That cannot be done. The transaction will not look valid to any clients no matter if it is in the longest chain or not. The attacker cannot send coins from a public address that he does not have the private key for. The way this attack works is that a legitament spend happens in, say, block 105000. After the merchant acknowledges it the attacker releases a new 105000 and as many blocks after it as needed to make it the longest chain. Now the network knows the attacker holds the coin because there is no record of the transaction.