This sneaky fraud attack looks like an email forwarded by your boss

Business email compromise scammers are getting savvier with their lures - and new attack groups are emerging.
Written by Danny Palmer, Senior Writer
Image: Getty

A business email compromise (BEC) campaign is using an email thread that pretends to have been forwarded by the boss in a bid to trick targets into handing over big sums of money.

Not only are BEC attacks one of the most lucrative forms of cybercrime – the FBI says they've cost victims a combined total of more than $43 billion in recent years – but they're also one of the simplest to carry out because all attackers really need is an internet connection, an email account and perhaps some background research into their targets. 

Often, BEC emails seem to be from a colleague or a boss, claiming that a wire transfer must be made quickly and quietly, with scammers hoping that generating a sense of urgency will be enough to trick the unfortunate target into making a bogus payment.

But with a little more nuance, BEC attacks have the potential to be more effective and harder for victims to spot – and that could prove very costly for businesses. 

Also: The biggest cybercrime threat is also the one that nobody wants to talk about

One of these more advanced BEC campaigns is designed to trick victims into thinking they've been forwarded an ongoing thread by their boss, asking them to deal with an invoice and make a payment – which is sent to an account run by the scammer. 

The campaign has been detailed by cybersecurity researchers at Abnormal Security, who describe it as a "a sophisticated new business email compromise attack" that combines vendor impersonation with executive impersonation. 

Attacks are even personalized, using email spoofing and a claim that they're from an actual executive of the company that the target victim works for. 

And to make the attack look more convincing, it's designed to look like it's part of an ongoing thread, with the "boss" asking the victim to set up a financial transaction related to a business payment that is referenced in the forwarded email. But like the message from the "boss", the forwarded request for an invoice is also fake, made up by scammers as part of the lure. 

By using an invoice request that looks like it's being paid to a real company, the attackers hope the target organisation might have a genuine business relationship with the victim and will follow the instructions and make the transfer without asking questions or alerting anyone else. 

And because there's no malware or malicious code used in BEC attacks, they often bypass email protections. 

"Like all BEC attacks, the reason traditional email defenses have a difficult time detecting them is because they don't contain any of the static indicators most defenses look out for, like malicious links or attachments. Most BEC attacks are nothing more than pure, text-based social engineering that traditional email defenses are not well-equipped to detect," Crane Hassold, director of threat intelligence at Abnormal Security, told ZDNET. 

According to analysis of the attacks, the campaign has been active since July 2022 and is believed to be the work of a group that researchers refer to as Cobalt Terrapin, which appears to operate out of Turkey. 

Also: The scary future of the internet: How the tech of tomorrow will pose even bigger cybersecurity threats

The nature of BEC campaigns makes them tricky to defend against, particularly when the attacks rely on social engineering, instead of relying on malware or other malicious activity that can be detected by anti-virus software. 

However, it's possible to take steps to help detect against BEC email threats – and those measures start with educating staff on how to identify scam emails. For example, by examining if the email is correct, or if an unexpected message has been sent with an unusually urgent request.  

Staff should also be advised to verify any suspect request through a different means of communication, such as instant messaging or a phone call. 

Taking the time to verify a request might sound unintuitive in a fast-paced business environment, but it could save you from losing hundreds of thousands of dollars in a BEC attack. 


Editorial standards