Cybercriminals conducting BEC attacks by exploiting cloud-based email services are costing U.S. businesses over $2 billion.
The US Federal Bureau of Investigation warned private industry partners of threat actors abusing Microsoft Office 365 and Google G Suite as part of Business Email Compromise (BEC) attacks.
According to the FBI, the BEC attacks targeting Office 365 and G Suite “are initiated through specifically developed phish kits designed to mimic the cloud-based email services in order to compromise business email accounts and request or misdirect transfers of funds.”
Furthermore, the Bureau states that “between January 2014 and October 2019, the Internet Crime Complaint Center (IC3) received complaints totalling over $2.1 billion in actual losses from BEC attacks targeting Microsoft Office 365 and G Suite.”
Businesses should implement both human and technological security measures to protect themselves, as billions of dollars are being stolen from organisations through BEC scams.
“From a technology perspective, implementing verification of domains by using DMARC configuration in the mail server allows the organisation to request the domain to be checked for validation before allowing the email in the inbox,” stated James McQuiggan, security awareness advocate at security training firm KnowBe4 Inc. He also advised that “the Sender Policy Framework configuration in the mail server to authenticate the sender’s email address and finally using encryption of the headers prevents man-in-the-middle attacks with the DKIM or Domain Key Identified Mail.”
Overall, a robust security awareness program that educates employees to recognise the red flags and spot fake emails is of vital importance. Thus, always check the email address and make sure the emails in your inbox are coming from people/businesses you know.
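To illustrate the DMARC, SPF and DKIM checks and the "check the email address" advice above, here is an added example (not from the FBI notice or from KnowBe4) that reads the `Authentication-Results` header a receiving gateway stamps on a message and lists BEC red flags. The gateway name `mx.example.com`, the domains and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.example.com"  # assumed: the receiving organisation's own mail gateway

# Constructed sample messages; example.com and examp1e.net are placeholder domains.
LEGIT = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=cfo@example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "CFO" <cfo@example.com>
Subject: Q3 report

Attached.
"""
SPOOFED = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=billing@examp1e.net; dkim=none; dmarc=fail header.from=example.com
From: "CFO" <cfo@example.com>
Reply-To: cfo@examp1e.net
Subject: Urgent wire transfer

Please process today.
"""

def auth_results(msg, trusted=TRUSTED_AUTHSERV):
    """Collect spf/dkim/dmarc verdicts, ignoring headers not stamped by our own gateway."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        if header.split(";", 1)[0].strip().lower() != trusted:
            continue  # a sender can forge this header, so only our authserv-id counts
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            verdicts.setdefault(method.lower(), verdict.lower())
    return verdicts

def domain(address):
    """Lower-cased domain part of an address header value."""
    return parseaddr(address or "")[1].rpartition("@")[2].lower()

def red_flags(raw_message):
    """Return a list of reasons to treat the message as suspicious (empty if none)."""
    msg = message_from_string(raw_message)
    v = auth_results(msg)
    flags = []
    if v.get("dmarc") != "pass":
        flags.append("dmarc={} (spf={}, dkim={})".format(
            *(v.get(m, "missing") for m in ("dmarc", "spf", "dkim"))))
    reply_to = msg.get("Reply-To")
    if reply_to and domain(reply_to) != domain(msg.get("From")):
        flags.append("reply-to domain differs from From")
    return flags
```

A message whose only `Authentication-Results` header carries a different authserv-id is reported as `dmarc=missing`, because a header the sender supplied proves nothing.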