The Rise of Social Engineering Fraud in Business Email Compromise

We Keep you Connected

The Rise of Social Engineering Fraud in Business Email Compromise

Cybersecurity insights from industry experts.
By examining common social engineering tactics and four of the most devious threat groups, organizations can better defend themselves.
March 6, 2024
Social engineering is present in 90% of phishing attacks today. However, business email compromise (BEC) attacks stand apart in the cybercrime industry for their emphasis on social engineering and the art of deception. 
Part of what makes social engineering such a prominent part of BEC and other types of phishing attacks is its ability to manipulate human levers to achieve a desired outcome. Oftentimes, social engineers will create a false sense of urgency, push victims into a heightened emotional state, or capitalize on existing habits or routines in order to get their victims to behave in a way that might otherwise be out of character.
By examining common social engineering tactics and prevalent threat groups, organizations can better defend against these attack vectors.
Social engineers often target company executives, senior leadership, finance managers, and human resources staff to gain access to sensitive information, such as Social Security numbers, tax statements, or other personally identifiable information. New employees, who may be more susceptible to verifying unfamiliar email requests, are also at risk.
In order to help defend against BEC attacks, organizations need to stay up to date on the latest threat intelligence and adversarial activity. Following are four prominent threat groups that leverage social engineering and BEC to enact harm.
Octo Tempest: This financially motivated collective of native English-speaking threat actors is known for launching wide-ranging campaigns that prominently feature adversary-in-the-middle (AiTM) techniques, social engineering, and SIM-swapping capabilities. First spotted in early 2022, the group initially targeted mobile telecommunications and business process outsourcing organizations with SIM swaps. However, it has since partnered with ALPHV/BlackCat — a human-operated ransomware-as-a-service (RaaS) operation — to drive greater impact.
Diamond Sleet: In August 2023, Diamond Sleet conducted a software supply chain attack on German software provider JetBrains that compromised servers for software building, testing, and deployment processes. Because Diamond Sleet has successfully infiltrated build environments in the past, Microsoft assesses that this activity poses a particularly high risk to affected organizations.
Sangria Tempest: Also known as FIN, Sangria Tempest frequently targets the restaurant industry to steal payment card data. One of the group's most effective lures involves accusing restaurants of food poisoning by sending a malicious email attachment with further details. This Eastern European group uses underground forums to recruit native English speakers and train them on how to deliver the email lure. Sangria Tempest has successfully stolen tens of millions of payment card data through this process.
Midnight Blizzard: Midnight Blizzard is a Russia-based threat actor that primarily targets governments, diplomatic entities, nongovernment organizations (NGOs), and IT service providers across the US and Europe. The group leverages Teams messages to send lures that attempt to steal credentials from targeted organizations by engaging users and eliciting approval of multifactor authentication (MFA) prompts.
Social engineering is generally a long con. These types of attacks can take months of planning and labor-intensive research as adversaries seek to build a strong foundation of trust with their victims. Once this trust has been established, social engineers can manipulate victims into taking certain actions that would otherwise be out of character.
There are many ways that organizations can protect themselves against social engineering fraud. First, employees should keep their personal and work accounts separate. When people use their work email for personal accounts, threat actors can take advantage by impersonating these programs and reaching out to gain access to their corporate information. Organizations should also enforce the use of MFA, as social engineers frequently target login credentials. However, it's important to note that MFA is not a perfect solution. Attackers are increasingly using SIM swapping to compromise phone numbers used for MFA. Organizations can remediate this risk by using an authentication app to link MFA to a user's device rather than their phone number.
Next, organizations should educate users on the danger of oversharing personal information online. Social engineers need their targets to trust them for their scams to work. If they can find personal details from an employee's social media profile, they can use those details to help make their scams seem more legitimate. 
Finally, secure company computers and devices with endpoint security software, firewalls, and email filters. If a threat does make its way to a company device, protection will be in place to help safeguard user information.
Ultimately, social engineers are constantly looking for new ways to make their attacks more effective. By monitoring ongoing threat intelligence and ensuring your defenses are up to date, organizations can better prevent social engineers from using previously successful attack vectors to compromise future victims.
— Read more Partner Perspectives from Microsoft Security
Read more about:
Microsoft Security
Protect it all with Microsoft Security.
Microsoft offers simplified, comprehensive protection and expertise that eliminates security gaps so you can innovate and grow in a changing world. Our integrated security, compliance, and identity solutions work across platforms and cloud environments, providing protection without compromising productivity.
We help customers simplify the complex by prioritizing risks with unified management tools and strategic guidance created to maximize the human expertise inside your company. Our unparalleled AI is informed by trillions of signals so you can detect threats quickly, respond effectively, and fortify your security posture to stay ahead of ever-evolving threats.
You May Also Like
Assessing Your Critical Applications’ Cyber Defenses
Unleash the Power of Gen AI for Application Development, Securely
The Anatomy of a Ransomware Attack, Revealed
How To Optimize and Accelerate Cybersecurity Initiatives for Your Business
Building a Modern Endpoint Strategy for 2024 and Beyond
Cybersecurity’s Hottest New Technologies – Dark Reading March 21 Event
Black Hat Asia – April 16-19 – Learn More
Black Hat Spring Trainings – March 12-15 – Learn More
Copyright © 2024 Informa PLC Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.