In this attack, the BEC actor impersonated a company executive to request a list of all customers with outstanding payments, including their overdue balances. The email was written in Italian, which has a better chance of blending in with other business communications without raising a red flag since both the impersonated executive and targeted employee were located in Italy. The email was sent from a likely compromised email account at a company unrelated to the target company and the sender’s display name was spoofed to match the name of the impersonated executive.

Status Bar Dots
Italian Aging Report Theft BEC Email

English Translation:

“Please send me a list of past due customers and their balances as a matter of urgency.”

How Does This Attack Bypass Email Defenses?

Because the attack is text-based, without any other indicators of compromise, there is little for a secure email gateway to use to determine malicious intent. Some email defenses rely on training their detection models only using common languages, such as English, so attacks that are written in other languages may not be detected. Because this email was sent from a legitimate account that has been compromised without a history of abuse, there are no direct signals indicating the email’s origin is malicious.

How Can This Attack Be Detected?

Content analysis can detect the presence of suspicious requests for sensitive documents, such as aging reports, indicating when an email should undergo additional scrutiny. Natural language processing with multi-language support enables cloud email security solutions to detect the presence of a payment request, even when the message is written in Italian. Integration with the Microsoft API allows an email security solution to use Active Directory to process the organizational chart and understand VIP emails to know when an executive is being impersonated via display name deception.

What are the Risks of This Attack?

Because the sender’s display name has been spoofed to impersonate a company executive, an employee receiving the email may instinctively comply with the email since it appears to come from a person of authority. While this attack is not likely to have a direct impact on the organization receiving it in terms of financial loss, it could have dire implications on customer trust and brand perception. Once the attacker has access to outstanding payments, he can use that (accurate) information to email customers and request that payment be made immediately. And once those customers make the payment, their money is gone—not to the vendor they thought they were paying but to a bank account owned by the attacker.

Analysis Overview




Aging Report Theft


External Compromised Account
Spoofed Display Name

Impersonated Party

Employee - Executive



See How Abnormal Stops Emerging Attacks

See a Demo