In phone fraud scams, attackers use real brands to send fake receipts to their targets and then encourage them to call a number to dispute the charge. In this instance, attackers use display name spoofing and pretend to be Team Billing from Norton by Symantec. The body of the email states that the recipient has been charged $439.99 for their one year subscription of Norton 360 Deluxe, but they can call a number included in the email if they did not make that transaction. These numbers look similar to real 1-800 toll numbers to add extra legitimacy. 

As part of the attack, cybercriminals set up call centers around the world with phone agents who are given a script to read. As part of this script, the victim is asked to download a document in order to cancel the order. Unknown to them, that document contains malware. 

Status Bar Dots
62bcc0999eed4e9ab8b1658a 910249626

Why It Bypassed Traditional Security

The attack uses a Gmail address, so there is no bad reputation associated with the domain, and no malicious links or files to check. Because it relies on recipient emotion and the use of a phone call, there are no malicious indicators for a secure email gateway to discover and block. 

Detecting the Attack

To detect the attack, an understanding of new threats is required alongside content analysis to detect the receipt and phone number. Lookalike content is also helpful to understanding how this attack relates to other phone-based text attacks, which typically impersonate a variety of brands including Best Buy, Amazon, and others. 

Risk to Organization

While this email typically relies on individuals for success rather than organizations, there is a chance that an employee may receive it and believe that they have been charged to their company credit card. In an effort to fix the mistake, the target would unknowingly download malware onto the company device, from which the threat actor can perform a variety of nefarious actions.

Analysis Overview




Content Obfuscation via Image


Fake Payment Receipt

Impersonated Brands


See How Abnormal Stops Emerging Attacks

See a Demo