{"id":3976,"date":"2025-12-26T18:39:39","date_gmt":"2025-12-26T18:39:39","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2025\/12\/26\/scripted-sparrow-sends-millions-of-bec-emails-each-month\/"},"modified":"2025-12-26T18:39:39","modified_gmt":"2025-12-26T18:39:39","slug":"scripted-sparrow-sends-millions-of-bec-emails-each-month","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/12\/26\/scripted-sparrow-sends-millions-of-bec-emails-each-month\/","title":{"rendered":"Scripted Sparrow Sends Millions of BEC Emails Each Month"},"content":{"rendered":"<div>\n<p><img decoding=\"async\" src=\"https:\/\/ft365.org\/wp-content\/uploads\/2025\/06\/localimages\/ea721ff9-8ba4-4d88-b386-57e9e1606077.jpg?width=64&#038;height=64&#038;mode=crop&#038;scale=both&#038;format=webp\" alt=\"Photo of Phil Muncaster\" loading=\"lazy\"><\/p>\n<\/div>\n<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>Security researchers have uncovered a global business email compromise (BEC) gang that is sending millions of customized messages each month to targets.<\/p>\n<p>Fortra said the \u201cScripted Sparrow\u201d collective spans three continents and at least five countries, with fraudsters posing as executive coaching firms to send an estimated 4-6 million \u201chighly targeted\u201d emails to victims each month.<\/p>\n<p>The group has also registered at least 119 domains and 245 webmail addresses to further its schemes, and uses 256 bank accounts, according to Fortra\u2019s report, <em>Scripted Sparrow: A Prolific BEC Threat Group.<\/em><\/p>\n<p>\u201cThe group operates by posing as various executive coaching and leadership training consultancies,\u201d the report explained.<\/p>\n<p>\u201cThey send a message to a member of the victim organization\u2019s Accounts Payable team, typically with two PDF attachments: an invoice, containing ACH or wire transfer instructions, and a completed W-9 form. 
The body of their initial message contains a spoofed reply chain between the fictitious consultancy and an executive of the victim organization.\u201d<\/p>\n<p><em>Read more on BEC: BEC Attacks Surge 20% Annually Thanks to AI Tooling<\/em><\/p>\n<p>In some recent attacks, the group has intentionally omitted the two attachments it claims to include with the email, in order to avoid exposing its money mule bank account until it has a victim gullible enough to ask for the attached invoice to be resent.<\/p>\n<p>The group has been active since at least June 2024, with Fortra having recorded 496 unique engagements.<\/p>\n<p>\u201cTo better gauge the scope of the group\u2019s operations, we looked at the domain kornferry.ws, which was used in one of our 496 engagements, to see if any of our Cloud Email Protection (CEP) customers saw activity from that domain. Looking at CEP data, we found that 23 organizations had been sent mail from that domain, with 70 users targeted,\u201d Fortra continued.<\/p>\n<p>\u201cWhile I wish that every company in the world was protected by Fortra CEP, a more realistic estimate would be that one out of every 1,000 companies worldwide uses CEP. In other words, a conservative estimate would be that for each message seen by our team, Scripted Sparrow likely sent 70,000 messages. The 94 engagements we conducted in September likely represent about 6.6 million targeted messages sent by the group.\u201d<\/p>\n<h2>Scripted Sparrow\u2019s Infrastructure<\/h2>\n<p>Digging deeper, Fortra noticed that most interactions it had with the BEC actors were with Windows computers running Remote Desktop Protocol (RDP). 
As well as RDP, Scripted Sparrow appears to use location spoofing and browser plugins to throw investigators off the scent.<\/p>\n<p>\u201cAfter running our algorithm against the raw data, we mapped only the high-confidence locations,\u201d the report noted.<\/p>\n<p>\u201cBased on our analysis, we believe the Scripted Sparrow group has members located in Nigeria, South Africa, T\u00fcrkiye, Canada, and the US.\u201d<\/p>\n<p>The group mainly uses a combination of webmail (55%) and email addresses on domains it controls (43%), with preferred registrars NameSilo and Dynadot. It uses mainly Skia to create its PDFs and some members use Telegram for comms, Fortra explained.<\/p>\n<p>Analyzing the group\u2019s shared browser fingerprints, bank accounts\u00a0and email addresses, Fortra concluded that Scripted Sparrow is a \u201cloose collective of fraudsters, all working off the same basic playbook.\u201d<\/p>\n<p>The vast majority of observed BEC attacks have been conducted in English, although Fortra has also seen some in Swedish. It\u2019s unclear whether the group is already using generative AI (GenAI), although if it is not, this won\u2019t be the case for long as it continues to evolve and refine tactics, the report noted.<\/p>\n<p>\u201cOrganizations should ensure that standard payment approval protocols are followed, regardless of the invoice amount involved. 
Never trust a reply chain contained in an email from an external source, as this is easily spoofed,\u201d Fortra concluded.<\/p>\n<p>\u201cAlways verify expenses with the employee who allegedly purchased a product or service, and make sure you use the official communication channel(s) for that employee, rather than simply replying to the original message you received.\u201d<\/p>\n<p>BEC fraudsters made nearly $2.8bn off their victims in 2024, according to the FBI.<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Security researchers have uncovered a global business email compromise (BEC) gang that is sending millions of customized messages each month to targets. Fortra said the \u201cScripted Sparrow\u201d collective spans three continents and at least five countries, with fraudsters posing as executive coaching firms to send an estimated 4-6 million \u201chighly targeted\u201d emails to victims each<\/p>\n","protected":false},"author":2,"featured_media":3977,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3976","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3976-68522f29-5c0f-428d-8529-5063ab4a598d.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3976-68522f29-5c0f-428d-8529-5063ab4a598d-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3976-68522f29-5c0f-428d-8529-5063ab4a598d.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3976-68522f29-5c0f-428d-8529-5063ab4a598d.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3976-68522f29-5c0f-428d-8529-5063ab4a598d.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3976-6
8522f29-5c0f-428d-8529-5063ab4a598d.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3976-68522f29-5c0f-428d-8529-5063ab4a598d.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3976-68522f29-5c0f-428d-8529-5063ab4a598d.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3976-68522f29-5c0f-428d-8529-5063ab4a598d.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3976-68522f29-5c0f-428d-8529-5063ab4a598d.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3976-68522f29-5c0f-428d-8529-5063ab4a598d-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3976","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=3976"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3976\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/3977"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=3976"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=3976"},{"taxonomy":"post_tag","embeddable":true,"href":"http:
\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=3976"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}