Business Email Compromise-as-a-Service Emerges as Attempted Fraud Soars to as High as $6 Million

BEC scammers set their sights on payoffs in the millions of dollars, and are following the path of their ransomware counterparts by evolving services while organizations struggle to keep up.

It shouldn’t come as a surprise (if you’ve been following the evolution of cybercrime) that we’re now seeing cybercriminal gangs looking for additional ways to elevate their own work into a service that can be utilized by others. We saw ransomware-as-a-service grow in popularity over the last two years; it should be expected that other types of cybercrime would follow suit.

In an interview with ZDNet, Jen Miller-Osborn, Deputy Director of Threat Intelligence for Palo Alto’s Unit 42, highlights how BEC is taking the same path as ransomware:

“Similar to ransomware, we’re seeing an increasing number of attackers getting into BEC, and we’re also seeing it mature into — like Ransomware-as-a-service — BEC-as-a-service. They’re becoming more tech-savvy. They’ve been in the commodity space and are starting to include publicly disclosed vulnerabilities. They’re becoming more professional.”

According to an analysis of BEC attacks since 2020 by Unit 42, the average wire fraud attempted was $567,000 with the highest at over $6 million. Because these attacks are almost exclusively email-based, Unit 42 offers some best practices for mitigating such attacks, including:

  • Use of multi-factor authentication – both Microsoft and Google offer MFA for their email platforms. Requiring MFA shuts down an attacker’s ability to keep continual access to a victim account with stolen credentials alone.
  • Disabling client-side forwarding – attackers who gain access to a mailbox commonly create forwarding rules so that sensitive intel found in emails is automatically sent to them. Because client-side forwarding gives the threat actor that capability, it is a prime candidate for disabling.
  • Logging and Event Monitoring – watching for unusually high administrative or user activity within email platforms and finance applications can help identify potential fraud.
  • Security Awareness Training – even Unit 42 says “end-users are commonly the weakest link in security incidents.” Educating them on phishing tactics, campaigns, and themes helps users instantly spot content designed to trick them into giving up credentials.
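As an added example (not from the original article or from Unit 42), the following Python flags mailbox rule changes that forward mail outside the organization, tying together the forwarding and event-monitoring bullets above. The log records are constructed to approximate the shape of Microsoft 365 unified audit log entries; the field names, addresses and domains are assumptions.

```python
import json
import re

# Constructed sample records approximating Microsoft 365 unified audit log
# entries for mailbox changes. The shape (Operation, UserId, Parameters as
# Name/Value pairs) follows Exchange mailbox auditing; all values are invented.
SAMPLE_LOG = [
    '{"Operation":"New-InboxRule","UserId":"alice@example.com","Parameters":[{"Name":"Name","Value":"Receipts"},{"Name":"ForwardTo","Value":"drop@evil-example.net"},{"Name":"DeleteMessage","Value":"True"}]}',
    '{"Operation":"Set-InboxRule","UserId":"bob@example.com","Parameters":[{"Name":"ForwardTo","Value":"Carol Finance <carol@example.com>"}]}',
    '{"Operation":"Set-Mailbox","UserId":"carol@example.com","Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:finance-ap@evil-example.net"}]}',
    '{"Operation":"MailItemsAccessed","UserId":"dave@example.com","Parameters":[]}',
]

INTERNAL_DOMAINS = {"example.com"}  # assumed tenant domains
# Operations that can set up auto-forwarding once a mailbox is compromised.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
# Parameters of those operations that send a copy of mail somewhere else.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")

def extract_addresses(value):
    """Pull addresses out of 'smtp:addr', 'Name <addr>' or ';'-separated lists."""
    return [m.lower() for m in EMAIL_RE.findall(value)]

def is_external(address, internal_domains):
    return address.rsplit("@", 1)[-1] not in internal_domains

def find_suspicious_forwarding(lines, internal_domains):
    """Return one finding per rule change that forwards mail outside the tenant."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        targets = {a for name in FORWARD_PARAMS if name in params
                   for a in extract_addresses(params[name])
                   if is_external(a, internal_domains)}
        if targets:
            findings.append({
                "user": rec["UserId"],
                "operation": rec["Operation"],
                "targets": sorted(targets),
                # A rule that also deletes the original hides the theft from the owner.
                "deletes_original": params.get("DeleteMessage", "").lower() == "true",
            })
    return findings
```

Running `find_suspicious_forwarding(SAMPLE_LOG, INTERNAL_DOMAINS)` flags alice’s and carol’s changes and ignores bob’s internal forward and dave’s unrelated access event.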

This article originally appeared on the KnowBe4 website.

Stu Sjouwerman
About the Author
Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4 Inc, a provider of the most popular Security Awareness Training and Simulated Phishing platform. A serial entrepreneur and data security expert with more than 30 years in the IT industry, Sjouwerman is the author of four books, with his latest being “Cyberheist: The Biggest Financial Threat Facing American Businesses.” Along with his CEO duties, Stu is Editor-in-Chief of Cyberheist News, an e-zine tailored to deliver IT security news, technical updates, and social engineering alerts. Stu is a four-time Inc 500 award winner and EY Entrepreneur of the Year finalist.