Vendor Impersonated in Invoice Fraud Attack

May 20, 2020

Vendor email compromise, in which a compromised vendor sends invoice or payment attacks to their customers, is growing in popularity. An easier to detect method of this attack happens when a vendor is impersonated, rather than compromised. In this attack, the threat actor is impersonating a known vendor in order to receive payment for a fraudulent invoice.

Summary of Attack Target

  • Platform: Office 365
  • Email Security Bypassed: Proofpoint
  • Victims: Employees
  • Payload: Malicious Link
  • Technique: Impersonation

Overview of the Vendor Impersonation Attack

This organization communicates often with a known vendor. Recently, an employee from the accounting department received a message from what appeared to be the Assistant Controller / HR Administrator for this vendor. In the message, they were notified of an overdue invoice. In actuality, however, the attacker had registered a domain similar to that of the real vendor but changed the name slightly—for example, the real vendor might have been at, but the attacker registered, omitting the s in the domain.

The email states that there is an unpaid invoice, which must be paid to an updated bank account. The attacker alleges that their financial institution has changed as a result of the current pandemic and the suspicious sender then states they will send over the updated bank information once the recipient replies.

Should the recipient have fallen victim to this attack and made the payment, the organization would have had a significant financial loss and potentially opened itself up to more fraudulent exchanges in the future from the same attacker.

Why the Vendor Impersonation Attack is Effective

This attack leverages the COVID-19 pandemic as an excuse for the fraudulent payment update. The attacker injects urgency into the message by claiming there is an issue of a late unpaid invoice. The attack also impersonates a high-level employee and targets payroll and accounting employees who, because they expect legitimate invoices, may be less likely to scrutinize the sender information and attached invoices.

In addition, the attacker's email came from a domain that looked like the domain of the real company. The email domain the message was sent from was recently registered by the attackers with a slight difference. Further, the registrant information was not consistent with the real vendor, though anyone receiving the email would have had to spend a good deal of time digging into this information to discover it.

As an added element, the invoice attached to the email looked like a real invoice from the legitimate vendor, including their logo, their real address, and other real information.

Abnormal detected this fraudulent email due to to the unusual sender address and the suspicious financial request. Because the recipient had never interacted with this person, it was unusual for them to receive a financial request. Combined with the urgency of the email and the mention of the pandemic, it is clear that this email is malicious and Abnormal blocks it before it reaches inboxes.

To see how Abnormal can protect you from fraud in your supply chain, see a platform demo today.


See the Abnormal Solution to the Email Security Problem

Protect your organization from the full spectrum of email attacks with Abnormal.

See a Demo
Integrates Insights Reporting 09 08 22

Related Posts

B 1500x1500 Types of Email Platform Attacks L1 R2
Discover the most common types of email platform attacks in your cloud network and how you can prevent them.
Read More
B 1500x1500 Lilac Wolverine L1 R1
Threat group Lilac Wolverine is fine-tuning the art of exploiting people’s willingness to help others in some of the largest gift card attacks we've seen.
Read More
B 1500x1500 Modern Email Attacks Webinar Series L4 R2
Our Modern Email Attacks series has wrapped! Here are some of the biggest takeaways from Chris Krebs, Troy Hunt, and Theresa Payton.
Read More
B 1500x1500 Gartner Insights L1 R1
See our commitment to providing our customers with the best possible solution and support with these reviews from Gartner® Peer Insights™.
Read More
B 11 14 22 SPM Launch Blog Graphics
Security Posture Management gives organizations insight into cloud configuration risks and gaps across user and app privileges.
Read More
B 11 14 22 SPM Launch Blog 2
Cloud email platforms enable better collaboration, but they also create new entry points, making sensitive data more accessible to attackers.
Read More
B 1500x1500 Q3 Ransomeware L1 R2
This post explores the continuation of the sharp decline in ransomware attacks as well as a few other notable data points from Q3 2022.
Read More
B 10 05 22 Cloud Email Security Platform Essentials
Learn the 7 key capabilities a cloud email security platform should have in order to address and resolve common email security challenges.
Read More
B 11 07 22 Valimail
Discover the benefits of a modern, best-of-breed solution to email security with Abnormal Security and Valimail’s New Partnership.
Read More