Real-World Examples of Employees Engaging with Email Attacks

See just how convincing modern email attacks can be and how cybercriminals can leverage social engineering to trick employees with these two real attacks.
February 17, 2023

Many professionals are operating under the assumption that today’s email attacks are just as poorly-worded or obviously malicious as those from ten years ago. But modern threat actors have optimized their strategies and are launching attacks that not only bypass legacy security tools, but also trigger no alarm bells for the average employee.

Any time an employee has to assess whether an email is malicious is an opportunity for them to make a mistake—and for an attacker to capitalize. And the data shows that employees are notoriously bad at making that distinction.

Our latest threat report found that the median open rate for text-based business email compromise (BEC) attacks was nearly 28%. Further, of the malicious emails that were read, an average of 15% were replied to.

To help illustrate just how believable these attacks can be, we’re breaking down two examples of real email attacks in which cybercriminals successfully engaged with employees.

Note: The following attacks were observed during risk assessments in which the companies had implemented Abnormal Inbound Email Security in passive, read-only mode, which means the Abnormal platform was integrated with the organizations’ mail clients but not actively blocking attacks.

Threat Actor Impersonates Office Manager to Execute Invoice Fraud

In the first example, the attacker posed as the office manager of a small safety management business and emailed the facilities manager of a food distribution company. The threat actor first requested the status of payments for outstanding invoices and then informed the recipient that the company’s remittance information had recently changed.

Examples of Attack Engagement A1

To give the appearance of legitimacy, the attacker created a lookalike email address on a domain with a tiny misspelling that could easily be overlooked. For privacy purposes, all identifying information has been censored, but a comparable example would be if the real domain was and the threat actor’s email address was hosted on

As you can see, the messages contain no misspellings, no malicious links or attachments, and only minor grammar and punctuation issues. The attacker also used the office manager’s real email signature with the company’s contact information and logo. Simply put, to most employees, the email would raise zero red flags, which is likely why the target provided the requested information shortly after receiving the message.

Examples of Attack Engagement A2

The threat actor then quickly replied with the “new” bank information, asked that all future payments be sent to that account, and requested that the target confirm receipt of the email.

Examples of Attack Engagement A3

Understanding that the real office manager could email at any time and torpedo the attempted invoice fraud, the attacker turned up the pressure and sent two follow-up messages in short succession.

Examples of Attack Engagement A4
Examples of Attack Engagement A5

The technique was successful, and the facilities manager confirmed the new account and routing information would be forwarded to the company’s accounts payable department.

Examples of Attack Engagement A6

At this point, Abnormal stepped in to prevent the attack from moving forward, despite being in read-only mode.

Attacker Compromises Vendor Email Account to Divert Funds

In the next attack, the threat actor impersonated an accounting assistant. Similar to the example above, this attacker created a lookalike email address using a domain with a nearly unnoticeable misspelling. Again, all identifying information has been redacted, but to help illustrate how virtually imperceptible the difference is, imagine that the real company URL is and the domain in the threat actor’s email address is

However, in this attack, the threat actor didn’t initiate first contact with the target. Instead, the attacker replied to a message sent by the target to the accounting assistant’s actual email account.

Based on this, it would appear that the threat actor had compromised the account and had been waiting for an opportunity to hijack the conversation.

Examples of Attack Engagement B1

When the target emailed the accounting assistant to let her know he was having phone trouble but was working on transferring the funds his business owed, the attacker saw their chance. They replied to the email using the lookalike email address and informed the target that the company’s bank account was scheduled to be audited and all payments needed to be directed to a new account.

Examples of Attack Engagement B2

Just like the threat actor in the first example, this attacker used the impersonated party’s actual email signature with the company’s contact information and logo. They also didn’t utilize phishing links or malicious attachments to execute the attack, as these can be flagged by email security systems as indicators of compromise.

But rather than just copying and pasting the “new” bank information into the email, this threat actor added a bit more credibility by including the banking details in a modified document using the company’s actual letterhead. This further affirms the assumption that the attacker had compromised the accounting assistant's account and had browsed previous correspondence to locate an official document they could repurpose for this attack.

Examples of Attack Engagement Fake Account

None of the emails from the threat actor contain any misspellings or obvious grammar errors. The attacker is persistent but never rude and includes relevant pleasantries, including wishing the target a happy new year and telling him they’re happy he’s received a new phone.

Examples of Attack Engagement B3
Examples of Attack Engagement B4
Examples of Attack Engagement B5
Examples of Attack Engagement B6

Further, email clients on mobile devices don’t usually display full email headers, making it even easier for the attacker to hide their true identity.

In other words, just as with the first example, almost any employee at any level of an organization would believe the messages were legitimate—as the target in this attack did.

Examples of Attack Engagement B7

Once more, despite being in read-only mode, Abnormal stepped in at this point to prevent the attack from progressing.

Keep Your Workforce Safe by Proactively Blocking Threats

As long as companies use email, cybercriminals will launch email attacks. The above examples demonstrate just how convincing modern email attacks can be and how threat actors can expertly leverage social engineering to trick employees.

As attackers continue to upgrade and enhance their strategies, it will become increasingly difficult for your employees to differentiate these threats from legitimate emails. This means it’s crucial to minimize opportunities for your workforce to engage with malicious emails. Indeed, the most effective way to prevent your workforce from falling victim to an attack is to invest in an email security solution that ensures attacks are never delivered in the first place.

For even more insight into the risk that employees pose to cybersecurity, download our latest email threat report today.

Download the Report
Real-World Examples of Employees Engaging with Email Attacks

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Get AI Protection for Your Human Interactions

Protect your organization from socially-engineered email attacks that target human behavior.
Request a Demo
Request a Demo

Related Posts

B 07 22 24 MKT624 Images for Paris Olympics Blog
Threat actors are targeting French businesses ahead of the Paris 2024 Olympics. Learn how they're capitalizing on the event and how to protect your organization.
Read More
B Cross Platform ATO
Cross-platform account takeover is an attack where one compromised account is used to access other accounts. Learn about four real-world examples: compromised email passwords, hijacked GitHub accounts, stolen AWS credentials, and leaked Slack logins.
Read More
B Why MFA Alone Will No Longer Suffice
Explore why account takeover attacks pose a major threat to enterprises and why multi-factor authentication (MFA) alone isn't enough to prevent them.
Read More
Learn how Abnormal uses natural language processing or NLP to protect organizations from phishing, account takeovers, and more.
Read More
B DK Compromise 7 11 24
Discover the top five ways hackers compromise accounts, from exploiting leaked API credentials to SIM swapping partnerships, and more. Learn how these techniques enable account takeover (ATO) and pose risks to enterprises.
Read More
B Sans Recap 7 11 24
Discover trends among modern SOC teams, including misaligned budgets, increased automation, unsatisfactory AI tools, staffing issues, and more.
Read More