Protect your employees from business email compromise attacks

Menlo imposter threat detection flags payloadless attacks that impersonate senior executives and other VIPs

Cyberattacks aren’t always delivered via a payload such as a link to a malicious URL or an infected file attachment. Rather than trick users into downloading malicious content, attacks without payloads—otherwise known as imposter threats—use fake communications to get victims to carry out risky behavior, often offline. These fakes include emails such as phony government requests for a Social Security number, a relative’s plea for a wire transfer, a request from the boss to release proprietary business information or, more recently, give up personal information in exchange for health information and remedies about Covid-19.

Also called “CEO wire fraud” or “business email compromise” attacks, imposter threats look to impersonate a senior executive with the aim of making the intended victim carry out any request as a matter of urgency—often without going through the proper checks or verification. These attacks are often well researched by gathering information about the intended victim or impersonated executive from social media and other online sources. These attacks can be quite effective. In fact, five CEOs of some of the world’s largest banks were victims of a coordinated imposter threat hoax in a single month, including Goldman Sachs, CitiGroup, Barclays, Morgan Stanley, and the Bank of England.

Menlo Threat Labs analyzed a sample of threats and observed the following:

• Subject lines in the emails did not follow any specific patterns; instead, they followed ones you would write if you were requesting a response from close colleagues. Some of the top observed subject lines included Response, Request, Quick Request, Urgent Reply, and Hello.
• In some cases the subject line included the name of the recipient, which is clearly a targeted threat (unless it’s the not the correct name of the recipient).

Menlo Imposter Threat Detection roots out and flags business email compromise attacks across the organization. It detects where senior executives and other key employees are being impersonated via display name spoofing and the use of “cousin” or look-alike domains.

It does this by automatically tracking the email behavior of senior executives or other VIPs to root out abnormal requests while detecting spoofed messages based on email headers and sender names. Menlo compiles a sender popularity score in real time to determine if the recipient is likely to receive communications from the sender. Visibility into attacks is provided through the Insights reporting module and can also be consumed through Menlo’s iSOC feed.

Part of a layered security strategy

The ability to detect payload less attacks—combined with Menlo’s existing strengths at protecting against credential phishing attacks, ransomware, and other payload-based attacks—gives organizations a single solution for protecting against a wide range of advanced email threats.

Contact us for more information or check out how we can augment existing email security to protect from advanced email attacks