Globally, the business email compromise (BEC) landscape has been drastically transformed over the past three years, witnessing a shocking 38% rise in cybercrime-as-a-service activities, reveals a recent report from Microsoft.
The Cyber Signals report, backed by Microsoft’s vast resources of 43 trillion daily security signals and the expertise of 8,500 security professionals, brings to light an alarming increase in cybercriminal exploits surrounding BEC. It underscores the most favored tactics of BEC culprits and outlines comprehensive strategies for businesses to counteract these security threats.
Over the span of one year from April 2022 to April 2023, Microsoft’s Threat Intelligence Center reported a whopping 35 million BEC attempts, an average of 156,000 attempts a day. During the period from 2019 to 2022, there was a significant 38% upswing in cybercrime-as-a-service focusing on business email. An example of such a service is BulletProofLink, which specializes in large-scale malicious email campaigns, offering a complete package from email templates to hosting and automated services for BEC.
Prime targets for BEC attacks include C-suite executives, finance managers, and HR personnel with access to sensitive employee data like social security numbers and tax statements. New hires, who may not readily identify suspicious emails, are also commonly targeted. With BEC attacks in all forms witnessing a steady rise, the most common types of targeted BEC exploits include luring tactics (62.35%), payroll scams (14.87%), invoice fraud (8.29%), gift card deceptions (4.87%), and business information theft (4.4%).
Rather than exploiting device vulnerabilities, BEC fraudsters aim to blend into the vast ocean of daily email exchanges, coaxing victims into divulging financial details or unknowingly transferring funds to fraudulent accounts used for money laundering.
Microsoft suggests a few robust countermeasures against BEC threats. These include harnessing AI-powered cloud defences, implementing advanced phishing protection, and deploying detection of suspicious mail-forwarding rules. It’s also vital for organisations to secure identities and prevent unauthorised access to applications and data with Zero Trust and automated identity governance.
Moreover, companies can minimise fraudulent activities by adopting secure payment platforms, thus moving away from email invoices to a system explicitly built to authenticate transactions. A significant part of the strategy also involves training employees to identify fraudulent and malicious emails, noticing discrepancies in domain and email addresses, and understanding the substantial risks and costs associated with successful BEC attacks.
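As an added illustration of the "discrepancies in domain and email addresses" that the training advice above refers to (this is example code written for this page, not code from the article or from Microsoft's report), the following Python inspects a raw message's headers for three classic BEC indicators: a Reply-To domain that differs from the From domain, a From domain that is a near-lookalike of the organisation's own domain, and a display name that claims an internal address while the real sender is external. The trusted domain example.com, the sample messages and the edit-distance threshold of 2 are all constructed assumptions for the example.

```python
"""Flag common BEC indicators in an e-mail's headers.

Added example, not from the Microsoft report or the article. It checks:
  1. Reply-To domain differing from the From domain (replies get diverted),
  2. a From domain within a small edit distance of a trusted domain
     (e.g. examp1e.com or a domain using confusable non-ASCII letters),
  3. a display name that itself looks like an internal address while the
     real address is external ("ceo@example.com" <someone@elsewhere>).
"""
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organisation's own domain(s).
TRUSTED_DOMAINS = {"example.com"}
# Assumption: how many character edits still count as "looks like ours".
LOOKALIKE_MAX_DISTANCE = 2


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _ascii_fold(s: str) -> str:
    """Decompose accents and drop any non-ASCII character.

    A Cyrillic look-alike letter is simply dropped, which leaves a one-character
    gap that the edit distance then catches; an accented Latin letter loses its
    accent and collapses onto the trusted spelling.
    """
    return unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()


def bec_indicators(raw_message: str) -> list:
    """Return a list of (code, detail) tuples; empty means nothing suspicious."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)
    flags = []

    # 1. Reply-To pointing somewhere other than the apparent sender's domain.
    if reply_addr and _domain(reply_addr) != from_dom:
        flags.append(("reply-to-mismatch",
                      f"Reply-To domain {_domain(reply_addr)} != From domain {from_dom}"))

    if from_dom not in TRUSTED_DOMAINS:
        # 2. Near-lookalike of a trusted domain (typo-squat or confusable glyphs).
        folded = _ascii_fold(from_dom)
        for trusted in TRUSTED_DOMAINS:
            if _edit_distance(folded, trusted) <= LOOKALIKE_MAX_DISTANCE:
                flags.append(("lookalike-domain",
                              f"From domain {from_dom} resembles {trusted}"))
        # 3. Display name impersonating an internal address.
        if _domain(from_name) in TRUSTED_DOMAINS:
            flags.append(("spoofed-display-name",
                          f"display name '{from_name}' claims an internal address "
                          f"but the sender is {from_addr}"))
    return flags


# Constructed sample messages (not real traffic).
SAMPLE_INVOICE_FRAUD = """\
From: "Dana Finance" <dana.finance@examp1e.com>
Reply-To: dana.finance@mail-relay.invalid
To: ap@example.com
Subject: Updated banking details for invoice 4471

Please use the new account on the attached invoice.
"""

SAMPLE_EXEC_IMPERSONATION = """\
From: "ceo@example.com" <urgent.request@external-mail.invalid>
To: hr@example.com
Subject: Need the W-2 summaries today

Send me the employee tax statements as a PDF.
"""

SAMPLE_LEGITIMATE = """\
From: Alice <alice@example.com>
To: bob@example.com
Subject: Lunch?

Noon works for me.
"""

if __name__ == "__main__":
    for name, sample in [("invoice fraud", SAMPLE_INVOICE_FRAUD),
                         ("exec impersonation", SAMPLE_EXEC_IMPERSONATION),
                         ("legitimate", SAMPLE_LEGITIMATE)]:
        print(name, "->", bec_indicators(sample) or "no indicators")
```

The checks are deliberately cheap and header-only, so they can run in a mail-flow rule or a triage script; they complement, rather than replace, SPF/DKIM/DMARC evaluation and the forwarding-rule detection mentioned above, since a genuinely compromised internal mailbox passes all three of these tests.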
Vasu Jakkal, Microsoft’s Corporate Vice President for Security, Compliance, Identity, and Management, emphasised the importance of cross-functional cooperation in tackling the risk of cybercriminal activity. Jakkal called upon IT, compliance and cyber risk officers to join forces with business executives, finance staff, and HR managers in enhancing AI-driven defences and phishing protection, and in training employees to recognise red flags, to avert BEC attacks.
This article is based on information provided by Marketing Interactive.