Beyond BEC: How Modern Phishing Has Evolved Past Email

Originally published by Lookout.

Written by Hank Schless, Lookout.

Business email compromise (BEC) is big business for malicious actors. According to the 2021 FBI Internet Crime Report, BEC was responsible for nearly $2.4 billion in cyber crime losses in 2021.

At its root, it’s a type of phishing attack. And with the rise of smartphones and tablets, attackers are expanding well beyond email. They now leverage other platforms such as SMS messages, messaging apps like Signal and WhatsApp, and social media apps to target and compromise their targets.

And with the countless SaaS apps that your workers use every day, a single, successful phishing attack could have a rippling effect across your entire organization. The cloud has made productivity easier, but it has also amplified the effects of phishing.

What is a business email compromise?

In more traditional BEC attacks, the threat actor will purchase or collect contact lists that include names, email addresses, and phone numbers of chief financial officers (CFOs), finance teams, and accounts payable. A targeted message is sent, impersonating a high-ranking executive (usually the CEO) with an urgent request for payment that needs to be made, such as a time-sensitive project. Attackers frequently send tens of thousands of phishing messages a year, and if just one person takes the bait, it can result in huge losses for your organization.

But as I’ll describe below, BEC has evolved well beyond these classic parameters. As these attacks become more popular, organizations need to evolve their defenses. As with any phishing attack, awareness and education are the first step toward prevention, but certainly not the only step.

Think beyond email to stay ahead of phishing risks

Mobile presents a greater challenge for targets of phishing attacks because cybersecurity training doesn’t often focus on mobile. Historically, phishing training asks users to look for indicators that can only be seen on a desktop computer. Unfortunately, many mobile email apps do not display the sender’s email address and limit the ability to easily preview hyperlinks to potentially fake websites.

The problem is compounded by the heavy reliance on mobile communication by organizations at all hours of the day — particularly now that most users are working remotely. Business leaders communicating with their teams via mobile email or messaging apps do so with an expectation of immediate attention, which primes employees to potentially fall for phishing scams.

There are also more channels for attackers to deliver their scams via mobile. Many people don’t expect phishing links to be delivered through platforms like SMS messages, Facebook messenger, WhatsApp, or Signal, but they are. The FBI even issued a public service announcement that attackers are now using virtual meeting platforms to conduct BEC scams.

Modern phishing is the gateway into your organization

It’s not just that mobile devices are much easier to phish, it’s also that they have just as much access to the apps and data that your organization's value. With work from anywhere, whether it’s a smartphone or a tablet, your users are increasingly relying on these endpoints to juggle work and personal responsibilities. As a result, any mistakes they make on those devices, even if they aren’t managed by your IT, will introduce risks that may ultimately compromise your infrastructure.

There is no one-size fits all approach to preventing BEC and phishing, but a good start is realizing that phishing attacks aren’t limited to email with updated training. Any strategy focused only on email will miss the methods used to attack mobile users. It also takes a unified platform approach that secures all endpoints, including mobile devices, against internet-based threats.