In a large increase, 48% of all advanced email attacks involved brand impersonation this quarter.
Compromised accounts, a category that had seen double-digit growth in the previous two quarters, took a 33% plunge.
Cybercriminals are increasingly requesting gift cards in 65% of cash-out requests, supplanting wire transfers and other methods used in previous quarters.
Trendlines for phishing, business email compromise (BEC) scams, and other advanced email threats have once again shifted, as cybercriminal organizations continue to refine their methods. This summer, brand impersonations are in style and gift cards are the new money mule. The risks to businesses grow worse by the minute.
A sudden spike in phishing attacks impersonating trusted brands is rapidly reshaping the email threat landscape. Today, 60% of phishing campaigns employing identity deception tactics use display names designed to fool recipients into believing the message was sent by a known and trusted individual or brand. Over the last quarter, however, nearly half of these attacks impersonated prominent brands in the initial email—a sharp rise from the 34% seen in the previous quarter. Just 12% of identity-deception attacks impersonated individuals.
Nearly one-quarter of identity deception emails employed look-alike domains to send malicious content, the second most frequent type of deception tactic observed during the quarter. While some of these domains can be simply spoofed and sent using basic mailing tools, many are registered by phishing threat actors. The cost associated with registering a domain reduces the total possible ROI for scammers, which is likely why this tactic is not used more readily.
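The two deception tactics described above, display-name impersonation and look-alike domains, can be checked mechanically at the mail gateway. The following is an added example, not code from the report or its authors: it parses a From header and flags a display name that matches a protected brand or executive while the address is not on a trusted domain, and a sender domain that collapses to a trusted one after common homoglyph substitutions (rn for m, 0 for o, 1 for l) or sits within one edit of it. The trusted domains and protected names are constructed placeholders; a deployment would load the organization's own lists.

```python
import email.utils

# Constructed allow-lists standing in for the organization's real ones.
TRUSTED_DOMAINS = {"example.com", "examplebank.com"}
PROTECTED_NAMES = {"example bank", "jane doe"}

# Single-character and multi-character look-alike substitutions seen in
# registered phishing domains; extend as needed.
_SINGLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
_MULTI = (("rn", "m"), ("vv", "w"))


def normalize_domain(domain: str) -> str:
    """Collapse common homoglyph tricks so 'exarnp1e.com' reads as 'example.com'."""
    d = domain.lower().translate(_SINGLE)
    for seq, repl in _MULTI:
        d = d.replace(seq, repl)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_from(from_header: str) -> list:
    """Return sorted deception tags for a raw From header value ([] if clean)."""
    name, addr = email.utils.parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    tags = []
    if domain in TRUSTED_DOMAINS:
        # Exact trusted domain: nothing to flag here (authentication results
        # such as SPF/DMARC would be checked separately, since a domain can be spoofed).
        return tags
    norm = normalize_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        if norm == trusted or edit_distance(norm, trusted) <= 1:
            tags.append("lookalike_domain")
            break
    if name.strip().lower() in PROTECTED_NAMES:
        # Trusted name on an untrusted address: the display-name tactic above.
        tags.append("display_name_deception")
    return sorted(tags)


if __name__ == "__main__":
    # Constructed sample headers.
    for hdr in (
        "Jane Doe <jane.doe@example.com>",
        "Jane Doe <jane.doe@gmail.com>",
        "Example Bank <alerts@exarnplebank.com>",
        "Example Bank <alerts@examplebank.co>",
        "Vendor <billing@vendor.net>",
    ):
        print(f"{hdr:45} -> {analyze_from(hdr)}")
```

The exact-match branch treats a trusted domain as clean only for illustration; since the report notes such domains can be simply spoofed, a real pipeline would gate that branch on the message's authentication results.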
When BEC attacks first emerged in large numbers four to five years ago, the primary objective was to persuade a target—usually an employee in Accounts Payable or Finance—to wire money to a mule account under the mistaken belief that they were paying a legitimate vendor invoice.
Considering the US Treasury Department’s Financial Crimes Enforcement Network (FinCEN) reports BEC has led to $9 billion in business losses since 2016, the wire transfer angle seems to have worked out pretty well for the perpetrators.
But while this tactic is still in the picture, only 15% of BEC attacks seen over the last quarter used it as a cash-out method. Instead, two other methods—gift cards and payroll diversions—have become the predominant requests from BEC con artists seeking to steal money.
Indeed, far and away the most frequent cash-out mechanism in BEC scams today is gift cards. Nearly two-thirds (65%) of all BEC attacks observed by the ACID team requested that the target purchase gift cards and then send them to the attacker.
[Figure: Amount Requested per BEC Attack Type]
Because they’re more anonymous, less reversible, and far less cumbersome than using a mule as an intermediary, gift cards have quickly emerged as the most popular cash-out option for scammers over the past year. Still, the approach has a downside: the amount of money an attacker can pilfer per attack is far less with gift cards than with wire transfers. During the past quarter, for instance, the average dollar amount for gift cards requested in BEC scams was just over $1,500.
By comparison, the average proceeds from attacks leveraging wire transfers were nearly $65,000. But don’t cry for the cybercrooks just yet. While there is a massive disparity in the amount of money that can be swiped between these two approaches, the rising volume and frequency of gift-card-based BEC scams suggests the returns are well worth the effort.
The gift cards requested by fraudsters in BEC scams tend to share some key attributes. Over the last quarter, these attackers requested fourteen different types of gift cards. But 75% of them belonged to five brands—Google Play, Steam Wallet, Amazon, Apple iTunes, and Walmart. In our report on the cybercriminal group Scarlet Widow, we discuss this trend in more detail—including how gift cards obtained by BEC scammers are laundered through online cryptocurrency exchanges.
[Figure: Example Gift Card Request Email]
The second most common form of BEC attack seen was the payroll diversion scam. These cons primarily target employees in Human Resources, and comprised one in every five BEC attacks observed in this period. The objective of these attacks is to fool someone in HR into changing the direct deposit details for an employee, usually a prominent executive, to a bank account controlled by the fraudster.
As it happens, this form of BEC is the current preferred modus operandi for the Scattered Canary criminal group. And it has steadily increased as an attack modality for other organizations over the past year, driven by the ability to use prepaid cards to obtain temporary checking accounts from which to receive diverted funds.
[Figure: Example Direct Deposit Request Email]
BEC scams share other characteristics as well. Perhaps not surprisingly given their targets, the vast majority (97%) send attacks on weekdays. What may be surprising to some is just how closely cybercriminals adhere to what are seen as best practices by legitimate email marketers. Despite sometimes conflicting research and variances between industries, a general rule of thumb is that the best day to send an email is Tuesday. During the last quarter, roughly one in every four of all BEC emails arrived on a Tuesday, with the rest tapering off Wednesday through Friday.
Likewise, the conventional wisdom among many legitimate email marketers is that it’s best to send emails first thing in the morning. Sure enough, BEC scammers also tend to send their email campaigns at the start of the day: more than half of all BEC attacks are distributed between 8 AM and 12 PM, and 9 AM is the single most common hour, presumably so the message arrives just as someone is sitting down to work.
In the vast majority of cases, BEC attackers use free and temporary email accounts to launch their campaigns. During the last quarter, 62% of BEC emails were sent from an easily-acquired webmail account.
Consistent with previous trends, the email provider of choice for most attacks was Roadrunner (rr.com), accounting for 18.1% of all BEC campaigns. Gmail was a close second as the webmail provider used for sending 13.2% of BEC emails, followed by AOL at a distant third.
In contrast to attacks launched from free webmail accounts, a third of BEC attacks were sent from email accounts hosted on a domain that was registered by the perpetrators.
While there is usually a cost associated with registering a domain, this approach does allow a scammer to create a more credible-looking email address, thus increasing the perceived legitimacy of the bogus email.
It’s likely the remaining five percent of BEC emails were sent from compromised accounts. It should be noted that regardless of the email account of origin, the display name associated with the email is almost always changed to impersonate a senior executive at the target organization, or a person at a partner or vendor company.
[Figure: Top 10 Email Providers Used to Send BEC Emails]
Short and not-so-sweet. If you’ve ever wondered what a BEC email looks like, that pretty much sums it up. The message itself is usually brief, and is crafted to prompt an immediate response from the recipient. The subject lines are typically generic enough to avoid suspicion, but contain certain key words sure to garner attention.
Chief among them are “request,” “urgent,” and “task.” But it’s also worth noting that four of the top ten BEC subject lines leverage one of the simplest and most irresistible words in the English language—the recipient’s first name.
[Figure: Top Ten Most Common Subject Lines in BEC Emails]
The use of the target’s first name in BEC attacks is quickly becoming less trend and more status quo. Nearly a fifth of BEC emails in the last quarter were personalized to include the recipient in the subject line. This level of personalization is meant to make the email seem more legitimate and lower the recipient’s guard.
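The sender and subject-line traits described in the preceding paragraphs (free webmail origin, an executive's display name on an outside address, "request"/"urgent"/"task" in the subject, the recipient's first name in the subject, and a brief body) are all observable before a user ever reads the message, which makes them usable as a triage score. The following is an added example and not code from the report: it parses a raw RFC 822 message, awards points for each trait, and returns the reasons alongside the score. The executive directory, the free-webmail list beyond the providers the report names (rr.com, gmail.com, aol.com), the point weights and the threshold are all constructed assumptions.

```python
import email
import email.utils
import re
from email import policy

# Constructed directory of protected executives and their real addresses.
EXECUTIVES = {"pat jones": "pat.jones@example.com"}
# Providers the report names plus one assumed addition (yahoo.com).
FREE_WEBMAIL = {"rr.com", "gmail.com", "aol.com", "yahoo.com"}
URGENCY_WORDS = ("request", "urgent", "task")
BRIEF_BODY_WORDS = 30   # assumed cut-off for "short and not-so-sweet"
SUSPICIOUS_THRESHOLD = 3  # assumed


def _recipient_first_name(to_header: str) -> str:
    """Derive the recipient's first name from the display name or local part."""
    name, addr = email.utils.parseaddr(to_header)
    if name.strip():
        return name.split()[0].lower()
    local = addr.partition("@")[0]
    return re.split(r"[._-]", local)[0].lower()


def score_message(raw: str) -> dict:
    """Score one raw message; returns {'score': int, 'reasons': [str, ...]}."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender_name, sender_addr = email.utils.parseaddr(str(msg["From"] or ""))
    sender_domain = sender_addr.rpartition("@")[2].lower()
    subject = str(msg["Subject"] or "").lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    score, reasons = 0, []

    # Executive display name, but not the executive's real address.
    real = EXECUTIVES.get(sender_name.strip().lower())
    if real and sender_addr.lower() != real:
        score += 3
        reasons.append("executive display name on non-corporate address")

    if sender_domain in FREE_WEBMAIL:
        score += 1
        reasons.append(f"free webmail sender ({sender_domain})")

    hits = [w for w in URGENCY_WORDS if re.search(rf"\b{w}\b", subject)]
    if hits:
        score += 1
        reasons.append("urgency keyword in subject: " + ", ".join(hits))

    first = _recipient_first_name(str(msg["To"] or ""))
    if first and re.search(rf"\b{re.escape(first)}\b", subject):
        score += 1
        reasons.append("recipient first name in subject")

    if len(body.split()) < BRIEF_BODY_WORDS:
        score += 1
        reasons.append("brief body")

    return {"score": score, "reasons": reasons}


def is_suspicious(raw: str) -> bool:
    return score_message(raw)["score"] >= SUSPICIOUS_THRESHOLD


# Constructed sample messages (not real captures).
SAMPLE_BEC = """\
From: Pat Jones <patjones.ceo@gmail.com>
To: Sam Rivera <sam.rivera@example.com>
Subject: Sam, quick task

Are you at your desk? I need you to handle something for me today. Let me know.
"""

SAMPLE_BENIGN = """\
From: Pat Jones <pat.jones@example.com>
To: Sam Rivera <sam.rivera@example.com>
Subject: Q3 planning deck

Attached is the draft of the Q3 planning deck we discussed in Monday's staff
meeting. Please review the revenue slides and send comments by Thursday so we
can finalize before the board review next week. Thanks.
"""

if __name__ == "__main__":
    for label, raw in (("bec", SAMPLE_BEC), ("benign", SAMPLE_BENIGN)):
        print(label, score_message(raw))
```

The weights deliberately put most of the score on the executive-name mismatch, since the report notes the display name is almost always changed regardless of the originating account; the remaining traits are corroborating signals rather than verdicts on their own.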
It also shows the level of reconnaissance work some cybercriminals conduct prior to launching their malicious campaigns. Instead of simply scraping email addresses from company websites, some BEC groups meticulously curate target lists of specific executives and then use this data to construct personalized messages.
In fact, as our previous research has demonstrated, many BEC groups use commercial business intelligence services to construct tailored queries and collect comprehensive contact information for executives around the world—especially within financial services.
Some groups even appear to be using artificial intelligence to create fake emails that mimic the banter and writing style of trusted senders. According to news reports in the UK, a former MI5 agent is claiming that cybercriminal organizations are compromising email accounts using pilfered login credentials, and then deploying bots to scan the owner’s email archive to learn their personal writing style. They then launch phishing and BEC attacks from these trusted accounts, replicating the trusted sender’s own voice, and made all the more relevant by leveraging information specific to the target’s exchanges with the true account owner.
[Figure: Personalized Subject Line Example Email]