chat
expand_more

Vendor Impersonated in Invoice Fraud Attack

Vendor email compromise, in which a compromised vendor sends invoice or payment attacks to their customers, is growing in popularity. An easier to detect method of this attack happens when a vendor is impersonated, rather than compromised. In this attack, the...
May 20, 2020

Vendor email compromise, in which a compromised vendor sends invoice or payment attacks to their customers, is growing in popularity. An easier to detect method of this attack happens when a vendor is impersonated, rather than compromised. In this attack, the threat actor is impersonating a known vendor in order to receive payment for a fraudulent invoice.

Summary of Attack Target

  • Platform: Office 365
  • Email Security Bypassed: Proofpoint
  • Victims: Employees
  • Payload: Malicious Link
  • Technique: Impersonation

Overview of the Vendor Impersonation Attack

This organization communicates often with a known vendor. Recently, an employee from the accounting department received a message from what appeared to be the Assistant Controller / HR Administrator for this vendor. In the message, they were notified of an overdue invoice. In actuality, however, the attacker had registered a domain similar to that of the real vendor but changed the name slightly—for example, the real vendor might have been at acmehomes.com, but the attacker registered acmehome.com, omitting the s in the domain.

The email states that there is an unpaid invoice, which must be paid to an updated bank account. The attacker alleges that their financial institution has changed as a result of the current pandemic and the suspicious sender then states they will send over the updated bank information once the recipient replies.

Should the recipient have fallen victim to this attack and made the payment, the organization would have had a significant financial loss and potentially opened itself up to more fraudulent exchanges in the future from the same attacker.

Why the Vendor Impersonation Attack is Effective

This attack leverages the COVID-19 pandemic as an excuse for the fraudulent payment update. The attacker injects urgency into the message by claiming there is an issue of a late unpaid invoice. The attack also impersonates a high-level employee and targets payroll and accounting employees who, because they expect legitimate invoices, may be less likely to scrutinize the sender information and attached invoices.

In addition, the attacker's email came from a domain that looked like the domain of the real company. The email domain the message was sent from was recently registered by the attackers with a slight difference. Further, the registrant information was not consistent with the real vendor, though anyone receiving the email would have had to spend a good deal of time digging into this information to discover it.

As an added element, the invoice attached to the email looked like a real invoice from the legitimate vendor, including their logo, their real address, and other real information.

Abnormal detected this fraudulent email due to to the unusual sender address and the suspicious financial request. Because the recipient had never interacted with this person, it was unusual for them to receive a financial request. Combined with the urgency of the email and the mention of the pandemic, it is clear that this email is malicious and Abnormal blocks it before it reaches inboxes.

To see how Abnormal can protect you from fraud in your supply chain, see a platform demo today.

Vendor Impersonated in Invoice Fraud Attack

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Discover How It All Works

See How Abnormal AI Protects Humans

Related Posts

B Evil Panel Blog
EvilPanel is a new phishing toolkit built on Evilginx that provides a full-featured web interface for launching MFA-bypassing attacks.
Read More
B SAT
Discover why traditional security awareness training isn’t reducing human risk and how AI-driven, personalized training can transform SAT effectiveness in 2025.
Read More
B 1500x1500 Through the Looking Glass RSAC 2026
What did RSAC 2025 reveal about the next wave of cyberthreats—and the AI-powered tools to stop them? Abnormal’s Field CISO shares her top takeaways.
Read More
B 5 8 25 AI Inn
Discover how Abnormal AI accelerates developer velocity with its secure, in-house Model Context Protocol (MCP), integrating tools like GitHub and Jira directly into local environments to streamline workflows without compromising security.
Read More
B SEGROI
Discover the measurable ROI of replacing your SEG with Abnormal—from 91% faster incident response to $703K in productivity savings.
Read More
B 4 24 25 Platform
Tool bloat is an easy win for hackers and a major integration headache for overstretched security teams. Platformisation could be the antidote to cyber complexity, closing the coverage gaps while dramatically easing the management of multiple security tools.
Read More