In this byline for Help Net Security, John Wilson details how Fortra analysts tracked and dismantled a persistent global business email compromise operation known as Scripted Sparrow. Drawing on activity observed between June 2024 and December 2025, Wilson explains how the group uses disciplined workflows, consistent language, and carefully chosen payment amounts to deceive finance teams. The piece outlines the group’s tactics, infrastructure, and behavioral markers, in addition to highlighting why their BEC campaigns stand out.
Originally published in Help Net Security.
Excerpt: “Unlike conventional BEC actors, Scripted Sparrow uses a structured, consistent, and disciplined approach. Each campaign shows how they have conducted research, used consistent language with a familiar tone, and chosen payment amounts that hover just below approval limits.”
Help Net Security: Clipping Scripted Sparrow’s wings: Tracking a global phishing ring
Published on December 19, 2025
