Executive Summary
The findings in this report come from the results of active defense engagements with BEC threat actors. Every month, the Agari Cyber Intelligence Division (ACID) conducts hundreds of these engagements to collect comprehensive intelligence about BEC tactics and trends to help better understand how the BEC threat landscape is evolving.
The primary findings for December 2024 detailed in this report include the following:
During December 2024, the ACID team observed a decrease of 17% in overall attack volume in comparison to the prior month.
Gift cards were the most common cash out method in December, totaling 26.7% of all cash out methods.
The average amount requested by BEC wire transfer attackers was $16,799 in December compared to $28,283 in November 2024.
During the month of December 2024, international (non-US) banks proved to be the most common institutions of choice for wire transfer scammers, making up 39% of the total.
During the month of December 2024, specialty banks were the most common institutions of choice for payroll diversion scammers, totaling 39%.
67% of BEC attacks were sent from email addresses hosted on free webmail providers compared to 33% of attacks sent from maliciously registered domains.
For December 2024, Google was the primary webmail provider used by actors to send BEC campaigns, comprising 75% of the 1,034 free webmail accounts used by scammers.
Nigeria was the primary location linked to BEC threat actors in December, with 46% of all BEC actors originating from Nigeria-based IP addresses.
BEC Attack Trends
During the month of December 2024, the ACID team observed a decrease of 17% in overall attack volume in comparison to the prior month.
Gift cards were the most common cash out method (26.7%), followed by advance fee fraud (19.5%), payroll diversions (5.6%), credential phishing (5.4%), wire transfers (1.4%), and vishing (0.7%). Forty-one percent of the attacks in December 2024 requested other types of payment such as cryptocurrency.
BEC Wire Transfers
Wire transfer BEC attacks decreased by 12% in December (see Figure 2).
The average amount requested by BEC wire transfer attackers was $16,799 in December compared to $28,283 in November 2024, a decrease of 41%. During the month of December, 44% of wire transfer BEC attacks requested less than $10,000, while 50% of wire transfer BEC attacks requested between $10,000 and $50,000. The remaining 6% requested between $50,000 and $100,000, and none requested more than $100,000.
During the month of December 2024, international (non-US) banks proved to be the most common institutions of choice for wire transfer scammers, comprising 39% of the total. This type of bank was followed by regional US banks (30%), major US banks (13%), and online banks (13%).
BEC Payroll Diversions
During the month of December 2024, specialty banks proved to be the most common institutions of choice for payroll diversion scammers, comprising 39% of the total. This type of bank was followed by regional US banks (23%), major US banks (14%), online banks (14%), and credit unions (6%).
BEC Infrastructure
67% of BEC attacks were sent from email addresses hosted on free webmail providers compared to 33% of attacks sent from maliciously registered domains. The percentage of free webmail providers used decreased in December compared to 61% in November 2024.
For December 2024, Google was the primary webmail provider used by actors to send BEC campaigns, comprising 75% of the 1,034 free webmail accounts used by scammers. Other popular webmail providers included Microsoft and Verizon Media.
BEC Attack Locations
Nigeria was the primary location¹ linked to BEC threat actors in December, with nearly 46% of all BEC actors originating from Nigeria-based IP addresses. The United States was next, with 37% of the total attackers located there.
¹ Attacker locations are identified from IP addresses collected by beacons that are inserted into our communications with BEC actors. IP addresses that are overtly associated with VPNs or other proxies are removed from this dataset; however, there is still a possibility that a device associated with an IP address could be used as a proxy in other ways, so the location (particularly for those outside West Africa) cannot be deemed completely definitive.