9:00 AM on a Tuesday: The BEC Sweet Spot

Editor’s Note: This blog post was originally found on the Agari Email Security blog.

By Crane Hassold

Business email compromise (BEC) scams continue to grow at an unprecedented rate, with more sent by cybercriminals every single day. While they often differ in approach, recent research from the Agari Cyber Intelligence Division (ACID) shows that these text-based phishing attacks possess some commonalities that make them easier to spot.

BEC was a $1.3 billion problem in 2018, and if past trends are any indication, the dollars lost will be even larger this year. Unfortunately, attackers continue to grow more sophisticated in the ways they impersonate brands and individuals, inspiring their targets to act upon their requests before thinking to confirm legitimacy.

To further our understanding of what is changing in the email threat landscape, our researchers identified a few key characteristics common to a growing number of BEC emails over the last three months, which we’ve published in our latest Email Fraud and Identity Deception Trends report.

Gift Cards are King

In response, cybercriminals have changed their tactics. Two other methods — gift cards and payroll diversions — have become the predominant requests from BEC con artists seeking to steal money.

So why gift cards? In comparison to wire transfers, they offer many advantages, the largest being that they are more anonymous, as there are few ways to trace the payment in the way a bank account can be traced. Making matters easier, they are non-reversible and do not require a money mule or middleman — ensuring that the cybercriminal receives the full payment. And unlike wire transfers, which typically target an employee directly related to the finance department, these emails can target employees in any department, often masquerading as an email requesting gift cards for staff presents or fundraisers.

Still, the approach does come with a downside. While gift cards afford obvious benefits to BEC scammers, one of the biggest drawbacks is that the amount of money an attacker can pilfer per attack is far less with gift cards than with wire transfers. During the past quarter, for instance, the average dollar amount for gift cards requested in BEC scams was just over $1,500.

The lesson here? If someone asks for gift cards (or any form of payment), it is always best to check with them for an extra layer of protection. Cybercriminals use Google Play, Apple iTunes, and other types of gift cards to run their scams on a near-daily basis.

Attacks Occur Early

As for timing, scammers tend to follow the conventional wisdom among many legitimate email marketers that it is best to send emails first thing in the morning. Most attacks are sent at the start of the day, with more than half of all BEC attacks distributed between 8 AM and 12 PM. There seems to be a notable preference for 9 AM, presumably aiming to arrive just as someone is sitting down to work in the morning.

With subject lines like “Request” and “Urgent,” these emails hit at the exact moment that employees are thinking about their commute and their morning coffee, and just when they may be distracted enough to make a critical mistake.

BEC Remains Big Business

Until organizations decide to take steps to protect themselves, BEC scams will continue to reach inboxes. And the eye-popping revenues criminals generate with so little effort will continue to increase by the millions.

Learn more about our recent BEC research in the Q3 2019 Email Fraud and Identity Deception Trends report.

Agari is the Trusted Email Identity Company™, protecting companies and people from phishing and socially-engineered email attacks.
