Cybercrime continues to pose a significant threat to businesses of all sizes. The widespread use of business email compromise (BEC) as a main threat vector shows how vulnerable employees can be to opening the door for hackers and scammers.

And it’s only getting worse.

With the rise in BEC incidents over the last few years, it’s clear to see where cybercriminals think they can best use their time to exploit cybersecurity.

Proactive protective measures must be taken to secure your systems. Let’s look at the threat BECs present, how effective they can be at successfully penetrating your organization, and how to avoid falling victim.

The Escalating BEC Landscape

21,000 reported BEC cases with adjusted losses exceeding $2.7 billion. That’s a staggering statistic recently reported by the Federal Bureau of Investigation (FBI). Add to that eye-popping report this from Microsoft's Digital Crimes Unit: a 38 percent increase in Cybercrime-as-a-Service targeting business emails between 2019 and 2022.

It’s critical to protect your systems with firewalls and technical barriers, but as long as people have access to your organization’s data and information, you’re leaving the door open for cybercrime to find its way inside.

And the threat is growing.

The Role of Residential IP Addresses

To make their attack campaigns appear locally generated and evade detection, cybercriminals specializing in BEC are leveraging residential internet protocol (IP) addresses. Today’s hackers and scammers are purchasing IP addresses from residential IP services matching the victim's location and creating residential IP proxies to appear as though they’re local to the target. This tactic empowers cybercriminals to obscure their movements, circumvent detection measures, and conduct a greater number of attacks.

Law Enforcement Roadblocks

Law enforcement agencies are increasingly concerned about the use of residential IP addresses by cybercriminals. It can be a much more tedious process to locate and eliminate cyberattacks coming through in this fashion as they can go unseen by traditional alarm systems or notifications. As a result, detecting malicious activity becomes more complex and requires innovative solutions.

Types of BEC Attacks

BEC attacks come in various forms, with the most common types being lure, payroll, invoice, gift card, and business information scams. These cyberattack themes target executives, senior leaders, finance managers, human resources staff, and even new employees who may be less likely to verify unfamiliar email requests or have yet to enroll in company-wide cybersecurity awareness training. Social engineering and deception play a crucial role in BEC attacks, emphasizing the need for continuous employee training to recognize warning signs and respond appropriately, mitigating human risk as much as possible.

Defending Against BEC Attacks

Organizations must adopt a proactive stance in defending against BEC attacks. Some effective strategies include:

Ramp up inbox security standards: Configuring mail systems to flag messages from external parties, enabling notifications for unverified senders, and blocking suspicious senders can help identify and prevent phishing attempts and allow IT personnel to review and analyze potential threats and block any communication coming from a particular source IP address.

Require multi-factor authentication: Enabling multifactor authentication (MFA) adds an additional layer of security to email accounts, making them more resistant to compromised credentials and brute-force login attempts.

Educate and train employees: Educating employees on the importance of recognizing fraudulent emails, such as doppelganger domain and email address mismatches, can help mitigate the risk of successful BEC attacks.

Additional Measures: These actions can bolster you overall security posture and strengthen your human firewall with technical power.

Checkpoints and controls on both administrative and engineered levels for your accounting, internal controls, payroll, and human resource departments will tighten your most key defense areas.

Implementing a domain-based message authentication, reporting, and conformance (DMARC) policy to protect against any spoofed email is also a best practice.

Any hybrid work needs to conform to your security policy. Public wifi, for example, should never be used to conduct any transaction or exchange privileged information.

Advanced phishing protection and suspicious forwarding detection should be utilized within your email platform. A layered approach can include capabilities included with your provider licenses as well as additional third-party filters to remove as much risk as possible from employee inboxes.

Zero Trust and automated identity governance restrict lateral movement within networks and wall off any potential breach.

Use secure payment platforms and verify financial transactions through phone calls with confirmed, verified, trusted numbers to avoid falling victim to fraudulent requests.

The Bottom Line

BEC attacks are increasing in frequency and utilize sophisticated tactics. This rising trend highlights the evolving nature of cybercrime and how easy it can be for even a well-trained employee to be duped. It is crucial for organizations to stay informed, remain vigilant, and adopt robust security measures to guard against the potentially devastating financial and reputational consequences of successful BEC attacks.

By implementing effective strategies and fostering cyber aware culture, businesses can better defend against this growing threat and safeguard their sensitive information and assets from prying eyes to keep employees, vendors, and customers as safe as possible.