Anatomy of a Scam: How a Fake "Attendee List" Almost Cost a Client This Week

This week, the Proofpoint email security platform we deploy for our clients quarantined an outgoing message from one of those clients — an executive assistant about to wire payment for a conference attendee list. The system flagged it as fraud with Very High confidence, citing imposter and impersonation signals, and held the message before it could leave the network. By the time we finished verifying the thread, it was clear that the entire conversation, going back nearly three weeks, was a scam. No money moved. No data was lost. But the case is a textbook example of an attack we've been seeing more and more, and we think it's worth breaking down publicly so other businesses can recognize it.

The Setup

Our client's CEO had recently engaged with a professional conference. A few days after the engagement, an email arrived from someone claiming to work for the conference, asking whether he'd like the attendee list. He said yes. Within a few hours, a "vendor" jumped into the thread offering the list for sale at two price tiers — $650 or $700. The pricing felt reasonable. The branding was clean. The vendor sent a purchase order, the client signed it, an invoice came back, and three weeks later the executive assistant was preparing to send payment by check or wire.

That's when Proofpoint flagged the outbound message and held it. What we found, once we dug in, was that nothing about the conversation was real.

How the Scam Works

This pattern has a name in the events industry: the conference attendee list scam. It runs on a predictable script:

  1. The scammer identifies the target. They scrape conference websites, sponsor pages, and LinkedIn for businesses attending or exhibiting at upcoming industry events.
  2. They impersonate the conference organizer. A cold email arrives from someone using a name and signature that looks like staff at the conference, offering to share the attendee list.
  3. A "vendor" takes over. Once the target replies with interest, a second persona — usually positioned as the conference's data partner — steps in with pricing, a purchase order, and an invoice.
  4. They request payment by check or wire. ACH is usually refused. The mailing address points to a U.S. location to add credibility, but the operation is run from overseas.
  5. The list never arrives, or what arrives is worthless scraped data. By the time the target follows up, the domain is gone.

Legitimate conferences do not sell their attendee lists this way. They never authorize unsolicited third parties to do it on their behalf.

The Red Flags We Saw

Every scam of this type leaves the same fingerprints. In this case:

  • Fresh look-alike domains. The "vendor's" primary domain was registered three months ago. A CC'd "accounting" address on a near-identical but distinct domain had been registered 29 days ago — set up specifically for this campaign.
  • Three different business names in the same transaction. The email signature said one thing, the email domain said another, and the check was made out to a third entity. Real companies are consistent across these.
  • A mailing address and phone number that don't match. Pennsylvania address, Houston area code.
  • No real web presence. No findable website, no LinkedIn footprint for the supposed staff, no business history.
  • Distinctive language patterns. Phrases like "kindly share the confirmation receipt" and "drop us an email once the payment is processed" are consistent with operations run outside the U.S.
  • Pressure tactics late in the thread. The "vendor" pushed for a tracking number on the check before the list would be released — a small urgency lever that's easy to dismiss but designed to keep the target moving.
  • The original "conference contact" was unknown to anyone at the company. The person who supposedly started the conversation didn't actually work for the conference. Nobody checked, because the handoff to the "vendor" happened so quickly.
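
The first two red flags, plus the entity-name mismatch, can be checked mechanically when triaging a payment thread. The sketch below is an added example, not part of the original case or of Proofpoint's logic; the addresses, names, dates, the 120-day age cutoff and the 0.9 similarity threshold are all assumptions, and registration dates would normally come from a WHOIS/RDAP lookup.

```python
from datetime import date
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample thread: every address, name and date is invented.
# "registered" is the domain's registration date (normally from WHOIS/RDAP).
THREAD = {
    "checked_on": date(2024, 6, 1),
    "known_domains": {"client.example"},  # domains the company already trusts
    "participants": [
        {"addr": "sales@eventdata-lists.example", "registered": date(2024, 3, 1)},
        {"addr": "accounting@eventdata-list.example", "registered": date(2024, 5, 3)},
        {"addr": "assistant@client.example", "registered": date(2012, 1, 15)},
    ],
    "entity_names": {"signature": "Event Data Partners",
                     "domain": "EventData Lists", "payee": "EDL Holdings LLC"},
}

def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower()

def young_domains(thread, max_age_days=120):
    """Unfamiliar domains registered within max_age_days of the check date."""
    out = {}
    for p in thread["participants"]:
        d = domain_of(p["addr"])
        age = (thread["checked_on"] - p["registered"]).days
        if d not in thread["known_domains"] and age <= max_age_days:
            out[d] = age
    return out

def lookalike_pairs(thread, threshold=0.9):
    """Distinct domains in the same thread that are near-identical strings."""
    domains = sorted({domain_of(p["addr"]) for p in thread["participants"]})
    return [(a, b) for a, b in combinations(domains, 2)
            if SequenceMatcher(None, a, b).ratio() >= threshold]

def distinct_entities(thread):
    """Normalized business names seen in the signature, domain and payee."""
    return {"".join(c for c in n.lower() if c.isalnum())
            for n in thread["entity_names"].values()}

def review(thread):
    flags = [f"young domain: {d} ({age} days)" for d, age in young_domains(thread).items()]
    flags += [f"look-alike domains: {a} / {b}" for a, b in lookalike_pairs(thread)]
    names = distinct_entities(thread)
    if len(names) > 1:
        flags.append(f"{len(names)} different business names in one transaction")
    return flags
```

Calling `review(THREAD)` returns one line per finding; any non-empty result is a reason to verify the counterparty out of band before payment is prepared.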

What To Do If You Receive One

If you get an email offering to sell you a conference attendee list, treat it as fraudulent until proven otherwise.

  • Do not reply. Even a polite "no thanks" confirms your mailbox is active and invites more attempts.
  • Verify the original contact. Look up the conference organizer's main phone number on their official website — not anything in the email — and call to confirm whether the named person works there and whether they've authorized any vendor to sell a list.
  • Don't sign purchase orders or contracts. A signed PO is reusable. Scammers can lift your signature and your company letterhead and use them in other fraud.
  • Don't send payment. Check, wire, ACH, gift card, crypto — all of it goes to the same place, and it's not coming back.
  • Report it. The FTC accepts reports at ReportFraud.ftc.gov. If you exhibit at trade shows regularly, also let the actual conference organizer know so they can warn other exhibitors.

What To Do If You've Already Paid

Move fast. Time matters.

  • Contact your bank immediately and request a recall on the wire or stop payment on the check. Recalls have a narrow window — usually 24 to 72 hours — and after that the money is gone.
  • File a report at IC3.gov (the FBI's Internet Crime Complaint Center). For losses over $1,000, this is the right channel.
  • Notify your insurer. Some cyber liability policies cover invoice and wire fraud, but only if reported quickly.
  • Have your IT team audit your mailboxes for inbox rules, forwarders, and unusual sign-ins. Some versions of this scam are paired with a quiet mailbox compromise on the victim's side.

Credit Where It's Due

It's worth being clear about what actually saved this client: the Proofpoint email security platform we deploy as part of our managed security stack. The scammer wrote a convincing thread. The pricing was modest. The pacing felt normal. Three weeks of back-and-forth had built up enough familiarity that the client team had no reason to suspect anything by the time payment was being prepared.

What broke the chain was Proofpoint's classification engine reading the outbound reply and scoring it Very High on imposter and impersonation indicators — based not on the content of the message itself, but on the combination of fresh look-alike domains, mismatched entity identities in the thread, and financial language. That signal is what gave us the time to investigate before money moved.

Email security tools sometimes get a bad reputation because most of what they do is invisible — until the day they catch the one message that would have cost you. This was that day. We deploy Proofpoint for our managed clients precisely because this category of fraud doesn't look like fraud to a human reader anymore, and a properly tuned filter sees patterns that even experienced staff will miss.

The Bigger Pattern

This is one of a family of business email compromise scams that target finance and operations staff at small and mid-sized businesses. The dollar amounts are kept small — $500 to $2,000 — because that's below most internal approval thresholds and rarely triggers a second look. Multiplied across thousands of targeted businesses, it's a profitable operation.

The defense is straightforward but requires discipline: verify out of band, never trust a thread without confirming both endpoints, and treat any unfamiliar address copied into a financial conversation as suspicious until proven otherwise.

If your business attends or exhibits at industry conferences, your team should know what this scam looks like before it shows up in their inbox.


Boston Managed IT is a Boston-based managed services provider helping growing businesses stay secure, productive, and well-supported. If you'd like to talk about your organization's email security posture, book a call or reach us at (800) 899-3195.