Threat Actor Impersonates Executive and Uses Fabricated Email Thread to Attempt Payment Fraud
In this fake billing scam, the attacker impersonates an executive and uses a fabricated email thread to attempt to convince the controller of an organization to pay a fraudulent invoice. The malicious email is crafted to appear as if the impersonated executive is forwarding a message sent by an Accounts Receivable Specialist from one of the organization’s vendors regarding an overdue invoice. The threat actor hopes that this technique will be more believable, instill a sense of urgency, and deceive the target into fulfilling the request. If the recipient does process the invoice, any transferred funds will be routed to a bank account owned by the attacker.
Older, legacy email security tools struggle to adequately flag this email as an attack because it contains no malicious attachments or links, uses social engineering techniques, and is sent from a newer domain. Modern, AI-powered email security solutions recognize the new domain, detect the unknown sender, and flag the social engineering techniques to correctly mark this email as an attack.
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Lack of Malicious Attachments or Links: The email does not contain any attachments or links, which are often the focus of traditional security tools. The absence of these elements could allow the email to bypass such checks.
- Social Engineering: The email uses social engineering techniques, such as urgency in the subject line ("IMPORTANT NOTICE past due balance") and authority (appearing to come from an executive), to trick the recipient into taking action. Legacy security tools may not be equipped to detect such sophisticated tactics.
- New Domain: The sender's domain is relatively new (5 months old), which could allow the message to bypass security checks that only block known malicious domains.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- New Domain: The sender's domain is relatively new (5 months old). Abnormal recognizes that new domains are often used in phishing attacks, as attackers frequently create new domains to avoid detection.
- Unknown Sender: The email is from an unknown email address that the company has never received messages from in the past. Abnormal detects this as a potential sign of a phishing attack.
- Social Engineering Tactics: The email uses social engineering techniques, such as urgency in the subject line ("IMPORTANT NOTICE past due balance") and authority (appearing to come from a CEO), to trick the recipient into taking action. Abnormal detects such tactics as likely signs of an attack.
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.