In this attack, the email posed as a message from a collection manager at a third-party factoring company requesting a copy of an up-to-date aging report, containing customers with outstanding balances and their contact details. A factoring company is a business that buys out other companies’ unpaid invoices in exchange for a fee and then takes responsibility for collecting the outstanding payments. The email states that the factoring company was in the process of conducting a year-end audit on behalf of its vendors, which is why the aging report is needed. The email was sent from an account created on Mail.com domain (accountant.com) with a username that mimicked the name of the impersonated factoring company. The display name was also spoofed to match the name of the factoring company.

Status Bar Dots
Factoring Company Aging Report BEC Email

How Does This Attack Bypass Email Defenses?

Because the attack is text-based, without any other indicators of compromise, there is little for a secure email gateway to use to determine malicious intent. The email was sent from a Mail.com account, a free webmail service available to anyone. As a result, there is no bad domain reputation for traditional security providers to discover, and the email passes all authentication checks for SPF, DKIM, and DMARC.

How Can This Attack Be Detected?

Content analysis can detect the presence of suspicious requests for sensitive documents, such as aging reports, indicating when an email should undergo additional scrutiny. Understanding the ecosystem of third-parties an organization works with allows a cloud email security solution to flag incoming messages impersonating those companies as fraudulent and block the attack before it reaches users.

What are the Risks of This Attack?

Because the sender’s display name has been spoofed to impersonate a factoring company that the recipient may have a legitimate history of working with, they may instinctively comply with the email since it appears to come from a familiar sender. While this attack is not likely to have a direct impact on the organization receiving it in terms of financial loss, it could have dire implications on customer trust and brand perception. Once the attacker has access to outstanding payments, they can use that (accurate) information to email customers and request that payment be made immediately. And once those customers make the payment, their money's gone—not to the vendor they thought they were paying but to a bank account owned by the attacker.

Analysis Overview

Vector

Text-based

Goal

Aging Report Theft

Tactic

Matching Free Webmail Username
Free Webmail Account
Spoofed Display Name

Theme

Audit

Impersonated Party

External Party - Other

See How Abnormal Stops Emerging Attacks

See a Demo