The W-9 Was Real, the Company Was Fiction, and the Bank Account Was Waiting

TL;DR Attackers sent a $15,247.75 invoice from globaltradeaudit[.]org, a domain registered just ten days before the attack with no public registrant information. The email included a W-9 PDF with EIN 38-4378893 for a company called 'Synza, Inc.' along with full bank routing details (account, ABA, SWIFT). AP coding references (GL 742000, Cost Center Enterprise Operations) were embedded to mimic internal financial workflows. An AWS tracking pixel at awstrack[.]me monitored recipient engagement. The message passed SPF and DKIM via Amazon SES and relayed through Mimecast without triggering impersonation protections.
Severity: Critical
Tags: Invoice Fraud, BEC, Payment Diversion
MITRE ATT&CK: T1566.001 (Phishing: Spearphishing Attachment); T1036.005 (Masquerading: Match Legitimate Name or Location); T1589.001 (Gather Victim Identity Information: Credentials)

The invoice was for $15,247.75. The email included a completed W-9 tax form with an Employer Identification Number. Bank routing details were listed in the body: account number, ABA routing number, SWIFT code. AP coding references matched internal financial formatting. For an accounts payable clerk processing vendor invoices, this was a complete payment package.

The domain that sent it, globaltradeaudit[.]org, had been registered ten days earlier. No public registrant. No website. No history. The company named on the W-9, "Synza, Inc.," had no verifiable presence outside the documents attached to this email.

This is invoice fraud built to survive the verification checklist, not to bypass email filters. Every document an AP team would request was already included.

The Documentation Package That Answered Every Question

The email arrived via Amazon SES from IP 54[.]240[.]8[.]242 with SPF and DKIM passing cleanly. It relayed through Mimecast infrastructure at 170[.]10[.]128[.]131 without triggering impersonation protections. The sending domain had no DMARC policy, which meant authentication results reflected the ESP's authorization, not the domain's intent.

The attachments did the heavy lifting. The W-9 listed Synza, Inc. with EIN 38-4378893 and a mailing address. The invoice referenced a specific engagement with a well-known energy research organization. Bank details in the body directed payment to Account 977923968802061, ABA 121145433, SWIFT CLNOUS66MER. Internal AP coding (GL 742000, Cost Center Enterprise Operations) mimicked the target organization's own financial formatting.

An AWS tracking pixel embedded in the email body loaded from awstrack[.]me when the message was opened. This gave the attacker real-time confirmation that the AP team had engaged with the invoice, enabling timed follow-up pressure if the initial payment was not processed.

Why the Age of the Domain Tells the Story

The most reliable signal in this attack was the domain registration date. globaltradeaudit[.]org was created on March 12, 2026. The phishing email was sent ten days later. Domains with no email history, no web presence, and privacy-shielded registration records that immediately begin sending invoices with bank routing details are a textbook pattern in business email compromise.

Adaptive AI flagged the convergence of signals: first-time sender, newly registered domain, financial request with embedded bank details, and the absence of any prior communication between the sender and the target organization. The message was quarantined before the AP team could initiate a payment.
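
The convergence of signals described above, together with the earlier observation that SPF and DKIM passed while the sending domain had no DMARC policy, can be written as a small rule set. This is an added example, not IRONSCALES' detection logic or code from the original post. The sample message is constructed from the payment details the article reports; the sender domain `new-vendor.example`, the header layout, the `known_vendor_domains` set, the 30-day threshold and the verdict rule are assumptions, and the domain creation date is passed in as it would come from a WHOIS/RDAP lookup.

```python
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: payment details as reported in the article; the sender
# domain and header layout are placeholders/assumptions.
RAW = """\
From: Accounts <billing@new-vendor.example>
Date: Sun, 22 Mar 2026 14:03:00 +0000
Subject: Invoice - $15,247.75
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=amazonses.com;
 dkim=pass header.d=amazonses.com; dmarc=none header.from=new-vendor.example

Please remit to Account 977923968802061, ABA 121145433, SWIFT CLNOUS66MER.
Coding: GL 742000, Cost Center Enterprise Operations.
"""

def aba_valid(n):
    """ABA checksum: 3(d1+d4+d7) + 7(d2+d5+d8) + (d3+d6+d9) divisible by 10."""
    d = [int(c) for c in n]
    return (3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7])
            + (d[2] + d[5] + d[8])) % 10 == 0

def bec_signals(raw, domain_created, known_vendor_domains, max_age_days=30):
    """Return the sender and payment signals present in one raw message."""
    msg = message_from_string(raw)
    domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    sent = parsedate_to_datetime(msg["Date"]).date()
    auth = " ".join(msg.get("Authentication-Results", "").lower().split())
    body = msg.get_payload()
    signals = []
    if (sent - domain_created).days <= max_age_days:  # date from WHOIS/RDAP
        signals.append("new_domain")
    if domain not in known_vendor_domains:
        signals.append("first_time_sender")
    if "dmarc=pass" not in auth:  # SPF/DKIM may pass for the ESP alone
        signals.append("no_dmarc_pass")
    if any(aba_valid(m) for m in re.findall(r"\b\d{9}\b", body)):
        signals.append("bank_routing_in_body")
    if re.search(r"\b(?:SWIFT|BIC)\W+[A-Z]{6}[A-Z0-9]{2}(?:[A-Z0-9]{3})?\b", body):
        signals.append("swift_code_in_body")
    return signals

def verdict(signals):
    """Quarantine when a payment request coincides with two sender signals."""
    sender = {"new_domain", "first_time_sender", "no_dmarc_pass"} & set(signals)
    payment = {"bank_routing_in_body", "swift_code_in_body"} & set(signals)
    return "quarantine" if payment and len(sender) >= 2 else "deliver"
```

The same body sent from an established, DMARC-aligned vendor domain yields only the payment signals and is delivered, which is the point: no single signal decides the outcome.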

Indicators of Compromise

| Type | Indicator | Context |
| --- | --- | --- |
| Sender Domain | globaltradeaudit[.]org | Registered Mar 12, 2026, no public registrant |
| Sending IP | 54[.]240[.]8[.]242 | Amazon SES infrastructure |
| Relay IP | 170[.]10[.]128[.]131 | Mimecast relay |
| Bank Account | 977923968802061 | Attacker-controlled mule account |
| ABA Routing | 121145433 | Bank routing number in payment instructions |
| SWIFT Code | CLNOUS66MER | Wire transfer routing |
| W-9 Entity | Synza, Inc. (EIN 38-4378893) | Fictitious or shell company on W-9 |
| Tracking Pixel | awstrack[.]me | AWS engagement tracking pixel |
| AP Coding | GL 742000, Cost Center Enterprise Operations | Mimicked internal financial formatting |

MITRE ATT&CK Mapping

| Technique | ID | Relevance |
| --- | --- | --- |
| Phishing: Spearphishing Attachment | T1566.001 | W-9 and invoice PDF attachments |
| Masquerading: Match Legitimate Name or Location | T1036.005 | Fictitious vendor identity with AP coding |
| Gather Victim Identity Information: Credentials | T1589.001 | AWS tracking pixel for engagement monitoring |

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack. What it looked like, why it worked, and what to do about it.
