BEC Scammers Trick Employees into Giving Away Customer Information

Business email compromise (BEC) scammers are now targeting company customers using a new indirect attack method designed to collect information on future scam targets by asking for aging reports from collections personnel. Aging reports, also known as a schedule of accounts receivable, are sets of outstanding invoices which allow a company’s financial department to keep track of customers who haven’t yet paid services or goods. The attackers have been observed by cybersecurity researchers impersonating the CEOs of targeted companies and requesting information from employees on invoices that are overdue for payment in the form of an aging report. Not asking for payments straight out is exactly what makes this new BEC attack so unusual seeing that, in most other similar scams, financial department employees are asked to send payments to attacker-controlled bank accounts. The fact that scammers have now switched their targets from companies to their customers is concerning given that employee training for BEC attempts typically does not address such a tactic. Moreover, this new type of scam leads to established payment communication channels being contaminated, with employees and customers no longer trusting them. Read the article at Bleeping Computer.