In December, Fortra Intelligence and Research Experts (FIRE) released a major report exposing Scripted Sparrow, one of the most active Business Email Compromise (BEC) collectives operating today. The group sends an estimated 6 million highly targeted scam emails each month, impersonating executive coaching firms and leveraging spoofed reply chains, missing attachment lures, and evolving multilingual campaigns. FIRE’s investigation links the collective to 119 domains, 245 webmail accounts, and 256 bank accounts, with members operating across three continents and continually refining their fraud techniques at scale.
Segment Resources:
https://www.fortra.com/resources/guides/scripted-sparrow-prolific-bec-threat-group
This segment is sponsored by Fortra. Visit https://securityweekly.com/fortrarsac to learn more about them!
Read the interview summary from SC Media here: Fortra’s John Wilson on the prolific BEC group Scripted Sparrow
- 0:00 - RSAC 2026 Interview – Email Security & BEC Threats
- 0:25 - What is Fortra? Cybersecurity Products & Services Overview
- 02:44 - Introducing Scripted Sparrow BEC Threat Group
- 03:04 - How Business Email Compromise (BEC) Attacks Work
- 03:30 - Targeting Accounts Payable Teams with Fake Invoices
- 04:27 - Why Attackers Use Executive Coaching Scams
- 05:24 - Global BEC Attacks: US, UK, Sweden & Beyond
- 06:20 - AI & Multilingual Phishing Attacks Explained
- 07:10 - Why International Targets Are More Vulnerable
- 07:37 - How Advanced Phishing Emails Bypass Detection
- 08:19 - Active Defense & Scam Baiting Explained
- 09:23 - What is Active Defense in Cybersecurity?
- 10:15 - Disrupting Scammers: Domains, Emails & Takedowns
- 11:20 - How Threat Intelligence Improves Security Products
- 12:08 - Sharing Cyber Threat Intelligence with Law Enforcement
- 13:15 - Why Social Engineering Still Works in 2026
- 14:07 - Human Risk in Cybersecurity & Phishing Awareness
- 14:58 - Using Real Phishing Simulations for Training
John Wilson has been combating email-based fraud since 2006, when he developed an authentication-based anti-phishing solution as CTO of Brandmail Solutions. John continued his mission to rid the world of email fraud at Agari. As part of their threat intelligence team, John assisted Microsoft and the FS-ISAC with the B54 Citadel botnet takedown by providing data related to Citadel botnet infections and by acting as a declarant in the civil forfeiture action filed in US District Court.
John joined Fortra through the acquisition of Agari in June 2021. In his current role at Fortra, he continues to research email scams and conduct experiments in “active defense”. In early 2023, John again worked with Microsoft, this time on a takedown effort aimed at curbing the illegal use of Fortra’s Cobalt Strike adversary simulation solution.
John holds a B.S. in Computer Science and Engineering from MIT. He has spoken at a variety of security conferences including RSA, FS-ISAC, Aviation ISAC, NCFTA Disruption, and the Microsoft Digital Crimes Consortium.
