Fraud Detection: WFH Leading to Increased BEC and Phishing Threats — What To Look For

A lot has changed in the past few weeks. And the percentage of us working from home (WFH) has increased tremendously. With increased WFH, we rely more on email communication, and this increases the opportunities for abuse by others.

One thing that has stayed constant: bad people want to do bad things. As we have seen in the past, when one avenue of attack is restricted, the fraudsters redouble their efforts in other areas, and online fraud attempts are already increasing during our new normal. Some estimates show phishing emails are up 600%, driven by criminals looking to capitalize on the COVID-19 pandemic.

With increased WFH scenarios, and less in-person communication, it is more likely than ever that an employee would receive direction via email. A coworker may also communicate from an outside email address if their computer or network is unavailable. Vendors will likely be communicating via email as those vendors can no longer reach your employees at their office phone numbers. This can lead to users trusting email more than they have in the past.

Business email compromise (BEC) and phishing are both tactics used by fraudsters to trick employees and steal from companies. Your organization is likely looking at incoming attachments for malware but may not be looking for email that leads to fraud. Such emails often have no attachments but may be designed to take users to phishing sites, convince users to wire money, or change an account number for bill payment. It is important to monitor for indicators that can separate these fraudulent emails from legitimate emails.

Splunk Security Essentials is a free download with hundreds of examples that can help you detect suspicious activity. Today we are going to look at a couple of examples that can help detect BEC and phishing. You may already have the data in Splunk, so take a look!

Let’s start by searching the available Security Content by filtering on “email” as a data source:

There are 44 matches returned, but we want to focus on 2 of these:

Emails from Outside the Organization with Company Domains: Phishers will often try to send emails where the “from address” uses your organization's domain name, e.g., emailing finance from

This simple search starts off by returning all events with a source email matching your domain that came from outside. It then creates a row for each IP address with a time range of “first seen” and “last seen.” Anything new (defined here as within 1 day) is considered an outlier.

This simple search should catch emails that pretend to come from within the company. The detected emails are broken down between new and old for easy visibility and action.

Emails with Lookalike Domains: Emailing from a domain name that is similar to your own is a common attack technique, such as receiving an email from This search will detect those similar domains.

This is a slightly more advanced search that relies on “URL Toolbox” (another free Splunk tool on Splunkbase), which uses some well-known mathematical concepts to determine if a domain name looks like your company domain name. This example could also be enhanced to include the URLs of common vendors your company makes payments to, which would help to detect BEC.
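The lookalike check described above, as an added Python example (not the Splunk Security Essentials search or URL Toolbox code): it assumes Levenshtein edit distance as the similarity measure and protects a vendor domain alongside the company domain. The domains, addresses, and the threshold of 2 are constructed for illustration.

```python
# Added example: flag sender domains that are close to, but not equal to,
# a protected domain. All domains and addresses below are constructed.

def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def sender_domain(address: str) -> str:
    """Lower-cased domain part of an address; empty string if malformed."""
    _, sep, domain = address.strip().rpartition("@")
    return domain.lower().rstrip(".") if sep else ""

def find_lookalikes(senders, protected, max_distance=2):
    """Return (sender, closest_protected_domain, distance) for near misses."""
    protected = sorted({d.lower() for d in protected})
    hits = []
    for sender in senders:
        domain = sender_domain(sender)
        if not domain or domain in protected:
            continue  # exact matches are not lookalikes; malformed is skipped
        best = min(protected, key=lambda p: levenshtein(domain, p))
        dist = levenshtein(domain, best)
        if dist <= max_distance:
            hits.append((sender, best, dist))
    return hits

# Company domain plus a vendor the company pays (both constructed).
PROTECTED = ["northwind.example", "payroll-vendor.example"]
SENDERS = [
    "alice@northwind.example",        # legitimate, exact match
    "CFO@NorthWind.example",          # legitimate, differs only in case
    "ceo@northw1nd.example",          # one substituted character
    "ap@northwnid.example",           # two swapped characters
    "billing@payrol-vendor.example",  # one dropped character, vendor domain
    "updates@cloud-host.example",     # unrelated domain
    "no-at-sign",                     # malformed address
]

if __name__ == "__main__":
    for sender, target, dist in find_lookalikes(SENDERS, PROTECTED):
        print(f"{sender} resembles {target} (edit distance {dist})")
```

A fixed threshold produces more false positives on short domains, so tune `max_distance` to the length of the domains you protect.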

In addition to the examples above, other techniques can include comparing the sender name to a list of executive employees’ email addresses; anything coming from an outside or lookalike source pretending to be an executive would receive extra scrutiny.

If you have Splunk today, you can easily add Splunk Security Essentials and find many included examples that can be used for fraud analytics and detection. If you are not using Splunk, then check out a free Splunk Enterprise download first, and then install Splunk Security Essentials on top of that.

Andrew Morris
