Home M3AAWG Blog Understanding and Preventing SMS-based Business Email Compromise (BEC)

Author: Mobile Committee Chairs

Business email compromise, or BEC, has become an increasingly dangerous and widely used tool for an adversary to get access to a business email account to spoof the identity of an employee. Unfortunately, This technique has moved beyond email to SMS (Short Message Service) using cell phones, in which the attacker gets the target’s phone for attacks or compromises.

The technique is simple: an attacker gets the phone number and then uses the number to entice the user with offers of gift cards, wire transfers and the like. These transactions then trick the user into sharing passwords, PINs and other highly sensitive information. Even more concerning, these attacks also can spoof legitimate two-factor authentication (2FA) methods used by many commerce sites, financial institutions and others, thereby opening up accounts to theft and attack. Many users experienced a flood of these attempted attacks over the recent holidays.

According to a recent report, “…the trend of SMS-text phishing growing as a vector to attack mobile users and their devices. In the first half of 2021, global reports climbed by 270% compared to the same period in 2020.” Per the report, “…text messages have a 98% open rate, and 90% of messages are opened in the first three minutes…Further, the success rate — as measured by the proportion of users that click through to an attacker's page — is eight times that of email phishing.”

These SMS attacks also can involve an attacker requesting answers to common security questions used to secure accounts. This tactic is known as “smishing” and often conducted from a burner phone or online SMS service.

Another increasingly used attack involves an adversary using stolen Personal Identifiable Information (PII) to port a user’s phone number from their real cell phone carrier to another one. The attacker usually will have enough info by then to authenticate the account and trick customer service into handling the transaction. Then, the attackers can intercept authentication codes, and the victim’s real account is disconnected, leaving them little recourse to deal with the situation.

SIM cloning allows attackers to clone the victim’s SIM card and access the information stored there, offering access to messages, data and authentication information. Finally, another attack vector is SMS spoofing, in which the source of messages is not authenticated, allowing trusted senders to be impersonated.

Given all of these potential attacks, how can we prevent them? M3AAWG recommends employees avoid using SMS for business comms. Phone accounts should be set up to enable a PIN to prevent account takeovers. Networks should be segmented for BYOD and corporate devices, and we recommend the use of encrypted apps. M3AAWG also suggests the use of an authenticator app for 2FA, in lieu of SMS that shows a code in clear text.

Users can report smishing or suspicious SMS messages by forwarding the message to “#7726” or by using the abuse reporting feature on supported smart devices.

M3AAWG has published best practices for email authentication that offers a number of specific actions and guidance here, https://www.m3aawg.org/sites/default/files/m3aawg-email-authentication-recommended-best-practices-09-2020.pdf. Additional email recommendations can be found in our Best Practices library here, https://www.m3aawg.org/published-documents

Learn more about these attacks and recommendations for mitigation in our video below. Members also can learn more in our Meeting 54 session. Registration and info available here, https://bit.ly/3kAryfM



The views expressed in DM3Z are those of the individual authors and do not necessarily reflect M3AAWG policy.