Google combats BEC fraud with Gmail ‘unintended external reply’ warnings

Google can’t stop fraudsters spoofing company email messages, but Gmail will now warn G Suite users if they attempt to reply to one of these messages.    

BEC or business email compromise fraud has exposed businesses worldwide to about $5 billion in losses over the past three years, according to the FBI. The scam has affected most industries, including Silicon Valley giants. Even Google and Facebook lost $100 million to one scammer who’d posed as a representative of a Taiwanese hardware supplier. 

BEC scammers create a look-alike company email domain or spoof the exact domain of the targeted company. The attack doesn’t contain a malicious attachment, but rather instructions, supposedly from a senior officer, to a subordinate to wire funds to, say, a supplier. If the recipient of the scam email is using a mobile device, it’s likely they won’t even see the full address, increasing the chances of the scammer’s success. 

As of today, business Gmail users may get a last chance to dodge the BEC bullet if G Suite admins enable a feature called ‘unintended external reply warning’. For now, Google is shipping it switched off by default, though any company already burned by BEC fraud may be inclined to enable it.

The security feature is rolling out over the next few days and will automate one of the FBI’s key steps to preventing spoofed email accounts triggering a conversation that may result in a misdirected wire transaction.

As the FBI emphasized in a recent advisory, users likely to be targeted by BEC fraud should never use the “Reply” button to respond to business e-mails, but instead use the “Forward” option, which doesn't pre-fill the recipient’s address. The user then must type in the correct email address or pick one from their address book. 

While it may be an effective method of cutting fraudsters out of an email thread, it’s also likely an inconvenience to users who, under daily work pressures, may also forget the procedure.

Google will take some of the load out of this precautionary step by displaying a warning beneath the reply address whenever that address meets two key conditions.

The extra defense kicks in when a user hits reply to a message in Gmail. Before the message is sent, Google will scan addresses in the To, Cc, and Bcc recipient list. The warning will only be displayed if the recipient is not from the organization and also not in the user’s Contacts. 

The warning will not be displayed when users email one of the company’s subdomains. Also, the user can dismiss the warning and proceed with the reply if they intended to send the message, which in turn results in that particular recipient being whitelisted for future replies.
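The decision rule described above is simple to state but has edge cases worth seeing in code: a look-alike domain must be flagged, a genuine subdomain must not, a domain that merely begins with the company’s name (such as example.com.evil.net) must still count as external, and a dismissed warning must not reappear for that recipient. The following is an added illustration written for this article, not Google’s code; the organisation domain example.com, the contact list and the recipient addresses are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Iterable


def is_internal(address: str, org_domain: str) -> bool:
    """True if the address belongs to the organisation's domain or any subdomain of it.

    Matching is done on the domain part after '@', case-insensitively, and a
    subdomain must end with '.' + org_domain so that 'example.com.evil.net'
    is not mistaken for an internal address.
    """
    domain = address.rsplit("@", 1)[-1].strip().lower()
    org = org_domain.strip().lower()
    return domain == org or domain.endswith("." + org)


@dataclass
class UnintendedReplyGuard:
    """Models the two conditions the article describes for showing the warning."""

    org_domain: str
    contacts: set[str]                                  # user's address book (lower-cased)
    whitelist: set[str] = field(default_factory=set)    # recipients the user has already confirmed

    def recipients_to_warn(self, to: Iterable[str], cc: Iterable[str], bcc: Iterable[str]) -> list[str]:
        """Return the recipients that should trigger the warning, in the order seen.

        A recipient is flagged only if it is (1) not in the organisation (including
        subdomains) and (2) not in the user's Contacts; previously dismissed
        recipients are treated as accepted.
        """
        flagged: list[str] = []
        for raw in (*to, *cc, *bcc):
            addr = raw.strip().lower()
            if is_internal(addr, self.org_domain):
                continue
            if addr in self.contacts or addr in self.whitelist:
                continue
            if addr not in flagged:
                flagged.append(addr)
        return flagged

    def dismiss(self, address: str) -> None:
        """User chose to send anyway: remember the recipient so the warning is not repeated."""
        self.whitelist.add(address.strip().lower())


def demo() -> dict[str, list[str]]:
    """Run the guard over a few constructed reply scenarios and return what would be flagged."""
    guard = UnintendedReplyGuard(
        org_domain="example.com",
        contacts={"vendor@supplier.net"},   # constructed contact
    )
    results = {
        # genuine subdomain plus a known contact: nothing to warn about
        "internal_and_contact": guard.recipients_to_warn(
            ["it@mail.example.com"], ["vendor@supplier.net"], []
        ),
        # look-alike domain in Cc: must be flagged
        "lookalike": guard.recipients_to_warn(
            ["boss@example.com"], ["Boss@examp1e.com"], []
        ),
        # domain that only starts with the org name: still external
        "prefix_trick": guard.recipients_to_warn(
            [], [], ["finance@example.com.evil.net"]
        ),
    }
    # the user dismisses the look-alike warning once; it is then whitelisted
    guard.dismiss("boss@examp1e.com")
    results["after_dismiss"] = guard.recipients_to_warn(["boss@examp1e.com"], [], [])
    return results


if __name__ == "__main__":
    for scenario, flagged in demo().items():
        print(f"{scenario}: {flagged}")
```

Note that the whitelist is keyed on the exact address, so a later reply to a second look-alike address is still caught; the dismissal only silences the one recipient the user explicitly accepted.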

Admins can use the G Suite console to manage the unintended external reply warning feature, which is launching switched off by default.

Microsoft has also, since early last year, been boosting defenses against BEC fraud through its Exchange Online Protection (EOP) email filtering service for Office 365. Similarly, EOP examines messages that appear to have been sent internally, relying on reputation checks and machine learning to analyze data about the sender and flag potentially spoofed email.

The new BEC prevention feature was announced today along with new Gmail protections for consumers against phishing and malicious attachments that could be used to deliver an exploit, ransomware or other malware. 

Google says it’s correlating spam signals with attachment and sender heuristics to predict messages containing new malware. It’s also continuing to develop the machine learning model behind its early phishing detection system, which delays select messages for analysis. This works in conjunction with Google’s Safe Browsing technology, which tests suspicious links.
