Business Email Compromise (BEC) Report: 62% of Scams Target Gift Cards, False Positives Trip Up Phishing Response

Michael Paiko, February 12, 2020

Gift cards topped cybercriminal wish lists in 62% of all business email compromise (BEC) scams last quarter, according to our Q1 2020 Email Fraud & Identity Deception Trends report.

Hardly a shock, given the holiday season. But that doesn’t mean there aren’t any surprises in the research.

The report, published by the Agari Cyber Intelligence Division (ACID), examines the current threat landscape for BEC, phishing attacks, and other advanced email threats from October through December 2019. Consistent with recent trends, it finds that the success of today’s most pernicious email scams is growing less dependent on technical prowess, and more on social engineering techniques that leverage human emotions like anxiety or curiosity.

This includes highly personalized emails from a “senior executive” pressuring corporate employees into making wire transfers to pay fraudulent invoices or, yes, buying gift cards to be awarded to colleagues. Because they forgo malicious links or malware, these attacks easily slip past the security controls at most organizations—and it shows.

According to the FBI, BEC scams account for more than $700 million in worldwide business losses each month, though other email attacks come with pretty big price tags of their own. Juniper Research estimates that data breaches, which nearly always begin with a phishing email, led to more than $3 trillion in worldwide business losses this past year.

BEC: Gift Card Scams Do the Holiday Shuffle

For email fraudsters, gift cards are the grift that keeps on giving. Since the subterfuge involves asking an employee to purchase gift cards for colleagues, victims are much less likely to inform others about the request—especially during the holiday season. Perpetrators are free to phish multiple targets within the same organization, boosting the size of their potential bounty. And since gift card codes are easily resold online, they’re nearly impossible to track.

Although gift cards have been the number one cash-out method for BEC scams for the past year, Q4 2019 did see some seasonal patterns emerge—including changes to the specific mix of gift cards sought by cybercriminals.

Google Play remains the most requested gift card in BEC schemes, but its share dropped from 27% to 16% of all attacks in just 90 days. Meanwhile, gift cards from eBay (15%), Target (13%), Walmart (9%), and Best Buy (8%) all saw significant increases in demand. The holiday season, together with the fact that these online retailers sell physical goods, suggests scammers may have been looking to launder proceeds from stolen gift cards through tangible merchandise, rather than through traditional channels such as cryptocurrency exchanges.

This wasn’t the only surprise. During the weeks leading up to Christmas and New Year’s, BEC attacks fell 63% from the average seen during the rest of the quarter. With many employee targets out of the office, scammers either sought out other avenues of attack, or took some holiday downtime of their own.

Phishing Response: 60% of Employee-Reported Attacks are False Positives

Not every email attack is meant to lead to immediate financial payouts, of course. Sometimes they’re designed to harvest login credentials so cybercriminals can hijack email accounts and work their way laterally within and across organizations in order to steal valuable corporate data and IP.

Over 90% of all data breaches start this way, according to Verizon’s 2019 Data Breach Investigations Report. Worldwide, the costs associated with breaches average nearly $4 million per incident—and more than $8 million per incident for US-based businesses. The longer it takes to identify and contain a breach, the higher the costs get.

To help blunt these attacks, most large organizations provide employees with tools for reporting suspect emails at the push of a button. But the resulting avalanche of incident reports sent to Security Operations Centers (SOCs) may be doing more harm than good.

According to data captured in the report, 6 in 10 employee-reported phishing attacks are false positives. In separate research, ACID analysts have found that it takes roughly 7 hours to investigate and remediate a false-positive report. With Ponemon estimating that companies have a 28% chance of suffering at least one data breach sometime during the next 24 months, every moment spent chasing false positives means less time to prevent a costly breach.

2020 Reality Czech: An Eastern European Onslaught Ahead?

There was another trend our researchers found interesting in the quarterly data. It’s long been true that most BEC scams are launched using free webmail services. Gmail ranks as the most weaponized of these platforms, accounting for 35% of all attacks. But during the last three months of 2019, longtime #2 choice Roadrunner fell off a cliff—dropping from 23% of all BEC attacks to just 3%.

For the first time since launching our tracking index, Gmail, Roadrunner, and brands like Earthlink and Virgin Media have been joined by a booming number of email schemes launched from Czech-based webmail platforms with names like and, and

The importance of this finding remains to be seen. But we suspect that after watching the rise of BEC from the sidelines in recent years, a growing number of eastern European cybercriminal organizations will seek to bring their operational firepower to bear for email attacks of their own in the months ahead.

The Threat: Unabated

It’s also unclear how many organizations are deploying the defenses needed to fight back against BEC fraud, phishing rackets, and other email threats that attack sender identity, hack human psychology, and easily bypass most email security controls.

Stopping this larceny requires an identity-focused defense, one that understands relationships and established behaviors between email senders and receivers. Even the growing number of attacks launched from compromised email accounts belonging to trusted co-workers or outside suppliers can’t replicate that kind of shared history.

For organizations aiming to gain this kind of intelligence, one of the biggest hurdles is access to a sufficient and continuously refreshed data set. At Agari, for instance, we analyze trillions of emails annually to stop all kinds of phishing attacks, remove latent threats that evade early detection, and reduce the time it takes to identify and contain data breaches to just minutes.

Until organizations take steps to protect themselves, BEC scams and phishing-related data breaches will continue undeterred, making every day feel like Christmas to the perpetrators behind them.

To learn more about the latest trends in BEC, phishing and other advanced email threats, download our Q1 2020 Identity Deception and Email Fraud Trends Report.
