Table of Contents
The email asked for one cent.
Not a wire, not a routing-number change, not a login. It landed in the accounts receivable and collections mailboxes of a multinational specialty-ingredients manufacturer with the subject ACH TEST CONFIRMATION, flagged high importance, and it made a small, reasonable request: please confirm receipt of a $0.01 ACH test deposit. It carried no links and no attachments. And it sailed through authentication clean, with SPF, DKIM, and DMARC all passing and a composite authentication score of 100.
That is exactly why it worked. A one-cent test deposit is one of the most boring things a finance team sees. It is also one of the most useful things an attacker can send. This was not a real bank micro-deposit verification. It was a dry run, a low-value ping designed to confirm that a bank account and routing pairing was live and monitored before anyone tried to move real money.
Why One Cent Is the Whole Attack
Micro-deposits are a legitimate banking mechanism. When you link a new account to a payment platform, the platform drops a few cents in and asks you to confirm the amounts. Fraudsters borrowed the pattern. A $0.01 ACH validation deposit tells an attacker two things at once: whether the account details they hold are valid and active, and whether a human on the other side will engage with an unsolicited payment message.
The moment a recipient replies to confirm, the attacker learns that the mailbox is live, that a real person is watching it, and that this person will act on ACH instructions without independent verification. That reply is the reconnaissance payload. The dollar amount is trivial on purpose, because the goal is not to steal a cent. It is to qualify a target for the fraudulent invoice or bank-detail change that comes next.
In this case, the recipients did reply. The follow-up messages in the Re: ACH TEST CONFIRMATION thread were caught and quarantined across the affected mailboxes over the following days, which cut the conversation off before it could escalate.
The Trap Was That It Was Real
The uncomfortable detail here is that the sending domain was legitimate. It was a long-established food-supplier domain registered more than two decades ago, actively used, with valid DKIM signing keys. The message authenticated because it genuinely originated on that domain's infrastructure. This is the signature of vendor email compromise, where an attacker operates from inside a trusted third party's real, authenticated mailbox rather than from a spoofed lookalike.
That distinction matters because it breaks the assumption most email defenses are built on. SPF, DKIM, and DMARC answer the question "did this message really come from the domain it claims?" They do not answer "should you trust what it is asking for?" A message sent through vendor email compromise passes all three checks by design. The 2024 Verizon Data Breach Investigations Report found that stolen credentials were involved in 38% of breaches, and once a real vendor mailbox is the launch point, authentication stops being a filter and starts being a credential the attacker gets to borrow.
The one behavioral fact authentication could not launder: this was a first-time sender to these mailboxes. A vendor that has never emailed your collections desk before, suddenly asking it to confirm an ACH test, is a contradiction. The message looked trustworthy and behaved like a stranger.
Reading the Signals a Gateway Missed
A traditional secure email gateway (SEG) grades on the artifacts it can see: bad links, malicious attachments, failed authentication, known-bad senders. This message had none of those. No URL to detonate, no file to sandbox, clean auth, and a domain with a spotless multi-year reputation. On paper it is indistinguishable from routine vendor correspondence.
Themis, the IRONSCALES agentic AI SOC analyst, scored it as phishing at 73% confidence by weighing behavior instead of artifacts. The combination that tipped it: a first-time external sender, an unusual payment-confirmation request, a high-importance flag, and a nominal test amount, arriving at finance role mailboxes. Adaptive AI models what normal looks like for each sender and recipient relationship, so the mismatch between "authenticated vendor domain" and "never contacted this team before, now wants an ACH confirmed" registered as anomalous even with every authentication check green.
See Your Risk: Calculate how many threats your SEG is missing
Mapped to MITRE ATT&CK, the technique is Phishing (T1566), specifically the link-and-reply reconnaissance style of Spearphishing via Service (T1566.002) adapted into a payment-confirmation pretext. The financial motive puts it squarely in business email compromise (BEC) territory, and the numbers there are not small. The FBI's 2023 Internet Crime Report attributes more than $2.9 billion in reported losses to BEC, and IBM's 2024 Cost of a Data Breach report continues to rank phishing among the costliest initial access vectors.
Indicators worth flagging
| Type | Indicator | Context |
|---|---|---|
| Subject | ACH TEST CONFIRMATION | Payment-confirmation lure, flagged high importance |
| Amount | $0.01 ACH test deposit | Account-validation ping, not a real transaction |
| Sender behavior | First-time external sender to finance mailboxes | Never-before-seen relationship |
| Authentication | SPF, DKIM, DMARC all pass, compauth=100 | Legitimate vendor domain, likely compromised |
| Payload | Zero links, zero attachments | No artifact for a gateway to detonate |
What Finance and Security Teams Should Change
The defense here is procedural first and technical second, because the attack targets a human decision.
Treat every payment confirmation as unverified until you verify it yourself. Do not confirm an ACH, a deposit, or a bank-detail change by replying to the email. Check the deposit directly in your banking or AP system, and reach the vendor through a phone number or portal from your own records, never from the message. A one-cent confirmation request should trigger the same out-of-band check as a six-figure wire.
Assume authentication can be borrowed. DKIM and DMARC are necessary, and you should still enforce them with active DMARC monitoring. But a passing result is not a trust decision. The 2024 Verizon DBIR identifies pretexting, most of it BEC, as the top social-engineering incident type, and vendor compromise is one of its cleanest delivery paths precisely because it authenticates.
Layer behavioral detection over the gateway. Artifact-based filtering cannot catch a payload-free message from a real domain. Anomaly detection that models sender, vendor, and payment behavior is what closes the gap on business email compromise and invoice fraud. The IRONSCALES platform pairs that Adaptive AI with a community of more than 35,000 security professionals, so a validation-ping pattern seen at one organization becomes a signal for the rest.
The attacker in this case spent one cent trying to learn whether your finance team would talk back. The cheapest control you have is a policy that says it never confirms money over email. The most durable one is a detection layer that reads intent, not just headers.
Related attacks
| Attack | What happened |
|---|---|
| The Zoho Invoice That Was Four Months Late (And Kept Its Receipts on Google Drive) | A Zoho Books invoice for $802.50 arrived four months past due, passed initial authentication checks. |
| The Domain Was 14 Days Old. Zoho Authenticated It Anyway. | A freshly registered domain used Zoho's transactional email service to pass SPF, DKIM, and DMARC checks. |
| The Audit Request That Passed Every Authentication Check: How a Compromised Nonprofit Account Weaponized URL Shorteners | A phishing campaign hijacked a legitimate nonprofit email account to send fraudulent audit requests with malicious URL shortener links. |
| Every Authentication Check Passed. The Display Name Was the Weapon. | An attacker impersonated a known contact's display name from an authenticated business domain, embedding a Google Form as the data-collection vehicle. |
| Mimecast SafeLinks Phishing: Wrapped URLs Hide Lookalike Domains | Attackers routed a credential-harvesting link through Mimecast SafeLinks so the recipient saw a Mimecast-rewritten URL. |
Explore More Articles
Say goodbye to Phishing, BEC, and QR code attacks. Our Adaptive AI automatically learns and evolves to keep your employees safe from email attacks.