In this Swedish-language attack, the actor impersonates the company CFO writing to ask if the recipient can pay an overdue invoice from PricewaterhouseCoopers (PwC). The email includes a supposedly forwarded message from a PwC executive inquiring about the status of the payment. The CFO explains in the email thread that the bill had erroneously ended up in their spam filter, and now that it was brought to their attention needed to be paid immediately. The PwC employee referenced in the fake email chain is an actual executive at the company and the contact information found in the email signature matches the address of PwC’s London office. 

The email was sent from an account hosted on a domain registered by the attacker and the sender’s display name was spoofed to match that of the impersonated CFO. The subject line of the email is personalized with the name of the recipient.

Status Bar Dots
Swedish Fake Email Chain attack

English Translation:

[Recipient First Name],

I just received a message from Kevin (PriceWaterHouseCoopers) I asked him to contact you regarding the unpaid invoice. It is about corporate finance and strategic planning that PricewaterhouseCoopers offered us.

I will provide you with more information about this event later after the Board's review

I understand that the previously sent invoice ended up in our spam folder. Can we pay the bill today?

Sincerely

[Impersonated CFO Name].

forwarded -------- -----------

From: Kevin [Last Name] <[username]@pwc.com>

To: [Impersonated CFO Name] <[Impersonated CFO Email Address]>

Published time: August 26, 2022 8:05 am

About us: PriceWaterHouseCoopers LLP

Hello

I am recasting the bill as a reminder. I want to inform you that this invoice is due today. Should we expect this payment soon?

Sincerely

Kevin [Last Name]

PriceWaterHouseCoopers

Address: 7 More London, Riverside,

London SE1 2RT,

UK.

[username]@pwc.com

Why It Bypassed Traditional Security

It is difficult for a secure email gateway to determine malicious intent due to the text-based attack, without any other indicators of compromise. Some email defenses rely on training their detection models only using common languages, such as English, so attacks that are written in other languages may not be detected. The domain hosting the attacker’s email address is valid and had not been previously flagged as being used for malicious purposes.

Detecting the Attack

Natural language processing with multi-language support enables cloud email security solutions to detect the presence of a payment request, even when the message is written in Swedish. Content analysis is required to detect the presence of invoice-related requests, which can indicate when an email should undergo additional scrutiny. Integration with Active Directory allows the platform to know that the email is not associated with the executive being spoofed. The domain used by the attacker to send the email was registered shortly before the email was sent, indicating its potential use for malicious purposes.

Risk to Organization

Payment diversion attacks can add up to cost companies tens of thousands of dollars, and invoice fraud is one of the most expensive forms it can take due to its high success rate. The fake email chain included in the attack provides a layer of legitimacy to the message, which may result in a higher success rate. Because the sender’s display name has been spoofed to impersonate the company’s CFO, an employee receiving the email may instinctively comply with the email since it appears to come from a person of authority. A personalized email subject adds a personal touch to the attack, which may lead the recipient to believe the sender knows who they are.

Analysis Overview

Vector

Text-based

Goal

Payment Fraud

Tactic

Fake Email Chain
Personalized Email Subject
Maliciously Registered Domain
Spoofed Display Name

Theme

Overdue Payment

Impersonated Party

Employee - Executive

Language

Swedish