Business Email Compromise (BEC) attacks, in which threat actors assume the identities of corporate executives via email and attempt to trick employees into sending a bank transfer or the like, are going mobile, experts have warned in safety.
A report ( opens in a new tab ) from Trustwave has revealed that the number of BEC attacks that leverage short message service (SMS) instead of email has been steadily increasing.
The process is almost identical: the attacker would contact the victim, introduce himself as one of the company's executives, and share a copy of a seniority report. In the same message, they would ask the victim to initiate a bank transfer, set up a payroll account, or transfer company funds in some other way.
More powerful than email
According to the researchers, there are many advantages to using SMS for BEC attacks instead of emails. The most obvious is that there are fewer elements that could make the target suspicious. While every email contains the sender's address, which may be the first way to check for possible fraud, an SMS message only contains the phone number and, in many cases, employees do not have their bosses' numbers and it is possible don't check them.
Additionally, attackers can reject a potential phone call, saying they are in a meeting or unable to answer the call. Finally, SMS communication is much faster than email, allowing threat actors to get the job done much faster, and Trustwave also points to a Federal Communications Commission (FCC) report indicating that SMS Unrequestable text messages tripled in 2022 compared to 2019.
Initiating wire transfers is also something that can arouse suspicion, which is why scammers often ask victims to purchase a gift card. They promised the victims that their purchase would be refunded. Most of the time, the scammers asked their targets to buy gift cards from Target, Google Play, Apple, eBay, or Walmart.
To protect against SMS-based BEC attacks, companies should educate their staff on security (opens in a new tab) and instruct them to always verify people's identities when communicating via SMS, Trustwave said.
In addition, they should inform their employees that private data can be exfiltrated from social media accounts and used in attacks, and lastly, they should insist on Multi-Factor Authentication (MFA) wherever possible, to make it difficult for others to access. threat actors. valuable systems.