Cybercriminals Trick Tenants into Sending Rent to Fraudulent Accounts

Proofpoint, a leading cybersecurity firm, has identified and named a new financially motivated Business Email Compromise (BEC) threat actor, dubbed TA2900, actively targeting individuals in France and occasionally Canada.

This actor employs sophisticated social engineering tactics, sending French-language emails centered around rental payment scams to deceive victims into transferring funds to attacker-controlled accounts.

These campaigns typically involve messages claiming that a rental installment for the recipient’s property has not been received, urging immediate payment to a new bank account provided via International Bank Account Number (IBAN) details.

- Advertisement -

According to the Report, Proofpoint researchers have tracked nearly two dozen unique IBANs across more than 50 campaigns, noting that the actor frequently switches accounts after two to three uses to evade detection.

Sophisticated Tactics and Social Engineering Exploits

TA2900’s emails often originate from compromised mailboxes, primarily from educational institutions worldwide, adding a veneer of legitimacy to their fraudulent communications.

Subject lines such as “Loyer” (Rent) or “Nouveau RIB” (New Bank Identity Statement) are commonly used to prompt urgency.

The messages either include IBAN details directly in the email body or attachments, or instruct victims to reply for updated banking information, thus initiating direct communication with the attacker via freemail services like Gmail or Outlook.

Early campaigns featured PDF attachments with branding like “Gestion locative de bien immobilier” (Rental Property Management) to mimic legitimate correspondence, though their use has decreased since late 2024.

The bank accounts tied to these scams are often associated with low-cost branches of major French financial institutions, further enhancing the illusion of authenticity.

Proofpoint suggests that the unusual phrasing in some emails may indicate the use of generative AI or translation tools, hinting that the actor might not be fluent in French or based in a French-speaking region.

The core of TA2900’s strategy lies in exploiting human emotion through social engineering, crafting messages that induce anxiety over unpaid rent to provoke hasty responses.

This tactic often leads recipients to overlook red flags, such as verifying the sender’s identity or the legitimacy of the provided bank details.

Proofpoint assesses with high confidence that TA2900’s primary goal is financial theft, leveraging knowledge of France’s rental payment processes and possibly specific property details to target victims effectively.

This underscores the importance of pausing to evaluate any urgent financial request received via email or other messaging platforms, as emotional manipulation remains a cornerstone of BEC fraud.

Below is a table of Indicators of Compromise (IOCs) associated with TA2900’s reply-to email addresses, providing critical data for organizations to bolster their defenses against this emerging threat.

Indicators of Compromise (IOCs)

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!