Phishing Remains Primary Gateway for Cybercriminals
Increased Business Email Compromise (BEC) Attacks Pose Threat to Small and Medium-Sized Businesses
In recent years, cybercriminals have been targeting small and medium-sized businesses, with a particular focus on financial gain through Business Email Compromise (BEC) scams. These attacks, which have seen a significant increase in Germany in 2024 and 2025, can result in substantial financial loss.
One of the main reasons for the success of BEC scams is the reliance on credentials as the skeleton key to unlocking business systems. With many businesses running hybrid environments, cloud apps, and SaaS platforms, stolen credentials can grant attackers access to a wealth of sensitive information. Even a small number of employees falling for a phishing attempt can lead to stolen credentials, session cookies, or malware deployment.
Phishing remains the primary initial-access vector for most cyber threat actors. Attackers prefer it because it is the path of least resistance, requiring only a minimal investment of time and resources: with tools such as Mailchimp clones, a convincing email can be crafted in about five minutes. Phishing works because it targets people rather than firewalls or antivirus, exploiting human trust.
BEC scams often involve attackers posing as IT support or executives, tricking employees into making unauthorized transfers. In some cases, attackers have intercepted supplier invoices and diverted funds to their own accounts, as seen in the Valladolid, Spain, case where €3,100 was diverted from a legitimate supplier invoice.
However, not all is lost. In the Valladolid case, investigators were able to recover the stolen funds, which highlights the value of a solid Incident Response (IR) plan. The plan should sit alongside the other defensive layers: Multi-Factor Authentication (MFA), including adaptive MFA, conditional access and risk-based authentication policies; user awareness training backed by regular phishing simulations; email security filters together with DMARC, DKIM and SPF on the organization's own domains; and logging and monitoring. The aim of each layer is to reduce the effectiveness of a phishing email once it does get through.
BEC scams do not rely on flashy malware but instead on social engineering tactics. Attackers impersonate trusted figures, mimic vendor domains, inject urgency, and weaponize trust. As such, defenders must prioritize building layers of defense to limit damage and contain breaches quickly.
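The two preceding paragraphs name the controls (SPF, DKIM, DMARC, monitoring) and the tactics they must catch (mimicked vendor domains, urgency, changed payment details). The following is an added example, not code from the article, showing how an inbound-mail monitor can combine both: it reads the receiving server's Authentication-Results header, compares the sender domain against a vendor allowlist after folding common look-alike substitutions, and flags Reply-To mismatches and urgency language. The vendor domains, the mail samples and the authentication results are all constructed for the example. Note what the first sample shows: a look-alike domain the attacker registered passes SPF, DKIM and DMARC cleanly, because those mechanisms only protect a domain from being spoofed, so the allowlist and content checks are what catch it.

```python
"""Added example: triage inbound supplier mail for BEC indicators.
All domains, addresses and header values below are constructed, not real."""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allowlist: domains from which this company expects supplier invoices.
TRUSTED_VENDOR_DOMAINS = {"acme-supplies.example", "northwind.example"}

# Phrases that signal urgency or a change of payment details.
URGENCY_TERMS = ("urgent", "immediately", "new account", "bank details", "updated payment")

_AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def parse_auth_results(header_value):
    """Map spf/dkim/dmarc to their verdicts from an Authentication-Results header.
    A mechanism missing from the header is reported as 'none'."""
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for mech, verdict in _AUTH_RE.findall(header_value or ""):
        results[mech.lower()] = verdict.lower()
    return results


def skeleton(domain):
    """Fold common look-alike substitutions so 'acme-supp1ies.example'
    compares equal to 'acme-supplies.example'."""
    d = domain.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(fake, real)
    return d


def lookalike_of(domain, trusted=TRUSTED_VENDOR_DOMAINS):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain in trusted:
        return None
    sk = skeleton(domain)
    return next((t for t in trusted if skeleton(t) == sk), None)


def domain_of(address_header):
    """Extract the lower-cased domain from a From/Reply-To header ('' if absent)."""
    _, addr = parseaddr(address_header or "")
    return addr.rpartition("@")[2].lower()


def assess(raw_message):
    """Return the list of findings for one inbound message (empty list = nothing flagged)."""
    msg = message_from_string(raw_message)
    findings = []

    auth = parse_auth_results(msg.get("Authentication-Results"))
    for mech in ("spf", "dkim", "dmarc"):
        if auth[mech] != "pass":
            findings.append(f"{mech} did not pass ({auth[mech]})")

    from_domain = domain_of(msg.get("From"))
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain} looks like trusted vendor {imitated}")

    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    subject = (msg.get("Subject") or "").lower()
    hits = [t for t in URGENCY_TERMS if t in subject]
    if hits:
        findings.append("urgency/payment-change language in subject: " + ", ".join(hits))

    return findings


# Constructed sample 1: attacker-registered look-alike domain. Every authentication
# check passes, because the attacker controls that domain's DNS.
LOOKALIKE_INVOICE = """\
From: "Acme Supplies Billing" <billing@acme-supp1ies.example>
Reply-To: payments@acme-supp1ies.example
To: ap@victim-corp.example
Subject: URGENT: new account for invoice 4471
Authentication-Results: mx.victim-corp.example;
 spf=pass smtp.mailfrom=acme-supp1ies.example;
 dkim=pass header.d=acme-supp1ies.example;
 dmarc=pass header.from=acme-supp1ies.example

Please wire this month's payment to the account below.
"""

# Constructed sample 2: direct spoof of the real vendor domain, exposed by its DMARC policy.
SPOOFED_INVOICE = """\
From: billing@acme-supplies.example
Reply-To: billing@acme-payments-eu.example
To: ap@victim-corp.example
Subject: Invoice 4471
Authentication-Results: mx.victim-corp.example;
 spf=fail smtp.mailfrom=acme-supplies.example;
 dkim=none;
 dmarc=fail header.from=acme-supplies.example

Invoice attached.
"""

# Constructed sample 3: genuine vendor mail.
LEGIT_INVOICE = """\
From: billing@acme-supplies.example
To: ap@victim-corp.example
Subject: Invoice 4471
Authentication-Results: mx.victim-corp.example;
 spf=pass smtp.mailfrom=acme-supplies.example;
 dkim=pass header.d=acme-supplies.example;
 dmarc=pass header.from=acme-supplies.example

Invoice attached.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_INVOICE), ("spoofed", SPOOFED_INVOICE), ("lookalike", LOOKALIKE_INVOICE)):
        print(name, assess(raw) or ["no findings"])
```

In a mail pipeline the findings would feed a quarantine or a user-facing banner rather than a print statement; the point of keeping each check as a separate function is that the allowlist and Reply-To checks stay useful even when the authentication verdicts all read "pass".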
The job of IT and security professionals is to build a robust defense against phishing, despite its ability to exploit human trust. With the right measures in place, businesses can protect themselves from the financial loss and damage that BEC scams can cause.