How to identify a potential fraudulent domain in a Business Email Compromise (BEC) scam

Identifying a potentially fraudulent domain in a Business Email Compromise (BEC) scam is crucial for protecting your organization from financial loss and reputational damage. Here are several steps and indicators to help you recognize such domains:

1. Examine the Domain Name

  • Look for Misspellings: Scammers often create domains that closely resemble legitimate ones but contain slight variations, such as missing letters, extra characters, or typos (e.g., example.com vs. examp1e.com).
  • Check for Unusual Extensions: Be cautious of domains that use less common top-level domains (e.g., .xyz, .top, .info) where the legitimate organization uses .com, .org, or .net. A trusted name copied under a different TLD (example.com vs. example.xyz) is a common BEC pattern because the name itself looks right at a glance.
  • Analyze Length and Complexity: Fraudulent domains may be unusually long, complex, or made up of random letters, making them difficult to remember.
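
The checks in this section can be scripted against a list of domains you trust. The following Python script is an added example (it is not code from the original page or from URL Forensics) that screens a candidate sender domain for a trusted name under a different TLD, homoglyph digits (examp1e), transpositions (exmaple), added tokens (example-invoices) and a trusted name buried in a subdomain (example.com.evil.xyz). The trusted list, the TLD list and the homoglyph table are constructed assumptions that an organization would replace with its own.

```python
"""Lookalike-domain screening for BEC triage.

Added example; not code from the original page or from URL Forensics. The
trusted list, TLD list and homoglyph table are constructed assumptions.
"""
from difflib import SequenceMatcher

# Constructed: the organisation's own domain and one known supplier.
TRUSTED = ["example.com", "acme-supplier.com"]

# TLDs that deserve a closer look (the page names .xyz, .top and .info).
SUSPICIOUS_TLDS = {"xyz", "top", "info"}

# Characters and digraphs that pass for a letter in many fonts.
HOMOGLYPHS = {"1": "l", "0": "o", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# difflib similarity (0..1) above which two names count as near-matches.
NEAR_MATCH = 0.8


def normalise(domain: str) -> str:
    """Lower-case, strip a trailing dot and convert IDN labels to punycode so a
    Unicode homograph shows up as an xn-- label instead of hiding in the name."""
    d = domain.strip().lower().rstrip(".")
    return d.encode("idna").decode("ascii")


def fold(label: str) -> str:
    """Replace common homoglyphs with the letter they imitate."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def registrable(domain: str):
    """Split into (second-level label, TLD). Assumption: a real deployment
    would consult the Public Suffix List so that co.uk-style suffixes work."""
    labels = domain.split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def lookalike_findings(candidate: str, trusted=TRUSTED) -> list:
    """Return human-readable reasons the domain resembles a trusted one;
    an empty list means it is either trusted itself or unrelated."""
    domain = normalise(candidate)
    labels = domain.split(".")
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return []                      # the real domain, or a subdomain of it
    findings = []
    if any(lbl.startswith("xn--") for lbl in labels):
        findings.append("internationalised (punycode) label")
    sld, tld = registrable(domain)
    if tld in SUSPICIOUS_TLDS:
        findings.append(f"unusual TLD .{tld}")
    for good in trusted:
        g_sld, _ = registrable(good)
        if sld == g_sld:
            findings.append(f"same name as {good} under .{tld}")
        elif fold(sld) == g_sld:
            findings.append(f"homoglyph substitution for {good}")
        elif SequenceMatcher(None, sld, g_sld).ratio() >= NEAR_MATCH:
            findings.append(f"near-match for {good} (typo or transposition)")
        elif g_sld in sld:
            findings.append(f"embeds {good} with extra tokens")
        if g_sld in labels[:-2]:
            findings.append(f"{good} used as a subdomain of {sld}.{tld}")
    return findings


if __name__ == "__main__":
    # Constructed sender domains, as they might appear in From headers.
    for d in ["example.com", "mail.example.com", "examp1e.com", "exmaple.com",
              "example.xyz", "example-invoices.com", "example.com.evil.xyz",
              "ex\u0430mple.com", "unrelated.org"]:
        print(f"{d:24s} {lookalike_findings(d) or 'OK'}")
```

The homoglyph folding is deliberately crude: "rn" to "m" will also rewrite legitimate names such as "turner", so treat the output as a triage signal to be confirmed by the WHOIS and header checks below, not as a verdict.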

2. WHOIS Lookup

  • Check Registrant Information: Use a WHOIS lookup tool such as URL Forensics to obtain details about the domain owner. Look for:
    • Inconsistent Information: The registrant's name, email address, or organization does not match known contacts or the legitimate business.
    • Privacy Protection Services: While privacy protection is common, be cautious if the information is completely obscured or if the same protection service is used across multiple suspicious domains.

3. Analyze Email Headers

  • Review the Return-Path: Compare the Return-Path address (the envelope sender) in the email headers with the domain in the visible From header, and do the same for Reply-To. A mismatch is not proof of fraud on its own (bulk and list mail differ routinely), but in a BEC message it usually means replies are being routed to an address the attacker controls.
  • Examine SPF/DKIM/DMARC Results: Read the Authentication-Results header added by your own receiving mail server. SPF (Sender Policy Framework) verifies that the sending server is authorized for the envelope-sender domain, DKIM (DomainKeys Identified Mail) verifies a signature made with the signing domain's key, and DMARC checks that the domain that passed SPF or DKIM aligns with the domain in the From header. A lookalike domain the attacker registered can have perfectly valid SPF and DKIM records of its own, so a "pass" only confirms that the mail really came from that domain, not that the domain is the one you think it is. The SPF record of the domain under investigation can be found in the URL Forensics report if it is valid. https://urlforensics.com/
  • Look for Red Flags in the Header: An unusual originating IP address in the Received chain, or discrepancies between the From, Reply-To and Return-Path domains, can indicate spoofing.
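
The header checks in this section can be scripted. The following Python example is added here (it is not code from the original page or from URL Forensics) and parses a constructed message to compare the From, Reply-To and Return-Path domains and to read the SPF, DKIM and DMARC verdicts from an Authentication-Results header. The point it makes is that SPF and DKIM can both pass for the attacker's own infrastructure; what matters is whether the authenticated domains align with the From domain and what DMARC concluded. The two sample messages and the domains in them are constructed.

```python
"""Header alignment check for a suspected BEC message.

Added example; not code from the original page or from URL Forensics. Both
raw messages below are constructed for illustration.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed BEC-style message: visible From is a lookalike domain, the
# envelope sender and DKIM signer are a third domain, and DMARC failed.
SAMPLE = """\
Return-Path: <bounce@mailer-svc.net>
Received: from mailer-svc.net (mailer-svc.net [203.0.113.10])
Authentication-Results: mx.example.com;
  spf=pass smtp.mailfrom=mailer-svc.net;
  dkim=pass header.d=mailer-svc.net;
  dmarc=fail header.from=examp1e.com
From: "CFO" <cfo@examp1e.com>
Reply-To: <cfo.private@mailbox-relay.org>
To: ap@example.com
Subject: URGENT wire before 5pm

Please process the attached invoice today.
"""

# Constructed legitimate message for contrast: everything aligns.
CLEAN = """\
Return-Path: <cfo@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: cfo@example.com
To: ap@example.com
Subject: Q3 numbers

Attached.
"""


def domain_of(addr_header) -> str:
    """Lower-cased domain of an address header, or '' if the header is absent."""
    _, addr = parseaddr(str(addr_header or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_results(msg) -> dict:
    """Extract spf/dkim/dmarc verdicts and the domains they were evaluated
    against from Authentication-Results (RFC 8601) headers."""
    out = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method in ("spf", "dkim", "dmarc"):
            m = re.search(rf"\b{method}=(\w+)", hdr)
            if m:
                out[method] = m.group(1).lower()
        for key in ("smtp.mailfrom", "header.d", "header.from"):
            m = re.search(rf"{re.escape(key)}=([\w.-]+)", hdr)
            if m:
                out[key] = m.group(1).lower()
    return out


def triage(raw: str) -> dict:
    """Compare sender-related domains and authentication results; return the
    extracted values plus a list of human-readable flags."""
    msg = message_from_string(raw, policy=default)
    from_d = domain_of(msg["From"])
    reply_d = domain_of(msg["Reply-To"])
    rp_d = domain_of(msg["Return-Path"])
    ar = auth_results(msg)
    flags = []
    if rp_d and rp_d != from_d:
        flags.append(f"Return-Path domain {rp_d} differs from From domain {from_d}")
    if reply_d and reply_d != from_d:
        flags.append(f"Reply-To domain {reply_d} differs from From domain {from_d}")
    # A pass is only meaningful if the authenticated domain is the From domain.
    if ar.get("spf") == "pass" and ar.get("smtp.mailfrom") != from_d:
        flags.append(f"SPF passed for {ar.get('smtp.mailfrom', '?')}, not for {from_d}")
    if ar.get("dkim") == "pass" and ar.get("header.d") != from_d:
        flags.append(f"DKIM signed by {ar.get('header.d', '?')}, not by {from_d}")
    if ar.get("dmarc") != "pass":
        flags.append(f"DMARC result: {ar.get('dmarc', 'absent')}")
    return {"from": from_d, "return_path": rp_d, "reply_to": reply_d,
            "auth": ar, "flags": flags}


if __name__ == "__main__":
    for name, raw in (("suspect", SAMPLE), ("clean", CLEAN)):
        result = triage(raw)
        print(name, result["from"], result["flags"] or "no flags")
```

Only trust Authentication-Results headers that your own MTA added (identified by its authserv-id, mx.example.com in the sample); an attacker can include forged ones further down the header stack, and your gateway should strip those on receipt.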

4. Cross-Reference with Known Threats

  • Utilize Blacklists: Check the domain against known blacklists or databases that track fraudulent domains associated with BEC scams and other cybercrimes.
  • Leverage Threat Intelligence Services: Use cybersecurity tools that provide threat intelligence to identify and report on suspicious domains.

5. Investigate the Hosting Provider

  • Check the Hosting Provider: Research the domain’s hosting provider. Reputable businesses are typically hosted by well-known providers. Fraudulent domains may be hosted on servers with poor reputations.
  • Check Domain Age: Scammers often register domains shortly before using them and for the shortest available term. A creation date only days or weeks before the first email is a strong signal, and a registration that expires soon suggests the registrant has no long-term stake in the name.

6. Search for Online Reputation

  • Conduct a Web Search: Perform a search on the domain name to see if it has been associated with scams or fraud. Look for reviews, complaints, or alerts.
  • Social Media Presence: Check for the domain's presence on social media. A legitimate business usually has a consistent and professional online presence.

7. Monitor Communication Patterns

  • Analyze Email Content: Pay attention to the tone, urgency, and language used in emails. Phishing attempts often use high-pressure tactics or urgent language.
  • Verify Unusual Requests: If an email requests sensitive information or financial transactions, confirm the request through a trusted communication channel.

8. Implement Multi-Factor Authentication (MFA)

  • Enhance Security Measures: Use MFA for sensitive accounts to add an extra layer of protection, making it more difficult for attackers to gain access.

A toolset for domain checks is available to security professionals:

URL Forensics is a toolset for investigating fraudulent or suspected website domains. It analyzes URL data and identifies the IP address, hosting provider, email servers, domain creation date, registrant information, and DMARC and SPF records. It is a forensic toolset for investigation and incident response teams that can create reports and track changes on domains. https://urlforensics.com/