Here's how to check to make sure you're not being scammed.
Ever received an unexpected invoice? It's a harrowing feeling. Your palms are sweaty, knees weak, arms are heavy. There's an invoice in your inbox. It says you owe money that you've spent(y). Look, reader, the Eminem satire can't go on forever. But it seems this kind of phishing scheme can.
Invoice phishing is very common, yet unfortunately it is also quite tricky to spot. Misjudging the legitimacy of an invoice means scammers are ready to cash in not just on your money, but on your personal information, and potentially to infect your computer as well. Two kinds of invoices usually arrive in a work email inbox: those aimed at the company you work for, and those aimed at you personally. For now, let's concentrate on what happens when you receive one addressed to you.
Invoice scams targeting the recipient specifically usually come in the form of service provider impersonations. Ever use software for work? That's a service provider, because they (stick with me here) provide a service. Phishers often pretend to be a service provider because a lot of people use them; the bigger the net, the more (ph)fish you're going to catch, right? Fake invoices for physical products are also fairly common, but whatever is allegedly being billed for, the goals are the same: the attackers want your credentials, your personal information and your money.
Invoice phishing cannot be avoided merely by declining to pay dubious bank account numbers when told to. Legitimate-seeming messages often lead to genuinely legitimate services, such as PayPal and QuickBooks, but the payment is directed to someone other than the vendor it should go to. The malicious actor might hide their domain behind spoofing, and if everything looks as it should, typing out your Office 365 credentials on the page you land on might not cause that much harm, right?
(Dramatic music) Wrong.
The first thing to do when receiving an invoice is to stop and think: "Hey, I'm a pretty smart person. Do I use this service?" As with any email, carefully asking "Gee whiz, did I expect this email?" is an important self-protection tool against cybercrime; you'd be amazed at how many people just pay an invoice when they see it in their inbox.
So! You've deduced that you do not use the service. It is therefore quite probable you are dealing with a phishing attempt. Something funky is going on. One thing you can do in this situation is let the (real, genuine) service provider's customer support team know that a scam is being sent out in their name. Never forward the actual email to them, though, as forwarding spreads both the danger and the damage even if you've successfully detected a scam. When you send a scammer's email on to another person, regardless of intent, you are literally doing their work for them and making their job easier.
But what if you do use the service? Well, things just got more complicated. Let's dive into a real invoice phish to get a better idea. Here's one impersonating Norton. We see variations on this particular one all the time (All. The. Time. It's one of the most common ones out there).
There's a reason these are something of an invoice phishing classic and have been prevalent for a good while: Norton software is widely used, which makes the company a convenient impersonation target. If the scammers got lucky or did their homework, the recipient of the above email is indeed a Norton customer. At a quick glance in a hurry, the invoice seems rather real, and seeing the nearing due date, one might just go and pay for fear of an overdue payment. Look closer, though, and the phishing indicators appear. One is the short notice: electronic invoices tend to be sent well in advance of the due date. Another is that the recipient is addressed as "Customer" rather than by their actual name, even though a subscription with no name attached to it is unlikely. We all have names in this world, bub.
Furthermore, the chances of a real invoice having such a simple invoice number (here it's "1001") are low, and the product name and pricing do not quite match what can be found on the company website.
The "Print or save" buttons lead to a QuickBooks page where the invoice can be paid. The site itself is legitimate, and because the invoice was sent through the QuickBooks service, it also comes from QuickBooks' own email address. That makes these emails more likely to pass spam filters: nothing about the sender is forged. The landing page, however, also contains the most glaring anomaly: the merchant details. The merchant email, the party the payment will be sent to, has nothing to do with Norton. Even if Norton did use QuickBooks for billing, they would not use a completely unrelated domain (one only a few days old, at that) to do so. We've doctored the above screenshot so as not to give the scammer any undue credit.
Invoice phishing using document sharing (on the left) and service impersonation (on the right):
Making use of real document sharing and e-signing services, such as Adobe or PandaDoc here, is very popular in phishing regardless of scam type. Once again the email comes from a legitimate service, and the recipient has to click a link to see what the invoice is even about. This makes it harder to judge whether the invoice is relevant and takes the recipient further down the rabbit hole.
On the other hand, the payload of the above Standard Notes impersonation (on the right) is actually vishing: they want you to call them. That means more interaction with the scammer, which builds more trust, which makes you more likely to pay up. It shows the same signs of phishing as the Norton impersonation, with some extra detail on top, and also some bad English. The scammers claim that payment details have already been received, giving you an incentive to call the (very emphasised) phone number, so that you, the unsuspecting person, start the scam call yourself. Additionally, invoice phishes frequently lead to credential harvesting. Making sure that a site asking for login information is legitimate is essential, just as not typing credentials into opened attachments is.
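The indicators discussed above for the Norton/QuickBooks invoice (short notice, generic "Customer" salutation, a too-simple invoice number, a merchant domain unrelated to the impersonated vendor and registered days ago) and for the Standard Notes vishing invoice (an emphasised phone number to call) can be turned into a small triage script. The one below is an added example written for this article, not a tool from the blog or from any vendor named in it. The sample message, the domain-registration table (a stand-in for a WHOIS/RDAP lookup) and the set of legitimate vendor domains are all constructed assumptions, and the regular expressions are deliberately simple heuristics rather than a production parser.

```python
"""Heuristic triage of a suspected invoice phish (added example, constructed input)."""
import re
from datetime import date, datetime
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message. As in the QuickBooks case, the sender is the
# billing service's own (fictional) address, so the headers look clean; the
# merchant who actually gets paid is the problem.
SAMPLE_EMAIL = """\
From: "Billing Service" <invoices@billing-service.example>
To: victim@example.com
Subject: Invoice 1001 from Norton
Date: Mon, 06 May 2024 09:00:00 +0000

Dear Customer,

Your invoice 1001 for Norton 360 Deluxe ($299.99) is due on 05/08/2024.
Merchant: billing@nortn-secure-pay.example
To dispute this charge call +1 800 555 0199 IMMEDIATELY.
"""

# Constructed stand-in for a WHOIS/RDAP lookup: registrable domain -> registration date.
DOMAIN_REGISTERED = {
    "billing-service.example": date(2005, 1, 1),
    "nortn-secure-pay.example": date(2024, 5, 2),
}

# Assumed legitimate billing domain(s) of the vendor the invoice claims to be from.
VENDOR_DOMAINS = {"norton.com"}


def registrable_domain(addr: str) -> str:
    """'Name <user@mail.sub.example.com>' -> 'example.com' (two-label approximation)."""
    host = parseaddr(addr)[1].rpartition("@")[2].lower()
    return ".".join(host.split(".")[-2:])


def triage_invoice(raw: str, vendor_domains, registrations, today=None) -> dict:
    """Return the sender's domain plus a list of the phishing indicators found."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    text = (msg["Subject"] or "") + "\n" + body
    # The Date header is attacker-controlled; a real deployment should use the
    # mail server's receipt time instead. Used here only to keep the sample static.
    if today is None:
        today = parsedate_to_datetime(msg["Date"]).date()
    flags = []

    # Generic salutation where a real subscription would carry a name.
    if re.search(r"^\s*(dear|hi|hello)\s+(customer|user|client)\b", body, re.I | re.M):
        flags.append("generic salutation")

    # Implausibly low invoice number (the article's example was "1001").
    m = re.search(r"invoice\s*#?\s*(\d+)\b", text, re.I)
    if m and int(m.group(1)) < 10000:
        flags.append(f"suspiciously low invoice number {m.group(1)}")

    # Short notice: genuine e-invoices are sent well before the due date.
    m = re.search(r"due on (\d{2}/\d{2}/\d{4})", body, re.I)
    if m:
        due = datetime.strptime(m.group(1), "%m/%d/%Y").date()
        days = (due - today).days
        if days <= 7:
            flags.append(f"short notice: due in {days} days")

    # Merchant (payee) domain unrelated to the vendor, and freshly registered.
    m = re.search(r"merchant:\s*([^\s<>]+@[^\s<>]+)", body, re.I)
    if m:
        merchant = registrable_domain(m.group(1))
        if merchant not in vendor_domains:
            flags.append(f"merchant domain {merchant} is not a known vendor domain")
        registered = registrations.get(merchant)
        if registered and (today - registered).days < 30:
            flags.append(f"merchant domain registered {(today - registered).days} days ago")

    # Pressure to phone a number: the vishing payload of the Standard Notes lure.
    if re.search(r"\bcall\s+\+?\d[\d\s-]{7,}\d", body, re.I):
        flags.append("urges you to phone a number (possible vishing)")

    return {"sender_domain": registrable_domain(msg["From"]), "flags": flags}


def run_sample() -> dict:
    return triage_invoice(SAMPLE_EMAIL, VENDOR_DOMAINS, DOMAIN_REGISTERED)


if __name__ == "__main__":
    result = run_sample()
    print(f"sent via {result['sender_domain']} (nothing wrong with the sender itself)")
    for flag in result["flags"]:
        print(" -", flag)
```

Note what the script does not flag: the sending domain. That is the point the QuickBooks case makes: the message really did come from the billing service, so sender-based filtering passes it, and the decisive check is who the money goes to and how old that domain is.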