Business Email Compromise (BEC) attacks have overwhelmed traditional email security providers because they don’t rely on URLs or malicious attachments to compromise a user. Instead they use social engineering to convince the victim to wire money, send gift cards or turn over important information.
For example:
How would your vendor know that this is an impersonation of your CEO?
In this organization, the CEO and CFO refer to one another by their initials on a regular basis, so this is very likely to fool her into continuing the conversation and falling victim to the attack.
It is impossible to identify impersonation attacks without internal context.
With social tools like LinkedIn and Facebook, attackers now have more information about your organization’s social structure than your email security vendor. When an external gateway sees an email from the “CEO” to the CFO, it would be the very first time it has seen such a conversation.
A gateway vendor that has no internal visibility will have never seen an email between the CFO and CEO before. A few of them claim to be able to import usernames and titles from Active Directory, but it is complicated and rarely kept up to date. More importantly, they have no real context for conversational history between internal users. They are blind to nicknames, typical conversational styles and previous email chains. They don't know who, or how, employees normally email.
Will purchasing my vendor’s internal email tool help with impersonation attacks?
No.
This is the challenge of trying to integrate multiple independent products into one holistic solution. In order to stop impersonation attacks, the external email filters must be informed by the social graph and relational analysis of historical internal email.
Your vendor's internal email protection product is only designed to block malware and phishing attacks. It is not capturing the internal reputational context of legitimate email conversations. It is neither scanning historical threads nor sharing internal information with the outside filter.
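To make "informed by the social graph" concrete, here is an added sketch (not the vendor's product code) in which historical internal mail feeds the check on an inbound message: it learns which addresses use which display names, nicknames included, and who has mailed whom, then flags a known name arriving from an unknown address. All names, addresses and reason codes are constructed for the example, and conversational style is not modelled.

```python
from collections import defaultdict
from email.utils import parseaddr

# Constructed sample of historical internal mail: (From header, recipient address).
INTERNAL_HISTORY = [
    ('"Jane Doe" <jane.doe@example.com>', "carol.king@example.com"),
    ('"JD" <jane.doe@example.com>', "carol.king@example.com"),
    ('"Carol King" <carol.king@example.com>', "jane.doe@example.com"),
]


def _norm(text):
    """Lower-case and collapse whitespace so 'J D ' and 'j d' compare equal."""
    return " ".join(text.lower().split())


def build_graph(history):
    """Learn which addresses use which display names, and who has mailed whom."""
    names = defaultdict(set)  # display name (incl. nicknames) -> sender addresses
    pairs = set()             # (sender address, recipient address) seen before
    for from_header, recipient in history:
        name, addr = parseaddr(from_header)
        names[_norm(name)].add(addr.lower())
        pairs.add((addr.lower(), recipient.lower()))
    return names, pairs


def check_inbound(from_header, recipient, names, pairs):
    """Return reason codes for an inbound message; an empty list means no finding."""
    name, addr = parseaddr(from_header)
    addr, recipient = addr.lower(), recipient.lower()
    reasons = []
    known_addrs = names.get(_norm(name), set())
    if known_addrs and addr not in known_addrs:
        # Name (or nickname) of a known internal sender, but a different address.
        reasons.append("display_name_mismatch")
    if (addr, recipient) not in pairs:
        reasons.append("first_contact")
    return reasons


NAMES, PAIRS = build_graph(INTERNAL_HISTORY)
```

A filter with no internal history can produce neither reason code, because it has nothing to compare the inbound message against.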
Our phishing detection leverages 300+ features that cover all aspects of the communication (text, attachments, reputation, social graph/history, headers, images), all feeding into a 3-tier deep learning architecture to detect phishing.