BEC Wire Transfers Average $80K Per Attack

BEC average transaction amount

That number represents a big uptick over Q1.

The average wire-transfer loss from business email compromise (BEC) attacks is significantly on the rise: In the second quarter of 2020 the average was $80,183, up from $54,000 in the first quarter.

That’s according to the recently released Anti-Phishing Working Group (APWG)’s Phishing Activity Trends Report [PDF], which pointed out that the rise in dollar amounts could be driven largely by one Russian BEC operation, which has been targeting companies for an average of $1.27 million per effort.

In a BEC attack, a scammer impersonates a company executive or other trusted party, and tries to trick an employee responsible for payments or other financial transactions into wiring money to a bogus account. Attackers usually conduct a fair amount of recon work, studying executive styles and uncovering the organization’s vendors, billing system practices and other information to help mount a convincing attack.

Such is the case with the aforementioned Russian BEC group, Cosmic Lynx, which was spotted prowling around earlier this summer by researchers at Agari.

“Cosmic Lynx employs a dual impersonation scheme,” the report noted. “The pretext of their attacks is that the target organization is preparing to close an acquisition with an Asian company as part of a corporate expansion. First Cosmic Lynx impersonates a company’s CEO, asking the target employee to work with ‘external legal counsel’ to coordinate the payments needed to close the acquisition. Then, Cosmic Lynx hijacks the identity of a legitimate attorney at a U.K.-based law firm, who’s supposed job it is to facilitate the transaction. The final stage of a Cosmic Lynx BEC attack is getting the target to send payments to mule accounts controlled by the group.”

The Cosmic Lynx cybercrime group has launched more than 200 BEC campaigns since July 2019, which have targeted individuals in 46 countries on six continents, according to Agari’s statistics. Favorite targets include Fortune 500 and Global 2,000 companies, which helps explain the large paydays.

Source: Agari

On other end of the scale, BEC fraudsters were found to request funds in the form of gift cards in 66 percent of BEC attacks (gift cards for eBay, Google Play, Apple iTunes and Steam Wallet made up 70 percent of gift card requests in the second quarter). This compares with about 16 percent of attacks being requests for payroll diversions, and 18 percent requesting direct bank transfers.

Phishing targets by vertical.

“The amount of money that an attacker can make by getting gift cards is significantly less than he can get with a wire transfer,” according to the report. “During the second quarter of 2020, the average amount of gift cards requested by BEC attackers was $1,213, down from $1,453 in the first quarter of 2020. Scam attempts around this dollar amount may have a decent chance of success, because they can be approved by multiple people in a medium-to-large company, and the amount is small enough to slip by some companies’ financial controls.”

BEC may be on the rise, but the number of phishing sites is declining, the report also found. There were 146,994 phishing sites detected in the second quarter of 2020, down from the 165,772 in Q1.

In terms of approach, the report found that phishing that targeted webmail and software-as-a-service (SaaS) users continued to be biggest category of phishing targets; however, targeted attacks against Facebook and WhatsApp users drove the social-media category up by 20 percent over Q1.

On Wed Sept. 16 @ 2 PM ET: Learn the secrets to running a successful Bug Bounty Program. Register today for this FREE Threatpost webinar “Five Essentials for Running a Successful Bug Bounty Program“. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this LIVE webinar.

Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.