Rise of the digital con artists: Microsoft unravels the surge in email fraud

Rise of digital con artists: Microsoft unravels the surge in email fraud

  • Cybercrime-as-a-Service’s business email targeting saw a 38% uptick from 2019 to 2022.
  • Between April 2022 to April 2023, Microsoft’s Threat Intelligence scrutinized a daily average of 156,000 business email compromise attempts, tallying up to 35 million.

In an era dominated by digital communication, the issue of business email fraud has emerged as a pressing concern. The Federal Bureau of Investigation (FBI) has reported a worrying escalation in cybercrime, with over 21,000 complaints and associated financial losses exceeding US$2.7 billion. Further complicating the situation is the growing sophistication of attack methodologies.

Organizations like Microsoft have reported an increase in the complexity of tactics used by cybercriminals specializing in business email compromise (BEC). A notable instance is the strategic use of residential Internet Protocol (IP) addresses to lend a veneer of local authenticity to their malicious campaigns.

This cunning strategy has significantly bolstered the profitability of Cybercrime-as-a-Service (CaaS), aiding criminals in amassing ill-gotten gains. Moreover, it has drawn the attention of federal law enforcement agencies.

Microsoft’s recently published fourth edition of Cyber Signals spotlights an alarming increase in cybercriminal activities, specifically around BEC. The report also delves into the commonly adopted strategies by BEC operators and suggests how enterprises can protect against these threats.

The proliferation of cybercrime, specifically targeting BEC, is a rapidly escalating concern. Microsoft has noted a significant rise in the use of platforms such as BulletProftLink, a service renowned for assisting in creating large-scale malicious email campaigns. This CaaS provider offers a comprehensive service package, including templates, hosting, and automation, ultimately furnishing adversaries with victim credentials and IP addresses.

The unseen facilitator of large-scale email fraud attacks

The financial repercussions of successful Business Email Compromise (BEC) attacks can be astronomical for organizations, often leading to losses in the hundreds of millions of dollars each year. To put this into context, the FBI’s Recovery Asset Team handled as many as 2,838 BEC complaints in the year 2022 alone. These complaints, associated with domestic transactions, projected potential losses that exceeded a staggering US$590 million.

This worrying trend and other vital insights are detailed in this edition of Cyber Signals, a cyber threat intelligence brief that illuminates security trends using data derived from Microsoft’s 43 trillion daily security signals and insights from its team of 8,500 security experts. Some important data include:

  • From April 2022 to April 2023, Microsoft Threat Intelligence detected and investigated 35 million BEC attempts, averaging 156,000 daily attempts.
  • Microsoft observed a 38% increase in the targeting of business emails via CaaS between 2019 and 2023, primarily attributed to BulletProftLink, a service specializing in large-scale malicious email campaigns.

BEC operators adeptly exploit the vast daily volume of email and other message traffic. They aim to trick individuals into revealing sensitive financial information or even unknowingly transferring funds to fraudulent accounts. These methods can take many forms, including phone calls, text messages, emails, and social media outreach.

These cybercriminals have developed specialized tools to facilitate their deceptive practices, including phishing kits and verified email address lists, targeting high-value individuals like C-suite executives and accounts payable leads. However, enterprises are not defenseless and can adopt proactive strategies to fend off attacks and minimize risks.

Vasu Jakkal, Corporate Vice President, Security, Compliance, Identity, and Management at Microsoft, emphasizes that addressing cyber risk needs to be a cross-functional effort, involving IT, compliance, cyber risk officers, business executives, finance employees, human resource managers, and others with access to employee records. “To effectively counter BEC attacks, we need to enhance our defenses through AI capabilities and phishing protection, while simultaneously educating employees to recognize the tell-tale signs of these attacks,” she states.

How enterprises can mount a robust defense against BEC attacks

To combat BEC attacks, businesses should harness cloud applications that utilize AI capabilities to enhance defense, including the integration of advanced phishing protection and suspicious forwarding detection mechanisms. Businesses must prioritize identity security to prevent unauthorized access and lateral movement. This can be achieved by implementing a zero trust approach and automated identity governance to regulate access to apps and data.

Moreover, transitioning to a secure payment platform can significantly mitigate the risk of fraudulent activity, switching away from emailed invoices to a system specifically designed for payment authentication.

Lastly, continuous employee education is of paramount importance. Staff should be equipped to spot potentially fraudulent or malicious emails—for example, identifying discrepancies between domain and email addresses—and be aware of the potential risks and financial implications of successful BEC attacks. The continuous education and awareness of employees can play a vital role in safeguarding the organization from such cyber threats.