sending over sensitive information.

These attacks have skyrocketed, with a staggering 2400% increase over the last three years, as they’ve proven lucrative to cybercriminals with potential losses of more than $5 billion from businesses through Business Email Compromise fraud. Organizations have lost millions, seen their stock prices plummet, or even fired their CEO as a result of falling for these schemes.

Even though these low-tech scams are fairly simple, businesses are having a hard time stopping them. Business Email Compromise attacks typically lack a malicious link or attachment (see Figure 1), the hallmarks of most email-borne threats. Many businesses try to use sender authentication such as DKIM, SPF, or DMARC to address Business Email Compromise attacks, but this approach is insufficient since many attacks disguise themselves by using cousin domains to impersonate legitimate email domains or by using free email providers such as Gmail or Yahoo to evade detection. 

Figure 1: A typical Business Email Compromise scam

Responding to Sophisticated Attacks Requires Advanced Analytics

Business Email Compromise is just one of the advanced email threats targeting organizations. Email is the #1 threat vector for ransomware, and spear phishing attacks are on the rise. Addressing these advanced attacks requires deep visibility and advanced analytics, especially as these attacks become increasingly sophisticated. For instance, if a threat gets through email defenses, security teams need to know if an attack is targeted and if so, where it is coming from. In addition, they must know which users within their organization are being targeted and if other security tools in their environment were able to stop the attack. Finally, they need to know what tactics, techniques, and procedures (TTPs) as well as attack artifacts were used by the adversary.

Traditional email security solutions lack this visibility since these solutions provide only basic telemetry and ignore the advanced analytics needed to uncover and respond to advanced attacks. For instance, traditional email security solutions will tell you they blocked a threat, but they won’t reveal the type of threat or how they detected the attack (see Figure 2). Most importantly, traditional email security solutions expose intelligence on just malicious emails, which gives only a partial view into the threat landscape. These solutions lack insights into clean emails, which are needed to get a complete understanding of the threat landscape. For instance, visibility into clean emails can help you discover a dangerous threat you originally considered clean or find a benign email sent by an attacker who’s about to send a series of malicious emails via a targeted attack campaign. 

Figure 2: Differences between basic and advanced email analytics

Announcing a comprehensive approach to Business Email Compromise

We’re dedicated to continuously strengthening and enhancing our solution with new functionality that addresses customer needs, for a comprehensive approach to email security. As a result, we’re excited to announce new impersonation controls and advanced email security analytics that now include insights into both clean and malicious emails! These capabilities, which will be available as part of the Symantec Cloud Email Security solution, enable Symantec to provide the strongest protection from Business Email Compromise fraud and the deepest visibility into targeted & advanced email attacks.

We’re introducing new, automated impersonation controls to protect organizations from Business Email Compromise, spear phishing, and other spoofing threats by stopping attacks that masquerade as a user or domain in your organization. These policies detect Business Email Compromise scams by identifying attacks posing as a specific user or spoofing a legitimate email domain used by your business. This includes protection for specific senior executives or certain email domains and the ability to whitelist users, domains, and IP addresses trusted by your organization. In addition, this includes visibility into Business Email Compromise attacks with detailed reporting. These capabilities are available today in the Symantec Cloud Email Security solution. Please see the above video for more information on our new impersonation controls.
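The checks described above (a protected executive's name, a lookalike of the organization's domain, and an allow list) can be sketched as follows. This is an added example, not Symantec's implementation; the domains, names, allow-list entry and two-edit threshold are constructed assumptions. It also shows why SPF, DKIM and DMARC alone do not help: a cousin domain or a free-mail account can pass authentication for its own domain.

```python
from email.utils import parseaddr

# Constructed policy for illustration (hypothetical names and domains).
ORG_DOMAINS = {"example.com"}
PROTECTED_NAMES = {"jane doe"}                 # senior executives to protect
FREE_PROVIDERS = {"gmail.com", "yahoo.com"}
ALLOWLIST = {"jane.doe.personal@gmail.com"}    # sender trusted by the organization
MAX_EDITS = 2                                  # assumed lookalike threshold


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(from_header):
    """Return an impersonation verdict for one From: header value."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    name = " ".join(name.lower().split())      # normalize case and spacing
    domain = addr.rpartition("@")[2]
    if addr in ALLOWLIST:
        return "allowlisted"
    if domain in ORG_DOMAINS:
        # Exact-domain spoofing is what SPF/DKIM/DMARC are for; not judged here.
        return "internal"
    if any(edit_distance(domain, d) <= MAX_EDITS for d in ORG_DOMAINS):
        return "cousin-domain"
    if name in PROTECTED_NAMES:
        if domain in FREE_PROVIDERS:
            return "free-provider-impersonation"
        return "display-name-impersonation"
    return "no-match"


# Constructed sample headers.
SAMPLES = [
    "Jane Doe <jane.doe@example.com>",
    "Jane Doe <jane.doe@examp1e.com>",
    "Jane Doe <ceo.office@gmail.com>",
    "Jane Doe <jane.doe.personal@gmail.com>",
    "Bob Smith <bob@partner.org>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify(header):30} {header}")
```

A short threshold like this produces false positives on short domains, which is why the allow list is checked first.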

Introducing the deepest visibility into advanced attacks

In addition to these new controls, Symantec is extending our advanced email security analytics on malicious emails to clean emails scanned by Symantec Cloud Email Security. These analytics accelerate your response to targeted & advanced attacks by providing more visibility than ever into email threats. This includes more Indicators of Compromise than any other vendor with 60+ data points such as URLs, file hashes, and targeted attack information on both clean and malicious emails. Moreover, this includes visibility on phishing, ransomware, and Business Email Compromise attacks with data such as email domains, attachment information, and email headers. We even offer sandboxing information such as behavior indicators, network communication, and detailed execution analysis! 

You can use this data to quickly correlate and respond to threats by exporting it to your SOC via integration with third-party SIEMs and other security solutions such as Symantec Advanced Threat Protection and Symantec Managed Security Services. In addition, clean email data makes it easier to identify patterns in threats, as attackers often use benign emails as a pretext for future email campaigns. This new intelligence also helps security teams hunt down stealthy email attacks that are able to evade detection.

In addition to automated impersonation controls and advanced email security analytics, we’re pleased to announce the following new capabilities in the Symantec Cloud Email Security solution:

  • Splunk App for Symantec Advanced Threat Protection for Email enables easy correlation and response to email threats with a free Splunk application, which allows you to export email threat intelligence directly to Splunk. This provides deep visibility into the threat landscape with data points such as malicious URLs and file hashes as well as information such as high risk users, a geographical view of incoming attacks, and a weekly view of email malware. 
  • Integration with Symantec Managed Security Services speeds detection and response of targeted & advanced threats by allowing Symantec Managed Security Services to monitor Symantec Cloud Email Security logs via a granular, API-driven feed. 

To learn more about these new capabilities and see them in action, join our webcast on August 30!

Follow us on Twitter: @SymantecEmail

Join the Symantec Email Security Community


Comments

Jul 26, 2017 10:25 AM

Are we planning to build this into the SMG solution?
