Attack Spotlight
January 7, 2025
Business entity compromise (BEC) financial fraud using a fake email thread, invoice, and W-9.
Sublime’s Attack Spotlight series is designed to keep you informed of the email threat landscape by showing you real, in-the-wild attack samples, describing adversary tactics and techniques, and explaining how they’re detected.
EMAIL PROVIDER: Google Workspace
ATTACK TYPE: Business Entity Compromise (BEC)
It’s normal to be cautious when receiving an email from someone you’ve never interacted with before. To overcome this natural skepticism, attackers often embed their scams within fabricated email threads. These threads will include the names of co-workers, trusted companies, industry lingo, and can even have legitimate-looking documents attached. In some cases, attackers will lift threads directly from compromised accounts.
By creating the illusion of an ongoing conversation, the messages appear legitimate, increasing the chances of the recipient taking action. In the case of BEC financial fraud, that means transferring money directly to the attacker’s account.
There are different ways to deliver this type of BEC fraud scam, but they all share the same foundational steps:
In an attack recently detected by Sublime, we identified a sophisticated BEC financial fraud attempt hidden within a fake email thread sent to an employee in Accounts Payable at a major university. Here’s how the attack unfolded.
The thread begins with an email designed to look like an automatically generated invoice for $50,000. This initial message is crafted to appear as if it were sent 20 days earlier to a coworker of the target. It includes standard invoice details, a description of professional development services, and fake attachments like a W-9 and invoice, all containing information designed to facilitate a payment to an attacker-controlled account.
The fabricated thread then includes a follow-up email, supposedly sent 20 days after the initial invoice. This fake email, addressed to the same coworker, politely reminds the recipient about the overdue payment, adding a sense of urgency and reinforcing the illusion of an ongoing, legitimate conversation.
To make the scam even more convincing, the attacker inserts another fake response from the coworker. In this fabricated reply, the coworker explains that the invoice wasn’t paid because it was mistakenly sent to the wrong person and suggests forwarding it to the intended recipient – who is the actual target of the attack.
The thread culminates in a final email addressed to the target. This message emphasizes the urgency of the overdue payment, using the fabricated thread as evidence to pressure the recipient into transferring the funds immediately.
Here's the full thread along with the invoice and W-9 that were "attached" to the first message in the thread:
Sublime's AI-powered detection engine prevented this BEC attack. The top signals in these attacks are:
See the Message Query Language (MQL) of the publicly available Detection Rules that detected these attacks: BEC with unusual reply-to or return-path mismatch, Commonly abused sender TLD with engaging language, Fake message thread - Untrusted sender with a mismatched freemail reply-to address.
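As an added illustration of the header-based signals named above (not Sublime's MQL rules and not code from the original post), the Python below flags a Reply-To or Return-Path whose domain differs from the From domain, a freemail Reply-To on a sender outside a caller-supplied trusted set, and a reply-looking subject that carries no In-Reply-To or References headers. The freemail list and the sample message are constructed for this example.

```python
import email
from email.utils import parseaddr

# Freemail providers whose appearance in Reply-To is a signal when the sender is
# untrusted. Illustrative list, an assumption of this example.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}

def _domain(header_value):
    """Lower-cased domain of the first address in a header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def bec_signals(raw_message, trusted_domains=frozenset()):
    """Return the names of the signals fired by a raw RFC 5322 message.
    Approximates the spotlight's signals: Reply-To or Return-Path not matching the
    From domain, a freemail Reply-To on an untrusted sender, and a 'fake thread'
    (Re:/Fwd: subject carrying no threading headers at all)."""
    msg = email.message_from_string(raw_message)
    from_dom, reply_dom = _domain(msg["From"]), _domain(msg["Reply-To"])
    return_dom = _domain(msg["Return-Path"])
    untrusted = from_dom not in trusted_domains
    signals = []
    if reply_dom and reply_dom != from_dom:
        signals.append("reply_to_mismatch")
    # Bulk mailers legitimately use a separate bounce domain, so on its own this
    # is weak evidence; the published rules pair it with other indicators.
    if return_dom and return_dom != from_dom:
        signals.append("return_path_mismatch")
    if untrusted and reply_dom in FREEMAIL_DOMAINS:
        signals.append("freemail_reply_to_untrusted_sender")
    subject = (msg["Subject"] or "").strip().lower()
    looks_like_reply = subject.startswith(("re:", "fw:", "fwd:"))
    if untrusted and looks_like_reply and not (msg["In-Reply-To"] or msg["References"]):
        signals.append("fake_thread_without_threading_headers")
    return signals

# Constructed sample shaped like the spotlight's final message; addresses are fictitious.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
From: "Accounts Receivable" <billing@vendor-example.com>
Reply-To: <vendor.billing.dept@gmail.com>
To: ap-clerk@university.example.edu
Subject: Re: Re: Overdue Invoice #4471 - Professional Development Services

Per the thread below, please process the $50,000 payment today.
"""

if __name__ == "__main__":
    print(bec_signals(SAMPLE, trusted_domains={"university.example.edu"}))
```

A genuine reply carries the threading headers the sending client adds, so the fake-thread signal stays quiet on real conversations while firing on a pasted-in thread like the one in this spotlight.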
Sublime detects and prevents BEC and other email-based threats. Start your free account today, managed or self-managed, for out-of-the-box coverage for these types of attacks with the ability to customize their handling for your environment.