Ever received an unexpected invoice? It's a harrowing feeling. Your palms are sweaty, knees weak, arms are heavy. There's an invoice in your inbox. It says you owe money that you've spent(y). Look, reader, the Eminem satire can't go on forever. But it seems this kind of phishing scheme can.
Invoice phishing is very common, yet unfortunately, it is also quite tricky to spot. If you misjudge the legitimacy of an invoice, scammers can cash in not just on your money but on your personal information, and potentially infect your computer as well. There are two types of invoices that usually arrive in your work email inbox: they are either aimed at the company you work for, or at you personally. For now, let's concentrate on what happens when you receive one addressed to you.
Invoice scams targeting the recipient specifically usually come in the form of service provider impersonations. Ever use software for work? That's a service provider because they (stick with me here) provide a service. Phishers often pretend to be a service provider because a lot of people use them; the bigger the net, the more (ph)fish you're going to catch, right? Fake invoices for physical products are relatively common too, but whatever is allegedly being billed for, the goals are the same: the attackers want your credentials, personal information and money.
Invoice phishing cannot be avoided merely by refusing to pay dubious bank account numbers when told to. Legitimate-seeming messages often lead to truly legitimate services, such as PayPal and QuickBooks, but the payment is not directed to where it should go. The malicious actor might hide their domain behind spoofing, and if everything looks as it should, typing out your Office365 credentials might not cause that much harm, right?
(Dramatic music) Wrong.
Do not throw your precious pennies into a phish pond
The first thing to do when receiving an invoice is to stop and think: "Hey, I'm a pretty smart person. Do I use this service?" As with any email, carefully considering "Gee whiz, did I expect this email?" is an important self-protection tool against cybercrime. You'd be amazed at how many people just pay an invoice when they see it in their inbox.
So! You've deduced that you do not use the service. It is therefore quite probable you are dealing with a phishing attempt. Something funky is going on. One thing you can do in this situation is let the (real, genuine) service provider's customer support team know that a scam is being sent out using their name. Never forward the actual email to them, though, as forwarding spreads both the danger and the damage even if you've successfully detected a scam. When you send out a scammer's email to another person, regardless of intent, you're literally doing their work for them and making their job easier.
But what if you do use the service? Well, things just got more complicated. Let’s dive into a real invoice phish to get a better idea. Here's one from Norton. We see variations on this particular one all the time (All. The. Time. It's one of the most common ones out there).
There's a reason these are something of an invoice phishing classic and have been prevalent for a good while: Norton software is widely used, making the company a convenient impersonation target. If the scammers got lucky or did their homework right, the recipient of the above email is indeed a Norton customer. Taking a quick glance in a hurry, the invoice seems rather real, and seeing the nearing due date, one might just go and pay for fear of an overdue payment. Looking closer, though, phishing indicators can be found; one of them is the short notice, as electronic invoices tend to be sent well in advance of their due dates. Also, the recipient is addressed as "Customer", not by their actual name, even though a subscription without a name attached is unlikely. We all have names in this world, bub.
Furthermore, the chances of a real invoice having such a simple invoice number (here it's "1001") are low, and the product name and pricing do not quite match what can be found on the company website.
The "Print or save" buttons lead to a QuickBooks page, where the invoice can be paid. The site itself is legitimate, and as the invoice was sent through their service, it also comes from their email address. This makes it more likely that these emails pass through spam filters. The landing page, however, also contains the most glaring anomaly: the merchant details. The merchant email, to which the payment will be sent, has nothing to do with Norton. Even if Norton did use QuickBooks for billing, they would not use a completely unrelated domain (a few days old, at that) to do so. We've doctored the above screenshot so as not to give the scammer any undue credit.
More common attack styles
Invoice phishing using document sharing (on the left) and service impersonation (on the right):
Making use of real document sharing and e-signing services, such as Adobe or PandaDoc here, is very popular in phishing regardless of scam type. The email once again comes from a legitimate service and link clicking is required to see what the invoice is about. This makes discerning its relevance more difficult and it takes the recipient further down the rabbit hole.
On the other hand, the payload of the above Standard Notes impersonation (on the right) is actually vishing — meaning, they want you to call them. This means you'll interact with them more, which means you'll trust them more, which means you're more likely to pay up. It includes similar signs of phishing as the Norton impersonation, topped with some more detail but also some bad English. The scammers claim payment details were already received to give you an incentive to call the (very emphasized) phone number, so that you, the unsuspecting person, will start the scam call yourself. Additionally, invoice phishes frequently lead to credential harvesting. Making sure the site asking for login information is legitimate is essential, just as not typing credentials into opened attachments is.
Staying off the hook
- Did you expect this? Thinking about whether you do use the service (or did buy those badass whale slippers) blocks many invoice phishing attempts. If your answer is no, you should also not open the invoice. If you think the invoice was meant for your co-worker, for example, ask directly, do not forward the email.
- Does it seem too urgent? No one wants marks on their credit reports for late payments or to have their credit rating downgraded. Malicious actors know this too and exploit it by making you feel you must rush the payment. Hurry makes people careless, so pay extra attention.
- Look out for weird numbers. (And not just in the Severance way... great show, check it out - Editor's note). Unusually high payment requests should raise suspicion, but so should unusually low (as often seen with parcel phishes).
- Check who it's from and where it leads. Does the email come from someone real, and do the links lead to where they should? If you decide to click the links, check again. Were you directed where you should be, and are the biller's details what they should be?
- Be careful with attachments. Invoice emails often contain attachments and attachments often contain malware and credential harvesters. Check the file format for telltale signs, and never open them if you're unsure.
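As an added illustration (not part of the original post), here is a small Python triage helper that checks a parsed invoice against the indicators described above: short notice, generic salutation, a simple invoice number, a payee domain unrelated to the impersonated brand, and a "payment received, call us" vishing lure. The invoice fields, brand, domains and phone number are constructed sample values, not taken from any real email.

```python
import re
from datetime import date

# Is the impersonated brand a DNS label of the payee's domain? This is a deliberately
# minimal check; a production version would consult a public suffix list.
def payee_domain_matches_brand(merchant_email: str, brand: str) -> bool:
    domain = merchant_email.rsplit("@", 1)[-1].lower()
    return brand.lower() in domain.split(".")

def invoice_flags(inv: dict) -> list:
    """Return the phishing indicators from the article that this invoice exhibits."""
    flags = []
    # Short notice: electronic invoices normally arrive well before the due date.
    days = (inv["due"] - inv["received"]).days
    if days < 7:
        flags.append(f"short notice ({days} days to due date)")
    # Generic salutation instead of the subscriber's actual name.
    if re.match(r"^(dear\s+)?(customer|user|client)\b", inv["salutation"], re.I):
        flags.append("generic salutation")
    # An implausibly simple invoice number such as 1001.
    if re.fullmatch(r"\d{1,4}", inv["invoice_no"]):
        flags.append("simple invoice number")
    # Payee domain unrelated to the brand the invoice claims to come from.
    if not payee_domain_matches_brand(inv["merchant_email"], inv["claimed_brand"]):
        flags.append("payee domain unrelated to claimed brand")
    # Vishing lure: a "payment received/charged" claim next to a phone number to call.
    body = inv["body"]
    phone = re.search(r"\+?\d[\d\s().-]{8,}\d", body)
    if phone and re.search(r"\b(received|charged|processed)\b", body, re.I):
        flags.append("call-back (vishing) lure")
    return flags

# Constructed samples (not real emails): one suspicious invoice, one plausible one.
SUSPICIOUS = {
    "claimed_brand": "norton", "merchant_email": "billing@nort0n-renewals.example",
    "salutation": "Dear Customer,", "invoice_no": "1001",
    "received": date(2024, 3, 2), "due": date(2024, 3, 4),
    "body": "Your payment of $299.99 has been received. Call +1 (800) 555-0199 to cancel.",
}
PLAUSIBLE = {
    "claimed_brand": "norton", "merchant_email": "billing@norton.com",
    "salutation": "Dear Alice Example,", "invoice_no": "INV-2024-0381927",
    "received": date(2024, 3, 2), "due": date(2024, 4, 1),
    "body": "Your annual subscription renews on 1 April. No action is needed.",
}

if __name__ == "__main__":
    for name, inv in (("suspicious", SUSPICIOUS), ("plausible", PLAUSIBLE)):
        print(name, invoice_flags(inv))
```

The suspicious sample trips all five checks while the plausible one trips none; in practice any single flag is a reason to verify the invoice out of band rather than pay.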