Last year, the FBI received more than 21,000 complaints about business email fraud, resulting in adjusted losses totaling over $2.7 billion. Unfortunately, this form of cyber attack shows no signs of slowing down. The techniques used in business email compromise (BEC) attacks have become increasingly sophisticated, and the rise of cybercrime-as-a-service (CaaS) has made it easier for threat actors to evade detection. As a result, it is crucial for security teams to stay ahead of these evolving threats and take steps to mitigate the risks of email fraud.
At its core, BEC relies on social engineering to gain trust and manipulate individuals into taking certain actions. Threat actors will often create emails that appear legitimate, complete with logos and designs copied from real organizations. They may use links that download malware, direct users to fake websites, or manipulate them into making financial transactions. Ultimately, the goal is to convince someone to fulfill a request for payment or funds transfer.
To make matters worse, the rise of phishing-as-a-service providers has made it easier for threat actors to launch effective BEC campaigns without needing advanced technical skills. Criminal platforms such as BulletProofLink offer templates, automated services, and hosting platforms specifically for BEC attacks. This accessibility has not only made BEC available to any criminal organization willing to pay, but it has also significantly reduced the time it takes to launch new campaigns.
In a new trend, BEC threat actors are also purchasing residential IP addresses from residential IP services. By doing so, they can mask the origin of their emails and make it more difficult for authorities to track them. This tactic allows them to bypass systems that flag “impossible travel” and perform attacks from multiple locations without raising suspicion. The use of residential IP addresses may become even more prevalent as the specialization and consolidation of the cybercrime economy continues to grow.
To defend against BEC attacks, security teams can implement several key strategies. Firstly, configuring mail systems to flag messages from outside of the enterprise can help identify potential threats. Additionally, enabling alerts about unverified senders and blocking those who cannot be independently identified can further enhance inbox protection. Implementing multifactor authentication can also make it harder for attackers to compromise user emails.
Leveraging secure email platforms that utilize artificial intelligence and machine learning can provide enhanced protection, continuous updates, and centralized management of security policies. Identity and access management systems can be used to control access to an organization’s apps and data, utilizing zero trust principles and automated identity governance. Furthermore, it is crucial to replace emailed invoices with a payment system that authenticates both the payment and the provider, so that a request arriving by email is never by itself sufficient to move money.
Education and empowerment play a significant role in defending against BEC attacks. Regularly training and reminding employees to exercise caution before clicking on suspicious links can reduce the risk of falling victim to BEC scams. Establishing and enforcing policies that require employees to verify payment requests through phone calls instead of clicking on email links can also help prevent fraudulent transfers. By fostering a culture of awareness and reinforcing the potential consequences of a single mistake, organizations can strengthen their defenses against BEC attacks.
Policy and governance are also crucial components of a comprehensive defense against BEC. Implementing Domain-based Message Authentication, Reporting, and Conformance (DMARC) policies can ensure that unauthenticated messages are rejected at the mail server. Updating policies surrounding accounting, internal controls, payroll, and HR can also help employees better handle inbound requests for access, money, or personal information.
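The mail-system controls described above (flagging messages from outside the enterprise, alerting on senders that cannot be authenticated, and rejecting unauthenticated mail under a DMARC policy) can be illustrated with a small inbox-side triage script. The following is an added example and is not code from the original article; it uses only the Python standard library, and the enterprise domain `example.com`, the internal directory, the published DMARC records (standing in for a DNS lookup of `_dmarc.<domain>`) and the three sample messages are all constructed placeholders.

```python
"""Added example (not from the original article): triage inbound mail for the
BEC indicators the text describes. ENTERPRISE_DOMAIN, INTERNAL_DIRECTORY,
PUBLISHED_DMARC and the sample messages are constructed placeholders."""
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List

ENTERPRISE_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
INTERNAL_DIRECTORY = {"Jane Doe": "jane.doe@example.com"}  # constructed directory
# Constructed stand-in for DNS lookups of _dmarc.<domain> TXT records
PUBLISHED_DMARC = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "vendor.test": "v=DMARC1; p=none",
}


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; ...' into a tag dictionary."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def parse_auth_results(header: str) -> Dict[str, str]:
    """Extract method=result pairs (spf, dkim, dmarc) from Authentication-Results.
    The first ';'-separated clause is the authserv-id and is skipped."""
    results: Dict[str, str] = {}
    for clause in header.split(";")[1:]:
        tokens = clause.split()
        if tokens and "=" in tokens[0]:
            method, result = tokens[0].split("=", 1)
            results[method.lower()] = result.lower()
    return results


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: str) -> Dict[str, object]:
    """Return the indicators found in one message and the resulting disposition."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    findings: List[str] = []

    if from_domain != ENTERPRISE_DOMAIN:
        findings.append("external-sender")

    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    authenticated = auth.get("dmarc") == "pass"
    if not authenticated:
        findings.append("dmarc-not-passed")

    # Display name belongs to an internal person but the address does not match
    expected = INTERNAL_DIRECTORY.get(from_name)
    if expected and expected != from_addr.lower():
        findings.append("display-name-impersonation")

    # Replies quietly redirected to a different domain than the visible sender
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("reply-to-domain-mismatch")

    if not authenticated:
        # Apply the policy the From domain itself published; unknown domain -> p=none
        policy = parse_dmarc_record(PUBLISHED_DMARC.get(from_domain, "")).get("p", "none")
        disposition = {"reject": "reject", "quarantine": "quarantine"}.get(policy, "flag")
    elif "display-name-impersonation" in findings or "reply-to-domain-mismatch" in findings:
        disposition = "quarantine"
    elif "external-sender" in findings:
        disposition = "deliver-with-external-banner"
    else:
        disposition = "deliver"
    return {"from": from_addr, "findings": findings, "disposition": disposition}


# Constructed sample messages (headers only)
SPOOFED_INTERNAL = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=attacker.test; dkim=none; dmarc=fail header.from=example.com
Subject: Urgent wire transfer

"""
LOOKALIKE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: <cfo-office@mail.test>
To: accounts@example.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=pass; dmarc=pass header.from=examp1e.com
Subject: Updated bank details

"""
VENDOR = """From: Acme Billing <billing@vendor.test>
To: accounts@example.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=vendor.test; dkim=pass; dmarc=pass header.from=vendor.test
Subject: Invoice 1042

"""

if __name__ == "__main__":
    for sample in (SPOOFED_INTERNAL, LOOKALIKE, VENDOR):
        print(triage(sample))
```

The spoofed internal message fails DMARC and the enterprise publishes `p=reject`, so it is rejected outright; the lookalike domain authenticates (the attacker controls it) and is caught instead by the display-name and Reply-To checks; the genuine vendor invoice is delivered with an external-sender banner, which is the cue for the out-of-band payment verification the article recommends.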
Thwarting BEC threats requires a collective effort from the entire organization. From the C-suite to IT, compliance, and risk management teams, everyone must be vigilant and committed to maintaining a strong defense. With awareness, supported by the right policies and technologies, organizations can effectively protect themselves against the ever-evolving tactics of BEC threat actors. As these techniques continue to evolve, staying proactive and adaptive is crucial in safeguarding sensitive information and financial resources.
