May 19, 2023 - Technology

Business email compromise is on the rise, Microsoft warns

Illustration: Aïda Amer/Axios

An often-overlooked cybercrime tactic is getting more sophisticated and growing in popularity among criminal gangs, Microsoft warned in a report released Friday.

Why it matters: Business email compromise — where a criminal poses as someone a victim regularly interacts with in their daily lives to lure them into sending money or confidential information — remains one of the most lucrative tactics for cybercriminals.

  • Last year, the FBI saw nearly 22,000 complaints about business email compromise cases and reported losses of more than $2.7 billion tied to these scams.
  • However, this tactic is often eclipsed in public conversations about cybercrime by ransomware and data theft.

The big picture: Microsoft detected and investigated 35 million attempted cases of business email compromise between April 2022 and last month, according to the report. The company also warned that "nearly all forms of BEC attacks are on the rise."

  • Attackers in these scams have started adopting new tools and tricks to evade traditional email security controls, such as those that flag when an employee is sending an email from an unusual location, Microsoft warned.

What they're saying: "Microsoft shares federal law enforcement and other organizations' concern that this trend can be rapidly scaled, making it difficult to detect activity with traditional alarms or notifications," Vasu Jakkal, corporate vice president of security at Microsoft, wrote in a blog post.

The intrigue: One of the new tools attackers have latched onto is BulletProftLink, which helps users do everything from setting up email templates to hosting malicious sites linked in the phishing emails.

  • The attackers will also purchase IP addresses from third parties to create "residential IP proxies" that allow cybercriminals to "mask their origin" so it looks like the email came from the same place their victims are based, the Microsoft report said.
  • After those tools are in place, attackers need only rely on their social engineering skills to craft a believable message, per the report.

Be smart: Microsoft suggests organizations set up their email systems to flag messages sent from external parties and retrain employees to spot the warning signs of a malicious email.
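As an added illustration of the "flag messages sent from external parties" advice (example code, not from the Axios article or Microsoft's report), the function below tags a message as external when the sender's domain is not one of the organisation's, and additionally flags the display-name impersonation and Reply-To diversion that BEC lures typically rely on. The domain list, the internal directory and both sample messages are constructed for this example.

```python
# Added example: minimal external-sender tagging for inbound mail.
# Parses an RFC 5322 message, decides whether the sender is outside the
# organisation, and flags the BEC pattern where the display name matches a
# known insider but the address does not. All names and domains are invented.
from email.parser import BytesParser
from email.utils import parseaddr

# Hypothetical organisation domains and a directory of internal display names.
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}
INTERNAL_DIRECTORY = {"dana finance": "dana.finance@example.com"}  # name -> address

def classify_sender(raw_message: bytes) -> dict:
    """Return a verdict for one message and the subject line it would be re-tagged with."""
    msg = BytesParser().parsebytes(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    external = domain not in INTERNAL_DOMAINS
    # Display-name impersonation: the name claims an insider, the address does not match.
    known = INTERNAL_DIRECTORY.get(display_name.strip().lower())
    lookalike = known is not None and known.lower() != address.lower()
    # A Reply-To pointing elsewhere steers the victim's answer to the attacker.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reply_diverted = bool(reply_to) and reply_to.lower() != address.lower()
    tags = []
    if external:
        tags.append("[EXTERNAL]")
    if lookalike:
        tags.append("[POSSIBLE IMPERSONATION]")
    if reply_diverted:
        tags.append("[REPLY-TO MISMATCH]")
    return {"external": external, "lookalike": lookalike,
            "reply_diverted": reply_diverted,
            "subject": " ".join(tags + [msg.get("Subject", "")])}

# Constructed sample messages: one genuine internal mail, one lookalike lure.
INTERNAL_MSG = (b"From: Dana Finance <dana.finance@example.com>\r\n"
                b"Subject: Q2 invoices\r\n\r\nAttached.\r\n")
SPOOFED_MSG = (b"From: Dana Finance <dana.finance@example-mail.com>\r\n"
               b"Reply-To: payments@example-mail.com\r\n"
               b"Subject: Urgent wire\r\n\r\nPlease pay today.\r\n")

if __name__ == "__main__":
    for raw in (INTERNAL_MSG, SPOOFED_MSG):
        print(classify_sender(raw))
```

The lookalike check only catches names already in the directory; in practice the directory would be fed from the identity provider and the tag applied by the mail gateway rather than in application code.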
