This fake billing scam and vendor email compromise features the impersonation of a legal executive at a vendor. To begin, the attacker creates a lookalike .cam domain and sends an email pretending to be the Senior Vice President & General Counsel from a company with which the target has a long-standing relationship. To add credibility, the attacker cc’s another lookalike domain they’ve created using the .cam suffix that mimics the domain for a well-known real estate company. The email uses professional-sounding language and includes an invoice and wiring instructions to attempt to redirect a $36 million loan payment. Given the nature of the target’s business, invoices and wire payments of this size are not uncommon. The two separate attachments also share the hallmarks of legitimate documentation, including official letterhead. The major discrepancy in the wiring instructions document is the letterhead used, “Forever Home Title, LLC,” since that entity is not referenced in the other assets sent by the attacker. If the target completes the transaction, the significant sum of money requested will be deposited into an account controlled by the attacker.

Older, legacy email security tools cannot accurately flag this email as an attack because it uses lookalike domains, lacks malicious links or attachments, and utilizes sophisticated social engineering techniques. Modern, AI-powered email security tools detect the lookalike domains and social engineering techniques and analyze the content to correctly mark this email as an attack.


The attacker creates a fake invoice with spoofed company letterhead and includes falsified loan information and other sensitive financial details.


The attacker includes a wiring instructions document that references a likely fraudulent LLC, “Forever Home Title,” to which they want the money redirected.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Use of Lookalike Domains: The attackers used lookalike domains with a .cam extension instead of the expected .com. Legacy security tools might not flag these as suspicious if they only focus on exact domain matches or are not updated to consider newly registered domains as potential threats.
  • Lack of Malicious Attachments or Links: The email did not contain any traditional indicators of compromise, such as malicious attachments or links. Legacy security tools often rely on scanning for known malware signatures or malicious URLs, which would not be effective in this case.
  • Sophisticated Social Engineering: The attack exploited existing relationships and trust between the vendor and the customer, using personalization and social engineering. Legacy tools might not be equipped to analyze the context of communications and detect anomalies based on behavior or the nature of the request.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Lookalike Domain Detection: Abnormal identifies and flags lookalike domains, such as the .cam domains used in this attack, instead of the expected .com. This capability is crucial for spotting impersonation attempts that might not be obvious to recipients or legacy security tools.
  • Content Analysis: Because Abnormal analyzes email content, it recognizes that an email involving high-value transactions and new billing instructions shows common red flags for vendor fraud. This capability allowed Abnormal to identify the risk associated with the email's request to divert a significant payment to a new bank account.
  • Social Engineering Detection: The email uses social engineering techniques like urgency and familiarity to trick the recipient into taking action. Abnormal detects these manipulative tactics as signs of an attack.
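
The lookalike-domain check described in the first bullet can be illustrated with a short Python sketch. This is an added example, not Abnormal's implementation: the partner allow-list, the sample headers and all function names are constructed for illustration, and the last DNS label is treated as the TLD for simplicity.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed allow-list of domains the organization already does business with.
KNOWN_PARTNERS = {"examplevendor.com", "examplerealty.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_domain(domain: str):
    # Simplification (assumption): the last label is the TLD, no public-suffix list.
    name, _, tld = domain.lower().rstrip(".").rpartition(".")
    return name, tld

def classify(domain: str, known=KNOWN_PARTNERS, max_dist: int = 2):
    """Return (verdict, matched_partner) for one sender or Cc domain."""
    domain = domain.lower().rstrip(".")
    if domain in known:
        return "known", domain
    name, tld = split_domain(domain)
    near = None
    for partner in sorted(known):
        p_name, p_tld = split_domain(partner)
        if name == p_name and tld != p_tld:
            return "tld_swap", partner  # same name, different suffix (.cam for .com)
        if near is None and 0 < edit_distance(name, p_name) <= max_dist:
            near = partner  # close misspelling of a partner name
    return ("near_match", near) if near else ("unknown", None)

def scan_headers(raw: str):
    """Classify every domain that appears in the From and Cc headers."""
    msg = message_from_string(raw)
    addrs = getaddresses(msg.get_all("From", []) + msg.get_all("Cc", []))
    domains = {a.rsplit("@", 1)[1] for _, a in addrs if "@" in a}
    return {d: classify(d) for d in domains}

# Constructed sample headers mirroring the pattern in this attack.
SAMPLE = (
    "From: General Counsel <gc@examplevendor.cam>\n"
    "Cc: closing@examplerealty.cam\n"
    "Subject: Loan payoff wiring instructions\n\n"
)
```

Checking the Cc header as well as From matters here, because the attacker used a second lookalike domain in Cc to add credibility.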

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Payment Fraud


Fake Attachment
Look-alike Domain


Account Update
Payment Inquiry
Fake Invoice

Impersonated Party

External Party - Vendor/Supplier
