Introduction
The FBI’s recent IC3 report [1] revealed that total losses from Business Email Compromise (BEC) scams in 2024 amounted to $2.7 billion USD. The success of these scams lies in their ability to exploit trust and instill a sense of urgency, making it difficult for recipients to question the legitimacy of the requests. As the FBI's report shows, falling victim can lead to significant financial losses and severe reputational damage for a business.
The BEC Attack Strategy: A Perfect Storm of Deception
In one of our deployments, NACE™ successfully intercepted an invoice scam that, if left undetected, would have resulted in a $47,706 USD loss. In this incident, a company received an email appearing to come from a senior executive, containing a fraudulent $47,706 invoice along with fabricated prior correspondence between the executive and the scammer.
This blog post delves into the intricate details of the scam and explains how NACE™ successfully detected and thwarted this attack—while shedding light on effective defense mechanisms to mitigate such threats.
Analyzing the Attack
The Business Email Compromise (BEC) attack described involves several strategic elements designed to deceive and manipulate the recipient into acting on a fraudulent request:
Fig. 1: Screenshot of Email
Fraudulent Invoice: The Final Touch
The email included a W-9 form and a detailed invoice with Automated Clearing House (ACH) information. Both the invoice and the W-9 contained details about a legitimate business that the scammers were trying to impersonate, further solidifying their deception.
Fig. 2: Attached Fraudulent Invoice
NACE™ Detection Approach
This email was flagged as malicious by the Inception Cyber Neural Analysis and Correlation Engine (NACE™), which analyzes the text in the body and attachments of emails to understand their deeper meaning, i.e., the intent of the email. Instead of relying solely on static indicators like sender domain or URL reputation, NACE™ focuses on identifying the underlying purpose of an email, making intent recognition a core feature in its decision-making process.
Semantic Analysis: Unveiling Intent
The semantic analysis revealed several indicators that acted as a feature set in detecting this BEC attack:
Suspicious Indicators Extracted from Invoice
Executive impersonation: The email was impersonating a C-Level Executive.
The contextual relationship between the email headers and intent aided NACE™ in classifying the email as an invoice scam.
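The correlation described above, where inferred intent is weighed together with header-derived signals, can be illustrated in Python. This is an added example, not NACE™ code: a keyword matcher stands in for the intent models, and the protected domain, executive name, signal names and sample messages are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical values for illustration; none come from the original post.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe"}
PAYMENT_TERMS = {"invoice", "ach", "wire", "payment", "w-9", "remit"}

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def header_signals(msg):
    """Header features: executive name on an outside address, Reply-To pivot."""
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    signals = set()
    if name.strip().lower() in EXECUTIVES and domain(from_addr) != ORG_DOMAIN:
        signals.add("exec_display_name_external_sender")
    if reply_addr and domain(reply_addr) != domain(from_addr):
        signals.add("reply_to_domain_mismatch")
    return signals

def payment_intent(msg):
    """Keyword stand-in for a trained intent model: two or more payment terms."""
    text = f"{msg.get('Subject', '')} {msg.get_payload()}".lower()
    tokens = set(re.findall(r"[a-z0-9-]+", text))  # whole tokens, so "each" != "ach"
    return len(tokens & PAYMENT_TERMS) >= 2

def classify(raw):
    msg = message_from_string(raw)
    signals = header_signals(msg)
    # Flag only when payment intent and a header anomaly occur together.
    hit = payment_intent(msg) and bool(signals)
    return ("suspected_invoice_scam" if hit else "no_bec_signal", sorted(signals))

# Constructed sample messages (not taken from the incident in the post).
SCAM = ("From: Jane Doe <jane.doe@example.net>\nReply-To: accounts@example.org\n"
        "Subject: Fwd: Invoice due\n\nPlease process the attached invoice via ACH. W-9 attached.\n")
INTERNAL = ("From: Jane Doe <jane.doe@example.com>\nSubject: Invoice approval\n\n"
            "Approved: please schedule payment of the vendor invoice.\n")
CHAT = "From: Jane Doe <jane@example.net>\nSubject: Lunch\n\nRunning late, see you at noon.\n"

if __name__ == "__main__":
    for label, raw in (("scam", SCAM), ("internal", INTERNAL), ("chat", CHAT)):
        print(label, classify(raw))
```

The internal payment request and the off-topic external message each trip only one side of the check, so neither is flagged; only the message with both payment intent and a header anomaly is.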
Conclusion
Business Email Compromise (BEC) attacks are a growing concern for organizations of all sizes, as they exploit human trust and technological vulnerabilities with alarming success. The tactics used in these attacks, including fabricated email threads, impersonation of high-level executives, and fake invoices, can make it difficult to distinguish between legitimate and malicious requests.
The Inception Cyber Neural Analysis and Correlation Engine (NACE™) employs a comprehensive multimodal, semantic-aware zero-trust approach to detect BEC messages. It integrates multiple deep learning models to identify anomalous BEC signals from both the email body and any attachments. Additional features are extracted from SMTP headers, creating a rich, header-based feature set. The system processes the email body text through a suite of deep learning algorithms to determine topics, tone, sentiment, tactics, and the email’s intent or call-to-action. This is achieved using a combination of zero-shot classification with LLMs, semantic similarity analysis, and specialized pre-trained and fine-tuned transformer models for classification and natural language understanding—whether content is generated by a human threat actor or AI. The contextual relationship between the inferred intent and SMTP header signals further strengthens BEC detection.
Reference