Business Email Compromise (BEC) attacks – in which threat actors assume the identities of business executives over email and try to trick employees into sending a wire transfer or something similar – are going mobile, security experts have warned.
A report from Trustwave found that the number of BEC attacks carried out over the Short Message Service (SMS) instead of email has been steadily increasing.
The process is almost identical: the attacker contacts the victim, introduces themselves as one of the company’s executives, and shares a copy of an aging report. In the same message, they ask the victim to initiate a wire transfer, change a payroll account, or move company funds in some other way.
More potent than email
There are many benefits to using SMS for BEC attacks instead of email, the researchers say. The obvious one is that there are fewer elements that can make the target suspicious. Every email carries the sender’s address, which is often the first thing a recipient checks for signs of fraud, whereas an SMS message carries only a phone number, and in many cases employees don’t have their bosses’ numbers and might not double-check them.
Furthermore, the attackers can deflect a verification phone call by saying they’re in a meeting or otherwise unable to answer. Finally, SMS communication is a lot faster than email, allowing threat actors to get the job done much more quickly. Trustwave also highlights a Federal Communications Commission (FCC) report stating that unsolicited text messages tripled in 2022 compared to 2019.
Initiating a wire transfer is also something that might raise suspicions, which is why fraudsters usually ask the victims to purchase gift cards instead, promising that the purchase will be reimbursed. Most of the time, the crooks ask their targets to purchase gift cards from Target, Google Play, Apple, eBay, or Walmart.
To protect against SMS-based BEC attacks, businesses should educate their workforce on security awareness and have them always verify people’s identities when communicating via text messages, Trustwave said.
Furthermore, they should raise awareness among their employees that private data can be scraped from social media accounts and used in attacks, and finally, they should insist on multi-factor authentication (MFA) wherever possible, to make it harder for threat actors to gain access to valuable systems.