This phishing attack targets employees at a construction company by impersonating another employee and sending details for wire payments totaling $94,000. By employing a look-alike domain with a single changed letter ( instead of the legitimate, the attacker attempts to redirect a large payment by providing detailed wiring instructions, including a bank account number and routing number. The style of the message closely imitates the company’s legitimate communications, making this attack sophisticated and difficult to detect.

By recognizing the domain used in the email as recently registered, uncovering an unknown sender FQDN, and analyzing the language and tone, modern security solutions can accurately detect and block this email.

94k fraud attempt

The attacker utilizes a look-alike domain and cc’s another account with the same domain in an attempt to stay connected to the thread.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Impersonation: The attacker impersonates a known employee, making the email seem legitimate and trustworthy.
  • Detailed wire instructions: The phishing email includes comprehensive wire payment instructions, including a bank account number and routing number, which may seem authentic to recipients who are not highly vigilant. Traditional systems might not recognize this as a red flag.
  • Close imitation of company communication: The email might closely resemble actual company communication in terms of formatting, style, and tone, making it harder for defenses to identify it as malicious.

How Can This Attack Be Detected?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Domain age: A recently registered domain may indicate lower trustworthiness. This domain was registered within the last 2 months. 
  • Unknown sender domain: The email was sent from an unknown domain the company has never interacted with before, raising suspicion.
  • Unusual content: If an email contains unusual or unexpected changes in sensitive information like bank account details, it can raise a red flag. In this case, the attacker includes wiring instructions.
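The signals listed above, together with the one-letter look-alike check, combined into a single triage function. This is an added example, not Abnormal Security's detection logic. The domain names, the 60-day age threshold, the keyword list, and the pre-fetched registration-date table (in practice filled from a WHOIS/RDAP lookup) are all assumptions, and the edit-distance test also catches a single inserted or deleted character, which goes slightly beyond the one changed letter seen here.

```python
from datetime import date

PAYMENT_TERMS = ("wire", "routing number", "account number", "bank account")  # assumed list

def edit_distance(a, b):
    """Levenshtein distance via the standard two-row dynamic program."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].strip().lower().rstrip(".")

def assess(msg, own_domains, known_domains, registered_on, today, max_age_days=60):
    """Return the signals that fired for one message, checking From and every Cc."""
    signals = []
    domains = {sender_domain(a) for a in [msg["from"], *msg.get("cc", [])]}
    for d in sorted(domains - set(own_domains)):
        if any(edit_distance(d, own) == 1 for own in own_domains):
            signals.append(f"lookalike:{d}")      # one edit away from our own domain
        if d not in known_domains:
            signals.append(f"unknown_sender:{d}")  # no prior correspondence
        reg = registered_on.get(d)                 # None when the lookup had no answer
        if reg is not None and (today - reg).days <= max_age_days:
            signals.append(f"new_domain:{d}")
    body = msg["body"].lower()
    if any(term in body for term in PAYMENT_TERMS):
        signals.append("payment_instructions")
    return signals

# Constructed sample data: every domain, date and message below is made up.
OWN = {"buildright.example"}
KNOWN = {"buildright.example", "steelsupply.example"}
REGISTERED = {"buildrlght.example": date(2024, 1, 20), "steelsupply.example": date(2015, 6, 1)}
TODAY = date(2024, 3, 1)
SAMPLE = {"from": "j.doe@buildrlght.example", "cc": ["accounts@buildrlght.example"],
          "body": "Please send the wire today. Account number and routing number are below."}
BENIGN = {"from": "billing@steelsupply.example", "body": "Attached is the revised site schedule."}

if __name__ == "__main__":
    print(assess(SAMPLE, OWN, KNOWN, REGISTERED, TODAY))
    print(assess(BENIGN, OWN, KNOWN, REGISTERED, TODAY))
```

No single signal is decisive on its own; a new vendor legitimately sending bank details would trip two of them, so the output is best treated as input to a hold-and-verify step for payment requests.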

Preventing this attack from reaching inboxes is possible with a modern email security solution that understands known normal behavior and detects abnormal indicators.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview




Payment Fraud


Look-alike Domain


Fake Invoice

Impersonated Party

External Party - Vendor/Supplier
