Phishing, BEC Scams Netting $80,000 On Average in 2020
A recap of recent phishing activity trends found a decrease in detected phishing sites but a big increase in Business Email Compromise attack losses, around $80,000 per attack.
While the number of phishing sites is reportedly going down during the pandemic, losses associated with sophisticated attacks like Business Email Compromise (BEC) scams continue to rise.
According to the Anti-Phishing Working Group (APWG), a nonprofit that analyzes phishing activity trends, there was a noticeable uptick in the average amount requested in a BEC wire-transfer attack, from $54,000 in the first quarter of 2020 to $80,183 in the second quarter.
The higher demands run counter to the smaller number of phishing websites uncovered by APWG's contributing members: 46,036 websites in June, compared to 48,951 in April and 52,007 in May. In fact, June was the month in which APWG members found the fewest phishing sites.
The numbers come from the group's Q2 report (.PDF), which summarizes activity from April to June and was published last week.
BEC attacks can take a few different forms but essentially involve an attacker tricking an executive into making a financial transaction or handing over sensitive data.
Agari, one of the companies that feeds phishing-trend statistics to the APWG, said it saw BEC attackers request an average of $1,213 in gift cards during Q2 of 2020, adding that attackers request funds in the form of gift cards in 66 percent of BEC attacks; 16 percent are payroll diversions and 18 percent are direct bank transfers.
The numbers around gift cards make sense, especially when you consider that $1,200 is not an earth-shattering amount. The attacks are not as profitable as, say, a wire transfer, but have a "decent chance of success, because they can be approved by multiple people in a medium-to-large company, and the amount is small enough to slip by some companies' financial controls," the report points out.
As noted above, the amounts involved in wire-transfer attacks did jump, from $54K to $80K, likely because many executives are now working from home, which could lead them to either not read an email fully or be easily distracted and follow through with an attacker's demands.
The report also recaps which kinds of websites are most targeted: SaaS and webmail sites accounted for 35% of all attacks, but social media attacks also saw an increase (20 percent over Q1) due to attacks against Facebook and WhatsApp.
Other findings in the report include an increase over time in phishing sites protected by HTTPS, which makes links to those sites look legitimate even though a certificate only confirms that the connection is encrypted, not who runs the site. One of the companies cited in the report, PhishLabs, found that 77.6% of phishing sites in Q2 of 2020 used SSL/TLS certificates.