Business Email Compromise (BEC) attacks – where cybercriminals impersonate company managers via email and try to trick employees into sending a bank transfer or something similar – are moving to mobile devices, security experts have warned.
AND report (opens in a new tab) from Trustwave found that the number of BEC attacks that use a short message service (SMS) instead of email is steadily increasing.
The process is almost identical – the attacker contacts the victim, introduces himself as one of the directors of the company, and provides a copy of the aging report. In the same message, they ask the victim to initiate a bank transfer, change their payroll account, or transfer company funds in some other way.
Stronger than email
Researchers say there are many advantages to using SMS for BEC attacks instead of email. It is obvious that there are fewer elements that can arouse the victim’s suspicions. While every e-mail contains the sender’s address, which may be the first way to check for potential fraud, an SMS only contains a phone number, and in many cases employees do not know their bosses’ numbers and may not check them.
In addition, attackers can reject a potential phone call by saying they are in a meeting or otherwise unable to answer the call. Finally, SMS communication is much faster than email, which allows cybercriminals to get the job done much faster. Trustwave also points to a report from the Federal Communications Commission (FCC) which found that unsolicited text messages increased three-fold in 2022 compared to 2019.
Initiating bank transfers can also be suspicious, which is why scammers usually ask victims to buy a gift card. They promised victims that their purchase would be returned. In most cases, scammers ask their victims to purchase gift cards from Target, Google Play, Apple, eBay or Walmart.
To protect against SMS-based BEC attacks, companies should educate their employees on security (opens in a new tab) awareness and have them always verify people’s identities when communicating via text messages, Trustwave said.
In addition, they should raise awareness among their employees that private data can be stolen from social media accounts and used in attacks, and finally, they should insist on multi-factor authentication (MFA) where possible to make it harder for cybercriminals to gain access to valuable systems.