In this attack, the actor impersonated a company executive asking the recipient if they could purchase prepaid cards for company employees as a holiday gift. The message was signed with the executive’s full name and their title. The email was sent from a freely-available Hotmail account and the sender’s display name was spoofed to mirror the impersonated executive’s name.

[Screenshot: Christmas BEC Attack 1]

Had the recipient responded to the initial email, the attacker would have written back asking them to purchase six Visa or Mastercard gift cards, each loaded with $250 ($1,500 total).

[Screenshot: Christmas BEC Attack 2]

How Does This Attack Bypass Email Defenses?

Because the attack is text-based, without any other indicators of compromise, there is little for a secure email gateway to use to determine malicious intent. This email was sent from a Hotmail account, a free webmail service available to anyone. As a result, there is no bad domain reputation for traditional security providers to discover, and the email passes all authentication checks for SPF, DKIM, and DMARC. 

How Can This Attack Be Detected?

Natural language processing enables cloud email security solutions to detect the presence of a gift card request. Integration with the Microsoft API allows an email security solution to use Active Directory to process the organizational chart and understand VIP emails. With that context, the platform knows when an executive is being impersonated via display name deception and that the sending email address is not associated with the executive being spoofed.
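A minimal sketch of the two checks described above, added here as an illustration and not taken from any vendor's product: it compares the From display name against a directory of executives and flags gift card language. The directory contents, the webmail domain list, the signal names and the keyword pattern (a simple stand-in for natural language processing) are all assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed stand-in for the directory lookup: executive name -> known addresses.
VIP_DIRECTORY = {"jordan avery": {"jordan.avery@example.com"}}
FREE_WEBMAIL = {"hotmail.com", "outlook.com", "gmail.com", "yahoo.com"}
# Keyword pattern standing in for the NLP gift card classifier.
GIFT_CARD_RE = re.compile(r"\b(gift|prepaid)\s*cards?\b", re.IGNORECASE)

def name_key(name):
    """Normalize a display name so 'Avery, Jordan' and 'Jordan AVERY' compare equal."""
    tokens = re.sub(r"[^\w\s]", " ", name.lower()).split()
    return " ".join(sorted(tokens))

VIP_INDEX = {name_key(n): addrs for n, addrs in VIP_DIRECTORY.items()}

def assess(raw_message):
    """Return the list of signals raised by one RFC 5322 message string."""
    msg = message_from_string(raw_message, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    body_part = msg.get_body(preferencelist=("plain",))
    text = f"{msg.get('Subject', '')}\n{body_part.get_content() if body_part else ''}"
    signals = []
    known = VIP_INDEX.get(name_key(display))
    # Display name matches an executive, but the address is not one of theirs.
    if known is not None and addr not in known:
        signals.append("vip_display_name_mismatch")
    if addr.rpartition("@")[2] in FREE_WEBMAIL:
        signals.append("free_webmail_sender")
    if GIFT_CARD_RE.search(text):
        signals.append("gift_card_request")
    return signals

# Constructed sample messages (not taken from the attack described above).
SPOOFED = ('From: "Avery, Jordan" <j.avery.office@hotmail.com>\n'
           "Subject: Quick favor\n\n"
           "Can you purchase prepaid cards for the employees as a holiday gift?\n")
GENUINE = ('From: "Jordan Avery" <jordan.avery@example.com>\n'
           "Subject: Holiday gift cards\n\n"
           "HR will distribute gift cards next week.\n")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, assess(raw))
```

No single signal is conclusive on its own; the combination of an executive's display name, an address outside the directory and a gift card request is what separates the spoofed sample from the genuine one.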

What are the Risks of This Attack?

Because the sender’s display name has been spoofed to impersonate the VIP, an employee receiving the email may instinctively comply with the email since it appears to come from a person of authority. Although the financial impact of a gift card BEC attack may be limited due to the small amount of this gift card request, these campaigns generally target many employees at once, meaning an attacker has more opportunities for success. In many cases, employees who fall victim to these attacks use their own money to purchase the cards, meaning the company would need to have a discussion about whether to reimburse the employee for the fraud.

Analysis Overview

Vector: Text-based
Goal: Gift Card Request
Tactic: Free Webmail Account, Spoofed Display Name
Theme: Holiday Gift
Impersonated Party: Employee - Executive
