Microsoft’s latest Cyber Signals report reveals a sharp increase in cybercriminal activity targeting business email compromise (BEC) and provides valuable insights into the tactics employed by BEC operators. The report, which draws on Microsoft’s vast cybersecurity intelligence and the analysis of 35 million BEC attempts detected between April 2022 and April 2023, sheds light on the growing threat landscape and offers recommendations to help enterprises defend against these attacks.
According to the report, BEC operators have increasingly targeted business email systems, with an average of 156,000 BEC attempts detected daily. Microsoft also noted a significant 38% increase in Cybercrime-as-a-Service offerings aimed at exploiting business email, including services such as BulletProftLink, which facilitates industrial-scale malicious mail campaigns by providing end-to-end solutions for BEC attacks.
Why it matters
BEC operators have shifted their focus from exploiting device vulnerabilities to leveraging the sheer volume of daily email traffic. These operators employ various deceptive methods, including phishing, phone calls, text messages, emails, and social media outreach, to trick victims into divulging sensitive financial information or facilitating fraudulent money transfers. As such, mitigating the risks associated with BEC attacks has become an urgent priority for businesses.
What you can do
To address this growing threat, enterprises are advised to take proactive measures to preempt attacks and mitigate risks. Vasu Jakkal, Corporate Vice President of Security, Compliance, Identity, and Management at Microsoft, emphasized the need for a cross-functional approach to cybersecurity, involving IT, compliance, cyber risk officers, and business executives. Jakkal suggests enhancing existing defenses through AI capabilities, implementing advanced phishing protection, and training employees to recognize warning signs and prevent BEC attacks.
Continuous employee education is another vital aspect emphasized in the report, as it equips employees with the knowledge to identify fraudulent and malicious emails. Training should include recognizing domain and email address mismatches, as well as understanding the potential risks and costs associated with successful BEC attacks.