natali_mis - stock.adobe.com

COVID, gift cards and phony acquisitions top BEC attack trends

New research from Cisco Talos shows cybercriminals are still using the COVID-19 pandemic for BEC attacks to steal millions, but in slightly different ways.

Business email compromise scams are becoming more common, with numerous tricks, including preying on confusion around the COVID-19 pandemic, used as popular lures by cybercriminals.

New research from Cisco Talos Intelligence Group found that one of the more popular cons for business email compromise (BEC) attacks in recent months is to pretend to be an employee out sick with the deadly virus. In some cases, the cybercriminal asks the target to send gift cards as a favor, promising to pay the target back once they return to work.

The BEC attack is a phishing trick in which a threat actor targets a company's employees by pretending to be a co-worker or business partner asking for money via a wire transfer or gift cards. It is a particularly devastating attack because the transfers can often involve millions of dollars and the technique requires little to no technical expertise.

Nick Biasini, outreach engineer with Cisco Talos, told SearchSecurity that while the pandemic was a popular lure for BEC attacks, it didn't seem to have much impact on overall attack levels; as a result, he said, the winding down of restrictions and lockdowns will probably not do much to stem the growing tide of attacks.

"Talos didn't see BEC attacks increasing during the pandemic. However, it did provide criminals with new lures," Biasini explained. "There are no signs of these attacks slowing anytime soon -- if anything they expect these attacks to increase as time goes on."

In one particularly nasty example, the crook pretended to be a CEO who told an employee the company was looking to donate gift cards to a local hospice care group.

The pandemic was one of many popular lures the Cisco Talos team has logged in recent months, according to the report. In one particularly nasty example, the crook pretended to be a CEO who told an employee the company was looking to donate gift cards to a local hospice care group. The cards would then be sent directly to the criminal or to a mule who would shift them to the phishing attack operator.

Gift cards are a popular form of currency with cybercriminals because they are difficult to trace and provide a fast and easy way to launder money by simply selling the cards individually or in bulk.

In another attack method, one with significantly higher stakes, the attacker spoofed the head of a company and told a targeted employee that a big merger was afoot and had to remain secret. In this case, the threat actor took things a step further and included a phone number in the phishing email. Had the target fallen for the phishing message and called the number, they presumably would have been connected to someone who would give them instructions for a wire transfer.

"We didn't find a wide array of companies -- small, medium and large -- receiving emails. Instead, these tended to hit larger companies, Cisco included," Biasini wrote in the report. "They also tended to be a bit more descriptive than what we typically see, but in some cases, it was rather short and direct."

In another variation on the scam, the attacker asked for payment as part of a "support contract," even going so far as to once again reference the pandemic by claiming the person who would normally handle the transaction was sick with the virus.

Because these techniques rely heavily on social engineering and personal communications to operate, automatic detection can be difficult. Cisco Talos recommended that companies help their employees to spot the fraudulent emails as soon as they appear.

"One simple step that some organizations can take is adding a tag to the subject line of the email. This can be extremely useful to help users realize the request came from an external source outside the organization and maybe question the incoming request with a little additional scrutiny," Biasini noted in the report. "This doesn't block the email outright, [it] just adds a little context by changing the subject and adding a tag like [External]."

Dig Deeper on Threats and vulnerabilities