chat
expand_more

Executive Impersonated in Vendor Invoice Fraud Scheme

January 7, 2020

Executive impersonation is one of the most prevalent forms of business email compromise because it is typically easy to do. The attacker only needs to know the name and job type of a high-profile executive, and then they can use that name to prompt unsuspecting employees to send wire transfers, buy gift cards, or provide access to sensitive data. In this case, an executive was impersonated to commit vendor invoice fraud.

Summary of Attack

  • Platform: Office 365
  • Email Gateway Bypassed: IronPort
  • Victims: Accounting Employee
  • Payload: Invoice Attachment
  • Technique: Executive Impersonation

About the Executive Impersonation Attack

In this attack, the threat actor posed as an executive at the organization and asked an employee in accounting to pay an invoice, but failed to attach the invoice to the initial email. This may have been intentional in an effort to fool traditional email security systems and start the conversation. Once the employee in accounting responded to the initial email, they received the second email shown here.

The attached invoice looked legitimate but contained banking information that would've routed the wire transfer to an account that the cybercriminal owned.


While Abnormal caught the attack, had it been successful, the attacker would have stolen nearly $43,000 from the targeted organization.

Why the Invoice Fraud Attack Bypassed Existing Security

As part of the attack, the attacker posed as an executive communicating with a low-level employee. This is purposeful, as the low-level employee would have recognized the name and thus would have been more likely to engage with the attacker. In addition, the attacker asked his victim to pay the invoice immediately, and this urgency often causes employees to forego the scrutiny they should be giving these types of email requests.

The attacker was able to bypass Microsoft Exchange Online Protection and Defender for Office 365 by using new or existing domains that did not have a negative reputation. However, Abnormal was able to catch this email due to the mismatch between the display name and the email address, as well as an abnormal email response.

These factors, combined with the suspicious financial request, made it possible to understand that this attack was malicious.

Want to see how Abnormal can catch executive impersonation attacks at your organization? Request a demo to get started.

Executive Impersonated in Vendor Invoice Fraud Scheme

See Abnormal in Action

Schedule a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

 

See the Abnormal Solution to the Email Security Problem

Protect your organization from the full spectrum of email attacks with Abnormal.

See a Demo
 
Integrates Insights Reporting 09 08 22

Related Posts

B Disney Attack Blog
This Disney+ scam email uses brand impersonation and personalization to send a convincing fake subscription charge notice.
Read More
B 2024 Cybersecurity Predictions
As AI becomes more prevalent in the new year, discover how our experts believe the world will change—for both good and bad.
Read More
B 11 27 23 ATO Stats
Account takeover allows threat actors to steal sign-in credentials and access an organization's network. Read some eye-popping stats about ATO cost and frequency.
Read More
B Unmasking Vendor Fraud
Learn about the techniques, tools, and technologies we use to train the models that form the backbone of our vendor fraud detection.
Read More
B ISC2
Get the latest insights from the 2023 ISC2 Cybersecurity Workforce Study, including which skills are most sought-after, how careers have changed, and how AI is affecting the industry.
Read More
B Good Bad Ugly Future of AI
Hear about positive and malicious use cases of AI and how to protect against novel threats in this recap from Chapter 3 of our Convergence of AI + Cybersecurity series.
Read More