Attack Details
Attack Date: May 2, 2022

Vendor Impersonation Fake Email Chain BEC Attack

Initial Email Content

Subject: Re: PWC LP: INVOICE# 001691134 PAYMENT DUE

Body:

Could you please advise when we can expect payment?

Thank you,

[Vendor Employee Name], CPA
Chief Financial Officer
PwC network.


PricewaterhouseCoopers LLP
411 Hamilton Boulevard
Peoria, Illinois 61602
United States


On Mon, May 2, 2022 at 8:23 AM [Target Company Executive Name] <send@omnicrosoft-sender-via-omnicrosoft-server.com> wrote:

   [Recipient Name],

   Could you please ACH arrange payment for this invoice today.
   See below and attached.

   ---------- Forwarded message ---------


   From: [Vendor Employee Name]<[Vendor Employee Username]@accounts-pwc.com>
   Sent: Friday, April 29, 2022 10:14 AM
   To: [Target Company Executive Name]
   Cc:  [Vendor Employee Name]<[Vendor Employee Username]@accounts-pwc.com>
   Subject: PWC LLP: INVOICE# 001691134 PAYMENT DUE

   A new invoice 001691134 has been generated and is attached for your
   review and payment.

   Please make payment via ACH (Automated clearing house). Bank
   information is on the invoice.

   If you are experiencing issues viewing the attached pdf via a mobile
   device, please use your standard mail client or webmail.

   Thank you,

   [Vendor Employee Name], CPA
   Chief Financial Officer
   PwC network.

Attack Description

This text-based BEC attack impersonates a vendor/supplier using a fake email chain, display name spoofing, and a look-alike domain to request a fraudulent payment.

Analysis Overview

Tactic: Fake Email Chain, Look-alike Domain, Spoofed Display Name
Goal: Payment Fraud
Impersonated Party: External Party - Vendor/Supplier
Vector: Text-based
Theme: Fake Email Chain
Language