Fighting business email compromise requires vigilance and awareness; it’s time to join the discussion.

Business email fraud is accelerating, with attacks becoming much more sophisticated and successful. In its 2022 Internet Crime Report, the FBI cited more than 21,000 business email compromise (BEC) complaints, equivalent to adjusted losses of over $2.7 billion. While ransomware attacks are “noisy” and call a great deal of attention to themselves, BEC attacks are more subtle.

BEC is a confidence game designed around trust and human nature. Bad actors use widely available tools to improve the scale, plausibility, and success rate of malicious emails. This makes BEC attacks hard to fight. Instead of malware attacks exploiting unpatched devices, perpetrators rely on social engineering to get user credentials, financial information, or even con victims into transferring money. Defending against this line of attack takes a combination of technology and human awareness. Here’s what to watch out for, along with steps you can take now to help defend your enterprise.

BEC, an expanding part of the cybercrime economy

The growth of BEC is in no small part due to the growth of cybercrime-as-a-service (CaaS). BEC operators are looking for scale, as the more potential victims they can target, the greater the odds are of success. This is an opportunity for cybercrime platforms such as BulletProftLink, which can generate industrial-scale malicious mail campaigns on demand with an end-to-end service including templates, hosting, and automated mailing, data capture, and reporting. Their customers not only get user credentials but the IP address of victims.

This is a crucial part of the scam: once the operators have their victims’ IP addresses, they can create local proxies that mask the sources. This makes the email look even more convincing—even if the victim is educated and alert to this kind of attack. And because many legitimate businesses regularly use IP/proxy services for research and customer prospecting, targeting information is even more exposed—putting more people at risk, both within enterprises and at home.

Global threats, domestic impact

Armed with localized address details along with usernames and passwords, BEC attackers can obscure their movements, circumvent “impossible travel” flags, and open gateways to conduct further attacks. Microsoft has observed threat actors in Asia and Eastern Europe most frequently deploying this tactic.

Simeon Kakpovi, a Microsoft Senior Threat Intelligence Analyst, leads a team tracking more than 30 Iranian cybercrime groups. He says that the key trait they all share is tenacity. Social engineering takes patience, but building relationships over time can pay off by getting victims to lower their guard and ignore security alerts. The result: targeted users click the links in emails from those trusted sources, leading to malware and spyware downloads, credential theft, and compromised data.

Just what motivates Iranian threat actors varies. Some, such as Mint Sandstorm, target both government and commercial organizations, including U.S. critical infrastructure such as seaports and energy companies. Others, including Crimson Sandstorm, use fake social media accounts and spear-phishing to infiltrate Defense Industrial Base firms, giving them access to the DoD’s supply chain.

Still other threat actors, whether representing nation-states or criminal organizations, use BEC to target C-suite and financial leaders in commercial firms to gain access to systems or steal credentials. This can lead to IP exfiltration or money transfers, both of which can cost companies millions of dollars or more. Long-term damage can include identity theft and reputational harm, both of which can take a great deal of time to repair.

But even with an ever-more sophisticated set of adversaries, organizations can act to help protect themselves from BEC.

Pushing back against BEC: Steps to take now

Email isn’t going away; it’s foundational to business, and the volume keeps growing daily, along with the threats. Fighting BEC requires vigilance and awareness. Here are five key actions enterprises can take:

  1. Use a secure email solution: Today’s email cloud platforms use AI and machine learning capabilities to advance phishing protection and suspicious forwarding detection. Cloud apps for email and productivity also provide continuous, automatic software updates and centralized management of security policies.
  2. Maximize security settings: Set your email system to flag messages sent from external addresses and notify when senders are not verified.
  3. Enable strong authentication: Turn on multifactor authentication. This limits the risk of compromised credentials and brute-force login attempts, regardless of the address space attackers use.
  4. Secure identities to prohibit lateral movement: Protecting identities is a key pillar to combating BEC. Control access to apps and data with Zero Trust and automated identity governance.
  5. Adopt a secure payment platform: Consider switching from emailed invoices to a system specifically designed to authenticate payments.

Your users are a critical part of your defenses against BEC. Educate them to spot the warning signs, such as a mismatch in domain and email addresses. Teach them to block and report senders if they can’t verify their identities—and to make a phone call to confirm, especially for financial transactions. And be sure to let them know the risk and costs of a successful attack.
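Step 2 above (flag external and unverified senders) and the warning sign users are taught to spot (a mismatch between the display name and the real sending domain) can both be expressed as header checks. The following is an added example, not code from the article or from Microsoft: it parses an inbound message with Python’s standard `email` package and reports findings a mail gateway or a help-desk triage script would surface. The organization domain `example.com`, the lookalike `exarnple.com`, the two sample messages and the confusable-character table are all constructed for the example.

```python
"""Flag external, lookalike and unverified senders from raw mail headers (constructed example)."""
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# The organization's own mail domains (assumed value for this example).
ORG_DOMAINS = {"example.com"}

# Visually confusable substitutions often used in lookalike domains ("rn" reads as "m").
_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def _normalize(domain: str) -> str:
    """Collapse confusable sequences so a lookalike maps onto the domain it imitates."""
    d = domain.lower()
    for seq, repl in _CONFUSABLES:
        d = d.replace(seq, repl)
    return d


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _auth_passed(msg) -> bool:
    """True only if Authentication-Results shows SPF, DKIM and DMARC all passing."""
    results = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    return all(re.search(rf"\b{m}=pass\b", results, re.I) for m in ("spf", "dkim", "dmarc"))


def analyze(raw: str) -> list[str]:
    """Return the list of BEC warning signs found in the message headers."""
    msg = Parser(policy=policy.default).parsestr(raw)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(addr)
    findings = []

    if from_dom not in ORG_DOMAINS:
        findings.append("external-sender")
        # An external domain that normalizes to one of ours is a lookalike.
        if _normalize(from_dom) in {_normalize(d) for d in ORG_DOMAINS}:
            findings.append("lookalike-domain")

    # Display name shows an internal address while the real sender is external.
    m = re.search(r"[\w.+-]+@[\w.-]+", name)
    if m and _domain(m.group()) in ORG_DOMAINS and from_dom not in ORG_DOMAINS:
        findings.append("display-name-spoof")

    # Replies silently redirected to a different domain than the visible sender.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and _domain(reply) != from_dom:
        findings.append("reply-to-mismatch")

    if not _auth_passed(msg):
        findings.append("sender-not-verified")

    return findings


# Constructed sample messages: one routine internal mail, one BEC-style request.
LEGIT = """From: Alice Finance <alice@example.com>
To: bob@example.com
Subject: Q3 invoice
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Bob, the Q3 invoice is attached.
"""

SUSPECT = """From: "alice@example.com" <alice@exarnple.com>
Reply-To: alice.finance@mail-relay.test
To: bob@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=none; dkim=none; dmarc=fail header.from=exarnple.com

Bob, please process the wire today; I'm in meetings and can't take calls.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("suspect", SUSPECT)):
        print(label, analyze(raw) or ["no findings"])
```

Each finding maps to one of the article’s controls: `external-sender` and `sender-not-verified` are the subject-line tags from step 2, `lookalike-domain` and `display-name-spoof` are the domain mismatch users are trained to notice, and `reply-to-mismatch` is the usual tell that a reply will never reach the person named in the From line. Authentication is checked by requiring all three of SPF, DKIM and DMARC to pass; a missing header counts as unverified, which is the safe default for a finance mailbox.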

For more information on the latest cyberthreat insights, visit Microsoft Security Insider.

Copyright © 2023 IDG Communications, Inc.