BEC Attackers Spoof CC'd Execs to Force Payment

Security researchers have identified a new business email compromise (BEC) tactic designed to increase the recipient's urgency to pay a fraudulent invoice. Dubbed "VIP Invoice Authorization Fraud" by Armorblox, the scheme uses emails that impersonate legitimate vendors or other third parties that the targeted organization pays on a regular basis. The scammer sends an invoice request to an individual, typically someone in the target's finance team. What distinguishes this tactic is that the scammer also CCs the recipient's boss on the thread, using a lookalike domain that closely resembles the boss's real email domain.

Once the initial email is delivered, the attacker replies to the thread from the lookalike-domain account, impersonating the victim's boss and instructing the recipient to pay the invoice immediately. Armorblox noted that without careful scrutiny the exchange looks like a genuine reply from a trusted executive or manager. That apparent approval adds urgency to the payment request and raises the risk of financial loss if the organization acts on it.
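The two technical tells in the thread described above are a participant whose domain is a near match for the organization's real domain, and a display name that matches a known executive but an address that does not. The following is an added example, not code from the original article or from Armorblox, of a check that flags both over a thread's From/Reply-To/To/Cc headers. The organization domain, the executive directory and the sample messages are all constructed here for illustration.

```python
"""Flag lookalike-domain and display-name-mismatch participants in an email thread.

Added example (not from the article). ORG_DOMAIN, DIRECTORY and SAMPLE_THREAD
are constructed assumptions standing in for a real tenant's data.
"""
from email import message_from_string
from email.utils import getaddresses
import unicodedata

ORG_DOMAIN = "acme-corp.com"                       # assumed real company domain
# assumed internal directory: lower-cased display name -> real mailbox
DIRECTORY = {"jane doe": "jane.doe@acme-corp.com"}

# Constructed thread: a vendor invoice with the "boss" CC'd at a lookalike
# domain, followed by the "boss" replying from that domain to approve payment.
SAMPLE_THREAD = [
    """From: Billing <billing@northwind-supplies.example>
To: AP Clerk <ap.clerk@acme-corp.com>
Cc: Jane Doe <jane.doe@acme-c0rp.com>
Subject: Invoice 4471 due

Please find the attached invoice.
""",
    """From: Jane Doe <jane.doe@acme-c0rp.com>
To: AP Clerk <ap.clerk@acme-corp.com>
Cc: Billing <billing@northwind-supplies.example>
Subject: RE: Invoice 4471 due

Approved, please pay this today.
""",
]


def fold(domain):
    """Normalize a domain for comparison: lowercase, drop accents, and fold the
    substitutions attackers commonly use (0->o, 1->l, 3->e, 5->s, rn->m, vv->w)."""
    d = unicodedata.normalize("NFKD", domain.strip().lower().rstrip("."))
    d = "".join(c for c in d if not unicodedata.combining(c))
    d = d.translate(str.maketrans("0135", "oles"))
    return d.replace("rn", "m").replace("vv", "w")


def levenshtein(a, b):
    """Plain edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, org_domain=ORG_DOMAIN):
    """True if domain is not the org domain but is within one edit of it after
    folding, which catches acme-c0rp.com, acrne-corp.com, acme-corp.co, etc."""
    if domain.lower() == org_domain.lower():
        return False
    return levenshtein(fold(domain), fold(org_domain)) <= 1


def participants(raw):
    """Yield (header, display name, lower-cased address) for every sender and
    recipient header on one RFC 822 message."""
    msg = message_from_string(raw)
    found = []
    for hdr in ("From", "Reply-To", "To", "Cc"):
        for name, addr in getaddresses(msg.get_all(hdr, [])):
            if addr:
                found.append((hdr, name, addr.lower()))
    return found


def analyze(thread):
    """Return (message number, header, address, reason) for every suspicious
    participant in a list of raw messages."""
    findings = []
    for n, raw in enumerate(thread, 1):
        for hdr, name, addr in participants(raw):
            domain = addr.rpartition("@")[2]
            if is_lookalike(domain):
                findings.append((n, hdr, addr, "lookalike of " + ORG_DOMAIN))
            real = DIRECTORY.get(name.strip().lower())
            if real and real != addr:
                findings.append((n, hdr, addr, "display name belongs to " + real))
    return findings


if __name__ == "__main__":
    for n, hdr, addr, reason in analyze(SAMPLE_THREAD):
        print(f"message {n} {hdr}: {addr} -> {reason}")
```

Both rules fire on the CC'd address in the first message and again on the sender of the "approval" reply, which is exactly the point at which a finance user would otherwise see a trusted name. A one-edit threshold will also hit legitimate partner domains that happen to be close, so treat the output as a warning banner or review queue rather than an automatic block.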

Security Officer Comments:
VIP Invoice Authorization Fraud gives malicious actors a troubling new way to commit payment fraud against targeted organizations. By assuming the identity of a trusted vendor or third-party contact, the perpetrators exploit the victim's existing trust and make it more likely the payment request is fulfilled. By also impersonating the victim's boss within the same conversation, the attacker manufactures both urgency and apparent authority, reducing the victim's inclination to scrutinize the request or question who is really approving it.

Suggested Correction(s):
BEC attacks are harder to defend against than traditional phishing because they rarely carry the indicators that filters catch, such as malicious links or attachments; in this campaign the only technical tell is the lookalike domain used for the CC'd executive. Because the messages appear to come from trusted and expected partners, employees are more likely to act on them.

Employee training is the primary defense. Employees should understand that any email could be malicious. If you receive an unexpected invoice, wire transfer request, or unusual message from a trusted contact, verify it by phone using a number already on file, not one supplied in the email. Never verify a payment request by replying to the email thread, because the account or thread may be under the threat actor's control. Check that an executive's address exactly matches their known domain rather than a near match, since an approval from a lookalike domain is the whole point of this attack.

Be wary of requests that play on emotions, create a sense of urgency, or simply feel off. Even when an email appears to come from a trusted sender, the spelling mistakes and poor grammar typical of ordinary phishing may still be present.

To reduce the chance of your own account being taken over and used in a BEC attack, enable multifactor authentication on all email accounts. Organizations should also monitor leak sites and use security tools that watch for stolen or leaked credentials.

Link(s):
https://www.infosecurity-magazine.com/news/bec-attacks-spoof-ccd-execs-force/
https://www.armorblox.com/blog/armorblox-stops-vip-invoice-authorization-fraud-attack/