Executive Summary
The findings in this report come from the results of active defense engagements with BEC threat actors. Every month, the Agari Cyber Intelligence Division (ACID) conducts hundreds of these engagements to collect comprehensive intelligence about BEC tactics and trends to help better understand how the BEC threat landscape is evolving.
The primary findings for October 2024 detailed in this report include the following:
During October 2024, the ACID team observed a decrease of 11% in overall attack volume in comparison to the prior month.
Gift cards were the most common cash out method in October, totaling 25.7% of all cash out methods.
The average amount requested by BEC wire transfer attackers was $268,633 in October compared to $43,398 in September 2024.
During the month of October 2024, major US banks proved to be the most common institutions of choice for wire transfer scammers, making up 48% of the total.
During the month of October 2024, specialty banks were the most common institutions of choice for payroll diversion scammers, totaling 34%.
67% of BEC attacks were sent from email addresses hosted on free webmail providers compared to 33% of attacks sent from maliciously registered domains.
For October 2024, Google was the primary webmail provider used by actors to send BEC campaigns, comprising 81% of the 1,084 free webmail accounts used by scammers.
The United States was the primary location linked to BEC threat actors in October, with 43% of all BEC actors originating from United States-based IP addresses.
BEC Attack Trends
During the month of October 2024, the ACID team observed a decrease of 11% in overall attack volume in comparison to the prior month.
Gift cards were the most common cash out method (25.7%), followed by advanced fee frauds (17.2%), credential phishing (12.2%), payroll diversions (5.8%), wire transfers (1.8%), and vishing (1.2%). Thirty-six percent of the attacks in October 2024 requested other types of payment such as cryptocurrency.
BEC Wire Transfers
Wire transfer BEC attacks increased by 136% in October (see Figure 2).
The average amount requested by BEC wire transfer attackers was $268,633 in October compared to $43,398 in September 2024, an increase of 519%. During the month of October, 19% of wire transfer BEC attacks requested less than $10,000, while 42% requested between $10,000 and $50,000. The other 39% comprised 12% that requested between $50,000 and $100,000 and 27% that requested more than $100,000.
During the month of October 2024, major US banks proved to be the most common institutions of choice for wire transfer scammers, comprising 48% of the total. This type of bank was followed by regional US banks (15%), international (non-US) banks (15%), and credit unions (9%).
BEC Payroll Diversions
During the month of October 2024, specialty banks proved to be the most common institutions of choice for payroll diversion scammers, comprising 34% of the total. This type of bank was followed by major US banks (22%), regional US banks (21%), credit unions (9%), and online banks (8%).
For the month of October, 106 banks were utilized in payroll diversion scams.
BEC Infrastructure
67% of BEC attacks were sent from email addresses hosted on free webmail providers compared to 33% of attacks sent from maliciously registered domains. The percentage of free webmail providers used decreased in October compared to 65% in September 2024.
For October 2024, Google was the primary webmail provider used by actors to send BEC campaigns, comprising 81% of the 1,084 free webmail accounts used by scammers. Other popular webmail providers included Microsoft and Verizon Media.
BEC Attack Locations
The United States was the primary location¹ linked to BEC threat actors in October, with nearly 43% of all BEC actors originating from United States-based IP addresses. Nigeria was next, with 41% of the total attackers located there.
¹ Attacker locations are identified using IP addresses collected by beacons that are inserted into our communications with BEC actors. IP addresses that are overtly associated with VPNs or other proxies are removed from this dataset; however, there is still a possibility that a device associated with an IP address could be used as a proxy in other ways, so the location (particularly for those outside West Africa) cannot be deemed completely definitive.