Email Security Blog

Business Email Compromise (BEC) Report: 62% of Scams Target Gift Cards, False Positives Trip Up Phishing Response

Michael Paiko February 12, 2020 BEC, Business Email Compromise, Uncategorized

Gift cards topped cybercriminal wish lists in 62% of all business email compromise (BEC) scams last quarter, according to our Q1 2020 Email Fraud & Identity Deception Trends report.

Hardly a shock, given the holiday season. But that doesn’t mean there aren’t any surprises in the research.

The report, published by the Agari Cyber Intelligence Division (ACID), examines the current threat landscape for BEC, phishing attacks, and other advanced email threats from October through December 2019. Consistent with recent trends, it finds that the success of today’s most pernicious email scams is growing less dependent on technical prowess, and more on social engineering techniques that leverage human emotions like anxiety or curiosity.

This includes highly-personalized emails from a “senior executive” pressuring corporate employees into making wire transfers to pay fraudulent invoices or yes, buying gift cards to be awarded to colleagues. Because they forego malicious links or malware, these attacks are easily slipping past most security controls most organizations—and it shows.

According to the FBI, BEC scams account for more than $700 million in worldwide business losses each month, though other email attacks come with pretty big price tags of their own. Juniper Research estimates business losses from data breaches, which nearly always begin with a phishing email, led to more than $3 trillion in worldwide losses this past year.

BEC: Gift Cards Scams Do the Holiday Shuffle

For email fraudsters, gift cards are the grift that keeps on giving. Since the subterfuge involves asking an employee to purchase gift cards for colleagues, victims are much less likely to inform others about the request—especially during the holiday season. Perpetrators are free to phish multiple targets within the same organization, boosting the size of their potential bounty. And since gift card codes are easily resold online, they’re nearly impossible to track.

Despite being the number one cash-out method for BEC scams for the past year, Q4 2019 did see some seasonal patterns emerge—including changes to the specific mix of gift cards sought by cybercriminals.

Google Play remains the most requested gift card in BEC schemes, but its share dropped from 27% to 16% of all attacks in just 90 days. Meanwhile, gift cards from eBay (15%), Target (13%), Walmart (9%), and BestBuy (8%) all saw significant increases in demand. The holiday season, and the fact that these online retailers sell physical goods, suggests scammers may have been looking to launder proceeds from stolen gift cards through tangible merchandise, rather than through traditional channels such as cryptocurrency exchanges.

This wasn’t the only surprise. During the weeks leading up to Christmas and New Year’s, BEC attacks fell 63% from the average seen during the rest of the quarter. With many employee targets out of the office, scammers either sought out other avenues of attack, or took some holiday downtime of their own.

Phishing Response: 60% of Employee-Reported Attacks are False Positives

Not every email attack is meant to lead to immediate financial payouts, of course. Sometimes they’re designed to harvest login credentials so cybercriminals can hijack email accounts and work their way laterally within and across organizations in order to steal valuable corporate data and IP.

Over 90% all data breaches start this way, according to Verizon’s 2019 Data Breach Investigations Report. Worldwide, the costs associated with breaches average more nearly $4 million per incident—and more than $8 million per incident for US-based businesses. The longer it takes to identify and contain a breach, the higher the costs get.

To help blunt these attacks, most large organizations provide employees with tools for reporting suspect emails at the push of a button. But the resulting avalanche of incident reports sent to Security Operations Centers (SOCs) may be doing more harm than good.

According to data captured in the report, 6 in 10 employee-reported phishing attacks are false positives. In separate research, ACID analysts have found that it takes roughly 7 hours to investigate and remediate a false-positive report. With Ponemon estimating that companies have a 28% chance of suffering at least one data breach sometime during the next 24 months, every moment spent chasing false positives means less time to prevent a costly breach.

2020 Reality Czech: An Eastern European Onslaught Ahead?

There was another trend our researchers found interesting in the quarterly data. It’s long been true that most BEC scams are launched using free webmail services. Gmail ranks as most weaponized of these platforms, accounting for 35% of all attacks. But during the last three months of 2019, longtime #2 choice Roadrunner fell off a cliff—dropping from 23% of all BEC attacks to just 3%.

For the first time since launching our tracking index, Gmail, Roadrunner, and brands like Earthlink and Virgin Media have been joined by a booming number of email schemes launched from Czech-based webmail platforms with names like and, and

The importance of this finding remains to be seen. But we suspect that after watching the rise of BEC from the sidelines in recent years, a growing number of eastern European cybercriminal organizations will seek to bring their operational firepower to bear for email attacks of their own in the months ahead.

The Threat: Unabated

It’s also unclear how many organizations are deploying the defenses needed to fight back against BEC fraud, phishing rackets, and other email threats that attack sender identity, hack human psychology, and easily bypass most email security controls.

Stopping this larceny requires an identity-focused defense, one that understands relationships and established behaviors between email senders and receivers. Even the growing number of attacks launched from compromised email accounts belonging to trusted co-workers or outside suppliers can’t replicate that kind of shared history.

For organizations aiming to gain this kind of intelligence, one of the biggest hurdles is access to a sufficient and continuously refreshed data set. At Agari, for instance, we analyze trillions of emails annually to stop all kinds of phishing attacks, remove latent threats that evade early detection, and reduce the time it takes to identify and contain data breaches to just minutes.

Until organizations take steps to protect themselves, BEC scams and phishing-related data breaches will continue undeterred, making every day feel like Christmas to the perpetrators behind them.

To learn more about the latest trends in BEC, phishing and other advanced email threats, download our Q1 2020 Identity Deception and Email Fraud Trends Report.

Leave a Reply

Your email will not be published. All fields are required.

Night time satellite image of south eastern usa

October 13, 2020 Crane Hassold

The Global Reach of Business Email Compromise (BEC)

Over the last five years, Business Email Compromise (BEC) has evolved into the predominant cyber…

Agari Blog Image

August 5, 2020 Michael Paiko

Phishing & BEC Scams Soar 3000%: Agari H2 2020 Email Fraud and Identity Deception Trends Report

Coronavirus-related phishing attacks and business email compromise (BEC) scams skyrocketed 3,000% from mid-March through early…

Agari Blog Image

July 17, 2020 Patrick Peterson

Business Email Compromise: New Shift in BEC Threat Landscape Puts CISOs on Notice

A seismic shift in the email threat landscape has CISOs bracing for sophisticated new forms…

Agari Blog Image

July 7, 2020 Crane Hassold

Cosmic Lynx: A Russian Threat Hits the BEC Scene

“At some point, Russian and Eastern European cybercriminals are going to start thinking to themselves,…

Agari Blog Image

June 30, 2020 Michael Paiko

Agari Summer '20 Release: CISOs Gain Unique Threat Intel to Their Organizations

With business email compromise (BEC) scams up sharply amid the coronavirus pandemic, CISOs have been…

mobile image