In this German-language message addressed to the CFO of the targeted company, the attacker impersonates the company's CEO, asking for the current balance of the company's account and whether a payment of roughly €40,000 can be made that day. The email is sent from an address on a domain the attacker registered to resemble a generic email-related service, and the sender's display name is set to the name of the impersonated CEO.

German Payment Fraud BEC Email

English Translation:

Hello,

What is our account balance?

Can we pay 40.243,51 Euros today?

Respectfully,

[Impersonated CEO Name]

Why It Bypassed Traditional Security

Because the attack is purely text-based, with no other indicators of compromise, a secure email gateway has little to work with to determine malicious intent. The domain hosting the attacker's address is a legitimately registered domain that had not previously been flagged as malicious, so reputation checks pass. Some email defenses train their detection models only on common languages such as English, so an attack written in another language may not be detected at all.

Detecting the Attack

Natural language processing with multi-language support lets a cloud email security solution recognize the payment request even though the message is written in German. Integration with the Microsoft API gives the solution access to Active Directory, from which it can build the organizational chart, identify executive (VIP) mailboxes so that display-name impersonation of an executive is recognized, and confirm that the sending address is not one associated with the executive being spoofed.
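The checks described above, combined into one detection routine, as an added example that is not part of the original page or any vendor's product. It parses a constructed message modelled on the described email (names, domains and amount are illustrative), looks up the sender's display name in a hypothetical directory export of executive mailboxes, flags the display-name mismatch and the external domain, and uses per-language cue words as a deliberately simplified stand-in for the multi-language payment-request model. The amount parser accepts both German (40.243,51) and English (40,243.51) separators, which is the edge case a purely English-trained pipeline tends to miss.

```python
import re
from email import message_from_bytes
from email.policy import default
from email.utils import parseaddr

# Constructed sample modelled on the described email; names, domains and the
# amount are illustrative, not the real message.
SAMPLE_EMAIL = """\
From: "Max Mustermann" <max.mustermann@mail-service-notice.example>
To: cfo@example-firma.de
Subject: Kontostand
Content-Type: text/plain; charset=utf-8

Hallo,

wie ist unser Kontostand?

Können wir heute 40.243,51 Euro bezahlen?

Hochachtungsvoll,

Max Mustermann
""".encode("utf-8")

# Hypothetical directory export (the page's "organizational chart" / VIP list):
# normalized executive display name -> mailboxes that may legitimately carry it.
VIP_DIRECTORY = {"max mustermann": {"max.mustermann@example-firma.de"}}
ORG_DOMAINS = {"example-firma.de"}

# Simplified stand-in for the multi-language payment-request model.
PAYMENT_CUES = {
    "de": [r"\bkontostand\b", r"\bbezahlen\b", r"\bzahlung\b", r"\büberweis\w*"],
    "en": [r"\baccount balance\b", r"\bpayment\b", r"\bwire\b", r"\bpay\b"],
}
# Illustrative tokens for a domain dressed up as a generic mail service.
GENERIC_MAIL_TOKENS = ("mail", "email", "notice", "service", "secure")
# Amount followed by a euro marker, in either German or English notation.
AMOUNT_RE = re.compile(
    r"(\d{1,3}(?:[.,]\d{3})*(?:[.,]\d{1,2})?)\s*(?:€|euros?|eur)\b", re.I)


def parse_amount(token):
    """Convert '40.243,51', '40,243.51', '40.243' or '40000' to a float."""
    seps = [c for c in token if c in ",."]
    if not seps:
        return float(token)
    last = seps[-1]
    tail = token.rsplit(last, 1)[1]
    # A lone separator followed by exactly three digits is a thousands separator.
    if len(seps) == 1 and len(tail) == 3:
        return float(token.replace(last, ""))
    other = "," if last == "." else "."
    return float(token.replace(other, "").replace(last, "."))


def analyze(raw_bytes):
    """Return the signals a BEC detector would combine for this message."""
    msg = message_from_bytes(raw_bytes, policy=default)
    display_name, sender = parseaddr(str(msg.get("From", "")))
    sender = sender.lower()
    sender_domain = sender.rsplit("@", 1)[-1]
    body = msg.get_content().lower()

    name_key = " ".join(display_name.split()).lower()
    known_mailboxes = VIP_DIRECTORY.get(name_key)
    # Display-name deception: the name belongs to a VIP, the address does not.
    vip_impersonation = known_mailboxes is not None and sender not in known_mailboxes
    external_sender = sender_domain not in ORG_DOMAINS
    lookalike_generic_service = any(t in sender_domain for t in GENERIC_MAIL_TOKENS)
    languages = sorted(lang for lang, pats in PAYMENT_CUES.items()
                       if any(re.search(p, body) for p in pats))
    amounts = [parse_amount(m) for m in AMOUNT_RE.findall(body)]

    verdict = ("likely payment-fraud BEC"
               if vip_impersonation and languages else "no BEC signal")
    return {
        "display_name": display_name,
        "sender": sender,
        "vip_impersonation": vip_impersonation,
        "external_sender": external_sender,
        "lookalike_generic_service": lookalike_generic_service,
        "payment_request_languages": languages,
        "amounts": amounts,
        "verdict": verdict,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_EMAIL), indent=2, ensure_ascii=False))
```

The verdict deliberately requires both a VIP display-name mismatch and a payment request: either signal alone (an executive mailing from a personal address, or a genuine invoice from a supplier) is common and would drown an analyst in false positives.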

Risk to Organization

Because the sender's display name has been spoofed to impersonate the company's CEO, the employee receiving the email may comply instinctively, since the request appears to come from a person of authority. Should the targeted employee comply with the attacker's request, the company would suffer a direct financial loss of more than €40,000.

Analysis Overview

Vector: Text-based

Goal: Payment Fraud

Tactic: Maliciously Registered Domain; Spoofed Display Name

Impersonated Party: Employee - Executive

Language: German