The Evolution of the Business Email Compromise

Over the past 48 hours, we have been tracking a significant uptick in a markedly more sophisticated version of the business email compromise attack that has been making the news of late. Across a number of our clients, the GreatHorn platform has directly identified and interrupted these attacks, and in this post we’re going to take a look at how these emails are being constructed and how to protect yourself.

Understanding The Multi-Stage Business Email Compromise

The classic “business email compromise” attack relied on three things:

  • Impersonation of a senior executive, via email
  • Delivery to an individual with access to financial or data resources
  • A direct call to action, such as, “please wire money to this account”, with a routing number included

Recently, however, we’re seeing a modification to the third point. Specifically, the impersonated email does not ask for a wire transfer directly; instead, it communicates that a confidential deal is underway and that the recipient should expect a call from the organization’s outside counsel:


This is an example of the kind of message that we’re seeing. We’ve changed the sender and recipient to our own domain for the purposes of this blog, but the message is otherwise the same as a real attack.

Note that this message was entirely fraudulent: it was sent via a custom Python script that exploits the core weakness of SMTP, which performs no sender authentication on its own, to deliver an email to an individual inside our company as though it came from me.

There are three major variants of this attack:

  • For domains without strong mail authentication enabled (no SPF, DKIM, or DMARC), messages can be sent that directly spoof the sender’s From: and Return-Path: fields; since the actual attack will come via a phone call, the attacker doesn’t need to intercept a reply.
  • Alternatively, for domains with SPF and DKIM enabled but not DMARC, a seemingly valid third-party domain is set up (“” is an example here) and used as the Return-Path, while the From: header still shows the impersonated executive. The attack message passes SPF, because SPF is evaluated against the Return-Path (envelope sender) domain rather than the From: header, and without a DMARC policy nothing requires the SPF-authenticated domain to align with the From: domain. The message simply carries no DKIM signature, so nothing fails and it is delivered.
  • Finally, and most significantly, even for domains with DMARC enabled, a look-alike domain, such as “” vs “”, is used to deliver the message; this secondary domain often has valid SPF, DKIM, and DMARC of its own, so the message authenticates cleanly and delivery is ensured.

There’s no obvious indicator that this is a business email compromise attack, but GreatHorn picks it up immediately:


In this example, the GreatHorn Email Security Platform is calling out three items that are otherwise invisible to the recipient:

  • The Sender Anomaly Score is “critical”, because [email protected] never emails from this IP address; this score is drawn from GreatHorn’s proprietary, patent-pending detection and analysis system, built on enterprise-grade security data that no other organization has access to
  • The Authenticity Risk score is low-moderate, because there is no DKIM signature here; under normal circumstances we would expect one to be present (hence the “highly unusual” designator)
  • The Return Path Sender Score for the originating domain is 79, indicating risk in the email’s sending IP and domain, something the recipient has no way to ascertain on their own

At a glance, through this detail, an information security team can identify that this message represents a sophisticated attack, and since the “payload” will come via a phone call, detecting and alerting on this in real time is essential.
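The identifier-alignment logic that separates the three delivery variants above, as an added example (not part of the original post and not GreatHorn’s code). It assumes the receiving mail server has already evaluated SPF and DKIM and recorded the verdicts in an Authentication-Results header; the code only checks whether those authenticated domains align with the From: domain, which is exactly what DMARC adds on top of SPF and DKIM. The domain example.com, the sample headers, and the last-two-labels approximation of the organizational domain are all assumptions.

```python
"""Identifier-alignment check for the three BEC delivery variants.

Added example, not GreatHorn's code. Assumes the receiving MTA already evaluated
SPF and DKIM and wrote the verdicts into an Authentication-Results header
(RFC 8601). The organizational domain is approximated as the last two labels;
a production implementation would consult the Public Suffix List.
"""
import re
from email import message_from_string
from email.utils import parseaddr

PROTECTED_DOMAINS = {"example.com"}  # assumed: the domains our organization owns


def org_domain(domain):
    """Approximate organizational domain: 'mail.example.com' -> 'example.com'."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain):
    """DMARC relaxed alignment: the organizational domains must match."""
    return bool(auth_domain and from_domain) and org_domain(auth_domain) == org_domain(from_domain)


def parse_auth_results(value):
    """Pull the spf/dkim verdicts and the identifiers they were evaluated against out of
    a value such as 'mx.example.com; spf=pass smtp.mailfrom=x@bulk.example.net; dkim=pass header.d=example.net'."""
    value = value or ""
    spf = re.search(r"spf=(\w+)(?:[^;]*?smtp\.mailfrom=([\w.@-]+))?", value)
    dkim = re.search(r"dkim=(\w+)(?:[^;]*?header\.d=([\w.-]+))?", value)
    spf_domain = spf.group(2).rpartition("@")[2] if spf and spf.group(2) else None
    return (
        spf.group(1) if spf else "none", spf_domain,
        dkim.group(1) if dkim else "none", dkim.group(2) if dkim else None,
    )


def classify(raw_message):
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    spf_result, spf_domain, dkim_result, dkim_domain = parse_auth_results(msg.get("Authentication-Results"))
    spf_domain = spf_domain or rp_domain  # SPF is evaluated on the envelope sender, never on From:

    spf_aligned = spf_result == "pass" and aligned(spf_domain, from_domain)
    dkim_aligned = dkim_result == "pass" and aligned(dkim_domain, from_domain)
    dmarc_pass = spf_aligned or dkim_aligned
    claims_our_domain = org_domain(from_domain) in PROTECTED_DOMAINS

    if claims_our_domain:
        if dmarc_pass:
            return "aligned"                      # genuine mail for one of our domains
        if spf_result == "pass":
            return "variant2-spf-pass-unaligned"  # SPF passed, but for the attacker's Return-Path domain
        return "variant1-direct-spoof"            # From: and Return-Path both forged, nothing passes
    if dmarc_pass:
        # Variant 3 lands here: a look-alike domain with its own valid SPF/DKIM/DMARC is
        # indistinguishable from any other legitimate external sender by alignment alone.
        return "authenticated-external"
    return "unauthenticated-external"


# Constructed sample headers (bodies trimmed), one per variant plus a genuine message.
SAMPLES = {
    "variant1": "\n".join([
        'From: "Kevin" <kevin@example.com>',
        "Return-Path: <kevin@example.com>",
        "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=kevin@example.com; dkim=none",
        "", "Expect a call from outside counsel today.",
    ]),
    "variant2": "\n".join([
        'From: "Kevin" <kevin@example.com>',
        "Return-Path: <bounce@attacker-bounce.net>",
        "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bounce@attacker-bounce.net; dkim=none",
        "", "Expect a call from outside counsel today.",
    ]),
    "variant3": "\n".join([
        'From: "Kevin" <kevin@examp1e.com>',
        "Return-Path: <kevin@examp1e.com>",
        "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=kevin@examp1e.com; dkim=pass header.d=examp1e.com",
        "", "Expect a call from outside counsel today.",
    ]),
    "legitimate": "\n".join([
        'From: "Kevin" <kevin@example.com>',
        "Return-Path: <bounces@mail.example.com>",
        "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bounces@mail.example.com; dkim=pass header.d=example.com",
        "", "Quarterly numbers attached.",
    ]),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:>10}: {classify(raw)}")
```

The third sample is the point of the post: every check passes, so a look-alike domain has to be caught by comparing the sender domain against the domains you own, not by authentication results.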

How to Defend your Organization

We have three specific suggestions for protecting against this kind of attack:

  • Set up SPF and DKIM, and ensure that all of your (valid) mail is at least being signed properly
  • Enable a realtime, post-delivery security platform that can complement your email provider and/or email gateway
  • Implement strong authentication and DMARC across all of the domains you own, blocking direct spoofing
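An added illustration of the first and third recommendations (not part of the original post): the DNS records a domain owner publishes, showing the monitoring-only DMARC policy beside the enforcing one. The domain, selector, report address, and include are assumptions; publish only one of the two _dmarc records.

```dns
; SPF: authorize only the hosts that send for example.com. "-all" hard-fails everyone else;
; a "~all" soft-fail merely tags unlisted senders and is what many domains still publish.
example.com.                IN TXT "v=spf1 mx include:_spf.google.com -all"

; DKIM public key for selector "s1" (the private key lives on the signing MTA; value truncated here).
s1._domainkey.example.com.  IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."

; DMARC, monitoring only: spoofed mail is still delivered, but you receive aggregate reports.
_dmarc.example.com.         IN TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

; DMARC, enforcing: receivers reject mail that fails both aligned SPF and aligned DKIM,
; for the organizational domain (p=) and its subdomains (sp=), using relaxed alignment.
_dmarc.example.com.         IN TXT "v=DMARC1; p=reject; sp=reject; adkim=r; aspf=r; pct=100; rua=mailto:dmarc-reports@example.com"
```

Move from p=none to p=reject only after the aggregate reports show that every legitimate sender (marketing tools, ticketing systems, payroll providers) is covered by SPF or signs with DKIM; otherwise enforcement rejects your own mail along with the spoofed mail.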

With over $2.3b in financial loss over the past 18 months alone related to this kind of attack, the only option you can’t afford is to do nothing. Across the GreatHorn customer base, we’re seeing a dramatic increase in the number and sophistication of business email compromise, spear phishing, and whaling attacks — the examples above representing only the latest variant of an ever-changing set of threats.

We’d love to hear from you, and if you’re ready to protect your company from attack, GreatHorn can be deployed in just 15 minutes, providing comprehensive inbound mail protection. Request your free security check and setup here:

The Human Factor In Targeted Email Attacks

Harrowing is the word for the FBI’s recently published findings on CEO impersonation and related email fraud: according to the latest research from the FBI, there have been more than $2 billion in losses since 2013.

  • That maps to a 270% increase in identified victims and exposed loss since 2015 (and those are merely the fraction of losses actually detected and reported).
  • A Reuters story that ran this morning reports that an (undisclosed) US firm lost over $100m to an email spoofing impersonation attack.
  • Only slightly less harrowing than the raw numbers is the standard advice on how to respond: stronger authentication protocols and yet more security awareness training.

While both are good InfoSec practices, neither stops breaches or losses, because these sophisticated email scams ultimately depend on one thing: honest human error.

The Role of the Individual

Human error often plays a role in successful breaches, and no amount of security awareness training or authentication improvement will eliminate that. Impersonators take a methodical approach to their prospective victims. They map out an organization, identify targets with access to information or funds, research executive travel schedules, create nearly identical imposter domains (often with SPF and DKIM records of their own, so that authentication checks pass), and spoof legitimate email addresses where the target domain has not deployed DMARC. When they do make contact, scammers create a sense of urgency and secrecy and exploit socially engineered trust so that the target employee voluntarily transfers money or personally identifiable information. Here, the ineffectiveness of better authentication and security training begins to show.

Authentication plays a built-in role in the impersonation scam. Rather than compromise an account, impersonators simply gain the confidence of victims, who must themselves be properly authenticated to send the desired funds or information.

An Impossible Challenge: Security Awareness Training’s Failure

This leaves only training. On top of high implementation costs, these programs are outright ineffective. According to Forrester, employees with extensive security training have a pitiful 4% higher chance of catching such attacks over their untrained colleagues.

Moreover, 46% of employees state that “security restrictions and policies make me less effective,” and 32% admit they “sometimes ignore or go around our security policies.” This all goes to show how even companies with strong security protocols have fallen victim. Ultimately, if the advice to improve authentication and training just leads back to the same opportunity for honest human error, then the logical answer is automation.

Expecting employees to catch scams themselves is precisely what attackers want.

Instead, it’s better to add a layer of automated protection. GreatHorn’s platform applies heuristic risk scores based on metadata from fraudulent email attacks to automatically detect threats as they reach the inbox and take sub-minute, policy-based action against them. GreatHorn works with existing network topology, natively integrating with today’s most popular email platforms (Google Apps, O365, etc.), and deploys in under 15 minutes.

Sadly, CEO impersonation is but one of many sophisticated attacks. In the last four months alone, over 60 companies have fallen for the similar W2 email scam. As security training catches up, attackers will simply continue to dream up new scams and inventive ways of tricking people.

Automated protection learns along with them and applies that knowledge in real time, so rather than reactively alerting and training employees, organizations can identify and remediate threats pro-actively, stopping the breach before it happens.

Stopping the W2 Email Scam

Over the past two weeks, a number of companies have experienced large scale data breaches which started with a sophisticated kind of spear phishing attack: an email, supposedly written by the CEO, is sent to a member of the finance or human resources team. In it, the “CEO” asks for the W2 tax records for the company’s staff, as part of a research project.

If the victim falls for the ruse, and it’s often very carefully crafted, even indistinguishable from a legitimate message, those W2s are sent to an attacker outside of the company. Once in hand, the vast amounts of sensitive personally identifiable information inside of them are used for all manner of nefarious activities, from simple identity theft and credit card registration to money laundering and funding of international crime syndicates.

Today, it was reported that Seagate was hit with the same attack — all employee W2s compromised, with tax fraud as the expected outcome. We obviously extend our sympathies to the Seagate team; even smart, well-organized, and security-conscious teams can fall victim to these kinds of sophisticated attacks.

In this post, we are going to examine:

  • How “W2 Scams” work
  • Why native email provider security (such as Google Apps or Microsoft’s DLP solutions) is not the right tool for stopping them
  • How to safeguard your organization using GreatHorn, in less than 20 minutes

How W2 Scams Work

What’s notable about these kinds of attacks is that they exploit the weakest link in any security system: human beings.

Most employees, even executives, are responsive to requests from the C-suite. When an email from the CEO, CFO, or other senior member of the leadership team comes in, most people’s natural inclination is to respond and be helpful.

Unfortunately, it is relatively easy for an attacker to exploit this reaction. There are four primary means of executing an impersonation attempt (grouped into three examples below, the last of which covers two), and except for the most basic kind of attack, none of them can be detected at the email provider level. Let’s examine them in turn:

Example Attack 1: “Pure” Spoofing

The simplest type of attack is the “pure” spoofing attack. In this scenario, an attacker simply forges the mail headers (typically the From: line) to make their email appear as though it comes from someone inside the organization’s own mail domain.

In the screenshot below, which is an example of this kind of attack, note that the recipient’s Google Apps environment automatically adds the Google+ picture for the supposed CEO, Will Shorlin, even though this message was never actually sent by him.

Roy, the recipient, would likely never know that this was not really from Will. However, with GreatHorn in place, this message can be detected as a fraud within seconds, and automatically removed from Roy’s inbox, in addition to alerting the information security team of the fraud attempt. GreatHorn’s analysis shows that this is a fake for a number of reasons:

While Google Apps does not enforce DMARC rejection policies today, we expect that it will in the future; if a company publishes valid SPF, DKIM, and DMARC records, this simplest form of attack should become more difficult over time.

(If you don’t want to wait, you can defend against these kinds of threats today through the use of the GreatHorn platform.)


Example Attack 2: Homograph Domains

A more sophisticated attack is the “homograph domain” attack. In this variant, an attacker registers a domain that looks visually similar to their target’s domain, and even sets up SPF, DKIM, and DMARC to ensure that messages from that domain are deliverable.

The way that this works is that the attacker registers a name and domain that would trick the target. Often, we see this as a manipulation of the top-level domain; .com and .cm are commonly substituted, for example.

In combination with an identical sender name (note the example below, where [email protected] is being impersonated by [email protected]), most users won’t notice the change, especially when working from a mobile device, where limited screen real estate makes the difference hard to spot:

With GreatHorn in place, however, organizations don’t need to rely on eagle-eyed users to catch these kinds of attacks. Here, the platform can identify the “look-alike” domain automatically, in addition to the duplicated sender address, and then take automated action such as deleting or quarantining the email before it leads to a breach:

Example Attack 3: Username and Private Email Spoofing

A third way that organizations get breached is through impersonation that doesn’t rely on a spoofed or look-alike domain, but rather, impersonation of the sender as an individual.

We most often see this kind of attack when an organization has a large number of domains and brands under management, and a large employee base. The attack begins with an email that mimics the “friendly” display name of an executive (“Will Shorlin” in this example) and comes from a domain that looks familiar, even if not identical to the recipient’s domain.

Unless the recipient knows every domain that their company uses, this can often be a highly effective attack mechanism. Likewise, we’ve seen attacks in the wild that use private email addresses (, for example) to mimic executive names and generate this type of attack.

Gateways and filter-based security tools can’t detect this as a potential attack: no header spoofing is occurring, the message may well pass SPF and DKIM for the attacker’s own domain, and that domain is likely not on any blacklist. However, GreatHorn’s combination of Keyword Detection, Display Name Impersonation Detection, and Sender Address Analysis can automatically find and remove even these highly sophisticated attacks:
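The look-alike domain checks from Example 2 and the display-name check from Example 3, written out as an added example (not part of the original post and not GreatHorn’s code). ORG_DOMAINS, EXECUTIVES, the confusable table, and the sample From: headers are assumptions; a real deployment would load the company’s domain inventory and directory. Messages that arrive from a domain the company actually owns are deliberately passed through as “internal”, because deciding whether those are genuine or spoofed is the job of SPF, DKIM, and DMARC rather than of this check.

```python
"""Look-alike domain and display-name impersonation checks.

Added example, not GreatHorn's code. ORG_DOMAINS and EXECUTIVES are assumed
inputs. Domain labels are compared after confusable normalization and by edit
distance; the organizational domain is approximated as the last two labels
rather than via the Public Suffix List.
"""
import re
from email.utils import parseaddr

ORG_DOMAINS = {"example.com", "example-corp.net"}  # assumed: every domain the company mails from
EXECUTIVES = {"Will Shorlin"}                       # assumed: names attackers are likely to borrow

# Heuristic substitutions: each left-hand string renders like the right-hand one in many fonts.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("5", "s"), ("3", "e"), ("7", "t")]


def registrable(domain):
    """'mail.example.com' -> 'example.com' (last two labels; an approximation)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize_confusables(label):
    for lookalike, genuine in CONFUSABLES:
        label = label.replace(lookalike, genuine)
    return label


def edit_distance(a, b):
    """Levenshtein distance with a rolling row, O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(candidate, protected):
    """Return why `candidate` resembles `protected`, or None if it does not."""
    cand, prot = registrable(candidate), registrable(protected)
    if cand == prot:
        return None                           # same organization, not a look-alike
    c_label, _, c_tld = cand.partition(".")
    p_label, _, p_tld = prot.partition(".")
    if c_label == p_label and c_tld != p_tld:
        return "tld-swap"                     # example.cm for example.com
    if normalize_confusables(c_label) == p_label:
        return "confusable-substitution"      # examp1e.com, exarnple.com
    if edit_distance(c_label, p_label) <= (1 if len(p_label) < 8 else 2):
        return "near-miss-spelling"           # examples.com, exmple.com
    return None


def normalize_name(display_name):
    """'Shorlin, Will' and 'Will Shorlin' both become 'shorlin will'."""
    return " ".join(sorted(re.findall(r"[a-z]+", display_name.lower())))


def analyze_from(from_header, org_domains=ORG_DOMAINS, executives=EXECUTIVES):
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if registrable(domain) in {registrable(d) for d in org_domains}:
        return "internal"  # genuine or directly spoofed: that question belongs to SPF/DKIM/DMARC
    for protected in org_domains:
        reason = lookalike_reason(domain, protected)
        if reason:
            return "lookalike-domain:" + reason
    if normalize_name(name) in {normalize_name(e) for e in executives}:
        return "display-name-impersonation"  # an executive's name on an address we do not own
    return "external"


if __name__ == "__main__":
    # Constructed sample senders, not real messages.
    for header in (
        '"Will Shorlin" <will@example.cm>',
        '"Will Shorlin" <will@examp1e.com>',
        '"Will Shorlin" <will@examples.com>',
        '"Shorlin, Will" <will.shorlin@gmail.com>',
        '"Will Shorlin" <will@example.com>',
        '"Jane Doe" <jane@partner.org>',
    ):
        print(f"{header:45} -> {analyze_from(header)}")
```

The edit-distance threshold scales with the length of the protected label so that short brand names do not generate false positives against unrelated short domains; tune it against your own inbound traffic before acting on “near-miss-spelling” automatically.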

Preventing W2 Scam Attacks

Since the nature of these attacks extends beyond what can be addressed by the email providers themselves, the only effective means of defense lies in a purpose-built spear phishing solution.

As a platform, GreatHorn protects over 10,000 mailboxes today, giving us access to over 50,000,000 emails that we analyze and defend from this kind of modern spear phishing attack. Out of that data, we’ve seen a marked increase in both the number and sophistication of these types of attempts in the past six months alone.

Roughly 1 in 5 (18%) of all of the identified threats we see today are emails that use one of the four attack mechanisms described above. CISOs have a decision to make: wait to be breached, or get proactive. Yesterday’s solutions (email gateways, employee training, and so on) simply can’t address these new kinds of attacks.

GreatHorn can deploy in under 15 minutes, and provide immediate and comprehensive security to ensure that these types of breaches don’t happen. We’re passionate about shutting down spear phishing, for every domain, in realtime and without requiring extensive training or changing mail routing rules.

Ready to protect yourself from W2 scams?

Should the CISO Report To The CEO?

Understanding risk is an important part of building an effective security program, but it’s no longer enough. Building an appropriate organizational structure can have a measurable effect on how at risk of data breach your organization is, and a key component of getting that structure right is ensuring that your CISO has both the capabilities and the responsibilities needed to do his or her job effectively.

The New Role of Security

I recall sitting in a movie theater in the late 1990s, when I was in my first job in the security industry, alongside colleagues from @stake and our peers at RSA. We’d rented out a theater (courtesy of RSA’s budget) to see a premiere of some terrible movie about hacking.

The pleasure was in seeing it with my colleagues, of course, and not in the movie’s plot. We spent our working hours reverse engineering software, often for large companies that wanted to ensure that they’d not left a buffer unchecked somewhere or somehow allowed a critical flaw to creep into their product before release. It’s been more than a decade, but I am fairly certain that we never did our jobs with a gun held to our heads, or with Halle Berry dancing in the room while we worked.

In many ways, this was a definitional experience for me: learning that “real” cybersecurity was the result of teamwork, and that it was most often a slow, somewhat tedious, and entirely unglamorous task. Over the course of the last 15 or so years, I’ve encountered many organizations that failed to appreciate this basic set of characteristics when designing their cybersecurity programs. Absent a foundation in data analysis and elbow grease, security programs end up being defined by the vendors and software that have been paid for. The result is, as the Brookings Institution argued in 2013, “reliance on the concept of risk management” rather than robust security.

CISO Reporting Structures

One of the problems that arises from risk-focused thinking is that organizations align their organizational structures to support it. Consider how most security teams’ reporting structures work:

  • CISO aligns with Information Technology, reports to the CIO/CTO
  • CISO aligns with Legal, reporting to the General Counsel
  • CISO is a peer to the CIO/CTO/GC, reports to the CEO

In the first case, the CISO is often the “first man through the door”. When things go awry, he (or she) is the one to take the heat. The organizational goals of IT are to support the business; by making security subservient to those goals, there is a guarantee of conflict at some point, and the idea that security is a “department of no” takes hold.

Moreover, in PWC’s 2014 State of Information Security survey, it was found that “organizations in which the CISO reported to the CIO experienced 14% more downtime due to cyber security incidents than those organizations in which the CISO reported to the CEO.”

Aligning security with the Legal department is usually a better arrangement, as the GC is fundamentally more aware of how risk and business objectives need to be balanced against one another. However, there are still problematic facets to this arrangement: legal teams tend to be less technologically focused than the security group, and mitigation and insurance are often seen as trade-offs for security investment.

Why It’s Vital That Your CISO Report to the CEO

In organizations that deal with significant amounts of regulated data or intellectual property, a third structure emerges: the CISO who reports directly to the CEO or board of directors. This gives security equal footing with technology, and the data from the past three years of the PWC reports indicate that “reporting to the CEO or the Board of Directors, instead of the CIO, significantly reduces downtime and financial losses resulting from cyber security incidents.”

What this suggests is that the CISO function — and security in general — needs to be treated with the same respect and responsibility as technology, legal, sales, marketing, or any other functional area in your business.

Treating security as more than just a risk and compliance function means arming security teams with more than just a collection of purchased tools and a pat on the head. The trends toward data-driven decision making in other functions — see the rise of Predictable Revenue modeling in sales, of Inbound as a marketing strategy, and so on throughout the business — need to be replicated in the security department.

In addition to giving the CISO budget and authority, we need to find ways to give him or her data, intelligence, and the ability to use new kinds of data analytics to drive their decision and program processes.

GreatHorn helps organizations defend their cloud communication infrastructure from highly targeted attacks, including spear phishing and credential theft. Learn more in our free eBook: The CISO’S Guide to Spear Phishing.