Scam artists have always sought to profit when crisis strikes. That includes malicious actors who refine phishing attacks to leverage national or global events–few as consequential to the whole of humanity as the coronavirus pandemic. The gravity of the situation, and the emotional levers it made available to cyberswindlers, are reflected in data captured during the first half
Rise in COVID-Themed Phishing Attacks Mid-March Through Early June
Starting the week of March 8, the volume of COVID-themed phishing attacks saw explosive growth over levels seen at the beginning of February, as corporate employees grappling with remote working, homebound children, concerns over the virus, and financial uncertainties were targeted in an unprecedented number of socially-engineered attacks. The trajectory of these schemes and their correlation with Google search data related to the outbreak is remarkable and consistent—bringing the symbiosis between events-driven anxieties and actions to exploit them into sharp relief. These coinciding trendlines remained relatively steady from mid-March until early June, before trailing off by quarter’s end.
Phishing Emails Employing Identity Deception Impersonating Well-Known Brands
Two-thirds of malicious emails employing identity deception techniques involved display names designed to dupe recipients into believing the messages came from a well-known brand. This includes a significant number of phishing attacks impersonating the World Health Organization (WHO), the Centers for Disease Control (CDC), Microsoft, and others in massive credentials harvesting campaigns launched early in the coronavirus outbreak.
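Display-name deception of the kind described above is detectable at the mail gateway with a simple rule: a display name that invokes a trusted brand but an envelope address whose domain does not belong to that brand. The following is an added example (not code from the report or from ACID) that applies that rule to constructed From: headers and goes one step further to distinguish free-webmail senders from lookalike domains; the brand-to-domain allowlist and the webmail provider list are assumptions for illustration.

```python
import email.utils
import re

# Constructed allowlist for this example: brands the report names as impersonated,
# mapped to the domain a genuine message from them would be sent from.
BRAND_DOMAINS = {
    "world health organization": "who.int",
    "who": "who.int",
    "centers for disease control": "cdc.gov",
    "cdc": "cdc.gov",
    "microsoft": "microsoft.com",
}
# Constructed list of free webmail providers commonly seen as BEC sending accounts.
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains such as 'micros0ft.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> list[str]:
    """Return detection labels for a From: header; an empty list means nothing suspicious."""
    display, addr = email.utils.parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    name = display.lower()
    labels = set()
    for brand, legit in BRAND_DOMAINS.items():
        # Whole-word match so "cdc" does not fire on unrelated names.
        if not re.search(r"\b" + re.escape(brand) + r"\b", name):
            continue
        if domain == legit or domain.endswith("." + legit):
            continue  # display name and sending domain agree: legitimate
        labels.add("brand-display-name-mismatch")
        if domain in FREE_WEBMAIL:
            labels.add("free-webmail-sender")
        elif domain and edit_distance(domain, legit) <= 2:
            labels.add("lookalike-domain")
    return sorted(labels)
```

A header such as `World Health Organization <donate-covid19@gmail.com>` yields both the mismatch and free-webmail labels, while `Microsoft Account Team <security@micros0ft.com>` is tagged as a lookalike domain.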
Percentage of Impersonation Attacks Posing as Trusted Individuals
During H1 2020, just under a quarter of all impersonation attacks masqueraded as trusted individuals, usually a senior executive within the recipient’s company or an outside vendor. The fraud group we call Ancient Tortoise, for instance, used COVID-19 as the pretext for changes to payment details when targeting companies in aging accounts receivable scams by posing as members of a supplier’s accounts receivables team. Another, a criminal organization we call Cosmic Lynx, is the first-reported BEC group operating out of Eastern Europe—suggesting socially-engineered email impersonations are expanding beyond their roots among West African email fraudsters.
Ubiquitous and easy to sell for pennies on the dollar in online cryptocurrency exchanges, gift cards are the preferred payment method in more than 67% of all BEC plays—up from 62% during the fourth quarter of 2019. During the same period, the number of payroll diversion attacks decreased to 13% of the total, compared to 25% at the end of last year.
Maximum Requested in Wire Transfer Ploys During the First Half of 2020
Amounts requested in gift card ruses retreated to $1,348 on average, compared to nearly $1,600 at the end of 2019. Meanwhile, amounts sought in wire transfer schemes rose to an average $66,790, from $55,395 six months earlier. The maximum requested in a wire transfer attack observed by ACID so far this year: $1,555,770—up from $680,456.
Popular online marketplace eBay has overtaken longtime fraudster favorite Google Play as the top gift card sought in BEC attacks. During the first half of the year, eBay accounted for 23% of all gift cards requested by email scammers—compared to just 5% last June. This change may reflect a glut in Google Play gift cards, or it could mark a shift toward cards for purchasing physical goods for direct use or for resale online.
Percentage of BEC Scams Using Free Webmail—Up More Than 10%
Our data shows that in the first half of 2020, nearly 70% of all BEC emails were sent from a free webmail account—a 10% increase in the last six months.
Gmail Remains The Most Weaponized Email Platform
Gmail accounts were used to launch 43% of all BEC scams, up from 35% since our last report.
BEC Emails Sent From Registered Lookalike Domains
Nearly 30% of BEC campaigns are launched from a domain registered by the attacker. Nearly two-thirds of these domains are registered with just three domain registrars: