Executive Impersonated in Request to Pay Fake New Contractor

In this email, the attacker impersonates an executive to inform the recipient that a new contractor needed to be added to the payroll. The email mentions the individual is a “1099” (a reference to an independent contractor) and no taxes needed to be withheld. If a recipient responds to this email, the attacker likely would follow-up with additional payment details to an account that can receive ACH payments due to the reference that the “contractor” needed to be paid by direct deposit. The email was sent from an account hosted on Hot.ee, an Estonian free webmail service, and the sender’s display name was changed to mirror the name of the impersonated executive.

Because the attack is text-based, without any other indicators of compromise, there is little for a secure email gateway to use to determine malicious intent. This email is sent from a Hot.ee account, a free webmail service available to anyone. As a result, there is no bad domain reputation for traditional security providers to discover, and the email passes all authentication checks for SPF, DKIM, and DMARC. 

Integration with Active Directory and processing the organizational chart allows the platform to know that the email is not associated with the executive being spoofed, and understand VIP emails to know when an executive is being impersonated via display name deception. Content analysis is required to detect the presence of payment-related requests, which can indicate when an email should undergo additional scrutiny. 

Because the sender’s display name has been spoofed to impersonate the company’s VIP, an employee receiving the email may instinctively comply with the email since it appears to come from a person of authority. Should the targeted employee comply with the attacker’s request, the company would see a direct financial loss based on the amount of the “payment” instructed to be paid to the fake contractor.