Although business email compromise (BEC) and phishing are often mentioned in the same breath, the differences between them extend beyond how they are launched to how they are caught.
BEC needs deeper, context-aware detection than basic phishing tools provide, and that is where AI-based email security earns its keep.
BEC vs. Phishing: The Security Perspective
From a practitioner’s point of view, stopping a BEC scam can look very different from spotting a phish.
Phishing Scams
- General – but maybe too general. Most phishing is still spray-and-pray: attackers hit a wide range of victims with essentially the same campaign. The message has to be generic enough to apply to everyone, and that lack of specificity costs it sophistication, which in turn makes it easier to catch.
- Malware is still common. Many phishing campaigns still deliver malware or link to a credential-harvesting page, which hands traditional security tools (to say nothing of more advanced ones) a concrete artifact to detect: a file hash, a URL, a domain, a sandbox verdict.
- QR codes, steganography, and more. Phishers also use more evasive delivery methods, such as malicious URLs encoded in QR codes, payloads hidden inside images (steganography), and weaponized attachments. These are designed to dodge filters, but advanced email protection, for example integrated cloud email security (ICES), is getting steadily better at ferreting them out.
BEC Scams
- They know more than your name. BEC scams are highly targeted. Think of spear phishing, where the attacker has done the research and knows not only your personal details but convincing details about your boss and your workplace, too.
- They don’t leave a technical trail. This is the most frustrating part of BEC for traditional security deployments: there is often nothing to catch. No malware, no malicious attachment or link, no known-bad IP address. In many cases the threat actor has used stolen credentials (bought on the dark web) to take over an employee’s mailbox, so the email really does come from “them”: from the legitimate domain, with SPF, DKIM, and DMARC all passing. Mail that never leaves the organization, sent from one internal mailbox to another, is invisible to a perimeter gateway and often outside the reach of even advanced email security solutions.
This puts SOCs in a tough spot. BEC emails fly under the radar, leaving nothing but the employee’s own wits to spot the scam in real time. Generative AI makes this harder still: the grammar is correct, the wording mimics the style of the purported “sender” (a language model can be prompted with that person’s real messages), and even the sign-off matches.
The tools that caught phishing emails yesterday – employee training, malware scans, and even behavior-based detection of malicious payloads – are not enough to catch BEC scams today.
BEC Security: What AI Catches that Other Tools Can’t
If attackers are using AI to level up their BEC game, defenders need to do the same. AI provides context-aware detection that weighs several signals together rather than looking for a single bad artifact.
These are the contextual clues that humans alone might miss.
What is the communication style of your boss?
Your CEO and other “most likely to be impersonated” individuals are profiled by AI email security models. The model compares the tone and style of an incoming message (sentence length, vocabulary, punctuation habits, greeting and sign-off) to a baseline built from that person’s historical mail. If the style doesn’t match, the message is flagged.
This may not work in a genuine account takeover, where the attacker writes from the real mailbox and can study its sent items, but the “good news” is that not every BEC scam comes from a compromised account; many still come from outside. Freshly registered domains, aged domains bought for the purpose, lookalike domains, and spoofed display names and headers can all still get past human eyes and conventional email defenses.
What is the intent of the email?
Another context clue AI picks up is the meaning of the message itself. If the intent is to pressure or coerce, with words like “immediate,” “emergency,” or “urgent,” an AI-powered engine will flag the message and set it aside. Urgency on its own is a weak signal, since plenty of legitimate mail is urgent; the combination that matters for BEC is urgency plus a request to move money, change bank details, buy gift cards, or keep the matter quiet.
What is the tone of the thread?
BEC attackers like to insert themselves into existing email threads, arriving part-way through so the request inherits the thread’s credibility and confuses their victims. AI can analyze the tone of the thread, how the actual sender historically responded and communicated, and spot the difference between a new voice and the old, including a reply from an address that was never a participant in the thread.
Anomalies in geography and time
If the email is sent from a different part of the world than the one the sender usually operates from, AI-powered email security tools will catch it. The same goes for a message sent at a time of day that doesn’t fit the sender’s pattern. With ML, the model learns these habits quickly and uses them as a baseline for comparison.
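To make the four signals above concrete, here is an added example (mine, not any vendor’s detection engine) that builds a per-sender baseline from a handful of constructed historical emails and scores an incoming message against it: writing style (sentence length and sign-off), intent (urgency combined with a money request), thread membership, and send hour and country. Every address, message, weight and threshold is constructed for illustration; a production model would learn far richer stylometric features and tune the weights on labelled data.

```python
import re
import statistics
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

UTC = timezone.utc


@dataclass
class Email:
    sender: str
    country: str                     # assumed: geolocated from the sending IP
    sent_at: datetime                # UTC
    body: str
    thread_id: Optional[str] = None


@dataclass
class SenderBaseline:
    len_mean: float                  # mean words per sentence in historical mail
    len_sd: float
    signoffs: Set[str]
    hours: Set[int]                  # UTC hours this person usually sends at
    countries: Set[str]


URGENCY_RE = re.compile(r"\b(urgent(ly)?|immediately|asap|emergency|right away|today)\b", re.I)
FINANCE_RE = re.compile(r"\b(wire|transfer|invoice|gift cards?|bank (account|details)|payment|payroll|iban)\b", re.I)


def sentence_lengths(text: str) -> List[int]:
    return [len(s.split()) for s in re.split(r"[.!?]+", text) if s.strip()]


def signoff(text: str) -> str:
    """First word of the last line, e.g. 'thanks' from 'Thanks, Dana'."""
    last = text.strip().splitlines()[-1].split()
    return re.sub(r"[^a-z]", "", last[0].lower()) if last else ""


def build_baseline(history: List[Email]) -> SenderBaseline:
    lens = [n for e in history for n in sentence_lengths(e.body)]
    return SenderBaseline(
        len_mean=statistics.mean(lens),
        len_sd=statistics.pstdev(lens) or 1.0,
        signoffs={signoff(e.body) for e in history},
        hours={e.sent_at.hour for e in history},
        countries={e.country for e in history},
    )


def score_email(email: Email, base: SenderBaseline,
                thread_members: Dict[str, Set[str]]) -> Tuple[int, List[str]]:
    """Return (risk score, reasons). Weights are illustrative assumptions."""
    hits: List[Tuple[int, str]] = []
    # 1. Style: does this read like the person's historical mail?
    lens = sentence_lengths(email.body)
    if lens and abs(statistics.mean(lens) - base.len_mean) / base.len_sd > 2:
        hits.append((2, "sentence length far off the sender's baseline"))
    if signoff(email.body) not in base.signoffs:
        hits.append((1, "unfamiliar sign-off"))
    # 2. Intent: urgency alone is weak; urgency plus a money request is the BEC pattern.
    urgent, money = URGENCY_RE.search(email.body), FINANCE_RE.search(email.body)
    if urgent and money:
        hits.append((3, "urgent financial request"))
    elif money:
        hits.append((1, "financial request"))
    # 3. Thread hijack: a reply from an address that was never in the thread.
    if email.thread_id and email.sender not in thread_members.get(email.thread_id, set()):
        hits.append((2, "sender was not a participant in this thread"))
    # 4. Time and geography against the learned habits.
    if email.sent_at.hour not in base.hours:
        hits.append((1, f"sent at {email.sent_at.hour:02d}:00 UTC, outside usual hours"))
    if email.country not in base.countries:
        hits.append((2, f"sent from {email.country}, not a usual country"))
    return sum(points for points, _ in hits), [why for _, why in hits]


def verdict(score: int) -> str:
    return "hold" if score >= 5 else ("review" if score >= 3 else "deliver")


# Constructed history for one executive (not real mail).
HISTORY = [
    Email("ceo@example.com", "US", datetime(2024, 5, 6, 14, 5, tzinfo=UTC),
          "Hi team. The board deck looks good. Ship it.\nThanks, Dana"),
    Email("ceo@example.com", "US", datetime(2024, 5, 6, 13, 40, tzinfo=UTC),
          "Morning. Can you send the Q2 numbers by Friday.\nThanks, Dana"),
    Email("ceo@example.com", "US", datetime(2024, 5, 7, 16, 20, tzinfo=UTC),
          "Great work on the launch. Let's review on Monday.\nThanks, Dana"),
    Email("ceo@example.com", "US", datetime(2024, 5, 8, 15, 2, tzinfo=UTC),
          "Hi. Please loop legal in on the vendor contract.\nThanks, Dana"),
]
THREADS = {"t-1": {"ceo@example.com", "cfo@example.com"}}   # constructed thread membership
BASELINE = build_baseline(HISTORY)

# A lookalike-domain reply injected into thread t-1 at 03:00 UTC from another country.
SUSPICIOUS = Email("ceo@example-corp.com", "DE", datetime(2024, 5, 9, 3, 0, tzinfo=UTC),
                   "I need you to process an urgent wire transfer to a new supplier before "
                   "end of day today, the bank details are attached and I am in meetings so "
                   "cannot take calls.\nRegards, Dana", thread_id="t-1")
BENIGN = Email("ceo@example.com", "US", datetime(2024, 5, 9, 15, 0, tzinfo=UTC),
               "Hi. Thanks for the update on the audit. Let's discuss Monday.\nThanks, Dana",
               thread_id="t-1")

if __name__ == "__main__":
    for mail in (SUSPICIOUS, BENIGN):
        s, why = score_email(mail, BASELINE, THREADS)
        print(f"{mail.sender}: {verdict(s)} (score {s}) {why}")
```

The point of the structure is that no single check decides: the lookalike reply trips every signal and is held, while the executive’s own short, on-hours note scores zero even though it contains the word “Thanks” twice and sits in the same thread. Any one of these checks alone produces false positives; it is the combination, weighed against that specific sender’s habits, that separates a BEC attempt from ordinary urgent business mail.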
Flagging a suspicious email is only part of the BEC-catching process. As Prophet Security notes, “Once you suspect a BEC attack, it is critical to analyze behavioral telemetry and authentication logs to confirm account compromise or malicious activity.”
Human SOC analysts are perfectly capable of using tools to probe authentication logs for signs of bad behavior that would betray a possible BEC attack, but it is very difficult to do so at scale. The number of security tools the average company uses is somewhere in the ballpark of 83, from 29 different vendors, no less. Checking logs across all of them is heavy work.
AI-powered engines can reach across those solutions, integrate with their outputs, and scan the logs at scale to surface indicators of compromise (a sign-in from a new country minutes after a legitimate one, a new inbox rule that forwards or hides mail, a missing MFA challenge) faster than human analysts alone, even analysts armed with sophisticated non-AI tools.
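The confirmation step Prophet Security describes, turning to behavioral telemetry and authentication logs once a message looks suspect, looks like this in practice. The following is an added example, not Prophet Security’s product or code: the audit events are constructed in a simplified JSON shape (real Microsoft 365 or Google Workspace audit logs are structured differently), the addresses use documentation IP ranges, and the “impossible travel” check is reduced to a country change between two sign-ins within a time window rather than a true distance-and-speed calculation.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed audit events (not a real vendor schema). Mailbox cfo@example.com
# signs in normally, then again from another country without MFA, after which
# two inbox rules appear: one buries finance mail, one forwards everything out.
LOG_LINES = [
    '{"ts":"2024-05-07T08:02:11Z","user":"cfo@example.com","event":"signin","result":"success","ip":"203.0.113.5","country":"US","mfa":true}',
    '{"ts":"2024-05-07T09:14:40Z","user":"cfo@example.com","event":"signin","result":"success","ip":"198.51.100.77","country":"DE","mfa":false}',
    '{"ts":"2024-05-07T09:16:02Z","user":"cfo@example.com","event":"inbox_rule_created","rule":{"name":".","conditions":{"subject_contains":["invoice","payment"]},"actions":{"move_to":"RSS Feeds","mark_read":true}}}',
    '{"ts":"2024-05-07T09:17:30Z","user":"cfo@example.com","event":"inbox_rule_created","rule":{"name":"fwd","conditions":{},"actions":{"forward_to":"cfo.example@mail.example.net"}}}',
    '{"ts":"2024-05-07T10:00:00Z","user":"ap@example.com","event":"signin","result":"success","ip":"203.0.113.9","country":"US","mfa":true}',
]

FINANCE_TERMS = {"invoice", "payment", "wire", "bank", "remittance"}
# Folders attackers commonly route mail into so the victim never sees it.
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "archive", "junk email"}


def parse_events(lines: List[str]) -> List[dict]:
    events = []
    for line in lines:
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def signin_indicators(events: List[dict],
                      window: timedelta = timedelta(hours=2)) -> Dict[str, List[str]]:
    """Flag MFA-less sign-ins and a country change between two successful sign-ins within `window`."""
    found: Dict[str, List[str]] = defaultdict(list)
    last_signin: Dict[str, dict] = {}
    for ev in events:
        if ev.get("event") != "signin" or ev.get("result") != "success":
            continue
        user = ev["user"]
        if not ev.get("mfa", False):
            found[user].append(f"sign-in without MFA from {ev['ip']} ({ev['country']})")
        prev = last_signin.get(user)
        if prev and prev["country"] != ev["country"] and ev["ts"] - prev["ts"] <= window:
            found[user].append(f"impossible travel {prev['country']}->{ev['country']} within {ev['ts'] - prev['ts']}")
        last_signin[user] = ev
    return found


def rule_indicators(events: List[dict]) -> Dict[str, List[str]]:
    """Flag inbox rules that forward mail off-domain or bury finance-related messages."""
    found: Dict[str, List[str]] = defaultdict(list)
    for ev in events:
        if ev.get("event") != "inbox_rule_created":
            continue
        user, rule = ev["user"], ev["rule"]
        actions, conds = rule.get("actions", {}), rule.get("conditions", {})
        fwd = actions.get("forward_to")
        if fwd and fwd.rsplit("@", 1)[-1].lower() != user.rsplit("@", 1)[-1].lower():
            found[user].append(f"rule '{rule['name']}' forwards mail to external address {fwd}")
        terms = {t.lower() for t in conds.get("subject_contains", [])} & FINANCE_TERMS
        buried = actions.get("move_to", "").lower() in HIDE_FOLDERS or actions.get("delete", False)
        if terms and (buried or actions.get("mark_read", False)):
            found[user].append(f"rule '{rule['name']}' hides finance mail matching {sorted(terms)}")
    return found


def investigate(lines: List[str]) -> Dict[str, List[str]]:
    """Merge per-user indicators from both checks; users with none are omitted."""
    events = parse_events(lines)
    merged: Dict[str, List[str]] = defaultdict(list)
    for source in (signin_indicators(events), rule_indicators(events)):
        for user, items in source.items():
            merged[user].extend(items)
    return dict(merged)


if __name__ == "__main__":
    for user, items in investigate(LOG_LINES).items():
        print(user)
        for item in items:
            print("  -", item)
```

Run against the constructed log, the CFO’s mailbox comes back with four indicators in a two-minute span (foreign sign-in without MFA, country change inside the window, a rule that buries invoice mail, a rule that forwards everything to an outside address) while the accounts-payable user, who signed in normally, is not mentioned at all. That cluster is the confirmation the article calls for: a flagged message plus this telemetry is an account takeover, not a false positive, and the response (revoke sessions, reset credentials, delete the rules, check what was sent) can start immediately.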
Finding BEC Fast with AI-Powered SOCs
BEC is very hard to catch at scale today without the help of AI. And yet, with nearly every tool and vendor leaning into AI in some way, which AI solution will work best?
Many are turning to AI-powered SOC platforms as a way to apply AI across a range of tools, environments, and ecosystems. Instead of bolting AI/ML onto a single product, such a platform draws on the solutions companies already have (SIEM, EDR, cloud platforms, IAM, SaaS, workflow tools, and more) and makes them work together.
A mix of these tools is needed to chase BEC scams down at each of their stages, from detecting context clues in the message to hunting down malicious behavior should one get through. The best AI SOC platforms do the work of an actual SOC analyst, drawing from each of these tools to detect, investigate, and respond to threats, but at machine pace. That is what it is going to take to keep up with BEC threats at scale.
An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation, and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire, and many other sites.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.


