A criminal gang tracked by Abnormal Security as Crimson Kingsnake is launching business email compromise (BEC) attacks by posing as “real attorneys, law firms, and debt recovery services.” The attackers send legitimate-looking invoices tailored to the targeted organization that ask for payments of tens of thousands of dollars.

“These sophisticated invoices also list a bill number, account reference number, bank account details, and the company’s actual VAT ID. Some invoices even include a ‘notification of rights’ and information about who to contact with questions or concerns. Based on the complexity and detailed nature of the invoices we’ve observed, it’s possible that Crimson Kingsnake is using altered versions of legitimate invoices used by the impersonated firms.”

If the employee refuses to authorize the transaction, the attackers will sometimes pose as an executive at the organization and send the employee an email granting permission to make the payment.

“When the group meets resistance from a targeted employee, Crimson Kingsnake occasionally adapts their tactics to impersonate a second persona: an executive at the targeted company,” the researchers write. “When a Crimson Kingsnake actor is questioned about the purpose of an invoice payment, we’ve observed instances where the attacker sends a new email with a display name mimicking a company executive. In this email, the actor clarifies the purpose of the invoice, often referencing something that supposedly happened several months before, and ‘authorizes’ the employee to proceed with the payment.”

The researchers note that an employee could recognize these emails as fake by checking the actual sender address, but the attackers blunt that check by placing the executive’s real email address inside the display name: a reader who only glances at the From line sees what looks like the legitimate address, while the message is actually sent from a different address.
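As an added illustration of the display-name trick described above (example code written for this page, not Abnormal Security’s detection logic), the following Python parses raw From: header values and flags two indicators of executive impersonation: an email address planted in the display name that is not the real sender, and an executive’s name arriving from a domain other than the organization’s own. The internal domain, the executive directory and the sample headers are all hypothetical values constructed for the example.

```python
import re
from email.header import decode_header, make_header

# Hypothetical values for the example: the organisation's own mail domain and a
# directory of executives whose display names an attacker would imitate.
INTERNAL_DOMAIN = "example-corp.com"
EXECUTIVE_DIRECTORY = {
    "jane doe": "jane.doe@example-corp.com",
}

# The last angle-bracketed addr-spec in a From: value is the address the mail is
# really sent from; everything before it is display name, whatever it looks like.
ANGLE_ADDR_RE = re.compile(r"<\s*([^<>\s]+@[^<>\s]+)\s*>")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def split_from_header(raw):
    """Return (display_name, sender_address) for a raw From: header value.

    RFC 2047 encoded words are decoded first, because an attacker can hide the
    planted address inside an encoded display name. The sender address is the
    last <...> in the value, so an address written into the display name is
    never mistaken for the real sender.
    """
    value = str(make_header(decode_header(raw)))
    hits = list(ANGLE_ADDR_RE.finditer(value))
    if not hits:
        return "", value.strip().lower()
    last = hits[-1]
    display = value[: last.start()].strip().strip('"').strip()
    return display, last.group(1).lower()


def assess_from_header(raw):
    """Flag display-name tricks used for executive impersonation.

    Returns the parsed parts plus a list of findings (empty when clean).
    """
    display, address = split_from_header(raw)
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    findings = []

    # 1. An email address planted in the display name that is not the sender.
    planted = {m.lower() for m in EMAIL_RE.findall(display)}
    if any(p != address for p in planted):
        findings.append("display name contains an address that is not the sender")

    # 2. An executive's name on a message from outside the organisation.
    name = EMAIL_RE.sub("", display).lower()
    name = " ".join(re.sub(r"[^a-z ]", " ", name).split())
    if name in EXECUTIVE_DIRECTORY and domain != INTERNAL_DOMAIN:
        findings.append("executive display name on an external sender domain")

    return {"display": display, "address": address, "domain": domain,
            "findings": findings}


def scan(headers):
    """Return only the assessments that produced findings."""
    return [r for r in (assess_from_header(h) for h in headers) if r["findings"]]


# Constructed sample From: values (not captured from a real incident).
SAMPLE_HEADERS = [
    # Genuine message from the executive's own mailbox.
    "Jane Doe <jane.doe@example-corp.com>",
    # Executive's real address planted in the display name; the real sender is
    # a lookalike domain.
    '"Jane Doe <jane.doe@example-corp.com>" <jane.doe@example-corp-mail.com>',
    # Same trick without quotes, as sloppy clients and attackers emit it.
    "Jane Doe <jane.doe@example-corp.com> <noreply@mailer.example>",
    # Executive's name alone on an external address.
    "Jane Doe <accounts@lawfirm-invoices.example>",
    # Unrelated external sender: nothing for these rules to flag.
    "Billing Team <billing@lawfirm-invoices.example>",
]

if __name__ == "__main__":
    for r in scan(SAMPLE_HEADERS):
        print(r["address"], "->", "; ".join(r["findings"]))
```

These checks catch the lookalike-domain and free-mail variants of the trick, but not a message sent from a genuinely compromised executive mailbox, where the sender address is the real one; that is why the payment-validation procedure the researchers recommend still has to run independently of what the email looks like. Enforcing DMARC on your own domain closes the remaining gap of an attacker simply forging the executive’s real address in the From line.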

Abnormal Security concludes that organizations should deploy modern email security solutions and train employees to recognize these attacks.

“If these attacks do end up in an inbox, ensuring that there are robust procedures in place for outgoing payments is extremely important,” the researchers write. “Organizations should have a process for validating that money is getting sent to the correct recipient, particularly for these high-dollar invoices. And security awareness training is imperative, as employees should know to carefully consider sender addresses, especially when an email asks them to share sensitive information or send a payment.”

New-school security awareness training can give your organization an essential layer of security by teaching your employees how to thwart social engineering attacks.