In this fake billing scam, the attacker impersonates PayPal. To increase the appearance of legitimacy, the attacker uses an account created on the domain “paymentconfirmatiion[.]com” with the sender display name “Pay Pal”. The attacker claims the target is entitled to a refund payment in the amount of $600. However, in order to receive the refund, the recipient must first settle an outstanding balance on their PayPal business account totaling $130 as well as contact PayPal to confirm the payment has been sent. The goal of the email is to convince the target that they are eligible to receive several hundred dollars so that they are compelled to contact the attacker, who can then steal funds and/or sensitive information from the recipient.

Older, legacy email security tools struggle to accurately flag this email as an attack because it contains no malicious attachments or links, comes from an unknown sender, and uses social engineering techniques. Modern, AI-powered email security solutions analyze the unknown sender, detect social engineering techniques, and flag the mismatched sender information to correctly mark this email as an attack.

Status Bar Dots
AL Pay Pal Business Account Refund Email E

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Lack of Malicious Attachments or Links: Traditional security tools often rely on detecting malicious attachments or links. Because the email does not contain any obvious malicious attachments or links, it is more challenging for these tools to detect the threat.
  • Unknown Sender: The email address used is an unknown email address that the recipient's company has never interacted with before. Legacy systems often lack the capability to track and analyze the historical behavior of incoming emails and flag emails from unknown or rarely contacted addresses. 
  • Social Engineering Tactics: The email relies heavily on social engineering tactics, such as creating a sense of urgency. The message implies that the recipient is about to receive a significant sum of money and needs to act quickly to access it. These tactics can often bypass traditional security filters that primarily focus on technical indicators of phishing.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Unknown Sender: Abnormal analyzes the behavior of the sender. In this case, the email address is unknown to the company, which is a strong sign of a potential threat.
  • Social Engineering Techniques: The email uses social engineering techniques like urgency and familiarity to trick the recipient into taking action. Abnormal detects these manipulative tactics as signs of an attack.
  • Mismatched Sender Information: Abnormal flags discrepancies between the sender's name and email address. In this case, the sender name was listed as "Pay Pal," while the email address belonged to a domain unrelated to PayPal—“service@paymentconfirmatiion[.]com.”

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Payment Fraud


Spoofed Display Name


Fake Payment

Impersonated Party


Impersonated Brands


See How Abnormal Stops Emerging Attacks

See a Demo