Weaponizing Accounts Receivable: How Scammers Use Aging Reports to Target Your Customers

Asking for the Aging Report

During some recent engagements, we directly observed BEC scammers trying to obtain a copy of an aging report by leveraging the identity of criminals’ favorite persona: the organization’s CEO. Using free and temporary email accounts and employing display name deception, these scammers made a straightforward request for the document.

Moving Beyond the Report and Into Customer Inboxes

After sending the scammers a copy of a fake aging report, their next request made their intentions a little more clear. In addition to providing a list of our customers and their outstanding debts, the scammers also wanted the email addresses for those customers on our aging report.

Your Customers Become the Victim

The full impact of being tricked into handing over sensitive information such as this cannot be understated. It pollutes established payment communication channels and requires proactively contacting all exposed customers to alert them to the possible threat. Beyond this initial danger, there are also latent risks, such as the inclusion of contact details for customer accounting personnel will increase the likelihood they will be targeted with future BEC attacks.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


Agari is the Trusted Email Identity Company™, protecting companies and people from phishing and socially-engineered email attacks.