In this attack, the email impersonated a partner at a venture capital firm and asked how to update their direct deposit information. The sender's display name was set to match the impersonated employee's name, but the reply-to address was hosted on a different domain that wasn't actually live.

Had the recipient replied to the email, the attacker would likely have provided fraudulent bank account details and requested that future paychecks be deposited into the account.

How Does This Attack Bypass Email Defenses?

The email did not contain any obvious red flags, such as suspicious links or file attachments, making it difficult for traditional email defenses to detect. Additionally, the SPF check for the sending domain returned a SoftFail result, indicating that the domain discourages the use of the sender's IP address as a permitted sender. Because a SoftFail does not meet the criteria for a complete failure, some email security systems may overlook the email.

How Can This Attack Be Detected?

To identify and block these types of attacks, email security solutions with natural language processing can detect suspicious requests for personal or financial information. Integration with an employee database can also help catch display names being used deceptively. By staying vigilant and investing in advanced security technology, organizations can protect both their employees and their sensitive data.
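The checks described above can be combined into a simple header and content triage. The following is an added example, not code from the original page or from any vendor product; the directory contents, domain names, signal names and sample message are all constructed, and a keyword pattern stands in for real natural language processing.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical employee directory: VIP display name -> known corporate address.
VIP_DIRECTORY = {"jordan avery": "javery@examplevc.test"}
# Keyword stand-in for NLP detection of payroll / bank-detail requests.
PAYROLL_RE = re.compile(r"direct deposit|payroll|pay\s?check|bank (account|details)", re.I)

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def _text(msg):
    # Assumes unencoded text/plain parts, which is enough for this sketch.
    parts = msg.walk() if msg.is_multipart() else [msg]
    return " ".join(p.get_payload() for p in parts if p.get_content_type() == "text/plain")

def score_message(raw):
    """Return the list of impersonation signals found in one raw message."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    signals = []
    known = VIP_DIRECTORY.get(" ".join(name.lower().split()))
    if known and from_addr.lower() != known:
        signals.append("vip_display_name_unknown_address")
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        signals.append("reply_to_domain_mismatch")
    if re.search(r"\bspf=softfail\b", msg.get("Authentication-Results", ""), re.I):
        signals.append("spf_softfail")
    if PAYROLL_RE.search(msg.get("Subject", "") + " " + _text(msg)):
        signals.append("payroll_change_request")
    return signals

def is_payroll_diversion(signals):
    # A VIP name on an unknown address plus a payroll request is enough to
    # quarantine, even when SPF only soft-fails instead of failing outright.
    return {"vip_display_name_unknown_address", "payroll_change_request"} <= set(signals)

# Constructed sample modelled on the email described on this page.
SAMPLE = """\
From: "Jordan Avery" <j.avery@sender.example>
Reply-To: <j.avery@reply-domain.example>
To: payroll@examplevc.test
Subject: Direct deposit update
Authentication-Results: mx.examplevc.test; spf=softfail smtp.mailfrom=sender.example
Content-Type: text/plain

Hi, how do I update my direct deposit information before the next payroll?
"""

if __name__ == "__main__":
    print(score_message(SAMPLE), is_payroll_diversion(score_message(SAMPLE)))
```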

What are the Risks of This Attack?

If an employee updates sensitive information, such as another employee’s bank account details, without independently confirming the request, paychecks can be diverted to the attacker’s account. Additionally, the individual being impersonated is a high-profile member of the organization, which means rerouting their paychecks could be particularly lucrative.

Analysis Overview

Payroll Diversion
Free Webmail Account
Direct Deposit Payment
Account Update