New data from email security vendor Agari shows Business Email Compromise (BEC) attacks shifting tactics last quarter, in favor of scams resulting in larger payouts.
BEC scams are one of the easiest scams to initiate, as they only involve an email list, a way to send an email, and some good social engineering skills. And, according to Agari’s Q4 2019: Email Fraud & Identity Deception Trends report, cybercriminals are changing the focus towards those scams that pay out bigger returns.
According to the report, gift card scams – which reign as the undisputed leader in BEC scam quantity, saw a 9% decrease in Q3, from 65% of all BEC scams to 56%. In contrast, those decreases created increases in both payroll diversion (at 25%, up from 20% last quarter), and direct transfer scams (at 19%, up from 15% last quarter).
The report points out one of the possible reasons is the payout. According to the report, the average take for a gift card scam is around $1,571. In contrast, the average take for a wire transfer is over $52,000!
Regardless of the payout, organizations need to ensure employees don’t fall for these scams. Some of the common telltale signs are:
- Use of free webmail accounts – according to Agari, 54% of BEC attacks used from these accounts.
- Use of lookalike domains – 40% of all BEC attacks used domains made to look similar to known and established domain names.
- Targeting of specific roles – HR employees are the obvious target for payroll diversion scams. Direct transfer scams target members of Finance or Accounting. And Gift Card scams tend to focus on individuals with lower roles that directly interact with a member of the executive team.
Users need to be educated on these kinds of scams vis continual Security Awareness Training so they can easily spot suspicious content in email and on the web, and be able to navigate around a scam without falling for it.