In this attack, the threat actor attempts to execute a common malicious ploy known as a debt collection scam. The initial email is designed to mimic the characteristics of a final demand letter from a debt collection agency. The attacker's objective is to instill a sense of urgency and fear within the target by claiming they owe a substantial amount of money ($960.23) for services rendered and threatening imminent legal action unless the alleged debt is settled within an unreasonably brief timeframe of two hours. The email also includes a threat that the recipient's credit report will be adversely affected should the debt remain unpaid.

The attacker offers terms for a repayment plan but then explains the debt can be settled if the recipient pays a reduced amount immediately. These are all common tactics used to pressure the recipient into making a payment without first verifying the debt's legitimacy. To add one last bit of perceived authenticity, the threat actor signs the email with a legitimate-sounding sender and company name.

Older, legacy security tools have difficulty properly identifying this email as an attack because it contains no links or attachments, utilizes social engineering to compel the target to take action instead of exploiting technical vulnerabilities, and is sent from an unknown sender with whom the recipient has not previously interacted. Modern AI-powered security solutions analyze the sender and content in the email to accurately flag this email as an attack.

Status Bar Dots
Debt Collection AIUA IAP Malicious Email

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • No Malicious Links or Attachments: The email does not contain any malicious links or attachments, which are common triggers for traditional email security tools.
  • Social Engineering Tactics: The email uses social engineering tactics to pressure the recipient into making a payment. This type of psychological manipulation can be difficult for traditional security tools to detect.
  • Unknown Sender: The email was sent from an unknown email that the company has never sent emails to in the past. This can make it harder for legacy systems to identify it as a threat based on previous interactions.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Sender Analysis: Abnormal can analyze the relationship between the sender and recipient. In this case, the sender is unknown to the recipient, which raises a red flag.
  • Detection of Social Engineering: The email uses social engineering tactics, such as urgency and fear, to manipulate the recipient. Abnormal is trained to detect these tactics, even when they are not part of a known scam pattern.
  • Mismatched Sender: The sender's email is "seftonyager509@hotmail[.]com", but the name listed in the email body is "Alan Cooper". This discrepancy could indicate that the sender is trying to impersonate someone else, which is a common tactic used in phishing and other types of email attacks.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview


Financial Services Scam




Payment Fraud


Free Webmail Account


Legal Matter
Debt Collection
Financial Services

Impersonated Party


See How Abnormal Stops Emerging Attacks

See a Demo