Microsoft has published new findings that email attacks are not only becoming more destructive, but also harder to detect.
According to the company’s Cyber Signals report, in 2018 the number of business email compromise (BEC) attacks that businesses face every day reached 156,000, an increase of 38% compared to 2019.
During a BEC attack, the cybercriminal impersonates a high-ranking official in the organization (for example, the CFO or similar) and tries to use that authority to get an employee (for example, someone from the finance department) to transfer funds quickly and quietly. Often, the “CFO” will say that the company is finalizing a competitor’s buyout, a process that must be kept secret, and will ask the employee to “urgently” transfer the funds.
Millions in losses
The results are devastating, with companies losing millions of dollars in fraudulent transactions. Microsoft cited a recent UK government report on the cost of cybercrime, which found that these attacks cost the country’s economy around £27bn a year. The National Fraud Intelligence Bureau (NFIB) received more than 40,000 reports from victim organizations between April 2022 and 2023. These companies appear to have lost more than £2.2 billion in that time.
In addition, the effects of an incident will be felt in the following months and years in the form of identity theft and data leaks.
BEC has grown in popularity recently, prompting some cybercriminals to facilitate this practice through various services. Some Cybercrime as a Service (CaaS) operators may share victims’ credentials and IP addresses, allowing cybercriminals to easily launch Business Email Compromise (BEC) campaigns that are harder to detect and disrupt.
With CaaS, malicious actors can buy entire business packages on the dark web that provide them with everything they need to carry out a successful attack, the company concluded.
“BEC attacks are a great example of why cyber risk needs to be addressed in an interdisciplinary way, involving IT, compliance and employee records such as social security numbers, tax returns, contact information and schedules,” noted Vasu Jakkal, VP of Security, Compliance, Identity and Governance at Microsoft.