By: Ronnie Tokazowski, Principal Threat Advisor & Brad Haas, Cyber Threat Intelligence Analyst
How many phish does it take to get to the sugary story of the BEC (Business Email Compromise) attack? That’s exactly what we wanted to find out.
Unlike many other types of cybercrime, BEC is a conversation-based phishing attack. Scammers simply ask users to do a favor or run an errand, and the person on the other end does just that. BEC actors can use many different pretexts to phish end users. It can be anything from pretending to be the CEO of an organization to asking someone to update payroll or even asking for gift cards for an employee. While many of these tactics are already publicly known, there’s still some confusion about how all these different pieces work together.
Do people become victims after the first email, or do the scammers need to have a conversation with the victim?
That’s what we set out to discover in our most recent BEC study.
Phishing The Phishers: What We Found
We wanted to engage with the scammers and understand how these conversations worked. In hundreds of email threads, we did just that. We responded to the scammers, tracked all of our responses, and tried to gauge just how many conversations it would take to draw different conclusions.
How likely were the scammers to respond, and how many emails did it take to elicit the final pretext?
Based on the hundreds of responses we sent to the scammers, we received responses in 58% of attacks. In the other cases, many email accounts were taken down by service providers prior to engagement, or we simply didn’t receive a response from the scammers.
Of the 58% that responded, 89% of the phishers told us what they needed after our first response. In many cases this was a gift card request that began with an initial pretext of “I need you to run this urgent task” or “can you send me your phone number” and no other information. Once we responded, the scammers came back and said the task was to go to the grocery store and pick up a gift card.
There is a lot more to this study than we could fit in this blog. For the rest of our insights, see the detailed Threat Intelligence analysis, which breaks down everything we discovered, including examples of emails we received from BEC threat actors and the percentage of webmail providers utilized.