Invoice or payment fraud attacks that target group email boxes jump more than 200%

Workers prepare a presentation of advanced e-mail at the Deutsche Telekom stand the day before the CeBIT technology trade fair officially opens.  (Photo by Sean Gallup/Getty Images)

New research found that business email compromise (BEC) attacks focused on invoice or payment fraud and targeting group mailboxes increased 212 percent from second to third quarter.

While invoice and payment fraud attacks on the c-suite are still prevalent, the sharp rise in attacks on group email boxes was significant because it pointed to a new favorite attack vector.

“Sending to group email boxes is a great way for attackers to gain credibility,” said Ken Liao, vice president of cybersecurity strategy at Abnormal Security, which posted its third quarter BEC report today. “The attackers can send the email around and once colleagues see that one or two of their coworkers have responded they are more likely to click. It’s also a good line of attack because you don’t need to get to the CFO or c-suite to get an invoice approved."

The report also found that Q3 was marked by a 155 percent overall increase in invoice and payment fraud BEC attacks across the eight industries studied. Liao said while this trend was particularly notable for the retail-consumer goods and manufacturing sector, it was also strong in the other verticals Abnormal studied: energy/infrastructure, finance, hospitality. media/TV, medical, services, and technology. 

Colin Bastable, CEO of Lucy Security, agreed with Liao that attacks on group email boxes have a higher probability of being opened on receipt, or forwarded internally and then opened.

“Being forwarded internally adds legitimacy to phishing emails,” Bastable said.

“Access to group email boxes is also often delegated to valuable targets such as personal assistants, diary keepers, and gatekeepers: 'can-do' people who are likely to bring the email to the attention of the intended targets, or who will open files and initiate the fraud.”

Jamie Hart, cyber threat intelligence analyst at Digital Shadows, added that by targeting group mailboxes versus c-suite, cybercriminals are using the “spray and pray” method: The criminals send the same email to a larger group of individuals hoping that at least one of them will open the attachment or follow the link.

“With more employees working remotely, employees are less likely to verify the validity of an email or an attachment,” Hart said. “Additionally, targeting group mailboxes ensures that the email gets delivered to several employees using only one email address. This method requires the same amount of effort from a cybercriminal with the potential for higher success.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.