The FBI’s Internet Crime Complaint Center (IC3) published an alert warning that criminals are exploiting cloud-based email services to carry out business email compromise (BEC) scams. The attackers are using phishing kits that impersonate email services like Google’s G Suite or Microsoft’s 365 to compromise corporate email accounts. Once they gain access to an account, they’ll try to request or intercept money transfers.
Many phishing kits identify the email service associated with each set of compromised credentials, allowing the cybercriminal to target victims using cloud-based services. The cybercriminals analyze the content of compromised email accounts for evidence of financial transactions. Often, the actors configure mailbox rules of a compromised account to delete critical messages. They may enable automatic forwarding to an outside email account
IC3 says it has received complaints totaling $2.1 billion in losses as a result of BEC attacks using the two popular cloud-based email services. Over the past decade, organizations have increasingly moved from on-site email systems to cloud-based email services. Losses from BEC scams overall have increased every year since IC3 began tracking scams in 2013. BEC scams have been reported in all 50 states and 177 countries. Small and medium-sized organizations, or those with limited IT resources, are most vulnerable to BEC scams because of the costs of robust cyber defense.
These attacks could potentially be avoided with security awareness training, where the email account owner would spot the initial phishing attack and avoid having their account compromised. The FBI did point out that most of these email services have security features that can help defend against BEC attacks, but these features often have to be manually configured. It is recommended to implement multi-factor authentication on all email accounts, as well as educating employees about BEC scams, including preventative strategies such as how to identify phishing emails and how to respond to suspected compromises.
This is just another reason why security awareness training is so vital to your IT security procedures. It is an easy, low-cost, and highly effective way to protect your business from these types of attacks. Contact our team to prevent cloud-based business email compromise scams. We can set up a free security assessment and phishing test.