Cybercriminals Targeting Business Emails, Detected Over 1.5 Lakh Attempts Daily: Microsoft
Microsoft on Friday revealed that it detected and investigated 35 million Business Email Compromise (BEC) attempts with an average of 1,56,000 attempts daily between April 2022 and April 2023.
BEC attempts can take many forms such as phone calls, text messages, e-mails, or social media outreach. Successful BEC attacks cost organisations hundreds of millions of dollars annually.
The tech giant said it observed an increase in sophistication and tactics by threat actors specialising in business email compromise (BEC), including leveraging residential internet protocol (IP) addresses to make attack campaigns appear locally generated.
This new tactic is helping criminals further monetise Cybercrime-as-a-Service (CaaS) and has caught federal law enforcement’s attention because it allows cybercriminals to evade “impossible travel” alerts used to identify and block anomalous login attempts and other suspicious activity
In its report, Microsoft said it observed a 38 per cent increase in Cybercrime-as-a-Service targeting business email between 2019 and 2022.
Business email fraud continues to rise, with the US Federal Bureau of Investigation (FBI) reporting more than 21,000 complaints with adjusted losses over USD 2.7 billion. In 2022, the FBI’s Recovery Asset Team initiated the Financial Fraud Kill Chain on 2,838 BEC complaints involving domestic transactions with potential losses of over USD 590 million.
Microsoft said instead of exploiting vulnerabilities in unpatched devices, BEC operators seek to exploit the daily sea of e-mail traffic and other messages to lure victims into providing financial information or taking direct action like unknowingly sending funds to money mule accounts that help criminals perform fraudulent money transfers.
To protect against BEC attacks, businesses should leverage cloud apps that utilise AI capabilities to enhance defenses, adding advanced phishing protection and suspicious forwarding detection. Crucially, businesses need to secure identities to prohibit lateral movement by controlling access to apps and data with Zero Trust and automated identity governance, recommended Microsoft.
In a statement, Vasu Jakkal, corporate vice president, security, compliance, identity, and management at Microsoft said, “While we must enhance existing defenses through AI capabilities and phishing protection, enterprises also need to train employees to spot warning signs to prevent BEC attacks.”