Business email compromise (BEC) scammers are now going after a company's customers with a new, indirect approach: rather than asking for money, they first ask collections personnel for aging reports and mine them for future targets.
Aging reports, also known as a schedule of accounts receivable, list a company's outstanding invoices so that its finance department can track customers who have not yet paid for services or goods bought on credit.
"It’s an essential tool for both accounts and management to maintain an overview of their credit and collection processes, and breaks down outstanding debts into thirty-day increments, culminating with payments that are more than ninety days overdue," says Agari threat researcher James Linton.
BEC fraud (also known as Email Account Compromise, or EAC) tricks an organization's employees into wiring money to an entity they trust, using bank account details that have been quietly swapped for an account controlled by the crooks.
The attackers were intercepted by Agari's Cyber Intelligence Division (ACID) while posing as the CEOs of targeted companies and asking employees for an aging report listing invoices that were overdue for payment.
The crooks relied on display-name deception and free webmail accounts: the sender's name matched the executive being impersonated, while the actual address belonged to a free email provider, and that was enough to get employees to act on the request for company records.
What makes this BEC variant unusual is that it never asks for a payment outright. In most similar scams, finance department employees are asked directly to send payments to attacker-controlled bank accounts.
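The display-name deception described above is straightforward to check for mechanically. The following is an added example, not code from the original article or from Agari: it parses raw message headers, flags a sender whose display name matches a known executive while the address is outside the corporate domain, and notes supporting signals such as a free webmail domain, a mismatched Reply-To, or a request for finance records. The executive roster, corporate domain, free-mail list, and the three sample messages are all constructed for this example.

```python
"""Flag executive display-name deception aimed at finance staff.

Added example. The executive names, corporate domain and sample messages
below are constructed assumptions, not data from the article.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumed corporate context (constructed for this example).
CORPORATE_DOMAINS = {"example-corp.com"}
EXECUTIVES = {"jane doe": "ceo", "john roe": "cfo"}
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}
# Phrases that indicate a request for accounts-receivable records.
AGING_KEYWORDS = ("aging report", "accounts receivable", "overdue", "outstanding invoices")


def normalize_name(name):
    """Lower-case, strip commas and collapse whitespace for loose matching."""
    return " ".join(name.lower().replace(",", " ").split())


def assess_message(raw):
    """Return a list of indicator strings for one RFC 5322 message (may be empty)."""
    msg = message_from_string(raw)
    indicators = []

    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    name = normalize_name(display)

    # Core signal: the display name is an executive's, but the mailbox is not ours.
    if name in EXECUTIVES and domain not in CORPORATE_DOMAINS:
        role = EXECUTIVES[name].upper()
        indicators.append(f"display name matches {role} but sender domain is {domain!r}")

    # Supporting signal: free webmail provider.
    if domain in FREEMAIL_DOMAINS:
        indicators.append("sender uses a free webmail domain")

    # Supporting signal: replies are steered to a different mailbox.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        indicators.append(f"Reply-To {reply_to!r} differs from From {addr!r}")

    # Supporting signal: the request is for accounts-receivable records.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [k for k in AGING_KEYWORDS if k in text]
    if hits:
        indicators.append("requests finance records: " + ", ".join(hits))

    return indicators


def is_suspicious(raw):
    """True when the identity mismatch is present together with at least one supporting signal."""
    inds = assess_message(raw)
    mismatch = any(i.startswith("display name matches") for i in inds)
    return mismatch and len(inds) >= 2


# Constructed sample messages.
LURE = (
    "From: Jane Doe <jane.doe.ceo@gmail.com>\n"
    "Reply-To: jane.doe.ceo@gmail.com\n"
    "To: collections@example-corp.com\n"
    "Subject: Aging report\n"
    "\n"
    "Can you send me the latest aging report for all customers who are overdue? Need it today.\n"
)
LOOKALIKE = (
    "From: Jane Doe <jane.doe@example-corp.co>\n"
    "To: collections@example-corp.com\n"
    "Subject: Accounts receivable\n"
    "\n"
    "Please forward the current list with balances.\n"
)
LEGIT = (
    "From: Jane Doe <jane.doe@example-corp.com>\n"
    "To: collections@example-corp.com\n"
    "Subject: Aging report\n"
    "\n"
    "Thanks for sending it over this morning.\n"
)

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("lookalike", LOOKALIKE), ("legit", LEGIT)):
        print(label, is_suspicious(raw), assess_message(raw))
```

The name match is deliberately loose (case and punctuation insensitive) because lures vary the capitalisation and ordering of the executive's name; in production the roster would come from the directory rather than a literal, and the free-mail list would be far longer. A legitimate internal request for an aging report produces only the keyword indicator and is not flagged, which is the point of requiring the identity mismatch before raising an alert.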
ACID played along and sent the scammers a fake aging report, which prompted them to ask for a list of the customers on it along with any outstanding balances. To have everything they needed in hand, the crooks also asked for the customers' email addresses.
"Armed with this intelligence—customer names, their outstanding balances, and contact information—the scammers’ next targets would be our fake company’s customers," says Agari.
"With this information, they can create a credible-looking email account alias, assume the identity of an employee on our finance team, and request that they pay the outstanding balance referenced on the aging report."
To make the lure more convincing, the attackers will most likely sweeten it with a "good deal", such as a discount for settling the debt promptly, followed immediately by a request to pay into a new bank account, the one the scammers control.
Because the scammers have shifted from targeting companies to targeting those companies' customers, the attack is considerably more dangerous: training a company's own employees to spot BEC attempts is no longer enough to stop it.
Moreover, this type of scam contaminates established payment communication channels, leaving employees and customers unable to trust them.
Countering it will require "proactively contacting all exposed customers to alert them to the possible threat," as well as making every employee who might be asked for such records aware of this kind of request, on top of the usual measures against BEC attacks.
BEC scams were the cybercrime category with the highest reported total losses during 2018, with victims losing over $1.2 billion according to the FBI's Internet Crime Complaint Center (IC3) Internet Crime Report published in April.
"Through the years, the scam has seen personal emails compromised, vendor emails compromised, spoofed lawyer email accounts, requests for W-2 information, and the targeting of the real estate sector," IC3 explains in the report.
BEC attacks have also seen an explosive 476% growth between Q4 2017 and Q4 2018, with the total number of email fraud attempts against organizations increasing by 226% QoQ as detailed in a Proofpoint report from January.