Attack Library
Threat Actor Uses Compromised Email to Target Internal Employees in Credential Phishing Attempt
After compromising an email address, an attacker sends a fake document notification to fellow employees linked to a fake Microsoft login page hosted by Webflow designed to steal credentials.
Attacker Impersonates Lawyer and Attempts Payment Fraud Using Compromised Email Account
After compromising a lawyer’s Gmail account, an attacker builds rapport with the target by asking for help with paying a client before pivoting to a request for a larger transfer.
Attacker Poses as Company Executive and Attempts to Establish Trust to Exploit for Future Financial Crimes
By discussing sensitive topics and establishing a rapport, an attacker hopes to convince a target to comply with fraudulent requests in the future.
Attacker Uses Compromised Vendor Account to Hijack Conversation and Attempt Payment Fraud
After breaking into a vendor’s email account, an attacker creates a look-alike domain to send a large invoice and discuss rerouting payments to a new bank account.
Threat Actor Launches Vendor Email Compromise Attack to Reroute Invoice Payments
After breaking into a vendor’s email account, an attacker uses official-sounding language to mimic legitimate communications and attempt payment fraud.
BEC Attack Requests New Payment Methods for Outstanding Invoices in Attempted Payment Fraud
After gaining access to a legitimate account, an attacker attempts payment fraud by requesting ACH transfers instead of payments via check.
Attacker Uses Lookalike Domain to Attempt Receipt of $621,000 Invoice
By removing a single letter in the sending domain to still appear legitimate, an attacker attempts to redirect a large invoice.
Attacker Follows Up On Unpaid $132,000 Invoice Using Compromised Vendor Account
After a vendor account is compromised, an attacker references unpaid invoices and utilizes lookalike domains to attempt payment fraud.
Multiple Employees Engage with a Compromised Vendor Account Requesting New Banking Details
An attacker hijacks an email account and communicates with two employees who are unaware the account has been compromised.
Attacker Requests £61,000 Using Compromised Vendor Account with Lookalike Email Cc'ed
Attackers hijack an ongoing thread and create a lookalike domain to continue the conversation as part of an invoice fraud attack.
Attacker Impersonates Partner at Venture Capital Firm to Execute Payroll Diversion
This payroll diversion attack impersonated a partner at a venture capital firm inquiring about how to update direct deposit information to a new bank.
Danish BEC Attack Impersonates CEO to Request Gift Cards
This Danish-language BEC attack impersonated a company CEO to request the purchase of iTunes gift cards.
BEC Attack Impersonates Vendor to Request Account Update Using Fake Bank Authorization Letter
This BEC attack impersonated a vendor using a lookalike domain and fake bank authorization letter to request an update to their payment account information.
Italian-Language Aging Report Theft BEC Attack Impersonates Company Executive
This Italian-language BEC attack impersonated a company executive to request a list of customers and their overdue balances.
BEC Attack Poses as a Factoring Company to Request Aging Report with Customer Payment Information
This BEC attack impersonated an external factoring company using a free webmail account with a customized impersonation username to request a copy of an updated aging report containing customer payment and contact information.
BEC Attack Targets Head of Human Resources to Request Copies of Employee W-2s
This BEC attack impersonated the company CEO using multiple free webmail accounts to request a copy of all employee W-2s.
Hungarian BEC Attack Impersonates Executive to Request a Payment to a Fake UK Company
This Hungarian-language BEC attack impersonated a company executive using a freely-available Gmail account to request a payment to be sent to a fictitious company located in the United Kingdom.
French-language BEC Attack Impersonates Executive Requesting Assistance in a Corporate Acquisition
This French-language BEC attack impersonated a company executive using a free webmail account created with a lookalike username to request assistance making a payment that was supposedly part of a corporate acquisition.
BEC Attack Impersonates a CEO Using a Combination of a Spoofed Email Address and Reply-to Address with a Mirrored Username
This BEC attack impersonated a company CEO using a combination of a spoofed email address and an account hosted on a malicious domain created with a username matching the CEO’s to request a fraudulent payment.
BEC Attack Impersonates Distribution Supplier and Offers Discount as an Incentive for Quick Payment
This BEC attack impersonated an external distribution partner using a compromised account and encrypted email service to inquire about outstanding payments, update payment account information, and offer a discount as a quick payment incentive.
Italian-language BEC Attack Attempts to Divert Executive's Paycheck
This Italian-language BEC attack impersonated a company executive to request an update to their payroll account information that would divert future paychecks to a fraudulent account.
Blind Third Party Attack Impersonates Eurocontrol to Solicit Fraudulent Payment
This BEC attack impersonated Eurocontrol using a spoofed email address and a lookalike domain to pressure a target into sending a fraudulent payment for a supposed overdue payment.
Impersonated CFO Requests Monero as a Payment for Debts Owed to a Creditor
This BEC attack impersonated a company CFO to request a payment to be made using Monero to fulfill supposed debts owed to a creditor.
Holiday-Themed BEC Attack Impersonates Executive Using Fake Email Thread to Request Overdue Payment to Third-Party Vendor
This holiday-themed BEC attack impersonated a company executive using a maliciously-registered domain to request a supposedly outstanding payment be made to a third-party vendor referenced in a fake email thread.
Vendor Impersonation BEC Attack Uses Modified Legitimate Invoice to Solicit Fraudulent Payment
This BEC attack impersonated a third-party vendor to request a fraudulent payment using modified legitimate invoice and a look-alike domain that was very similar to the vendor’s legitimate domain.
Spanish-language BEC Attack Solicits Million Dollar Payment Using an Acquisition Theme
This Spanish-language BEC attack impersonating a company executive used the pretext of an acquisition of a foreign company and the introduction of a second persona to attempt to coerce an employee into sending a nearly $1 million payment.
Gift Card BEC Attack Incorporates Christmas Gift Theme
This BEC attack impersonated an executive to ask the recipient to purchase prepaid cards for company employees as a holiday gift.
Third Party Reconnaissance Attack Targets Accounts Payable Team to Redirect Future Vendor Payments
This third party reconnaissance BEC attack impersonated a vendor’s accounting manager to request an update to the vendor’s bank account on file and redirect future payments to a fraudulent account.
Payroll Diversion BEC Attack Uses Foreign Character Substitution to Obfuscate Text
This BEC attack impersonated a team manager to attempt to divert the employee’s payroll direct deposit using an email that obfuscated its content using foreign character substitution.
Payroll Diversion BEC Attack Mixes a Lithuanian Subject with Dutch Body Content
This BEC attack impersonated a company executive to request an update to their payroll deposit account using a combination of a Lithuanian subject and Dutch body content.
Acquisition-Themed BEC Attack Attempts to Pivot to a Phone Conversation
This BEC attack impersonated an executive using a spoofed email address to request an employee’s assistance with the acquisition of a foreign company, asking for the employee’s phone number to pivot to a voice conversation.
BEC Attack Impersonates COO to Request Payment for Supposed Legal Fees
This BEC attack impersonated a company COO using a maliciously-registered domain and spoofed display name to request a fraudulent wire transfer to pay for supposed legal fees.
German-Language BEC Attack Requests Payment for Invoice via a Fake Email Chain
This German-language BEC attack impersonated a company executive to request payment for an outstanding invoice referenced in a fake email chain.
Vendor Email Compromise Attack Uses Hijacked Email Thread to Attempt to Redirect Invoice Payments
This BEC attack impersonated a vendor accounting specialist to try and redirect several invoice payments by incorporating contents from a hijacked email thread from a previously compromised account and sending the email from a lookalike domain.
Pay Stub Request Transitions to a Payroll Diversion BEC Attack
This BEC attack impersonating a company executive started with a request for the employee’s recent pay stubs, then pivoted into a request to update their direct deposit account.
CFO Email Address Spoofed to Request List of Outstanding Payments and Customer Contact Information
This BEC attack impersonated a company CFO using a spoofed email address and a free webmail reply-to account to request a spreadsheet of all outstanding payments and customer contact information in order to conduct future payment fraud.
Thanksgiving-Themed BEC Attack Spoofs Compromised Personal Account to Request Gift Cards
This BEC attack spoofs an external compromised account using a Thanksgiving-themed subject to request the purchase of an Amazon gift card for a supposedly sick family member.
Gift Card BEC Attack Impersonates COO to Encourage Employee Performance
This BEC attack impersonated a company COO using a free webmail account registered using the COO’s name to request an employee purchase gift cards to reward employee performance.
Executive Impersonated in Request to Pay Fake New Contractor
This BEC attack impersonated a company executive using a free Estonian email account to request that a payment be sent to a new independent contractor.
Vendor Accountant Impersonated to Divert Outstanding Payment Due to COVID-19/Monkeypox Outbreak
This attack impersonates an accountant at a third-party supplier to request an outstanding payment to an alternate account due to a supposed outbreak of COVID-19 and monkeypox.
German-Language Message From “CEO” Attempts to Coerce Fraudulent Payment from CFO
This German-language attack targets a CFO impersonating the company CEO to request internal bank account details and a large outgoing payment.
CEO Impersonated in BEC Attack Requesting List of Pending Legal Settlements
This attack impersonates a company CEO to request a file containing a list of legal settlements that are pending payments.
Swedish Language Attack Requests Payment for an Overdue Invoice via a Fake Email Chain
This Swedish-language BEC attack impersonates a company executive to request payment for an outstanding invoice referenced in a fake email chain.
BEC Gift Card Attack Leverages Foreign Character Substitution to Bypass Defenses
An attacker uses foreign character insertion in the email subject to send a request to connect via phone, likely for the purpose of purchasing gift cards.
Impersonation Bypasses Security Controls with a Lookalike Email Address
An attacker posing as a vendor attempts to solicit overdue payments by using a lookalike email address.
Payroll Diversion Attack Uses Spoofed Email Address
Attackers ask to update bank account details for an employee, using a spoofed email address to avoid detection.
Executive Impersonation Used to Elicit Secrecy in Employee Surprise
Attackers impersonate an executive and rely on human willingness to help in order to request a surprise appreciation gift for the team.
Executive Impersonated in LinkedIn Overdue Payment Request
Attackers impersonate an executive to bolster the validity of a fraudulent invoice in this double-phased attack that requests payment for an overdue invoice.
Dutch Executive Impersonated in Invoice Fraud Attempt
The attacker impersonates a Dutch executive and requests that payment be made now to a company in England.
Executive Impersonated in Payroll Diversion Scheme
Cybercriminals impersonate an executive and target the payroll administrator in an ask to update direct deposit information to a bank account owned by the attacker.
Executive Impersonation Used to Steal Aging Reports
Attackers impersonate a VIP within the organization to request an aging report of all outstanding vendor names and invoices.
Vendor Impersonation Used to Siphon Invoice Payments
Attackers impersonate a vendor by using a lookalike domain, stating that their banking details have changed and all new invoices should be directed to the new account.
Executive Impersonated in Hijacking of Mergers & Acquisitions Transaction
Attackers impersonate the CEO using a spoofed email address to ask the recipient if they have been contacted by an attorney to facilitate an acquisition as the first stage of an attack designed to intercept a transaction.