Real-World Examples of Employees Engaging with Email Attacks

See just how convincing modern email attacks can be and how cybercriminals can leverage social engineering to trick employees with these two real attacks.
February 17, 2023

Many professionals are operating under the assumption that today’s email attacks are just as poorly worded or obviously malicious as those from ten years ago. But modern threat actors have optimized their strategies and are launching attacks that not only bypass legacy security tools, but also trigger no alarm bells for the average employee.

Any time an employee has to assess whether an email is malicious is an opportunity for them to make a mistake—and for an attacker to capitalize. And the data shows that employees are notoriously bad at making that distinction.

Our latest threat report found that the median open rate for text-based business email compromise (BEC) attacks was nearly 28%. Further, of the malicious emails that were read, an average of 15% were replied to.

To help illustrate just how believable these attacks can be, we’re breaking down two examples of real email attacks in which cybercriminals successfully engaged with employees.

Note: The following attacks were observed during risk assessments in which the companies had implemented Abnormal Inbound Email Security in passive, read-only mode, which means the Abnormal platform was integrated with the organizations’ mail clients but not actively blocking attacks.

Threat Actor Impersonates Office Manager to Execute Invoice Fraud

In the first example, the attacker posed as the office manager of a small safety management business and emailed the facilities manager of a food distribution company. The threat actor first requested the status of payments for outstanding invoices and then informed the recipient that the company’s remittance information had recently changed.

[Image: Examples of Attack Engagement A1]

To give the appearance of legitimacy, the attacker created a lookalike email address on a domain with a tiny misspelling that could easily be overlooked. For privacy purposes, all identifying information has been censored, but a comparable example would be if the real domain was and the threat actor’s email address was hosted on

As you can see, the messages contain no misspellings, no malicious links or attachments, and only minor grammar and punctuation issues. The attacker also used the office manager’s real email signature with the company’s contact information and logo. Simply put, to most employees, the email would raise zero red flags, which is likely why the target provided the requested information shortly after receiving the message.

[Image: Examples of Attack Engagement A2]

The threat actor then quickly replied with the “new” bank information, asked that all future payments be sent to that account, and requested that the target confirm receipt of the email.

[Image: Examples of Attack Engagement A3]

Understanding that the real office manager could email at any time and torpedo the attempted invoice fraud, the attacker turned up the pressure and sent two follow-up messages in short succession.

[Images: Examples of Attack Engagement A4 and A5]

The technique was successful, and the facilities manager confirmed the new account and routing information would be forwarded to the company’s accounts payable department.

[Image: Examples of Attack Engagement A6]

At this point, Abnormal stepped in to prevent the attack from moving forward, despite being in read-only mode.

Attacker Compromises Vendor Email Account to Divert Funds

In the next attack, the threat actor impersonated an accounting assistant. Similar to the example above, this attacker created a lookalike email address using a domain with a nearly unnoticeable misspelling. Again, all identifying information has been redacted, but to help illustrate how virtually imperceptible the difference is, imagine that the real company URL is and the domain in the threat actor’s email address is

However, in this attack, the threat actor didn’t initiate first contact with the target. Instead, the attacker replied to a message sent by the target to the accounting assistant’s actual email account.

Based on this, it would appear that the threat actor had compromised the account and had been waiting for an opportunity to hijack the conversation.

[Image: Examples of Attack Engagement B1]

When the target emailed the accounting assistant to let her know he was having phone trouble but was working on transferring the funds his business owed, the attacker saw their chance. They replied to the email using the lookalike email address and informed the target that the company’s bank account was scheduled to be audited and all payments needed to be directed to a new account.
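Both attacks share two signals that can be checked mechanically: a sender domain that is a near-miss of a known partner domain, and a reply that arrives from an address other than the one originally emailed. The sketch below is an added example, not from the original post and not Abnormal's detection logic; the domains, sample messages and function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

def domain_of(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def lookalike_of(sender_domain, known_domains, max_dist=2):
    """Return the known domain that sender_domain nearly matches, else None."""
    if sender_domain in known_domains:
        return None
    return next((k for k in sorted(known_domains)
                 if osa_distance(sender_domain, k) <= max_dist), None)

def check_reply(sent_raw, reply_raw, known_domains):
    """Findings for a reply, judged against the message it answers."""
    sent, reply = message_from_string(sent_raw), message_from_string(reply_raw)
    if reply.get("In-Reply-To", "").strip() != sent.get("Message-ID", "").strip():
        return []  # not a reply to this message
    findings = []
    expected = {domain_of(a) for _, a in getaddresses(sent.get_all("To", []))}
    sender = domain_of(reply.get("From", ""))
    if sender not in expected:
        findings.append(f"reply from {sender}; original went to {sorted(expected)}")
    imitated = lookalike_of(sender, known_domains)
    if imitated:
        findings.append(f"{sender} is within edit distance of {imitated}")
    return findings

# Constructed sample data; all domains and addresses are made up.
KNOWN = {"acme-safety.example"}
SENT = ("From: sam@fooddist.example\nTo: Jane <jane@acme-safety.example>\n"
        "Message-ID: <m1@fooddist.example>\nSubject: Payment\n\nTransfer is in progress.\n")
HIJACK = ("From: Jane <jane@acme-saftey.example>\nTo: sam@fooddist.example\n"
          "In-Reply-To: <m1@fooddist.example>\nSubject: Re: Payment\n\nUse the new account.\n")
LEGIT = HIJACK.replace("saftey", "safety")

if __name__ == "__main__":
    for name, raw in (("hijack", HIJACK), ("legit", LEGIT)):
        print(name, check_reply(SENT, raw, KNOWN))
```

A fixed distance threshold produces false positives on short domains, so in practice the known-domain list should be limited to vendors and partners the organization actually pays.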

[Image: Examples of Attack Engagement B2]

Just like the threat actor in the first example, this attacker used the impersonated party’s actual email signature with the company’s contact information and logo. They also didn’t utilize phishing links or malicious attachments to execute the attack, as these can be flagged by email security systems as indicators of compromise.

But rather than just copying and pasting the “new” bank information into the email, this threat actor added a bit more credibility by including the banking details in a modified document using the company’s actual letterhead. This further affirms the assumption that the attacker had compromised the accounting assistant's account and had browsed previous correspondence to locate an official document they could repurpose for this attack.

[Image: Examples of Attack Engagement, Fake Account]

None of the emails from the threat actor contain any misspellings or obvious grammar errors. The attacker is persistent but never rude and includes relevant pleasantries, including wishing the target a happy new year and telling him they’re happy he’s received a new phone.

[Images: Examples of Attack Engagement B3 through B6]

Further, email clients on mobile devices don’t usually display full email headers, making it even easier for the attacker to hide their true identity.

In other words, just as with the first example, almost any employee at any level of an organization would believe the messages were legitimate—as the target in this attack did.

[Image: Examples of Attack Engagement B7]

Once more, despite being in read-only mode, Abnormal stepped in at this point to prevent the attack from progressing.

Keep Your Workforce Safe by Proactively Blocking Threats

As long as companies use email, cybercriminals will launch email attacks. The above examples demonstrate just how convincing modern email attacks can be and how threat actors can expertly leverage social engineering to trick employees.

As attackers continue to upgrade and enhance their strategies, it will become increasingly difficult for your employees to differentiate these threats from legitimate emails. This means it’s crucial to minimize opportunities for your workforce to engage with malicious emails. Indeed, the most effective way to prevent your workforce from falling victim to an attack is to invest in an email security solution that ensures attacks are never delivered in the first place.

For even more insight into the risk that employees pose to cybersecurity, download our latest email threat report today.
