Executive Summary
The findings in this report come from the results of active defense engagements with BEC threat actors. Every month, the Agari Cyber Intelligence Division (ACID) conducts hundreds of these engagements to collect comprehensive intelligence about BEC tactics and trends to help better understand how the BEC threat landscape is evolving.
The primary findings for September 2024 detailed in this report include the following:
During September 2024, the ACID team observed a decrease of 12% in overall attack volume in comparison to the prior month.
Gift cards were the most common cash out method in September, totaling 29.9% of all cash out methods.
The average amount requested from BEC wire transfer attackers was $43,398 in September compared to $72,857 in August 2024.
During the month of September 2024, regional US banks proved to be the most common institutions of choice for wire transfer scammers, making up 36% of the total.
During the month of September 2024, specialty banks were the most common institutions of choice for payroll diversion scammers, totaling 40%.
65% of BEC attacks were sent from email addresses hosted on free webmail providers compared to 35% of attacks sent from maliciously registered domains.
For September 2024, Google was the primary webmail provider used by actors to send BEC campaigns, comprising 79% of the 1,272 free webmail accounts used by scammers.
Nigeria was the primary location linked to BEC threat actors in September, with 41% of all BEC actors originating from Nigeria-based IP addresses.
BEC Attack Trends
During the month of September 2024, the ACID team observed a decrease of 12% in overall attack volume in comparison to the prior month.
Gift cards were the most common cash out method (29.9%), followed by advanced fee frauds (22.8%), credential phishing (6.0%), payroll diversions (4.2%), wire transfers (0.7%), and vishing (0.5%). Thirty-six percent of the attacks in September 2024 requested other types of payment such as cryptocurrency.
BEC Wire Transfers
Wire transfer BEC attacks decreased by 39% in September (see Figure 2).
The average amount requested from BEC wire transfer attackers was $43,398 in September compared to $72,857 in August 2024, a decrease of 40%. During the month of September, 58% of wire transfer BEC attacks requested less than $10,000, while 17% of wire transfer BEC attacks requested between $10,000 and $50,000. For the other 25% of wire transfer BEC attacks, 0% requested between $50,000 and $100,000 and 25% requested more than $100,000.
During the month of September 2024, regional US banks proved to be the most common institutions of choice for wire transfer scammers, comprising 36% of the total. This type of bank was followed by major US banks (29%), online banks (14%), and international (non-US) banks (14%).
BEC Payroll Diversions
During the month of September 2024, specialty banks proved to be the most common institutions of choice for payroll diversion scammers, comprising 40% of the total. This type of bank was followed by regional US banks (21%), major US banks (16%), online banks (8%), and international (non-US) banks (8%).
For the month of September, 84 banks were utilized in payroll diversion scams.
BEC Infrastructure
65% of BEC attacks were sent from email addresses hosted on free webmail providers compared to 35% of attacks sent from maliciously registered domains. The share of attacks sent from free webmail providers decreased in September, down from 71% in August 2024.
For September 2024, Google was the primary webmail provider used by actors to send BEC campaigns, comprising 79% of the 1,272 free webmail accounts used by scammers. Other popular webmail providers included Microsoft and Verizon Media.
BEC Attack Locations
Nigeria was the primary location¹ linked to BEC threat actors in September, with nearly 41% of all BEC actors originating from Nigeria-based IP addresses. The United States was next, with 35% of the total attackers located there.
¹ Attacker locations are identified from IP addresses collected by beacons that are inserted into our communications with BEC actors. IP addresses that are overtly associated with VPNs or other proxies are removed from this dataset; however, there is still a possibility that a device associated with an IP address could be used as a proxy in other ways, so the location (particularly for those outside West Africa) cannot be deemed completely definitive.
Cybercrime Intelligence Shouldn't Be Siloed
Fortra® experts are dedicated to protecting organizations and the public by delivering the latest insights, data, and defenses to strengthen security against emerging cyber threats.