Beware the fake invoice

It’s raining invoices, both at home and at the office. Turns out that it might be raining phishes, too.

Post hero image

Table of contents

It’s raining invoices, both at home and at the office. Receiving them doesn’t necessarily ring any alarm bells and the payment process is usually done hastily out of habit – one of “let’s just get them off the table before they accumulate” rather than “let’s take some time and read all of these.” Later, suspicion might crawl into your mind: did I truly check the invoice well enough, was it truly legitimate? Turns out that it might be raining phishes, too.

We discussed how to avoid getting personally invoice phished in a previous blog post (Here it is: How to check for fake invoices), so let’s dive into the deep end of the pool: company invoices. As the bait for these types of phishes is bigger, these scams include some added stakes. For example, large sums of money don’t look nearly as off in them as they do in personal invoices, and they aim for a more complex emotional response.

How payment slips into the wrong hands

Emails posing as invoices issued by one company to another can be especially hard to recognize as phishing. They tend to include a tricky combination of elements that creates favourable conditions for the scam to succeed. For example, exploiting compromised email addresses is a good way to send fake invoices. Because a real address is used, the phish will likely reach the recipient and seem quite real - more so if the breached company happens to do business with the target. Luck, or research, is a big factor in phishing in general. Impersonating a real business partner is more likely to yield results. Furthermore, flash attacks have been on the rise lately. This means the attackers register a brand-new fake domain, which is then used for sending emails and hosting phishing websites. These domains are created to impersonate domains of real entities, often by substituting or appending characters or switching the top-level domain (the “.com” or such ending after domain name). In short, flash attacks refer to using domains very similar to those of legitimate companies in phishing. And of course, being part of the phishing fundamentals, spoofing is ever prevailing.

In addition to malicious links, attachments are naturally very popular in invoice scams as it is normal to send an invoice as an attachment. Malware and credential harvesters are often delivered in attachments, which adds to the threat. Invoice emails tend to have quite general text in the body, which, again, eases impersonation.

If the phish is sent to the correct person — perhaps a new employee, an intern, or maybe an interim employee whose job role isn’t invoicing related — the emotional aspects of phishing may become much more effective. The urgency of an approaching due date and the will to perform well and satisfy clients might get to you, especially so when you want to show your capabilities. Fear of failure can lead to a lack of asking for help because you don’t want to feel awkward, which will only benefit the phishers. Carefully considering whether the invoice is expected and as it should be is crucial in preventing phishing. Consulting others, whether it is asking a knowledgeable co-worker or contacting the claimed sender of the invoice through another verified channel, is detecting phishing indicators in the context of increased related information. So, asking for help is important when in doubt. After all, the consequences of company invoice scams can be grave: they can cause large finance cuts, loss of reputation, escalate to other scams or perhaps even affect one’s employment.

Breakdown of a fake invoice

Now, how about dissecting a real company invoice phishing attempt? The email below impersonates an actual law firm and claims an invoice is still unpaid despite reminders.

Seems rather legitimate, doesn’t it? If you’re reading it in a hurry, it’s hard to spot anything off about this email and this is exactly what the phishers are counting on - spare time is (usually) rare while at work, after all. But we’re here to implement an inbox surfing best practise: let’s take a closer look. The most obvious sign of phishing in this case is the email being a flash attack. It was sent from a domain very similar to the impersonated company’s actual domain. To boot, the domain had even been added to Microsoft 365 and the most common email authentication standards (SPF, DKIM, and DMARC) had been configured. This allowed the phish to pass inbox filters with flying colours.

Apart from the vagueness, the text itself doesn’t give away much. There are no distinct spelling mistakes nor commands to act upon the email this very second. The signature is professional — even though the job title is a bit off (“Head of Debt Recovery” is… hastily written, let’s face it) and the only link leads to the company’s real website. Thus, the most important question to consider, “Is this a service we use?” is highlighted. If the attackers have luck on their side or if this were a thoroughly prepared spear phish, the impersonated and the recipient’s companies may well work together. Assuming the fabricated domain went unnoticed, we are down to just one warning sign: the invoice number. If the number mirrors standard practises, well, the days of being unphished might be due.

Here’s another example with a smart inconspicuous domain (check out the signature).

On the contrary, the phishing attempt below has not deployed the domain technique but pretends to be a forwarded email. The phishers have first typed up an impersonation of a real accounting firm and then pretend to be the recipient’s co-worker forwarding this inquiry to them.

Staying off the hook

  • Did you expect this? As always, think it over once more. Is this actually something relevant for the company? If not, the phishing bells are ringing. Even if the email happened to be an honest mistake, it does not require opening of links or attachments.
  • Ask when in doubt. People who should be familiar with the invoice through verified channels, us using the Hoxhunt button. Going forward with a transaction for the sake of “out of sight, out of mind” won’t pay the bills - except maybe for the phishers.
  • Do not forward. Although forwarding the email to a co-worker might seem like a great idea, be careful, doing so might make them think invoice is real and you are asking for them to take care of it. Potential malware and malicious links are also being spread when forwarding.
  • What is included? Does the email have links or attachments? Heed carefully. Do the claimed invoice details match the company standards? The attackers can always do research or contrive details, think carefully if things match what you expect.
  • Domains can be deceitful. Email addresses are constantly compromised, new domains pop up all the time, spoofing is going steady. A domain appearing legitimate is no guarantee.
Want to learn more?
Be sure to check out these articles recommended by the author:
Get more cybersecurity insights like this