Threat Alert: PAYMENT PROFILE SUSPENSION

• A threat actor specializing in credential harvesting and impostor/business email compromise (BEC) threats recently distributed well-constructed lures in attempts to steal money by tricking victims into sending payments to actor-controlled bank accounts.
• These lures spoofed Gordon Food Service, a prominent food distributor operating across the United States and Canada.

How is it used in the wild?

• The threat actor sent messages to recipients spoofing “GFS Accounts Payable” with high-quality lures purporting to alert recipients to the suspension of a payment profile pending recipient verification.
• Instructions ask recipients to either reply to the email, email an actor-controlled alias abusing Freshdesk (an AI-powered customer service platform), or call a phone number.
• After making contact, the threat actor will attempt to socially engineer the victim into providing multiple types of personally identifiable and financial information that will be used to facilitate financial fraud.
• If the target suspects the message or is uninterested, the “UNSUBSCRIBE” link at the bottom leads to a pixel tracker that verifies the recipient as a live account that should be targeted in future attacks.
  

Key Action: Stay Alert!

• Do not engage with spoofed emails by looking closely at headers and senders of suspicious or unsolicited emails.
• Be aware that threat actors have increased their scams that begin with telephone-oriented attack delivery (TOAD) social engineering attacks that trick victims into calling threat actors who steal or otherwise solicit information to be used in fraudulent activity or install malware.
• Report ANY suspicious emails via Phish Alarm.