Vendor Impersonation Account Update BEC Attack

Initial Email Content

Subject

Outstanding invoices

Body

Good Afternoon,

We trust you have what is needed to process these invoices for payment.

Please note: We have recently changed banks and the previous account which you have on file has been closed, hence, all payments effective immediately will be made directly to our (Updated) ACH revised bank account in compliance with the policy of the company.

Please confirm if payment will be going out today or sometimes this week so we can forward the revised bank account details.

If you have any further queries, please don’t hesitate to contact me.

Please share acknowledgement in return email. Thank you!

[Impersonated Vendor Employee Signature]

From: [Impersonated Vendor Employee Name]

Sent: Monday, June 13, 2022 1:20 PM

To: [Hijacked thread recipients]

Cc: [Hijacked thread recipients]

Subject: [Hijacked thread original subject]

[Hijacked thread content]

Attack Screenshots

No items found.

Malicious Artifacts

Additional Indicators of Compromise

Type

Description

No items found.

Attack Description

This text-based BEC attack impersonates a vendor/supplier using a hijacked email thread, a look-alike domain, a spoofed display name, and an account update theme to request a fraudulent payment.

Analysis Overview

Type

Business Email Compromise

Tactic

Hijacked Email Thread

Look-alike Domain

Spoofed Display Name

Goal

Payment Fraud

Impersonated Party

External Party - Vendor/Supplier

Vector

Text-based

Theme

Account Update

Language