Email Security Blog

Business Email Compromise (BEC) Report: 62% of Scams Target Gift Cards, False Positives Trip Up Phishing Response

Michael Paiko February 12, 2020 BEC, Business Email Compromise, Uncategorized

Gift cards topped cybercriminal wish lists in 62% of all business email compromise (BEC) scams last quarter, according to our Q1 2020 Email Fraud & Identity Deception Trends report.

Hardly a shock, given the holiday season. But that doesn’t mean there aren’t any surprises in the research.

The report, published by the Agari Cyber Intelligence Division (ACID), examines the current threat landscape for BEC, phishing attacks, and other advanced email threats from October through December 2019. Consistent with recent trends, it finds that the success of today’s most pernicious email scams is growing less dependent on technical prowess, and more on social engineering techniques that leverage human emotions like anxiety or curiosity.

This includes highly-personalized emails from a “senior executive” pressuring corporate employees into making wire transfers to pay fraudulent invoices or yes, buying gift cards to be awarded to colleagues. Because they forego malicious links or malware, these attacks are easily slipping past most security controls most organizations—and it shows.

According to the FBI, BEC scams account for more than $700 million in worldwide business losses each month, though other email attacks come with pretty big price tags of their own. Juniper Research estimates business losses from data breaches, which nearly always begin with a phishing email, led to more than $3 trillion in worldwide losses this past year.

BEC: Gift Cards Scams Do the Holiday Shuffle

For email fraudsters, gift cards are the grift that keeps on giving. Since the subterfuge involves asking an employee to purchase gift cards for colleagues, victims are much less likely to inform others about the request—especially during the holiday season. Perpetrators are free to phish multiple targets within the same organization, boosting the size of their potential bounty. And since gift card codes are easily resold online, they’re nearly impossible to track.

Despite being the number one cash-out method for BEC scams for the past year, Q4 2019 did see some seasonal patterns emerge—including changes to the specific mix of gift cards sought by cybercriminals.

Google Play remains the most requested gift card in BEC schemes, but its share dropped from 27% to 16% of all attacks in just 90 days. Meanwhile, gift cards from eBay (15%), Target (13%), Walmart (9%), and BestBuy (8%) all saw significant increases in demand. The holiday season, and the fact that these online retailers sell physical goods, suggests scammers may have been looking to launder proceeds from stolen gift cards through tangible merchandise, rather than through traditional channels such as cryptocurrency exchanges.

This wasn’t the only surprise. During the weeks leading up to Christmas and New Year’s, BEC attacks fell 63% from the average seen during the rest of the quarter. With many employee targets out of the office, scammers either sought out other avenues of attack, or took some holiday downtime of their own.

Phishing Response: 60% of Employee-Reported Attacks are False Positives

Not every email attack is meant to lead to immediate financial payouts, of course. Sometimes they’re designed to harvest login credentials so cybercriminals can hijack email accounts and work their way laterally within and across organizations in order to steal valuable corporate data and IP.

Over 90% all data breaches start this way, according to Verizon’s 2019 Data Breach Investigations Report. Worldwide, the costs associated with breaches average more nearly $4 million per incident—and more than $8 million per incident for US-based businesses. The longer it takes to identify and contain a breach, the higher the costs get.

To help blunt these attacks, most large organizations provide employees with tools for reporting suspect emails at the push of a button. But the resulting avalanche of incident reports sent to Security Operations Centers (SOCs) may be doing more harm than good.

According to data captured in the report, 6 in 10 employee-reported phishing attacks are false positives. In separate research, ACID analysts have found that it takes roughly 7 hours to investigate and remediate a false-positive report. With Ponemon estimating that companies have a 28% chance of suffering at least one data breach sometime during the next 24 months, every moment spent chasing false positives means less time to prevent a costly breach.

2020 Reality Czech: An Eastern European Onslaught Ahead?

There was another trend our researchers found interesting in the quarterly data. It’s long been true that most BEC scams are launched using free webmail services. Gmail ranks as most weaponized of these platforms, accounting for 35% of all attacks. But during the last three months of 2019, longtime #2 choice Roadrunner fell off a cliff—dropping from 23% of all BEC attacks to just 3%.

For the first time since launching our tracking index, Gmail, Roadrunner, and brands like Earthlink and Virgin Media have been joined by a booming number of email schemes launched from Czech-based webmail platforms with names like and, and

The importance of this finding remains to be seen. But we suspect that after watching the rise of BEC from the sidelines in recent years, a growing number of eastern European cybercriminal organizations will seek to bring their operational firepower to bear for email attacks of their own in the months ahead.

The Threat: Unabated

It’s also unclear how many organizations are deploying the defenses needed to fight back against BEC fraud, phishing rackets, and other email threats that attack sender identity, hack human psychology, and easily bypass most email security controls.

Stopping this larceny requires an identity-focused defense, one that understands relationships and established behaviors between email senders and receivers. Even the growing number of attacks launched from compromised email accounts belonging to trusted co-workers or outside suppliers can’t replicate that kind of shared history.

For organizations aiming to gain this kind of intelligence, one of the biggest hurdles is access to a sufficient and continuously refreshed data set. At Agari, for instance, we analyze trillions of emails annually to stop all kinds of phishing attacks, remove latent threats that evade early detection, and reduce the time it takes to identify and contain data breaches to just minutes.

Until organizations take steps to protect themselves, BEC scams and phishing-related data breaches will continue undeterred, making every day feel like Christmas to the perpetrators behind them.

To learn more about the latest trends in BEC, phishing and other advanced email threats, download our Q1 2020 Identity Deception and Email Fraud Trends Report.

Agari Blog Image

December 16, 2021 John Wilson

Common Phishing Email Attacks | Examples & Descriptions

What does a phishing email look like? We've compiled phishing email examples to help show…

Agari Blog Image

December 8, 2021 John Wilson

What Is Email Phishing? [How to Protect Your Enterprise]

Phishing emails can steal sensitive data and cost companies' reputation. However, protecting a company from…

Envelope with skull and cross-bones

December 1, 2021 John Wilson

Identifying and Mitigating Email Threats

Email  threats are ever evolving, and it’s important to stay up to date. Here are…

Woman-shopping on cell phone

November 30, 2021 Mike Jones

It’s the Most Wonderful Time of the Year… for Cybercriminals

The holiday season is upon us, which means it’s also the busiest time of the…

laptop with envelope and security badge-secure email

November 24, 2021 John Wilson

TLS for Email: What is it & How to Check if an Email Uses it

Transport Layer Security (TLS) is encryption to secure email messages between sender and receiver to…

mobile image