Going Mobile: BEC Attacks Are Moving Beyond Email
Recently, we’ve noticed an increase in user reports of SMS-based Business Email Compromise (BEC) messages. This seems to be part of a wider trend as phishing scams via text messages surge. The Federal Communications Commission (FCC) observed an increase in unsolicited text messages, with 2022 practically tripling the number of phishing texts reported to the FCC in 2019.
Phishing scams are prevalent in the SMS threat landscape, and now, BEC attacks are also going mobile. Business Email Compromise remains one of the biggest cybersecurity threats today. Losses from this attack type have surpassed $43 billion globally, according to the Federal Bureau of Investigation (FBI). As time goes by, scammers are becoming more cunning with their lures.
The flow and nature of a BEC attack in SMS is similar to email where attackers usually impersonate company executives. Attackers make a legitimate request, such as asking for a wire transfer, sending a copy of an aging report, or changing a payroll account. Among these requests, gift card fraud was the most common scheme in the second quarter of 2022, according to the Anti-Phishing Working Group (APWG). The Federal Trade Commission (FTC) has a report from December 2020 which shows that nearly 1-in-4 consumers who lost money due to fraud said that they paid with a gift card. Target, Google Play, Apple, eBay and Walmart were the most reported gift card brands that consumers mentioned in fraud reports.
Figure 1: Typical conversation in a BEC SMS attack
- Attackers send the first message to the chosen target. Their goal is to establish a relationship with the victim.
- Often, the attackers will mention that they are in a meeting or conference and can’t accept calls. This is a tactic employed to avoid the attacker and scam being discovered. The initial message is written with a sense of urgency to further lure the victim into the scam.
- Once the victim replies to the message, the attacker will ask the victim to purchase a gift card, with the promise of reimbursement for the purchase.
- Next, the attacker asks the victim to send the gift card codes back to them via text or by sending a picture of the codes on the scratched-off gift card.
Traditionally, attacks start with an email, like the one shown below, where the attackers ask for the victim’s mobile number. Once the attackers have the victim’s mobile number, they move on to the next phase, changing their mode of communication to SMS.
Figure 2: Scammers asking for the victim's number
As early as 2019, multiple reports of BEC messages being sent directly to personal mobile phone numbers began to surface.
Scammers have multiple ways in which they attempt to acquire the target’s phone number.
How Scammers Obtain Mobile Numbers:
- Data breach
Data breaches from telecommunications and social media platforms contain the users’ phone numbers, names, email addresses, and other Personally Identifiable Information (PII).
Data breaches not only damage a company’s reputation due to the perceived ‘betrayal of trust’, but companies can also face legal penalties. Finally, customers that are affected by the breach could potentially suffer identity theft or financial loss.
- Social Media
Phone numbers are spread across many social media platforms. These phone numbers can be used for multi-factor authentication and can be posted publicly for different purposes. To collect phone numbers from the web, scammers use various techniques, including web-scraping, which is the process of gathering data from a website. Data gathering can be done manually, or by using a bot.
- People Search Sites
Data brokers, also known as information resellers or information brokers, are individuals or companies that collect and sell personal information about consumers. They can gather information about their target group from a variety of public and private sources, such as web-scraped information, website cookies, government records, or purchase history. They can buy it from other data brokers as well.
People search sites are a type of data broker. These search sites aggregate information and build a report about the consumer.
According to the FTC, if a person has the target’s name, they can buy a report that contains the following details:
- Age, date of birth, and gender
- Contact number or email address
- Other names used
- Current and previous addresses
- Marital status
- Education and employment history
- Criminal and civil records
- The name and address of family members
This service is often used by telemarketers in creating and displaying advertisements for a certain demographic. However, it can also be used for social engineering attacks, doxing, or identity theft.
- Port-Out scam
A port-out scam is a type of fraud wherein threat actors pose as a victim and transfers (or “ports out”) the victim’s phone number to a different service provider. For this scam to work, attackers need to research and gather information about their target by using public records, social media platforms, data leaks, or by snooping. Once enough data has been collected on the target, attackers will contact the victim’s mobile phone service provider pretending to be the victim and will attempt to get the victim’s number transferred to a cell phone owned by the attacker. Once attackers have control of the phone number, they can use it to reset the target’s passwords on their services and platforms.
All notifications and sign-in alerts that typically would be received by the target’s phone will now be received by the attacker-controlled phone.
Once the threat actors get a hold of a victim’s number, they can use a reverse lookup service to gather more personal information on the target, such as full name, address, and even criminal records. They can use this to perform identity theft or craft a social engineering attack that the victim might fall for – such as a BEC attack. Compromised accounts through port-out scams can also be used to send out fraudulent messages to the victim’s contacts.
Switching from a BEC attack to an SMS attack provides several advantages for threat actors, such as:
Limited Information – Once the attacker has control of the victim’s phone number and has moved cellular service to a new provider, the only way to verify the identity of the person communicating from the mobile phone number, for example communicating by text message from the victim’s mobile phone, is to speak directly with the person communicating, via phone call. Unlike in email, there is no sender address or ‘Received’ headers to check. With so little information displayed in a text message, it can be difficult to tell whether a message is coming from a legitimate source or from an attacker.
Increased Interaction – BEC attacks sent using text messages give threat actors a greater ability to guide their victim throughout the entire process of buying a gift card. Texting is an interactive medium that provides immediate communication between scammers and victims, allowing victims to easily share issues, like not having the exact cards requested, to which the scammers can reply and guide the victim on next steps.
Delivery – In the case of a gift card scam, sending pictures of the gift cards is quick, making it easy for the attackers to obtain their goal.
How to Protect Against BEC attacks:
- Security Awareness Training
Proper training on how to identify and take action when encountering any type of malicious email or text message is the key to preventing BEC attacks. BEC messages can evade spam filters and exploit human vulnerabilities. Effective training should teach users how social engineering works in these attacks and provide the steps necessary to report suspected BEC attacks to the security team.
- Telephone or Personal Verification
BEC messages often ask for communication in written form via text messages instead of communicating by telephone in order to avoid the attacker’s unmasking. Employing a telephonic or in-person verification for any requested financial transactions or account changes can help in verifying the legitimacy of the request. The contact’s mobile number should be registered in the company’s official directory to aid in verifying the identity of the person sending messages, as email or a text message alone cannot be trusted to verify a legitimate source.
- Multi-factor Authentication (MFA)
Adding another layer of authentication when logging in to an account makes it difficult for threat actors to gain access to an email or social media platform. Activating MFA can be done through a dedicated application, One-Time Passwords (OTP), biometric or security questions.
- Social Media Awareness
Data posted publicly on the Internet can be scraped or collected. Avoid posting contact details, PII, and company related information, such as job responsibilities or organizational charts.
The threat landscape continues to change and BEC is evolving beyond email. Whatever form a BEC attack takes, it is sure to have financial and reputational damage repercussions for many organizations. Combining awareness training, technical security and best practices training can help organizations in guarding against and possibly avoiding BEC attacks.
As always, we recommend that everyone stay vigilant when receiving unsolicited messages and follow the organization’s procedures for reporting a suspected BEC attack.