Trustwave Rapid Response: CrowdStrike Falcon Outage Update. Learn More

Trustwave Rapid Response: CrowdStrike Falcon Outage Update. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

BEC Trends: Payroll Diversion Dominates and Sneaky Multi-Persona Attacks Emerge

Business Email Compromise (BEC) remains a lucrative threat vector for attackers. The FBI’s IC3 reported that in 2022, they received 21,832 complaints with adjusted losses of over $2.7 billion. When it comes to targeted attacks, threat actor sophistication is evident in their ever-evolving tactics, even as detection capabilities and preventative measures improve. Let’s take a look at the current BEC landscape for the first half of 2023.


BECTrendsPayrollDiversionPicture1Figure 1 Monthly Volume of BEC Emails Intercepted by Trustwave


On average, Trustwave’s MailMarshal Cloud intercepts over 2000 BEC messages per month. For the first quarter of the year, we saw a 25% increase in unique attacks compared to the last quarter of 2022. February accounted for the highest volume of BEC emails in the first half of the year. January is the second most active month for BEC. Based on our historical data, BEC emails appear to increase during the first quarter after the December holiday slump. As the year begins, people are gearing up for the tax season and the start of new endeavours. Fraudsters are sure to take advantage of this.

There’s a noticeable 31% decrease in attacks for the second quarter of the year. June is the least active month currently and attacks decreased by 39% compared to January.


Free Email Services Used in BEC

The vast majority of BEC messages are sent from free email services. Below are the top 10 webmail services used by threat actors:


Google was the free email service provider of choice for BEC spammers in H1 2023, with a whopping 84% of all the free webmail addresses used. Other webmail services observed include: iCloud, VK (, and Optimum (

Aside from free email services, new-born domains that were created to mimic legitimate company domains in the From and Reply-to header fields were also used by spammers. 35% of newly registered BEC domains also use Google as their registrar, followed by NameCheap Inc. with 25%.


Lures and Themes

BEC uses different bait topics to gain the attention of their victims. We delved into our data to determine what the most popular lures and themes were.

  • Payroll Diversion - Asks to change their bank account, payroll, or direct deposit information.
  • Request for Contact - Asks for the recipient’s mobile number or personal email address.
  • Task – Requesting assistance for urgent tasks or favours.
  • Availability - Very short emails asking if the victim is available, at the desk or at the office.
  • Invoice Transaction – Fraudulent emails about overdue invoice statements.
  • Gift Purchase - Talks about surprising employees with a gift, usually asks the recipient to buy a gift card.
  • Wire Transfer - Orders the recipient to prepare a certain amount of money for wire transfer.
  • Request for Document – Requests for a copy of aging report, w2, or vendor list.


Figure 2 Breakdown of the top BEC lures for H1 2023


Almost half of the total amount of observed attacks is using the Payroll Diversion tactic, where attackers pretend to be employees of the targeted company and try to redirect the payroll to their own bank account. It is no surprise to see that this lure is popular among fraudsters as changing payroll account is not an uncommon work practice.

Inquiry emails for requesting personal contact information is still widely used, coming in at second place. The social engineering technique used in this campaign utilizes email as the first point of contact. Once they successfully deceive and get the recipients’ contact information, like phone number or WhatsApp, they move the conversation to mobile where it is more likely to evade detection.

Fourth on the list is asking for the recipient’s availability, typically a one-liner email. Yes, spammers still use the good old “Are you available?” phrase in their attacks.


Gift Card Fraud

BEC attacks using a gift card lure is unique. Threat actors typically leverage the sense of urgency in their BEC messages like payroll diversion or task-related requests. Gift card fraud tugs at the heartstrings of the victims. Fraudsters impersonate the company’s executive and relay a message to their victims that they want to show appreciation for the employees’ hard work and efforts. They then ask them to purchase a gift card that supposedly will be sent out to the employees of the company.

For the first half of the year, Amazon is the most sought-after brand of gift card, with 64% of requests for gift card purchases. Apple’s iTunes gift card is the second most popular brand with 18%. Liquid cards, such as Visa and Amex, were also solicited by scammers and made up 11% of gift card fraud. Google Play card, which is typically used for apps and games, is also observed at 7%


Rise of Invoice Fraud and Multi-Persona BEC Spam

An interesting type of BEC has surfaced recently, which involves the impersonation of at least two entities. This BEC scam uses an “Invoice Transaction” lure to gain the attention of the recipient.

In this scheme, the threat actors disguise as both a company executive and a representative of the vendor company, typically from financial institutions. In the example shown below, the representative is supposedly from MHA MacIntyre Hudson, an accounting firm based in the United Kingdom.


BECTrendsPayrollDiversionPicture3Figure 3 First Email of Invoice Fraud Attack


The first email sent by the supposed executive tells the victim that a representative from the financial company is requesting payment for an unpaid invoice. Using the social engineering technique called Pretexting, the victim is given the background of the situation so the second email that will come from the vendor representative is not unusual.


BECTrendsPayrollDiversionPicture4Figure 4 Second Email of Invoice Fraud Attack


The second email is then sent by the alleged vendor official where they reiterate the request for payment of the overdue invoice.

We also observed a new variant of the invoice fraud scheme with a different method of correspondence. The first example discussed previously shows a classic tactic where fraudsters disguising as a vendor representative approach their victim. With this new variant, the supposed company executive orders the victim to initiate contact with the fake vendor representative.


BECTrendsPayrollDiversionPicture5Figure 5 New variant of Invoice Fraud BEC


To make the scam appear legitimate, these emails contain specific information such as an invoice number and date of scheduled payment. They are also longer in content and written in a professional manner unlike traditional BEC emails. The vendor representative names are real employees of the financial institutions that the scammers use in their invoice fraud scheme.. By impersonating a company executive and vendor, and using Pretexting, the threat actors put on a remarkably convincing front.



To summarize our findings, BEC messages increased in the first half of 2023. There was a spike in the number of observed messages in the first quarter followed by a sharp decline in the second quarter. Free email services were heavily used to send malicious emails and Gmail is the most abused webmail service. Payroll diversion, Request for Contact and Task requests were the top lures used by threat actors. And lastly, Multi-Persona Impersonation where fraudsters impersonate company executives and third-party vendors and uses Invoice Transaction lure is growing in numbers.

The BEC and spam landscape is constantly shifting and evolving. Historically, BEC messages are short and impersonate one executive. As time goes on, we are seeing even more sophisticated social engineering techniques being used in these attacks. In order to face these ever-changing malicious schemes, organizations need to strengthen their technological and human cybersecurity defenses.

As always, we urge everyone to exercise caution and stay up to date with the latest threats to avoid falling for these schemes.



Latest SpiderLabs Blogs

Cloudy with a Chance of Hackers: Protecting Critical Cloud Workloads

If you've been following along with David's posts, you'll have noticed a structure to the topics: Part I: The Plan, Part II: The Execution and now we move into Part III: Security Operations. Things...

Read More

Trustwave Rapid Response: CrowdStrike Falcon Outage Update

Trustwave is proactively assessing and monitoring our clients who may have been impacted by CrowdStrike’s recently rolled-out update for its Windows users. The critical issue identified with...

Read More

Using AWS Secrets Manager and Lambda Function to Store, Rotate and Secure Keys

When working with Amazon Web Services (AWS), we often find that various AWS services need to store and manage secrets. AWS Secrets Manager is the go-to solution for this. It's a centralized service...

Read More