threat index

Email threats, indexed.

A curated, sourced index of email-borne attack patterns drawn from FBI IC3, CISA, APWG, and Verizon DBIR. Each entry has pattern, example, indicators, what to do, and a citation. Updated as new attack categories emerge.

The bouncer at the door does not have to know every con in the book. It has to know who is on the list and who paid the cover. Still, naming the cons is useful. This is our index of the email-borne attack patterns we read about, get questions about, and see written up in primary sources.

Thirty-plus entries grouped into six categories: business email compromise variants, phishing types, social engineering, domain spoofing and technical attacks, AI-hybrid threats, and auxiliary attack vectors. Each entry includes the pattern in plain language, an anonymized example, three to five red-flag indicators, two to three actions, an honest framing of how Rythm helps (and where it does not), and a citation to a public primary source.

Rythm did not write these threats; the security community documented them long before us. We curate, group, and link. Suggestions welcome at partners@rythm.xyz.

severity tiers

Critical (8): direct financial loss or data exfiltration

High (20): account takeover, persistent access, lateral movement

Moderate (11): disruption, time cost, awareness damage

BEC variants

An attacker impersonates a senior executive (CEO, CFO, or owner) and emails someone with wire authority (AP, finance, or an executive assistant). The email asks for an urgent wire to a "new vendor" or "acquisition" account. The timing is engineered to pressure speed: late Friday, before a holiday, or while the executive is traveling.

Example: A finance manager at a mid-sized firm receives a Friday-afternoon email from "the CEO" requesting a $250,000 wire for a confidential acquisition closing Monday. The sender domain is one letter different from the company domain.

An attacker compromises a vendor's email account and waits for an active invoice thread. They reply from the real address with a "banking update" that redirects the next payment. Because the email is from the genuine vendor mailbox, every authentication check passes.

Example: A construction firm receives an invoice from a long-time supplier with an updated wire instruction note. The supplier's mailbox has been compromised; the real supplier never sees the redirected payment until the project is over.

An attacker phishes employee credentials, takes over the inbox, and sends fraudulent messages from the real internal address. Because the email is from a real coworker mailbox, internal trust assumptions fail.

Example: An employee receives an email from a coworker's real address asking for help with a "quick payroll change." The coworker is on vacation; the attacker is reading their inbox.

An attacker spoofs an employee's email and contacts HR or payroll asking to update direct-deposit details to an attacker-controlled account. The next paycheck is redirected before anyone notices.

Example: An HR specialist receives a casual email from "an employee" asking to update direct-deposit because they switched banks. The employee's name and department match; the sender domain is a free-mail lookalike.

An attacker impersonates an executive or manager and asks an employee to "do them a quick favor" by buying gift cards (Amazon, Apple, Google Play) and sending the redemption codes. Lower individual loss than wire fraud, but high frequency.

Example: A new hire receives an email from "the CEO" asking if they are at their desk and could pick up gift cards for a client thank-you. The reply-to is a personal address.

An attacker impersonates an executive and asks HR or payroll to send all employee W-2 forms or a year-end PII roll-up. The data is then used for tax-refund fraud and identity theft.

Example: An HR director receives an email from "the CFO" near tax-filing season requesting a quick PDF of all W-2s for an audit. The sender domain has a single-letter substitution.

An attacker monitors a real-estate transaction by compromising one party's email (buyer, seller, agent, or escrow). Near closing, the attacker sends fake wire instructions from a real or lookalike address. The down-payment or sale proceeds wire to the attacker.

Example: A homebuyer receives "updated wire instructions" the day before closing from what appears to be the title company. The closing wire goes to the attacker; the title company never received it.

A variant of CEO and vendor BEC where the wire instructions specifically route through a foreign bank, often in a jurisdiction known for slow recovery cooperation. Attackers favor banks where fund-recovery requests take months.

Example: A nonprofit's CFO receives a wire request labeled as a vendor payment, but the routing number maps to a Hong Kong correspondent bank with no prior relationship to the vendor.

Phishing types

High-volume, low-customization phishing sent to thousands or millions of recipients. The lures are generic ("your package is delayed", "your account will be suspended"); the goal is credential harvest at low cost per attempt.

Example: A retail employee receives a "FedEx delivery exception" email with a tracking link that redirects to a credential-harvesting page mimicking the company's SSO portal.

Targeted phishing customized to a specific person using public information (LinkedIn, company website, news mentions). The message references real coworkers, real projects, or recent activity. Conversion rates are dramatically higher than mass phishing.

Example: A finance lead at a startup receives an email "from" the CEO referencing yesterday's board update and asking for a quick favor on a vendor payment.

Whaling

Critical

Spear phishing aimed at C-suite executives, board members, or other high-authority targets. The attacker invests in research and a polished lure because a single successful compromise yields outsized access (signing authority, board email, M&A material).

Example: A CFO receives a meeting invite from an "investor relations partner" with an attached NDA. The NDA PDF includes a phishing link that harvests CFO credentials.

Phishing that uses a QR code in the email body or attached image. The recipient scans with a phone, the phone's browser opens, and the URL is a credential-harvesting page. QR codes evade email link-scanning because the URL is rendered as an image.

Example: An employee receives an email titled "Your Microsoft 365 password expires today" with a QR code labeled "scan to renew." The QR resolves to a credential-harvesting site mimicking the M365 login.

A multi-channel attack where the phisher calls first to build rapport ("this is the CEO's assistant calling about an urgent matter") and then sends a follow-up email with the actual lure. Or vice versa: an email primes the recipient and a call seals the social engineering.

Example: A finance assistant receives a phone call from someone claiming to be outside legal counsel about a confidential acquisition, followed by an email with wire instructions and an NDA attachment.

An attacker connects on LinkedIn first, builds a few exchanges to establish rapport, then asks the target to "continue by email." The email arrives in a context where the recipient is expecting it, bypassing skepticism.

Example: A founder accepts a LinkedIn connection from "an investor at a small firm." After two friendly messages, the investor asks to send a deck "to your email" and follows up with a phishing link disguised as a doc share.

An attacker registers a lookalike domain (typo, homoglyph, or alternate TLD) and sends mail that appears to come from a known sender. The recipient sees a familiar name and skims past the address detail.

Example: An employee receives an email from "support@rythn.xyz" (note the missing "m") that appears to be from the real company support. The lookalike domain mirrors fonts and signatures of real corporate mail.

Social engineering

The attacker invokes legitimate-sounding authority (CEO, lawyer, auditor, regulator, IRS) to short-circuit the recipient's skepticism. Authority figures are obeyed faster; the attack relies on that asymmetry.

Example: An accountant receives an email from "an outside auditor" requesting bulk client tax-ID exports for a "regulatory compliance check." The auditor name and firm sound real but the email domain is unfamiliar.

The attacker invents a deadline ("your account will be suspended in 24 hours", "wire required by 5pm or the deal is dead") to compress decision time and bypass deliberation. Most BEC variants use urgency as a co-factor.

Example: An employee receives a Friday-afternoon email demanding a same-day password reset to avoid being locked out over the weekend. The reset link points to an attacker-controlled site.

The attacker dangles a hook the recipient cannot resist clicking ("I found something on your social media you should see", "your boss is in this photo"). The bait exploits human pattern-completion to override caution.

Example: A hiring manager receives an email titled "found a problem in your candidate's background" with a PDF attachment. The PDF contains a phishing link disguised as a continuation page.

The attacker offers a "gift" (a free audit, a complimentary review, an unsolicited testimonial) to create a sense of obligation. The follow-up exploits the reciprocity instinct to ask for credentials, payment, or access.

Example: A small-business owner receives "a free SEO audit" email with a PDF attachment. The PDF prompts a login to "see the full report" and harvests Google Workspace credentials.

The attacker spoofs the display name of a real friend, family member, or colleague. The recipient sees a familiar name and skims the actual address. Common in the gift-card BEC variant and in personal-account compromise.

Example: A team member receives an email from "John Smith" (their real manager's display name) asking for a quick personal favor. The actual email address is johnsmith.contact@gmail.com, not the corporate domain.

A long-running social engineering attack where the attacker builds an emotional relationship over weeks or months, then asks for money, gift cards, or assistance routing funds. Email is often the channel that moves the relationship from a dating site or social media to direct contact.

Example: A target receives an email from "someone they met online" asking for help receiving a wire that has been stuck in customs. The message is written warmly and references private details from prior conversations.

An attacker poses as a recruiter from a real or invented firm offering a job opportunity. The "interview" or "next step" requires the candidate to download a document, log in to a portal, or share personal data. The lure is an attractive role at competitive comp.

Example: A software engineer receives an email from a "senior recruiter" at a known tech firm. The next step requires downloading a coding challenge from a custom portal that harvests login credentials.

Domain spoofing & technical attacks

An attacker registers a domain that visually resembles a real one (rythn.xyz vs rythm.xyz, or using Cyrillic characters that look like Latin ones). Because the attacker controls the lookalike domain's DNS, mail from it passes SPF and DKIM for the lookalike, which lulls the recipient.

Example: An employee receives an email from "support@rythn.xyz" (no "m") that looks identical to real support email. The recipient skims and clicks the action button.

The From address is a real sender (often free-mail or attacker-controlled), but the display name is set to someone the recipient knows (the CEO, a known vendor). Many email clients show only the display name in compact view, hiding the real address.

Example: A user sees "From: Jane Smith CEO" in their mobile inbox. The actual address is jane.smith.exec@gmail.com, not the corporate domain.

The From address is legitimate-looking (or even spoofs a real sender), but the Reply-To is set to an attacker-controlled inbox. The recipient hits Reply, and the conversation continues with the attacker without the recipient noticing.

Example: An accountant receives a vendor invoice. The From appears to be the vendor; the Reply-To is a similar-looking domain. The follow-up "what's your routing number for next month's payment" goes to the attacker, not the vendor.

An attacker registers a domain using non-Latin characters that visually look like Latin ones (Cyrillic "а", Greek "ο", etc.). The internationalized domain, stored in DNS as Punycode with an xn-- prefix, renders identically to the real brand in many email clients.

Example: A user receives an email from a domain that displays as "rythm.xyz" but is actually rуthm.xyz (with a Cyrillic "у"). The link routes to a credential-harvesting site.
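The four technical patterns above (lookalike domain, display-name spoofing, Reply-To redirection, and homoglyph domains) all leave traces in message headers that a receiving system can check mechanically. The following is an added example written for this page, not Rythm's code; it assumes a hypothetical corporate domain (rythm.xyz, as used in the entries) and a hypothetical table of known sender names, and every sample message is constructed.

```python
"""Header checks for the domain-spoofing patterns in this index:
lookalike domain, display-name spoofing, Reply-To mismatch and
homoglyph (IDN) domains. Input is raw RFC 5322 header text."""
from __future__ import annotations
from email import message_from_string
from email.utils import parseaddr, getaddresses

# Hypothetical organisation context, assumed for this example.
CORPORATE_DOMAINS = {"rythm.xyz"}
KNOWN_SENDERS = {"jane smith": "rythm.xyz"}  # display name -> expected domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def to_ascii_domain(domain: str) -> str:
    """IDNA-encode so a Unicode homoglyph domain shows its xn-- form."""
    try:
        return domain.encode("idna").decode("ascii")
    except UnicodeError:
        return domain


def check_headers(raw: str) -> list[str]:
    """Return a list of 'kind: detail' findings for one message's headers."""
    msg = message_from_string(raw)
    findings: list[str] = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    ascii_dom = to_ascii_domain(from_dom)

    # Homoglyph / IDN: a non-ASCII label, or an already Punycode-encoded one.
    if ascii_dom != from_dom or any(l.startswith("xn--") for l in ascii_dom.split(".")):
        findings.append(f"idn-domain: {from_dom!r} encodes as {ascii_dom!r}")

    # Lookalike: one edit away from a corporate domain but not equal to it.
    for corp in CORPORATE_DOMAINS:
        if ascii_dom != corp and edit_distance(ascii_dom, corp) <= 1:
            findings.append(f"lookalike-domain: {ascii_dom!r} resembles {corp!r}")

    # Display-name spoofing: a known name whose address is on another domain.
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected and ascii_dom != expected:
        findings.append(f"display-name-mismatch: {name!r} expected {expected!r}, got {ascii_dom!r}")

    # Reply-To redirection: a reply would leave the From domain.
    for _, reply in getaddresses(msg.get_all("Reply-To", [])):
        reply_dom = domain_of(reply)
        if reply_dom and reply_dom != from_dom:
            findings.append(f"reply-to-mismatch: From {from_dom!r}, Reply-To {reply_dom!r}")
    return findings


# Constructed sample headers, one per pattern plus a clean control.
SAMPLES = {
    "lookalike": "From: Support <support@rythn.xyz>\nSubject: Action required\n\nbody",
    "display_and_replyto": ("From: Jane Smith <jane.smith.exec@gmail.com>\n"
                            "Reply-To: billing@rythm-invoices.example\n\nbody"),
    "homoglyph": "From: Billing <billing@r\u0443thm.xyz>\nSubject: Invoice\n\nbody",
    "clean": "From: Jane Smith <jane.smith@rythm.xyz>\nSubject: Hello\n\nbody",
}


def finding_kinds(raw: str) -> list[str]:
    """Just the finding categories, for summarising or asserting."""
    return [f.split(":", 1)[0] for f in check_headers(raw)]


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check_headers(raw))
```

None of these checks is proof of fraud on its own (a vendor may legitimately set a Reply-To, and a one-letter-different domain may belong to someone else entirely), so the output is best treated as a flag for a second look rather than an automatic block.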

An attacker takes over an unused subdomain on a legitimate domain (often via a dangling DNS entry pointing to a deprovisioned cloud asset). Mail from the hijacked subdomain inherits the parent domain's reputation and passes most authentication checks.

Example: A retailer's old "campaigns.brand.com" subdomain points to a cloud asset that was deprovisioned a year ago. An attacker re-registers the cloud asset, points it to their own server, and sends authenticated email from "support@campaigns.brand.com."

A real corporate mailbox is compromised (via phishing, password reuse, or token theft) and used to send fraudulent mail from the legitimate domain. Every authentication check passes because the mail is real.

Example: A controller's mailbox is phished. The attacker sends a Friday wire request to AP from inside the controller's real address. AP processes the wire because it appears to be from a known internal account.

An organization removes a service (a cloud bucket, a SaaS tenant) but leaves the DNS record pointing to the abandoned resource. An attacker re-claims the resource and now controls a subdomain that DNS attests is legitimate.

Example: A defunct support portal subdomain points to an abandoned S3 bucket. An attacker creates a bucket with the same name, populates it with phishing pages, and sends mail referencing the trusted-looking subdomain.

An attacker compromises a legitimate SaaS tool used by the target (a CDN, a doc-share platform, a status-page service) and triggers notifications from the real platform domain. The mail passes authentication because it is genuinely from the SaaS vendor.

Example: A user receives a "document shared with you" notification from a real cloud-doc service. The doc was created and shared by an attacker who signed up for the service, and the link routes to a phishing page hosted on the same platform.

AI-hybrid threats

An attacker uses a large language model to write phishing copy that is grammatically clean, contextually plausible, and free of the obvious tells (broken English, awkward phrasing) that older filters relied on. The model can also localize the lure into native-sounding copy in any language.

Example: A small-business owner receives a perfectly written email referencing their recent LinkedIn post and asking for a brief partnership call. The email is a phishing lure for credential harvest. No grammar tells, no formatting issues.

An attacker uses an AI voice clone of an executive (sourced from podcast, interview, or earnings-call audio) to make a phone call, then sends a coordinating email. The voice and the email together create a multi-channel signal that overrides skepticism.

Example: A finance lead receives a phone call that sounds like the CEO requesting an urgent wire. Within minutes, the CEO's "assistant" sends an email with the wire details. The voice and the email match each other; only the channels are fake.

An attacker uses generative AI to build a complete fake persona: LinkedIn profile, headshot, employment history, posting cadence. The persona is then used to send spear-phishing or social-engineering email that has supporting "social proof" if the recipient checks LinkedIn.

Example: A founder receives an outreach email from a "VP of Partnerships" at a real-sounding firm. LinkedIn shows a polished profile with appropriate connections. The persona, the firm, and the relationship are all fabricated.

An attacker uses an LLM to handle the phishing dialog in real time, responding to the target's questions, adapting to their objections, and pulling context from earlier messages. The conversation feels like a real human interaction even though the attacker is automating responses.

Example: A target replies skeptically to a phishing outreach. The attacker's LLM-driven response addresses each objection, references the target's prior message in detail, and re-frames the ask into something less threatening. The target eventually engages.

Auxiliary attack vectors

An attacker sends a calendar invite (.ics file) that contains an embedded URL in the description or location field. The recipient may auto-accept the invite (depending on settings) and the URL is then trusted because it appears in their calendar rather than their inbox.

Example: A team member sees a calendar event titled "Q2 Planning Sync" with a description that includes a meeting link. The link routes to a credential-harvesting site mimicking the company SSO.

An attacker emails a target hoping to trigger an out-of-office auto-reply. The reply often contains valuable reconnaissance: the target's schedule, who is covering for them, alternate phone numbers, and direct contacts. The information feeds a follow-up phishing or BEC attempt.

Example: An attacker sends a benign email to a CFO and receives an auto-reply: "I'm out until April 15. For urgent matters, contact my assistant Mary Lee at mary@brand.com." The attacker now has a CFO-out-of-office window and a named target for the follow-up.

An attacker uses automated tooling to submit phishing-laden messages through a website's contact form. The submission triggers a notification email to a real corporate address, with the phishing link or content embedded in the form data. The notification appears legitimate (it is from the company's own form processor) and lands in an inbox that trusts internal notifications.

Example: A marketing manager receives a "new contact form submission" with a message that includes a malicious link disguised as a portfolio. The link harvests credentials when clicked.

An attacker triggers a SaaS password reset to an email address they've already compromised. The reset link arrives in the compromised mailbox, the attacker uses it to take over the SaaS account, and from there pivots to other linked services or stored data.

Example: An attacker compromises a small-business email account. They request password resets at every SaaS the business uses (banking, CRM, accounting). The reset emails go to the compromised mailbox, and the attacker takes over each service in turn.

An attacker uses leaked PII (date of birth, last four of SSN, mother's maiden name from breach corpora) to answer security questions and recover a target's email account through the provider's recovery process. Once recovered, the account is theirs.

Example: A target's email is recovered by an attacker who answered "what is your mother's maiden name" using data from a 2017 breach. The recovery email goes to an attacker-controlled inbox; the target is locked out.

new patterns

See a new threat pattern?

If a new attack category has shown up in your inbox, send it our way. Email partners@rythm.xyz with the pattern name, a brief description, indicators if you spotted them, and a link to any primary-source reporting. The founder reviews suggestions personally and the index updates as new patterns warrant.

We index patterns, not specific named victims. Examples in the index are anonymized; sources cited are public reporting.
