Bypassing SEGs with Invoice and Payment Fraud Email Attacks: Real-World Examples

Discover how Abnormal detects and remediates payment fraud and invoice email attacks that bypass secure email gateways (SEGs).
March 14, 2023

Email-based invoice and payment fraud are some of the most costly and insidious forms of phishing attacks. In contrast to standard email scams, these attacks are highly targeted and require a great deal of research and personalization to convince the victim to wire funds. Unsuspecting employees are regularly targeted with fake invoices and payment requests by attackers who compromise vendor accounts or spoof trusted identities. Conventional email security solutions are insufficient to combat these types of fraud.

In the latest entry of our blog series focusing on attacks that bypass secure email gateways (SEGs), we will look at invoice/payment fraud. This type of threat leads to direct financial losses by exploiting trust, and it carries no payload: just a request to update bank account details prior to a payment event. Let’s take a look at some real-world examples of invoice/payment fraud attacks bypassing SEGs and how the Abnormal solution stepped in to detect and remediate them.

How Invoice/Payment Fraud Attacks Bypass the SEG

In the examples below, we will see messages that touch many, if not all, of these SEG bypass factors:

  • Attackers compromise a legitimate email account.

  • The compromised account is used to send malicious emails.

  • Social engineering tactics are used to elicit user engagement, leading to financial loss.

In the first example, we see an email originating from a legitimate external email account (lisa@domain.com). In this case, the threat actor has also CC’d an email address (user@domein.com) on a look-alike domain to ensure that they can track this conversation, and even continue it if necessary, should they lose control of the compromised account:

[Screenshot: Invoice Fraud 1]

This email bypasses traditional checks by the SEG because it is sent from prod.outlook.com and passes SPF, DKIM, and DMARC authentication for the sending domain:

[Screenshot: Invoice Fraud 2]

The CC’d look-alike domain was registered through Wild West Domains for a one-year term on the same day this message was sent, as seen below:

[Screenshot: Invoice Fraud 3]

If we investigate the attached PDF, we see that it is a flat file (no embedded threat) impersonating a letter from KeyBank, as seen below:

[Screenshot: Invoice Fraud 4]

Abnormal Security sees many different iterations of these attacks that involve spoofing, CC and Reply-To manipulation, and look-alike domains.
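The first example combines three signals that a gateway checking only sender authentication will miss: SPF, DKIM and DMARC all pass for the compromised sender, while the CC’d address sits on a look-alike domain that was registered the same day. The following added example (not code from Abnormal or from this post) shows how a defender can surface those two signals from a raw message: it parses the headers with Python’s standard `email` module, compares every CC and Reply-To domain against a trusted vendor list by edit distance, and flags domains registered within the last 30 days. The sample message, the `TRUSTED_VENDOR_DOMAINS` set and the `DOMAIN_REGISTERED` table are constructed for the example; a real pipeline would fetch registration dates from WHOIS/RDAP instead of a dictionary.

```python
import email
from email import policy
from datetime import date

# Constructed sample message modelled on the first example in the post:
# legitimate sender on domain.com, attacker-controlled CC on a look-alike
# domain, and a gateway that recorded SPF/DKIM/DMARC passes for the sender.
SAMPLE_MESSAGE = """\
From: Lisa <lisa@domain.com>
To: ap@victim.example
Cc: user@domein.com
Subject: Updated banking details for invoice 4471
Date: Tue, 14 Mar 2023 09:12:00 -0400
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=domain.com; dkim=pass header.d=domain.com; dmarc=pass header.from=domain.com
Content-Type: text/plain

Hi, please update our bank account details before processing the attached invoice.
"""

# Hypothetical vendor allow-list and registration dates (assumptions for the
# example). In production, registration dates come from a WHOIS/RDAP lookup.
TRUSTED_VENDOR_DOMAINS = {"domain.com"}
DOMAIN_REGISTERED = {
    "domain.com": date(2005, 6, 1),
    "domein.com": date(2023, 3, 14),
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def domains_in_header(msg, header: str) -> set:
    """Lower-cased domains of every address in the named header."""
    domains = set()
    for h in msg.get_all(header, []):
        for addr in h.addresses:
            if addr.domain:
                domains.add(addr.domain.lower())
    return domains


def analyze(raw: str, today: date, max_edit_distance: int = 2,
            new_domain_days: int = 30) -> dict:
    """Return authentication status plus look-alike / new-domain findings."""
    msg = email.message_from_string(raw, policy=policy.default)

    # Authentication results are necessary but not sufficient: a compromised
    # account passes all three, exactly as in the post's first example.
    auth = str(msg.get("Authentication-Results", ""))
    auth_pass = all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc"))

    from_domains = domains_in_header(msg, "From")
    findings = []
    for header in ("Cc", "Reply-To"):
        for dom in domains_in_header(msg, header):
            if dom in TRUSTED_VENDOR_DOMAINS or dom in from_domains:
                continue
            # Look-alike check: close, but not identical, to a trusted domain.
            for trusted in TRUSTED_VENDOR_DOMAINS:
                dist = levenshtein(dom, trusted)
                if 0 < dist <= max_edit_distance:
                    findings.append(f"{header} domain {dom} is a look-alike of "
                                    f"trusted {trusted} (edit distance {dist})")
            # Domain-age check: freshly registered domains deserve scrutiny.
            registered = DOMAIN_REGISTERED.get(dom)
            if registered is not None:
                age = (today - registered).days
                if age <= new_domain_days:
                    findings.append(f"{header} domain {dom} registered "
                                    f"{age} days ago")

    return {"auth_pass": auth_pass, "findings": findings,
            "suspicious": bool(findings)}


if __name__ == "__main__":
    result = analyze(SAMPLE_MESSAGE, date(2023, 3, 14))
    print("Authentication passed:", result["auth_pass"])
    for finding in result["findings"]:
        print("FINDING:", finding)
```

The point of the design is the ordering of the checks: authentication is evaluated and reported, but the verdict comes from the CC/Reply-To analysis, so a message that passes SPF, DKIM and DMARC is still marked suspicious when a secondary recipient lives on a one-character variant of a trusted domain that was registered that morning.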

Next, we will explore a BEC threat that, like our last example, originates from a compromised email account. In this instance, however, the compromised account is a Gmail account, and the threat actor is seeking a relatively small payment via PayPal, Apple Pay, or Zelle:

[Screenshot: Invoice Fraud 5]

This email bypasses traditional checks by the SEG because it is sent from google.com and passes SPF, DKIM, and DMARC authentication for the sending domain:

[Screenshot: Invoice Fraud 6]

In this case, the recipient of the message engaged and was ultimately prompted to pay $900.00 via Venmo to a seemingly unrelated Venmo account:

[Screenshot: Invoice Fraud 7]

What’s more interesting is that the Venmo account appears to be similarly compromised: after the first attempted payment was not completed in a timely manner, the threat actor asked the recipient to send payment to a different Venmo account, explaining that the original account is no longer valid and that a new Venmo tag will be provided when the recipient is ready to pay:

[Screenshot: Invoice Fraud 8]

Threat actors abusing legitimate email accounts are able to misdirect and collect real payments from victim organizations. Since June 2016, the FBI has tracked over 200,000 incidents that have collectively resulted in over $43B in losses. Business Email Compromise, especially attacks involving compromised supply chain partners, has become an extremely expensive problem, averaging over $170,000 per incident. Further, Abnormal Security research shows that 28% of BEC attacks are opened/read by employees.

How Abnormal Protects You From Invoice/Payment Fraud Attacks

Abnormal uses advanced behavioral AI to detect threats that bypass traditional SEGs. With our API architecture, Abnormal is uniquely positioned to ingest signals, establishing a known baseline from which to detect anomalies.

In the first example, we identified a number of anomalies; a summary of a few of them is shown below:

[Screenshot: Invoice Fraud 9]

In the second example, we also identified a number of anomalies, a summary of which is shown below:

[Screenshot: Invoice Fraud 10]

See a video overview of these attacks below:

Prevent the Most Advanced Attacks with the Most Advanced Solution

Throughout the series, we’ve showcased how Abnormal detects and remediates advanced zero-day attacks and why organizations worldwide are seeing 278% ROI with Abnormal. You can also check out other attack overviews in the series by visiting our overviews of multi-step phishing attacks, OAuth app authentication attacks, and payload-less attacks outside of the email.

Interested in learning more about how Abnormal can supplement or replace your SEG to stop invoice/payment fraud attacks and other advanced threats?
