Whitelisting Won’t Protect You From BEC… Here’s Why

Editor’s Note: This blog post was originally found on the Agari Email Security blog.

By Armen Najarian

The 250% increase in business email compromise (BEC) scams over the past year should concern every organization, as should estimates of $26 billion in losses over the last five years from these attacks. While some organizations, sometimes at the urging of their email security provider, consider whitelisting approved senders as a form of protection, this strategy simply will not work in an ever-evolving email landscape.

Executive spoofing, spear phishing, and other advanced email threats have emerged as a critical issue for businesses everywhere, despite being relatively new to the scene. Ninety-two percent of organizations report being hit, with 23% suffering direct financial damage. According to the recent Verizon Data Breach Investigations report, 94 percent of all successful cyberattacks start with email sent to a well-targeted victim — resulting in average losses of $1.6 million. When an attack leads to a data breach, that figure climbs to an average $7 million per incident.

With all of this as a backdrop, it’s easy to see why a security model designed to only allow emails from trusted domains and IP addresses to reach employee inboxes would be tempting. Unfortunately, such whitelisting-based solutions are wishful thinking at best, and actually harmful in many circumstances. Here are just three of the reasons this approach could leave organizations wide open to attack.

#1 DMARC Can Only Do So Much

While DMARC has significant benefits, organizations using this approach must register every last possible permutation of each domain they own. Otherwise, there is nothing to stop fraudsters from registering those domains first, and even setting them up with legitimate DMARC records. Their emails would then be sent from trusted domains, despite being controlled by the fraudsters. It’s not as hard as you may think.

And given that only 17% of the Fortune 500 have a DMARC record that would block illegitimate email from reaching the inbox, whitelisting based strictly on DMARC authentication results would block legitimate mail from the vast majority of established businesses that have yet to implement a DMARC record.
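To make the two objections above concrete, here is a small DMARC record classifier (an added example, not code from the original post or from Agari). The domains and records are constructed, and the lookalike domain "blgcorp.example" stands in for a fraudster-registered permutation: a whitelist keyed on "DMARC exists and passes" drops the established business with no record, yet admits the lookalike that published its own p=reject.

```python
"""Classify DMARC TXT records to show what a DMARC-only whitelist actually tests."""

# Constructed sample records for hypothetical domains (not real DNS data).
SAMPLE_RECORDS = {
    "bigcorp.example": None,  # established business with no _dmarc record yet
    "monitoring.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25",
    "strict.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s",
    "blgcorp.example": "v=DMARC1; p=reject",  # lookalike of bigcorp, registered by a fraudster
}


def parse_dmarc(record):
    """Return the tag=value pairs of a DMARC record, or None if it is not a valid one."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None  # wrong version tag or missing the mandatory policy tag
    return tags


def enforcement_level(record):
    """'none' (no/invalid record), 'monitor' (p=none), 'partial' (pct<100) or 'enforcing'."""
    tags = parse_dmarc(record)
    if tags is None:
        return "none"
    policy = tags["p"].lower()
    if policy == "none":
        return "monitor"  # reports only; spoofed mail is still delivered
    if policy not in ("quarantine", "reject"):
        return "none"
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        return "partial"  # policy applied to only a share of failing mail
    return "enforcing"


def dmarc_only_whitelist(domain, dmarc_pass, records=SAMPLE_RECORDS):
    """Verdict of a whitelist that admits mail only from domains whose DMARC record passes."""
    if enforcement_level(records.get(domain)) == "none":
        return "blocked"  # legitimate but DMARC-less senders are dropped
    return "allowed" if dmarc_pass else "blocked"
```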

#2 You Can’t Just Black Out the Cloud

In these schemes, fraudsters set up free accounts with hosted email providers and simply insert the name of a trusted individual or brand into the “From” field. Since their point of origin is an established and widely used hosted email service, these identity-deception based attacks would fly past whitelisting-based security controls.

What’s more, by exploiting a Gmail feature that enables them to create countless variations of an email address with the same account, cybercrime groups are able to scale their attacks with ease. One international BEC ring we’ve been tracking, for instance, used this approach to register for 14 trial accounts with a commercial sales leads service to collect data for launching new attacks, and to submit 48 credit card applications for at least $65,000 in credit.

And despite the security controls built into hosted email platforms, businesses that have migrated email to the cloud increasingly rank among the hardest hit by BEC. Whitelisting-based approaches could leave businesses wide open to this kind of attack.
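The display-name trick and the Gmail address-variant trick described in this section can both be caught at the receiving end without any sender whitelist. The following is an added example (not code from the original post or from Agari): the protected domain, the directory of known people and the sample From headers are all constructed. It flags a known person's name (or address) used as a display name on mail from outside the corporate domain, and collapses dotted and "+tag" Gmail variants onto the single mailbox behind them.

```python
"""Spot display-name impersonation and collapse Gmail address variants (added example)."""
from email.utils import parseaddr

# Hypothetical protected domain and directory of people attackers like to impersonate.
CORPORATE_DOMAINS = {"bigcorp.example"}
KNOWN_PEOPLE = {"jane doe": "jane.doe@bigcorp.example", "cfo office": "cfo@bigcorp.example"}


def canonical_address(addr):
    """Map Gmail variants (dots in the local part, +tag suffixes) onto one mailbox."""
    local, _, domain = addr.strip().lower().rpartition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def check_from_header(from_header):
    """Return a finding when a known person's name or address appears as the display
    name on a message sent from outside the corporate domains, else None."""
    name, addr = parseaddr(from_header)
    canon = canonical_address(addr)
    domain = canon.rpartition("@")[2]
    key = name.strip().lower()
    # Match either "Jane Doe" or a display name that itself reads jane.doe@bigcorp.example
    expected = KNOWN_PEOPLE.get(key) or (key if key in KNOWN_PEOPLE.values() else None)
    if expected and domain not in CORPORATE_DOMAINS:
        return f"display-name impersonation of {expected} from {canon}"
    return None


def distinct_senders(from_headers):
    """Return the set of real mailboxes behind a batch of From headers."""
    return {canonical_address(parseaddr(h)[1]) for h in from_headers}


# Constructed sample headers: one genuine message and three variants of one free-mail account.
SAMPLE_FROM = [
    '"Jane Doe" <jane.doe@bigcorp.example>',
    '"Jane Doe" <j.ane.doe@gmail.com>',
    '"Jane Doe" <jane.doe+invoice@gmail.com>',
    '"jane.doe@bigcorp.example" <janedoe+wire@googlemail.com>',
]
```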

#3 Low-Tech Strategy Needs High-Tech Defenses

A whitelist is static and would require constant updating to keep pace, using information that only becomes available once an attack has already hit the organization. And putting in measures to combat an attack after it has already happened is akin to stopping a leak once the house has flooded… great for prevention, but unable to fix the current mess.

#4 Compromised Accounts Could Crush You

A key driver for these attacks is the growing availability of stolen email login credentials on the Dark Web. Once a corporate email account has been taken over, cybercriminals have access to all of its owner’s contacts, ongoing email conversations, and historical email archives. In most cases, fraudsters use these compromised email accounts to launch phishing campaigns. Other times, the goal is to fool corporate employees into forking over their own login credentials, which can then be sold online.

In the most sophisticated cons, however, an intruder infiltrates a corporate email account and then lies low, surveilling email messages in order to launch highly personalized attacks on the business’s customers, partners, or employees at just the right moment. In fact, that was the case with at least some of the nine publicly traded companies that recently lost $100 million through BEC scams.

It’s Not the Domain, It’s the Identity

But attackers know how to evade these protections, which is why some organizations take a more modern approach. Agari Advanced Threat Protection, for instance, leverages data science and real-time, anonymized intelligence from 2 trillion emails annually to map email communications across individuals, organizations, and infrastructures in order to model the trusted, authenticated behaviors that define each individual sender’s “good.” When email activity deviates from these established patterns because of impersonated or compromised accounts, businesses are able to detect and protect against these attacks in real time. No whitelisting required.

To learn more, check out a special report from Agari and Osterman Research entitled Best Practices for Protecting Against Phishing, Ransomware, and BEC Attacks.

Agari is the Trusted Email Identity Company™, protecting companies and people from phishing and socially-engineered email attacks.
