In this attack, the actor impersonated a team manager asking the recipient if they could change the bank account receiving their payroll direct deposits. Throughout the email subject and body, the attacker replaced multiple letters with similar-looking non-English characters.  The message was signed with the executive’s full name and their title. The email was sent from a freely-available Gmail account and the sender’s display name was spoofed to mimic the impersonated employee’s name.

Status Bar Dots
Payroll Diversion Foreign Character Substitution

How Does This Attack Bypass Email Defenses?

This attack replaces English letters with similar-looking foreign characters, which prevents threat detection tools relying on identifying known malicious text strings from identifying the email as a threat. Because the attack is text-based, without any other indicators of compromise, there is little for a secure email gateway to use to determine malicious intent. This email was sent from a Gmail account, a free webmail service available to anyone. As a result, there is no bad domain reputation for traditional security providers to discover, and the email passes all authentication checks for SPF, DKIM, and DMARC.

How Can This Attack Be Detected?

Natural language processing enables cloud email security solutions to detect the presence of attacks that request changes to payroll accounts. Integration with the Microsoft API allows an email security solution to use Active Directory to process the organizational chart and understand when an employee is being impersonated via display name deception and allows the platform to know that the email is not associated with the employee being impersonated.

What are the Risks of This Attack?

Because the sender’s display name has been spoofed to impersonate another internal employee, the recipient may instinctively comply with the email since it appears to come from a familiar person of trust. Should the target comply with the attacker’s request, the executive’s future paychecks would be diverted to an account controlled by the attacker. Depending on how much the executive makes and how long it takes them to notice the error, the company (and the employee) could lose a significant amount of money.

Analysis Overview




Payroll Diversion


Foreign Character Substitution
Free Webmail Account
Spoofed Display Name

Impersonated Party

Employee - Other

See How Abnormal Stops Emerging Attacks

See a Demo