This multi-layered fake billing scam attack features an impersonation of an accountant from Air Pro, Inc. named Jessica Froning, who inquires about an outstanding invoice payment and attaches a large invoice with official-looking Air Pro, Inc. branding. The $114,000 invoice includes new banking details. The attacker creates a sending domain similar to real Air Pro, Inc. addresses, "," and sends the fake invoice and fraudulent banking details to several recipients in a finance department. They also CC a fake colleague, Kevin Tucker, using the same free sending domain ( to stay connected to the thread. The same day, one of the recipients of the original attack email responds, inquiring why banking details are different. A week later, the attacker replies again, asking for at least 50% of the value of the invoice. 

Legacy tools struggle to detect this attack because of the legitimate-looking content, the lack of malicious links, and social engineering techniques that do not explicitly ask the recipient for sensitive information. AI-powered security tools analyze the email's attachments and language and look at the sender's reputation to correctly identify this email as an attack.


The attacker attaches an Air Pro, Inc. branded invoice to the initial email, totaling over $114,000 and including fraudulent banking details.


One of the recipients of the initial attacker email responds and inquires about the change in banking details.


A week later, the attacker replies again to further embed themselves in the thread and continue the attempted payment fraud.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Legitimate Looking Content: The email content mimics typical business communications, making it less likely to be flagged as suspicious by basic content filters.
  • Lack of Malicious Links: The email contains no obvious malicious links that normal security checks would flag. 
  • No Direct Request for Sensitive Information: The email does not directly ask for sensitive information, such as passwords or credit card numbers, which are commonly flagged by traditional security tools. 

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Attachment Analysis: Abnormal's AI analyzes the content of attachments and detects suspicious elements in the attached invoice.
  • Language Analysis: Abnormal's AI analyzes the language used in the email and may have detected subtle signs of a phishing attempt, such as urgency or pressure to pay the outstanding invoice.
  • Sender Reputation: The sender's email address was not recognized as a known contact for the recipient, raising suspicions.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.
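The signals listed above can be illustrated with a simple rule-based triage check. This is an added example, not Abnormal's detection logic or code from the original page; the vendor directory, the `freemail.example` and `airpro.example` domains, the regexes and the sample message are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed data (assumptions): known vendor domains and a free-webmail list.
KNOWN_VENDOR_DOMAINS = {"Air Pro, Inc.": {"airpro.example"}}
FREE_WEBMAIL = {"freemail.example"}
BANK_CHANGE = re.compile(
    r"\b(new|updated|changed)\s+(bank(ing)?|account|wire)\s+(details|information|instructions)\b", re.I)
PRESSURE = re.compile(r"\b(outstanding|overdue|past due|as soon as possible|urgent)\b", re.I)

# Constructed sample message modelled on the thread described above.
SAMPLE = """\
From: "Jessica Froning - Air Pro, Inc." <airpro.accounts@freemail.example>
To: ap@customer.example, finance@customer.example
Cc: "Kevin Tucker" <airpro.billing@freemail.example>
Subject: Outstanding invoice

Please see the attached outstanding invoice. Note our new banking details
on the invoice and confirm payment as soon as possible.
"""

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def score_message(raw):
    """Return the list of signals raised for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg["From"])
    body = msg.get_payload()
    sender_dom = domain(addr)
    signals = []
    for vendor, domains in KNOWN_VENDOR_DOMAINS.items():
        # Display name claims the vendor, but the address is not a known vendor domain.
        if vendor.lower() in name.lower() and sender_dom not in domains:
            signals.append("vendor_name_unknown_sender")
    if sender_dom in FREE_WEBMAIL:
        signals.append("free_webmail_sender")
    # A CC'd "colleague" on the same free domain keeps the attacker on the thread.
    cc = [a for _, a in getaddresses(msg.get_all("Cc", []))]
    if sender_dom in FREE_WEBMAIL and any(domain(a) == sender_dom for a in cc):
        signals.append("cc_on_same_free_domain")
    if BANK_CHANGE.search(body):
        signals.append("bank_detail_change")
    if PRESSURE.search(body):
        signals.append("payment_pressure")
    return signals

if __name__ == "__main__":
    print(score_message(SAMPLE))
```

No single signal is conclusive on its own; the combination of an unrecognized sender, a vendor name in the display name, and changed banking details is what warrants out-of-band verification before payment.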

Analysis Overview

  • Payment Fraud
  • Free Webmail Account
  • Account Update
  • Impersonated Party: External Party - Vendor/Supplier
