In this email, the attacker impersonates an employee to request a change to their paycheck deposit account information on file. The goal of this attack is to persuade the recipient to update the direct deposit account to one controlled by the attacker, diverting future paychecks to the fraudulent account.

The From email address in this attack spoofs the impersonated employee’s actual email address. The Reply-To address—the account the attacker uses to communicate with the recipient—is hosted on a separate, maliciously-registered domain. Before sending the email, the attacker created a unique account on this domain with a username that mirrors the impersonated employee’s username in their legitimate email address, making it harder for the target to notice the discrepancy. To add further legitimacy, the attack includes a “Sent from my iPhone” footer to make the recipient believe that typos and other inconsistencies are a result of sending the email from a mobile device.

Status Bar Dots
Payroll diversion attack

Why It Bypassed Traditional Security

The initial wholesale spoof of the employee’s email address was able to pass SPF and failed DMARC, indicating that it was sent from an authorized email server, but did not pass the portion that verifies the cryptographic signature for this information. The email itself originates from a valid external email address that appears legitimate and includes only text—so there are no links or attachments to scan. Without other indicators of compromise, there is little information the newly-registered spoofed domain can offer for a secure email gateway to use to determine malicious intent.

Detecting the Attack

By using natural language processing to understand when a suspicious and urgent financial request is included in an email, cloud email security solutions can detect sensitive payroll requests like these. In addition, integration with Active Directory allows the platform to know that the email is not associated with the employee being spoofed.

Risk to Organization

When the target responds to the email, the attacker sends banking information for a new account—enabling them to receive the employee’s next direct deposit. Depending on how much the employee makes and how long it takes them to notice the error, the company (and the employee) could lose tens of thousands of dollars.

Analysis Overview




Payroll Diversion


Spoofed Email Address
Spoofed Display Name

Impersonated Party

Employee - Other

See How Abnormal Stops Emerging Attacks

See a Demo