Business email compromise (BEC) refers to email attacks that carry no payload: no attachment and no malicious link. Despite the many variants, attackers use BEC to penetrate organizations through two main mechanisms: spoofing (impersonation) and account takeover.

In a recent study, 71% of organizations admitted to having encountered a BEC attack in the past year. 43% of organizations had experienced a security incident in the past 12 months, and 35% of organizations reported that more than 50% of those incidents were BEC or phishing attacks.

The FBI Internet Crime Complaint Center (IC3) reported that BEC fraud was the costliest category of cybercrime in 2020, with 19,369 complaints and adjusted losses of about 1.8 billion US dollars. Recent BEC attacks include the spoofing attack on Shark Tank host Barbara Corcoran, which cost $380,000; Puerto Rico, whose losses reached 4 million US dollars; and the Japanese media giant Nikkei, which transferred $29 million in response to a fraudulent email.

To prevent BEC attacks, organizations must focus on four things: a more stringent transfer process, data security, employee training and technology.

A more stringent transfer process

Every organization's finance department has a spending authorization policy that establishes clear approval levels for any expenditure or payment from the company's assets.

Although every expenditure or payment should already be part of the approved budget, the policy gives the finance department a tool to ensure that each payment is authorized by the correct individual or individuals.

In some cases the company's CEO or president is given unlimited authority to approve payments. Attackers know this, which is why they spoof senior executives' email accounts.

Given the current threat landscape, the finance department should reassess this policy and develop a stricter process. This may mean that major expenditures paid by check, wire transfer or any other channel must be verified as legitimate before payment, and the policy should also specify how electronic authorization is obtained.

For example, if someone in the finance department receives a payment request by email from the CEO, the person handling the request must follow company policy to obtain additional approval, including emailing a pre-approved distribution list for electronic approval and confirming the request by phone. The amount of the expenditure determines who may sign and co-sign, based on the organization's risk appetite.
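The approval process described above, written out as a small policy check. This is an added example, not code from the original article; the approver addresses, the tier thresholds and the role names are constructed placeholders that an organization would replace with its own policy.

```python
# Added example (not from the original article): a minimal payment-approval
# check modelling the stricter process described above. The approver list,
# the tier thresholds and the role names are constructed placeholders.
from dataclasses import dataclass, field

# Pre-approved signers per role (constructed sample data).
APPROVERS = {
    "manager": {"alice@example.com"},
    "cfo": {"bob@example.com"},
    "board": {"carol@example.com", "dave@example.com"},
}

# Tiers ordered from highest threshold down: (threshold, roles that must sign).
# An amount at or above a threshold needs a signature from every listed role.
TIERS = [
    (100_000, ("manager", "cfo", "board")),
    (10_000, ("manager", "cfo")),
    (0, ("manager",)),
]


@dataclass
class PaymentRequest:
    requested_by: str                 # who sent the request, e.g. the "CEO"
    amount: float
    signatures: set = field(default_factory=set)  # addresses that signed
    phone_confirmed: bool = False     # out-of-band callback completed?


def required_roles(amount: float) -> tuple:
    """Map an amount to the roles that must sign it."""
    for threshold, roles in TIERS:
        if amount >= threshold:
            return roles
    return TIERS[-1][1]


def evaluate(req: PaymentRequest) -> list:
    """Return the list of unmet conditions; an empty list means approved.
    The sender's identity never shortens the list: a request "from the CEO"
    is checked exactly like any other, which is what defeats a spoofed email."""
    problems = []
    if not req.phone_confirmed:
        problems.append("no phone confirmation with requester")
    for role in required_roles(req.amount):
        if not (APPROVERS[role] & req.signatures):
            problems.append(f"missing {role} signature")
    # Separation of duties: the requester can never approve their own request.
    if req.requested_by in req.signatures:
        problems.append("requester cannot approve own request")
    return problems
```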

As a member of the IT team, the security lead should talk to the finance department and explain how BEC and other spoofing attacks happen. Present real examples of recent BEC attacks and brainstorm together so that the company adopts more targeted ways of blocking them. Based on those examples, the finance department should re-evaluate its current policies with spoofing and BEC in mind.

Data security

In recent months, extended detection and response (XDR) has become a prominent topic among security vendors and analysts. As with most traditional SIEM deployments, early XDR customers have struggled to balance investment against output. In fact, most companies have not fully considered the cost of the data collection and analysis that some vendors' XDR solutions require. This section looks at these challenges in detail and considers how SentinelOne changes the picture by addressing the biggest and most complicated obstacle to XDR: large-scale data management.

Data is growing exponentially. IDC predicts that by 2025 the total volume of data stored worldwide will reach 175 ZB, more than 5 times the 33 ZB of 2018. For anyone still counting in gigabytes, 1 ZB equals 1 trillion GB. But how does this data break down, and how much of it can be used to make better security decisions that protect companies from targeted attacks? Of the predicted 175 ZB, roughly 85% will sit in enterprise or public cloud storage. More importantly, IDC predicts that up to 30% of the data will be telemetry from endpoints and Internet-connected devices. For companies hoping to improve their security posture by using this rich data, that is both a huge challenge and an opportunity. Data by itself is useless; it must be processed and analysed to become information. By the same reasoning, information only becomes knowledge when meaningful links are drawn between multiple pieces of information and the result is placed in an operational context. Data without context is therefore often redundant.

Effective data management. Today most companies generate a great deal of data, including activity logs from users, devices, applications and sensors. Nothing of importance happens without leaving a corresponding record. That record usually takes the form of a log or event: a transactional message describing entities, operations, attributes and possibly response conditions. Other forms of telemetry include simple metrics such as sampled or summarized measurements. Experience in information security tells us that even the most mundane, flat dataset may be relevant in some way to the scope of an investigation or to detecting malicious activity. SentinelOne Singularity ActiveEDR/XDR uses its patented Storyline technology to stitch disparate security events into a single timeline and attack visualization, mapping attacker behaviour to MITRE ATT&CK techniques and attributes wherever possible.

Employee training

All company employees must be trained on what cyber attacks look like, what to do and what not to do, and this training must be ongoing because the threat landscape changes so quickly.

People in the finance department, and anyone else with authority to release funds in any form, should receive training on BEC and other spoofing attacks.

It is important to emphasize that there are many forms of email purporting to come from senior managers. They are often "urgent" requests, sometimes sent a few minutes before close of business, demanding immediate payment. With this training, combined with every employee complying with the spending authorization policy, the company should be able to prevent BEC attacks.

Many companies buy insurance to cover BEC losses, but no organization can be certain the carrier will pay. For example, the trading firm Virtu Financial lost $6.9 million in a BEC scam, but its insurer AXIS Insurance refused to pay, claiming that "unauthorized access to Virtu's computer system was not the direct cause of the loss; rather, it was the behavior of Virtu employees, who believed the 'spoofed' email requesting the transfer of funds was genuine."

Virtu Financial has filed a complaint against AXIS Insurance, alleging breach of contract for denying the cyber attack claim.

Technology

Next-generation email security technology can help prevent every kind of email threat, including spam, phishing, BEC and follow-on attacks, advanced persistent threats (APTs) and zero-day exploits.

These types of solutions include:

An anti-spam engine that blocks malicious communication through anti-spam and reputation-based filters.

An anti-phishing engine that detects malicious URLs and stops any type of phishing attack before it reaches end users.

An anti-spoofing engine that stops payload-less attacks such as spoofing, look-alike domains and display-name spoofing.

Anti-evasion technology that detects hidden malicious content by recursively unpacking content into smaller units (files and URLs) and then dynamically inspecting them with multiple engines within seconds.

Machine intelligence (MI) and natural language processing (NLP) that examine content and context, for example by identifying an unusual writing style, keywords that may indicate malicious activity, or a strange IP address, geolocation or time of sending, in order to stop advanced threats and zero-day attacks.

Ad hoc email analysis for end users, so they can identify a suspicious email before acting rashly.

End-user context, which tags emails with customizable banners based on policies and rules, giving end users extra context and improving their security awareness.
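Two of the payload-less techniques listed above, display-name spoofing and look-alike domains, can be caught with simple header checks. This is an added example, not code from the original article or from any vendor product; the company domain, the executive list, the homoglyph table and the sample From headers are constructed placeholders, and the edit-distance threshold would be tuned per organization.

```python
# Added example (not from the original article): classify a From header for
# display-name spoofing and look-alike domains. COMPANY_DOMAIN, EXECUTIVES and
# the homoglyph substitutions are constructed placeholders.
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"
# Display name (lower-cased) -> the executive's real address.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
# Common visual substitutions seen in look-alike domains (constructed subset).
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"))


def normalize(domain: str) -> str:
    """Fold look-alike character sequences back to their plain form."""
    d = domain.lower()
    for bad, good in HOMOGLYPHS:
        d = d.replace(bad, good)
    return d


def edit_distance(a: str, b: str) -> int:
    """Standard Levenshtein distance, used to catch near-miss domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(from_header: str) -> str:
    """Return one of: display-name-spoof, lookalike-domain, internal, external."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    key = name.strip().lower()
    # An executive's name on an address that is not theirs is the classic BEC lure,
    # whether the address is external or a different internal mailbox.
    if key in EXECUTIVES and addr != EXECUTIVES[key]:
        return "display-name-spoof"
    if domain == COMPANY_DOMAIN:
        return "internal"
    if normalize(domain) == COMPANY_DOMAIN or edit_distance(domain, COMPANY_DOMAIN) <= 2:
        return "lookalike-domain"
    return "external"
```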

The solution should also be able to detect and block spoofing and account takeover attacks, in which an attacker gains access to a legitimate email account and tries to move further into the network.

This article is translated from: