
Phishing Remains Primary Route for Cybercriminals to Gain Access

Cybercriminals are persistently employing phishing as their preferred method of attack, leveraging human mistakes over technical vulnerabilities. Discover the reasons behind its success, popular tactics, and strategies to fortify your defenses.

Cybercriminals Frequently Gain Entry Through Phishing Methods

In the digital age, businesses worldwide are increasingly becoming targets of cyber attacks. One such insidious form of cybercrime is Business Email Compromise (BEC) attacks, which have been causing significant financial losses for organisations.

In a shocking incident reported in November 2024, an Australian government agency lost a staggering $3.58 million in a fake contractor scam. Although most of the money was recovered, nearly $12,000 remains unaccounted for. This incident underscores the importance of robust email security measures and user awareness training.

Another troubling case occurred in November 2024, when scammers impersonated both the CEO and a KPMG lawyer, prompting staff to transfer $17.2 million to fraudulent accounts in Shanghai. This incident highlights the fact that BEC attacks are not about flashy malware but rather social engineering, as they involve impersonating trusted figures, mimicking vendor domains, injecting urgency, and weaponizing trust.

Phishing is the number one way attackers gain access to systems, despite awareness campaigns and security products. It is cheap, easy, and scales well from an attacker's perspective. Phishing works because it targets people, not firewalls or antivirus.

Recent incidents show that BEC is a significant problem for small and medium-sized businesses, which cybercriminals target for financial gain. In Valladolid, Spain, attackers intercepted a company's email chain with its supplier, altered the bank details and diverted a €3,100 invoice payment to their own account. Visibility and a fast response limit the damage a BEC attack can do, as the prompt recovery of the stolen funds in that case showed.

The problem of BEC attacks is not limited to Australia or Spain. Phishing remains a major vector for most cyber threat actors, whatever their motives. Tech giants like Google have also been victims of BEC attacks: attackers impersonating IT support gained access to Salesforce data and compromised extensive business contacts.
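The tactics described in the cases above (an executive's name on mail from an outside domain, a Reply-To that diverts the conversation, a vendor domain imitated by one changed character, urgency and payment-change language) can be checked mechanically before a message reaches an inbox. The script below is an added example, not tooling from the article; the organisation domain, executive list, vendor list and sample headers are constructed, and a real deployment would load them from the directory and vendor master data.

```python
"""Heuristic BEC indicators drawn from a message's From, Reply-To and Subject.

Added example for this article, not the article's own code. OUR_DOMAIN,
EXECUTIVES, KNOWN_VENDORS and the sample headers are constructed.
"""
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                                        # constructed
EXECUTIVES = {"jane doe", "john roe"}                             # constructed display names
KNOWN_VENDORS = {"acme-supplies.com", "northwind-logistics.com"}  # constructed
URGENCY_WORDS = ("urgent", "immediately", "asap", "today")
PAYMENT_WORDS = ("bank details", "new account", "updated account", "wire")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_vendor(domain: str, max_dist: int = 1):
    """Return the known vendor domain that `domain` imitates, or None."""
    for vendor in KNOWN_VENDORS:
        if domain != vendor and edit_distance(domain, vendor) <= max_dist:
            return vendor
    return None


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address (empty if there is none)."""
    return addr.rpartition("@")[2].lower()


def analyse(headers: dict) -> list:
    """Return the BEC indicators found in a message's headers."""
    flags = []
    name, addr = parseaddr(headers.get("From", ""))
    sender_domain = domain_of(addr)

    # Display name of an executive, but the mail did not come from our domain.
    if name.lower() in EXECUTIVES and sender_domain != OUR_DOMAIN:
        flags.append(f"executive display name '{name}' on mail from {sender_domain}")

    # Reply-To pointing at a different domain diverts the conversation.
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != sender_domain:
        flags.append(f"Reply-To diverts replies to {domain_of(reply_addr)}")

    # Sender domain one edit away from a vendor we actually pay.
    vendor = lookalike_vendor(sender_domain)
    if vendor:
        flags.append(f"sender domain {sender_domain} is a lookalike of vendor {vendor}")

    subject = headers.get("Subject", "").lower()
    if any(w in subject for w in URGENCY_WORDS):
        flags.append("urgency language in subject")
    if any(w in subject for w in PAYMENT_WORDS):
        flags.append("payment or bank-detail change mentioned in subject")
    return flags


# Constructed sample messages: a CEO impersonation, a vendor lookalike, a normal mail.
CEO_FRAUD = {"From": '"Jane Doe" <jane.doe@mail-example.net>',
             "Reply-To": "ceo.office@other.example",
             "Subject": "Urgent wire transfer"}
VENDOR_FRAUD = {"From": "billing@acme-supp1ies.com",
                "Subject": "Invoice 1042: updated bank details"}
LEGIT = {"From": '"Jane Doe" <jane.doe@example.com>', "Subject": "Lunch"}

if __name__ == "__main__":
    for label, msg in (("ceo", CEO_FRAUD), ("vendor", VENDOR_FRAUD), ("legit", LEGIT)):
        print(label, analyse(msg))
```

Any one flag is a reason to hold the message for review rather than block it outright; the combination of an executive name, a diverted Reply-To and a payment request in a single message is the pattern behind the KPMG and Queensland cases above.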

To defend against phishing, organisations should implement multi-factor authentication (including adaptive MFA, conditional access and risk-based authentication policies), user awareness training with regular phishing simulations, email security filters, DMARC, DKIM and SPF, logging and monitoring, and a solid incident response plan.
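Having SPF and DMARC records is not the same as having them configured so that spoofed mail is actually rejected. The script below is an added example, not tooling from the article: it parses SPF and DMARC records passed in as strings (the sample records are constructed, so no DNS lookup is performed) and reports the settings a practitioner would want to tighten, such as a softfail `~all`, a `p=none` policy, a partial `pct`, or a missing `rua` reporting address.

```python
"""Assess SPF and DMARC records for settings that let spoofed mail through.

Added example for this article, not the article's own tooling. Records are
passed in as strings (the samples below are constructed); in practice you
would feed it the TXT record of the domain and of its _dmarc subdomain.
"""
from dataclasses import dataclass
from typing import Optional

# SPF terms that each consume one of the ten DNS lookups RFC 7208 permits.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class Finding:
    record: str    # "SPF" or "DMARC"
    severity: str  # "low", "medium" or "high"
    message: str


def parse_spf(txt: str) -> dict:
    """Split an SPF record into its terms and the qualifier on the 'all' term."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    all_qualifier = None
    for term in terms[1:]:
        if term.lstrip("+-~?").lower() == "all":
            all_qualifier = term[0] if term[0] in "+-~?" else "+"
    return {"terms": terms[1:], "all": all_qualifier}


def parse_dmarc(txt: str) -> dict:
    """Parse the semicolon-separated tag=value pairs of a DMARC record."""
    tags = {}
    for chunk in txt.split(";"):
        key, sep, value = chunk.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def spf_lookups(terms) -> int:
    """Count the SPF terms that trigger a DNS lookup during evaluation."""
    names = (t.lstrip("+-~?").lower().split(":")[0].split("=")[0].split("/")[0] for t in terms)
    return sum(1 for n in names if n in LOOKUP_TERMS)


def assess(spf_txt: str, dmarc_txt: Optional[str]) -> list:
    """Return the weaknesses in a domain's SPF and DMARC records."""
    findings = []
    spf = parse_spf(spf_txt)
    if spf["all"] in (None, "+", "?"):
        findings.append(Finding("SPF", "high",
                                f"'all' qualifier is {spf['all'] or 'missing'}: any sender passes SPF"))
    elif spf["all"] == "~":
        findings.append(Finding("SPF", "medium", "softfail (~all): receivers may still deliver spoofed mail"))
    lookups = spf_lookups(spf["terms"])
    if lookups > 10:
        findings.append(Finding("SPF", "high", f"{lookups} DNS lookups exceed the limit of 10: permerror"))

    if dmarc_txt is None:
        findings.append(Finding("DMARC", "high", "no DMARC record: SPF/DKIM are not enforced on the From domain"))
        return findings
    dmarc = parse_dmarc(dmarc_txt)
    policy = dmarc.get("p", "none").lower()
    if policy == "none":
        findings.append(Finding("DMARC", "high", "p=none: failures are only reported, spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(Finding("DMARC", "medium", "p=quarantine: spoofed mail lands in spam rather than being rejected"))
    if int(dmarc.get("pct", "100")) < 100:
        findings.append(Finding("DMARC", "medium", f"pct={dmarc['pct']}: policy applied to only part of failing mail"))
    if "rua" not in dmarc:
        findings.append(Finding("DMARC", "low", "no rua= address: no aggregate reports, so spoofing goes unseen"))
    return findings


def worst_severity(findings) -> str:
    """Overall rating: the highest severity among the findings, or 'none'."""
    return max((f.severity for f in findings), key=SEVERITY_RANK.get, default="none")


# Constructed sample records: a weak pair and a hardened pair.
WEAK_SPF = "v=spf1 include:_spf.example.com ~all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_SPF = "v=spf1 include:_spf.example.com ip4:203.0.113.0/24 -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        result = assess(spf, dmarc)
        print(f"{label}: {worst_severity(result)}", [f"[{f.record} {f.severity}] {f.message}" for f in result])
```

The weak pair is what many domains look like after a first, cautious rollout: SPF softfails, DMARC only monitors half the traffic and nobody receives the reports. The hardened pair rejects mail that fails authentication and sends aggregate reports, which is what makes the logging and monitoring recommended above useful against impersonation of your own domain.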

Unpatched software, password reuse, weak authentication policies, supply chain attacks, insider threats, and physical vectors like infected USBs are other ways attackers gain access. A couple in Queensland lost $250,000 in a property purchase scam when criminals hijacked their email thread and swapped the bank details for the deposit.

Criminals involved in these incidents face legal consequences. For example, the suspect in the Australian government agency case was charged and faces up to 12 years in prison. As businesses continue to rely on digital platforms for their operations, it is crucial to remain vigilant and proactive in implementing security measures to protect against BEC attacks.
