A person receiving a fraud BEC message via SMS.
Image: panuwat/Adobe Stock

A business email compromise attack is a type of scam aimed at an organization’s employees in which the attacker impersonates a top executive or other trusted person associated with the business. The scammer typically tries to trick the victim into wiring money, changing a payroll account or taking another action that allows them to steal company funds. While BEC attacks usually occur via email, they’re now using SMS text messages to hit recipients. A recent report from cybersecurity firm Trustwave discusses the increase in SMS-based BEC attacks and offers advice on how to combat them.

SEE: Secure corporate emails with intent-based BEC detection (TechRepublic)

How SMS-based BEC attacks work

SMS-based BEC campaigns actually started surfacing in 2019 with reports of text messages being sent to mobile phones. Often the BEC attack begins with an email through which the scammer asks for the victim’s phone number. With that information, the cybercriminal then segues to SMS as the primary form of communication.

The first message is typically designed to establish a relationship with the recipient to gain their trust; the message may also convey a sense of urgency to prompt the victim to act quickly. To avoid being discovered, the attacker may say that they’re in a meeting or on a conference call and can’t accept phone calls.

After the victim replies to the message, the attacker launches the scam, usually centered around a financial transaction. In one popular type of fraud, the recipient is asked to buy a gift card with the promise that they’ll be reimbursed. If this ploy succeeds, the attacker tells the victim to send them the gift card codes through a picture of the scratched-off card.

How attackers obtain mobile phone numbers

Beyond using an initial email conversation, attackers can obtain mobile phone numbers through other means. Phone numbers are often leaked in data breaches along with a person’s name, email address and other associated personal information. Phone numbers shared on social media sites can be scraped by attackers either through manual processes or through the use of bots.

People search sites provide another way for cybercriminals to obtain phone numbers. Data brokers collect and sell personal information about consumers, which is then available on these search sites for free or a small price. Yet another method to capture a phone number is through a port-out scam, also known as SIM swapping. In this case, the attacker poses as the victim and arranges for the victim’s phone number to be transferred to a different provider and account used by that attacker.

Recommendations to guard against BEC attacks

To help protect organizations from BEC attacks, Trustwave offers the following tips to security professionals and users.

Offer security awareness training

BEC messages are designed to thwart spam filters and take advantage of human weaknesses; as such, IT and security pros should offer proper training to employees on how to identify suspicious or malicious emails and text messages. Users should know what steps to take and whom to contact if they believe a message may be fraudulent.

Require verification of financial transactions by telephone

BEC attackers typically limit their communications to text messages to avoid being uncovered in a phone call. To avoid this trap, insist that any requested financial transactions in your organization be confirmed through a phone call or in person. Any person with whom your company does business should be registered in an official directory to verify their identity.

Implement multi-factor authentication

Adding an MFA requirement means that even if account credentials are compromised, the attacker won’t be able to gain access without that secondary form of authentication. MFA can be achieved through a dedicated authenticator app, a one-time password, security questions or biometric technology such as facial or fingerprint recognition.

Advocate social media awareness

Make sure employees are aware that any data posted online can be scraped or collected. This means they need to avoid posting contact details, personal information or company information such as job responsibilities and organizational charts.

Save your company, especially the IT team, time by downloading this readymade Security Awareness and Training policy from TechRepublic Premium.

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays