Mobile BEC Attacks on the Rise

A recent uptick in reports of SMS-based business email compromise (BEC) messages may indicate a wider trend: a surge of phishing scams delivered via text message.

“Phishing scams are prevalent in the SMS threat landscape, and now BEC attacks are also going mobile,” according to a Trustwave blog post that pointed to a tripling of unsolicited text messages reported to the FCC in 2022 over 2019.

“We have been seeing the trend of BEC steadily moving to mobile this year. We call it business text compromise,” said Sai Patrick Harr, CEO at SlashNext, which released a report showing a 50% increase in attacks on mobile devices, with scams and credential theft topping the list of payloads.

“Mobile devices are less protected, and it’s much easier to obfuscate the sender details on mobile devices. The most popular tactic we are seeing is cybercriminals sending these messages to new employees who are not as familiar with company processes and are eager to perform well in their job,” said Harr.

“BEC often works through social engineering, and the move to mobile devices is a natural evolution,” said Bud Broomhead, CEO at Viakoo. “Many organizations have comprehensive training on email phishing attacks and use automated solutions to stop spam; text messages can avoid both these defenses because of the inherent trust people have in their mobile devices.”

Noting that losses from BEC attacks have surpassed $43 billion globally and that “scammers are becoming more cunning with their lures,” Trustwave researchers said, “The flow and nature of a BEC attack in SMS are similar to email where attackers usually impersonate company executives,” with attackers making “a legitimate request, such as asking for a wire transfer, sending a copy of an aging report or changing a payroll account.”

“BEC attacks will always be here so long as they remain profitable. Remember, cybercrime and cybercrime-as-a-service is a trillion-dollar industry fueled by phishing, and BEC is the top dog of email-based attacks,” said Mika Aalto, co-founder and CEO at Hoxhunt.

The Anti-Phishing Working Group (APWG) said that gift card fraud dominated schemes during Q2 2022 and a December 2020 FTC report said that a quarter of the consumers who lost money in a scam paid with a gift card, most often from Target, Google Play, Apple, eBay and Walmart.

The attacks usually start with an email, with attackers asking for the victim’s mobile number—they also have numerous ways to get the number, including through a data breach, social media, people search sites and port-out scams. A port-out scam is fraud in which threat actors pose as victims and transfer or “port out” the victim’s phone number to a different service provider. “For this scam to work, attackers need to research and gather information about their target by using public records, social media platforms, data leaks or by snooping,” Trustwave said. “Once enough data has been collected on the target, attackers will contact the victim’s mobile phone service provider pretending to be the victim and will attempt to get the victim’s number transferred to a cell phone owned by the attacker.”

Then, with control of the phone number, scammers can “reset the target’s passwords on their services and platforms,” the researchers said. “All notifications and sign-in alerts typically received by the target’s phone will now be received by the attacker-controlled phone.”

By flipping from a BEC attack to an SMS attack, threat actors gain several advantages, the blog post posited, including limiting the information they provide that could be traced, increased interaction “that provides immediate communication between scammers and victims” and delivery as “in the case of a gift card scam, sending pictures of the gift cards is quick, making it easy for the attackers to obtain their goal.”

Smishing and mobile attacks failed to capture the attention of security professionals until a series of high-profile breaches—including those at Uber, Twilio and Cloudflare—jolted them into action, the SlashNext report noted. “Now mobile phishing attacks are on the rise, with 83 percent of organizations reporting mobile device threats growing more quickly than other device threats, according to Verizon Mobile Security Index 2022,” the report said. Those incidents, though, “demonstrate the rise in SMS phishing attacks” that successfully harvest credentials at the beginning of the attack chain to instigate a breach.

“These attacks were well-planned and executed,” the SlashNext report said. “They are hard to identify by users, meaning organizations can’t rely on employee training to stop SMS and other communication channel attacks.”

Broomhead contended that “SIM jacking is still way too easy; mobile network operators are still the weakest link as too many of their employees fall for social engineering methods that allow a mobile account to be transferred to another SIM.”

Despite users becoming better at using MFA, biometrics and other protections, he said, “without stopping SIM jacking, BEC attacks will continue to grow.”

BEC attacks’ “continued profitability proves that employee cybersecurity behavior is neglected and mismanaged by the compliance-based approach to security awareness,” said Aalto. “Security culture needs a reformation that begins with transforming the human layer into an asset which, when empowered by the right training and platform, augments the protect-detect-respond pillars of the NIST framework.”

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.