
“The cybercriminal world is highly organized and extremely business and commercially oriented. Cybercrime is a business, not a hobby, and incredibly lucrative. Cybercrime is now split into components, each specializing in the cybercriminal needs. Some act as providers to other cybercriminals; essentially, there's a vendor structure within the cybercrime world, and Phishing-as-a-Service is a key part of that.” - Sean Morris, CTO, TitanHQ.

Business Email Compromise (BEC) and phishing go hand-in-hand. A BEC scam often begins with a compromised or impersonated email account belonging to a C-level executive. A BEC scam results in the transfer of large sums of money to a fraudster's bank account. BEC and phishing are big cybercrime businesses, and losses for legitimate business owners are eye-watering. According to a survey by IBM, the global average cost of a BEC incident is around $4.67 million. The FBI IC3 unit found that BEC scams are the second most costly crime type.

Phishing has a broad remit. Phishing is part of the circle of cybercrime that leads to BEC scams, data and credential theft, ransomware infection, and other cyber-attacks.

An MSP customer is a single click away from an incident. If just one phishing email lands in an employee's inbox, clicking on a malicious link could lead to disaster. Business Email Compromise (BEC) scams are expected to explode in volume and profitability as attacks bypass traditional safeguards.

Osterman Research and TitanHQ recently published a research paper titled “Stopping The One That Got Through A Phishing Tale.” The paper explores the world of BEC and phishing and discusses the techniques and tactics used in this highly complex attack.

This short white paper will give you a sneak peek at some of the findings of Osterman's research to help you double down on your SMB customer defenses.


Why Do Attackers Target SMBs?

Small and medium-sized businesses (SMBs) are the stalwarts of commerce. An estimated 333 million SMBs worldwide work diligently to build economies, provide employment, and deliver services and products to a broad community. These beacons of industry are a target for cybercriminals for several reasons:

  • SMBs are often part of a broader supply chain and can be used to attack members of that chain.
  • Smaller organizations often lack staff with security skills and are, therefore, seen as an easy target by cybercriminals.
  • SMBs, like their enterprise cousins, are highly vulnerable to the impact of a ransomware attack and may be more likely to pay ransoms.
  • Smaller organizations may not have enough money to pay for the sophisticated cyber defenses larger companies deploy.

In the UK alone, 1.5 million businesses were victims of cybercrime in 2023. SMBs are acutely aware of the threat: a recent survey by ConnectWise found that 78% of SMBs were worried a cyberattack would cause them to close their business doors in 2024.

Highly sophisticated BEC scams and phishing campaigns are now targeting SMBs. An MSP is the best defense for an SMB in tackling this growing threat to smaller organizations.


The Ones to Watch: BEC and Phishing Attack Variations

“Question: What do you get when you cross the world’s largest email service with one of the world’s most spoofed brands? Answer: A desirable target for cybercrime gangs.” - Osterman Research

Vigilance is the watchword of cybercrime prevention. Cybercriminals are adept at changing tactics to evade detection and capture, which makes keeping up with them challenging. The Osterman report points out that the current plethora of attacks circumvents MFA and uses Generative AI to design perfectly mimicked phishing emails. According to Osterman, there are several current trends to watch out for:

Phishing-as-a-Service (PaaS)

Seasoned hackers develop PaaS offerings that allow anyone to become a cybercriminal. These rentable options for phishing attacks provide all the tools needed to carry out a targeted phishing attack against an SMB.

MFA Circumvention Toolkits

MFA was a hopeful candidate for attack mitigation, using multiple factors and layers of security to stop unauthorized access. However, cybercriminals have developed MFA circumvention kits that use automation to relay the real user credentials and one-time codes (such as an SMS text code) entered on a phishing site straight through to the genuine site. The genuine site is often a popular productivity suite used by SMBs, such as Microsoft 365.

Generative AI

Cybercriminals increasingly use GenAI tools like ChatGPT to craft realistic phishing email messages that evade human detection and conventional anti-phishing tools. GenAI is also used to mimic a specific person, closely replicating the tone and content of the emails that individual sends.

Hyper-Personalization

The use of GenAI, along with gathered intelligence on a target, results in highly personalized phishing emails. This technique takes social engineering to new heights of success.

Compromised Internal Accounts Used for Phishing

Incidents are often multi-part, using previously stolen login credentials to infiltrate an SMB's broader network. Once an account is compromised, typically via stolen credentials, it can be used to send phishing emails that look legitimate because they originate from a genuine internal account. Phishing launched from a real account is challenging to detect, and BEC scams are a typical outcome of account compromise.

QR Code Phishing (Quishing)

QR Codes are increasingly being used in phishing attacks. Osterman points to a survey that found 89.3% of all QR code-based phishing attacks sent via email were phishing for account credentials. The QR Codes redirect recipients to spoof websites that look identical to a productivity suite, like Google Docs or Office 365, where login credentials are requested. If submitted, the credentials are stolen and used to access the real account.

Which Employees Do Scammers Love to Target?

Generative AI is upping the ante, allowing cybercriminals to develop believable impersonations of crucial staff members. According to Osterman's research findings, a victim's manager is a prime target for impersonation. Intelligence gathered about the target's projects and travel plans is typically used to compose believable email requests that appear normal and follow the target's usual communication patterns. Osterman points out that this clever use of impersonation tactics means that the standard warning signals in a phishing message are absent, making it difficult for traditional email security defenses to detect them.

An alignment of the cybercrime planets, phishing-as-a-service, MFA bypass capabilities, and generative AI, is being used to manipulate victims masterfully. This is social engineering hitting new heights of sophistication.

The personalization of phishing messages has taken targeted phishing to new levels of success. Osterman has outlined the concept of "Micro-targeting," where cybercriminals take advantage of the billions of data records breached in recent years to hyper-personalize phishing messages. The net result is that specific employees become easy prey for cybercriminals who can impersonate co-workers and managers, exploiting their standard communication patterns.

Which employees are targeted in a cyber-attack depends on the outcome the attacker wants. For example, top-level executives and employees who work in accounts payable are common targets of a BEC scam. Reports show that the C-suite is the most common target of phishing messages that may result in a BEC scam or other cyber-attack. One survey found that the C-level is 42 times more likely to receive QR Code-based phishing (Quishing) attacks than the average employee. Other phishing incidents that focus on installing ransomware may target administrators, stealing their credentials to gain unauthorized access to the SMB network.

BEC and phishing fraudsters constantly change their tactics, and new channels are added as needed to improve success rates.

Channels Used for BEC and Phishing Attacks

Channels like email and mobile text messages are commonly used in cyber-attack scenarios. There are no barriers to entry, and whatever channel works in a specific cyber-attack will be used. Osterman points out that multi-stage phishing attacks often work across communication channels, utilizing a mix of email, WhatsApp, SMS text, and phone calls. Another mode of operation within the cybercriminal community is the coordinated attack, an example being the "Phantom Hacker" attack. The FBI notes that attackers used impersonation tactics, posing as tech support and financial institution officers to trick victims into handing over bank account details. The scammers used multiple channels to carry out the attack and impersonated various entities during it. Channels included a phone call, SMS text, email, or a popup window on the victim's computer.

How to Deploy a Successful Defense-in-Depth Approach

The complex, multi-part, and multiple-channel nature of modern BEC and phishing attacks challenges conventional cybersecurity solutions. Osterman notes, "Relying on Microsoft 365 only for email security is risky." Osterman explains that AI-driven, hyper-personalized phishing sent from compromised internal accounts has challenged the ability of Microsoft's native email security to identify these sophisticated attacks. Circumvention of MFA has also stripped away that layer of protection. The result is that phishing attacks are frequent and incidents costly.

The issue lies with the fragmented nature of cybersecurity measures and technologies.

Disparate technologies and a fragmented MSP tech stack lead to a lack of capability in tackling modern BEC and phishing threats.


Over the last few years, Osterman's research has pointed to the benefits of a strategic approach. This involves protecting an SMB against a cyber threat by augmenting Microsoft 365's native email security with advanced email security capabilities from third-party vendors like TitanHQ. This "defense-in-depth" approach to cybersecurity is a belt-and-braces way to detect and prevent sophisticated and evasive cyber-threat tactics. Advanced anti-phishing tools like PhishTitan provide the fine-grained net to capture evasive cyber-attacks, including BEC and targeted, hyper-personalized phishing.

An MSP can follow Osterman's recommended strategy of complementing less costly Microsoft 365 plans with third-party email security offerings rather than licensing the costliest Microsoft 365 plans. MSPs can benefit from third-party email security solutions that support multi-tenancy, thereby improving the security posture of multiple customers.

PhishTitan is designed to become part of the M365 ecosystem, adding an essential layer of security to protect against persistent phishing and BEC threats. PhishTitan is a Defense-in-Depth security tool that prevents complex multi-layered attacks targeting SMBs. PhishTitan uses layers of integrated security to catch all possible threats, sweeping up after M365 native security has captured more straightforward attacks. The layers used by PhishTitan to tackle complex threats include the following:

  • AI-driven threat intelligence based on machine learning detection models. The detection picks up emerging and Zero-Minute URLs. The AI-driven natural language processing can analyze text and links and scan attachments for malicious content.
  • Real-time threat analysis stops Zero-Minute attacks that are unknown and not included on conventional blocklists.
  • URL analysis is a sub-layer of protection that rewrites URLs to protect against phishing links. Using a unique ‘Link Lock’ service, PhishTitan inspects and rewrites URLs, checking for links to malicious websites.
  • Post-delivery remediation ensures that the attack will be stopped even if a phishing message somehow gets past PhishTitan. Post-delivery remediation continuously monitors and removes malicious mail if it lands in an inbox.
  • Data Loss Prevention (DLP) ensures that even outbound emails are checked for malicious or sensitive content, preventing sensitive data from leaving the corporate network.
  • QR Code phishing prevention is integral to PhishTitan’s anti-phishing capabilities.
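The URL-rewriting layer above works in two halves: at delivery time every link in the message is wrapped so that it points at an inspection gateway, and at click time the gateway verifies the wrapper, recovers the original destination, and re-checks it against the blocklist as it stands at that moment. That second check is what lets a link that was clean at delivery be stopped later, which is the point of click-time protection. The following Python is an added illustration of that pattern, not PhishTitan's or TitanHQ's code; the signing key, the gateway address, the blocklist contents and the function names are all assumptions made for the example.

```python
"""Click-time link protection (illustrative, not a vendor implementation).

Delivery time: rewrite each http(s) href in the mail body to point at an
inspection gateway, carrying the original URL and an HMAC over it.
Click time: verify the HMAC, recover the URL, and re-evaluate its host
against the blocklist in force *now*, not when the mail was delivered.
"""
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlsplit

# Assumed values for the example only: a shared signing key (rotate in real
# deployments) and the gateway endpoint that receives the clicks.
SIGNING_KEY = b"example-signing-key-rotate-me"
GATEWAY = "https://linkcheck.example.invalid/click"

# Constructed blocklist standing in for a live threat-intelligence feed.
BLOCKED_HOSTS = {"login-m365-verify.example.invalid"}

# Simple href matcher; a production rewriter would use a real HTML parser.
HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the token is query-string friendly."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(url: str) -> str:
    """HMAC-SHA256 over the original URL; stops tampering with the token."""
    return hmac.new(SIGNING_KEY, url.encode(), hashlib.sha256).hexdigest()


def rewrite_url(url: str) -> str:
    """Wrap one http(s) URL so the click passes through the gateway.
    mailto:, tel: and already-wrapped links are left untouched."""
    if url.startswith(GATEWAY) or urlsplit(url).scheme not in ("http", "https"):
        return url
    return f"{GATEWAY}?u={_b64(url.encode())}&sig={_sign(url)}"


def rewrite_links(html: str) -> str:
    """Delivery-time pass over an HTML mail body: rewrite every href."""
    return HREF_RE.sub(lambda m: f'href="{rewrite_url(m.group(1))}"', html)


def resolve_click(rewritten: str, blocked_hosts=BLOCKED_HOSTS):
    """Click-time check. Returns (verdict, original_url) where verdict is
    'allow', 'block' (host on the current blocklist) or 'invalid' (token
    missing, malformed or tampered with)."""
    query = parse_qs(urlsplit(rewritten).query)
    try:
        original = _unb64(query["u"][0]).decode()
        sig = query["sig"][0]
    except (KeyError, ValueError):  # binascii.Error and UnicodeDecodeError are ValueErrors
        return "invalid", None
    if not hmac.compare_digest(sig, _sign(original)):
        return "invalid", None
    host = (urlsplit(original).hostname or "").lower()
    if host in blocked_hosts:
        return "block", original
    return "allow", original


if __name__ == "__main__":
    # Constructed sample message body with one phishing link and one benign link.
    body = ('<p>Please <a href="http://login-m365-verify.example.invalid/signin">'
            'sign in</a> or see <a href="https://docs.example.invalid/report">'
            'the report</a>. Questions? <a href="mailto:it@example.invalid">IT</a></p>')
    protected = rewrite_links(body)
    for wrapped in HREF_RE.findall(protected):
        print(resolve_click(wrapped))
```

Two design points matter for a practitioner. First, the verdict is computed when the user clicks, so passing a newer blocklist to `resolve_click` changes the outcome for a message that was already delivered; that is the property marketed as protection against Zero-Minute URLs. Second, the token carries an HMAC rather than a bare encoded URL, so an attacker who learns the gateway format cannot mint wrappers for arbitrary destinations or alter the destination in a delivered message without the key.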

PhishTitan seamlessly integrates into M365, augmenting and enhancing Microsoft native security. It is a SaaS solution designed to be delivered by an MSP.

The Importance of Multi-Layered Defense-in-Depth Protection for an MSP’s Customers

New developments in cybercrime have heightened the threat by stripping away the protective layer of MFA. The introduction of GenAI to generate believable and highly personalized emails and texts has made conventional anti-phishing less effective. In addition, mega password leaks like the RockYou2024 leak involved the release of around 10 billion passwords from old and new data breaches.

An MSP is uniquely positioned to guide customers down the defense-in-depth security route. As Osterman explains, “Different security solutions have complementary strengths.” M365 native security alone is unlikely to pick up all the tactical measures modern fraudsters use. Augmenting the M365 native secure email gateway (SEG) with an integrated cloud email security solution like PhishTitan will detect and mitigate many email threats.

Osterman Research describes the prevention of complex phishing and BEC attacks as a “game of multiples.” An SMB is at high risk of a BEC attack and must take every precaution to prevent it. This game of multiples translates to using a multi-layered defense-in-depth approach to anti-phishing and BEC protection. This may seem costly for a small business. However, an MSP is perfectly positioned to provide these exceptional security services to an SMB.

PhishTitan is a cost-effective, powerful AI-driven security tool designed to catch complex BEC threats. When an MSP deploys PhishTitan for an SMB customer, they are providing enterprise-grade protection. Without this level of anti-phishing protection, a customer is at risk of some of the harshest cyberattacks in history.

A final word from Osterman Research:

“This research concludes that organizations are under relentless attack by phishing and BEC fraud. Relying solely on Microsoft 365's native email security is risky for any organization, and our recommendation is to complement Microsoft 365's native protections with advanced email protections.” - Michael Simpson, Principal Analyst, Osterman Research

You can download the full Osterman Research paper here.

Take a closer look at PhishTitan today and keep your SMB clients safe.

Susan Morrow
