This likely AI-generated financial services scam features conversational language and extensive social engineering techniques. The attacker recounts past interactions with the recipient and apologizes for not being able to pay back money that was previously borrowed. In exchange for the recipient’s generosity, the attacker claims an $800,000 investment in Shell plc, the multinational oil and gas company, was made in their name. The attacker also informs the recipient of significant health issues they’re facing to garner sympathy and make the message more personalized. The goal of the attack is to build trust with the recipient before attempting to steal sensitive information. 

Older, legacy email security tools struggle to correctly identify this email as an attack because of the lack of attachments as well as an inability to detect the DMARC failure and social engineering tactics. Modern, AI-powered email security tools analyze the unknown sender and domain, suspicious content, and missing recipient address to flag this email as an attack accurately.

Status Bar Dots
Oct30 Screenshot

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Lack of Attachments or Links: Traditional email security tools often rely on scanning attachments or links to detect malicious content. This email does not contain any attachments or links, which could allow it to bypass these checks.
  • DMARC Failure: The email has a DMARC failure. This is an email authentication method that helps prevent spoofing and phishing. However, some legacy systems may not have robust checks for these failures, allowing such emails to pass.
  • Social Engineering Tactics: The email uses social engineering tactics, including apologizing for a debt and mentioning a serious illness, to gain the recipient's trust and sympathy. These tactics can be difficult for legacy systems to detect.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Unknown Sender and Domain Analysis: Abnormal flags that the email is from an unknown sender and domain that the company has never interacted with before. This is a strong signal that the message could be malicious.
  • Content Analysis: Abnormal analyzes the content of the email for signs of phishing or other attacks. This email's content, which includes an apology for a debt and a promise of a large sum of money, was flagged as suspicious.
  • Recipient Analysis: Abnormal identifies that the email has no recipients in the “To” field. This is a common tactic attackers use to bypass security measures, and Abnormal flags such emails as suspicious.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview


Financial Services Scam




Credential Theft


Spoofed Email Address


Fake Payment

Impersonated Party

External Party - Other

AI Generated


See How Abnormal Stops Emerging Attacks

See a Demo