Executive Impersonated in Payroll Diversion Scheme
While payroll diversion attacks are somewhat common, they are far more lucrative to attackers when they involve executives, as they are typically some of the most well-paid individuals within the organization. In this attack, threat actors first determine who the most likely candidates are for impersonation, and who should be the target of the attack—focusing on those employees who are most likely to deal with payroll.
Why It Bypassed Traditional Security
The email itself originates from a valid external email address whose domain passes SPF, so legacy solutions that rely on sender authentication see nothing wrong with it. And because it is text-based, with no links, attachments, or other indicators of compromise, there is little for a secure email gateway to use to determine malicious intent.
Detecting the Attack
Natural language processing enables cloud email security solutions to detect the presence of a sensitive payroll request, and integration with Active Directory allows the platform to confirm that the sending address does not belong to the VIP whose name is being spoofed.
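As an added illustration (not code from the original post or any vendor product), the two signals described above can be combined in a few lines of Python: the display name on the From header is checked against a directory of executives, and the body is scanned for payroll-change language. The directory, the phrase list and the sample message are constructed for this example; a real deployment would query Active Directory and tune the phrases from actual tickets.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: executive display name -> the only mailbox that name may send from.
# Assumption: stands in for an Active Directory / identity-provider lookup.
VIP_DIRECTORY = {
    "jane doe": "jane.doe@example.com",
}

# Phrases typical of a payroll-diversion request (constructed list, not exhaustive).
PAYROLL_PATTERNS = [
    r"\bdirect deposit\b",
    r"\bpayroll\b",
    r"\bbank(ing)? (details|information|account)\b",
    r"\bupdate my .*account\b",
]

def analyze_message(raw: str) -> dict:
    """Return the VIP-impersonation and payroll-request signals plus a combined flag."""
    msg = message_from_string(raw)
    display_name, addr = parseaddr(msg.get("From", ""))
    expected = VIP_DIRECTORY.get(display_name.strip().lower())
    body = msg.get_payload()
    if isinstance(body, list):  # multipart: inspect the first text part only
        body = body[0].get_payload()
    body_lc = body.lower()
    hits = [p for p in PAYROLL_PATTERNS if re.search(p, body_lc)]
    # Name matches a known executive but the address is not that executive's mailbox.
    spoofed_vip = expected is not None and addr.lower() != expected
    return {
        "display_name": display_name,
        "from_address": addr,
        "impersonates_vip": spoofed_vip,
        "payroll_request": bool(hits),
        "matched_patterns": hits,
        # SPF passing for the attacker's own domain is expected, not reassuring.
        "spf_pass": "spf=pass" in msg.get("Authentication-Results", "").lower(),
        "flag": spoofed_vip and bool(hits),
    }

# Constructed sample: attacker-owned domain passes SPF, display name borrows the CEO's.
SAMPLE = """From: Jane Doe <jane.doe.ceo@gmail-example.test>
To: payroll@example.com
Subject: Quick update
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=gmail-example.test

Hi, I need to update my direct deposit before the next pay run. Can you send me the form?
"""

if __name__ == "__main__":
    print(analyze_message(SAMPLE))
```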
Risk to Organization
Should the target engage with this email, the attacker is likely to send banking information for a new account—enabling him to receive the next direct deposit. Depending on how much the executive makes and how long it takes him to notice the error, the company (and the VIP) could lose tens of thousands of dollars.