Cybercriminals are increasingly registering email accounts with legitimate webmail services and using them to carry out business email compromise (BEC) attacks.
A recent study of hacking methods published by Barracuda found that more than 6,000 email accounts using legitimate services had been linked to more than 100,000 BEC attacks on roughly 6,600 organizations this year.
Gmail accounted for 59% of the malicious accounts used in these attacks, which is unsurprising given that the service is free and widely used. Its ubiquity, with roughly 1.8 billion users worldwide, also makes suspect messages harder for some spam and malware filters to detect and intercept: mail sent from a genuine Gmail account passes SPF and DKIM checks for the sending domain, so authentication and domain-reputation controls see nothing wrong with it.
The report also found that 29% of the attacks used accounts that had been active only briefly, often for just 24 hours, presumably to avoid detection or suspension by the email provider.
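Because a message from a real Gmail account authenticates cleanly, the detection has to come from identity and context signals rather than from SPF/DKIM results: a free-webmail sender domain, a display name that matches an employee worth impersonating, and a sender address the organization has never received mail from before (short-lived accounts show up as first-seen senders). The following triage script is an added example, not code from the article or from Barracuda's report; the sample messages, the webmail-domain list, the protected-names directory and the known-sender set are all constructed assumptions and would be replaced by your own directory and mail logs.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample messages (assumption; not taken from the report).
SAMPLE_MESSAGES = [
    # Known executive's name on a freshly registered webmail account
    "From: Dana Reyes <dana.reyes.ceo1187@gmail.com>\n"
    "To: ap@example.com\nSubject: Urgent wire today\n\n"
    "Are you at your desk? I need a payment sent before noon.\n",
    # Legitimate internal mail from the same executive
    "From: Dana Reyes <dana.reyes@example.com>\n"
    "To: ap@example.com\nSubject: Q3 forecast\n\nSee attached.\n",
    # Unknown external sender on webmail, no impersonation
    "From: Sam Lee <sam.lee.photos@gmail.com>\n"
    "To: ap@example.com\nSubject: Invoice #4412\n\nInvoice attached.\n",
]

# Assumption: free webmail providers you want to treat as low-trust senders.
FREE_WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Assumption: display names of executives and finance staff, from your directory.
PROTECTED_NAMES = {"dana reyes", "chris okafor"}
# Assumption: sender addresses seen in recent mail logs; anything else is first-seen.
KNOWN_SENDERS = {"dana.reyes@example.com"}

# Signal weights: name impersonation dominates, the other two only raise suspicion.
WEIGHTS = {
    "free-webmail sender": 1,
    "display name matches protected employee": 3,
    "first-seen sender address": 1,
}


def normalize_name(name):
    """Lower-case and collapse whitespace so 'Dana  REYES' matches 'dana reyes'."""
    return " ".join(name.lower().split())


def score_message(raw, known_senders=KNOWN_SENDERS):
    """Return the From address, the accumulated score, the reasons and a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]  # "" if the header was missing or malformed
    reasons = []
    if domain in FREE_WEBMAIL_DOMAINS:
        reasons.append("free-webmail sender")
        # Only consider impersonation for webmail senders; internal mail from
        # the same name on the corporate domain is expected.
        if normalize_name(display_name) in PROTECTED_NAMES:
            reasons.append("display name matches protected employee")
        if addr not in known_senders:
            reasons.append("first-seen sender address")
    score = sum(WEIGHTS[r] for r in reasons)
    if score >= 4:
        verdict = "quarantine"
    elif score >= 2:
        verdict = "flag"
    else:
        verdict = "pass"
    return {"from": addr, "score": score, "reasons": reasons, "verdict": verdict}


def triage(messages):
    """Score every message and return the verdicts in input order."""
    return [score_message(m) for m in messages]


if __name__ == "__main__":
    for result in triage(SAMPLE_MESSAGES):
        print(f"{result['verdict']:10} {result['from']:35} {result['reasons']}")
```

The thresholds deliberately let an unknown webmail sender through as "flag" rather than "quarantine"; plenty of legitimate vendors and contractors use Gmail, so the strong signal is the combination of a webmail domain with a protected display name, and first-seen status is a tiebreaker rather than a verdict on its own.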
The FBI estimated that BEC attacks cost U.S. companies and organizations roughly $1.77 billion. Losses are expected to rise this year as more offices work remotely in the wake of the Covid-19 pandemic, which has made workers rely more heavily on email and other remote communication.
Organizations large and small should review basic email security practices, such as verifying payment and account-change requests through a second channel before acting on them, to avoid BEC attacks and other increasingly widespread scams targeting remote workforces.