In this attack, the email was sent by an attacker impersonating the company’s CFO asking the recipient to send a payment for debts that had been transferred to a creditor. Instead of asking for the payment to be made using a normal electronic bank transfer, the attacker indicated the funds should be sent to the “creditor” using Monero and provided the information for the receiving Monero wallet. The creditor provided by the attacker is an actual debt buyer located in the United States, so if the recipient had searched for the name of the creditor provided, they would have found supporting information that made the request seem more legitimate. The attack was sent from an email address hosted on a domain registered by the attacker and the sender’s display name was set to match the name of the impersonated executive.

Status Bar Dots
Monero Payment BEC Attack Email

How Does This Attack Bypass Email Defenses?

Because the attack is text-based, without any other indicators of compromise, there is little for a secure email gateway to use to determine malicious intent. The domain hosting the attacker’s email address was valid and had not been previously flagged as being used for malicious purposes.

How Can This Attack Be Detected?

Content analysis can detect the presence of suspicious payment-related requests, including the presence of cryptocurrency wallet information, indicating when an email should undergo additional scrutiny. Integration with the Microsoft API allows an email security solution to use Active Directory to process the organizational chart and understand VIP emails to know when an executive is being impersonated via display name deception. The domain used by the attacker to send the email was registered shortly before the email was sent, indicating its potential use for malicious purposes.

What are the Risks of This Attack?

Because the sender’s display name has been spoofed to impersonate the company’s CFO, an employee receiving the email may instinctively comply with the email since it appears to come from a person of authority. Should the targeted employee comply with the attacker’s request, the company would see a direct financial loss of $6,500.

Analysis Overview




Payment Fraud


Maliciously Registered Domain
Spoofed Display Name


Debt Collection

Impersonated Party

Employee - Executive

See How Abnormal Stops Emerging Attacks

See a Demo