Dutch Executive Impersonated in Invoice Fraud Attempt

While business email compromise attacks are most often seen in English, they do occur in other languages, like in the Dutch version seen here. In this attack, Dutch is the language of choice perhaps because the company has a presence in the Netherlands. Using display name deception to spoof the name of an executive, the attacker crafts a personalized and targeted message to a finance employee, asking to send a payment to a company in England. Translated to “What information do you need to pay now,” the attacker uses urgency in hopes that the target will respond back quickly and the payment will occur before they realize what is happening. 

Popular in China, the mail domain qq.com is valid and has proper MX records, much like Gmail is used in the United States. Since most accounts originating from this domain are valid and safe, and because there are no malicious links or attachments, this email easily bypasses traditional threat intelligence-based security solutions. 

Natural language processing with multi-language support enables cloud email security solutions to detect the presence of a payment request, even when the message is written in Dutch. With an Active Directory integration, the platform knows who VIPs are within the organization and can understand when domain name deception is being used to impersonate executives. 

If the target responded back with details and then paid the request, the organization would immediately lose €59.754,21. The attacker may also present that victim with another invoice, running the scam until the target realizes that they are paying malicious actors.