The NJCCIC observed several business email compromise (BEC) campaigns featuring a message chain targeting Accounts Payable departments. The messages appear to be a previous conversation thread from an impersonated executive at the targeted organization regarding an overdue invoice. One of the messages from the impersonated executive directs the sender to the organization’s Accounts Payable contact. The messages include an invoice with instructions to pay an attacker-controlled account, and in some instances, a W-9 form. The attachments may include a unique reference code in the filename, which the threat actor likely uses to track victim payments.

Recommendations

Regularly train staff to recognize and report signs of CEO fraud, focusing on emotional triggers and urgent and unusual requests. Also, include multi-channel simulated phishing exercises (e.g., email, SMS, voice, or QR code).

Enforce robust email authentication protocols (SPF, DMARC, and DKIM) at a “reject” policy to prevent simple, exact-domain spoofing.
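The DMARC and SPF settings called for above can be checked mechanically before mail flows. The following is an added example and not part of the NJCCIC bulletin: it parses DMARC and SPF TXT records and flags the settings (p=none, no subdomain policy, pct below 100, a soft ~all) that still let exact-domain spoofing reach a mailbox. The record values and the example.com domain are constructed; a real check would fetch the _dmarc and apex TXT records over DNS.

```python
import re

# Constructed sample TXT records: a weak and a corrected form of each.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"
WEAK_SPF = "v=spf1 include:_spf.example.com ~all"
STRONG_SPF = "v=spf1 include:_spf.example.com -all"


def parse_dmarc(record):
    """Split a DMARC TXT record into its tag=value pairs (keys lowercased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record):
    """Return the weaknesses that keep a DMARC policy short of 'reject'."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    if tags.get("p") != "reject":
        findings.append(f"p={tags.get('p', 'missing')} (expected reject)")
    # Per DMARC, subdomains inherit p= when sp= is absent.
    sp = tags.get("sp", tags.get("p"))
    if sp != "reject":
        findings.append(f"sp={sp} (subdomains not rejected)")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100
    if pct < 100:
        findings.append(f"pct={pct} (policy only partially applied)")
    return findings


def spf_findings(record):
    """Flag an SPF record whose 'all' mechanism is not a hard fail (-all)."""
    if not record.lower().startswith("v=spf1"):
        return ["not an SPF record"]
    match = re.search(r"(?:^|\s)([+~?-]?)all(?:\s|$)", record)
    if match is None:
        return ["no 'all' mechanism"]
    qualifier = match.group(1) or "+"
    if qualifier != "-":
        return [f"'{qualifier}all' is not a hard fail (expected -all)"]
    return []
```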

Establish internal, physical “codewords” or “safe words” known only to executives for high-risk employees to verify high-stakes requests.

Implement mandatory, multi-step verification policies for all wire transfers (over a certain threshold) or sensitive data requests, including direct, out-of-band confirmation from the requesting executive.

If funds are unintentionally wired to a fraudulent account, immediately notify a supervisor, internal IT team, the banking institution, the FBI, and the US Secret Service to stop the wire transfer. Unless the fraudulent transaction is discovered quickly (typically within 48 hours), it can be difficult, if not impossible, to return the stolen funds.

Review the Don’t Take the Bait! Phishing and Other Social Engineering Attacks NJCCIC product for more information on common phishing and social engineering attacks.

Report malicious cyber activity to the NJCCIC and the FBI’s IC3.

Originally published in the NJCCIC Weekly Bulletin – May 21, 2026