In this likely AI-generated phishing attack, the threat actor impersonates the mobile payment app Venmo and emails the recipient regarding a recent account upgrade. The attacker uses a free webmail address registered on Yandex, a Russia-based web services provider, and sets the account name as “pay.venm” and the sender display name as “Venmo Pay” to increase the appearance of legitimacy. The message claims that, as part of the account upgrade process, the target received an additional payment of $200 to “cover the upgrade fee,” which must now be refunded to verify the recipient’s identity. The email outlines a step-by-step process to send the refund and requests a screenshot of the refund as confirmation. The perpetrator does not include any malicious links or attachments in the email; rather, the goal of this initial message is simply to convince the target to engage so that they can initiate the next step of the attack. This attack demonstrates the sophisticated social engineering tactics used by cybercriminals to exploit trusted brands and compel targets to interact with them.

Older, legacy email security tools struggle to accurately identify this email as an attack because it employs sophisticated social engineering techniques and does not include malicious links or attachments. Modern, AI-powered email security solutions detect anomalies in the content, recognize when sender addresses are unknown, and analyze the suspicious reputation of the sending domain to correctly mark this email as an attack.


Attacker posing as Venmo employs social engineering tactic in attempt to compel target to engage

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Social Engineering Tactic: The email leverages urgency by claiming financial activity and requiring immediate action, prompting recipients to act swiftly without carefully scrutinizing the message.
  • Lack of Malicious Links: The absence of direct malicious links in the email body helps it avoid detection by legacy systems that typically rely on link scanning to identify phishing emails.
  • Lack of Malicious Attachments: The email does not include suspicious attachments, which often trigger traditional anti-virus or anti-malware scans in legacy systems.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Content Analysis: Abnormal’s advanced content analysis algorithms flag the email's urgent message about an additional payment and request for a refund of $200.00 as a phishing tactic.
  • Reputation Analysis: The suspicious nature of the sender's domain “yandex[.]com” and the context of the email raise red flags during reputation checks.
  • Unknown Sender Consideration: The email is recognized as coming from an unknown sender who has never communicated with the recipient. Abnormal’s platform maintains a communication history and quickly flags deviations from established patterns of sender-recipient interactions.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.
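As an added illustration (not Abnormal's detection code, which is proprietary), the following Python scorer applies the signals listed above to a constructed copy of this message: free-webmail sending domain, a brand name in the display name and echoed in the username while the domain is not the brand's, no prior sender history, and refund/upgrade-fee lure wording. The free-webmail list, brand list, weights, threshold and sample messages are all assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed reference data (not from the original write-up): free-webmail
# domains, impersonated brands with their real domains, and lure patterns.
FREE_WEBMAIL = {"yandex.com", "gmail.com", "outlook.com", "yahoo.com"}
BRANDS = {"venmo": "venmo.com"}
LURE_PATTERNS = [r"\brefund\b", r"\bupgrade fee\b", r"\bverify\b",
                 r"\$\s?\d+(?:\.\d{2})?", r"\bscreenshot\b"]
WEIGHTS = {"free_webmail_domain": 1, "brand_in_display_name": 3,
           "brand_like_username": 2, "unknown_sender": 1, "payment_lure": 3}

def score_message(raw: str, known_senders: set) -> dict:
    """Score one raw RFC 822 message on the signals the write-up describes."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().rpartition("@")
    body = msg.get_payload()
    body = body if isinstance(body, str) else ""  # multipart: headers only
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    display_l, local_letters = display.lower(), re.sub(r"[^a-z]", "", local)
    # Brand named in the display name or echoed in the username (e.g. "venm")
    # while the mail does not come from the brand's own domain.
    spoofed = next((b for b, d in BRANDS.items() if domain != d
                    and (b in display_l or b[:4] in local_letters)), None)
    signals = {
        "free_webmail_domain": domain in FREE_WEBMAIL,
        "brand_in_display_name": spoofed is not None and spoofed in display_l,
        "brand_like_username": spoofed is not None and spoofed[:4] in local_letters,
        "unknown_sender": addr.lower() not in known_senders,  # no prior history
        "payment_lure": sum(bool(re.search(p, text)) for p in LURE_PATTERNS) >= 3,
    }
    score = sum(WEIGHTS[k] for k, hit in signals.items() if hit)
    return {"signals": signals, "score": score,
            "verdict": "attack" if score >= 6 else "benign"}

# Constructed samples: the phish mirrors the message described above.
KNOWN_SENDERS = {"alice@example.com"}
SAMPLE_PHISH = """From: "Venmo Pay" <pay.venm@yandex.com>
Subject: Your account upgrade is complete

As part of the upgrade you received an additional payment of $200.00 to
cover the upgrade fee. Please refund it to verify your identity and reply
with a screenshot of the refund.
"""
SAMPLE_BENIGN = 'From: "Alice" <alice@example.com>\nSubject: Lunch\n\nStill on for tomorrow?\n'

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, score_message(raw, KNOWN_SENDERS))
```

Each signal is weak on its own (plenty of legitimate mail comes from free webmail or first-time senders); the verdict comes from the combination, which is the point of the behavioral approach described above.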

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Type: Financial Services Scam
Vector: Text-based
Goal: Payment Fraud
Tactic: Matching Free Webmail Username; Free Webmail Account
Theme: Account Verification; Fake Payment
Impersonated Party: Brand
Impersonated Brands: Venmo
AI Generated: Likely
