Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

COVID-19 Fuels Phishing and Scams While BEC Attacks Evolve and Increase

Between the second and third weeks of March 2020, email scams and phishing attacks spiked by an unprecedented 436%. Such was the effect of the COVID-19 pandemic. Meanwhile, business email compromise (BEC) attacks have been less affected by the pandemic, but have also increased and evolved.

Between the second and third weeks of March 2020, email scams and phishing attacks spiked by an unprecedented 436%. Such was the effect of the COVID-19 pandemic. Meanwhile, business email compromise (BEC) attacks have been less affected by the pandemic, but have also increased and evolved.

BEC attacks represent a low percentage of email attacks by volume, but a disproportionally high percentage of overall loss to business. According to the 2019 FBI IC3 report, BEC was responsible for more than 50% of all cybercrime-related financial loss.

According to Abnormal Security’s Quarterly BEC Report Q1 2020 (PDF), there have been several major shifts in BEC attack patterns. The first is a move away from targeting individual C-Suite leaders towards targeting finance employees. The former has decreased by 37% between Q4 2019 and Q1 2020, while the latter has increased by 87% over the same period.

Linked to this has been a discernible shift away from individual targets towards attacks against groups of ten or more targets. “By targeting a group within an organization,” say the Abnormal researchers, “the attacker increases the likelihood of a response from one individual, creating legitimacy across the other targets.” Such attacks increased by 17%.

Another development has been a movement away from paycheck and engagement fraud towards invoice fraud. The former has declined by 50% since the previous quarter, while the latter has increased by more than 75%. The criminals are exploiting the generally high level of trust in the supply chain combined with less well-established communication channels, most usually conducted by email, between the companies.

Overall, BEC attacks per thousand mailboxes (a measure used to normalize figures for comparative purposes) increased by 28% from Q4 2019 to Q1 2020. However, despite warnings from other organizations, there is little evidence to suggest that criminals are using pandemic-related themes to fuel new BEC variants.

Similarly, there is yet no evidence of the predicted surge in the use of deepfake technology in BEC attacks. “Deepfakes certainly represent a looming tactic to socially engineered attacks such as BEC,” Ken Liao, Abnormal’s VP of cybersecurity strategy, told SecurityWeek. “However, deepfake voice or video may not be as effective as simple email. When the goal of a BEC attack is to change the bank routing number for a payment or paycheck, or deliver a fraudulent invoice, voice and video aren’t the ideal mechanisms in which to deliver this information.”

BEC attacks do not get the media coverage given to phishing/scam attacks, which are more widespread, frequent, and noisy. Statistically, they have been swamped by the huge surge in phishing attacks riding the fear and uncertainty of the pandemic. But they haven’t gone away, are still increasing, and continuously evolving, and continue to be a major threat to business. “By volume, BEC attacks represent a small percentage of the total number of email attacks in general. BEC attacks are targeted attempts, done after the targets have been identified and researched.” The cost to business remains disproportionately high.

Advertisement. Scroll to continue reading.

San Francisco, California-based Abnormal Security was founded in 2018 by Evan Reiser (CEO), and Sanjay Jeyakumar (CTO). It emerged from stealth in November 2019 with a $24 million funding round led by Greylock Partners.

Related: Tax Phishing Campaign Reminds of DMARC Limitations 

Related: Nigerian Threat Actors Specializing in BEC Attacks Continue to Evolve 

Related: Healthcare, Government Organizations Targeted in BEC Attacks With COVID-19 Lures 

Related: FBI Expects Increase in COVID-19-Themed BEC Scams 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.