This likely AI-generated fake billing scam attack features an impersonation of a business development manager at Australian cosmetics company LYCON. The attacker explains that during a mid-year audit, several issues arose, requiring immediate attention. They mention irregularities in the recipient's balance sheet and that a system crash led to difficulties retrieving account statements. The attacker then requests the recipient to send any pending or outstanding invoices and instructs them to halt any payments to previous bank account details. They promise to provide new bank account details for future remittances. This scam aims to trick the recipient into disclosing sensitive financial information and redirect payments to the attacker's bank account. No links or attachments are present, and the email is written in an official tone, utilizing several social engineering techniques to scam the recipient. 

Legacy email security tools have trouble detecting this attack because of the spoofed email address, the lack of malicious links or attachments, and the sophisticated social engineering tactics employed. Modern, AI-powered email security solutions recognize the email's unusual origin and analyze the contents of the email to identify this as an attack correctly.

Status Bar Dots
Aug16 Screenshot

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Spoofed Email Address: The email appears to be sent from an iCloud account, a legitimate email service provider. Emails from legitimate sources can bypass legacy security tools as they may not consider emails from such providers suspicious.
  • Lack of Malicious Links or Attachments: The email does not contain links or attachments, which are common indicators of phishing or malware attacks. Legacy security tools often rely on these indicators to flag suspicious emails.
  • Social Engineering Tactics: The email uses social engineering tactics, such as urgency and authority, to persuade the recipient to take action. These tactics can be challenging for legacy security tools to detect as they require understanding the context and intent of the message.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Email Origin: The email originates from an iCloud account, which is not a typical business email domain. Abnormal's AI can recognize this as a potential red flag, primarily when the email discusses business matters like audits and invoices.
  • Unusual Request: The email asks the recipient to halt payments to a previous bank account and promises to provide new bank account details. This is an unusual request flagged as a potential attack tactic by Abnormal's AI.
  • Content Analysis: Abnormal's AI can analyze the content of the email and recognize the social engineering tactics used, such as urgency and authority, which are common in phishing attacks.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here

Analysis Overview




Payment Fraud


Free Webmail Account



Impersonated Party

External Party - Vendor/Supplier

AI Generated


See How Abnormal Stops Emerging Attacks

See a Demo