Business email compromise (BEC), a type of phishing attack, has surged in the last few years, with threat actors increasingly leveraging cybercrime-as-a-service (CaaS) to carry out malicious activities. Between 2019 and 2022, there was a 38% increase in cybercrime-as-a-service (CaaS) targeting business email, according to Microsoft’s latest Cyber Signals report. CaaS is a service model in which threat actors sell their services and tools to other criminals.
The Microsoft report said that CaaS platforms like BulletProftLink have become a popular choice among BEC attackers. These platforms offer services for creating industrial-scale malicious mail campaigns, including templates, hosting, and automated services for BEC. Adversaries using these CaaS platforms can also obtain IP addresses to help guide BEC targeting.
As per Microsoft Threat Intelligence, between April 2022 and April 2023, there were 35 million BEC attempts, with an adjusted average of 156,000 attempts daily.
BEC, a phishing attack that targets organisations in particular, can be carried out through several channels, such as phone calls, text messages, emails, and social media. Threat actors often spoof authentication request messages or impersonate genuine users to carry out BEC.
BEC operators exploit the large volume of daily email traffic and messages to extract financial information or to prompt direct actions (such as fraudulent money transfers). This kind of attack stands out because it relies on contrived deadlines and urgency to distract recipients. BEC attackers focus on tools that improve the scale, plausibility, and inbox success rate of their malicious messages.
“BEC attacks offer a great example of why cyber risk needs to be addressed in a cross-functional way with IT, compliance and cyber risk officers at the table alongside business executives and leaders, finance employees, human resource managers and others with access to employee records. While we must enhance existing defenses through AI capabilities and phishing protection, enterprises also need to train employees to spot warning signs to prevent BEC attacks,” said Vasu Jakkal, corporate vice president, security, compliance, identity, and management at Microsoft.
Further, CaaS providers like BulletProftLink also offer Internet Computer blockchain nodes to create sophisticated decentralised web offerings that are harder to identify, making takedown actions more complex.
These BEC attacks cost companies hundreds of millions of dollars every year. In 2022, the US’ Federal Bureau of Investigation investigated 2,838 BEC complaints with potential losses of more than $590 million. To protect an organisation from such attacks, Microsoft suggests steps such as using secure email solutions, securing identities to stop lateral movement, adopting a secure payment platform, and training employees.