BEC Attacks Expand Beyond Email and Toward Mobile Devices - Infosecurity Magazine

Business email compromise (BEC) scams person been progressively targeting mobile devices, peculiarly with SMS-focused attacks.

According to a caller advisory by cybersecurity specialists astatine Trustwave, the inclination indicates a broader displacement towards phishing scams via substance messages.

“Phishing scams are prevalent successful the SMS menace landscape, and now, BEC attacks are besides going mobile,” reads the report.

Trustwave further added that scammers typically get mobile numbers from information breaches, societal media and information brokers, among different methods.

After that, attackers inquire victims for a ligament transfer, nonstop a transcript of an aging report or alteration a payroll account, luring them into paying for thing that should beryllium reimbursed aboriginal (but ne'er will).

“BEC attacks volition ever beryllium present truthful agelong arsenic they stay profitable [...]. Their continued profitability proves that worker cybersecurity behaviour is neglected and mismanaged by the compliance-based attack to information awareness,” explained Hoxhunt CEO Mika Aalto.

“Security civilization needs a reformation that begins with transforming the quality furniture into an plus which, erstwhile empowered by the close grooming and platform, augments the protect-detect-respond pillars of the [National Institute of Standards and Technology] NIST framework.”

Trustwave’s findings were besides confirmed successful SlashNext’s State of Phishing 2022 report, which precocious highlighted a 50% summation successful attacks connected mobile devices, with scams and credential theft astatine the apical of the database of payloads.

The papers besides suggested 83% of organizations reported that mobile instrumentality threats had been increasing much rapidly than different instrumentality threats.

“We person been seeing the inclination of BEC steadily moving to mobile this year. We telephone it concern substance compromise,” SlashNext CEO Patrick Harr told Infosecurity.

“Mobile devices are little protected, and it’s overmuch easier to obfuscate the sender details connected mobile devices [...]. It’s indispensable to support against these types of threats, which volition astir apt summation successful 2023, by utilizing mobile SMS/text extortion against earthy language-based attacks.”

Bud Broomhead, Viakoo CEO, echoed Harr’s point, adding that SIM jacking is simply a wide and easy-to-perform mode of attacking mobile devices.

“Mobile web operators are inactive the weakest nexus arsenic excessively galore of their employees autumn for societal engineering methods that let a mobile relationship to beryllium transferred to different SIM,” Broomhead told Infosecurity.

“Despite users becoming amended astatine MFA [multi-factor authentication], biometrics, and different protections, without stopping SIM jacking, BEC volition proceed to grow.”

Case successful point, a caller Lookout study suggested mobile-based credential theft attacks against national authorities employees increased by 47% from 2020 to 2021.