Trustwave says BEC attacks, no longer limited to email, hit users via text messages with the intent of stealing money or committing other forms of fraud.
A business email compromise attack is a type of scam that targets an organization’s employees, in which the attacker impersonates a senior executive or another trusted person associated with the business. The scammer typically tries to trick the victim into sending money, changing payroll account details, or taking some other action that lets the attacker steal company funds. While BEC attacks usually arrive by email, attackers now also use SMS text messages to reach their targets. A recent report from cybersecurity firm Trustwave discusses the rise in SMS-based BEC attacks and offers advice on how to combat them.
SEE: Secure corporate email with intent-based BEC detection (TechRepublic)
How do SMS-based BEC attacks work?
SMS-based BEC campaigns first surfaced in 2019, with reports of text messages being sent to mobile phones. Usually, a BEC attack starts with an email in which the scammer asks for the victim’s phone number. With that information in hand, the cybercriminal switches to SMS as the primary channel of communication.
The first message is usually designed to build rapport with the recipient in order to gain their trust; the message may also convey a sense of urgency to push the victim to act quickly. To avoid being exposed, the attacker may claim to be in a meeting or on a conference call and therefore unable to take phone calls.
Once the victim replies, the attacker launches the actual scam, usually centered on a financial transaction. In one popular variant, the victim is asked to purchase gift cards with the promise that they will be reimbursed. If the ruse succeeds, the attacker instructs the victim to send the gift card codes as a photo of the scratched-off card.
How do attackers obtain mobile phone numbers?
Beyond the initial email conversation, attackers can obtain mobile phone numbers in several other ways. Phone numbers are frequently leaked in data breaches, along with a person’s name, email address, and other personal information. Phone numbers shared on social media sites can be harvested by attackers either manually or with bots.
People-search sites provide another source of phone numbers for cybercriminals. Data brokers collect and sell personal information about consumers, and this information is then made available on these search sites for free or for a small fee. Another way to take over a phone number is a port-out scam, also known as SIM swapping. In this case, the attacker impersonates the victim and has the victim’s phone number transferred to a different carrier and to an account controlled by the attacker.
Recommendations for protection against BEC attacks
To help protect organizations from BEC attacks, Trustwave offers the following tips for security professionals and users.
Offer security awareness training
BEC messages are designed to bypass spam filters and exploit human weaknesses; therefore, IT and security professionals should give employees appropriate training on how to identify suspicious or malicious emails and text messages. Users should know what steps to take and whom to contact if they believe a message may be fraudulent.
Require phone verification of financial transactions
BEC attackers often limit their communications to text messages to avoid being exposed in a phone call. To avoid falling into this trap, insist that any requested financial transaction in your organization be confirmed over a phone call or in person. Anyone your company does business with should be listed in an official directory so that their identity can be verified.
Implement multi-factor authentication
Adding an MFA requirement means that even if account credentials are compromised, an attacker cannot gain access without the secondary form of authentication. MFA can be implemented with a dedicated authenticator app, a one-time password, security questions, or biometrics such as face or fingerprint recognition.
Advocate for social media awareness
Make sure employees understand that any data posted online may be copied or harvested. This means they should avoid posting contact details, personal information, or company information such as job responsibilities and organizational charts.