
All news with #business email compromise tag

105 articles · page 2 of 6

Invoice Fraud Costs UK Construction Sector Millions

⚠️ The UK's NCA, alongside the National Federation of Builders (NFB), has warned finance and accounts payable teams in construction about a rise in invoice fraud, a form of BEC that cost victims almost £4m in September 2025. Fraudsters impersonate or hijack supplier emails to change bank details on invoices, exploiting complex subcontractor networks and insecure email channels. The campaign urges staff to verify invoice changes by calling suppliers, delay payments until details are confirmed, and strengthen IT controls such as strong passwords, multi‑factor authentication and up‑to‑date anti‑malware.

Phishers Abuse Bubble to Steal Microsoft Account Credentials

🔒 Threat actors are abusing the no-code Bubble AI app builder to host phishing pages that harvest Microsoft account credentials. Because apps are hosted under *.bubble.io, email security tools often treat the links as legitimate and fail to flag them. Kaspersky researchers found attackers use obfuscated JavaScript and Shadow DOM structures to redirect victims to Microsoft-like login forms, sometimes behind Cloudflare checks, to exfiltrate entered credentials.

Microsoft: IRS-themed Phishing Hits 29,000, RMM Abused

⚠️ Microsoft reported large-scale IRS-themed phishing campaigns in February 2026 that targeted more than 29,000 users across 10,000 organizations, using tax refund, payroll and W‑2 lures to harvest credentials and deliver remote access tools. Attackers leveraged Phishing-as-a-Service kits (notably Energy365 and SneakyLog/Kratos) and abused legitimate RMM products such as ScreenConnect, Datto, and SimpleHelp to maintain persistent access. Microsoft advises enforcing 2FA, applying conditional access, and blocking malicious domains and payloads to reduce exposure.

Russian Intelligence Targets Commercial Messaging Accounts

🔒 CISA and the Federal Bureau of Investigation issued a joint Public Service Announcement warning of ongoing phishing campaigns by cyber actors associated with Russian intelligence services targeting commercial messaging applications (CMAs). The campaigns seek to bypass encryption by compromising individual user accounts rather than breaking application cryptography. Evidence indicates thousands of CMA accounts have been accessed to view messages and contact lists, send messages, and conduct follow-on phishing. CISA and FBI urge users to review the PSA, adopt recommended cybersecurity practices, and remain vigilant for suspicious activity.

Nordstrom Email System Used to Send Cryptocurrency Scams

📧 Customers of upscale retailer Nordstrom received fraudulent emails sent from a legitimate nordstrom@eml.nordstrom.com address that promoted a cryptocurrency doubling scheme disguised as a St Patrick's Day promotion. The messages used official-looking images and branding and pressured recipients with a two-hour deadline. A source told BleepingComputer the incident likely involved an Okta SSO compromise leading to abuse of Salesforce Experience Cloud. Nordstrom warned the messages were unauthorized and advised customers not to send funds.

FBI: Phishing Scam Targets City and County Permit Applicants

⚠️ The FBI warns that criminals are impersonating city and county planning and zoning officials to phish businesses and individuals with active land-use or permit applications. Victims receive emails referencing permit details, zoning application numbers, or property addresses and are instructed to pay invoices via wire transfers, peer-to-peer platforms, or cryptocurrency, often pressured with urgency. The agency urges recipients to verify sender domains, call local government offices to confirm fees, and report incidents to the IC3.

Ghanaian Pleads Guilty in $100M Romance and BEC Scam

🔒 A Ghanaian national, Derrick Van Yeboah, has pleaded guilty to conspiracy in a global fraud ring blamed for over $100 million in victim losses. Prosecutors say Van Yeboah impersonated romantic partners and corporate leaders to induce victims and orchestrated laundering of stolen funds, accounting for roughly 10% of the operation's take. He faces up to 20 years in prison and agreed to $10.1m in restitution and forfeiture; his plea follows extradition and indictment last year.

Ghanaian Pleads Guilty in $100M Romance and BEC Fraud

🔒 Derrick Van Yeboah, a 40-year-old Ghanaian national, pleaded guilty to conspiracy to commit wire fraud for his role in a transnational fraud ring that prosecutors say stole more than $100 million through romance scams and business email compromise attacks. Extradited to the U.S. in August 2025, he agreed to pay over $10 million in restitution and faces up to 20 years in prison. Prosecutors say he personally carried out many romance scams that targeted vulnerable Americans and worked with U.S. and West African accomplices to launder proceeds.

Inside Business Email Compromise: Tactics and Real Costs

📧 Business email compromise (BEC) is a targeted fraud where attackers impersonate executives, vendors, or partners to trick employees into wiring funds or revealing sensitive data. Last year BEC caused $2.7 billion in losses and increasingly uses techniques like AI-based voice/text cloning, QR-code scams, and conversation hijacking. These attacks often require no malware, relying instead on reconnaissance and trust. Defenses include multi-factor verification, approval tiers, employee training, and advanced email authentication and detection.

Preventing Business Email Compromise: Practical Steps

🔒 Business email compromise (BEC) is a high-impact social engineering threat that targets organizations' financial and identity workflows. The article outlines pragmatic defenses: enforce MFA, validate DMARC/DKIM/SPF, deploy advanced phishing and spoofing filters, and maintain continuous security awareness training with simulated attacks. It also recommends dual approval for large transfers, stricter help-desk verification, and monitoring for anomalies such as new mailbox forwarding rules, impossible-travel logins, and last-minute bank-detail changes to accelerate detection and response.

Recognizing Red Flags of Business Email Compromise

🔎 Business Email Compromise (BEC) exploits social engineering and subtle technical deception to manipulate employees and bypass controls. Attackers use domain tweaks, display-name spoofing, urgent off-hours requests, and impersonation to pressure finance, HR, or operations into transfers or data disclosure. Inspect headers and SPF/DKIM/DMARC, enforce MFA, run phishing simulations, and maintain a strict verification culture.

Device-Code Phishing Uses OAuth to Bypass Microsoft 365

🔐 Researchers at KnowBe4 discovered a campaign aimed at North American businesses that tricks employees into entering a “Secure Authorization” code on a legitimate Microsoft 365 login page. Unknown to victims, the code actually authorizes an attacker-controlled device through the OAuth 2.0 Device Authorization Grant, issuing access and refresh tokens that grant persistent access to Outlook, Teams, OneDrive and other services. Recommended mitigations include allowlisting OAuth apps, disabling device-code flow in Entra conditional access where feasible, auditing integrations, and ongoing employee awareness training.

Nigerian Hacker Sentenced to Eight Years for Tax Fraud

🔒 A Nigerian national, Matthew Abiodun Akande, was sentenced to eight years in prison after hacking multiple Massachusetts tax preparation firms and filing over 1,000 fraudulent tax returns seeking more than $8.1 million in refunds. Authorities say he stole clients' Social Security numbers and prior-year tax data by deploying the Warzone RAT masked with a crypter, and used convincing CEO-impersonation phishing messages with a Dropbox link to silently install malware. Akande was arrested in October 2024 at London’s Heathrow Airport, extradited to the U.S. in March 2025, and ordered to pay nearly $1.4 million in restitution plus three years of supervised release.

Operation DoppelBrand: Phishing Targets Major Firms

🔒 SOCRadar has uncovered a phishing campaign named Operation DoppelBrand that targeted Fortune 500 financial, insurance and technology firms between December 2025 and January 2026. The activity is attributed to financially motivated actor GS7 and relies on lookalike domains and cloned login portals to harvest credentials, which are forwarded to Telegram bots. Successful compromises often result in the deployment of legitimate remote access tools such as LogMeIn Resolve, delivered via MSI installers and supported by VBS loaders for privilege escalation and silent installation.

Spam and Phishing Trends and Schemes Observed in 2025

🔒 Kaspersky's anti-phishing systems blocked more than 554 million phishing-link attempts in 2025, while Mail Anti-Virus intercepted nearly 145 million malicious attachments and almost 45% of all email traffic was identified as spam. Scammers refined tactics across ticketing and streaming fraud, messaging-app account takeovers, government impersonation, and KYC harvesting, often using AI-generated content and deepfakes. Messaging platforms such as Telegram and WhatsApp were heavily abused to hijack accounts via phishing and malicious Mini Apps. Users are advised to check URLs carefully, never share verification codes, enable two-factor authentication, and run robust protection like Kaspersky solutions.

Fake Dubai Crown Prince Traced to Nigerian Mansion

🔎 A detailed investigation by OCCRP traced a romance scammer who impersonated the Crown Prince of Dubai and defrauded a Romanian businesswoman of more than US $2.5 million. Over two years the con combined thousands of messages, staged in-person meetings, and an elaborate fake banking site showing a phantom £200 million balance. Photographs and bank-trace evidence led reporters and UK police to identify intermediaries and to locate the suspect at a mansion in Abuja, Nigeria. The case underscores the sophistication and international reach of modern romance and investment scams.

Identities Targeted as Cybercriminals Shift Tactics Now

🔐 The Eye Security 2026 State of Incident Response Report finds that cyberattacks on companies are increasingly undetected and that attackers are shifting from technical exploitation to abusing existing access and credentials, with damage often occurring within minutes. The study reports passwords were involved in 97% of tracked incidents and that BEC accounted for over 70% of cases, with phishing initiating 40% of those intrusions. It also highlights the rise of Ransomware-as-a-Service, access broker marketplaces, and the commercialization of insider access, identifying industrial, construction, and transport firms as particularly affected based on 630 European incidents analyzed from 2023–2025.

PDF Phishing Campaign Targets Corporate Dropbox Credentials

🔒 Forcepoint X-Labs has warned of a multi-stage phishing campaign that uses short, business-themed emails and PDF attachments to harvest corporate Dropbox credentials. The PDFs contain embedded AcroForm links that hinder scanning by security tools and redirect victims to a legitimate cloud-hosted portal serving a spoofed login page. By leveraging reputable cloud infrastructure, the attackers reduce suspicion and bypass many automated reputation checks. Submitted credentials are exfiltrated to a Telegram channel, enabling account takeover and follow-on abuse.

Mandiant: ShinyHunters Exploit SSO and Vishing Campaigns

🔒 Mandiant reports a recent wave of ShinyHunters attacks that combine targeted vishing and company‑branded phishing sites to capture SSO credentials and MFA codes. Attackers impersonate IT or helpdesk staff, guide victims through MFA approval or one‑time passcodes in real time, and enroll attacker-controlled MFA devices. With access to Okta, Microsoft Entra, or Google SSO dashboards they pivot into SaaS platforms (Salesforce, Microsoft 365, SharePoint, DocuSign, Slack, Atlassian, Dropbox, Google Drive) to steal and extort cloud data.

NCA and NatWest Warn Businesses of Invoice Fraud Risks

⚠️ NatWest and the UK's National Crime Agency (NCA) have launched a joint awareness campaign to highlight rising invoice fraud affecting businesses, including BEC and payment redirection. The initiative warns that fraudsters impersonate suppliers, intercept emails and pressure victims into urgent payments that are then diverted. Its guidance to businesses is "Check, Verify, Never transfer": never move funds until payment details are independently confirmed. The campaign also stresses that Accounts Payable and Finance teams are frequent targets of these schemes.