Security experts have cautioned that Business Email Compromise (BEC) attacks, in which criminals pose as legitimate business officials through email to deceive employees into making a fraudulent wire transfer, are expanding to mobile platforms.
According to Trustwave’s research, BEC attacks using SMS have been on the rise.
The approach is almost exactly the same as with email: the attacker contacts the victim, posing as a corporate executive, and sends them a copy of the firm’s ageing report. The victim then gets a message instructing them to alter a payroll account, conduct a wire transfer, or move corporate cash in some other fashion.
Powerful enough to rival email
According to the study’s authors, employing text messages rather than emails for BEC attacks has several advantages. The most obvious benefit is that the target is less likely to get suspicious. In contrast to emails, which always include the sender’s address and can be checked as a first line of defence against fraud, text messages only include the sender’s phone number, and many workers lack access to their managers’ personal cell phone numbers and therefore may not verify the authenticity of the sender.
Another tactic attackers might use is to ignore incoming calls by pretending to be in a conference or otherwise unavailable. Finally, Trustwave points to a report from the Federal Communications Commission (FCC) stating that the volume of unsolicited text messages tripled in 2022 compared to 2019. SMS communication is also much faster than email, allowing threat actors to get the job done much more quickly.
Because initiating wire transfers often raises suspicion, con artists frequently have their victims buy gift cards instead. They assure their victims that their money will be refunded if they make the transaction. Criminals frequently request that their victims purchase gift cards from popular retailers including Target, Google Play, Apple, eBay, and Walmart.
According to Trustwave, firms may prevent SMS-based BEC attacks by raising security awareness among employees and mandating that all text message communications begin with a successful identity verification.
Additionally, businesses need to educate their staff about the dangers of social media data scraping and the need to use multi-factor authentication (MFA) wherever feasible to prevent malicious actors from gaining access to sensitive information.