Email Security Blog

9:00 AM on a Tuesday: The BEC Sweet Spot

Crane Hassold September 10, 2019 Business Email Compromise

Business email compromise (BEC) scams continue to grow at an unprecedented rate, with more sent by cybercriminals every single day. While they often differ in approach, recent research from the Agari Cyber Intelligence Division (ACID) shows that these text-based phishing attacks possess some commonalities that make them easier to spot.

BEC was a $1.3 billion dollar problem in 2018, and if past trends are any indication, the dollars lost will be even larger this year. Unfortunately, attackers continue to grow more sophisticated in the ways they impersonate brands and individuals, inspiring their targets to act upon their requests before thinking to confirm legitimacy.

To further our understanding of what is changing in the email threat landscape, our researchers identified a few key characteristics common to a growing number of BEC emails over the last three months, which we’ve published in our latest Email Fraud and Identity Deception Trends report.

Gift Cards are King

When BEC attacks first emerged in large numbers approximately five years ago, the primary object was to persuade the target to wire money to a criminal’s bank account under the assumption that they were paying a legitimate vendor invoice. And while this tactic is still in the picture, Accounts Payable and Finance departments have grown aware of it—making it harder to pull off and decreasing revenues.

In response, cybercriminals have changed their tactics. Two other methods—gift cards and payroll diversions—have become the predominant requests from BEC con artists seeking to steal money.

So why gift cards? In comparison to wire transfers, they offer many advantages, the largest being that they are more anonymous, as there a few ways to trace the payment in the same way a bank account can. Making matters easier, they are non-reversible and do not require a money mule or middleman—ensuring that the cybercriminal receives the full payment. And unlike wire transfers, which typically target an employee directly related to the finance department, these emails can target employees in any department, often masquerading as an email requesting gift cards for staff presents or fundraisers.

Still, the approach does come with a downside. While gift cards afford obvious benefits to BEC scammers, one of the biggest drawbacks is that the amount of money an attacker can pilfer per attack is far less with gift cards than with wire transfers. During the past quarter, for instance, the average dollar amount for gift cards requested in BEC scams was just over $1,500.

The lesson here? If someone asks for gift cards (or any form of payment), it is always best to check with them for an extra layer of protection. Cybercriminals use Google Play, Apple iTunes, and other types of gift cards to run their scams on a near-daily basis.

Attacks Occur Early

Speaking of a daily basis, recent research shows that BEC scams are sent seven days a week. That said, the vast majority (97%) send attacks on weekdays, perhaps not surprisingly given their targets. What may be surprising to some is just how closely cybercriminals adhere to what are seen as best practices by legitimate email marketers. Despite sometimes conflicting research and variances between industries, a general rule of thumb is that the best day to send an email is Tuesday. During the last quarter, roughly one in every four of all BEC emails arrived on a Tuesday, with the rest tapering off Wednesday through Friday.

And as far as timing, scammers tend to follow conventional wisdom among many legitimate email marketers which states that it is best to send emails first thing in the morning. Most attacks are sent at the start of the day, with more than half of all BEC attacks distributed between 8 AM and 12 PM. There seems to be a notable preference for 9 AM, presumably aiming to arrive just as someone is sitting down to work in the morning.

With subject likes like “Request” and “Urgent,” these emails hit at the exact moment that employees are thinking about their commute and their morning coffee, and just when they may be distracted enough to make a critical mistake.

BEC Remains Big Business

As average losses from successful BEC attacks continue to grow, the way organizations respond to this growing threat is of critical importance. Unfortunately, secure email gateways and other legacy email security systems cannot detect these threats as they contain no malicious links or attachments. In contrast, the Agari Identity Graph leverages data science and real-time intelligence from trillions of emails to establish normative, trusted behaviors and signals between email sender and recipient—including devices, message volumes, locations, and more—to spot and neutralize advanced email threats.

Until organizations decide to take steps to protect themselves, BEC scams will continue to reach inboxes. And the eye-popping revenues criminals generate with so little effort will continue to increase by the millions.

Learn more about our recent BEC research in the Q3 2019 Email Fraud and Identity Deception Trends report. 

Leave a Reply

Your email will not be published. All fields are required.

Agari Blog Image

July 7, 2020 Crane Hassold

Cosmic Lynx: A Russian Threat Hits the BEC Scene

“At some point, Russian and Eastern European cybercriminals are going to start thinking to themselves,…

Agari Blog Image

June 30, 2020 Michael Paiko

Agari Summer '20 Release: CISOs Gain Unique Threat Intel to Their Organizations

With business email compromise (BEC) scams up sharply amid the coronavirus pandemic, CISOs have been…

Agari Blog Image

June 22, 2020 Michael Paiko

Forrester: Agari Phishing Defense™ Works a 97% ROI Over Three Years

A new Total Economic Impact (TEI) Study from Forrester finds that Agari Phishing Defense™ (APD)…

Agari Blog Image

May 29, 2020 Ronnie Tokazowski

Business Email Compromise (BEC): W2 Scams Make an Unexpected Comeback in 2020

After barely registering a pulse last year, W2-based business email compromise (BEC) scams are back…

Agari Blog Image

May 19, 2020 Crane Hassold

Scattered Canary Cybercrime Ring Exploits the COVID-19 Pandemic with Fraudulent Unemployment and CARES Act Claims

Recently, news broke about how a sophisticated Nigerian cybercriminal organization has been committing mass unemployment…

mobile image