Business Email Compromise and S/MIME Certificates

There are a variety of scams in which attackers break into a company’s email systems or craft deceptive email templates in order to convince employees to transfer money to fraudulent bank accounts. These scams are described generally as Business Email Compromise (BEC), a category that also includes phishing, predatory phone calls, and general data theft.

These email-based attacks are considered to be some of the most financially costly cyber crimes in terms of damages inflicted. According to the FBI, 19,369 complaints of email-based attacks were recorded in 2020, amounting to a staggering total loss of $1.8 billion.

How do email-based attacks work?

A BEC scammer may utilize any of the tactics below:

Spoofing websites or email accounts

A BEC hacker knows that employees do not scrutinize every letter in a sender’s email address if the message is convincing and the sender is a familiar transaction partner like a vendor. The sender’s email address might be something like johndoe@example.com but the hacker will cleverly change it to jhondoe@example.com.
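As an added illustration (this is example code, not part of SSL.com’s article or products), the following Python script flags a sender address that is one or two edits away from a known contact, which is exactly how johndoe@example.com turns into jhondoe@example.com. The contact directory and the addresses checked are constructed for the example; the distance function counts a swapped pair of letters as a single edit, so the transposition above scores 1 rather than 2.

```python
"""Lookalike-sender detection for BEC triage.

Example code added to the article; not SSL.com's software. The contact
directory below is a constructed sample of trusted partner addresses.
"""

KNOWN_CONTACTS = {
    "johndoe@example.com",       # constructed: a familiar vendor contact
    "accounts@vendor.example",   # constructed: a supplier's billing mailbox
}


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: Levenshtein (insert, delete,
    substitute) plus adjacent transposition, so 'johndoe' vs 'jhondoe'
    costs 1 edit instead of 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def split_address(addr: str):
    """Split 'local@domain' (lower-cased) into its two halves."""
    local, _, domain = addr.strip().lower().rpartition("@")
    return local, domain


def classify_sender(addr: str, known=KNOWN_CONTACTS, max_edits: int = 2):
    """Return ('trusted', match), ('lookalike', match) or ('unknown', None).

    Local part and domain are compared separately against every known
    contact and the edit counts added, so both jhondoe@example.com and
    johndoe@exarnple.com (rn for m) land within max_edits of the real one.
    """
    addr_norm = addr.strip().lower()
    known_norm = {k.lower() for k in known}
    if addr_norm in known_norm:
        return "trusted", addr_norm
    local, domain = split_address(addr_norm)
    best = None
    for k in known_norm:
        k_local, k_domain = split_address(k)
        dist = osa_distance(local, k_local) + osa_distance(domain, k_domain)
        if 0 < dist <= max_edits and (best is None or dist < best[0]):
            best = (dist, k)
    if best:
        return "lookalike", best[1]
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample senders run through the classifier.
    for sender in ("johndoe@example.com", "jhondoe@example.com",
                   "johndoe@exarnple.com", "alice@other.example"):
        print(sender, "->", classify_sender(sender))
```

A "lookalike" verdict is a prompt for out-of-band confirmation with the real contact, not proof of fraud. The check is deliberately limited to ASCII edit distance; addresses that swap in visually identical characters from other alphabets need a separate confusable-character comparison.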

Phishing emails

Phishing messages target specific and important members of the company to deceive victims into divulging sensitive information (such as passwords to the company’s accounts and other assets) to the hackers.

Phone calls and text messages

While not entirely email-based, those who use phishing messages or other predatory email tactics have also operated through mobile calls, text messages, and voicemail. In this tactic, the victim is contacted by someone posing as a company official and instructed to transfer money or documents. BEC attackers have also been known to use deepfake technology to impersonate company executives in phone calls and voicemail messages. This is what happened in 2019 to a company executive in the UK, when attackers pretended to be his boss and directed him to transfer money to a Hungarian supplier. The criminals got away with 220,000 euros.

What are prominent examples of Business Email Compromise?

Any, or a combination, of the following types of Business Email Compromise have been successfully implemented by cyber criminals.

CEO Fraud

In this type of Business Email Compromise, the cybercriminals pretend to be the top executive and email an employee in the company’s finance division, instructing that money be transferred to the attacker’s account.

Account Compromise

The email account of a company employee is hacked and is used to request invoice payments from customers or clients. The information in the fraudulent invoice is manipulated in order to direct the payments to an account that is owned by the BEC attacker.

Attorney Impersonation

The attacker impersonates the company’s lawyer, either on email or the phone, and requests an employee to transfer funds on behalf of the company, or with the approval of the CEO. The targeted victims are usually lower-level employees who do not have the authority or awareness to validate such a request. Crafty BEC scammers usually conduct this tactic before a weekend or long holiday break when employees are pressured to finish up work.

Data Theft

Employees in the Human Resources or Accounting department are the usual targets of this attack. The cyber crooks try to fool the employees into divulging confidential or critical information owned by the company. If these data are successfully obtained, the attackers can either sell them to the victim’s business competitors or on the Dark Web, or use them as props for other types of BEC schemes such as CEO Fraud.

False Invoice Scheme

In this scam, cyber crooks pretend to be the suppliers or service providers of the company. They send deceptive emails to the targeted employee requesting payment for services rendered or supplies sold. The employee is then fooled into sending money to a fraudulent account.

How can SSL.com protect your company from Business Email Compromise?

A primary reason why BEC is such an effective scam is that it takes advantage of human tendencies: distraction or pressure at work, and deference to authority. In a workplace where efficiency is required, the human brain does tend to think heuristically, especially when dealing with familiar patterns. Training employees to be more vigilant can help, but it offers no full assurance. And with the rise of artificial intelligence that can imitate human speech patterns, fraudulent emails can now be reinforced by equally convincing voice impersonation. What is needed are foolproof methods that lead to better cybersecurity. This is where SSL.com can help your company.

Securing your Emailing System with S/MIME

Secure/Multipurpose Internet Mail Extensions (S/MIME) is a standard based on asymmetric encryption and Public Key Infrastructure (PKI) that strongly encrypts and authenticates email messages, thereby proving the identity of the source of the email.

Our S/MIME service effectively prevents Business Email Compromise from victimizing company employees by encouraging a protocol which states that emails under the names of executives, colleagues, and service providers will only be entertained if they are signed with an S/MIME certificate issued and validated by us. If employees receive an email claiming to be from someone in company leadership that is not digitally signed, they can be directed not to respond and instead to report it to the IT department for expert determination. This protocol keeps even the weariest or most easily distracted employee from committing grave errors.
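To make that protocol concrete, here is an added example (not SSL.com’s code) of the routing rule applied at the mailbox: a message whose From address belongs to a protected sender (executives, vendors) and that carries no S/MIME signature is held for the IT department rather than delivered. It uses only Python’s standard email library, and the protected addresses and the two sample messages are constructed for the example. The script recognises the two S/MIME signed message forms by their MIME structure alone; verifying the signature itself and the certificate chain behind it remains the job of the S/MIME-capable mail client or gateway.

```python
"""Routing rule for the S/MIME protocol described in the article.

Example code added to the article; not SSL.com's software. Addresses and
messages below are constructed samples.
"""
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed: senders whose mail must be S/MIME-signed to be acted on.
PROTECTED_SENDERS = {"ceo@example.com", "johndoe@example.com"}


def smime_signature_state(msg: EmailMessage) -> str:
    """Classify a message as 'detached-signed', 'opaque-signed' or 'unsigned'.

    S/MIME (RFC 8551) signs mail either as multipart/signed with an
    application/pkcs7-signature part, or as a single application/pkcs7-mime
    body with smime-type=signed-data. Only the structure is inspected here;
    the signature bytes are not validated by this function.
    """
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        proto = str(msg.get_param("protocol", "")).lower()
        if proto in ("application/pkcs7-signature",
                     "application/x-pkcs7-signature"):
            return "detached-signed"
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        if str(msg.get_param("smime-type", "")).lower() == "signed-data":
            return "opaque-signed"
    return "unsigned"


def triage(raw: str, protected=PROTECTED_SENDERS) -> dict:
    """Apply the rule: protected sender + no signature -> report to IT."""
    msg = message_from_string(raw, policy=policy.default)
    _, sender = parseaddr(str(msg.get("From", "")))
    sender = sender.lower()
    state = smime_signature_state(msg)
    action = "report-to-IT" if sender in protected and state == "unsigned" else "deliver"
    return {"from": sender, "signature": state, "action": action}


# Constructed sample: plain, unsigned message claiming to be the CEO.
UNSIGNED_CEO = """\
From: "CEO" <ceo@example.com>
To: finance@example.com
Subject: Urgent wire before the weekend
Content-Type: text/plain; charset=utf-8

Please transfer the funds today.
"""

# Constructed sample: the same sender, but in S/MIME multipart/signed form.
# The signature part holds a placeholder string, not real CMS SignedData.
SIGNED_CEO = """\
From: "CEO" <ceo@example.com>
To: finance@example.com
Subject: Q3 budget
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha-256; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Budget attached.
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVItbm90LWEtcmVhbC1zaWduYXR1cmU=
--b1--
"""

if __name__ == "__main__":
    print(triage(UNSIGNED_CEO))   # expected action: report-to-IT
    print(triage(SIGNED_CEO))     # expected action: deliver
```

Messages that pass this gate still go through the mail client’s normal signature verification, so a forged signature structure is caught there; what the gate adds is the article’s rule that an unsigned message in a protected name never reaches an employee as actionable mail.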

Document Signing

When it comes to Account Compromise, our document signing service shows its worth by assuring your clients and customers that the payment invoices they receive really came from you. If there is no digital signature, they should not entertain the invoice, no matter how realistic it looks.

For the False Invoice Scheme, you can establish a system with your suppliers or service providers wherein you communicate only over encrypted email and the documents used in your transactions carry a validated, tamper-evident digital signature. As for your employees, they can again be trained to sift through incoming documents and respond only to those that are digitally signed.

Go to this page to see which S/MIME and document signing certificate from SSL.com best suits your needs.