BEC Attack Payments Are on the Rise, Report Finds

  • Criminals look for higher BEC payments
  • Gift card frauds are the most common BEC incidents
  • One Russian BEC operation tries to hit companies with $1.27 million attacks

The average payments made through Business Email Compromise (BEC) attacks are increasing significantly, according to the new APWG Phishing Activity Trends Report.

While data breaches and ransomware get the spotlight, BEC attacks tend to be considered second-tier security issues. The unfortunate truth is that companies are seriously affected by BEC attacks, especially since they don’t require the technical knowledge needed for some of the more complex ransomware incidents.

The latest APWG Phishing Activity Trends Report goes into detail about BEC and phishing attacks, which often go hand in hand. One of the main attack vectors for BEC starts with phishing: tricking people into sharing their credentials, which establishes the foundation of the entire fraud.

In BEC attacks, cybercriminals persuade employees to redirect financial transactions to a different account or to make new payments at the behest of someone higher up the company’s hierarchy. The average payments in such frauds are usually not very large, which helps avoid drawing suspicion.

“BEC attacks that ask for wire transfers are pursuing much larger amounts,” states the report. “The average BEC wire transfer attempt requested in the second quarter of 2020 was for $80,183, up notably from $54,000 in the first quarter.”

“About 72 percent of BEC attacks in Q2 were sent from free webmail accounts, up from 61 percent in Q1. Half of all BEC attacks sent from free webmail providers used Gmail. Notably, BEC attackers used several services in the Czech Republic, including Seznam.cz, Email.cz, and Post.cz,” the report also notes.

There’s at least one recorded instance of a Russian BEC operation targeting companies for an average of $1.27 million, showing how some groups will not hesitate to try to get as much as possible in one go.

Not all BEC attacks affect financial transactions. In fact, most incidents revolve around gift cards, which account for 66 percent of BEC attacks. Moreover, about 16 percent of attacks requested payroll diversions, down from 25 percent in Q3 2019. Gift card frauds are more popular because they can be approved by multiple people in the same company and the sum is small enough that it doesn’t attract much attention.

“The amount of money that an attacker can make by getting gift cards is significantly less than he can get with a wire transfer. During the second quarter of 2020, the average amount of gift cards requested by BEC attackers was $1,213, down from $1,453 in the first quarter of 2020,” states the APWG report.