Report Reveals BEC Cryptocurrency Scams Rose by 344%

APWG’s Q4 2024 Phishing Activity Trends Report, published March 19^th, revealed that more than eight in ten Business Email Compromise (BEC) attacks last quarter were sent by attackers favoring Google’s free webmail service. By comparison, only 10% used Microsoft’s free email web app, Outlook.com.

The report, published quarterly, is a product of the phishing incidents reported to the APWG annually by its Global Research Partners and aligns with the APWG’s goal of measuring the “evolution, proliferation, and propagation of crimeware.”

Highlights from the APWG’s Q4 2024 Report include:

• A 13% increase in phishing attacks from Q2.
• A new trend of Chinese SMS phishers flooding US residents’ cell phones with SMiShing attacks.
• More phishing attacks on the SaaS/Webmail sector than on Finance and eCommerce combined.
• Attackers doubled the amount requested in BEC wire transfers from the previous quarter.

And of course, the fact that BEC cryptocurrency scams – hardly on the map the previous quarter – skyrocketed by 344%.

Phishing Attacks Push to Nearly One Million Per Quarter

In the report, APWG noted that the number of quarterly phishing attacks had risen from 877,537 in Q2 to 989,123 in Q4, an increase of 12.7%. Following a first half decline, phishing attacks caught their momentum and rose in the second half, with an average of roughly 300,000 per month.

US Toll Road Scams from China

APWG’s report revealed that a massive Chinese SMiShing campaign is behind the record number of fake toll payment texts received by people all over the US. The Transportation Corridor Agencies (TCA) issued a warning about this floodgate of scams back in December of last year, cautioning individuals against “a text message-based scam designed to deceive drivers into entering banking or credit card information into a website, fraudulently claiming to represent tolling agencies and requesting payment of unpaid tolls.” As cited in APWG’s Q4 report, this SMiShing scam is enabled by an upgraded phishing toolkit (made in China) which creates word-perfect texts and convincing phishing websites.

SaaS/Webmail the Most Targeted Sector

Step aside Finance, Shipping, eCommerce, and even Social Media; in Q4 of last year, SaaS/Webmail was the most highly targeted industry by phishers worldwide, taking home 23.3% of attacks. Following was Social Media (22.5%), Financial (11.9%), eCommerce/Retail (10.9%), and Payment (7%), with Telecom, Shipping, Travel, and Crypto all trailing behind.

Additionally, there was a 30% increase in new brands targeted between Q3 and Q4 of last year, another interesting development.

BEC Wire Transfer Demand Amounts Double: Even as Demands Themselves Drop

APWG member Fortra was a major contributor to this report’s segment on Business Email Compromise (BEC). The findings reveal that the total number of Q4 BEC wire transfer attacks dropped 21% from Q3; however, the amount requested in each one increased significantly. In Q3, the average wire transfer BEC demand was $67,145. Three months later it was $128,980, reflecting an increase of 92%.

In One Quarter, BEC Cryptocurrency Scams Rose by 344%

How are these scams being landed? As usual, most were attributed to gift card scams (49%), but Q4 saw a notable increase in another area as well; cryptocurrency ploys. While cryptocurrency scams only made up 12% of total BEC attacks (second after gift card scams, actually), this technique only accounted for a mere 2.7% of all BEC activity the quarter before. In one quarter, cryptocurrency scams rose by 344%.

Notes John Wilson, Senior Fellow, Threat Research at Forta: “The big increase in extortion scams that demand cryptocurrency is likely due in part to record-high Bitcoin prices.” Crypto index fund leader Bitwise notes that “Nearly 60 charts reveal a quarter that will go down as one of the most important in crypto’s history” and that “Years from now, we’ll look back at Q4 2024 and say, ‘That’s when crypto went fully mainstream.’” Phishers are opportunists if they’re anything.

81% of BEC Scammers Use Gmail – 10% Use Microsoft

Another interesting trend to note is the prevalent (almost ubiquitous) use of Google’s free webmail offering, Gmail, to send malicious BEC messages. By comparison, Microsoft (Outlook) came in second with a modest 10%, and Verizon, Comcast, World Media and Other accounted for the remaining 9%.

Cloudflare Makes the List of Top BEC Registrars for the First Time

A plurality of BEC scammers in Q4 registered their fraudulent domain(s) with Squarespace, says the report, to the tune of 25%. NameCheap, listed by Domain Name Wire as the third largest registrar, was used by 22%, and Cloudflare came out of (seemingly) nowhere to scoop up another 13%. In last September’s Domain Name Wire list, Cloudflare didn’t even show up.

It was apparently historic for Fortra, too. “Fortra notes that Cloudflare was the third-most-popular domain name registrar used by BEC scammers in Q4 2024,” observes Wilson. “This is the first time Cloudflare made Fortra’s list of top BEC domain registrars.”

Concluding Thoughts

BEC scams have certainly been pegged as the more lucrative, when compared with phishing. It’s no surprise that attackers are leaning into high-value payouts like cryptocurrency and seeking to jump to domain registrars that have previously gone unused; reporting malicious sites to the registrars already in use may have caught up to them. Who knows?

One thing is clear: APWG’s report shows troubling signs of cybercriminal ingenuity and growth that will keep security teams searching for new anti-phishing solutions for the year to come. Fortra’s Integrated Cloud Email Security (ICES) solution goes further than even advanced email security solutions like Secure Email Gateways (SEGs) in defending against malware-less social engineering attacks like phishing and BEC scams. 

Find out how.