BEC Incidents Intent on Invoice or Payment Fraud Increase 155% Across All Industries

Business Email Compromise appears to be back in the saddle again, as attackers use simple social engineering and domain impersonation to trick victims into paying up.

In the midst of adjusting to working-while-COVID, ransomware seemed to be at the forefront of attacks. But new data from Abnormal Security’s Q3 Quarterly BEC Report shows that business email compromise has recently grown in interest over the last quarter.

According to the report:

It’s evident that the cybercriminals behind these attacks are thinking organizations are doing better financially, and have shifted their tactics to try to find an unwitting internal accomplice within the victim organization to assist with the fraudulent inquiries.

The rise in interest in invoice/payment fraud scams is likely due to its ease of execution. Take a look at the example below from the report:

By sending this to a group mailbox assigned to Accounts Payable, it’s far less necessary to appear credible to an individual, as it’s reasonable that not everyone in your AP department knows every one of their counterparts at a partner organization.

Throw in a dash of good old fashioned domain impersonation to make the email appear real, and you can see how it would be easy to convince someone in AP to change the bank accounts used for payment.

Users within your AP department need to be instructed to use a verification protocol anytime a request to change banking details is made. This should be done using a communications medium other than the one the request was made through, and should use known contact details rather than any provided within the request. Additionally, users involved with any form of managing the organization’s finances should be enrolled in Security Awareness Training to help increase their alertness when it comes to potentially-harmful emails like this.


Principal Owner, Marketing Firm

Bringing IT360 on as our technology services “department” was one of the smartest business decisions we’ve made. Over the years, we’ve tried various similar services and have also hired internal IT staff, and we’ve never felt confident that we were adequately supported. IT360 has changed all that. They not only provide proactive, comprehensive technical support and consulting, they engage with us in a way that feels like they are part of our company…a true business partner.

Principal Owner, Marketing Firm

Technology News

IT360 News
Vaccine Research Companies are the Target of New Ransomware Attacks

The U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) warns financial organizations to be aware of campaigns actively targeting vaccine companies If you’re a ransomware gang and you want to maximize your ransom, who do you attack? An organization working feverishly to potentially make billions of dollars via a desperately needed vaccine, of course! Take […]

Read more
IT360 News
[HEADS UP] Allowing Site Notifications Can be Very Costly

Krebs on Security reported that there have been an increasing number of websites asking visitors to approve ‘notifications’. In most cases these notifications are not malicious, but several firms are paying site owners to install notification scripts to sell to scammers. Normally, a website will ask permission to send notifications (as long as you approve […]

Read more