Targeted messages appearing to come from legitimate sources are being increasingly used by cybercriminals intent on causing disruption or achieving financial gain. Frustratingly for security teams, the tactic is working.
According to recent research by Barracuda1, an average organisation is now targeted by more than 700 email-based social engineering attacks every year. The average chief executive alone received 57 targeted phishing attacks during the same period.
While such attacks are far from new, it’s the growing sophistication that has security experts most concerned. Where once they were relatively easy to spot because of clumsy wording or suspicious sending addresses, now they can be almost impossible to differentiate from legitimate emails.
During the 12-month period covered by the research, it was discovered that the Microsoft brand was used in 43% of all phishing attacks. This was followed by WeTransfer (18%), DHL (8%) and Google (8%).
Attacks are also becoming much more targeted. In the past, the same fraudulent email tended to be sent to large numbers of recipients in the hope that a small proportion would be tricked into opening them and either clicking on a link or opening an infected attachment.
Now, it’s more likely that phishing emails will be tailored for their recipients. This could be done by appearing to come from a business with which the recipient already has a relationship. Alternatively, the messages may seemingly have been sent by a friend or co-worker.
The types of people being targeted are also shifting. The research found 77% of business email compromise (BEC) attacks are aimed at employees outside of traditional financial and executive roles, and around one in five involve employees in sales positions. Anyone who can approve a payment, change a supplier's bank details or hand over credentials is a potential target, not just the finance team.
Not just ransomware
Although ransomware is becoming an increasing issue for businesses, it is far from the only threat delivered by email. BEC attacks typically involve no malware at all: the attacker's goal is to trick a trusted employee into making a fraudulent payment or disclosing sensitive information.
For example, during 2020, an Australian hedge fund fell victim to an attack which forced it into bankruptcy. The attack involved the sending of false invoices which led to the company inadvertently transferring $8.7 million to bank accounts controlled by the cybercriminals.
That incident is not a one-off event. According to ACCC*, total losses amounted to $128 million in 2020 with the average loss per successful attack coming in at more than $50,000.
Protecting against attacks
With the threat of BEC attacks continuing to increase, there are some key protective measures that MSPs can support Australian businesses with. They include:
- Deploy AI tools:
Artificial intelligence (AI) is becoming a valuable technology aiding the fight against cybercrime in general and BEC attacks in particular. Because BEC messages often carry no malicious link or attachment, signature-based filters tend to miss them. AI-powered tools instead learn each organisation's normal communication patterns and flag anomalies, such as a request from an unusual sender domain or an out-of-character payment instruction, before the message reaches the recipient, and alert security teams that action is required.
- Train staff:
Unfortunately, the weakest link in cybersecurity remains the users. It’s therefore vital that organisations ensure their staff are aware of the threats posed by BEC attacks and the steps they can take to avoid becoming victims.
- Review internal policies:
Training should be backed up by a comprehensive review of existing policies on how email is managed. The policies should include how and where messages are stored, the security measures protecting accounts, and who should be alerted if suspicious activity is spotted. Since many BEC losses come from changed payment details or urgent invoice requests, policies should also require that any change to a supplier's bank account or any unusual payment request is verified out of band, for example by phoning a contact on a number already on file rather than one given in the email.
- Deploy account takeover protection:
Many BEC attacks originate from compromised email accounts, which makes the fraudulent message genuinely come from a legitimate sender. For this reason, it is important to have in place measures that secure staff accounts and ensure that unauthorised access is prevented, such as multi-factor authentication, alerts on logins from unexpected locations, and monitoring for newly created mailbox forwarding rules, a common sign that an attacker is quietly reading a victim's email.
Email is going to remain an enticing attack vector for cybercriminals for some time to come. For this reason, it's important for businesses to take all the necessary steps to reduce the likelihood that such attacks will succeed. Make 2022 the year that BEC attack awareness is highlighted within your organisation.
* Source: Targeting scams: Report of the ACCC on scams activity 2020 (ACCC, 7 June 2021)