BEC Attackers Spoof CC'd Execs to Force Payment

Written by

Security researchers have uncovered another new development in business email compromise (BEC) designed to increase pressure on the recipient to pay a fake invoice.

Dubbed “VIP Invoice Authentication Fraud” by Armorblox, the tactic is used in classic fake emails designed to impersonate trusted vendors or other third parties that the victim organization regularly pays.

Read more on BEC trends: BEC Group Uses Open Source Tactics in Hundreds of Attacks.

The fraudster will send an invoice request to a target – potentially working in the finance team of the victim organization – but crucially also copies in (cc) the target’s boss, or rather a spoofed email domain resembling the boss’s email.

“Upon sending the initial email attack, the bad actor will then reply to the email thread, using the spoofed domain account to impersonate the victim’s boss and instruct them to pay the invoice as soon as possible,” Armorblox explained.

“Without proper hindsight, this email replay looks like a legitimate response coming from his or her trusted executive or manager. This only adds to the sense of urgency to pay the invoice, and increases the risk of financial loss for the organization upon compliance with this request.”

With both supplier and now their boss urging prompt payment, it’s more likely that the victim will go ahead and process the transfer, the security vendor argued.

However, there are still ways to mitigate the impact of such attacks. Armorblox pointed to several techniques which security teams should be able to use:

  • Detection of spoofed sender and executive domains
  • Use of large language models (LLMs) to detect a sense of urgency in the email and the payment request. When combined with the presence of spoofed domains, this should flag the email as fraudulent
  • Use of machine learning and deep learning models to detect characteristics indicating a combination of “VIP Impersonation Fraud” and “External Payment Fraud” attacks

What’s hot on Infosecurity Magazine?