Email Security: Introducing Imposter Email Protection Enhancement

14 June, 2021

Impostor/Business Email Compromise (BEC) scams are growing more prevalent as cybercrime incidents rise in number. Financially motivated cyber-criminals are targeting more businesses than ever before. It’s wise to be aware of the different varieties of impostor email threats you might encounter at work.

The terms cyber-criminals use to get your attention in that all-important subject line include tax information, wire transfer and, of course, the term ‘urgent’.

Why is an imposter rule especially dangerous and successful?


 

What is changing and how will it impact me?

In the past month, KAUST was the target of multiple imposter attacks that assumed the identities of senior management. This presented a Business Email Compromise (BEC) risk to the organization and concerned some of the recipients as well as those executives whose identities were assumed. Our defenses are capable of identifying an email as an imposter based on the display name, but the emails were still allowed to be delivered to the intended users. We will be changing our rules, which are currently “Quarantine and continue”, to “Quarantine and discard”. This new rule will result in imposter emails being dropped at the email gateway level. The Targeted Attack Protection (TAP) feature (which we introduced earlier this year) will continue to alert the KAUST Incident Response Team and Email Messaging Team so they can determine whether an email flagged as malicious is a false positive.

What benefits does this provide to me and the Community?

The KAUST Cyber Incident Response Team will be able to proactively stop imposters and fraudulent emails before they are able to target our community. This will also enable us to proactively prevent business email compromise before it takes place.

However, even after implementing this enhancement to automatically detect imposter emails, KAUST advises users to exercise vigilance when it comes to their inbox and to check all email components carefully before replying to an email.

How to identify an imposter email?

There are four main types of imposter email scams:

  1. Spoofed name, whereby the name of the KAUST user is in the ‘From’ field of the email, but the email address is an outside email account belonging to an attacker.
  2. Reply-to spoofing, where the ‘From’ name, email address and ‘Reply to’ name seem legitimate, like those of a KAUST user, but the reply address actually belongs to a cyber-criminal. *
  3. Lookalike domain attack, where the attacker’s ‘From’ email address is close enough to a KAUST email address to fool recipients.
  4. Spoofed sender attack, which uses the name and email address of the spoofed KAUST user, but the email doesn’t contain a ‘Reply to’ address.

    * Our research shows that 75% of these attacks are ‘Reply to’ spoofing scams.
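
The four types above can be told apart from the ‘From’, ‘Reply to’ and authentication headers of a message. The sketch below is an added example, not KAUST's gateway rule; the domain example.edu, the protected-name list, the similarity threshold, the reliance on an Authentication-Results header and the sample headers are all constructed assumptions.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.edu"       # assumption: stands in for the organisation's domain
PROTECTED_NAMES = {"jane doe"}   # assumption: display names of protected executives

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def is_internal(domain):
    return domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)

def is_lookalike(domain):
    # Near-miss of the organisation's domain; 0.85 is an illustrative threshold.
    similar = SequenceMatcher(None, domain, ORG_DOMAIN).ratio() >= 0.85
    return similar and not is_internal(domain)

def classify(raw):
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    reply = parseaddr(msg.get("Reply-To", ""))[1]
    # Assumption: the gateway records its DMARC verdict in Authentication-Results.
    authenticated = "dmarc=pass" in msg.get("Authentication-Results", "").lower()
    from_domain = domain_of(addr)
    if is_internal(from_domain):
        if reply and not is_internal(domain_of(reply)):
            return "reply-to spoofing"      # type 2: replies leave the organisation
        if not authenticated:
            return "spoofed sender"         # type 4: internal address, failed checks
        return "no impostor indicator"
    if is_lookalike(from_domain):
        return "lookalike domain"           # type 3
    if name.strip().lower() in PROTECTED_NAMES:
        return "spoofed name"               # type 1: known name, outside address
    return "no impostor indicator"

def sample(from_, reply_to=None, dmarc="fail"):
    # Builds a constructed message; none of these headers come from a real email.
    lines = [f"From: {from_}", f"Authentication-Results: mx.example.edu; dmarc={dmarc}"]
    if reply_to:
        lines.append(f"Reply-To: {reply_to}")
    return "\n".join(lines) + "\nSubject: Urgent wire transfer\n\nbody\n"

if __name__ == "__main__":
    for raw in (sample("Jane Doe <jd.office@freemail.example>", dmarc="pass"),
                sample("Jane Doe <jane.doe@example.edu>", "Jane Doe <jd@freemail.example>"),
                sample("Jane Doe <jane.doe@examp1e.edu>"),
                sample("Jane Doe <jane.doe@example.edu>")):
        print(classify(raw))
```
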

     

To learn more, please visit us at it.kaust.edu.sa/infosec or reach out to the IT Service Desk.

     

    KAUST IT

    it.kaust.edu.sa

    We make IT happen!