Compromise-by-Text turns out to be an even better medium for cybercriminals to fool users into becoming victims. A new article from security vendor Asigra demonstrates how and why.
We’ve recently covered the increase in the use of mobile devices as an attack vector by cybercriminals. Researchers at Asigra recently published an article with examples of SMS-based attack tactics, in which they walk through a mobile attack in detail and highlight why using mobile messaging (SMS) is a great idea for a cybercriminal.
The BEC attack starts out with an email sent to the victim supposedly from someone higher up in the organization asking them for their personal cell number. This switching of mediums seems to lessen the likelihood of the victim realizing it’s a scam. Then the attack generally turns to either the CEO gift card scam or some kind of fraud activity.
Once provided with the mobile number, the medium switches to text only. This gives the cybercriminal a few advantages:
- Credibility – if the victim has given out their mobile number, they already believe the other person is the higher-up. And since the only identification in the text is a mobile number, there’s no sender address to look at that would reveal the message is bogus.
- Participation – since texting is a far more interactive medium, the scammer can be actively involved with the victim. In the case of a gift card scam, the victim can communicate issues like not having the cards requested, etc. and get an immediate response from the scammer.
- Delivery – in the case of a gift card scam, sending pics of the gift cards is now a simple task, making it easy for the scammer to obtain their payoff.
Users need to be wary of any kind of request supposedly coming from the CEO or anyone else in authority. Proper Security Awareness Training will dictate that any request involving money, banking details, etc. should require a phone call to the requestor. That same training will also educate users on these kinds of scams, empowering them to quickly identify and avoid them. We have dedicated training modules against these types of mobile attacks.