8 July 2020

Cosmic Lynx cyber gang launched over 200 BEC attacks against Fortune 500 firms


For more than a year a group of scammers has been conducting email-based campaigns against Fortune 500 and Global 2000 companies attempting to steal hundreds of thousands of dollars from their victims.

The group, dubbed “Cosmic Lynx” by Agari researchers who uncovered the operation, has been active since July 2019 and has targeted individuals in 46 countries across the globe, often victimizing senior-level executives from large multinational corporations. The researchers said they observed more than 200 BEC (business email compromise) campaigns conducted by this group since July last year.

The group typically impersonates the CEO of the target company, sending a senior-level executive - in three quarters of the cases the title is Vice President, General Manager, or Managing Director - an email request to close an acquisition with an Asian company as part of a corporate expansion.

The target employee is asked to work with “external legal counsel” in order to coordinate the payments for closing the acquisition. The group then hijacks the identity of a legitimate attorney at a UK-based law firm whose job it is to facilitate the transaction.

“While the average amount requested in most executive impersonation BEC attacks is $55,000, the average Cosmic Lynx attack request is $1.27 million,” the researchers said.

If the attack is successful, Cosmic Lynx directs money to accounts in Hong Kong, Hungary, Portugal, and Romania, where it is withdrawn by so-called money mules.

Agari believes that Cosmic Lynx could be operating from Russia based on several findings: metadata in the headers of emails delivered to victims contained date and time stamps set to Moscow Standard Time, and some IP addresses used by Cosmic Lynx overlapped with infrastructure hosting websites that provided fake Russian-language documents (diplomas, birth certificates and death certificates).

“Most email-based threats today, like BEC attacks, are very simple social engineering attacks that are technically unsophisticated. To effectively protect against these threats, companies need to make sure they have defenses in place that are equipped to detect identity deception attacks that traditional inbound filters are not accustomed to handling. Additionally, organizations should have good internal processes in place, so payment requests, regardless of source, are verified before they are processed,” the researchers advised.
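The two concrete signals the article describes, an executive's name on a message that does not come from the corporate domain and a Date header stamped in an unexpected time zone such as Moscow Standard Time, can be turned into a simple header triage check. The following is an added example, not code from Agari or the article; the executive roster, corporate domain, expected time zones and the sample message are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed roster of executives whose names an impersonator might use.
EXECUTIVES = {"jane doe": "ceo"}
CORPORATE_DOMAIN = "example.com"                     # assumption
# UTC offsets (seconds) the organisation normally sends from; Moscow
# Standard Time (UTC+3) is deliberately outside this set.
EXPECTED_UTC_OFFSETS = {0, -4 * 3600, -5 * 3600}     # assumption

# Constructed sample message showing both red flags.
SAMPLE = """\
From: Jane Doe <jane.doe@example-mail.net>
To: vp.finance@example.com
Date: Mon, 6 Jul 2020 09:14:00 +0300
Subject: Confidential - acquisition payment

Please work with external counsel to close the deal.
"""


def triage(raw: str) -> dict:
    """Return a dict of findings for one RFC 5322 message (empty if clean)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = {}
    # Identity deception: a known executive's name on an external address.
    if display.strip().lower() in EXECUTIVES and domain != CORPORATE_DOMAIN:
        findings["executive_name_external_domain"] = f"{display} <{addr}>"
    # Time-zone artefact: Date header offset outside the expected zones.
    try:
        sent = parsedate_to_datetime(msg.get("Date", ""))
        offset = sent.utcoffset()
        if offset is not None:
            seconds = int(offset.total_seconds())
            if seconds not in EXPECTED_UTC_OFFSETS:
                findings["unexpected_utc_offset"] = f"{seconds // 3600:+d}h"
    except (TypeError, ValueError):
        findings["unparseable_date"] = msg.get("Date", "")
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Both findings are hints for human review, not proof; the article's own advice, verifying every payment request out of band, is the control that actually stops the transfer.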
