This likely AI-generated fake billing scam and credential vishing attack features an impersonation of Walmart. The email mimics a payment confirmation email, thanking the recipient for their recent iPhone 13 Pro Max purchase. Using official-sounding language, the attacker shares details about the purchase and includes two customer service phone numbers that the recipient can call for inquiries about the order.

The attack aims to create a sense of urgency so that the recipient calls one of the listed numbers as they likely will not recognize the purchase. Since the attacker controls the phone numbers, if the recipient does call, it’s likely that login credentials, credit card numbers, or other sensitive information will be at risk.

Older, legacy email security tools have difficulty accurately flagging this email as an attack because of the legitimate-looking content, the lack of links or attachments, and the subtle social engineering techniques employed—e.g., not directly asking for sensitive information. Modern, AI-powered email security solutions analyze the sender, domain, and content to correctly identify this email as an attack.

Status Bar Dots
Nov13 Screenshot

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Legitimate-Looking Content: The email content is a typical order confirmation, a common type of email many people receive daily. This makes it difficult for legacy systems to flag it as suspicious.
  • No Malicious Links or Attachments: The email does not contain any malicious links or attachments, which are common triggers for traditional email security tools.
  • No Direct Request for Sensitive Information: The email does not directly ask for sensitive information like passwords or credit card numbers, which are common red flags for traditional email security tools.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Sender Analysis: The email comes from an unknown address that the company has never received emails from in the past. This is a strong signal that the email might be suspicious.
  • Domain Analysis: The email comes from a domain not associated with Walmart, the company being impersonated in the email. Abnormal checks the “From” domain against a list of known domains associated with each company. In this case, the domain “proton[.]me” does not match any known Walmart domains.
  • Content Analysis: The email includes a purchase confirmation for a high-value item the recipient may not have ordered. This is a common tactic used in phishing emails to create a sense of urgency and prompt the recipient to take action.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Payment Fraud


Free Webmail Account


Fake Payment Receipt

Impersonated Party


Impersonated Brands


AI Generated


See How Abnormal Stops Emerging Attacks

See a Demo