In this business email compromise attack, a threat actor compromises the Gmail account of a real attorney and sends the target an email requesting assistance with paying a client. The attacker claims they need to make a $520 payment to their client via PayPal but are unable to because PayPal has closed their two accounts. The goal of the initial email is simply to connect with the target, establish trust by posing as a known individual, and encourage them to reply so the attacker can move on to the next phase of the attack. Once the target engages with the attacker, the threat actor changes the request to a Venmo transfer for $900. When the target attempts to send the $900 to what is presumably the attorney’s actual Venmo account, the attacker tells them to send it to a different account, claiming the other Venmo username is no longer valid. If the target completes the request, $900 will be stolen by the attacker.

Older, legacy email security tools lack the capability to properly identify this email as an attack because it contains no malicious links or attachments, harnesses social engineering tactics, and compromises a trusted identity. Modern, AI-powered email security solutions flag the unknown sender, analyze the email context, and detect social engineering tactics, enabling the accurate classification of this email as an attack.

[Screenshot: AL BEC Lawyer Impersonation Payment Fraud Email 1]

[Screenshot: AL BEC Lawyer Impersonation Payment Fraud Email 2]

After the target responds to the initial email, the attacker continues the conversation.

[Screenshot: AL BEC Lawyer Impersonation Payment Fraud Email 3]

Once the attacker feels trust is established, they make another ask of the target—this time for a transaction via Venmo.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Lack of Malicious Links or Attachments: Legacy security tools often scan for malicious links, attachments, or known malware signatures. This email does not contain any overtly malicious content that would typically trigger security alerts, allowing it to slip through filters designed to catch these threats.
  • Social Engineering Tactics: The attack leverages social engineering rather than technical vulnerabilities. It manipulates the recipient's emotions and trust, which legacy tools are not designed to detect. These tools focus on technical indicators of compromise rather than the nuanced and context-dependent cues of social manipulation.
  • Compromised Trusted Identities: The attacker impersonates a known individual, which can bypass security measures that rely on blacklists or reputation scoring. Unless the specific email address has been previously reported and blacklisted, legacy tools might not recognize the email as a threat.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Unknown Sender Analysis: Abnormal analyzes the sender's behavior, including the fact that this is the first time they have sent an email to the recipient, and identifies this as a potential sign of a phishing attempt.
  • Contextual Analysis: By performing a contextual analysis of emails, Abnormal can understand the context behind requests, such as asking for financial transactions via unusual methods. This helps in identifying requests that are out of the ordinary for the supposed sender or the recipient.
  • Social Engineering Techniques: The email uses social engineering techniques like urgency and familiarity to trick the recipient into taking action. Abnormal detects these manipulative tactics as signs of an attack.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.
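The indicators listed above (first-time sender, free webmail, a payment-app request, a changed payee) can be approximated with simple thread-level heuristics. The following is an added example, not Abnormal's detection logic or code from this write-up; the keyword lists, signal names, threshold, and sample thread are all assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed, deliberately short lists; tune for your own mail flow.
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
PAYMENT_APP = re.compile(r"\b(paypal|venmo|zelle|cash ?app)\b", re.I)
MONEY = re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?")
PAYEE_SWITCH = re.compile(r"no longer valid|different account|new username", re.I)

def parse(raw):
    """Return (sender address, sender domain, body) for a plain-text message."""
    msg = message_from_string(raw)
    addr = parseaddr(msg.get("From", ""))[1].lower()
    return addr, addr.rpartition("@")[2], msg.get_payload()

def score_message(raw, known_senders):
    """Per-message signals matching the indicators described above."""
    addr, domain, body = parse(raw)
    signals = []
    if addr not in known_senders:
        signals.append("first_contact_sender")
    if domain in FREE_WEBMAIL:
        signals.append("free_webmail")
    if PAYMENT_APP.search(body) and MONEY.search(body):
        signals.append("payment_app_request")
    if PAYMENT_APP.search(body) and PAYEE_SWITCH.search(body):
        signals.append("payee_changed")
    return signals

def review_thread(raw_messages, known_senders, threshold=3):
    """Accumulate signals across a thread; flag once enough distinct ones appear."""
    seen, amounts = [], set()
    for raw in raw_messages:
        amounts |= {m.rstrip(",") for m in MONEY.findall(parse(raw)[2])}
        for s in score_message(raw, known_senders):
            if s not in seen:
                seen.append(s)
    if len(amounts) > 1:  # requested amount shifted mid-conversation
        seen.append("amount_changed")
    return len(seen) >= threshold, seen

# Constructed sample thread modelled on the three emails described on this page.
SENDER = 'From: "J. Doe, Esq." <jdoe.law@gmail.com>\nSubject: Quick favor\n\n'
THREAD = [
    SENDER + "I need to pay a client $520 via PayPal but PayPal closed my two accounts.",
    SENDER + "Thanks. Could you send $900 by Venmo today?",
    SENDER + "That Venmo username is no longer valid, use a different account.",
]
KNOWN = {"colleague@example.com"}  # hypothetical prior correspondents
```

Calling `review_thread(THREAD, KNOWN)` flags the thread. Scoring at thread level matters here because the payee switch and the amount change only appear in later replies, not in the first email.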

Analysis Overview

  • Payment Fraud
  • Free Webmail Account
  • Legal Matter
  • Impersonated Party: External Party - Other
