Attack Details
Attack Date: Jun 29, 2022

Executive Impersonation Overdue Payment Payment Fraud BEC Attack

Initial Email Content

Subject: Daily Invoice from Linkedln
Body

This is Ok to pay. See below and attached. 


Please set up ACH for the attached invoice today.



---------- Forwarded message ---------

From: LinkedIn Receivables Team <david.hoffman[@]receivables-linkedin[.]com>

Sent: Friday, June 10, 2022 12:27 PM

Subject: Reference Number(s):CS48155550-18 LinkedIn Invoice(s)

To: [Executive Name]


Dear Customer,

Invoices on your LinkedIn account are past due.

This is a friendly reminder that you currently owe:


Please send payment via ACH only using the bank details provided on the invoice.


Please note: You may notice some improvements to your invoice. As part of our ongoing commitment to deliver a better billing experience, we have introduced several changes. To learn more about your new invoice, check on our website.


For payment related questions please reply to this email without changing the subject line.



Sincerely,

David Hoffman

LinkedIn Collections


Attack Description

This text-based BEC attack impersonates an executive using a fake email chain, a maliciously registered domain, a spoofed display name, and an overdue payment theme to request a fraudulent payment.

Analysis Overview

Tactic: Fake Email Chain, Maliciously Registered Domain, Spoofed Display Name
Goal: Payment Fraud
Impersonated Party: Employee - Executive
Vector: Text-based
Theme: Overdue Payment
Language