This likely AI-generated credential vishing attack features an impersonation of a United Nations delivery agent and an attack strategy similar to classic Nigerian Prince scams—well-known as some of the first mass spam emails. However, generative AI capabilities have enabled these scams to become more personalized, well-written, and importantly, more believable. In this attack, the email states that based on a United Nations investigation, the recipient has been identified as the victim of a scam and will be compensated $3.5 million to help with the financial losses they suffered. Using official-sounding language free of grammatical and spelling errors, the email concludes by suggesting the target reach out via the included phone number or email for more information and to get the payment process started. If the target calls the number or emails the listed address, they will likely be deceived into giving up bank account details, login credentials, or other sensitive information.

Older, legacy email security tools struggle to accurately detect this email as an attack because it contains no attachments or links, uses social engineering techniques, and comes from an unknown sender. Modern, AI-powered email security solutions detect the reply-to mismatch and analyze the content and unknown sender to correctly flag this email as an attack.

Status Bar Dots
Attack Library United Nations Impersonator Email

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Lack of Malicious Links or Attachments: The email does not contain any links or attachments, which are common triggers for legacy security tools. The absence of these elements can make the email appear harmless.
  • Social Engineering Tactics: The email uses social engineering tactics, such as promising compensation for being a scam victim. These tactics can be difficult for legacy security tools to detect as they require understanding the context and intent of the message.
  • Unknown Sender: The email is sent from an unknown email that the company has never sent emails to in the past. This can bypass legacy security tools as they may not have the capability to track and analyze the reputation of unknown senders.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Reply-To Email: The reply-to email is different from the sender's email. This can be a sign of email spoofing, which Abnormal detects.
  • Content Analysis: Abnormal analyzes the context and intent of the email content. The promise of a large sum of money as compensation for being a scam victim is a common tactic used in malicious emails.
  • Unknown Sender Analysis: The email is sent from an unknown email that the company has never sent emails to in the past. Abnormal analyzes this factor to help detect potential threats.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview


Credential Vishing




Credential Theft


Free Webmail Account
Spoofed Email Address
Spoofed Display Name


Financial Services

Impersonated Party

Government Agency

See How Abnormal Stops Emerging Attacks

See a Demo