BEC Gangs Abandon C-Suite Executives in Favor of Attacks on Finance Employees

A recent report from Abnormal Security suggests business email compromise gangs have changed tactics and have new targets in their sights. BEC gangs have historically targeted C-Suite executives using phishing emails to obtain their credentials to access their email accounts in what is often referred to as whaling attacks. C-Suite email accounts are valuable as they can be used to target other individuals in the organization. These attacks are highly targeted, often aimed at the CEO or CFO.

Abnormal Security’s data suggests in Q1, 2020, the targets have changed. BEC attacks targeting the C-Suite dropped by 37%, with BEC gangs now favoring less targeted attacks involving messages that are sent to 10 or more participants. These larger 10+ campaigns increased by 17% in Q1, 2020 and were up 27% on Q1, 2019.

The larger number of messages adds legitimacy to the campaigns and increases the chance of a single individual responding. These campaigns are conducted on multiple organizations with some degree of customization for each target. BEC gangs are now increasingly targeting finance employees rather than the C-Suite. Abnormal Security recorded an 87% weekly increase in attacks on employees with a finance role. Employees in the finance department are now at greatest risk of being targeted in a BEC attack.

The number of BEC attacks per campaign increased by 9% and individual attacks increased by 14% over the same period.  However, individual attacks are down on Q1, 2019, which has led to a decrease in engagement and paycheck fraud. BEC gangs now seem to be focusing on payment fraud attacks where they pose as vendors and attempt to re-direct payments. Invoice fraud attacks increased by 75% in Q1, 2020. Abnormal Security notes that attacks on the supply chain make it easier to attack organizations with best-in-class security. Suppliers and vendors are a weak link that can easily be exploited in payment fraud attacks.

In the BEC Report for Q1, 2020, Abnormal Security includes data on COVID-19 related cyberattacks, noting a massive increase in COVID-19 campaigns between the second and third weeks in March, when the number of attacks increased by 436%. Overall, there was a 171% increase in COVID-19 themed attacks in Q1, 2020, as cybercriminals took advantage of public interest in the 2019 novel coronavirus and COVID-19.

There was considerable variety in the email campaigns. 2.34% were related to finance or stimulus relief, 2.28% of attacks related to PPE, and 0.34% of attacks related to vaccines, treatments, and potential cures. These attacks were largely concerned with credential phishing, followed by extortion and other scams, with only a relatively small percentage of COVID-19 campaigns involving BEC attacks and malware campaigns.

“The email security trends we witnessed during Q1 are most certainly related to the COVID-19 pandemic and the shift to work from home, but they also reflect greater sophistication and attack strategy by threat actors,” said Abnormal Security CEO and co-founder, Evan Reiser.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of