In this attack, a company executive was impersonated in a request for their pay stubs for the previous four months. The email was sent from a PrivateMail account, a free webmail service, and the sender's display name was spoofed to match the executive's name.

Pay Stub Payroll Diversion Attack

Had the recipient responded to the initial email, the attacker would have followed up with a request to update the executive’s payroll banking information due to their current account being compromised.


Why It Bypassed Traditional Security

Because the attack is text-based, without any other traditional indicators of compromise, there is little for a secure email gateway to use to determine malicious intent. The email was sent from a PrivateMail account, a free webmail service available to anyone. As a result, there is no bad domain reputation for traditional security providers to discover, and the email passes all authentication checks for SPF, DKIM, and DMARC.

Detecting the Attack

Natural language processing enables cloud email security solutions to detect attacks that request changes to payroll accounts. Integration with the Microsoft API allows an email security solution to use Active Directory to process the organizational chart and recognize when an executive is being impersonated via display name deception. A further signal is that the sending email address has never previously been associated with the impersonated executive.
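The three signals described above (payroll-related request text, display name matching a directory executive, sender address never seen for that executive) combined in one detection routine. This is an added example, not Abnormal's code; the executive directory, the free-webmail domain list and both sample messages are constructed.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed directory: normalized executive display name -> known addresses.
EXECUTIVES = {"jane doe": {"jane.doe@example-corp.test"}}
# Assumed free-webmail domains; the page names PrivateMail but not its domain.
FREE_WEBMAIL = {"privatemail.com", "gmail.com", "outlook.com"}
# Phrases typical of the pay-stub / payroll-change pretext described above.
PAYROLL_RE = re.compile(
    r"\b(pay ?stubs?|payroll|direct deposit|banking (?:info|details))\b", re.I)

def analyze(raw: str) -> dict:
    """Return the individual signals for one message plus a combined verdict."""
    msg = message_from_string(raw, policy=default)
    name, addr = parseaddr(msg["From"] or "")
    addr = addr.lower()
    known = EXECUTIVES.get(" ".join(name.split()).lower())
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    body = msg.get_body(preferencelist=("plain",))
    text = (msg["Subject"] or "") + "\n" + (body.get_content() if body else "")
    signals = {
        "display_name_matches_executive": known is not None,
        # Address never seen for this executive: the display-name deception signal.
        "sender_unknown_for_executive": known is not None and addr not in known,
        "free_webmail_sender": domain in FREE_WEBMAIL,
        "payroll_request": PAYROLL_RE.search(text) is not None,
    }
    flagged = signals["sender_unknown_for_executive"] and signals["payroll_request"]
    signals["verdict"] = "payroll diversion attempt" if flagged else "no finding"
    return signals

# Constructed samples: the impersonation from a free webmail account, and the
# same request sent from the executive's known corporate address.
SUSPICIOUS = """From: Jane Doe <jdoe.personal@privatemail.com>
To: payroll@example-corp.test
Subject: Pay stubs

Hi, can you send me my pay stubs for the previous four months? Thanks.
"""
LEGIT = SUSPICIOUS.replace("jdoe.personal@privatemail.com", "jane.doe@example-corp.test")

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("legit", LEGIT)):
        print(label, analyze(sample))
```

The free-webmail signal is reported but not required for the verdict, since the page notes the sender domain alone carries no reputation a gateway could act on.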

Risk to Organization

The sender's display name has been spoofed to impersonate an executive, so an employee receiving the email may instinctively comply with it since it appears to come from someone of authority. Should the target comply with the attacker’s request, the executive’s future paychecks would be diverted to an account controlled by the attacker. Depending on how much the executive makes and how long it takes him to notice the error, the company (and the executive) could lose a significant amount of money.

Analysis Overview

Vector: Text-based

Goal: Payroll Diversion

Tactic: Free Webmail Account; Spoofed Display Name

Impersonated Party: Employee - Executive
