Business Email Compromise (BEC) attacks have become a highly remunerative line of business for threat actors. New research from the APWG (Anti-Phishing Working Group) revealed how enterprises are losing money to BEC attacks. In its “Phishing Activity Trends Report,” APWG highlighted that the average wire transfer loss from BEC attacks surged from $54,000 in Q1 2020 to $80,183 in Q2 2020, as cybercriminals expected high returns.
In a BEC attack, cybercriminals first steal legitimate business email account credentials, then use them to run financial fraud campaigns involving fraudulent email messages, requests for out-of-channel funds transfers, and deleted accounting trails.
BEC: A Lucrative Attack Vector
BEC attackers demand 66% of funds in the form of gift cards; the report stated that the average amount of gift cards requested during Q2 of 2020 was $1,213, down from $1,453 in Q1 of 2020. In addition, the number of phishing sites detected in Q2 of 2020 was 146,994, down from the 165,772 observed in Q1 of 2020. Phishing attacks targeting the social media industry increased in Q2 by about 20%, with the most targeted attacks against Facebook and WhatsApp.
Threat from Russian Hackers
The research also found activity by a BEC gang in Russia known as “Cosmic Lynx,” in addition to the West African scammers targeting organizations with BEC attacks. The average ransom demanded by the Cosmic Lynx group is about $1.27 million. “We were expecting that Russian cybercriminals would move into the world of BEC because the return on investment for basic social engineering attacks is much higher than launching more sophisticated (and more expensive) malware-based attacks,” the report said.
A Rising Concern
Recently, the FBI warned that organizations that use cloud-based email systems are at high risk of BEC attacks. The bureau warned employees about email scams that begin with phishing kits designed to mimic two popular cloud-based email services, luring employees into compromising business email accounts and misdirecting funds transfers. The FBI stated that its Internet Crime Complaint Center (IC3) received complaints, between January 2014 and October 2019, claiming more than US$2.1 billion in losses from BEC scams.