logo

A Free Gmail Account Impersonating an Internal Employee Asked Payroll to Change a Bank Account

ID: 4f790c4a-0292-552a-ac12-e9258cdb614e

STIX ID: report--4f790c4a-0292-552a-ac12-e9258cdb614e

Feed Name: IRONSCALES

Threat Score
70/100

Date Published: 2026-06-24

Date Updated: 2026-06-24

Author: [email protected] (Audian Paxson)

...
...

**Executive summary:** An attacker impersonated an internal employee by matching the display name while sending from a consumer Gmail address ([email protected]) to request a payroll direct-deposit change; the message contained no links or attachments and passed SPF/DKIM/DMARC, allowing it to bypass technical controls. The report emphasizes this as a high-risk payroll-redirect BEC, and recommends mandatory out-of-band verification for banking changes and training finance/payroll staff to inspect underlying From addresses.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.