Cyber-criminals are evolving their tactics with Business Email Compromise (BEC) attacks by transferring victims from email over to mobile communications channels early on in a scam, according to Agari.
Researcher James Linton described how such an attack typically takes place, with the initial spoofed CEO email containing a request for the recipient’s mobile phone number.
“By moving them over to their cell phone, the scammer is equipping their victim with all the functionality needed to complete the task that is to be given to them,” he explained.
“A mobile device offers instant and direct messaging, the ability (in most cases) to still access email, the ability to take pictures with the phone’s camera, and far greater portability than a laptop, which all increases the chances that the scammer will be successful in achieving their desired outcome once a victim is on the hook.”
If the victim hands over their number, the BEC scammer knows they have a great chance of success. In fact, the extra complexity of moving across two different comms channels may even add extra credibility to the scam, Linton claimed.
The instantaneous communication of mobile-based SMS or IM also makes it less likely that the victim will stop and think about what’s happening.
Temporary numbers can be relatively easily set up for the purpose, and can even be managed from a single desktop environment, making things easier for the scammer.
Linton explained how BEC scammers could use this tactic to trick workers into buying a set of gift cards on their behalf, scratching off the back and taking a photo of the redemption codes with the phone’s camera.
These are then swiftly laundered through online platforms, he added.
The best way of mitigating this new tactic is to check the sender's domain on an incoming email for any red flags.
“If the email address checks out and a number is supplied, insist on a brief call before making purchases on behalf of someone else,” Linton concluded.
“As a final safety net, share concerns with a colleague or friend, especially if pressure is increased in unusual ways. As always, it’s better to be safe than sorry when dealing with these types of emails.”
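The domain check described above can be automated at the mail gateway or in a triage script. The following is an added example, not code from Agari or the article; the organisation domain, the phrase list and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumption: the organisation's real mail domain

# Assumed phrase list: wording that asks the recipient for a mobile number.
NUMBER_REQUEST = re.compile(
    r"\b(cell|mobile|personal)\s*(phone\s*)?(number|no\.|#)", re.I)

def domain_of(header_value):
    """Return the lowercased domain of an address header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    _, sep, dom = addr.rpartition("@")
    return dom.lower() if sep else ""

def red_flags(raw_email):
    """List the red flags found in one plain-text RFC 5322 message."""
    msg = message_from_string(raw_email)
    flags = []
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    if from_dom != ORG_DOMAIN:
        flags.append("external-sender-domain")
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-domain-mismatch")
    body = msg.get_payload()
    if isinstance(body, str) and NUMBER_REQUEST.search(body):
        flags.append("asks-for-mobile-number")
    return flags

def is_suspect(raw_email):
    """True when a number request arrives together with a domain red flag."""
    flags = red_flags(raw_email)
    return "asks-for-mobile-number" in flags and len(flags) > 1

# Constructed sample messages (reserved .test / example.com domains).
SPOOFED = ('From: "Jane Doe, CEO" <jane.doe@examp1e-mail.test>\n'
           "Reply-To: ceo.office@freemail.test\n"
           "To: sam@example.com\nSubject: Quick task\n\n"
           "Are you at your desk? Send me your cell phone number.\n")
LEGIT = ("From: colleague@example.com\nTo: sam@example.com\n"
         "Subject: Meeting\n\nMeeting moved to 3pm.\n")

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, red_flags(raw), "suspect" if is_suspect(raw) else "ok")
```

A message that trips `is_suspect` is a candidate for the verification call Linton recommends, not proof of fraud on its own.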