SolarWinds was just a warm-up act. According to industry studies, 80% of firms⁵ report a sharp rise in cyberattacks during 2020—the vast majority of them phishing attacks and other advanced email threats. Business email compromise (BEC) alone has led to nearly $30 billion⁶ in direct financial losses since 2016, and it’s getting worse. During the second half of 2020, ACID researchers uncovered a troubling rise in well-funded eastern European crime syndicates piloting new forms of BEC. With 57% of US employees still working from home and hamstrung by housebound children, frustrating vaccine rollouts, and an endless number of other distractions, threat actors appear to be finding plentiful targets for a new wave of socially-engineered email threats that could cost companies plenty.
In November, a dramatic increase in the average amount of money targeted in BEC attacks was traced back to two primary causes. The first was the resurgence of the BEC threat group we’ve dubbed Cosmic Lynx⁷, which switched up its pandemic-related tactics to include references to COVID-19 vaccines. More worrisome: The group has also started requesting recipients’ phone numbers in its emails to redirect the conversation to phone communications. The second driver behind the surge in the amounts sought in BEC scams is a potent new pretext used by threat actors: capital call investment payments. Generally speaking, capital calls are transactions that occur when an investment or insurance firm seeks a portion of the money promised by an investor for a specific investment vehicle. In emails to targets, BEC actors masquerade as a firm requesting funds to be transferred in accordance with an investment commitment. Because of the nature of such transactions, the payments requested are significantly higher than those sought in most wire transfer scams. The average payout targeted in capital call schemes: $809,000.
During this same period, our researchers also noted a significant increase in the number of BEC attacks requesting aging accounts receivable reports from targeted employees. While this particular form of BEC has been around for more than a year, it has represented a mere fraction of the total. In November, however, nearly 1 in 12 (7%) of all BEC scams our researchers observed requested an aging report. More disconcerting: While a large percentage of this increase can be attributed to the BEC group we call Ancient Tortoise⁸, we identified a growing number of other email campaigns coming from actors employing markedly different tactics, suggesting the exploitation of aging financial reports is being more widely adopted within the BEC ecosystem.
Like Vendor Email Compromise (VEC), aging report scams use compromised information from one organization in order to defraud another. Unlike VEC, however, they do not require the actual infiltration of an employee’s email account. Instead, the attacker impersonates a senior executive in emails requesting a copy of a recent aging accounts receivable report, which typically contains a list of all unpaid invoices and the names and email addresses of the associated customer contacts. With this information in hand, attackers then target the victim’s customers with requests for payment of overdue invoices to a new bank account.
Taken together, renewed activity from these two organizations is an ominous sign that highly-sophisticated threat actors are moving into an arena once dominated by loosely affiliated West African email crime rings. All while BEC groups of every stripe continue to establish new beachheads⁹ worldwide.
More than 6 in 10 malicious emails (62.6%) employing identity deception techniques involved display names designed to impersonate a well-known brand during the second half of 2020. This includes a significant number of phishing attacks impersonating Microsoft¹⁰, Amazon, Google, Facebook and others. In the majority of cases, these were coordinated campaigns designed to harvest login credentials from their targets.
Just under a quarter (22%) of all impersonation attacks pose as a trusted individual, usually a senior executive within the recipient’s company or an outside vendor. As mentioned, a cunning new impersonation tactic involves posing as specific individuals conducting “capital calls” in emails requesting payment from recipients on funds committed toward an investment vehicle. In the case of the group we call Ancient Tortoise, ACID researchers have confirmed the threat actors are acquiring aging accounts receivable reports in order to target companies with requests for payment on legitimate overdue invoices.
Gift cards continue to rank as the #1 choice for cash-outs in BEC scams, though they lost some altitude during the second half of 2020. In Q3, gift cards were requested in 71% of all BEC attacks. But in Q4, that figure dropped to 60%. Meanwhile, wire transfers continue to appeal to BEC actors, accounting for 22% of BEC schemes in H2 2020. The average amount sought in these attacks rose 8%—boosted by those six-figure capital call scams, as well as a minimum request amount of $2,600.
While payroll diversion ruses made up just 10% of all BEC scams throughout the last half of 2020, we saw some notable upward movement in these attacks throughout this six-month period. In fact, the number of fraudulent requests to change the employee bank accounts used for direct deposit has increased for six straight months. The fact that 7 in 10 corporate employees are working remotely, including more than 15 million¹¹ who moved across town, to nearby cities, or to far-flung Zoom towns during the first six months of the pandemic, may have given this pretext added believability. The steady increase in incidents suggests it’s working.
Maybe we should blame it on Pokémon¹². Online marketplace eBay continues to be the most favored gift card sought in BEC attacks. During the second half of 2020, eBay accounted for nearly 1 in 4 (24.1%) gift cards requested by email scammers, followed most closely by Google Play (15.5%), iTunes (11.7%), and Amazon (10.8%). But during the fourth quarter, ACID researchers saw a significant increase in the number of scams seeking American Express, Visa, and OneVanilla gift cards. BEC actors have traditionally requested brand-specific gift cards with an eye toward the online cryptocurrency exchange market, where the cards can be sold at some portion of their face value. This new shift may suggest cybercriminals are gravitating toward cash equivalents that can be used to make purchases of virtually any kind, online and off, at full face value.
During the second half of 2020, more than three-quarters (77%) of all BEC attacks were sent from a free webmail account—up 17% from January 2020.
Google’s Gmail remains the most weaponized email platform, accounting for 61% of BEC emails sent via free webmail accounts. That’s up from 43% in June 2020, nearly double the number seen last January (35%).
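The three sender signals described above, brand names in display names, executive names in display names, and free webmail sending domains, map directly onto a mail-gateway triage rule. The following is an added example, not code from the report or its authors; the brand domain list, the company directory, the webmail list and the sample From: headers are all constructed assumptions.

```python
# Added illustration: triage of From: headers for the display-name deception
# patterns the report describes. All lists and sample headers are constructed.
from email.utils import parseaddr

# Brands the report names as commonly impersonated, mapped to the domains
# we treat as legitimate senders for that brand (assumption for illustration).
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com"},
    "amazon": {"amazon.com"},
    "google": {"google.com"},
    "facebook": {"facebook.com", "facebookmail.com"},
}
# Hypothetical company directory: executives whose names are worth protecting
# and the company's own sending domain.
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe", "john smith"}
# Free webmail providers; Gmail is the one the report singles out.
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def classify_sender(from_header: str) -> dict:
    """Return the deception indicators found in a single From: header value."""
    name, addr = parseaddr(from_header)
    name_l = name.strip().lower()
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = {"display_name": name, "domain": domain, "flags": []}
    if domain in FREE_WEBMAIL:
        findings["flags"].append("free_webmail_sender")
    # Brand word in the display name but the mail did not come from that brand.
    for brand, legit_domains in BRAND_DOMAINS.items():
        if brand in name_l and domain not in legit_domains:
            findings["flags"].append(f"brand_impersonation:{brand}")
    # Executive's name in the display name but sent from outside the company.
    if name_l in EXECUTIVES and domain != COMPANY_DOMAIN:
        findings["flags"].append("executive_impersonation")
    return findings


# Constructed sample headers, not messages taken from the report.
SAMPLES = [
    "Microsoft Account Team <security-alert-1234@gmail.com>",
    '"Jane Doe" <jane.doe.ceo@gmail.com>',
    "Jane Doe <jane.doe@example-corp.com>",
    "Amazon <no-reply@amazon.com>",
]


def scan(headers=SAMPLES):
    """Classify every header; a non-empty flag list marks a message for review."""
    return [classify_sender(h) for h in headers]
```

Only the first two constructed samples are flagged: the brand name and the executive name both arrive from a free webmail domain, while the legitimate internal and brand senders produce no flags.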
Meanwhile, 23%, or nearly 1 in 4, BEC attacks are sent from a domain registered by the attackers. Nearly two-thirds of these domains are registered with just three public domain registrars: