Business entity compromise (BEC) financial fraud using a fake email thread, invoice, and W-9.

Sublime’s Attack Spotlight series is designed to keep you informed of the email threat landscape by showing you real, in-the-wild attack samples, describing adversary tactics and techniques, and explaining how they’re detected.

EMAIL PROVIDER: Google Workspace

ATTACK TYPE: Business Entity Compromise (BEC)

The attack

It’s normal to be cautious when receiving an email from someone you’ve never interacted with before. To overcome this natural skepticism, attackers often embed their scams within fabricated email threads. These threads will include the names of co-workers, trusted companies, industry lingo, and can even have legitimate-looking documents attached. In some cases, attackers will lift threads directly from compromised accounts.

By creating the illusion of an ongoing conversation, the messages appear legitimate, increasing the chances of the recipient taking action. In the case of BEC financial fraud, that means transferring money directly to the attacker’s account.

Anatomy of the attack

There are different ways to deliver this type of BEC fraud scam, but they all share the same foundational steps:

  1. Gather intelligence and fabricate a fake thread: Attackers need detailed information to create a convincing thread, including names, email addresses, and the context of ongoing communications. To simulate an ongoing exchange, they’ll research the target and their vendors, leveraging publicly available information or previously compromised accounts. An advanced version of this attack involves directly compromising an account to lift a real thread.
  2. Craft a fake invoice with believable details: Attackers frequently use legitimate-looking invoice templates, often impersonating companies the target has worked with before. If they’ve compromised an account, they can pull an invoice directly from it. Alternatively, they may request a copy of an old invoice by impersonating a trusted third party, modifying it to include attacker-controlled banking details.
  3. Deliver the fabricated thread and invoice to the target: Using the fake thread as a backdrop, attackers send the invoice to create urgency and pressure for immediate payment. If the impersonated billing company already has invoices in the queue, the target may see no reason to question the authenticity of the request.

BEC financial fraud in the wild

In an attack recently detected by Sublime, we identified a sophisticated BEC financial fraud attempt hidden within a fake email thread sent to an employee in Accounts Payable at a major university. Here’s how the attack unfolded.

The thread begins with an email designed to look like an automatically generated invoice for $50,000. This initial message is crafted to appear as if it were sent 20 days earlier to a coworker of the target. It includes standard invoice details, a description of professional development services, and fake attachments like a W-9 and invoice, all containing information designed to facilitate a payment to an attacker-controlled account.

The fabricated thread then includes a follow-up email, supposedly sent 20 days after the initial invoice. This fake email, addressed to the same coworker, politely reminds the recipient about the overdue payment, adding a sense of urgency and reinforcing the illusion of an ongoing, legitimate conversation.

To make the scam even more convincing, the attacker inserts another fake response from the coworker. In this fabricated reply, the coworker explains that the invoice wasn’t paid because it was mistakenly sent to the wrong person and suggests forwarding it to the intended recipient – who is the actual target of the attack.

The thread culminates in a final email addressed to the target. This message emphasizes the urgency of the overdue payment, using the fabricated thread as evidence to pressure the recipient into transferring the funds immediately.

Here's the full thread along with the invoice and W-9 that were "attached" to the first message in the thread:

Detection signals

Sublime's AI-powered detection engine prevented this BEC attack. The top signals in these attacks are:

  • Fake message thread: Fake message threads, or reuse of real chains, are a common confidence technique that threat actors use to bolster credibility.
  • Unknown sender: The sender has never communicated with your organization.
  • Suspicious sender: The sender's reply-to address uses a freemail provider or a top-level domain (TLD) commonly abused in attacks. Additionally, the sender domain's TLD is ".jp", which is commonly abused to conduct attacks.
  • Engaging fraud language: The message contains a request using the word "kindly", which is commonly observed in BEC attacks. Learn more about Sublime’s use of natural language understanding (NLU) for message classification.

See the Message Query Language (MQL) of the publicly available Detection Rules that detected these attacks: BEC with unusual reply-to or return-path mismatch, Commonly abused sender TLD with engaging language, Fake message thread - Untrusted sender with a mismatched freemail reply-to address.
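The following Python script is an added illustration for this post, not Sublime's code and not a rendering of the MQL rules linked above. It evaluates the five signals listed in this section over two constructed messages (a suspicious one modelled on the thread described here and a benign one); the freemail list, the abused-TLD watch-list (which contains only the ".jp" TLD named in the post) and the known-sender domains are assumptions a defender would tune for their own environment.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample, NOT the attack sample shown in the post: a top-level "kindly" request
# sitting above a fabricated quoted thread, sent from an unknown .jp domain with a freemail Reply-To.
SUSPICIOUS_EML = """\
From: "Vendor Billing" <billing@example-vendor.jp>
Reply-To: vendor.billing.dept@gmail.com
To: ap.clerk@university.example
Subject: RE: RE: Overdue invoice #INV-20391
Content-Type: text/plain; charset=utf-8

Hello,

Kindly process the attached invoice today; it is now 20 days past due.

On Mon, 20 Jan 2025, Jane Coworker <jane@university.example> wrote:
> This came to me by mistake, please forward it to Accounts Payable.
>
> On Tue, 31 Dec 2024, Vendor Billing <billing@example-vendor.jp> wrote:
> > Please find attached invoice INV-20391 and our W-9.
"""

# Constructed benign message from a domain the organization already corresponds with.
BENIGN_EML = """\
From: "Jane Coworker" <jane@university.example>
To: ap.clerk@university.example
Subject: Lunch order
Content-Type: text/plain; charset=utf-8

Can you add one more sandwich to Thursday's order? Thanks.
"""

# Assumed lists: tune these to your own environment.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
ABUSED_TLDS = {"jp"}                                                      # only the TLD the post names
KNOWN_SENDER_DOMAINS = {"university.example", "trusted-vendor.example"}   # domains seen before

# Attribution line that introduces a quoted reply ("On <date>, <name> wrote:"), at any quote depth.
QUOTE_ATTRIBUTION = re.compile(r"^(?:>\s*)*On .+ wrote:\s*$", re.MULTILINE)
ENGAGING_PHRASE = re.compile(r"\bkindly\b", re.IGNORECASE)


def _domain(header_value):
    """Lower-cased domain of the first address in a header, or '' if the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def evaluate(raw_message, known_domains=KNOWN_SENDER_DOMAINS):
    """Check one RFC 822 message against the signals from the post; returns {signal: bool}."""
    msg = message_from_string(raw_message, policy=policy.default)
    sender = _domain(msg["From"])
    reply_to = _domain(msg["Reply-To"])

    body = msg.get_body(preferencelist=("plain",))
    full_text = body.get_content() if body is not None else ""
    # The sender's own words: drop quoted ('>') lines so embedded thread text cannot trigger matches.
    own_text = "\n".join(l for l in full_text.splitlines() if not l.lstrip().startswith(">"))
    quoted_replies = len(QUOTE_ATTRIBUTION.findall(full_text))

    unknown_sender = sender not in known_domains
    return {
        "unknown_sender": unknown_sender,
        "freemail_reply_to_mismatch": bool(reply_to) and reply_to != sender
                                      and reply_to in FREEMAIL_DOMAINS,
        "abused_sender_tld": sender.rsplit(".", 1)[-1] in ABUSED_TLDS,
        # A quoted thread lends no credibility when the organization has never heard from the sender.
        "fake_thread_from_untrusted_sender": unknown_sender and quoted_replies >= 1,
        "engaging_fraud_language": bool(ENGAGING_PHRASE.search(own_text)),
    }


def verdict(signals, threshold=2):
    """Flag when at least `threshold` signals fire; a single weak signal alone is not enough."""
    return "flag" if sum(signals.values()) >= threshold else "allow"


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EML), ("benign", BENIGN_EML)):
        hits = evaluate(raw)
        print(label, verdict(hits), [name for name, fired in hits.items() if fired])
```

The fake-thread signal is deliberately conditioned on the sender being unknown: quoted replies from a vendor you already correspond with are normal, and scoring them alone would drown the real signal in false positives. Combining several weak signals, as the post's rules do, is what makes the verdict useful.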

Sublime detects and prevents BEC and other email-based threats. Start your free account today, managed or self-managed, for out-of-the-box coverage for these types of attacks with the ability to customize their handling for your environment.


About the Author

Sam Scholten

Detection

Sam is the Head of Detection at Sublime. Prior to Sublime, he was a Staff Email Security Researcher at Proofpoint where he developed a business email compromise (BEC) taxonomy and formulated key detection methodologies and rules.
