New data from email security vendor Agari shows Business Email Compromise (BEC) attacks shifting tactics last quarter, in favor of scams resulting in larger payouts.
BEC scams are one of the easiest scams to initiate, as they only involve an email list, a way to send an email, and some good social engineering skills. And, according to Agari’s Q4 2019: Email Fraud & Identity Deception Trends report, cybercriminals are changing the focus towards those scams that pay out bigger returns.
According to the report, gift card scams – which reign as the undisputed leader in BEC scam quantity, saw a 9% decrease in Q3, from 65% of all BEC scams to 56%. In contrast, those decreases created increases in both payroll diversion (at 25%, up from 20% last quarter), and direct transfer scams (at 19%, up from 15% last quarter).
The report points out one of the possible reasons is the payout. According to the report, the average take for a gift card scam is around $1,571. In contrast, the average take for a wire transfer is over $52,000!
Regardless of the payout, organisations need to ensure employees don’t fall for these scams. Some of the common telltale signs are:
- Use of free webmail accounts – according to Agari, 54% of BEC attacks used from these accounts.
- Use of lookalike domains – 40% of all BEC attacks used domains made to look similar to known and established domain names.
- Targeting of specific roles – HR employees are the obvious target for payroll diversion scams. Direct transfer scams target members of Finance or Accounting. And Gift Card scams tend to focus on individuals with lower roles that directly interact with a member of the executive team.
Users need to be educated on these kinds of scams vis continual Security Awareness Training so they can easily spot suspicious content in email and on the web, and be able to navigate around a scam without falling for it.
Free Social Media Phishing Test
Would your users fall for a phishing email that looks like it originated from a credible social media site such as Facebook, LinkedIn or Twitter? Attackers use social media to target both your brand, your users, and even your customers by distributing malware or using social engineering to phish for credentials. These platforms have become a goldmine for the bad guys to carry out social media phishing attacks against your organization. Don’t get hacked by social media phishing attacks!
Here’s How the Social Media Phishing Test works:
- Immediately start your test with your choice of three social media phishing templates
- Choose the corresponding landing page your users see after they click
- Show users which red flags they missed or send them to a fake login page
- Get a PDF emailed to you in 24 hours with your percentage of clicks and data entered
Don’t like to click on redirected buttons? Copy & paste this link into your browser: https://info.knowbe4.com/social-media-phishing-test-partner?partnerid=001a000001lWEoJAAW