Executive Summary
The findings in this report come from the results of active defense engagements with BEC threat actors. Every month, the Agari Cyber Intelligence Division (ACID) conducts hundreds of these engagements to collect comprehensive intelligence about BEC tactics and trends to help better understand how the BEC threat landscape is evolving.
The primary findings for November 2024 detailed in this report include the following:
During November 2024, the ACID team observed an increase of 10% in overall attack volume in comparison to the prior month.
Gift cards were the most common cash out method in November, totaling 30.9% of all cash out methods.
The average amount requested by BEC wire transfer attackers was $28,283 in November compared to $268,633 in October 2024.
During the month of November 2024, major US banks proved to be the most common institutions of choice for wire transfer scammers, making up 19% of the total.
During the month of November 2024, specialty banks were the most common institutions of choice for payroll diversion scammers, totaling 30%.
61% of BEC attacks were sent from email addresses hosted on free webmail providers compared to 39% of attacks sent from maliciously registered domains.
For November 2024, Google was the primary webmail provider used by actors to send BEC campaigns, comprising 85% of the 1,117 free webmail accounts used by scammers.
Nigeria was the primary location linked to BEC threat actors in November, with 42% of all BEC actors originating from Nigeria-based IP addresses.
BEC Attack Trends
During the month of November 2024, the ACID team observed an increase of 10% in overall attack volume in comparison to the prior month.
Gift cards were the most common cash out method (30.9%), followed by advance fee fraud (20.8%), payroll diversions (5.4%), credential phishing (4.4%), vishing (1.4%), and wire transfers (1.3%). Thirty-six percent of the attacks in November 2024 requested other types of payment such as cryptocurrency.
BEC Wire Transfers
Wire transfer BEC attacks decreased by 21% in November (see Figure 2).
The average amount requested by BEC wire transfer attackers was $28,283 in November compared to $268,633 in October 2024, a decrease of 89%. During the month of November, 25% of wire transfer BEC attacks requested less than $10,000, while 70% requested between $10,000 and $50,000. The remaining 5% requested between $50,000 and $100,000, and 0% requested more than $100,000.
During the month of November 2024, major US banks proved to be the most common institutions of choice for wire transfer scammers, comprising 19% of the total. This type of bank was followed by regional US banks (19%), online banks (19%), and international (non-US) banks (19%).
BEC Payroll Diversions
During the month of November 2024, specialty banks proved to be the most common institutions of choice for payroll diversion scammers, comprising 30% of the total. This type of bank was followed by regional US banks (25%), major US banks (16%), credit unions (16%), and international (non-US) banks (7%).
For the month of November, 110 banks were utilized in payroll diversion scams.
BEC Infrastructure
61% of BEC attacks were sent from email addresses hosted on free webmail providers compared to 39% of attacks sent from maliciously registered domains. The percentage of free webmail providers used increased in November compared to 67% in October 2024.
For November 2024, Google was the primary webmail provider used by actors to send BEC campaigns, comprising 85% of the 1,117 free webmail accounts used by scammers. Other popular webmail providers included Microsoft and Verizon Media.
BEC Attack Locations
Nigeria was the primary location¹ linked to BEC threat actors in November, with nearly 42% of all BEC actors originating from Nigeria-based IP addresses. The United States was next, with 36% of the total attackers located there.
¹ Attacker locations are identified from IP addresses collected by beacons that are inserted into our communications with BEC actors. IP addresses that are overtly associated with VPNs or other proxies are removed from this dataset; however, there is still a possibility that a device associated with an IP address could be used as a proxy in other ways, so the location (particularly for those outside West Africa) cannot be deemed completely definitive.