Text Messaging Latest Vector for BEC Attacks
Trustwave is reporting an increase in business email compromise (BEC) attacks via text messages. This seems to be part of a wider trend as phishing scams via text messages surge.
The Federal Communications Commission (FCC) observed an increase in unsolicited text messages, with the number of phishing texts reported to the FCC in 2022 nearly triple the number reported in 2019.
BEC remains one of the biggest cybersecurity threats today. Losses from this attack type have surpassed $43 billion globally, according to the FBI. As time goes by, scammers are becoming more cunning with their lures.
The flow and nature of a BEC attack in text messaging is similar to email, where attackers usually impersonate company executives. Attackers make what appears to be a legitimate request, such as asking for a wire transfer, sending a copy of an aging report, or changing a payroll account.
Among these requests, gift card fraud was the most common scheme in the second quarter of 2022, according to the Anti-Phishing Working Group (APWG). A Federal Trade Commission (FTC) report from December 2020 shows nearly one in four consumers who lost money due to fraud said they paid with a gift card. Target, Google Play, Apple, eBay and Walmart were the gift card brands that consumers mentioned most often in fraud reports.
Maria Katrina Udquin is a security researcher at Trustwave.
“The threat landscape continues to change and BEC is evolving beyond email,” she said. “Whatever form a BEC attack takes, it is sure to have financial and reputational damage repercussions for many organizations. Combining awareness training, technical security and best practices training can help organizations in guarding against and possibly avoiding BEC attacks.”
Patrick Harr is CEO of SlashNext, an anti-phishing company.
“We have been seeing the trend of BEC steadily moving to mobile this year,” he said. “We call it business text compromise. Mobile devices are less protected and it’s much easier to obfuscate the sender details on mobile devices. The most popular tactic that we are seeing is cybercriminals sending these messages to new employees, who are not as familiar with company processes and are eager to perform well in their job. It’s essential to protect against these types of threat, which will most likely increase in 2023, by using mobile SMS/text protection against natural language-based attacks.”
Current defenses are not tuned to find BEC attacks, Harr said.
“These attacks are rising, via both email and mobile, and the gateway to ransomware and BEC continues to be phishing,” he said. “As phishing continues to grow as a vector for ransomware attacks, zero-hour, real-time threat prevention solutions are critical to prevent these threats. The ability to block employee web traffic to phishing sites, via malicious links and other vectors, and stop a ransomware attack at the start of the kill chain, is of the greatest importance.”