BEC: An Insight into a 43 Billion Dollar Problem
Abhishek Singh
Cisco Engineering Leader
• Holds 30+ patents on detection algorithms and security technologies; authored books in information security.
• Led research and detection engineering at FireEye, Microsoft and others before coming to Talos.
• 2019 Reboot Leadership Award (Innovators Category), SC Media; nominee for Virus Bulletin's 2018 Péter Szőr Award.
• MS in Computer Science and MS in Information Security from Georgia Tech, B.Tech. in EE from IIT-BHU, Engineering Leadership program from UC Berkeley.
Fahim Abbasi, Ph.D.
Sr. Research Scientist Engineer, Security Researcher
• Cisco Email Security technologies like CMD, ESA
• Detection algorithms: BEC, Phishing, Scams
• Based in Auckland, New Zealand
• Cybersecurity researcher and data science enthusiast with 10+ years of cybersecurity research experience
• Trustwave (Mailmarshal): Email, BEC, Phishing and Scams
• FireEye (NX): Malicious URL, Phishing
• Published several industry blogs, patents, and academic journal and conference papers
BEC Definition (FBI IC3 Internet Crime Report 2020)
BEC is a scam targeting businesses (not individuals) working with foreign suppliers and/or businesses regularly performing wire transfer payments. These sophisticated scams are carried out by fraudsters compromising email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.
Scale of the BEC Problem
• According to the FBI, such scams have led to losses of over USD 43 billion since 2013.
• $2.3 billion in losses in 2021 (FBI IC3 Internet Crime Report 2021).
• Threat actors have moved from malware to BEC.
• Attacks have surged since early 2020 (pandemic) and the move to remote work.
Flow of Presentation
1. Trends observed in BEC
2. Summarize trends
3. Approaches to detect BEC
BEC Trends based on O365 Email Telemetry, July 2021 – July 2022
BEC Email Domain
Domains used by BEC scammers to send out BEC emails. Free email providers top the charts, with Gmail.com leading with 86% of BEC scams seen in the last 12 months.
Top executive titles used by scammers in BEC emails (chart)
BEC non-executive titles impersonated (chart)
Top impersonated email usernames in BEC campaigns (chart)
Top BEC subjects (chart)
BEC message type, plain vs HTML, and encoding (chart)
Frequency of BEC scams by local time (chart)
Distribution showing the intent of the threat actor (chart)
Initial Lure
• Social engineering tactics such as authority, urgency and trust are used to lure victims with short messages that encourage a response.
• Subsequent messages build rapport with the victim.
• The victim is then exploited via a fund transfer.
Top phrases used in initial lure BEC emails (chart)
BEC Gift Card Scams
• Email request from management to purchase gift cards for a personal or business reason, with a promise of reimbursement.
• Why gift cards?
  • Easy to buy but hard to trace
  • No consumer protection
  • Used to purchase goods or converted to bitcoin
Types of gift cards requested most often by BEC attackers (chart)
BEC Payroll Scam: Your Salary is Mine!
• Scammers identify payroll/accounts staff, e.g., via LinkedIn.
• Payroll staff are targeted with the goal of changing the bank account to which an employee's salary is paid.
• Short emails are sent to the targets requesting a payroll change.
Top subjects and phrases used in payroll scams (chart)
Business Email Compromise
Broad term covering a wide variety of threats

Basic
• Simplistic
• Commonly gift card related
• Uses free email services
• No spoofing
• Most common
• Affects all verticals and business sizes

Intermediate
• More sophisticated
• Commonly asking for money directly
• Combination of free email and actor-owned domains
• Spoofing more common
• Uses the reply-to technique
• Tends to affect more medium to large sized businesses

Advanced
• Highest level of sophistication
• Uncommon
• Involves stolen credentials (phishing or other means)
• Emails originate from a compromised internal/trusted account
• Almost always involves money or wire transfers
• Substantial losses can occur
Stages of BEC Attacks in Email
1. Information gathering and recon: identify and study the target organization, e.g., company website, LinkedIn, etc.
2. Grooming / relationship building: groom the target using social engineering tactics like authority, urgency and trust. Impersonate and build rapport to lure and manipulate them.
3. Exploitation: instruct the victim to send money, gift cards or sensitive information to the attacker.
BEC Trends
• Exploitation emails have a sense of urgency in the subject and body of the email.
• Threat actors send the majority of BEC emails when the office is about to close and employees are leaving work.
• Engineers and Presidents are the most impersonated titles amongst non-executives and C-level executives respectively.
• Most emails are plain text with no encodings, even in display names.
Solutions to Detect BEC
1. Policy-based
2. Machine learning model to build a profile of executives
3. Algorithms to detect exploitation techniques
Approaches to Detect BEC: Policy-based approach
• Names of executives and the email addresses they use to send email are kept in a database.
• For every incoming email, a policy rule identifies messages whose "From" display name contains the name of a key executive and which originate from outside the tenant.
• If the message is not from the email address recorded in the database for that executive, a BEC alert is raised.
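The policy rule described above, as an added example in Python (not code from the deck or from Cisco). The executive directory, the tenant domain list and the From headers are constructed for illustration; the check uses only the standard library.

```python
"""Policy-based BEC rule: executive display-name impersonation from outside the tenant.

Added example, not code from the deck. The executive directory, the tenant
domains and the sample From headers are constructed for illustration."""
import re
from email.utils import parseaddr
from typing import Optional

# Constructed executive directory: name -> addresses that executive sends from.
EXECUTIVES = {
    "Jane Doe": {"jane.doe@example.com"},
    "John Smith": {"john.smith@example.com", "jsmith.personal@gmail.com"},
}
TENANT_DOMAINS = {"example.com"}  # constructed: the tenant's own domains


def name_tokens(name: str) -> set:
    """'Doe, Jane' and 'CEO Jane Doe' both yield tokens containing {'doe', 'jane'}."""
    return set(re.findall(r"[a-z]+", name.lower()))


def policy_check(from_header: str) -> Optional[dict]:
    """Apply the slide's rule to one From header.

    Alert when (1) the display name contains a key executive's name,
    (2) the sender address is outside the tenant, and (3) that address is
    not one the executive is known to use. Otherwise return None."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    if domain in TENANT_DOMAINS:
        return None  # internal mail is outside this policy's scope
    display_tokens = name_tokens(display)
    for exec_name, known_addrs in EXECUTIVES.items():
        if name_tokens(exec_name) <= display_tokens and addr not in known_addrs:
            return {"alert": "BEC", "impersonated": exec_name, "sender": addr}
    return None


if __name__ == "__main__":
    # Constructed headers: an impersonation, a legitimate internal send, and the
    # non-executive impersonation the rule cannot see (a false negative).
    for hdr in ("CEO Jane Doe <ceo.janedoe1@gmail.com>",
                '"Doe, Jane" <jane.doe@example.com>',
                "Bob Builder <bob.eng77@gmail.com>"):
        print(f"{hdr!r:45} -> {policy_check(hdr)}")
```

The third sample header shows the main weakness called out on the next slide: a scammer impersonating a non-executive produces no alert, because the rule only knows about the names in the directory.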
Pros of Policy-based solution

Cons of Policy-based solution
• BEC is not limited to impersonating C-level executives; a policy limited to executives leads to false negatives.
• Keeping a policy around the email address of every employee does not scale.
• Policy-based detection gives no view of the threat actor's intent.
ML Model to Build Profile of C-Level Executive and Detect BEC
• Machine learning algorithms build a profile using feature sets such as:
  • Writing style
    • Syntactic: adverb, adjective, tense features
    • Semantic: sentiment analysis
    • Subject: caps, letters
  • Activity-based: date, time, geolocation...
  • Relationship graph / Jaccard index: CC, BCC, Reply-To...
  • Network URLs
• In case of deviation from the profile, raise an alert.
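Two of the feature families above, the relationship graph (Jaccard index over recipients) and the activity-based send-hour feature, worked through as an added Python example. This is not the deck's model or any Cisco code; the executive's sending history and the candidate messages are constructed.

```python
"""Executive profile and deviation alert (added example, not the deck's model).

Implements two of the feature families listed on the slide with plain Python:
the relationship graph as a Jaccard index over recipient sets, and the
activity-based feature as the executive's usual sending hours. The sending
history and the candidate messages are constructed."""
from collections import Counter
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed history of mail sent from the executive's genuine account:
# (send time, set of To/CC recipients).
HISTORY: List[Tuple[datetime, Set[str]]] = [
    (datetime(2022, 3, 1, 9, 5), {"cfo@example.com", "ea@example.com"}),
    (datetime(2022, 3, 1, 14, 30), {"cfo@example.com", "legal@example.com"}),
    (datetime(2022, 3, 2, 10, 15), {"ea@example.com"}),
    (datetime(2022, 3, 3, 16, 45), {"cfo@example.com", "ea@example.com", "board@example.com"}),
    (datetime(2022, 3, 4, 11, 0), {"ea@example.com", "legal@example.com"}),
]


def jaccard(a: Set[str], b: Set[str]) -> float:
    union = a | b
    return len(a & b) / len(union) if union else 1.0


def build_profile(history) -> Dict[str, object]:
    """Profile = the recipient sets the executive has used + a send-hour histogram."""
    return {"recipient_sets": [r for _, r in history],
            "hours": Counter(ts.hour for ts, _ in history)}


def score_message(profile, sent_at: datetime, recipients: Set[str],
                  min_similarity: float = 0.25, hour_window: int = 2) -> Tuple[bool, List[str]]:
    """Return (is_anomaly, reasons).

    Relationship check: nearest-neighbour Jaccard similarity between the new
    recipient set and any historical recipient set. Activity check: whether
    the executive has ever sent mail within +/- hour_window of this hour."""
    reasons = []
    best = max(jaccard(recipients, r) for r in profile["recipient_sets"])
    if best < min_similarity:
        reasons.append(f"recipients unseen in relationship graph (max Jaccard {best:.2f})")
    seen_near = sum(n for h, n in profile["hours"].items() if abs(h - sent_at.hour) <= hour_window)
    if seen_near == 0:
        reasons.append(f"send hour {sent_at.hour:02d}:00 outside usual activity")
    return bool(reasons), reasons


if __name__ == "__main__":
    profile = build_profile(HISTORY)
    # Constructed candidates: a normal message and a late-night payroll request.
    print(score_message(profile, datetime(2022, 3, 7, 10, 0), {"cfo@example.com"}))
    print(score_message(profile, datetime(2022, 3, 7, 23, 30), {"payroll@example.com"}))
```

The five-message history is only there to make the arithmetic visible; the slide's limitation applies directly to this code, since the profile has to be learned from real traffic before it can flag anything, and it says nothing about what the anomalous message is trying to achieve.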
Limitations of the approach
• The model requires a data set for training and testing from real traffic, opening a window of opportunity for exploitation.
• Building models only to detect threat actors impersonating executives limits the scope; scaling it to a larger company could be a challenge.
• The output for an email will lack context: phishing, BEC initial lure, exploitation stage...
Detecting Exploitation Techniques
Emails purporting to come from employees will show anomalies such as:
• Attacker-controlled look-alike domain:
  • Brand name embedded with a hyphen ('-')
  • Brand name homograph
  • Misspelled brand name
  • Brand name embedded in a subdomain
  • Brand name registered under an uncommon generic top-level domain
• Difference between "From" and "Reply-To"
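The anomaly list above turned into checks, as an added Python example (not the Talos detector). The protected brand name, the tenant domains, the set of "common" TLDs, the confusable-character map and the sample headers are all constructed; a deployment would take the brand list from the tenant and the confusables from the Unicode confusables table.

```python
"""Look-alike sender checks (added example, not the Talos detector).

Flags the anomalies listed on the slide for a message whose From/Reply-To
headers are given as strings. The protected brand, the tenant domain list,
the "common TLD" set, the confusable map and the sample headers are constructed."""
import unicodedata
from email.utils import parseaddr
from typing import List

BRAND = "example"                                  # constructed: protected brand/org name
TENANT_DOMAINS = {"example.com"}                   # constructed
COMMON_TLDS = {"com", "net", "org", "edu", "gov"}  # constructed for illustration
# Minimal map of Cyrillic look-alikes to Latin letters; a real deployment would
# use the full Unicode confusables table.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u0455": "s"}


def skeleton(label: str) -> str:
    """Map a label to its Latin 'skeleton' so homographs compare equal to the brand."""
    s = unicodedata.normalize("NFKC", label.lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used for the misspelled-brand check."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_anomalies(domain: str) -> List[str]:
    """Return the look-alike techniques a sender domain exhibits (empty if none)."""
    domain = domain.lower().rstrip(".")
    if domain in TENANT_DOMAINS:
        return []
    labels = domain.split(".")
    tld = labels[-1]
    sld = labels[-2] if len(labels) >= 2 else ""   # registrable label, e.g. 'example-payments'
    subs = labels[:-2]                              # everything left of the registrable label
    findings = []
    if "-" in sld and BRAND in sld.split("-"):
        findings.append("brand embedded with hyphen")
    if sld != BRAND and skeleton(sld) == BRAND:
        findings.append("brand homograph")
    if sld != BRAND and sld.isascii() and 0 < edit_distance(sld, BRAND) <= 2:
        findings.append("misspelled brand")
    if any(BRAND in s for s in subs):
        findings.append("brand in subdomain")
    if sld == BRAND and tld not in COMMON_TLDS:
        findings.append("brand on uncommon TLD")
    return findings


def header_anomalies(from_header: str, reply_to_header: str = "") -> List[str]:
    """Domain checks on From, plus the From/Reply-To mismatch check."""
    _, from_addr = parseaddr(from_header)
    findings = domain_anomalies(from_addr.rpartition("@")[2])
    if reply_to_header:
        _, rt_addr = parseaddr(reply_to_header)
        if rt_addr and rt_addr.lower() != from_addr.lower():
            findings.append("From/Reply-To mismatch")
    return findings


if __name__ == "__main__":
    # Constructed senders: one per technique, plus a plain Gmail sender that none of
    # these checks can flag (the 'Basic' BEC tier).
    for d in ("example-payments.com", "ex\u0430mple.com", "examp1e.com",
              "example.mail-relay.net", "example.xyz", "gmail.com"):
        print(f"{d:25} {domain_anomalies(d)}")
    print(header_anomalies('"Jane Doe" <jane@example-payments.com>', "jane.doe.ceo@gmail.com"))
```

The last sample domain is the point of the next slide: a free-mail sender or a compromised internal account exhibits none of these anomalies, so this approach alone misses the most common and the most damaging tiers.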
Limitation of the Approach
• Detection lacks the intent of the threat actor.
• BEC scams using email account compromise will evade detection.
Recommended Solution
Intent-based detection: breaks BEC detection into two distinct problems.
• Detect BEC: binary classification problem
• Classify BEC into types of scam reflecting the intent of the threat actor: multi-class problem
  • Payroll scam
  • Money transfer scam
  • Initial lure scam
  • Gift card scam
  • Invoice scam
  • Acquisition scam
  • W2 scam
  • Aging report scam
BEC Classifier: Methodology
BEC classifier: binary classifier to classify an email as BEC or benign.
• Text extractor
  • Extract text from the text/plain and text/html sections of the email
• Text vectorizer
  • Convert sentences to numeric vectors used as the feature set
  • Encode the meaning of the words in the sentences (word embeddings)
  • Use NNLM or BERT as the vectorization method and for classification
• Classification
  • Probability prediction with a supervised learning model
  • Result is a probability score
  • Apply a threshold for high-confidence detection
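The two-stage pipeline of the Recommended Solution slide (binary BEC detection, then scam type) built on the methodology above, as an added Python example; it is not the Talos model. The text extractor walks the text/plain and text/html parts with the standard library. In place of NNLM/BERT embeddings, which need model downloads, the vectorizer is plain word counts and the supervised model is a multinomial naive Bayes written inline, so the block runs offline; the training corpora and the sample message are constructed and far too small for real use, and only three of the slide's intent classes are trained.

```python
"""Intent-based BEC pipeline: text extraction, binary BEC detection, then scam-type
classification (added example, not the Talos model). Word counts + multinomial
naive Bayes stand in for NNLM/BERT; corpora and sample message are constructed."""
import email
import math
import re
from collections import Counter
from html.parser import HTMLParser
from typing import Dict, List, Tuple


class _Text(HTMLParser):  # collect text nodes so HTML parts contribute words, not tags
    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)


def extract_text(raw: str) -> str:
    """Text extractor: concatenate decoded text/plain and text/html parts."""
    out = []
    for part in email.message_from_string(raw).walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            if ctype == "text/html":
                p = _Text()
                p.feed(body)
                body = " ".join(p.chunks)
            out.append(body)
    return " ".join(out)


def tokens(text: str) -> List[str]:
    return re.findall(r"[a-z']+", text.lower())


class NaiveBayes:
    """Multinomial NB over word counts with Laplace smoothing: the slide's
    'vectorizer + supervised model', minus the embeddings."""
    def fit(self, docs: List[Tuple[str, str]]) -> "NaiveBayes":
        labels = Counter(label for _, label in docs)
        self.prior = {l: n / len(docs) for l, n in labels.items()}
        self.counts = {l: Counter() for l in labels}
        for text, label in docs:
            self.counts[label].update(tokens(text))
        self.vocab = set().union(*self.counts.values())
        return self

    def predict_proba(self, text: str) -> Dict[str, float]:
        toks = [t for t in tokens(text) if t in self.vocab]
        logp = {}
        for l, prior in self.prior.items():
            denom = sum(self.counts[l].values()) + len(self.vocab)
            logp[l] = math.log(prior) + sum(math.log((self.counts[l][t] + 1) / denom) for t in toks)
        top = max(logp.values())
        z = sum(math.exp(v - top) for v in logp.values())
        return {l: math.exp(v - top) / z for l, v in logp.items()}


# Constructed training data (real models need thousands of labelled messages).
BEC_MODEL = NaiveBayes().fit([
    ("are you available i need a quick favor let me know", "bec"),
    ("i need you to purchase gift cards today keep it confidential", "bec"),
    ("please update my direct deposit account before the next payroll run", "bec"),
    ("attached is the agenda for the sprint review meeting on thursday", "benign"),
    ("the quarterly report draft is in the shared folder for comments", "benign"),
    ("can you review the pull request when you get a chance thanks", "benign"),
])
INTENT_MODEL = NaiveBayes().fit([
    ("are you available i need a quick favor let me know", "initial lure"),
    ("are you at your desk i need something done quickly", "initial lure"),
    ("purchase gift cards scratch the back and send me the codes", "gift card"),
    ("i need you to buy apple gift cards for the team", "gift card"),
    ("update my direct deposit account before the next payroll run", "payroll"),
    ("i changed banks please change my payroll account details", "payroll"),
])


def classify(raw_message: str, threshold: float = 0.8) -> Dict[str, object]:
    """Stage 1: P(BEC) with a high-confidence threshold. Stage 2 (BEC only): the
    scam type, i.e. the threat actor's intent."""
    text = extract_text(raw_message)
    p_bec = BEC_MODEL.predict_proba(text).get("bec", 0.0)
    intent = None
    if p_bec >= threshold:
        probs = INTENT_MODEL.predict_proba(text)
        intent = max(probs, key=probs.get)
    return {"p_bec": round(p_bec, 3), "is_bec": p_bec >= threshold, "intent": intent}


# Constructed multipart/alternative sample; both parts are extracted.
SAMPLE = """From: "Jane Doe" <ceo.janedoe@gmail.com>
Subject: Quick favor
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Are you available? I need a quick favor.
--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Are you available? I need a <b>quick favor</b>. Let me know.</p></body></html>
--b1--
"""

if __name__ == "__main__":
    print(classify(SAMPLE))
```

Nothing in `classify` looks at the From, Reply-To or sending domain, which is what lets the same pipeline fire on a lure sent from a compromised internal account; the intent label is what tells the responder whether they are looking at an initial lure or at a payroll change already in progress.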
Why Intent-Based Detection
• Detects BEC exploitation without relying on sender information.
• Helps identify which segment of a company is being targeted, such as the payroll department, invoice payment, etc.
• Insight into the victims that a threat actor is impersonating in an organization.
• Insight into the stage at which the exploitation attempt is detected: detection at the initial lure is always better than detecting the threat actor's fraudulent bank account.
Comparison of Different Approaches
Columns: Detect | Classify | Detect BEC emails targeted at non-executives | False positives in BEC detection & classification | Insight into exploitation stage

Exploitation techniques:                                       Yes | No  | Yes | Yes | No
Approaches around executives (policy, ML profile model):       Yes | No  | No  | No  | No
BEC detect and classify:                                       Yes | Yes | Yes | No  | Yes
Acknowledgement
We would like to express our gratitude and thanks to our colleagues Sachin Shukla and Ankit Tater for helping to generate statistics, and Nick Biasini for review and feedback.
@talossecurity
blog.talosintelligence.com

Source deck: Black Hat.pdf
