Phishing

IT pros see shift to business email compromise ‘3.0’

An Avanan researcher predicts a wave of “3.0” phishing threats.
Francis Scialabba

Even age-old enterprise security threats get an update—like iPhones, the Fast and Furious films, and podcast files labeled “V2_final_FINAL.”

Business email compromise (BEC), or defrauding a company via its inbox, has reached “3.0” status, according to Jeremy Fuchs, a researcher at the email-security company Avanan.

Some of today’s BEC phishing scams dodge filtering systems because they arrive from legitimate email addresses: the notification infrastructure of a real service, not a spoofed or lookalike domain. That means much of the defense falls on employees being properly cautious and skeptical about what the notification contains.

“I think what makes this challenging is that there’s so many services that these attacks can be launched from,” Fuchs told IT Brew. “It’s literally any site that you can send something from, which is pretty much any site on the internet.”

How it works:

  • BEC 3.0 uses a site’s legitimate services—say, PayPal—to share a file. A hacker creates an account and an invoice, maybe with a phone number to fire up some over-the-phone fraud. “The phone number is where the scam actually starts,” Fuchs said.
  • Another example, found and shared by Avanan in March, used the comment feature in Google Workspace to deliver malicious redirects: the comment notification comes from Google, but the link inside it leads off-platform.

While typical advice for business email compromise includes watching out for spoofed email domains, a 3.0 tactic uses familiar, legitimate, not-spoofed domains.

“They’re literally accounts that have been open, from things that you would have,” said Phil Quitugua, a director at tech advisory ISG, citing subscriptions or common invoice services.

BEC in time

In 2022, the FBI’s Internet Crime Complaint Center (IC3) received 21,832 BEC complaints with adjusted losses of more than $2.7 billion.

A “1.0” attack is all about user impersonation, maybe a CEO emailing from a Gmail address, according to Fuchs; a “2.0” tactic is defined by partner compromise, where the message comes from a real vendor’s or partner’s account that has been taken over.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Fuchs said he and his team at Avanan saw more than 20,000 “3.0”-style attacks in the first two months of 2023.

“Hackers have to evolve. And this is that evolution,” Fuchs told IT Brew.

Triple defenses

PayPal offers tips on how to spot bogus invoices, and Google also lists common scams.

PayPal senior manager Zoe Mendes wrote in an email: “We have a zero-tolerance policy on our platform for attempted fraudulent activity, and our teams work tirelessly to protect our customers. We are aware of this phishing scam, and encourage customers to always be vigilant online and to contact Customer Service directly if they suspect they are a target of a scam.”

Ross Richendrfer, Google’s head of security and privacy PR, said in a statement: “Google Workspace has built in protections to thwart these techniques, including click-time protection in Gmail, and link warnings across Drive and our other collaboration products.”

The 3.0 defense may be an update in vigilance—a boost in contextualizing and questioning. Quitugua recommends taking time to figure out the circumstances of a shared notice: Who is the message coming from? Has the invoice already been paid? Is a login required?

Fuchs recommends researching any additional information in the share message—for example you can google an odd phone number, he said.
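The checks above (who sent it, does it ask for a login, is there an odd phone number, does the link leave the platform) are easy to turn into a first-pass triage of service notifications. The script below is an added example, not code from Avanan, PayPal, or Google. It parses a raw notification email and, because a 3.0 message really does come from the service, it does not stop at the sender domain: it extracts phone numbers and links from the body and flags anything that points off-platform or pushes the reader to call or log in. The service profiles (which domains each service sends from and links to) and all four sample messages are constructed for the example and should be verified against your own mail logs before use.

```python
"""Triage a service notification (PayPal invoice, Google Workspace comment)
for BEC 3.0 cues. The message genuinely comes from the service, so instead of
judging the sender we inspect what the notification carries: phone numbers,
links that leave the platform, and requests to log in.

SERVICE_PROFILES and the sample messages are constructed for this example.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed profiles: notification sender domain -> domains its links may point at.
# Illustrative only; confirm against real notifications from each service.
SERVICE_PROFILES = {
    "paypal.com": {"paypal.com", "paypal.me"},
    "google.com": {"google.com"},
}

# Tolerant phone pattern (optional country code, optional parentheses, mixed separators).
PHONE_RE = re.compile(r"(?<!\d)\+?\(?\d{1,3}\)?[\s.-]?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")
LOGIN_RE = re.compile(r"\b(log ?in|sign ?in|verify your (?:account|identity))\b", re.I)


def _under(host: str, domains) -> bool:
    """True if host equals one of domains or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def _body_text(msg) -> str:
    """Return the text/plain content of a parsed message (multipart or not)."""
    if msg.is_multipart():
        return "\n".join(
            p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
            for p in msg.walk() if p.get_content_type() == "text/plain")
    return msg.get_payload()


def triage(raw: str) -> dict:
    """Classify one raw notification email; returns the cues found and human-readable flags."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    service = next((s for s in SERVICE_PROFILES if _under(sender_domain, {s})), None)
    text = msg.get("Subject", "") + "\n" + _body_text(msg)

    phones = sorted({m.group() for m in PHONE_RE.finditer(text)})
    links = URL_RE.findall(text)
    allowed = SERVICE_PROFILES.get(service, set())
    external = [u for u in links if not _under(urlparse(u).hostname or "", allowed)]

    flags = []
    if service is None:
        flags.append("sender is not a known service (spoof/lookalike, i.e. a 1.0-style cue)")
    if phones:
        flags.append("phone number inside the notification: look it up independently, do not call it")
    if external:
        flags.append("link leaves the platform: " + ", ".join(external))
    if LOGIN_RE.search(text):
        flags.append("asks for a login: open the service directly, not from this message")
    return {"service": service, "phones": phones, "external_links": external, "flags": flags}


# Constructed samples (not real messages). Bodies are kept free of digit runs
# that the phone pattern could mistake for numbers, apart from the planted one.
PAYPAL_INVOICE = """From: "service@paypal.com" <service@paypal.com>
To: ap@example.com
Subject: Invoice from Northwind Supply

Northwind Supply sent you an invoice for $1,250.00.
Note from seller: If you did not authorize this purchase, call +1 (888) 555-0142 within 24 hours.
View and pay your invoice: https://www.paypal.com/invoice/p/INV2023
"""

GOOGLE_COMMENT = """From: "Dana (Google Docs)" <comments-noreply@docs.google.com>
To: ap@example.com
Subject: Dana mentioned you in "Q3 vendor payments"

Dana mentioned you in a comment:
"@ap@example.com please review the updated wire details here: https://secure-docs-review.example.net/login"
Open: https://docs.google.com/document/d/abc123/edit
"""

CLEAN_RECEIPT = """From: service@paypal.com
To: ap@example.com
Subject: You paid Contoso Ltd

You sent a payment of $84.00 to Contoso Ltd.
Details: https://www.paypal.com/activity
"""

LOOKALIKE_SENDER = """From: billing@paypa1-secure.example
To: ap@example.com
Subject: Your account is limited

Sign in to restore access: https://paypa1-secure.example/restore
"""

if __name__ == "__main__":
    for name, raw in [("paypal_invoice", PAYPAL_INVOICE), ("google_comment", GOOGLE_COMMENT),
                      ("clean_receipt", CLEAN_RECEIPT), ("lookalike", LOOKALIKE_SENDER)]:
        print(name, triage(raw))
```

The point of the ordering is that the sender check comes first but is not decisive: the first two samples pass it, as a real 3.0 message would, and are caught only by the phone number and the off-platform link. Feeding a mail gateway's notification traffic through something like this will not replace click-time protection, but it surfaces the two fields a human should question before calling or clicking.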

“Hackers are really smart,” Fuchs said. “And then the security people are really smart, and we’re obviously going back and forth, back and forth. We’ve been doing it since the internet was invented. Yeah. We’re gonna continue to do it. And this is just that next evolution.”
