Business email compromise (BEC) scams have been increasingly targeting mobile devices, particularly with SMS-focused attacks.
According to a new advisory by cybersecurity specialists at Trustwave, the trend indicates a broader shift towards phishing scams via text messages.
“Phishing scams are prevalent in the SMS threat landscape, and now, BEC attacks are also going mobile,” reads the report.
Trustwave further added that scammers typically obtain mobile numbers from data breaches, social media and data brokers, among other methods.
After that, attackers ask victims for a wire transfer, send a copy of an aging report or change a payroll account, luring them into paying for something that should be reimbursed later (but never will).
“BEC attacks will always be here so long as they remain profitable [...]. Their continued profitability proves that employee cybersecurity behavior is neglected and mismanaged by the compliance-based approach to security awareness,” explained Hoxhunt CEO Mika Aalto.
“Security culture needs a reformation that begins with transforming the human layer into an asset which, when empowered by the right training and platform, augments the protect-detect-respond pillars of the [National Institute of Standards and Technology] NIST framework.”
Trustwave’s findings were also confirmed in SlashNext’s State of Phishing 2022 report, which recently highlighted a 50% increase in attacks on mobile devices, with scams and credential theft at the top of the list of payloads.
The document also suggested 83% of organizations reported that mobile device threats had been growing more quickly than other device threats.
“We have been seeing the trend of BEC steadily moving to mobile this year. We call it business text compromise,” SlashNext CEO Patrick Harr told Infosecurity.
“Mobile devices are less protected, and it’s much easier to obfuscate the sender details on mobile devices [...]. It’s essential to protect against these types of threats, which will most likely increase in 2023, by using mobile SMS/text protection against natural language-based attacks.”
Bud Broomhead, Viakoo CEO, echoed Harr’s point, adding that SIM jacking is a widespread and easy-to-perform way of attacking mobile devices.
“Mobile network operators are still the weakest link as too many of their employees fall for social engineering methods that allow a mobile account to be transferred to another SIM,” Broomhead told Infosecurity.
“Despite users becoming better at MFA [multi-factor authentication], biometrics, and other protections, without stopping SIM jacking, BEC will continue to grow.”
Case in point, a recent Lookout report suggested mobile-based credential theft attacks against federal government employees increased by 47% from 2020 to 2021.