A global AI-driven business e-mail compromise (BEC) campaign, which uses automated fake e-mail threads to carry out invoice fraud at scale, is now targeting South African businesses and, according to cyber security firm Mimecast, is expected to surge.
The threat has been identified by Hiwot Mendahun, threat research engineer at Mimecast, together with the cyber security company’s threat research team.
They explain the campaign represents a significant evolution in BEC tactics, combining traditional social engineering with advanced automation, using AI to create convincing fabricated conversations between executives and external service providers.
"Organisations would be well advised to educate finance and accounting teams on the latest BEC tactics, particularly the use of fake e-mail threads with executive impersonation. Also train employees to identify suspicious technical indicators such as unusual reply-to addresses and sender domain inconsistencies," says Mendahun.
Mimecast notes the threat actors construct fake e-mail chains that appear to show legitimate business correspondence, with each thread carefully crafted to include CEO or senior executive approval for urgent invoice payments.
The campaigns demonstrate clear signs of automation, from AI-generated e-mail content to programmatically created PDF attachments that are generated using headless browser technology immediately before e-mail transmission.
The company says invoice fraud accounts for over 40% of BEC attacks.
It explains that BEC attacks are often more sophisticated and personalised, relying on social engineering rather than malicious links or attachments.
It adds that while the US is currently the most heavily targeted country, the growth curve seen there leaves little doubt that the campaign will become a growing threat in SA.
The cyber security company adds that over the past month, SA's banking, healthcare and retail sectors have been the most targeted.
Technical analysis of the campaign reveals several indicators of automated deployment, Mimecast warns.
“Linguistic and structural analysis of the e-mail body revealed characteristics such as highly fluent language, coherent context and a lack of typical grammatical errors, which are strongly indicative of content generated by a large language model rather than crafted manually,” the company states.
The fake e-mail threads typically follow a predictable pattern: an initial invoice from a purported vendor, followed by executive confirmation and concluding with urgent payment instructions.
Common subject lines include: "Invoice for Ad Spend", "INV #[numbers]" and "Final Reminder Your Payment", designed to create urgency and legitimacy.
The campaigns impersonate well-known brands and services, with examples including LinkedIn, various consulting firms and advertising platforms. Each fabricated thread is customised to the target organisation, incorporating actual employee names and business contexts to enhance credibility.
The e-mail HTML contains several embedded comments that describe what each section of the e-mail should contain, a leftover of the template used to generate it.
Complex recovery
Mimecast adds that in addition to significant financial loss and disrupted business relationships, recovery can be complex.
This is due in part to the extent to which SA's courts have adapted to cyber crime challenges – including e-mail fraud and payment verification, according to the Law Society of South Africa.
Moreover, it is difficult to determine legal responsibility in invoice fraud – which party must shoulder the blame within a compromised business interaction channel.
Mimecast recommends that companies:
- Deploy advanced BEC protection to identify fake e-mail thread construction and non-standard HTML formatting patterns.
- Implement attachment analysis to detect programmatically generated PDFs with suspicious metadata signatures.
- Configure content examination policies to flag e-mails containing urgent payment requests with executive impersonation.
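The indicators listed above (unusual reply-to addresses, sender domain inconsistencies, executive impersonation, urgent-payment subject lines, template comments left in the HTML, a fabricated approval thread, and programmatically generated PDF attachments) can be turned into a simple triage rule. The following is an added example of such a rule in Python using only the standard library; it is not Mimecast's detection logic and is not from the original article. The executive list, the PDF producer strings treated as suspicious, the scoring threshold, and both sample messages (addresses, names and the minimal PDF bytes) are constructed assumptions.

```python
"""Heuristic triage of an inbound invoice e-mail for common BEC indicators.
Hypothetical detection logic written for illustration, not a vendor product."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: the defender maintains the display names of executives who are
# commonly impersonated, mapped to the organisation's genuine sending domain.
KNOWN_EXECUTIVES = {"jane doe": "example.co.za"}

# Assumption: producer/creator strings the defender associates with PDFs
# rendered by a headless browser. This list is local configuration.
SUSPECT_PDF_PRODUCERS = ("headlesschrome", "skia/pdf", "wkhtmltopdf")

SUBJECT_PATTERNS = re.compile(r"invoice|\bINV\s*#?\s*\d+|final reminder.*payment", re.I)
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|today|final reminder)\b", re.I)
PAYMENT = re.compile(r"\b(invoice|payment|wire|transfer|bank details)\b", re.I)
APPROVAL = re.compile(r"approv", re.I)
HTML_COMMENT = re.compile(r"<!--.*?-->", re.S)
QUOTED_FROM = re.compile(r"\bFrom:\s+\S+@")          # embedded earlier messages
PDF_META = re.compile(rb"/(Producer|Creator)\s*\(([^)]*)\)")  # naive, uncompressed dicts only


def domain_of(addr_header):
    """Return the lower-cased domain of an address header, or '' if absent."""
    return parseaddr(str(addr_header or ""))[1].rpartition("@")[2].lower()


def analyse(raw_bytes):
    """Score a raw RFC 5322 message and return the indicators that fired."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    from_domain = domain_of(msg["From"])
    # Reply-To pointing at a different domain than the visible sender
    if msg["Reply-To"] and domain_of(msg["Reply-To"]) != from_domain:
        hits.append("reply_to_domain_mismatch")
    # An executive's display name on a message from outside the genuine domain
    display = parseaddr(str(msg["From"] or ""))[0].strip().lower()
    if display in KNOWN_EXECUTIVES and KNOWN_EXECUTIVES[display] != from_domain:
        hits.append("executive_display_name_impersonation")
    if SUBJECT_PATTERNS.search(str(msg["Subject"] or "")):
        hits.append("invoice_subject_pattern")
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    if HTML_COMMENT.search(body):
        hits.append("html_template_comments")
    if URGENCY.search(body) and PAYMENT.search(body):
        hits.append("urgent_payment_language")
    # Two or more quoted "From:" lines plus approval wording: a fabricated thread
    if len(QUOTED_FROM.findall(body)) >= 2 and APPROVAL.search(body):
        hits.append("fabricated_approval_thread")
    for part in msg.iter_attachments():
        if part.get_content_type() != "application/pdf":
            continue
        for _key, value in PDF_META.findall(part.get_payload(decode=True) or b""):
            if any(p in value.decode("latin-1").lower() for p in SUSPECT_PDF_PRODUCERS):
                hits.append("headless_browser_pdf")
                break
    verdict = "hold_for_review" if len(hits) >= 3 else "deliver"  # assumed threshold
    return {"indicators": hits, "score": len(hits), "verdict": verdict}


def build_sample(impersonated=True):
    """Construct a sample message; every name, address and PDF byte is invented."""
    msg = EmailMessage()
    msg["To"] = "finance@example.co.za"
    if impersonated:
        msg["From"] = "Jane Doe <jane.doe@example-mail.net>"   # lookalike external domain
        msg["Reply-To"] = "accounts@invoice-desk.example.org"
        msg["Subject"] = "Final Reminder Your Payment - INV #10442"
        html = ("<!-- header: vendor invoice -->\n"
                "<p>Hi Finance, please settle the attached invoice today; "
                "wire to the bank details below.</p>\n"
                "<!-- executive approval section -->\n"
                "<p>From: jane.doe@example-mail.net<br>Approved, please process.</p>\n"
                "<!-- original vendor request -->\n"
                "<p>From: billing@adplatform.example.com<br>Invoice for Ad Spend attached.</p>")
        pdf = b"%PDF-1.4\n1 0 obj\n<< /Producer (HeadlessChrome/constructed) /Creator (Chromium) >>\nendobj\n%%EOF\n"
    else:
        msg["From"] = "Ada Vendor <billing@vendor.example.com>"
        msg["Subject"] = "Invoice for March services"
        html = "<p>Please find attached our invoice for March. Payment is due in 30 days.</p>"
        pdf = b"%PDF-1.4\n1 0 obj\n<< /Producer (LibreOffice/constructed) >>\nendobj\n%%EOF\n"
    msg.set_content("See HTML version.")
    msg.add_alternative(html, subtype="html")
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="INV_10442.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        print(analyse(build_sample(flag)))
```

The constructed fraudulent sample trips all seven indicators and is held; the benign vendor invoice only matches the subject pattern and is delivered. The PDF metadata check is deliberately naive (it reads uncompressed `/Producer` and `/Creator` entries from the raw bytes and ignores XMP or object streams), so in production it should be replaced by a proper PDF parser, and the producer list and threshold should be tuned against the organisation's own mail.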
Mendahun adds that as cyber criminals increasingly target the human layer in organisations for exploitation, there's no substitute for real-time, adaptive, context-aware human risk management.