Israel now a major location for lethal business email compromise attackers

Abnormal Security, the behavioral AI-based email security platform, released its threat report that reveals a number of business email compromise (BEC) attacks linked to a threat group based in Israel—a historically unlikely location for BEC threat actors. The report is based on Abnormal research surrounding over 350 BEC campaigns dating back to February 2021.

How is the threat group carrying out attacks?

Most BEC attacks have historically originated in West Africa, with 74% of all attacks analyzed by Abnormal over the past year based in Nigeria. And while many BEC actors found in other countries are connected to Nigeria, there are no indications that the threat group examined in this report has any direct Nigerian ties—making it a notable outlier in the threat landscape.

The report provides a view into how the Israel-based group executes an attack across two phases, each employing a different persona—one internal and one external. The primary pretext is that the firm is working through the confidential acquisition of another company, and the targeted employee is asked to help with the initial payment required for the merger.

The attackers start by impersonating the targeted employee’s CEO before handing off the correspondence to a second external persona, typically a mergers and acquisitions attorney, whose job it is to coordinate the payment. In some BEC campaigns, once the attack has reached this second stage, the group asks to transition the conversation from email to a voice call via WhatsApp, both to expedite the attack and to minimize the trail of evidence.

Mike Britton, Chief Information Security Officer at Abnormal
Mike Britton, Chief Information Security Officer at Abnormal

Commenting on the report, Mike Britton, Chief Information Security Officer at Abnormal, said, “Ultimately, the motivation here is no different from any other business email compromise attack: to make money as quickly and as easily as possible. What is interesting is that these attackers are based in Israel, which is not a country historically connected to cybercrime, and which has traditionally been a location where cybersecurity innovation is prevalent.”

What were the findings of Abnormal Security’s report?

Key findings from the report include:

  • Targets are primarily large and multinational enterprises with more than $10 billion in average annual revenue. Across these targeted organizations, employees from 61 countries across six continents received emails.
  • The average amount requested in an attack by this group is $712,000, more than ten times the average BEC attack.
  • Most emails from this threat group are written in English, but they are also translated into Spanish, French, Italian, and Japanese.
  • The frequency of campaigns follows a cyclical pattern, with 80% of attacks occurring during three periods of the year: March, June-July, and October-December.

The report shows how BEC is continuing to spread, and how attackers are employing more sophisticated, multi-phase attack tactics as they set their sights on massively larger sums of money. To prevent these attacks, enterprises will need an intelligent cloud email security solution that can precisely detect and block attacks before they reach email inboxes.

How Abnormal Security’s tech can help clients stay safe

The Abnormal platform uses behavioral artificial intelligence (AI) to baseline known-good behavior across employees, vendors, applications, and tenants in the email environment. By understanding what is normal, Abnormal can then detect anomalies and remediate malicious emails in seconds, before employees ever have an opportunity to engage with them.

This risk-adaptive approach enables Abnormal to prevent emails sent from attackers like this Israel-based group and others, so organizations can stay safe from evolving email attacks.

To learn more about this Israel-based threat group, download the full report here.