Every scam tells a story. This one begins with a single email.
At first glance, it looks ordinary: a polite message about a missed payment sent on behalf of an executive. It carries the right tone, the right formatting, even a convincing chain of prior correspondence.
A PDF is attached: an invoice for professional services that is slightly overdue. The amount is just under $50,000. A forged email trail makes it appear that the company authorized the payment, and the message is sent to the intended victim’s accounting email address to deceive the team.
Instead of ransomware or a breach, it’s clever persuasion.
The group behind this scheme, which Fortra has identified and named Scripted Sparrow, has spent the past year quietly targeting finance teams, CFOs, and small business owners with convincing, handcrafted phishing campaigns. What sets them apart isn’t their technology, but their mimicry.
Where other groups use malware and mass ‘mud-against-the-wall’ spam, Scripted Sparrow thrives on social engineering: emails that feel familiar, personal, and urgent, appealing to natural human instincts.
Who Is Scripted Sparrow?
Attribution in cybercrime is rarely simple, but Scripted Sparrow leaves a few hints in its wake.
Fortra’s researchers found that Scripted Sparrow hides behind VPNs and Remote Desktop connections, making it look like it’s in the U.S. But Fortra doesn’t take IPs at face value. Using browser fingerprinting and cunning geolocation tricks (like requiring scammers to turn on location services to view fake payment confirmations), researchers can see through the smoke. The trail leads to Nigeria, South Africa, and Turkey.
Unlike typical BEC crews, however, Scripted Sparrow’s operations demonstrate a higher degree of internal consistency. Their fake business identities persist across multiple campaigns. Their invoice templates evolve only slightly over time. Their language patterns remain steady, professional, and believable.
Far from a rotating cast of opportunists, Scripted Sparrow is an organized group with defined roles: researching targets, crafting domains, writing emails, and managing the financial side.
Fortra’s analysis found repeated use of the same banking institutions (often through smaller intermediary banks), indicating a shared network of laundering channels. Each transaction is deliberately set below common red-flag thresholds, keeping them from immediate scrutiny.
One campaign may net them the equivalent of a year’s salary in their home country. For many, that’s more than enough incentive to keep the emails flowing.
How Scripted Sparrow Operates
Scripted Sparrow’s emails are designed to survive skepticism. Each campaign starts with a fake invoice from a fictitious consulting or coaching firm, with names including Teneo Strategy, Vistage Global, and Catalyst Executive Circle. The messages reference purported prior approvals from company leaders and contain fabricated threads that look like real internal discussions.
The aim is simple: trick Accounts Payable into wiring funds to a fraudulent account.
The mechanics are fairly low-tech, but the preparation is not. These bad actors study corporate communication styles. They copy signatures, subject lines, and tone. They set up lookalike domains that differ by a single character. They build entire fake identities, complete with websites, phone numbers, and professional bios.
They also fly below the radar. Unlike ransomware gangs, they don’t need to breach systems or steal data. One wrong click (or one unverified transfer) is enough.
Fortra analysts have tracked 147 variants of the same scam since early 2024. The campaigns are small, specific, and all too often successful.
The Scale of the Operation
Scripted Sparrow isn’t new, but its growth has been notable, with Fortra estimating anywhere from 10,000 to 50,000 emails daily.
The earliest traces date back to late 2023, when isolated incidents popped up on LinkedIn and Reddit. Victims described nearly identical scams: fake invoices for coaching services, authorized (supposedly) by senior leadership.
By mid-2024, a clear pattern emerged. The same invoice templates appeared again and again, tied to the same bank accounts, written in the same tone, and asking for the same amount, which hovered just under the $50,000 mark.
Each message had a consistent structure, which suggests a coordinated playbook instead of random opportunism.
Fortra’s telemetry shows the activity accelerating through 2025. What began as a handful of reports evolved into daily sightings across industries: manufacturing, finance, healthcare, technology.
It’s far from the scale of an automated botnet, more like a precision tool that is used often enough to make money for its authors, but seldom enough to stay unnoticed.
What Else We Know
Scripted Sparrow’s strength lies in psychology.
Their attacks exploit trust and routine: the expectation that internal emails are authentic, that an invoice matches an approval thread, that urgency justifies speed.
They are students of human behavior more than technology.
However, even the most subtle deceptions leave a digital trail. Fortra’s automated defenses began detecting anomalies, like mismatched headers, inconsistencies in metadata, and unusual routing paths. These clues led analysts to identify the connected incidents and map the infrastructure behind them.
With each discovery, the picture became clearer: domain clusters registered within hours of each other, shared hosting patterns, recurring linguistic markers, and repeated invoice templates.
These findings have now been consolidated into Fortra’s upcoming whitepaper, which will detail how Scripted Sparrow operates, how organizations can identify the signs early, and how automation can neutralize their tactics before damage occurs.
The goal is both exposure and prevention.
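The signals described above (sender domains one character away from a real one, mismatched headers, amounts just under $50,000) can be combined into a simple mail-triage check. The following is an added example, not Fortra's detection logic; the trusted domain, the 10% "just under" window, the flag names, and both sample messages are assumptions constructed for illustration, and encoded (base64 or quoted-printable) bodies are not decoded.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example-corp.com"}  # assumption: your organization's real domains
CEILING = 50_000     # the page: invoice amounts sit just under $50,000
NEAR = 0.90          # assumption: "just under" means within 10% of the ceiling

# Constructed sample messages (not real traffic).
SAMPLE_SUSPICIOUS = """\
From: "Dana CFO" <dana@examp1e-corp.com>
Reply-To: billing@consulting-invoices.example
Subject: Fwd: Overdue invoice

Per the approval below, please pay the attached invoice for $49,850.00 today.
"""
SAMPLE_BENIGN = """\
From: facilities@example-corp.com

Receipt attached, total $1,200.00.
"""

def within_one_edit(a, b):
    """True when a != b and one substitution, insertion or deletion maps a to b."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    # Equal length: skip the differing char in both; otherwise skip one in the longer.
    return a[i + (len(a) == len(b)):] == b[i + 1:]

def domain_of(header):
    return parseaddr(header or "")[1].rpartition("@")[2].lower()

def triage(raw):
    msg, flags = message_from_string(raw), []
    sender, reply = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if any(within_one_edit(sender, t) for t in TRUSTED_DOMAINS):
        flags.append("lookalike-sender-domain")
    if reply and reply != sender:
        flags.append("reply-to-mismatch")
    text = "".join(p.get_payload() for p in msg.walk() if p.get_content_maintype() == "text")
    amounts = [float(m.replace(",", "")) for m in re.findall(r"\$\s?(\d[\d,]*(?:\.\d{2})?)", text)]
    if any(CEILING * NEAR <= a < CEILING for a in amounts):
        flags.append("amount-just-under-threshold")
    return flags
```

A message that raises several flags at once is a candidate for out-of-band payment verification rather than automatic blocking, since each signal alone also occurs in legitimate mail.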
A Simple, Human Attack
Scripted Sparrow is far from an exotic cyber threat. It’s not the stuff of spy thrillers or zero-day exploits.
It’s a simple, human attack, and it is working.
Every company that processes invoices or relies on internal approvals is a potential target. Automation helps, but awareness matters just as much. Verification, even a quick one, can stop the scam in its tracks.
The case of Scripted Sparrow is a reminder that modern fraud hides in plain sight, in the everyday flow of business communication.
Fortra’s research team is continuing to trace the group’s evolution, their methods, language, and operational shifts, with one purpose: to make their success rate drop to zero.
That’s how you clip a Sparrow’s wings.
Stay Ahead of Scripted Sparrow
Fortra’s forthcoming whitepaper, “Scripted Sparrow: Anatomy of a Modern Phishing Operation,” will provide a full breakdown of the group’s tactics, infrastructure, and the safeguards that stopped them.
If your organization handles payments, approvals, or sensitive correspondence, this is research you can’t afford to overlook.
Stay informed. Stay alert. And never stop verifying. Read the full report today.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


