Microsoft Reports Rise in Cybercriminal Activity Targeting Business Emails

Businesses have more reason to beef up their cybersecurity systems as more threats continue to arise.

According to Microsoft Threat Intelligence's fourth Cyber Signals report, there has been a rise in criminal activity targeting business emails in the last few years. The software giant's network of security experts and researchers found that there were over 35 million business email compromise (BEC) attempts between April 2022 and April 2023. That's an average of 156,000 attempts per day.

They also observed a 38% increase in Cybercrime-as-a-Service targeting business email between 2019 and 2022. A service called BulletProftLink, for example, creates industrial-scale malicious email campaigns and sells them to threat actors packaged with everything they need to launch the attack, including templates, hosting and automated services for BEC.

Microsoft warns that BEC attacks can take many forms, ranging from phone calls, text messages, emails or even a ring on social media. These types of attack rely on security vulnerabilities or unpatched devices, rather they exploit day-to-day email traffic within businesses to deceive victims into parting with their financial information, among other sensitive data.

But the software giant assures businesses that there are methods to combat such threats, despite the existence of specialised tools that facilitate BEC like phishing kits and lists of verified email addresses for targeting C-Suite leaders.

"BEC attacks offer a great example of why cyber risk needs to be addressed in a cross-functional way with IT, compliance and cyber risk officers at the table alongside business executives and leaders, finance employees, human resource managers and others with access to employee records," said Mr Vasu Jakkal, Corporate Vice President of Security, Compliance, Identity and Management at Microsoft.

"While we must enhance existing defences through AI capabilities and phishing protection, enterprises also need to train employees to spot warning signs to prevent BEC attacks," he added.

He recommends businesses employ the help of cloud apps that leverage artificial intelligence (AI) capabilities to strengthen defences, which include advanced phishing protection and suspicious forwarding detection. They additionally should secure the identities of their employees by controlling access to apps and data. Also, they should adopt a secure payment platform to reduce the risk of fraudulent activity by switching from emailed invoices to a system specifically designed to authenticate payments.

The Federal Bureau of Investigation (FBI) found that there were more than 21,000 reported complaints of BEC in the U.S. in 2022, with adjusted losses totaling over US$2.7 billion.

• Microsoft reports there has been a rise in criminal activity targeting business emails in the last few years.

• The software giant's network of security experts and researchers found that there were over 35 million business email compromise (BEC) attempts between April 2022 and April 2023.

• They also observed a 38% increase in Cybercrime-as-a-Service targeting business email between 2019 and 2022.