Cybercriminals Target Renters in French-Speaking Regions with Sophisticated Email Scam
A well-coordinated business email compromise (BEC) campaign is deceiving tenants into rerouting their rent payments to bank accounts controlled by cybercriminals. The scheme primarily targets French-speaking individuals in France and, to a lesser extent, in Canada.
Attackers exploit fear of missed payments by sending professional-looking emails claiming the property manager’s banking details have changed. Victims are instructed to use new account information for future rent payments. These emails often mimic official formats, using familiar letterheads and terms like “Relevé d’Identité Bancaire” (Bank Identity Statement) to increase authenticity.
Cybersecurity firm Proofpoint attributes the campaign to a threat group it tracks as TA2900. Over 50 separate campaigns have been observed, using around two dozen different bank accounts (IBANs). The group typically uses each bank account in two or three campaigns before switching, indicating a strategic effort to avoid detection.
The attackers distribute their emails using compromised email accounts—often from educational institutions—which adds an air of legitimacy to their communications. Email subjects are typically simple, like “Loyer” (Rent) or “Nouveau RIB” (New bank details), and the attachments often include logos and terminology common in real estate management.
TA2900’s success largely stems from its strong social engineering tactics. By leveraging urgency and fear—implying tenants risk losing their homes—they bypass rational decision-making and encourage hasty actions. The emails are crafted with accurate rental industry terminology such as “Garantie des loyers” (Rent guarantee) and “Gestion immobilier comptabilité” (Real estate management accounting). Victims are often asked to confirm payments or set up automatic transfers, opening multiple avenues for financial theft.
The bank accounts used are registered with legitimate financial institutions in France, often low-cost branches of larger banks, making the transactions appear credible.
While TA2900’s exact location remains unknown, Proofpoint strongly believes the group is financially motivated. Despite the campaigns being in French, the use of translation software suggests the actors may be operating from outside the targeted regions.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
