Executive Impersonated in Vendor Invoice Fraud Scheme

January 7, 2020

Executive impersonation is one of the most prevalent forms of business email compromise because it is typically easy to do. The attacker only needs to know the name and job type of a high-profile executive, and then they can use that name to prompt unsuspecting employees to send wire transfers, buy gift cards, or provide access to sensitive data. In this case, an executive was impersonated to commit vendor invoice fraud.

Summary of Attack

  • Platform: Office 365
  • Email Gateway Bypassed: IronPort
  • Victims: Accounting Employee
  • Payload: Invoice Attachment
  • Technique: Executive Impersonation

About the Executive Impersonation Attack

In this attack, the threat actor posed as an executive at the organization and asked an employee in accounting to pay an invoice, but failed to attach the invoice to the initial email. This may have been intentional in an effort to fool traditional email security systems and start the conversation. Once the employee in accounting responded to the initial email, they received the second email shown here.

The attached invoice looked legitimate but contained banking information that would've routed the wire transfer to an account that the cybercriminal owned.


While Abnormal caught the attack, had it been successful, the attacker would have stolen nearly $43,000 from the targeted organization.

Why the Invoice Fraud Attack Bypassed Existing Security

As part of the attack, the attacker posed as an executive communicating with a low-level employee. This is purposeful, as the low-level employee would have recognized the name and thus would have been more likely to engage with the attacker. In addition, the attacker asked his victim to pay the invoice immediately, and this urgency often causes employees to forego the scrutiny they should be giving these types of email requests.

The attacker was able to bypass Microsoft Exchange Online Protection and Defender for Office 365 by using new or existing domains that did not have a negative reputation. However, Abnormal was able to catch this email due to the mismatch between the display name and the email address, as well as an abnormal email response.

These factors, combined with the suspicious financial request, made it possible to understand that this attack was malicious.

Want to see how Abnormal can catch executive impersonation attacks at your organization? Request a demo to get started.

Image

Prevent the Attacks That Matter Most

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Demo 2x 1

See the Abnormal Solution to the Email Security Problem

Protect your organization from the attacks that matter most with Abnormal Integrated Cloud Email Security.

Related Posts

B 05 17 22 Impersonation Attack
See how threat actors used a single mailbox compromise and spoofed domains to subtly impersonate individuals and businesses to coerce victims to pay fraudulent vendor invoices.
Read More
B 05 14 22 Best Workplace
We are over the moon to announce Abnormal has been named one of Inc. Magazine's Best Workplaces of 2022! Learn more about our commitment to our workforce.
Read More
B 05 13 22 Spring Product Release
This quarter, the team at Abnormal launched new features to improve lateral attack detection, role-based access control (RBAC), and explainable AI. Take a deep dive into all of the latest product enhancements.
Read More
B 05 11 22 Champion Finalist
Abnormal has been selected as a Security Customer Champion finalist in the Microsoft Security Excellence Awards! Here’s a look at why.
Read More
Blog series c cover
When we raised our Series B funding 18 months ago, I promised our customers greater value, more capabilities, and better customer support. We’ve delivered on each of those promises and as we receive an even larger investment, I’m excited about how we can continue to further deliver on each of them.
Read More
B 05 09 22 Partner Community
It’s an honor to be named one of CRN’s 2022 Women of the Channel. Here’s why I appreciate the award and what I love about being a Channel Account Manager at Abnormal.
Read More
B 05 05 22 Fast Facts
Watch this short video to learn current trends and key issues in cloud email security, including how to protect your organization against modern threats.
Read More
B 05 03 22
Like all threats in the cyber threat landscape, ransomware will continue to evolve over time. This post builds on our prior research and looks at the changes we observed in the ransomware threat landscape in the first quarter of 2022.
Read More
B 04 28 22 8 Key Differences
At Abnormal, we pride ourselves on our excellent machine learning engineering team. Here are some patterns we use to distinguish between effective and ineffective ML engineers.
Read More
B 04 26 22 Webinar Re Replacing Your SEG
Learn how Microsoft 365 and Abnormal work together to provide comprehensive defense-in-depth protection in part two of our webinar recap.
Read More
Blog mitigate threats cover
Learn about the most common socially-engineered attacks and why these tactics are still so successful—despite a growing awareness from employees.
Read More
B Podcast Engineering8
In episode 8 of Abnormal Engineering Stories, Kevin interviews Saminda Wijegunawardena, an engineering leader who is no stranger to fast-growing enterprise startups.
Read More