BEC Attackers Spoof CC’d Execs to Force Payment

Security researchers have discovered a new development in business email compromise (BEC) designed to pressure recipients into paying bogus invoices.

This tactic, dubbed the “VIP invoice verification scam” by Armorblox, begins with a classic fake email that impersonates a trusted vendor or other third party the victim organization regularly pays.

For more information on BEC trends, see BEC Groups Use Open Source Tactics in Hundreds of Attacks.

The scammer sends an invoice request to the target (typically someone on the victim organization’s finance team) but, crucially, also copies (CCs) an address on a spoofed domain that closely resembles the one used by the target’s boss.

“After sending the initial email attack, the malicious actor would reply to that email thread, using a spoofed domain account to impersonate the victim’s boss and instruct them to pay the bill as soon as possible,” explained Armorblox.

“Without proper hindsight, this email reply looks like a legitimate response from a trusted executive or manager. It increases the risk that an organization will suffer financial loss if it responds to

Victims are more likely to proceed with the money transfer, the security vendor argued, because both the supposed supplier and their own boss appear to want prompt payment.

However, there are still ways to mitigate the impact of such attacks. Armorblox highlighted several techniques security teams can use:

  • Detection of spoofed sender and executive domains
  • Detection of urgency in emails and payment requests using a large language model (LLM); combined with the presence of a spoofed domain, the email should be flagged as fraudulent
  • Machine learning and deep learning models that detect features indicative of combined “VIP impersonation fraud” and “external payment fraud” attacks
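As an added illustration, not code from the article or from Armorblox, the Python sketch below combines the first two points: it flags a lookalike of the organization’s own domain in the From, Reply-To or Cc headers and pairs that with urgent payment language. The organization domain example.com, the lookalike examp1e.com and both sample messages are constructed for the example.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumed victim organization domain (placeholder, not from the article).
ORG_DOMAIN = "example.com"
URGENCY_TERMS = ("as soon as possible", "asap", "urgent", "immediately", "overdue")

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain, org_domain=ORG_DOMAIN, max_distance=2):
    """True for a domain that is not ours but is within a couple of edits of it."""
    domain, org_domain = domain.lower(), org_domain.lower()
    return domain != org_domain and edit_distance(domain, org_domain) <= max_distance

def assess(raw_message, org_domain=ORG_DOMAIN):
    """Score one message: lookalike exec domain in From/Reply-To/Cc plus urgent payment language."""
    msg = message_from_string(raw_message)
    headers = [v for h in ("From", "Reply-To", "Cc") for v in msg.get_all(h, [])]
    domains = {addr.rpartition("@")[2] for _, addr in getaddresses(headers) if "@" in addr}
    lookalikes = sorted(d for d in domains if is_lookalike(d, org_domain))
    text = (msg["Subject"] or "") + " " + msg.get_payload()
    urgent = [t for t in URGENCY_TERMS if t in text.lower()]
    if lookalikes and urgent:
        verdict = "fraudulent"   # spoofed exec domain plus pressure to pay
    elif lookalikes:
        verdict = "suspicious"   # lookalike CC'd on the thread, no pressure yet
    else:
        verdict = "clean"
    return {"verdict": verdict, "lookalike_domains": lookalikes, "urgency_terms": urgent}

# Constructed samples: the vendor invoice that CCs the lookalike "boss", then the lookalike's reply.
INITIAL_INVOICE = """From: billing@acme-supplier.invalid
Cc: "Jane Doe" <jane.doe@examp1e.com>
Subject: Invoice #1042 - Q2 services

Please find attached invoice #1042 for Q2 services.
"""
EXEC_REPLY = """From: "Jane Doe, CFO" <jane.doe@examp1e.com>
Subject: RE: Invoice #1042 - Q2 services

Please pay this invoice as soon as possible, I have approved it.
"""
```

The initial vendor email scores “suspicious” on the CC’d lookalike alone, and the follow-up reply from that domain scores “fraudulent” once the urgency language appears.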
