Skip to main content
Microsoft Security

Protect your business from email phishing with multi-factor authentication

Cybersecurity has been in the news far more often in the past 12 months than in previous years, as cybercriminals escalated their activity during the COVID-19 pandemic quarantine. The seismic shift of hundreds of millions of people connecting and working from home every day presented cybercriminals with greater opportunities to attack and new threat vectors to exploit, as was detailed in the Microsoft 2020 Digital Defense Report.

Cybercrime is a large and flourishing enterprise, unfortunately. Like in any business, innovation fuels success and profit.

Business email compromise is on the rise

Even the oldest tricks of cybercriminals are constantly evolving in techniques to bring more revenue from nefarious customers. Email phishing—when individuals or organizations receive a fraudulent email encouraging them to click on a link, giving the cybercriminal access to a device or personal information—has become a dominant vector to attack enterprise digital estates. Known as business email compromise (BEC), cybercriminals have responded to technical advancements in detection by developing fast-moving phishing scams that can victimize even the savviest professionals.

BEC criminals know that email is today’s de facto method of communication. People have been encouraged to “go paperless” by companies, and most feel confident they can spot a spam email. But they also inherently trust those they work with and are more likely to respond to requests from their company’s executives, as well as their trusted suppliers and business partners. A real but compromised account anywhere in the communication stream can lead to disastrous results.

Cybercriminals bank, quite literally, on these human, socially reinforced patterns. And it’s not surprising that cybercriminals succeed with schemes that appear, at least in retrospect, unbelievably primitive and transparent. In fact, one quite well-known BEC scam that used keylogger malware to fine-tune email access—and operated without detection for six months in 2015—redirected invoice payments totaling $75 million to cybercriminal bank accounts. In hindsight, one might expect that someone would notice, given the vast amount of money involved. But no one did.

As severe as the consequences of BEC can be, they are unfortunately also quite frequent. Since 2009, 17 percent of the cyber incidents reported to Chubb have stemmed from social engineering. And the risk is only increasing—the scale and threat of email phishing attacks are growing.

Take action: Reduce email phishing attacks with MFA

Enabling multi-factor authentication (MFA) can be one of the quickest and most impactful ways to protect user identities, and an effective means to reduce the threat and potential impact of BEC. MFA has been available for all Microsoft Office 365 users since 2014, yet many small- to mid-sized business system administrators have not enabled it for their users.

In a joint white paper co-written by Microsoft and Chubb, the world’s largest publicly traded insurance provider, we explain how multi-factor authentication foils fraud, and how implementing MFA may be much easier and painless for your users than you may think. It’s a simple yet effective means to reduce the threat and potential impact of BEC.

The paper is available for download on Chubb’s website.

Embrace Zero Trust to protect your complex digital estate

Beyond the benefits of multi-factor authentication, the move toward Zero Trust security can enable and secure your remote workforce, increase the speed of threat detection and remediation, mitigate the impact of potential breaches, and make it harder for cybercriminals to make money.

The business of cybercrime will continue to grow. However, by increasing the complexity and cost of perpetrating that crime, businesses can disincentivize the criminals to the point where they move on toward easier targets.

Learn more

To learn more about email phishing and how to protect your organization, read these blogs:

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.