Detection of Business Email Compromise Attacks with Writing Style Analysis

  • Conference paper
Mobile Internet Security (MobiSec 2021)

Abstract

Phishing scams have long been used to obtain sensitive information via email. Recently, scammers have increasingly been using spear-phishing to target corporate employees; this type of attack is called Business Email Compromise (BEC). The problem of BEC attacks is highly relevant to mobile networks, as mobile users are much more vulnerable to such attacks than regular users. The main methods of detecting BEC attacks are considered and compared. It is demonstrated that the most promising approach for detecting BEC attacks is a combined analysis of email headers, email content, and the author's writing style with machine learning algorithms. A BEC-attack detection method based on this analysis is proposed, and its decomposed functional model is presented. The feature space includes writing-style features (word 3-grams); the day of the week and time at which the email was sent; the email's urgency features; and email header features. To evaluate the accuracy of BEC-attack detection, experiments were carried out on datasets containing emails in Russian and English. The experiments showed that the best accuracy is achieved with word n-grams and LSVC with a feature scaling method for emails in Russian and English.

The research is supported by the grant of RSF 21-71-20078 in SPC RAS.
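The feature space listed in the abstract can be illustrated with a small extractor. This is an added example, not code from the paper: the urgency vocabulary, the Reply-To/From domain-mismatch header feature, and the sample message are assumptions made here, since the abstract names the feature groups without detailing them.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Assumed urgency vocabulary; the abstract names "urgency features" without listing them.
URGENCY_TERMS = {"urgent", "urgently", "immediately", "asap", "today", "now"}

# Constructed sample message (not from the paper's datasets).
SAMPLE = """\
From: "Jane Doe (CEO)" <jane.doe@example.com>
Reply-To: jane.doe@example-mail.net
To: accounts@example.com
Date: Sat, 17 Jul 2021 23:41:00 +0000
Subject: Urgent wire transfer

Please process the wire transfer today. I need it done immediately,
I am in a meeting and cannot talk. Please process the wire transfer now.
"""

def domain(header_value):
    """Lower-cased domain of the address in a header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def extract_features(raw):
    """Map one raw email to a sparse feature dict (name -> numeric value)."""
    msg = message_from_string(raw)
    text = (msg["Subject"] or "") + " " + msg.get_payload()
    words = [w.lower() for w in re.findall(r"\w+", text)]
    # Writing-style features: counts of word 3-grams.
    trigrams = Counter(" ".join(words[i:i + 3]) for i in range(len(words) - 2))
    sent = parsedate_to_datetime(msg["Date"])
    feats = {
        "weekday": sent.weekday(),   # 0 = Monday ... 6 = Sunday
        "hour": sent.hour,
        "urgency_terms": sum(w in URGENCY_TERMS for w in words),
        # Assumed header feature: Reply-To domain differs from From domain.
        "reply_to_mismatch": int(bool(msg["Reply-To"])
                                 and domain(msg["Reply-To"]) != domain(msg["From"])),
    }
    feats.update({"3g:" + g: n for g, n in trigrams.items()})
    return feats

if __name__ == "__main__":
    for name, value in sorted(extract_features(SAMPLE).items()):
        print(name, value)
```

Dicts of this shape, built per sender from known-legitimate mail, would then be vectorized, scaled, and passed to a classifier such as the LSVC the abstract reports as most accurate.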

Corresponding author

Correspondence to Alisa Vorobeva.

Copyright information

© 2022 Springer Nature Singapore Pte Ltd.

About this paper

Cite this paper

Vorobeva, A., Khisaeva, G., Zakoldaev, D., Kotenko, I. (2022). Detection of Business Email Compromise Attacks with Writing Style Analysis. In: You, I., Kim, H., Youn, TY., Palmieri, F., Kotenko, I. (eds) Mobile Internet Security. MobiSec 2021. Communications in Computer and Information Science, vol 1544. Springer, Singapore. https://doi.org/10.1007/978-981-16-9576-6_18

  • DOI: https://doi.org/10.1007/978-981-16-9576-6_18

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-16-9575-9

  • Online ISBN: 978-981-16-9576-6

  • eBook Packages: Computer Science, Computer Science (R0)
