New Business Email Compromise scam targets clients of victim companies

  • BEC scammers impersonate CEOs of targeted companies and request an aging report and clients’ email addresses from employees.
  • In this way, the scammers will obtain a company’s customer names, outstanding balances, and contact information.

Agari Cyber Intelligence Division observed a new Business Email Compromise (BEC) scam that targets a company's customers by asking employees for aging reports.

How do the scammers operate?

BEC scammers impersonate CEOs of targeted companies and request information from employees on invoices that are overdue for payment in the form of an aging report.

Aging reports, also known as a schedule of accounts receivable, are sets of outstanding invoices that show which customers haven't yet paid for services or goods that were purchased on credit.

These scammers use fake names and free email accounts to target employees in a BEC scam.

“I need you to email me the aging report from A/R, and also include customer payable contact email on this report. Looking forward to your reply,” the email read.

Response to the phishing email

  • Agari Cyber Intelligence Division responded to the email by sending a fake aging report.
  • The scammers then asked for the clients' email addresses.
  • In this way, the scammers will obtain a company’s customer names, outstanding balances, and contact information.
  • The scammers will also offer the customers a “good deal” such as having to pay less to get their debts settled.

“With this information, they can create a credible-looking email account alias, assume the identity of an employee on our finance team, and request that they pay the outstanding balance referenced on the aging report,” Agari said in a blog post.

How to stay protected?

  • To protect employees and customers from becoming victims of such scams, organizations must implement strong email defenses against advanced email threats.
  • Organizations must periodically review internal processes for handling sensitive data, including aging reports.
  • Additionally, employees must be educated and trained to identify BEC scams.
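
One way to turn the pattern described above into a mail-filter check, as an added example that is not Agari's code or part of the original article: it flags a message only when an identity signal (an executive's display name on an external address, or a free webmail sender) coincides with a request for an aging report or customer contact emails. The executive name, company domain, free-mail list and sample headers are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions to adapt locally (none of these values come from the article).
EXECUTIVES = {"jane doe"}            # constructed CEO display name
COMPANY_DOMAIN = "example.com"       # constructed company domain
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com", "aol.com"}

AGING_RE = re.compile(r"\bage?ing\s+report\b|\baccounts?\s+receivable\b|\bA/R\b", re.I)
CONTACT_RE = re.compile(r"\b(?:customer|client)s?\b.{0,40}?\b(?:contact|e-?mail)", re.I | re.S)

def _domain(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def score_message(raw):
    """Return {'flag': bool, 'reasons': [...]} for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name = " ".join(parseaddr(msg.get("From", ""))[0].lower().split())
    sender, reply_to = _domain(msg.get("From")), _domain(msg.get("Reply-To"))
    body = " ".join(p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain")
    reasons = []
    if name in EXECUTIVES and sender != COMPANY_DOMAIN:
        reasons.append("executive display name on external address")
    if sender in FREE_MAIL or reply_to in FREE_MAIL:
        reasons.append("free webmail sender or Reply-To")
    identity_hits = len(reasons)
    if AGING_RE.search(body):
        reasons.append("asks for aging / accounts receivable report")
    if CONTACT_RE.search(body):
        reasons.append("asks for customer contact emails")
    # Flag only when an identity signal coincides with the data request.
    return {"flag": 0 < identity_hits < len(reasons), "reasons": reasons}

# Constructed sample: headers are invented, body is the lure quoted in the article.
SAMPLE_BEC = """From: "Jane Doe" <ceo.office1@gmail.com>
To: ar-clerk@example.com
Subject: Request

I need you to email me the aging report from A/R, and also include
customer payable contact email on this report. Looking forward to your reply
"""

# Constructed benign sample: an internal colleague mentioning the same report.
SAMPLE_INTERNAL = """From: "Sam Lee" <sam.lee@example.com>
To: ar-clerk@example.com

The aging report is on the shared drive as usual.
"""
```

Calling `score_message(SAMPLE_BEC)` returns a flagged result with four reasons, while `score_message(SAMPLE_INTERNAL)` is not flagged because the report is mentioned without any identity signal.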