
All news with #business email compromise tag

105 articles

Cyber-enabled Cargo Crime Mirrors Ransomware Tradecraft

🔒 Cybercriminals are applying the ransomware playbook to steal freight, using phishing and compromised email accounts to alter shipments, register fraudulent carriers, and redirect loads to criminal warehouses. These tactics affect high-value and perishable goods and frequently go unreported, amplifying losses for small and midsized fleets. NMFTA highlights controls and resources and invites practitioners to the 2026 cybersecurity conference.

MSPs Must Rethink Security and Recovery for Resilience

🔒 Tomorrow at 2:00 PM ET, BleepingComputer will host a live webinar titled "From phishing to fallout: Why MSPs must rethink both security and recovery," with Austin O'Saben and Adam Marget of Kaseya. The session explains why prevention alone is insufficient as AI-driven phishing, ransomware, SaaS abuse and BEC evolve faster than many defenses. It will show how attackers exploit trusted infrastructure and why organizations must combine security, backups and rapid recovery. Attendees will learn practical steps to reduce downtime and disruption.

Sri Lanka Detains 37 Suspects in Overseas Romance Scam

🔍 Sri Lankan police arrested 37 people, all Chinese nationals, on 2 May after raiding a property in Talangama, a Colombo suburb, following a tip-off. Officers seized 35 tablets, 147 mobile phones and 100 SIM cards and say several occupants were working illegally or overstaying visas. Authorities suspect romance-baiting operations that groom victims online and funnel them into fake cryptocurrency investment platforms. The arrests follow earlier large detentions and deportations tied to similar scam centres.

TCLBanker Trojan Self-Spreads via WhatsApp and Outlook

⚠️ A new banking trojan named TCLBanker is being distributed via a trojanized MSI installer for Logitech AI Prompt Builder and targets 59 banking, fintech, and cryptocurrency platforms, with initial activity observed mainly in Brazil. Researchers at Elastic Security Labs report the malware uses DLL side-loading and strong anti-analysis defenses, runs persistent watchdogs to detect debuggers, and monitors the browser address bar to trigger theft routines. It provides remote-control capabilities (live streaming, screenshots, keylogging, clipboard theft, and shell execution) and uses WPF overlays to capture credentials. Uniquely, TCLBanker includes worm modules that hijack WhatsApp Web sessions and abuse Microsoft Outlook to self-propagate to contacts, increasing the risk of rapid spread.

Webinar: Why MSPs Must Rethink Security and Recovery

🔒 On May 14, 2026 at 2:00 PM ET, BleepingComputer will host a live webinar titled "From phishing to fallout: Why MSPs must rethink both security and recovery" with Austin O'Saben and Adam Marget of Kaseya. The session examines how AI-driven phishing, business email compromise, ransomware, and SaaS compromise are reshaping the threat landscape for managed service providers. Attendees will learn why prevention and recovery must operate together and how SaaS backups and a formal BCDR plan can reduce downtime and data loss.

MuddyWater Employs Microsoft Teams for Targeted Intrusion

🔐 Rapid7 attributes a deception-driven intrusion to the Iranian-affiliated actor MuddyWater, which used Microsoft Teams social engineering to harvest credentials and manipulate MFA via live screen-sharing. Once inside, operators leveraged compromised accounts, remote-access tools like DWAgent and AnyDesk, and a trojanized WebView2 binary to maintain persistence and exfiltrate data rather than encrypt files. The campaign appears to have intentionally mimicked RaaS artefacts — including Chaos-related extortion indicators and a signed loader — to obscure state-backed motives and slow incident response.

Human-centric Failures: Why BEC Survives Despite MFA

🔒 Multi-factor authentication reduces credential risk but does not stop many business email compromise (BEC) attacks, because adversaries target human decision points and process gaps rather than accounts. High-profile cases — Toyota Boshoku (2019, ≈$30M) and Arup (2024, ≈$25M) — show attackers using cloned messages and deepfakes without stealing credentials. Organizations should redesign approval workflows, require out-of-band verification for high-risk requests, run realistic BEC simulations, embed micro-learning, introduce purposeful friction and assign clear ownership of payment verification to close operational blind spots.

April 2026 security roundup: Tony Anscombe insights

🔒 ESET Chief Security Evangelist Tony Anscombe reviews April’s top cybersecurity developments, including rising Microsoft Teams helpdesk impersonation scams, an Iranian-linked campaign targeting Rockwell programmable logic controllers exposed on U.S. critical infrastructure networks, and the FBI IC3’s finding that U.S. victims lost nearly $21 billion to cyber-enabled crime last year. Tony offers practical mitigation advice — from stricter verification and access controls for remote support to network segmentation, patching, and monitoring for industrial control systems — and invites viewers to watch the video for deeper context and comparisons to prior years.

Silent Subject Phishing Targets VIPs and Evades Filters

📧 Cybersecurity firm Cyberproof has identified a surge of “silent subject” phishing attacks in Q1 2026 that deliberately omit email subjects to evade filters and trigger recipient curiosity. These campaigns target executives and high-value accounts, delivering links, QR codes and attachments that often redirect to spoofed sites or mobile interactions. Attackers rotate domains, use shortened URLs and deploy legitimate tools like Datto RMM to persist. Organizations are advised to enforce MFA, inspect full sender addresses and deploy advanced content-aware email defenses.

Teams abused for helpdesk impersonation, warns Microsoft

🔒 Microsoft warns that threat actors are increasingly abusing external Microsoft Teams collaboration to impersonate IT or helpdesk staff and gain remote access. Attackers initiate cross-tenant chats to request remote assistance—commonly via Quick Assist—then perform reconnaissance and deploy small payloads into user-writable locations. They abuse trusted, signed applications for execution and use HTTPS-based C2 and tools like Rclone to exfiltrate filtered, high-value data, often blending into normal traffic. Administrators are urged to treat external Teams contacts as untrusted, restrict remote-assistance tools, and limit WinRM usage.

Attackers Use Microsoft Teams to Impersonate IT Support

🔒 Microsoft warns that attackers are exploiting Microsoft Teams cross-tenant features to impersonate IT helpdesk staff and trick employees into granting remote control. The cross-tenant helpdesk impersonation playbook leverages real-time chats, social engineering, and legitimate remote-support tools so access appears user-approved and avoids typical malware detections. Organizations are urged to tighten external access, restrict support workflows, enforce Zero Trust controls, and improve behavioral monitoring.

Apple account alerts abused to deliver phishing lures

📧 Threat actors are exploiting Apple account-change notifications to deliver callback phishing within legitimate emails sent from Apple's infrastructure. They place scam text into the account's first and last name fields, then trigger a shipping-info update so Apple sends the altered notification. Because messages are sent from appleid@id.apple.com and pass SPF, DKIM, and DMARC, they appear authentic and can bypass filters, increasing the risk of successful callback scams.

FBI and partners dismantle $20M W3LL phishing network

🛡️ The FBI Atlanta field office, together with US and Indonesian authorities, dismantled a large-scale phishing operation built around the W3LL phishing kit. The kit, sold via a members-only marketplace called W3LL Store, enabled attackers to clone login pages and harvest credentials for as little as $500. Investigators seized the w3ll.store domain, identified an alleged developer known as 'G.L.', and say the toolkit may have been used against over 17,000 victims worldwide between 2023 and 2025.

FBI: Americans Lost $21B to Cybercrime in 2025 - Record High

📈 The FBI reports U.S. victims lost a record $21 billion to cyber-enabled crime in 2025, a 26% rise from 2024, as the Internet Crime Complaint Center (IC3) logged more than one million complaints. Losses were led by investment fraud, business email compromise, tech-support scams, and data breaches, while cryptocurrency-related fraud topped $11 billion. The report includes 22,300 AI-related scam complaints totaling $893 million and shows seniors over 60 suffered disproportionately. The FBI says proactive interventions, including 3,900 Financial Fraud Kill Chain actions and Operation Level Up, helped freeze $679 million and alert thousands of likely victims; it urges verification before sending funds and reporting incidents to ic3.gov.

FBI: Over $17.7bn Lost to Cyber Fraud in US During 2025

🛡️ The FBI's 2025 Internet Crime Report shows US victims lost more than $17.7 billion to internet-enabled fraud, with the Internet Crime Complaint Center (IC3) receiving over one million complaints in 2025. Cryptocurrency investment scams were the single largest source of financial loss at $7.2 billion, followed by Business Email Compromise and fake tech support schemes. The report also highlights nearly $893 million lost to AI-enabled fraud and 22,364 AI-related complaints, warning that synthetic content and deepfakes are increasingly abused to perpetrate scams.

Nigerian Romance Scammer Sentenced After Exposure in US

⚖️ Saheed Sunday Owolabi, 35, was sentenced to 15 years in a U.S. federal prison after a jury convicted him of conspiracy to commit wire fraud and money laundering. Prosecutors described how he posed as women online to cultivate romantic relationships, then persuaded victims to transfer funds and provided bank accounts used to launder proceeds—more than $1.5 million sent to Nigeria. Chat logs showing he had attempted to swindle another fraudster undermined his claim of being a mere middleman, and images recovered from his phone displayed luxury purchases made with stolen funds.

Venom PhaaS Used in Global C-Suite Credential Theft

🔍 Abnormal researchers uncovered a targeted credential theft campaign active from November 2025 to March 2026 that focused on C‑suite and senior personnel across more than 20 industry verticals. The operation was powered by a previously undocumented phishing-as-a-service platform, Venom, and used SharePoint-themed lures with embedded QR codes. The phishing emails employed randomized HTML, fabricated multi-message threads and persona spoofing to evade detection and isolate human targets. Attackers used both AiTM relays and Microsoft’s device code flow to bypass MFA and achieve persistent access.

Democratisation of Business Email Compromise Fraud Trends

🔒 The Talos Threat Source newsletter warns that business email compromise (BEC) attacks have been democratised by AI, enabling attackers to cheaply and rapidly craft convincing payment requests that target small community organisations, charities, and businesses. Attackers can automate reconnaissance and generate tailored messages referencing projects, tone, and terminology. Defenders should verify unexpected payment requests via independent channels, enforce procurement controls, and increase awareness. The briefing also flags an automated credential-harvesting campaign exploiting React2Shell in Next.js applications that risks wide-scale token and key theft.

EvilTokens kit powers Microsoft device-code phishing

⚠️ EvilTokens is a commercially sold phishing kit that abuses the device code authorization flow to hijack Microsoft accounts and enable advanced BEC operations. Distributed via Telegram, campaigns deliver document lures with QR codes or links to phishing templates impersonating trusted services and workflows. Victims are prompted to authenticate on the real Microsoft device login, producing short-lived access tokens and refresh tokens that give attackers immediate and persistent access. Sekoia reported global campaigns and published IoCs and YARA rules; the author says support for Gmail and Okta is planned.

Tax Season Sees New Phishing and RMM-based Tactics

🧾 Proofpoint researchers reported a surge of tax-themed campaigns in early 2026 delivering malware, remote access tools, fraud schemes and credential phishing. The advisory published on March 30 notes increasing use of remote monitoring and management (RMM) tools and activity from newly identified threat actors. Attacks include BEC requests for W-2/W-9 forms and fake login pages targeting W-8BEN updates. Organisations are advised to educate users and monitor for topical tax lures during filing periods.