Business Email Compromise (BEC) remains a lucrative threat vector for attackers. The FBI’s IC3 reported that in 2022, they received 21,832 complaints with adjusted losses of over $2.7 billion. When it comes to targeted attacks, threat actor sophistication is evident in their ever-evolving tactics, even as detection capabilities and preventative measures improve. Let’s take a look at the current BEC landscape for the first half of 2023.
Figure 1 Monthly Volume of BEC Emails Intercepted by Trustwave
On average, Trustwave’s MailMarshal Cloud intercepts over 2000 BEC messages per month. For the first quarter of the year, we saw a 25% increase in unique attacks compared to the last quarter of 2022. February accounted for the highest volume of BEC emails in the first half of the year. January is the second most active month for BEC. Based on our historical data, BEC emails appear to increase during the first quarter after the December holiday slump. As the year begins, people are gearing up for the tax season and the start of new endeavours. Fraudsters are sure to take advantage of this.
There was a noticeable 31% decrease in attacks in the second quarter of the year. June is currently the least active month, with attacks down 39% compared to January.
The vast majority of BEC messages are sent from free email services. Below are the top 10 webmail services used by threat actors:
Google was the free email service provider of choice for BEC spammers in H1 2023, with a whopping 84% of all the free webmail addresses used. Other webmail services observed include: iCloud, VK (mail.ru), and Optimum (optonline.net).
Aside from free email services, spammers also used newly registered domains created to mimic legitimate company domains in the From and Reply-To header fields. 35% of newly registered BEC domains also use Google as their registrar, followed by NameCheap Inc. with 25%.
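The two sender-side patterns described above (free webmail senders and newly registered lookalike domains placed in From or Reply-To) lend themselves to a simple triage check on the mail gateway or in a SOAR playbook. The following is an added example, not Trustwave's or MailMarshal's code: it parses a constructed message, flags freemail sender domains (using the providers named in this post), flags a Reply-To domain that differs from the From domain, and flags domains within a small edit distance of a protected domain. The protected domain `examplecorp.com`, the sample message and the edit-distance threshold of 2 are assumptions for illustration.

```python
import email
from email.utils import parseaddr

# Free webmail providers named in the post; extend with your own observations.
FREEMAIL_DOMAINS = {"gmail.com", "icloud.com", "mail.ru", "optonline.net"}

# Hypothetical organization domain to protect (assumption for this example).
PROTECTED_DOMAINS = {"examplecorp.com"}

# Constructed sample message (not a real capture): the Reply-To swaps a
# lowercase "l" for an uppercase "I" in the company domain.
SAMPLE_EMAIL = """From: "Jane Doe, CEO" <jane.doe@examplecorp.com>
Reply-To: jane.doe@exampIecorp.com
To: payroll@examplecorp.com
Subject: Payroll account update

Hi, I need to update my direct deposit before the next run. Are you available?
"""


def domain_of(header_value):
    """Return the lowercased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the protected domain this one imitates, or None if it is not a lookalike."""
    for protected in PROTECTED_DOMAINS:
        if domain != protected and edit_distance(domain, protected) <= 2:
            return protected
    return None


def bec_indicators(raw_message):
    """Return a list of human-readable BEC indicators found in the headers."""
    msg = email.message_from_string(raw_message)
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    findings = []
    if from_dom in FREEMAIL_DOMAINS:
        findings.append(f"freemail sender: {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to mismatch: {from_dom} -> {reply_dom}")
    for label, dom in (("from", from_dom), ("reply-to", reply_dom)):
        if dom:
            target = lookalike_of(dom)
            if target:
                findings.append(f"lookalike {label} domain: {dom} ~ {target}")
    return findings


if __name__ == "__main__":
    for finding in bec_indicators(SAMPLE_EMAIL):
        print(finding)
```

The edit-distance check deliberately ignores the registrar and age signals the post mentions; in production those would come from WHOIS or passive-DNS enrichment rather than from the message itself, and the findings above are meant to feed a score or a quarantine rule rather than to block on their own.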
BEC emails use different bait topics to gain their victims' attention. We delved into our data to determine which lures and themes were the most popular.
Figure 2 Breakdown of the top BEC lures for H1 2023
Almost half of all observed attacks use the Payroll Diversion lure, where attackers pretend to be employees of the targeted company and try to redirect their payroll to a bank account they control. It is no surprise that this lure is popular among fraudsters, as changing a payroll account is not an uncommon work practice.
Inquiry emails requesting personal contact information are still widely used, coming in second place. The social engineering technique used in this campaign relies on email only as the first point of contact. Once the attackers successfully deceive the recipient and obtain contact information, such as a phone number or WhatsApp account, they move the conversation to mobile, where it is more likely to evade detection.
Fourth on the list is asking for the recipient’s availability, typically a one-liner email. Yes, spammers still use the good old “Are you available?” phrase in their attacks.
BEC attacks using a gift card lure are unique. Threat actors typically rely on a sense of urgency in their BEC messages, as in payroll diversion or task-related requests. Gift card fraud instead tugs at the heartstrings of the victims. Fraudsters impersonate the company's executive and tell their victims that they want to show appreciation for the employees' hard work and effort. They then ask the victim to purchase gift cards that will supposedly be sent out to the company's employees.
For the first half of the year, Amazon was the most sought-after brand of gift card, accounting for 64% of requests for gift card purchases. Apple's iTunes gift card was the second most popular brand with 18%. Liquid cards, such as Visa and Amex, were also solicited by scammers and made up 11% of gift card fraud. Google Play cards, typically used for apps and games, were also observed at 7%.
An interesting type of BEC has surfaced recently, which involves the impersonation of at least two entities. This BEC scam uses an “Invoice Transaction” lure to gain the attention of the recipient.
In this scheme, the threat actors pose as both a company executive and a representative of a vendor company, typically a financial institution. In the example shown below, the representative is supposedly from MHA MacIntyre Hudson, an accounting firm based in the United Kingdom.
Figure 3 First Email of Invoice Fraud Attack
The first email, sent by the supposed executive, tells the victim that a representative from the financial company is requesting payment for an unpaid invoice. Using the social engineering technique called Pretexting, the victim is given the background of the situation so that the second email, which will come from the vendor representative, does not seem unusual.
Figure 4 Second Email of Invoice Fraud Attack
The second email is then sent by the alleged vendor official where they reiterate the request for payment of the overdue invoice.
We also observed a new variant of the invoice fraud scheme with a different method of correspondence. The first example discussed above shows the classic tactic, where fraudsters posing as a vendor representative approach the victim. In this new variant, the supposed company executive instead instructs the victim to initiate contact with the fake vendor representative.
Figure 5 New variant of Invoice Fraud BEC
To make the scam appear legitimate, these emails contain specific details such as an invoice number and the date of the scheduled payment. They are also longer and written in a professional manner, unlike traditional BEC emails. The vendor representative names used are those of real employees of the financial institutions the scammers impersonate in their invoice fraud scheme. By impersonating both a company executive and a vendor, and using Pretexting, the threat actors put on a remarkably convincing front.
To summarize our findings, BEC messages increased in the first half of 2023. There was a spike in the number of observed messages in the first quarter, followed by a sharp decline in the second quarter. Free email services were heavily used to send malicious emails, and Gmail was the most abused webmail service. Payroll Diversion, Request for Contact and Task requests were the top lures used by threat actors. Lastly, Multi-Persona Impersonation, where fraudsters impersonate both company executives and third-party vendors and use an Invoice Transaction lure, is growing in numbers.
The BEC and spam landscape is constantly shifting and evolving. Historically, BEC messages are short and impersonate one executive. As time goes on, we are seeing even more sophisticated social engineering techniques being used in these attacks. In order to face these ever-changing malicious schemes, organizations need to strengthen their technological and human cybersecurity defenses.
As always, we urge everyone to exercise caution and stay up to date with the latest threats to avoid falling for these schemes.
https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf