Spike in cybercriminal activity related to business email compromises highlighted in Microsoft Cyber Signals report

Microsoft has released a report, Cyber Signals, highlighting a surge in cybercriminal activity around business email compromise (BEC). Microsoft Threat Intelligence registered an average of 156,000 attempts per day from April 2022 to April 2023, and observed a 38% increase in Cybercrime-as-a-Service targeting business email between 2019 and 2022. Instead of exploiting vulnerabilities in devices, BEC operators exploit email traffic to lure victims into making fraudulent transactions. Threat actors have created specialized tools, such as phishing kits and verified email address lists, to facilitate BEC. Companies must take a cross-functional approach to address cyber risk, boost their defenses with AI capabilities, and train employees to recognize warning signs. They should also leverage cloud apps that add advanced functionality for phishing protection and suspicious transfer detection. Moreover, the adoption of a secure payment platform can simplify invoice authentication.


Microsoft’s Corporate Vice President of Security, Compliance, Identity and Management, Vasu Jakkal, said that companies should protect identities to prevent lateral movement by controlling access to apps and data with Zero Trust and automated identity governance. Furthermore, firms must educate their employees to recognize fraudulent emails and understand the potential risks and costs associated with a successful BEC attack. Microsoft strongly urges companies to read the fourth edition of Cyber Signals to learn more about the BEC threat and to visit the Microsoft Security website and the Microsoft Security Blog for expert input on security issues.
