Search the repository of unique attacks observed by the Abnormal Intelligence team.
Attacker Uses Compromised Vendor Account to Hijack Conversation and Attempt Payment Fraud

After breaking into a vendor’s email account, an attacker creates a look-alike domain to send a large invoice and discuss rerouting payments to a new bank account.

Vendor Impersonator Uses Cleverly-Designed Fake Microsoft Excel Spreadsheet to Attempt Credential Theft

After spoofing a legitimate domain, an attacker uses a fake password-protected financial document to steal sensitive information.

Threat Actor Launches Vendor Email Compromise Attack to Reroute Invoice Payments

After breaking into a vendor’s email account, an attacker uses official-sounding language to mimic legitimate communications and attempt payment fraud.

Fake Billing Scam Leverages Look-alike Domain to Send Fraudulent $1,000,000 Invoice

Using a look-alike domain, an attacker impersonates a vendor and sends a remittance request for a fake invoice totaling nearly $1,000,000.

Vendor Impersonator Uses Fake Invoice Notification In Credential Theft Attempt

By compromising a legitimate domain, an attacker hopes to entice the target to a credential phishing website where sensitive information like payment details can be stolen.

Disney+ Impersonator Creates Multi-Stage Vishing and Fake Billing Scam Attack Using Personalized Attachments

An attacker uses a look-alike domain and Disney+ branding to trick a target into calling a fake customer service phone number related to a new Disney+ subscription.

Threat Actor Spoofs Legitimate Domain in Dual Credential Phishing Attack and Fake Billing Scam

An attacker attempts to steal login credentials and also reroute payments by sharing a fraudulent invoice behind a fake Adobe Acrobat login screen.

Attacker Exploits Trusted Brands and Impersonates Financial Services Provider to Attempt Credential Phishing

In this credential phishing attack, the threat actor sends a fake invoice payment confirmation with a phishing link obscured using a URL shortener.

Likely AI-Generated Credential Vishing Attack Features Impersonation of Walmart

An attacker attempts to create a sense of urgency and compel the target to call a fake customer service number by sending a bogus receipt for a recent iPhone purchase.

UPS Impersonator Uses Compromised Account in Credential Phishing Attempt

After compromising a legitimate domain, an attacker impersonates UPS and asks the recipient to verify shipping information via a phishing link.

Attacker Uses Adobe Acrobat’s File Sharing System in Cleverly Designed Credential Theft Attempt

After compromising the email account of a Vanguard Cleaning Systems employee, an attacker creates a legitimate-looking PDF with a masked phishing link to steal credentials.

Chatham Financial Impersonator Utilizes Masked Phishing Link in Fake Billing Scam

After compromising a domain, an attacker creates a fake Microsoft SharePoint attachment viewer in an attempt to steal money and sensitive information.

Salesforce Impersonator Utilizes Look-Alike Domain in Fake Billing Scam

An attacker creates a domain visually similar to Salesforce [.]com, engages the target, and then forwards the thread to another colleague, heightening the chances of a successful scam.

Multi-Layer Payment Fraud Attack Attempts Redirect of $13.5 Million Invoice

After compromising a construction company, an attacker circumvents typical security protocols and creates a look-alike domain in a fake billing scam.

Fake Billing Scam Attempts Payment Fraud for $114,000 with New Banking Details

An attacker impersonates an accountant using a free webmail account to request payment of a $114,000 invoice.

Cosmetics Brand Impersonator Attempts Payment Fraud in Fake Billing Scam

An attacker uses generative AI to attempt payment fraud by impersonating an Australian cosmetics brand.

LinkedIn Spoofer Uses News of Silicon Valley Bank Closure to Attempt Payment Fraud

Attacker impersonates the LinkedIn billing department and references the recent closure of SVB in this likely AI-generated attack.

Compromised Account Used in Attempt to Siphon Nearly $4M Worth of Invoices

An attacker gains access to a compromised account and attempts to redirect large invoices to a new offshore bank.

Lookalike Domain with Single Letter Change Used for $82,000 Invoice Fraud

An attacker changes one letter of a domain to a similar-looking letter in an attempt to redirect a large invoice.

Attacker Posing as Vendor Requests Early Payment of $240,000 Invoice

Using a lookalike domain, an attacker uses conversational language in a fake billing scam.

$45,000 Wire Transfer Fraud Attempt from Compromised Vendor Account

This attack uses a compromised vendor account and cc’s lookalike domains in an attempted wire transfer fraud.

Sophisticated Attacker Targets Employees for $94,000 Fraud Attempt

By employing a look-alike domain name, an attacker attempts to redirect a large invoice totaling nearly $100k.

Attack Spoofs Debt Relief Agency and Impersonates Attorney

This attack features an impersonation of an attorney on behalf of a debt relief agency in an attempt to receive a $1,000 payment.

Fake Billing Scam Poses as a Receipt for a Quickbooks License Upgrade

This fake billing scam posed as a receipt for an upgraded Quickbooks license to get the recipient to reach out via phone and likely coerce them into installing malware.

Fake Billing Scam Poses as a PayPal Receipt for an Expensive Mirror TV to Manipulate Phone Contact

A fake billing scam impersonating PayPal posed as a payment receipt for an expensive bathroom mirror TV that was used as a lure to get a recipient to reach out via phone and likely coerce them to download malware.

Fake PayPal Cryptocurrency Payment Receipt Coerces Victims to Make Contact Via Phone

Fake invoice for a cryptocurrency purchase through PayPal is used to get email recipients to reach out via phone and likely download malware.

Call Center Phone Fraud Uses Fake Norton Invoice to Encourage Malware Installation

Increasingly popular, this phone fraud scam tricks recipients into believing that a payment has been made and encourages them to call a number to fix the problem.


Attack Type

Impersonated Party

Impersonated Brand

Attack Goal

Attack Vector

Attack Tactic

Attack Theme

Attack Language


See How Abnormal Stops Emerging Attacks

See a Demo