Business E-mail Compromise

Protect your Clients from Impostor E-mail

What is Business E-Mail Compromise?

Business E-mail Compromise, also known as Impostor E-Mail, Spear-Phishing, and Whaling, is a highly targeted type of phishing attack aimed at defrauding businesses. Typically, the attackers send an e-mail purporting to be from an executive with purchasing authority within the targeted company, requesting that the targeted employee pay significant sums into an account controlled by the phishers.

How Can My Business Protect Itself?

The first stage of protection against any phishing attack is employee education. Ensuring that your employees know about Business E-Mail Compromise and are on the alert for suspicious purchase orders is an effective first step. Confirming expenditures via phone call or, if a phone call is for some reason not possible, by a separate e-mail to a trusted account (not a reply to the original request) can quickly identify most malicious requests, and also serves as a best practice for catching simple accounting errors.

Unfortunately, humans, even your employees, are prone to error. Adding another layer of protection before the message arrives can significantly reduce the risk of an attack slipping through. The first layer of technological protection you can add is a spam filter. Simply catching bulk unsolicited e-mail is a good start, but a spam filter can do more to help prevent phishing attacks, including business e-mail compromise. In this context, the most important anti-phishing measure a spam filter can add is proper enforcement of the standard e-mail authentication protocols, which flag any e-mail whose sender domain is spoofed.

The Protocols:

  • SPF: “Sender Policy Framework” is a mechanism that allows a domain’s administrator to list which hosts are allowed to originate e-mail claiming to come from that domain.
  • DKIM: “DomainKeys Identified Mail” lets an organization take responsibility for a message that is in transit. The organization is a handler of the message, either as its originator or as an intermediary. Their reputation is the basis for evaluating whether to trust the message for further handling, such as delivery. Technically, DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication. Roaring Penguin signs outbound mail with DKIM keys, including multiple keys for a single domain, so that mail sent from a domain carries a cryptographic signature proving that it really came from the original domain. DKIM improves the deliverability of a domain’s e-mail by letting the recipient’s e-mail system check the signature and trust the origin and integrity of the message.
  • DMARC: “Domain-based Message Authentication, Reporting & Conformance” is an e-mail authentication protocol. It builds on the widely deployed SPF and DKIM protocols, adding a reporting function that allows senders and receivers to improve and monitor protection of the domain from fraudulent e-mail.

The Roaring Penguin Advantage:

Roaring Penguin’s Hosted CanIt service will enable and authenticate keys for all three standards, catching messages with spoofed headers and moving them directly to your spam trap. Hosted CanIt is a valuable line of defence against all kinds of phishing attacks, business e-mail compromise included. DMARC is a mechanism to help detect spoofed domains; support for DMARC allows all Roaring Penguin clients to defend themselves against domain spoofing attacks. A DMARC policy allows a domain’s owner to indicate that the domain’s messages are protected by SPF and/or DKIM, and to tell a receiver what to do if both of those authentication methods fail, such as quarantining or rejecting the message. In a Business E-Mail Compromise style attack, for example, a forged message claiming to come from an officer of your company would be automatically rejected if it pretended to have been sent from a business account inside your domain.
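To make the receiver-side decision concrete, here is an added example (not Roaring Penguin's or CanIt's code) of how a mail filter turns a published DMARC record plus the SPF and DKIM results into a disposition. The record text, the domain names and the message results are constructed for the illustration; the organizational-domain helper is a simplification that takes the last two labels instead of consulting the Public Suffix List.

```python
"""DMARC disposition check: a receiver applies the sender's p= policy
only when neither an aligned SPF pass nor an aligned DKIM pass exists."""


def parse_dmarc(record):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s'."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain):
    """Simplified organizational domain: last two labels (no PSL lookup)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match,
    relaxed ('r', the default) accepts the same organizational domain."""
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(from_domain, spf_result, spf_domain, dkim_pass_domains, record):
    """Return 'pass' when the message is authenticated and aligned,
    otherwise the domain owner's requested action: none, quarantine or reject.
    from_domain: domain of the visible From: header (what the victim sees)
    spf_result/spf_domain: SPF outcome and the MAIL FROM domain it applies to
    dkim_pass_domains: d= values of DKIM signatures that verified"""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = any(aligned(d, from_domain, tags.get("adkim", "r")) for d in dkim_pass_domains)
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]


if __name__ == "__main__":
    # Constructed case: forged From: ceo@example.com relayed through an unrelated
    # server whose own SPF passes, with no DKIM signature for example.com.
    policy = "v=DMARC1; p=reject; adkim=s; aspf=r"
    print(dmarc_disposition("example.com", "pass", "bulk-sender.example.net", [], policy))
```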