While business email compromise attacks are most often seen in English, they also occur in other languages, as in the Dutch example shown here. Dutch was likely chosen because the targeted company has a presence in the Netherlands. Using display name deception to spoof the name of an executive, the attacker sends a personalized, targeted message to a finance employee asking them to make a payment to a company in England. The message, which translates to "What information do you need to pay now?", relies on urgency in the hope that the target responds quickly and the payment goes out before anyone realizes what is happening.


Why It Bypassed Traditional Security

Popular in China, the mail domain qq.com is a legitimate provider with proper MX records, much as Gmail is in the United States. Because most mail from this domain is legitimate, and because this message contains no malicious links or attachments, it easily bypasses traditional threat intelligence-based security solutions, which key on known-bad senders, URLs and file hashes rather than on the content and context of the message.

Detecting the Attack

Natural language processing with multi-language support enables cloud email security solutions to detect the presence of a payment request even when the message is written in Dutch. With an Active Directory integration, the platform knows who the VIPs are within the organization and can recognize display name deception: a sender whose display name matches an executive but whose sending address does not belong to that executive.
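The two signals described above, a VIP display name on an address that is not the executive's and payment language in more than one language, can be combined into a simple check. The following is an added example, not the vendor's product code: it uses a hypothetical VIP list standing in for an Active Directory sync, a keyword list standing in for a real multilingual classifier, and three constructed messages with fictitious names and example.com addresses. It also records what a link/attachment-based filter would have seen, which for a text-only lure is nothing.

```python
"""Toy BEC detector: VIP display-name impersonation, free-webmail sender and
multilingual payment language. Added example; not the page's product code."""
import email
import re
import unicodedata
from email import policy
from email.utils import parseaddr

# Hypothetical VIP list, as a product would sync it from Active Directory (constructed).
VIP_DIRECTORY = {
    "jan de vries": {"title": "CEO", "emails": {"jan.devries@example.com"}},
    "anna bakker": {"title": "CFO", "emails": {"anna.bakker@example.com"}},
}
# Free webmail providers: valid domains with real MX records, so domain reputation
# alone says nothing about the sender.
FREE_WEBMAIL_DOMAINS = {"qq.com", "163.com", "gmail.com", "outlook.com", "yahoo.com"}
# Keyword stand-in for a multilingual payment-request classifier (constructed lists).
PAYMENT_TERMS = {
    "nl": {"betaling", "betalen", "factuur", "overboeking", "nu", "dringend"},
    "en": {"payment", "pay", "invoice", "wire", "transfer", "urgent", "immediately", "now"},
}


def normalize_name(name: str) -> str:
    """Lower-case, strip accents and collapse whitespace so display names compare sanely."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(ascii_name.lower().split())


def analyze_message(raw: bytes) -> dict:
    """Return the signals and a verdict for one RFC 5322 message given as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display_name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []

    # Display-name deception: the name is a known VIP but the address is not theirs.
    vip = VIP_DIRECTORY.get(normalize_name(display_name))
    vip_impersonation = bool(vip) and addr not in vip["emails"]
    if vip_impersonation:
        findings.append(f"display name '{display_name}' matches {vip['title']} but sender is {addr}")

    free_webmail = domain in FREE_WEBMAIL_DOMAINS
    if free_webmail:
        findings.append(f"sender domain {domain} is a free webmail provider")

    # Payment/urgency language, checked per language over subject plus plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg.get('Subject', '')} {body.get_content() if body else ''}"
    words = set(re.findall(r"\w+", text.lower()))
    payment_hits = {lang: sorted(words & terms) for lang, terms in PAYMENT_TERMS.items()}
    payment_hits = {lang: hits for lang, hits in payment_hits.items() if hits}
    if payment_hits:
        findings.append(f"payment/urgency language: {payment_hits}")

    # What a link/attachment-based filter would see: nothing, for a text-only lure.
    has_link_or_attachment = bool(re.search(r"https?://", text)) or bool(list(msg.iter_attachments()))

    if vip_impersonation and payment_hits:
        verdict = "bec_suspect"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "from_display": display_name,
        "from_addr": addr,
        "vip_impersonation": vip_impersonation,
        "free_webmail": free_webmail,
        "payment_hits": payment_hits,
        "has_link_or_attachment": has_link_or_attachment,
        "findings": findings,
        "verdict": verdict,
    }


# Constructed sample messages: fictitious people, example.com, no real addresses.
DUTCH_BEC = b"""From: Jan de Vries <jan.devries.ceo@qq.com>
To: finance@example.com
Subject: Betaling vandaag
Content-Type: text/plain; charset=utf-8

Hallo Pieter,

Welke informatie heb je nodig om nu te betalen?

Jan
"""
ENGLISH_BEC = b"""From: Anna Bakker <anna.bakker.cfo@gmail.com>
To: finance@example.com
Subject: Quick request
Content-Type: text/plain; charset=utf-8

Can you pay this invoice now? I am in a meeting.

Anna
"""
LEGIT_INTERNAL = b"""From: Jan de Vries <jan.devries@example.com>
To: pieter@example.com
Subject: Lunch
Content-Type: text/plain; charset=utf-8

Zullen we morgen lunchen?

Jan
"""

if __name__ == "__main__":
    for label, sample in (("dutch_bec", DUTCH_BEC), ("english_bec", ENGLISH_BEC), ("legit", LEGIT_INTERNAL)):
        result = analyze_message(sample)
        print(label, result["verdict"], result["findings"])
```

The Dutch and English lures both come back as `bec_suspect` on the same two signals, while the genuine internal note from the CEO's real address is `clean`; note that `has_link_or_attachment` is false for every message, which is exactly why a filter keyed on URLs and attachments has nothing to act on here.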

Risk to Organization

If the target had responded with the requested details and then paid, the organization would immediately have lost €59.754,21. The attacker may also present the victim with further invoices, running the scam until the target realizes they are paying a malicious actor.

Analysis Overview

Vector

Text-based

Goal

Payment Fraud

Tactic

Personalized Email Subject
Free Webmail Account
Spoofed Display Name

Impersonated Party

Employee - Executive