In order for a scammer to mount a successful attack, they must first have a way to attract attention, and one of the easiest ways to fool unsuspecting victims is with an unpaid invoice.
Both scammers and cybercriminals often use unpaid invoices as a lure in their phishing emails. Whether you are an employee or a small business owner, an unpaid invoice arriving in your inbox feels like a reminder meant for you.
Phishing emails about unpaid invoices often create a sense of urgency to get users to open them. From here, the actual invoice may appear in the body of the email, but it is more likely to be sent as an attachment that may also contain malware. Even if the attachment itself is harmless, many of these fake invoices actually get paid.
To give you a little more insight into the fake invoice scam and its modus operandi, here is a suspicious PayPal invoice I recently received.
I was checking my email earlier this week and noticed an unpaid PayPal invoice in my inbox. Since I don't use PayPal for my work email, I knew immediately that this was a scam, but decided to look into it further.
The first thing I did was check the sender's email address to make sure the message really originated from PayPal. Although email addresses can be spoofed, when I hovered over the "View and Pay Bills" button and examined the link, I saw in the lower left corner of Google Chrome that clicking on it would take me to PayPal's official website, so I knew it was a legitimate message.
I clicked on the link and was taken to PayPal's website. There I found a bill for $600 from someone whose name I had never seen before. A closer look at the contents of the invoice revealed that this $600 would get me 1 bitcoin. Unfortunately, someone else thought this was a great deal and decided to pay the invoice, but may later lose the $600 and realize that there were in fact no bitcoins.
Out of curiosity, I decided to check the invoice again after receiving an email reminder from PayPal that I still had one unpaid invoice. But to my surprise, the invoice itself had been deleted and was no longer viewable at all.
If you have ever received a similar unpaid invoice email from PayPal, the company explains at the end of the message what to do if you do not know the seller: "If you do not purchase anything from this seller, you can ignore this invoice." Similarly, PayPal does not "ask you to call or email the phone number listed on the invoice."
PayPal is one of the oldest and easiest ways to send money to friends and family. However, as the FAQ on the company's site states, all you need to send an invoice on this platform is an account. While certainly convenient, this makes it easy for scammers to send fake invoices through PayPal and hope that someone will actually pay. Even if only one person pays, the scammers behind this campaign, and others like it, are making a profit.
Like other online scams, fake invoice scams can be avoided by keeping a cool head when checking your inbox. Email security firm Armorblox lists some things to watch out for in a blog post.
In addition to creating a sense of urgency, scammers may ask for personally identifiable information (PII). At the same time, they may demand an exorbitant amount of money instead of a reasonable amount. However, the best way to tell that an invoice is a fake is if it is an invoice for something you did not purchase. Therefore, instead of replying to the email, clicking on a link, or opening an attachment, you should first check the services listed in the email.
From here, you should also watch out for poor spelling and grammar, as many scammers target users from other countries. Likewise, if you receive a bill from an unfamiliar online vendor, it is most likely a scam.
While the best antivirus software can protect you from malware and other online threats, it cannot prevent you from letting your emotions get the better of you and paying a bill for a product you do not remember purchasing. In the unlikely event that you do pay such a bill, you would be better off investing in the best identity theft protection, as scammers may try to steal your identity after fleecing you.
If in doubt, it is always best to delete, rather than communicate with, any email from an unknown sender claiming to have an unpaid bill. You also want to avoid calling the phone numbers listed in these emails, as scammers may try to convince you to pay over the phone or give out personal information.
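The warning signs listed above can be combined into a small triage function. This is an added example, not code from the article, PayPal or Armorblox; the keyword lists, the amount threshold, the known-seller list and the sample invoice are assumptions constructed for illustration. It shows why a link that really does point to PayPal is not enough on its own to clear an invoice.

```python
import re
from urllib.parse import urlparse

# Assumptions for this example (not from the article): the trusted domain,
# the keyword lists and the amount threshold are illustrative values to tune.
TRUSTED_SUFFIX = "paypal.com"
URGENCY = re.compile(r"\b(urgent|immediately|overdue|final notice|within 24 hours)\b", re.I)
PII = re.compile(r"\b(social security|date of birth|password|card number)\b", re.I)
PHONE = re.compile(r"(?:\+?\d[\s().-]*){10,}")  # 10+ digits with common separators
AMOUNT = re.compile(r"\$\s?(\d[\d,]*(?:\.\d{2})?)")


def link_on_trusted_host(url: str) -> bool:
    """True only for https links whose host is the trusted domain or a subdomain."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    return parts.scheme == "https" and (host == TRUSTED_SUFFIX or host.endswith("." + TRUSTED_SUFFIX))


def triage_invoice(seller, note, links, known_sellers, max_amount=500.0):
    """Return the warning signs found in one invoice notification."""
    flags = []
    if not all(link_on_trusted_host(u) for u in links):
        flags.append("link-off-platform")
    if seller.lower() not in {s.lower() for s in known_sellers}:
        flags.append("unknown-seller")
    if URGENCY.search(note):
        flags.append("urgency")
    if PII.search(note):
        flags.append("asks-for-pii")
    if PHONE.search(note):
        flags.append("phone-number-in-note")
    amounts = [float(m.replace(",", "")) for m in AMOUNT.findall(note)]
    if any(a > max_amount for a in amounts):
        flags.append("large-amount")
    return flags


# Constructed sample, loosely modelled on the invoice described in the article;
# the seller name, wording, phone number and link path are made up.
SAMPLE = {
    "seller": "Unfamiliar Seller",
    "note": "Invoice for 1 Bitcoin, $600.00 due immediately. Questions? Call +1 (555) 010-0199.",
    "links": ["https://www.paypal.com/constructed-invoice-link"],
}

if __name__ == "__main__":
    print(triage_invoice(SAMPLE["seller"], SAMPLE["note"], SAMPLE["links"], ["Acme Hosting"]))
```

The sample passes the link check because the message is a genuine PayPal notification, yet it is still flagged on the invoice content.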