A massive, globally distributed cybercriminal collective is aggressively targeting corporate finance departments with a highly automated Business Email Compromise (BEC) campaign. A new report by Fortra Intelligence and Research Experts (FIRE) has unmasked “Scripted Sparrow,” a group that uses sophisticated social engineering and sheer volume to steal millions.
Unlike typical scammers who rely on lucky shots, Scripted Sparrow operates with industrial efficiency. Researchers estimate the group “sends upwards of 3 million highly targeted email messages each month”.
The group’s modus operandi is distinct and highly specific. They don’t just send a generic demand for payment; they weave a narrative.
“The group operates by posing as various executive coaching and leadership training consultancies,” the report explains.
They target Accounts Payable teams with what appears to be a mundane invoice for professional development services. To make the request look authentic, they include a “spoofed reply chain between the fictitious consultancy and an executive of the victim organization”. This fake history tricks the finance employee into believing the CEO or another high-ranking official has already approved the expense.
Scripted Sparrow is evolving its tactics to bypass email security filters. While early attacks included the malicious invoice and W-9 form as attachments, the group has recently started sending emails that carry no attachments but claim the documents are included.
This is a psychological trap. “If the message is successfully delivered to the intended recipient, and the recipient falls for the ruse, the recipient will reply to the group asking for the ‘forgotten’ attachment”.
By forcing the victim to initiate a reply, the attackers turn the conversation into a “trusted” dialogue. “In this way, the group avoids exposing their mule account until they have a potential victim gullible enough to respond to their initial message”.
The investigation revealed that Scripted Sparrow is not a small cell, but a “prolific Business Email Compromise (BEC) collective with members spanning three continents”.
Using browser fingerprinting and geolocation tracking, researchers pinpointed members operating from Nigeria, South Africa, Türkiye, Canada, and the United States.
Despite their global reach, the group attempts to hide its tracks using location spoofing tools. Researchers observed attackers changing their GPS location from San Francisco to Toronto “in less than 5 seconds,” exposing their use of browser plug-ins to mask their true whereabouts.
The sheer volume of attacks—peaking in September 2025—suggests heavy reliance on automation. “The scale of the group’s operation strongly suggests the use of automation to generate and send their attack messages”.
Forensic analysis of the fake invoices reveals that 76% were generated using the Skia/PDF graphics library, indicating a scripted, programmatic approach to document creation rather than manual forgery.
With over 256 identified bank accounts and hundreds of registered domains, Scripted Sparrow represents a mature and persistent threat.
Fortra advises organizations to strictly verify expenses. “Never trust a reply chain contained in an email from an external source, as this is easily spoofed”. Instead, finance teams should verify expenses directly with the employee through an official internal channel.
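A triage sketch for the two traits described above, the spoofed reply chain quoting an internal executive and the invoice that is mentioned but not attached. It is an added example, not code from the Fortra report; the domain `example-corp.test`, the keyword patterns and the sample message are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-corp.test"  # assumption: your own mail domain

ATTACH_WORD = re.compile(r"\b(attached|attachment|enclosed)\b", re.I)
DOC_WORD = re.compile(r"\b(invoice|w-?9)\b", re.I)
# Lines that introduce quoted mail: "From: ..." or "On ... wrote:"
QUOTE_HEADER = re.compile(r"^[>\s]*(?:From:.*|On .*wrote:)\s*$", re.I | re.M)
ADDR_DOMAIN = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

# Constructed sample message (not taken from the report).
SAMPLE = """\
From: Coach Billing <billing@coaching-consult.test>
To: ap@example-corp.test
Subject: Re: Leadership workshop invoice

Hi, please find the invoice and W-9 attached for processing.

On Mon, 1 Sep 2025, Jane Doe <jane.doe@example-corp.test> wrote:
> Approved. Please send the invoice to Accounts Payable.
"""

def bec_indicators(raw: str) -> dict:
    """Report which of the described BEC traits one raw message shows."""
    msg = message_from_string(raw, policy=policy.default)
    # Simplification: trusts the From header; a production check would use
    # the mail gateway's authenticated sender information instead.
    sender_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    external = sender_domain != INTERNAL_DOMAIN
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    has_attachment = any(True for _ in msg.iter_attachments())
    claims = bool(ATTACH_WORD.search(body) and DOC_WORD.search(body))
    # Domains of addresses named in quoted-reply header lines of the body.
    quoted = {d.lower() for line in QUOTE_HEADER.findall(body)
              for d in ADDR_DOMAIN.findall(line)}
    return {
        "external_sender": external,
        "claims_attachment_but_none": claims and not has_attachment,
        "quotes_internal_sender": external and INTERNAL_DOMAIN in quoted,
    }

if __name__ == "__main__":
    print(bec_indicators(SAMPLE))
```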