In this sophisticated fake billing scam, the attacker poses as the accounts receivable administrator at a small, specialized construction company and emails the accounts payable department at a large construction firm. In the message, the attacker requests confirmation of an attached invoice totaling more than $962,000. While the attached invoice seems legitimate and even includes the impersonated company's branding, it is, in fact, fraudulent.

In addition to the realistic-looking invoice, the attacker takes several steps to increase the perceived authenticity of the email. For example, at first glance, the sender email appears to be genuine; however, upon closer inspection, it is clear that the perpetrator has registered a look-alike domain with a slight misspelling of the actual domain name. The attacker also uses the impersonated party's authentic email signature and "replies" to a fake thread so that they seem to be following up on an existing request. The attack aims to either gain trust and begin a conversation with the target or trick the target into immediately paying the large invoice.

Older, legacy security tools struggle to accurately identify this email as an attack because it comes from a newly registered domain, contains no executable malicious attachments, and includes social engineering.


The attacker includes a fake PDF invoice for nearly $1,000,000.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Newly Registered Domain: The sender's domain is newly registered, only 44 days old. Legacy security tools may not have this domain on their list of malicious domains yet, allowing the email to slip through.
  • No Known Malicious Attachments: The email contains an attachment, but it's a PDF file—a standard and typically harmless file type. Legacy security tools often look for specific types of malicious attachments, such as executable files or documents with macros, which means this email may not be flagged.
  • Use of Social Engineering: The email creates a sense of urgency by presenting a large invoice that needs to be paid. This social engineering tactic can trick the recipient into taking action but may not be detected by legacy security tools.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Domain Analysis: Abnormal detects that the sender's domain is newly registered, only 44 days old, a common characteristic of malicious domains.
  • Content Analysis: Abnormal analyzes the content of the email and detects the use of social engineering tactics, including creating a sense of urgency with a large invoice.
  • Unusual Sender Behavior: Abnormal detects that the sender's email was not known to the recipient, which is a strong signal of a potential threat.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.
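The sender-side signals listed above (look-alike domain, domain age, unfamiliar sender) can be approximated in a short Python check. This is an added illustration, not Abnormal's detection logic: the vendor domains, addresses, 90-day age threshold and edit-distance cutoff are constructed assumptions, and the registration date is assumed to come from a WHOIS/RDAP lookup done elsewhere.

```python
from datetime import date, timedelta

# Constructed sample data (assumptions, not from the write-up).
KNOWN_VENDOR_DOMAINS = {"acme-construction.example", "northbuild.example"}
KNOWN_SENDERS = {"ar@acme-construction.example"}

def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute, transpose."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # A swap of two adjacent letters counts as a single edit.
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def lookalike_of(domain: str, max_dist: int = 2):
    """Return the known vendor domain this one imitates, else None."""
    domain = domain.lower().rstrip(".")
    if domain in KNOWN_VENDOR_DOMAINS:
        return None  # exact match is the real vendor
    best = min(sorted(KNOWN_VENDOR_DOMAINS), key=lambda k: edit_distance(domain, k))
    return best if edit_distance(domain, best) <= max_dist else None

def sender_signals(address: str, registered_on: date, today: date,
                   max_age_days: int = 90) -> list:
    """List which of the sender-side signals fire for one message."""
    address = address.lower()
    signals = []
    target = lookalike_of(address.rsplit("@", 1)[-1])
    if target:
        signals.append(f"look-alike of {target}")
    if (today - registered_on).days <= max_age_days:
        signals.append("newly registered domain")
    if address not in KNOWN_SENDERS:
        signals.append("first-time sender")
    return signals

if __name__ == "__main__":
    today = date(2024, 3, 1)  # constructed date
    # Constructed message: misspelled domain registered 44 days earlier.
    print(sender_signals("ar@acme-constructoin.example",
                         today - timedelta(days=44), today))
```

Any one of these signals is weak alone (new vendors and new contacts are normal); the value is in their combination with a payment request.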

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

  • Payment Fraud
  • Fake Attachment, Maliciously Registered Domain, Look-alike Domain
  • Payment Inquiry, Fake Invoice
  • Impersonated Party: External Party - Vendor/Supplier
