Skip to main content
Let's Talk!

Tags:

Threat Research, Attack Analysis, BEC, Evasive Threats, Technical Leadership

Weaponizing Trust: Fake Email Threads Behind $47,000 Financial Fraud—and NACE’s Countermeasure

Shray Kapoor, Principal Research Scientist Engineer

Quick Read:

  • BEC Strategy: Invoice Scam
  • Tactics Observed:
    • Fabricated communication using fake email threads.
    • Impersonating a legitimate business to appear credible. 
    • Executive impersonation.
    • Fake invoice of High Dollar Value. 
  • Deployment: NACE™ deployed to analyze emails behind Microsoft 0-365
  • Detection Status
    • As of this writing, 0 out of 96 AntiVirus Vendors on VirusTotal were classifying the sender domain as SPAM.

Introduction

The FBI’s recent IC3 report [1] revealed that total losses from Business Email Compromise (BEC) scams in 2024 amounted to $2.7 billion USD. The success of these scams lies in their ability to exploit trust and instill a sense of urgency, making it difficult for recipients to question the legitimacy of the requests. For businesses, falling victim as seen from the FBI's report can lead to significant financial losses and severe reputational damage.

The BEC Attack Strategy: A Perfect Storm of Deception

In one of our deployments, NACE™ successfully intercepted an invoice scam that, if left undetected, would have resulted in a $47,706 USD loss. In this incident, a company received an email appearing to come from a senior executive, containing a fraudulent $47,706 invoice along with fabricated prior correspondence between the executive and the scammer.

This blog post delves into the intricate details of the scam and explains how NACE™ successfully detected and thwarted this attack—while shedding light on effective defense mechanisms to mitigate such threats.

Analyzing the Attack

The Business Email Compromise (BEC) attack described involves several strategic elements designed to deceive and manipulate the recipient into acting on a fraudulent request:

  1. The scammer sends an email to an employee in the finance department of the target company, claiming that one of their senior executives has availed services for which an outstanding invoice has to be paid.
  2. To make it look legitimate and bypass email filters, following tactics were used -
    1. Legitimate sender domain: Email is sent from a domain that belongs to legitimate business and has no prior malicious activity.
    2. Impersonation of High-Level Executive: The email claims to be forwarding a message from a senior executive of the target company. This impersonation leverages trust in leadership and authority within the organization.
    3. Fake Email Thread: A fabricated conversation between the senior executive and the scammer is included to create an illusion of prior internal communication. This fake thread adds credibility and urgency, pressuring the recipient to act quickly rather than verifying the request's legitimacy.

Fig. 1: Screenshot of Email

 

Fraudulent Invoice: The Final Touch

The email included a W-9 form and detailed invoice with Automated Clearing House (ACH) information. Both the invoice and W-9 contained details about a legitimate business that the scammers were trying to impersonate, further solidifying their deception.

         Fig 2: Attached Fraudulent Invoice

 

NACETM Detection Approach

This email was flagged as malicious by the Inception Cyber Neural Analysis and Correlation Engine (NACE™), which analyzes the text in the body and attachments of emails to understand their deeper meaning i.e. intent of an email. Instead of relying solely on static indicators like sender domain or URL reputation, NACE™ focuses on identifying the underlying purpose of an email, making intent recognition a core feature in its decision-making process.

Semantic Analysis: Unveiling Intent

The semantic analysis revealed several indicators that acted as a feature set in detecting this BEC attack:

  1. Call to Action: The email requested payment of the invoice.
  2. Sense of Urgency: Keywords and statements like "past-due bill" and "resolved by the end of today" induced a sense of urgency.
  3. Vendor Payment Semantic: NACE™ identified that the sender claimed to be a vendor asking for payment for services rendered.

Suspicious Indicators Extracted from Invoice

  1. ACH Information: The invoice included bank account number and routing information, a required feature to divert funds by threat actor. 
  2. Dollar Value of the Invoice: Typically high in financial scams.
  3. Metadata of PDF invoice including creation date, modification date, creator/producer of the pdf document. The invoice in question was created using an open source library.

Executive impersonation: The email was impersonating a C-Level Executive.  

The contextual relationship between the email headers and intent aided NACE™ in classifying the email as an invoice scam. 

Conclusion

Business Email Compromise (BEC) attacks are a growing concern for organizations of all sizes, as they exploit human trust and technological vulnerabilities with alarming success. The tactics used in these attacks, including fabricated email threads, impersonation of high-level executives, and fake invoices, can make it difficult to distinguish between legitimate and malicious requests.

The Inception Cyber Neural Analysis and Correlation Engine (NACE™) employs a comprehensive multimodal, semantic-aware zero-trust approach to detect BEC messages. It integrates multiple deep learning models to identify anomalous BEC signals from both the email body and any attachments. Additional features are extracted from SMTP headers, creating a rich, header-based feature set. The system processes the email body text through a suite of deep learning algorithms to determine topics, tone, sentiment, tactics, and the email’s intent or call-to-action. This is achieved using a combination of zero-shot classification with LLMs, semantic similarity analysis, and specialized pre-trained and fine-tuned transformer models for classification and natural language understanding—whether content is generated by a human threat actor or AI. The contextual relationship between the inferred intent and SMTP header signals further strengthens BEC detection.

Read more about how Inception Cyber stops BEC attacks 

Reference
Post by Shray Kapoor, Principal Research Scientist Engineer
May 5, 2025 12:23:26 PM