In this phone fraud scam, attackers use a generic Email Support Team persona and inform the recipient that a password reset has been attempted and they must verify their identity. The attacker includes a phone number and a verification code, telling the victim that they must call the number if they are not the ones who have requested the password reset. To add legitimacy, the email states that they will never ask for the password, and any suspicious emails with password reset links should be reported to technical support for investigation.  

This is a unique approach to these types of attacks, as the next phase is to ensure the victim calls the number included in the email. Upon doing so, they will likely be asked to download a document to verify their identity. That document, of course, contains malware.

Status Bar Dots
628d431cbf27f7072491b3ac 637471581

Why It Bypassed Traditional Security

The attack uses display name deception with a Gmail address, so there is no bad reputation associated with the domain, and no malicious links or files to check. Because it relies on recipient emotion and the use of a phone call, there are no malicious indicators for a secure email gateway to discover and block. 

Detecting the Attack

To detect the attack, an understanding of new threats is required alongside content analysis to detect the tone of the email and the included phone number. Lookalike content is also helpful to understanding how this attack relates to other phone-based text attacks, which have seen increased popularity in recent months due to their ability to bypass email gateways. 

Risk to Organization

While the email impersonates a generic support team, employees may be tricked into believing that it comes from their internal IT department. If this were the case and they called the number, they would be instructed to download a document containing malware onto the device. Once the malware is installed, attackers can perform a variety of nefarious actions, including escalating it into a ransomware attack.

Analysis Overview




Malware Delivery


Free Webmail Account


Suspicious Account Activity

See How Abnormal Stops Emerging Attacks

See a Demo