
Fortra Warns Scripted Sparrow is Scaling Global BEC Attacks

Fortra researcher John Wilson breaks down Scripted Sparrow, a massive BEC operation, and explains how attackers are evolving invoice fraud to bypass defenses.

Dec 18, 2025

A sprawling Business Email Compromise (BEC) collective known as Scripted Sparrow is distributing millions of targeted messages each month and rapidly refining its social-engineering playbook, according to new research from Fortra’s Intelligence and Research Experts (FIRE) team.

We spoke with researcher John Wilson about the report, what surprised the FIRE team during their investigation of the group, and how he advises businesses to avoid falling victim.

A scalable, automated BEC operation: what Scripted Sparrow brings to the threat landscape

First identified in mid-2024, Scripted Sparrow impersonates executive-coaching and leadership-development consultancies to deceive Accounts Payable personnel. While Fortra has logged 496 direct engagements, correlation with Cloud Email Protection data suggests the group sends millions of targeted emails each month, including an estimated 6.6 million in September 2025.

The group’s lures follow a consistent pattern built for automation. Attackers spoof reply chains between a fictitious consultancy and a real company executive, then send a fraudulent invoice—typically just under $50,000—to an Accounts Payable contact.

More recent campaigns introduce a defensive twist: attackers now intentionally omit the invoice and W-9 attachments, prompting victims to request them. That reply validates the target before the attackers expose mule banking details, reducing operational risk and improving success rates.
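A defender-side triage heuristic for the lure pattern described above, as an added example (not Fortra's tooling and not code from the report). The function name, signal labels, internal domain, and the set of Message-IDs taken from your own mail logs are all assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Address on a quoted header line: "> From: Name <a@b>" or "On <date>, Name <a@b> wrote:"
QUOTED_ADDR = re.compile(r"^[> ]*(?:From:|On\b).*?([\w.+-]+@[\w.-]+\.\w+)", re.I | re.M)
PAYMENT_WORDS = re.compile(r"\b(invoice|w-?9)\b", re.I)

# Constructed sample message; every name, domain and Message-ID is made up.
SAMPLE = """\
From: Billing <billing@coaching-consult.example>
To: ap@example.com
Subject: Re: Leadership coaching engagement
Message-ID: <m2@coaching-consult.example>
References: <m1@coaching-consult.example>

Hello, please process the attached invoice and W-9 as approved below.

On Mon, 3 Nov 2025, Dana Exec <dana.exec@example.com> wrote:
> Approved. Please send the invoice to our Accounts Payable team.
"""

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def bec_signals(raw, internal_domain, known_message_ids):
    """Return the lure signals present in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    part = next((p for p in msg.walk() if p.get_content_type() == "text/plain"), None)
    body = part.get_payload(decode=True).decode("utf-8", "replace") if part else ""
    # Message-IDs this message claims to be answering.
    refs = set((msg.get("References", "") + " " + msg.get("In-Reply-To", "")).split())
    has_attachment = any(p.get_filename() for p in msg.walk())
    signals = []
    if domain(sender) != internal_domain:
        signals.append("external_sender")
    # The body quotes a "reply" from someone inside the organisation...
    if any(domain(a) == internal_domain for a in QUOTED_ADDR.findall(body)):
        signals.append("quotes_internal_address")
    # ...but no message in that thread ever passed through our own mail system.
    if not refs & known_message_ids:
        signals.append("thread_not_in_mail_logs")
    # The newer variant: invoice and W-9 are mentioned but deliberately left off.
    if PAYMENT_WORDS.search(body) and not has_attachment:
        signals.append("invoice_mentioned_no_attachment")
    return signals

if __name__ == "__main__":
    print(bec_signals(SAMPLE, "example.com", {"<known-1@example.com>"}))
```

No single signal is conclusive; the combination of an external sender quoting an internal executive in a thread your mail system has never seen is what warrants routing the message to out-of-band verification.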

To Wilson and his fellow researchers, the sheer volume of would-be attacks and the shift in how they landed with victims was alarming.

“Typical BEC scams are usually someone pretending to be a CEO asking for payment of some sort, and many organizations now have training against that,” Wilson said. “Attackers have learned from that and adjusted.”

“What we saw here was actually the scammers creating fake email reply chains to make targets believe their executives were in conversation with the fake consultancies they were acting as, which almost flips the script on traditional attacks,” he continued.


How a decentralized global collective operates

Fortra analysts used controlled web interactions, browser fingerprinting, and a trust-score algorithm to determine the group’s operational footprint. 

Wilson says the group forced the FIRE team to innovate in how they identify locations, demonstrating a sophistication beyond the traditional invoicing scams the team encounters far more often.

“It was truly unique the ways they went to great pains to hide their locations,” Wilson said. “We had to develop additional tools and innovate to get this information.”

Despite widespread VPN and GPS spoofing—including documented cases of “impossible travel”—the researchers identified actors operating in Nigeria, South Africa, Türkiye, Canada, and the United States.

The collective’s infrastructure is extensive. Fortra identified:

  • 119 registered domains 
  • 245 attacker-controlled or webmail accounts
  • 256 bank accounts used for laundering victim funds 

Network mapping shows that Scripted Sparrow behaves less like a hierarchical cybercriminal organization and more like a loosely connected ecosystem in which fraudsters share templates, infrastructure, and processes.


Why Wilson thinks US romance scam victims might be involved

Wilson told Channel Insider that the researchers have not ruled out the possibility that members of the scamming group are operating within the US. 

However, he says it’s likely that at least some of the activity identified within the US is not from attackers themselves but rather those operating, perhaps unknowingly, on their behalf.

“A lot of the US activity, I think, is likely mules. Specifically, I think many of them are romance scam victims, in which you fall for someone online, and they say they need your help, and maybe they need to use your bank account to transfer funds, or you have to send something for them,” said Wilson.

Wilson added that there is no way to know for sure. Still, a conversation Wilson says he had with one U.S. banking institution about the activity in one case suggests behavior in line with traditional romance scams.


Rapid evolution and new markets show group’s sophisticated tactics

Scripted Sparrow’s tactics have grown increasingly sophisticated. Early lures used generic salutations and minimal reply-chain content. 

Current examples include longer, more naturalistic threads, more realistic language, and instances in which attackers impersonate both the consultancy and the supposed executive to reinforce authenticity.

This fall, Fortra observed the group’s first non-English lure, a Swedish-language invoice for €9,905. The smaller amount may signal testing of new regional approaches before broader deployment.

Wilson says the team continues to see new activities from the group and doesn’t assume that Scripted Sparrow, or the many other attackers working on BEC scams, 


Implications for channel partners and their clients: human action remains paramount

For channel partners, Scripted Sparrow exemplifies the accelerating industrialization of BEC. Its automation, global distribution, and flexible infrastructure enable rapid scaling and constant adaptation—traits that complicate detection and user training.

Fortra recommends actions including the following:

  • reinforcing out-of-band payment verification 
  • educating customers on the ease of reply-chain spoofing 
  • ensuring that Accounts Payable teams follow formal approval protocols for all invoices, regardless of the amount

Wilson emphasizes this last point in particular, saying that most companies have policies on the books but lag in consistent execution. Attackers are counting on exactly that: payment amounts small enough that individual employees don’t find it necessary to confirm with an executive, for fear of bothering them unnecessarily.

Also of note, Wilson says, is that these emails made it through basically every email security tool (including Fortra’s) to the end user.

“The stuff that we see as researchers of these attacks is the stuff that makes it through all of the filters,” Wilson said. “I don’t think anything is going to completely prevent these emails, and things like this, from getting through to people.”


How GenAI is fueling efficiencies for attackers

Metadata from 734 invoices shows 76% were generated using the Skia graphics engine, reinforcing that Scripted Sparrow likely uses automated tooling to mass-produce documents and increase campaign throughput.

With the group expected to adopt generative AI to further streamline content creation and multilingual targeting, Scripted Sparrow demonstrates how quickly BEC operators are evolving. 

Wilson says it is likely that GenAI will increase not just the volume of attacks in the future but the ability for attackers to personalize scams to targets at scale, worldwide.

In particular, he thinks the one Swedish-language example in the Scripted Sparrow campaign shows where attacks can go in the future: regional, and just specific enough about things an individual would know about an executive to lull them into skipping policies.

“There’s always going to be a new scam, and the tools and mediums scammers use will change,” Wilson said. “LLMs are absolutely going to enable attackers to create the messaging that makes targets comfortable enough to not pick up the phone and verify the message. That’s why policy enforcement is so important.”
