The email subject line was a name. A specific name. The CEO of a cybersecurity company. The sender address was a Gmail account constructed to match that name. The message body was brief: the executive was tied up in a meeting, could not take calls, and needed a favor from a channel manager. Please reply by text.
That was the entire message. No link. No attachment. No urgency about money, at least not yet.
Business email compromise attacks that go straight to a wire transfer request in the first message fail at a high rate. Recipients are trained to be suspicious of sudden, out-of-character financial asks. The attacker knows this.
The channel-switch technique solves the problem. The first message is a low-stakes social engineering probe: establish that the target is available, willing to help the executive, and capable of receiving messages outside the corporate communication channel. Once that contact is established via SMS, the conversation is no longer visible to email security tools, IT logging, or organizational approval workflows. The attacker can escalate to gift cards, wire transfers, or credential requests on a channel where none of those controls exist.
The subject line carrying the executive's full name serves two purposes. It creates immediate familiarity, since most employees recognize their CEO's name. It also bypasses any keyword filters looking for generic BEC trigger words like "urgent wire" or "gift card purchase."
The sending address was tacticalreport80@gmail[.]com. The display name was set to match a real executive's name exactly. In most email clients, the display name is shown prominently while the actual address requires an extra click to inspect.
This is not spoofing in the technical sense. A spoofed sender forges a header to claim it comes from a domain it does not own. DMARC blocks that. This message was sent from a real Gmail account, meaning Google's infrastructure authenticated it correctly. SPF passed. DKIM passed. The message was entirely legitimate from the perspective of the sending infrastructure.
The only signal available was behavioral: a free webmail address had never previously communicated with this organization, the subject line contained an executive's name in a manner inconsistent with normal internal communication patterns, and the message requested an out-of-band reply. IRONSCALES Adaptive AI scored this at 88% confidence, flagging it under the VIP Recipient label, which fires when behavioral signals indicate an impersonation attempt targeting or invoking a senior executive.
Channel managers occupy a specific position in the organizational trust hierarchy. They have relationships with external partners, authority to facilitate deal-related actions, and regular exposure to requests that arrive from unfamiliar email addresses. An executive asking a channel manager for a fast off-record favor is not implausible on its face.
The attacker chose the channel manager as the recipient, not an accounts-payable clerk, not a C-suite peer, not an executive assistant. This choice reflects an understanding of organizational structure: the channel manager is senior enough to act without extensive approval chains, but not so senior as to have a direct personal relationship with the CEO that would make an impersonation immediately suspicious.
DMARC does not stop this. DMARC enforces alignment between the sending domain and the header-from domain. A Gmail-sent message aligned on gmail.com, which is exactly what it claims to be. The protection DMARC provides is against domain spoofing; it provides no protection against impersonation via lookalike display names on legitimate webmail infrastructure.
What stops this attack is behavioral detection at the inbox level combined with employee recognition of the display-name trap.
On the technical side, any first-contact webmail message whose display name matches a known executive should be automatically flagged before it reaches the inbox. The detection logic does not require reading the message content. It requires matching the display name against a roster of protected identities and comparing the sending domain against the organizational domain. When those two things do not match, the message gets elevated scrutiny.
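The check described in this paragraph, written out as an added example (this is not IRONSCALES code or the product's scoring logic). It assumes a protected-identity roster, an organizational domain of example.com, a free-webmail list and a list of channel-switch phrases, all constructed here; the impersonated executive is the placeholder "Alex Example", and the first sample message reproduces the one described above with the post's sender address refanged. Authentication results are recorded but deliberately play no part in the verdict, which is the point made about SPF, DKIM and DMARC above.

```python
"""Inbox-level behavioral check for display-name executive impersonation.

Added illustration, not IRONSCALES code. Roster, domain list, keyword list
and sample messages are constructed for the example.
"""
import re
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumed organizational domain
FREE_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "proton.me"}

# Protected identities: normalized display name -> the executive's real address.
# "Alex Example" is a constructed placeholder for the impersonated CEO.
PROTECTED_IDENTITIES = {"alex example": "alex.example@example.com"}

# Phrases that ask the recipient to leave the monitored email channel.
OUT_OF_BAND = re.compile(
    r"\b(reply by text|text me|reply via text|your (cell|mobile)|whatsapp|personal number)\b",
    re.IGNORECASE,
)


def normalize_name(name: str) -> str:
    """Lowercase, drop punctuation, collapse whitespace: 'Alex  EXAMPLE' -> 'alex example'."""
    return " ".join(re.sub(r"[^a-z\s]", " ", name.lower()).split())


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def auth_passed(msg: dict) -> bool:
    """True when SPF, DKIM and DMARC all report pass in Authentication-Results."""
    results = msg.get("authentication-results", "").lower()
    return all(f"{mech}=pass" in results for mech in ("spf", "dkim", "dmarc"))


def assess(msg: dict, known_senders: set) -> dict:
    """Score one message; returns a 'flag' verdict plus the reasons behind it.

    msg keys: from, subject, body, authentication-results (all strings).
    known_senders: lowercase addresses the organization has corresponded with.
    """
    display_name, address = parseaddr(msg.get("from", ""))
    address = address.lower()
    sender_domain = domain_of(address)
    reasons = []

    # 1. Display name matches a protected identity, sender domain is not ours.
    vip_hit = normalize_name(display_name) in PROTECTED_IDENTITIES
    external = sender_domain != ORG_DOMAIN
    if vip_hit and external:
        reasons.append(f"display name '{display_name}' matches a protected identity "
                       f"but the sender is {address}")

    # 2. Free webmail sender with no prior history with the organization.
    if sender_domain in FREE_WEBMAIL and address not in known_senders:
        reasons.append("first contact from a free webmail address")

    # 3. Subject line invokes a protected identity's name.
    subject_norm = normalize_name(msg.get("subject", ""))
    if any(name in subject_norm for name in PROTECTED_IDENTITIES):
        reasons.append("subject line carries an executive's name")

    # 4. Body asks for an out-of-band reply (the channel switch).
    if OUT_OF_BAND.search(msg.get("body", "")):
        reasons.append("request to move the conversation off email")

    # Authentication is reported but never consulted: a Gmail-sent message
    # passes SPF/DKIM/DMARC and still trips every behavioral signal above.
    flag = (vip_hit and external) or len(reasons) >= 3
    return {"flag": flag, "authenticated": auth_passed(msg), "reasons": reasons}


# Constructed samples: the first mirrors the message described in the post,
# the other two are benign controls.
SAMPLES = {
    "ceo_impersonation": {
        "from": "Alex Example <tacticalreport80@gmail.com>",  # post's IoC, refanged
        "subject": "Alex Example",
        "body": ("I'm tied up in meetings and can't take calls. I need a favor "
                 "from you, please reply by text with your cell number."),
        "authentication-results": "mx.example.com; spf=pass dkim=pass dmarc=pass",
    },
    "genuine_internal": {
        "from": "Alex Example <alex.example@example.com>",
        "subject": "Q3 partner review",
        "body": "Can you send the updated partner list before Thursday?",
        "authentication-results": "mx.example.com; spf=pass dkim=pass dmarc=pass",
    },
    "new_partner": {
        "from": "Sam Vendor <sam@partner-example.net>",
        "subject": "Intro: reseller program",
        "body": "Hello, we'd like to discuss joining your reseller program.",
        "authentication-results": "mx.example.com; spf=pass dkim=pass dmarc=pass",
    },
}
KNOWN_SENDERS = {"alex.example@example.com"}


def run_samples() -> dict:
    return {name: assess(msg, KNOWN_SENDERS) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(name, verdict)
```

The impersonation sample is fully authenticated and still flags on four independent signals, while the genuine internal message from the executive's own address and the first-contact partner email produce no reasons at all. In production the roster would come from the directory and the known-sender set from mail history; the matching logic itself is the small part.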
On the human side, the training question is simple: if your CEO is contacting you via a personal Gmail account, is that your company's normal communication pattern? For virtually every organization the answer is no, and employees who know to look at the address rather than the name will catch this immediately.
The FBI IC3 2024 report documented more than $2.9 billion in losses to email impersonation fraud in a single year. The Verizon DBIR 2026 attributes a portion of gateway attack volume to BEC, and notes that credentials and personal data together appear in 39% of breach kill chains. The channel-switch variant is particularly costly because the entire fraud escalation happens off-platform, often before IT is aware any engagement occurred.
MITRE ATT&CK classifies this as a phishing technique combining impersonation and pretexting. The Microsoft Digital Defense Report 2024 identifies executive impersonation as one of the most persistent and effective BEC vectors, noting that attacker ROI is high because the attack requires minimal infrastructure. A Gmail account is free. CISA guidance consistently recommends verifying unexpected requests through a separate known channel before acting, which is exactly the behavior a channel-switch attack is designed to pre-empt by creating urgency and asking the target to move to a different channel under attacker control.
The IBM Cost of a Data Breach 2024 report notes that social engineering attacks, which BEC falls under, carry some of the highest per-incident costs. For channel-switch BEC, the cost is especially high because the fraud is often not discovered until after the SMS conversation has concluded and a transfer has been made.
A display name is not a verified identity. That is the entire lesson.
---
| Type | Indicator | Context |
|---|---|---|
| Email address | tacticalreport80@gmail[.]com | Attacker-controlled Gmail used for CEO impersonation |
| Attack | What happened |
|---|---|
| Three Domains, One Scam: The RFQ That Routed Replies to a Freshly Built Lookalike | An RFQ email passed SPF, DKIM, and DMARC through one domain, impersonated a construction supplier through a second. |
| The CEO's Name Was Real. The Mailjet Account Behind It Wasn't. | An attacker impersonated the CEO of an email security company using a legitimate Mailjet ESP account with full SPF/DKIM pass. |
| The LinkedIn Invoice That Passed Every Email Check | A recently registered LinkedIn lookalike domain passed SPF, DKIM, and DMARC, then sent a one-line invoice probe to an accounts payable mailbox. |
| Every Authentication Check Passed. There Was Nothing to Scan. The Attack Was the Reply. | A fully authenticated email with no links, no attachments, and no malicious content asked recipients to reply all. |
| The Zoho Invoice That Was Four Months Late (And Kept Its Receipts on Google Drive) | A Zoho Books invoice for $802.50 arrived four months past due, passed initial authentication checks. |