BEC: Just Defend Against Business Email Compromise or Strike Back?

4 min readJul 10, 2019

Editor’s Note: This blog post was originally found on the Agari Email Security blog.

By John Wilson

With losses from business email compromise rising fast, the active defense movement is generating buzz — but what are the ramifications? Why just raise the shield without wielding the sword, too?

Organizations in the United States shouldered over one billion in losses from BEC in the last year alone, so the notion of using active defense measures that strike back at fraudsters seems to be gaining new currency. The term “active defense” describes methods by which organizations hit by spear phishing and other cyber attacks can trace them back to their source. More responsible efforts fall short of “hacking back,” and don’t involve counterstrikes meant to cripple the cybercriminals’ systems. But they can still net some serious results. But what about the danger?

Return to Sender

Agari has been focused on active defense, with multiple reports published on specific cybergangs in the last year. In one instance, researchers for the Agari Cyber Intelligence Division developed responsible active defense techniques that enabled them to puzzle together the perpetrators of a large number of email scams targeting several customers.

Taking care to keep the FBI informed of its effort during this ten-month operation, the Agari team identified 78 criminal email accounts and unmasked 10 international cybercrime organizations. By analyzing the accounts, Agari researchers were able to better understand their tactics, targets, and, in some cases, identify the perpetrators behind these attacks.

Along the way, our researchers warned financial institutions about accounts being used for money laundering and other criminal activities, and provided evidence to law enforcement. In one instance, quick action even helped a company recover its money before it was lost forever.

It’s the kind of technological prowess that’d make even the “Mission Impossible” team proud. But active defense isn’t to be taken lightly. And it can come with some major ramifications.

Social Engineering the Socially-Engineered

The appeal of active defense is understandable, of course — especially given the stakes. Despite billions of dollars of investment and major advances in sophisticated security technology, the vast majority of financial institutions, along with organizations across other industries, remain utterly vulnerable to BEC attacks, which use sophisticated forms of identity deception to impersonate a trusted contact. Through social engineering, cybercriminals use these deception techniques to completely bypass traditional perimeter defenses. There’s no malware to detect, nothing suspicious in the code, nothing unfamiliar in the message.

It’s just that the person on the other end of the email isn’t who they claim to be, and their aim is to lure the recipient into revealing sensitive information or making payments to accounts secretly controlled by the fraudsters. And those actions can come with a steep price tag.

A typical BEC campaign has a success rate of 3.7% and will snare its first victim in just under four minutes. In fact, BEC attacks can score $130,000 or more, according to CNBC. But it can climb much higher — there’s reason to believe that the $80 million heist at the Central Bank of Bangladesh in 2016 started with BEC attacks on low- to mid-level bank employees.

Given the fact that so many data breaches begin with email, BEC and other advanced email threats may figure into as much as $5 trillion in worldwide damages annually. With numbers like these, who wouldn’t want to hit back hard?

Email Fraud in the Danger Zone

Active defense has yet to become a product you can purchase. Instead, it’s an approach — one that falls within a precarious gray zone between hacking back or “offensive cyber” operations and more passive forms of defense such as firewalls, email filters, and so on. Offensive cyber is really meant for nation states hitting back against other nations or non-state actors. Besides the fact that it is illegal for companies to conduct such operations, it’s also a very bad idea.

Because of the sophisticated identity deception employed by today’s criminal networks, it’s very easy to end up targeting an innocent third party with your counterstrikes, including malware meant to take down their operations. Even when successful, it can end up just making the criminals set on waging an all-out war on your organization — creating far more trouble than it’s worth.

Within active defense, however, lies a full spectrum of activities ranging from low-risk efforts that include such things as information sharing, honeypots, and intelligence gathering on the dark web and higher-impact activities that include botnet takedowns, white-hat ransomware, rescue missions to recover assets, and more.

Better still? Avoiding the need for any of this in the first place.

Raising a Better Shield with Better Email Security

All this said, long before considering active defense measures, organizations should have proper protections against business email compromise and other advanced email threats in place.

Yet today, it’s unclear how many organizations are deploying modern machine learning technologies with the kind of modeling and analytics capabilities needed to go beyond email content analysis and sender infrastructure reputation to assess people, relationships and behaviors in order to stop email attacks from ever reaching their targets.

Who knows? As a growing number of organizations raise a more effective shield against BEC, perhaps we’ll all find less need to draw a sword — and more disruptive ways to use it when we do.

To learn more about active defense and its role in stopping the forces behind advanced BEC attacks, download an exclusive report, “Behind the ‘From’ Lines: 10 Cybercriminal Organizations Unmasked.




Agari is the Trusted Email Identity Company™, protecting companies and people from phishing and socially-engineered email attacks.