Machine Learning: The best defence against email spoofing and CEO fraud


In recent years, spear-phishing, the positioning of a fraudulent email as coming from a friend, family member or colleague, has exploded, resulting in worldwide financial losses of more than US $2.3 billion, according to the FBI.

In addition to spear-phishing threats, email spoofing has been a major catalyst for the rise of CEO fraud and business email compromise (BEC) attacks. TechTarget defines email spoofing as:

“forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email spoofing is a tactic used in phishing and spam campaigns because people are more likely to open an email when they think it has been sent by a legitimate source. The goal of email spoofing is to get recipients to open, and possibly even respond to, a solicitation.”

In the United States, a Georgia man was recently arrested for spoofing the email of a CEO from Kansas, stealing US $566,000 before being caught. Recent email spoofing campaigns have also targeted Amazon and PayPal customers with considerable success. Just six months ago a CEO fraud campaign cost one company $40 million.

The common cure for email spoofing

Unfortunately, email spoofing is easy to enact. According to an article in the Huffington Post, “all a person needs to spoof an email address is a Simple Mail Transfer Protocol (SMTP) server and the appropriate email software.”

To mitigate the risk of falling victim to email spoofing, the CERT division at the Software Engineering Institute has issued prevention guidelines. Their recommendations include:

  • Use cryptographic signatures
  • Configure the mail delivery daemon so that outside hosts cannot connect directly to the SMTP port and inject mail
  • Configure firewalls so that email has a single point of entry
  • Educate users

Other advice, such as the recommendations provided by Symantec, suggest that companies should:

  • Create a Sender Policy Framework (SPF) record listing the IP addresses that send mail for your domain, and enable authentication via SPF records for your own domain
  • Enable DKIM: publish a DKIM key and DKIM policy, and sign your messages with it
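
As an added illustration of the SPF recommendation above (example code, not Symantec's or the page's), here is a minimal evaluator showing how a record's `all` qualifier decides what happens to mail from a host that is not listed. The records and IP addresses are constructed, and only the `ip4`, `ip6` and `all` mechanisms are handled.

```python
# Added example: a minimal SPF evaluator covering the ip4/ip6 and "all"
# mechanisms, used to compare a weak record (~all) with a strict one (-all).
# Records and addresses below are constructed; a real check also resolves
# include:, a, mx and other mechanisms, which this helper does not.
import ipaddress

def spf_check(record: str, sender_ip: str) -> str:
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' for sender_ip under record."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # no usable SPF record published
    for term in terms[1:]:
        qualifier = "+"                    # an unqualified mechanism means "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        verdict = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
        if term == "all":
            return verdict                 # "all" matches everything not matched earlier
        for prefix in ("ip4:", "ip6:"):
            if term.startswith(prefix):
                # a v4 address never matches a v6 network and vice versa
                if ip in ipaddress.ip_network(term[len(prefix):], strict=False):
                    return verdict
    return "neutral"                       # no mechanism matched and no "all" term

# Constructed records: the weak one lets unlisted hosts through as softfail,
# which many receivers still deliver; the strict one fails them outright.
WEAK_RECORD   = "v=spf1 ip4:203.0.113.0/24 ~all"
STRICT_RECORD = "v=spf1 ip4:203.0.113.0/24 -all"
```

SPF only answers whether the sending host is authorised for the envelope domain; it says nothing about the display name or about a look-alike domain the attacker registered and published a valid record for, which is why mailbox-level analysis is still needed.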

While these recommendations, and others like them, have stopped some email spoofing attacks, they are imperfect solutions at best.

Machines on the Rise

With any type of phishing event, time is of the essence. That is, the time from identification to enterprise-wide remediation must take seconds to minutes and not hours to days.

With machine learning (ML), algorithms continuously improve at detecting both anomalies and irregular communication patterns based on learned experience, reducing false positives and bolstering proactive defenses. Using a “bottom up approach,” machines can learn every employee mailbox individually, collecting statistics about each sender: not just the volume of email passing through, but the actual correspondent and how the recipient interacts with attachments and links. This approach has proven more thorough than gateway/ISP solutions that rely on volume alone. With local reputation analysis, users can better spot spear-phishing and email spoofing attempts, and their feedback in turn lets the machine learning algorithm get smarter in real time.
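
To make the per-mailbox “bottom up” idea concrete, here is an added example (not IronShield's code or anything from the original post) of a sender-reputation profile that learns one mailbox's correspondence history and then scores a new message for the anomalies CEO fraud relies on. The organisation domain, the look-alike heuristic and the correspondence history are constructed assumptions.

```python
# Added example (not IronShield's code): a per-mailbox sender-reputation model
# in the spirit of the "bottom up" approach above. The organisation domain,
# the look-alike heuristic and the correspondence history are constructed.
from collections import defaultdict
from email.utils import parseaddr

ORG_DOMAIN = "example.com"   # assumed organisation domain
def lookalike(domain: str) -> bool:
    """True if domain imitates ORG_DOMAIN but is not it (e.g. examp1e.com, example-com.net)."""
    if domain == ORG_DOMAIN: return False
    normalised = domain.translate(str.maketrans("10", "lo")).replace("-", "")
    return ORG_DOMAIN.split(".")[0] in normalised

class MailboxProfile:   # learns which (display name, address) pairs one mailbox has seen
    def __init__(self):
        self.addr_count = defaultdict(int)   # address -> messages seen
        self.name_addrs = defaultdict(set)   # display name -> addresses seen with it
    def learn(self, from_header: str) -> None:
        name, addr = (s.lower() for s in parseaddr(from_header))
        self.addr_count[addr] += 1
        if name: self.name_addrs[name].add(addr)
    def score(self, from_header: str, reply_to: str = "") -> list:
        """Return anomaly reasons for a new message; an empty list means it looks normal."""
        name, addr = (s.lower() for s in parseaddr(from_header))
        reasons = []
        if name in self.name_addrs and addr not in self.name_addrs[name]:
            reasons.append("known display name with never-seen address")  # classic CEO impersonation
        if lookalike(addr.rsplit("@", 1)[-1]):
            reasons.append("look-alike of organisation domain")
        if self.addr_count.get(addr, 0) == 0:
            reasons.append("first message from this address")
        if reply_to and parseaddr(reply_to)[1].lower() != addr:
            reasons.append("Reply-To differs from From")
        return reasons
# Constructed history for one mailbox: two mails from the CEO, one from a vendor.
HISTORY = ["Alice CEO <alice@example.com>", "Alice CEO <alice@example.com>",
           "Bob Vendor <bob@vendor-corp.test>"]

def build_profile(history=HISTORY) -> MailboxProfile:
    profile = MailboxProfile()
    for header in history:
        profile.learn(header)
    return profile

def demo() -> dict:
    p = build_profile()
    return {"normal": p.score("Alice CEO <alice@example.com>"),
            "ceo_fraud": p.score("Alice CEO <alice.ceo@webmail.test>", reply_to="Alice <pay@other.test>"),
            "lookalike": p.score("IT Support <helpdesk@examp1e.com>")}
```

A real deployment would feed the reason list into a visual flag in the mail client and into the SOC notification path rather than returning it to a caller.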

In addition, ML can make sure that all the important security-related questions are asked consistently for each and every email landing in an employee mailbox, and can visualize the results for non-tech-savvy employees. That consistency is important to counter the proliferation of CEO fraud and BEC spoofing and impersonation, since those attacks always appear to come from high levels within an organization. Most importantly, whenever ML identifies a malicious email, communication between the machine and people or other technology solutions can occur in real time, triggering automatic responses and/or SOC team notification.

Next week at RSA, we will demo, for the first time, our anti-impersonation and spoofing email security solution. Known as IronShield, the plugin for Microsoft Outlook inspects and analyzes all emails at the mailbox level using deep scans and machine learning. Acting as an employee's virtual security analyst, IronShield automatically validates sender reputation and authenticity, while also assessing behavioral patterns in search of anomalies in communications. All suspicious emails are visually flagged the second they hit the inbox, and a button in the Outlook toolbar enables instant notification of SOC teams for further investigation or immediate remediation.

Want to learn more about how machine learning can thwart email spoofing attacks attempting CEO fraud or BEC? Sign up for a demo at RSA by clicking here.
