Microsoft 365 & G Suite Users Targeted In Business Email Compromise Scam

If you use Microsoft Office 365 or Google G Suite, then you need to be on the lookout for business email compromise. Cybersecurity technology won’t protect you from this cybercrime scam – it comes down to what you know.

The FBI has released a private industry notification that a specialized business email compromise campaign is being carried out against Microsoft Office 365 and Google G Suite users, so far causing $2.1 billion in damages.

Click the following link to read the full report:

https://www.kraftgrp.com/wp-content/uploads/2020/04/PIN-20200303-001.pdf

What Is Business Email Compromise?

Business Email Compromise is a social engineering technique used by cybercriminals in which they pose as a business or member of a business in order to execute fraudulent payments.

In layman’s terms, a cybercriminal will write an email pretending to be from a known contact or organization (e.g. your credit union), and request that a payment be processed – instead of sending the funds to a legitimate source, the payment will go to them.

Business Email Compromise can be carried out a number of ways:

  • Phishing
    Phishing emails are sent to large numbers of users simultaneously in an attempt to “fish” sensitive information by posing as reputable sources; often with legitimate-looking logos attached.
  • Spear Phishing
    This is a much more focused form of phishing. The cybercriminal has either studied up on the group or has gleaned data from social media sites to con users.
  • Online Research
    LinkedIn, Facebook and other venues provide a wealth of information about organizational personnel, as do their company websites. This can include their contact information, connections, friends, ongoing business deals and more.

How Are Cybercriminals Targeting Microsoft Office 365 And Google G Suite Users?

Cybercriminals are using a specially developed phishing kit that mimics the cloud-based email services of both Microsoft Office 365 and G Suite. The fraudulent emails request or misdirect the transfer of funds, costing businesses large sums of money.

How Can You Protect Yourself From Business Email Compromise?

Share these three tips with your staff to help them mitigate the risk of business email compromise and other social engineering scams:

  • Verify Payments Via Phone: As you can’t meet in person to verify major financial transactions, the least you can do is confirm over the phone with the contact. Never execute a wire transfer based on an email request alone – it could very well be a cybercriminal posing as a business contact or third party organization.
  • Educate Your Employees: Now more than ever, your employees need to know how to spot social engineering scams like phishing. Phishing (and all social engineering techniques) is about the element of surprise. It’s a method in which cybercriminals send fraudulent emails that appear to be from reputable sources in order to get recipients to reveal sensitive information and execute significant financial transfers.
  • Implement Multi-Factor Authentication: Multi-factor authentication is a great way to add an extra layer of protection to the existing system and account logins. By requiring a second piece of information like a randomly-generated numerical code sent by text message, you’re able to make sure that the person using the login credentials is actually who they say they are. Biometrics like fingerprints, voice, or even iris scans are also options, as are physical objects like keycards.

The point is that this type of cybercrime methodology is that it doesn’t rely on digital security vulnerabilities or cutting-edge hacking technology; phishing targets the user, who, without the right training, will always be a security risk, regardless of the IT measures set in place.

Like this article? Check out the following blogs to learn more:

Are You Familiar With Cybercriminal Tactics?

What Do I Do After I’ve Been Hit with a Ransomware Attack?

Is Your Corporate VPN Putting You At Risk?

CISA Cyber Essentials Toolkits: Yourself, The Leader – Part One

Business Leadership Is First On CISA Cyber Essentials Toolkits Following their Cyber Essentials resource, CISA has rolled out an additional…

Learn more

Why Are You Not Defending Your Business From Ransomware?

Ransomware Is A Threat To Your Business - Why Aren’t You Defending Against It? Is your head in the sand…

Learn more

New Louisiana Legislation Launches MSP Registration

Louisiana Legislation Signs Louisiana Act 117 - Senate Bill 273, Requiring MSP Registration Louisiana Act 117 – Senate Bill 273…

Learn more