Companies are losing money to criminals who are launching Business Email Compromise (BEC) attacks as a more remunerative line of business than retail-accounts phishing, APWG reveals.
High-ticket BEC attacks
Agari reported that the average wire transfer loss from BEC attacks exceeded all previous levels, spiking from $54,000 in the first quarter to $80,183 in Q2 2020 as spearphishing gangs reached for bigger returns. In 66 percent of BEC attacks, scammers also requested funds in the form of gift cards, which are easier to cash out.
During the second quarter of 2020, the average amount of gift cards requested by BEC attackers was $1,213, down from $1,453 in the first quarter of 2020.
The number of phishing sites detected in the second quarter of 2020 was 146,994, down from the 165,772 observed in the first quarter. Phishing that targeted webmail and SaaS users continued to be the biggest category of phishing.
Social media and web security attacks
Attacks targeting the social media sector increased in Q2 about 20 percent over Q1, primarily driven by targeted attacks against Facebook and WhatsApp. After an explosion in 2019 and into the first quarter of 2020, phishing in Brazil dropped back slightly.
Abuse of web security infrastructure reached a grim new plateau in Q2 2020, as well, with PhishLabs reporting that nearly 78 percent of all phishing websites employ SSL/TLS certificates as part of the deceptive schemes they use to lure in users and gain their confidence.
In addition, PhishLabs founder and CTO John LaCour observed, “The vast majority of certificates used in phishing attacks — 91 percent — are Domain Validated (“DV”) certificates. Interestingly, we found 27 web sites that were using Extended Validation (“EV”) certificates” – by hacking websites that already had them legitimately installed.