An Executive Decision Was Faked

The NJCCIC identified a business email compromise campaign that impersonates ServiceNow to achieve financial gain. The email messages in this campaign seem to form a thread between a ServiceNow representative and the CEO of the targeted organization regarding an overdue invoice. The final message is sent to a person likely responsible for paying invoices within the organization. This is an example of multi-persona phishing and executive impersonation. The email domain service-now[.]ai, referenced in the message and attachments, was registered in March.

The messages include two Adobe PDF files. The first attachment appears to be an invoice from ServiceNow and contains instructions to pay into an attacker-controlled account; the second is a W-9 form included to make the request seem legitimate. The threat actors try to trick their target into believing the email came from their CEO so that the target pays the invoice without questioning it.
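As an added example (not NJCCIC's own tooling), the following Python script checks a constructed message against the indicators described above: a sender domain that imitates a trusted vendor, an executive display name on an external address, lookalike domains inside the quoted "thread", and a payment-themed subject from outside the organization. The trusted-vendor list, the organization domain and the names are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the campaign above: the "final message" of a
# fabricated vendor/CEO thread, forwarded to accounts payable. The people,
# addresses and target domain are hypothetical; only the lookalike domain is real.
SAMPLE_EMAIL = """\
From: "Jane Doe" <jane.doe@service-now.ai>
To: accounts-payable@example.org
Subject: FW: Overdue invoice - please process today

Please pay this today so we avoid a service interruption. Thread below.

> From: ServiceNow Billing <billing@service-now.ai>
> To: jane.doe@service-now.ai
> Subject: RE: Overdue invoice
"""

TRUSTED_VENDORS = {"servicenow.com"}  # assumed: vendor domains the org actually pays
ORG_DOMAIN = "example.org"            # assumed: the target organization's own domain
EXECUTIVE_NAMES = {"jane doe"}        # assumed: display names worth protecting

def base_label(domain: str) -> str:
    """Brand label with punctuation removed: 'service-now.ai' -> 'servicenow'."""
    parts = domain.lower().split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    return re.sub(r"[^a-z0-9]", "", label)

def lookalike_vendor(domain: str):
    """Trusted vendor domain that `domain` imitates (hyphen/TLD swap), else None."""
    domain = domain.lower()
    if domain in TRUSTED_VENDORS:
        return None
    return next((v for v in TRUSTED_VENDORS if base_label(v) == base_label(domain)), None)

def analyse(raw: str) -> list:
    """Return human-readable findings for one message; an empty list means no flags."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    vendor = lookalike_vendor(domain)
    if vendor:
        findings.append(f"sender domain {domain} imitates trusted vendor {vendor}")
    if domain != ORG_DOMAIN and name.strip().lower() in EXECUTIVE_NAMES:
        findings.append(f"display name '{name}' is an executive but the sender is external")
    # Multi-persona check: participants quoted in the forwarded thread on lookalike domains.
    for qdomain in set(re.findall(r"^>.*?@([\w.-]+)", msg.get_payload(), re.M)):
        if lookalike_vendor(qdomain):
            findings.append(f"quoted thread participant uses lookalike domain {qdomain}")
    if domain != ORG_DOMAIN and re.search(r"invoice|overdue|wire", msg.get("Subject", ""), re.I):
        findings.append("external payment request in subject: verify out of band")
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("FLAG:", finding)
```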

Recommendations

  • Confirm the source and instructions of any monetary transaction received via email through a separate means of communication, such as a phone call. Email replies are not an effective verification method, as they could be sent to the threat actors.
  • While an email may appear to come from a known and trusted account, that account may have been compromised. Verify all requests for money transfers.
  • Navigate directly to legitimate websites and verify them before providing sensitive information or wiring funds.
  • If funds are unintentionally wired to a fraudulent account, immediately notify a supervisor, the banking institution, the FBI, and the US Secret Service to stop the wire transfer. Unless the fraudulent transaction is discovered quickly (typically within 48 hours), it can be difficult, if not impossible, to return the stolen funds.
  • If personally identifiable information (PII) has been compromised, review the Identity Theft and Compromised PII NJCCIC product for additional recommendations and resources, including credit freezes and enabling MFA on accounts.