Researchers reported seeing messages via text and other smartphone apps using the same techniques as business email compromise (BEC) attacks. (Photo by Sean Gallup/Getty Images)

Researchers reported that while phishing scams are prevalent in the SMS threat landscape, business email compromise (BEC) attacks are now going mobile.

In a Dec. 8 blog post, researchers at Trustwave’s SpiderLabs said the flow and nature of a BEC attack in short messaging services (SMS) is similar to email in which attackers impersonate company executives.

The researchers said attackers make a legitimate request, such as asking for a wire transfer, sending a copy of an aging report, or changing a payroll account. The Anti-Phishing Working Group reports that among these requests, gift card fraud was the most common scheme in the second quarter of 2022.

BECs remain one of the biggest cybersecurity threats today. The FBI has reported that losses from BECs have surpassed $43 billion globally, and as time goes by, scammers are becoming more cunning with their lures. We are certainly seeing an increase in attackers leveraging mobile platforms, including SMS messages, Signal, WhatsApp, and social media apps to carry out BEC attacks, said Hank Schless, senior manager of security solutions at Lookout.

What’s worse, Schless said, is that one successful phishing attack on an employee’s mobile device can quickly spread laterally and have a major impact on an organization.

“There’s no shortage of email security solutions that are effective at blocking phishing — the problem is that the bad guys have long since realized this and are adapting their tactics accordingly,” Schless said. “Any organization still narrowly focusing on email to identify and thwart phishing attacks has a huge gap in their security strategy. A unified approach to protecting all endpoints that includes mobile is now essential.”