By Charles Buck, Co-Founder and CTO of SaaS Alerts, a finalist in the Best SaaS Security Solution category and a shortlistee for Cloud Security Innovator of the Year at The 2024 Cloud Security Awards. More recently, SaaS Alerts was a finalist in the ‘Best Security Innovation in a SaaS Product (B2B/Small Business)’ category at The 2024 SaaS Awards.
Hybrid and remote work have many benefits: increased flexibility, less environmental impact, access to a wider talent pool and maybe even better employee retention.
But remote work could also benefit wannabe hackers. As workplaces have evolved away from device-based, on-site cybersecurity, companies could be leaving a door open for bad actors to steal important information — or money.
One of the biggest cybersecurity trends we’re seeing in this new working environment is business email compromise (BEC): attacks where hackers infiltrate an organization’s email communications to steal money or confidential data.
Those compromises take many forms. There’s phishing, where hackers solicit info via email while pretending to be someone else. There’s domain spoofing, where a bad actor uses a fake website name to trick a user into handing over information.
And finally, there’s token hijacking, where a cybercriminal sends an email masked to look like a “normal” request to log into a SaaS product, like Microsoft or Google. When the targeted employee enters their credentials (and MFA, if they have that set up), the hacker intercepts the access token that’s generated.
Game over.
That is, unless MSPs have properly prepared their client organizations to avoid these attacks. This preparation is some of the most important work they’ll do in today’s environment.

Why BEC and Token Hijacking are on the Rise
Hackers are a lot like us. They don’t enjoy tedious, time-consuming work. But that’s exactly what’s necessary for brute force attacks — the old hacking status quo, where bad actors used trial and error to guess login info.
Bad actors started looking for a way to work smarter, not harder. Enter BEC and token hijacking.
According to Microsoft, 91% of all cyberattacks start with email. So as millions of workers shifted to home offices during the COVID-19 pandemic, hackers saw an opportunity to take advantage of less-secure home Wi-Fi networks, fewer firewalls and more communication taking place over email.
Now, BEC and token-harvesting attacks have become some of the most common — and most damaging — cyber risks facing the corporate world. And MSPs are often at the front lines of keeping organizations safe.
BEC and Token Hijacking: What’s at Stake?
“Regular” phishing attacks — which may target someone’s personal contact info rather than an email associated with a business — are pretty random by nature. The stereotypical phishing email might involve a long-lost cousin or a secret prince who desperately needs your bank account info. Even people who aren’t cybersecurity experts are familiar with those kinds of attempts.
But BEC attacks are more targeted. They rely on context, leveraging previous conversations and existing relationships. These attacks are often successful because they don’t rely on malware to do the job. All they need is a little human error — which automated threat detection software can’t prevent.

People within a company who handle money (like the finance team or whoever runs payroll) are often targeted. And hackers are smart: They prey on humans’ need to act quickly and decisively when faced with (what they think is) an emergency.
So if the CFO gets an urgent email from an “angry vendor,” they’ll work quickly to solve the problem — paying the invoice right away. It’s likely they won’t check the domain name first or double-check with the accounting team on whether that bill actually got paid weeks ago.
This is exactly what makes BEC attacks so easy to fall for. It’s also what makes these attacks harder for MSPs to prevent.
But there can be enormous consequences for their clients.
- Financial losses: If someone within the organization falls for a scammer’s scheme, the price of those slip-ups is high. Current global losses from business email compromises are about $8 million — per day, according to the US Secret Service. In 2021 alone, the FBI fielded around 20,000 reports of BEC attacks. The median amount stolen was $50,000, according to Verizon’s latest data on social engineering attacks. That figure has been on the rise since 2018.
- Higher insurance premiums: In this day and age, cybersecurity insurance is a must. But previous breaches are treated similarly to previous car accidents — reasons for insurance companies to charge more for coverage.
- Potential fines: Depending on what industry the organization operates in, non-compliance could mean hefty penalties. For example, a hospital employee who falls for a token-harvesting scheme and unwittingly hands over access to their email account may have opened the door to a data breach. Bad news: That means the hospital probably just violated HIPAA. Regulators won’t care if it was accidental.
- Reputational harm: After a breach (especially if it goes public), can future patients, clients or vendors trust the organization with their information?
- Decreased market value: Do investors want to write more checks to a company that just wired thousands of dollars to a hacker?
- Lost profits: It takes time to kick a bad actor out of an environment, recover lost data and get “back to normal” after a cyberattack. All that downtime eats into an organization’s ability to make money.
- Non-monetary losses: In case all that isn’t enough to send you into a cold sweat, there’s also the potential loss of intellectual property or other confidential internal data (like employees’ bank account info or Social Security numbers).

How MSPs can Protect Clients from BEC
Although token harvesting and overall BEC are on the rise, MSPs have the tools to fight back.
- MFA: MSPs will need to educate their clients about how to recognize phishing attacks and when not to plug in their MFA codes. But this extra layer of security is still vital — especially if the secondary authentication is a hardware token, not just an SMS code.
- More client training by MSPs: When end users can recognize the signs that something is amiss, they can better avoid BEC. This could be as simple as teaching an organization’s employees to always check the domain name of any email address they respond to. (Microsoft.com and Microsaft.com might look similar at a glance. But a closer look is always warranted.)
- Communicate “red flags” to clients: Show them some of the signs that they could be under attack. For example, urgent requests. If someone in an email is frantically saying they need information or money AS SOON AS POSSIBLE, that’s suspicious.
- Monitor user behavior: When MSPs regularly keep track of an organization’s “normal” behavior, anomalies are easier to spot. If an MSP uses SaaS security tools, they can also establish organization-specific “indicators of compromise” — a set of abnormal behaviors that are precursors to an attack. Automated remediation (or a “kill chain”) can do the clean-up work from there.
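One way an MSP’s monitoring could implement the organization-specific indicator of compromise this list describes, as an added example that is not SaaS Alerts’ code: a hijacked token keeps its session id but is replayed from the attacker’s location, so the same session seen from two countries or devices within a short window is flagged and handed to automated remediation. The event records, session ids and remediation action names are constructed for illustration.

```python
# Added example (not SaaS Alerts' code): detect a phished session token being replayed.
# EVENTS is a constructed sample of sign-in/activity records, not real tenant logs.
from collections import defaultdict
from datetime import datetime, timedelta

# (timestamp, user, session id, source country, client user agent) -- all constructed.
EVENTS = [
    ("2024-03-04T09:02:00", "cfo@example.com", "sess-7f3a", "US", "Edge/122 Windows"),
    ("2024-03-04T09:05:00", "cfo@example.com", "sess-7f3a", "US", "Edge/122 Windows"),
    ("2024-03-04T09:41:00", "cfo@example.com", "sess-7f3a", "NG", "Chrome/121 Linux"),
    ("2024-03-04T10:10:00", "cfo@example.com", "sess-7f3a", "NG", "Chrome/121 Linux"),
    ("2024-03-04T09:15:00", "ap@example.com",  "sess-c19d", "US", "Outlook/16 Windows"),
]

WINDOW = timedelta(hours=2)  # two uses of one token closer than this, from different places, is abnormal

def find_token_reuse(events, window=WINDOW):
    """Return one alert per session token that shows up from a different country or
    client within `window` of its first use. A legitimate user keeps one device and
    location for a session; a replayed token jumps to the attacker's infrastructure,
    which is the organization-specific indicator of compromise worth automating."""
    alerts = []
    by_session = defaultdict(list)
    for ts, user, sess, country, agent in sorted(events):   # ISO timestamps sort correctly
        by_session[sess].append((datetime.fromisoformat(ts), user, country, agent))
    for sess, uses in by_session.items():
        first_ts, user, first_country, first_agent = uses[0]
        for ts, _, country, agent in uses[1:]:
            if (country, agent) != (first_country, first_agent) and ts - first_ts <= window:
                alerts.append({"user": user, "session": sess,
                               "from": (first_country, first_agent),
                               "to": (country, agent),
                               "minutes_apart": int((ts - first_ts).total_seconds() // 60)})
                break  # one alert per session is enough to trigger remediation
    return alerts

def remediation_actions(alert):
    """Automated clean-up for a hit: revoke the token, then force re-authentication.
    These are placeholder action names for the tenant's admin tooling, not real API calls."""
    return [f"revoke-session:{alert['session']}",
            f"reset-password:{alert['user']}",
            f"require-mfa-reenrollment:{alert['user']}"]

if __name__ == "__main__":
    for alert in find_token_reuse(EVENTS):
        print(alert, remediation_actions(alert))
```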
Whatever methods an MSP uses to secure their clients, one thing is certain: Today’s environment requires a robust plan of counterattack against BEC. Businesses’ livelihoods and operations depend on it.
