In this multi-step credential vishing attack, the threat actor impersonates PayPal and emails the target a notification regarding an invoice for a three-year subscription to McAfee. Using a spoofed address of “service@paypal[.]com”, the attacker claims the recipient owes $391 and can either click the embedded button to pay the invoice or call the provided number to cancel the transaction and claim a refund. To further increase the sense of urgency around this unexpected charge, the perpetrator includes a message informing the target that fraudulent activity has been detected on their PayPal account and references the same toll-free number with another invitation to call to cancel the transaction. If the recipient calls the number to cancel the fraudulent McAfee renewal, they will speak with an attacker-controlled call center. During this conversation, the fraudulent call center agent will either steal sensitive information from the target or prompt them to unknowingly install malware under the guise of assisting with canceling this purchase.

Legacy email security tools struggle to flag this email as an attack because it appears to come from a legitimate sender, employs multi-step social engineering techniques, and lacks malicious attachments or links. Modern, AI-powered email security solutions analyze the content, the unknown sender, and the relationship of the sender to the recipient to correctly mark this email as an attack.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Legitimate-Looking Email Address and Sender Identity: The use of an email address that appears to be from a legitimate source can easily bypass legacy security tools that rely on simple blacklist-based or domain reputation-based filtering. 
  • Social Engineering Tactics: The email uses social engineering techniques to trick the recipient into calling the provided number. These tactics are often difficult for legacy tools to detect as they require an ability to understand context and intent.
  • Lack of Malicious Links or Attachments: Traditional security tools often scan emails for malicious links or attachments. This attack bypasses those checks by not including any inherently malicious content in the email itself and instead using a phone call as the attack vector.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Content Analysis: Abnormal analyzes the language used and detects the presence of urgency cues, impersonation of services, and other psychological manipulation techniques in the email. This comprehensive analysis helps detect phishing attempts that rely on deception rather than traditional malicious payloads.
  • Unknown Sender Analysis: Abnormal analyzes the sender's behavior, including the fact that this is the first time they have sent an email to the target, and identifies this as a potential sign of a phishing attempt.
  • Identity and Relationship Analysis: Abnormal analyzes the sender’s identity and their relationship with the recipient. Even if an email passes SPF and DKIM checks, if the sender's behavior or relationship with the recipient is unusual (e.g., a PayPal domain sending renewal notices for antivirus software), it can raise a red flag.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.
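The signals listed above can be approximated with simple rules for triage or for testing a mail pipeline. The following is an added example, not Abnormal's detection logic: the function name, brand map, keyword list, and sample message (including the placeholder phone number) are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the email described above; phone number is a placeholder.
SAMPLE = """\
From: PayPal <service@paypal.com>
To: user@example.org
Subject: Invoice for McAfee 3-Year Subscription
Content-Type: text/plain

You owe $391.00 for a three-year McAfee subscription.
We detected fraudulent activity on your PayPal account.
Call +1 (800) 555-0100 immediately to cancel this transaction and claim a refund.
"""

# North American toll-free prefixes (800, 833, 844, 855, 866, 877, 888).
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?8(?:00|33|44|55|66|77|88)\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URGENCY = re.compile(r"\b(immediately|fraudulent activity|cancel|refund|within 24 hours)\b")
BRANDS = {"paypal": "paypal.com", "mcafee": "mcafee.com"}  # illustrative brand -> domain map

def score_callback_phish(raw, known_senders):
    """Return (score, reasons) for one RFC 5322 message; higher is more suspicious."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    domain = sender.rpartition("@")[2]
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    reasons = []
    # Content analysis: at least two distinct urgency cues plus a toll-free callback number.
    if PHONE.search(text) and len(set(URGENCY.findall(text))) >= 2:
        reasons.append("urgency cues with toll-free callback number")
    # Unknown sender analysis: this address has never mailed the recipient before.
    if sender not in known_senders:
        reasons.append("first-time sender")
    # Relationship analysis: the message bills for a brand unrelated to the sending domain.
    foreign = [b for b, d in BRANDS.items() if b in text and d != domain]
    if foreign:
        reasons.append("sender domain bills for unrelated brand: " + ", ".join(foreign))
    # No links or attachments: the phone call, not the email, carries the attack.
    if not msg.is_multipart() and not re.search(r"https?://", text):
        reasons.append("no links or attachments")
    return len(reasons), reasons

if __name__ == "__main__":
    print(score_callback_phish(SAMPLE, known_senders=set()))
```

None of these rules is conclusive alone; the absence of links in particular is common in benign mail and only adds weight alongside the other signals.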

Analysis Overview

  • Credential Vishing
  • Malware Delivery
  • Credential Theft
  • Spoofed Email Address
  • Fake Payment Receipt
  • Fake Invoice
  • Impersonated Party
  • Impersonated Brands
  • AI Generated

