In this invoice fraud attack, a cybercriminal poses as a real LinkedIn employee and sends the target a fraudulent invoice. Using the look-alike domain financiallinkedin[.]com, the threat actor impersonates a representative from the “Accounts Dept” at LinkedIn and claims that the recipient’s company has an overdue invoice for recruiting and hiring services totaling $75,529. Attached to the email is a PDF that appears legitimate and contains payment instructions with bank account details. However, the account belongs to the threat actor, and any funds transferred to it will be stolen. By impersonating a real individual, crafting a genuine-looking invoice, and manufacturing a sense of urgency, the attacker increases the likelihood of the target believing the request is real and acting quickly without confirming its legitimacy.

Older, legacy email security tools struggle to accurately identify this email as an attack because it is sent from a look-alike domain, does not employ the use of links in the content, and lacks malicious attachments. Modern, AI-powered email security solutions recognize that the sender is unknown to the recipient, detect that the sending domain was recently created, and flag potentially malicious content in the PDF to correctly identify the email as an attack.

Status Bar Dots
SCR 20241025 mdik

Attempted invoice fraud attack from threat actor posing as real LinkedIn employee

Status Bar Dots
SCR 20241025 mkem

Fake invoice featuring LinkedIn branding and fraudulent banking details

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Look-alike Domain: The email is sent from a look-alike domain that resembles the legitimate domain, making it difficult for basic domain filters to detect the deception.
  • Lack of Links: The absence of links in the email body helps it avoid detection by legacy systems that typically rely on link scanning to identify malicious emails.
  • Lack of Malicious Attachments: By not including suspicious attachments such as HTML attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Unknown Sender Consideration: The email is recognized as coming from an unknown sender who has never communicated with the recipient. Abnormal’s platform maintains a communication history and quickly flags deviations from established sender-recipient interaction patterns.
  • Newly Created Domain: The identification of the newly created domain triggers Abnormal’s systems to scrutinize and flag the email for potential malicious activities, as this tactic is commonly used in attacks.
  • PDF Attachment Analysis: The PDF attachment containing alarming and urgent content was scrutinized and identified as potentially malicious through Natural Language Processing (NLP) and Natural Language Understanding (NLU).

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Vector

Text-based

Goal

Payment Fraud

Tactic

Fake Attachment
Look-alike Domain

Theme

Overdue Payment
Fake Invoice

Impersonated Party

External Party - Vendor/Supplier

See How Abnormal Stops Emerging Attacks

See a Demo