• Business email fraud continues to rise, with losses exceeding $2.7 billion, as more than 21,000 complaints were filed with the Federal Bureau of Investigation (FBI).
• In 2022, the FBI's Recovery Asset Team initiated financial fraud investigations for 2,838 BEC complaints involving domestic transactions, potentially totalling over $590 million in losses.
• Microsoft's Digital Crime Unit reported 38% increase in business email attacks between 2019 and 2022.
• Between April 2022 and April 2023, Microsoft Threat Intelligence detected 35 million BEC attempts annually and 156,000 attempts daily.
• The Microsoft Digital Crimes Unit blocked 417,678 unique phishing URLs between May 2022 and April 2023.

Evolution of cybercriminal tactics

Cybercriminals specialising in BEC attacks have embraced increasingly sophisticated tools and techniques, making them more formidable adversaries. One notable tactic involves exploiting residential Internet Protocol (IP) addresses to circumvent "impossible journey" warnings that flag suspicious login attempts. This detection alerts organisations when a user account is accessed from two different geographical locations simultaneously, a clear sign of compromise.

Criminals often turn to phishing services, including Evil Proxy, Naked Pages, and Caffeine to launch phishing campaigns and obtain compromised credentials. However, the BulletProftLink platform takes this to an industrial scale, providing cybercriminals with a decentralised gateway design, end-to-end BEC services, and access to templates, hosting, automated BEC services, credentials, and IP addresses. To further obscure their actions, criminals acquire IP addresses corresponding to the victim's location from residential IP services, enabling them to bypass "impossible journey" warnings effectively.

Successful BEC attacks have far-reaching consequences, costing organisations hundreds of millions annually. Beyond the financial impact, the aftermath includes long-term damage from identity theft and the loss of sensitive data. Notably, BEC attacks predominantly target executives, senior leaders, finance managers, and human resources staff with access to valuable employee records, such as Social Security numbers and tax statements. Common BEC tactics encompass payroll manipulation, fraudulent invoices, gift card scams, and the pilfering of critical business information.

The industrialisation of localised IP address space for BEC attacks introduces new risks as attackers exploit the opportunity to route malicious emails through addresses near their targets. This tactic enhances the adaptability of BEC attacks, making them even more challenging to thwart.

Defending Against Email Fraud

Vigilance and awareness are pivotal in safeguarding against email fraud. Organisations can employ several strategies to defend against BEC attacks, including:

• Utilising mailbox protection security settings to flag external messages, enable notifications for unverified senders, and block emails from unknown sources.
• Implementing multi-factor authentication (MFA), requiring additional verification, such as a PIN or fingerprint, in addition to passwords, or choosing password-less technology.
• Embracing identity protection with Zero Trust principles and automated identity management.
• Leveraging secure email cloud platforms with enhanced threat detection capabilities.
• Utilising secure payment platforms for payment authentication.
• Training staff to recognise malicious emails and establishing clear guidelines for the authentication process.
• Implementing a domain-based message authentication, reporting, and compliance (DMARC) "reject" policy, which provides robust protection against email spoofing.
• Validating the policies of departments like accounting, internal audit, payroll, and human resources regarding payment, banking, and remittance change requests.

The battle against email fraud is ongoing, with cybercriminals constantly evolving their tactics. However, with vigilance, education, and the proper security measures, organisations can reduce their vulnerability and defend against the rising tide of email scams. Choose the Noventiq team of experts to achieve the highest level of email security for your organisation.