A Free Gmail Account Impersonating an Internal Employee Asked Payroll to Change a Bank Account
ID: 4f790c4a-0292-552a-ac12-e9258cdb614e
STIX ID: report--4f790c4a-0292-552a-ac12-e9258cdb614e
Feed Name: IRONSCALES
**Executive summary:** An attacker impersonated an internal employee by matching the display name while sending from a consumer Gmail address ([email protected]) to request a payroll direct-deposit change; the message contained no links or attachments and passed SPF/DKIM/DMARC, allowing it to bypass technical controls. The report emphasizes this as a high-risk payroll-redirect BEC, and recommends mandatory out-of-band verification for banking changes and training finance/payroll staff to inspect underlying From addresses.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
