There are a number of scams that go around the cyber world every day. Many are repeats of old efforts that are tried and true, updated with new technology and a new approach. We are seeing attacks like these now in the form of phony invoices that are used not only to bilk people out of money but also to plant malware on the recipient's computer. You might get a legitimate invoice from Nicely Done Sites, so we want you to be aware of this and able to tell the difference, just so you don't get scammed.

Fake Invoice Phishing

You may have gotten an email in your inbox with an invoice from a company you have never heard of. If you look a little closer, it is coming from an email address you have never heard of either. Hopefully you are questioning it at this point and are ready to delete it, and you should. If you delete it and move on you save yourself a lot of hassle. These are the easy ones.

First in 2013

These kinds of attacks are not new. One of the most widely reported cases began in 2013, when a Lithuanian man created fake invoices and sent them to Facebook and Google employees. A lot of care went into it: the emails looked legitimate, the invoices looked legitimate, and they appeared to come from a real supplier that did business with both companies. In fact they did more than just business, they did multi-million dollar transactions with them, so an invoice in the six figures was not out of the ordinary.

All told, at least one hundred million dollars was stolen. Eventually the Lithuanian, Evaldas Rimašauskas, was caught, extradited and tried in New York, where he pleaded guilty. He was ordered to repay over $26 million and sentenced to 60 months in prison.

Crime Can Be Profitable

Rimašauskas' arrest did not stop these attacks; if anything they have become more refined. Scammers work out when the best time to send an invoice is, who a company does business with, and how to make their fake invoices look real. They are effective enough that in many cases the only way to tell an invoice is fake is to compare the bank account the payment is to be sent to against the account already on file for that vendor, or to notice other minute details. By the time the real supplier contacts the victim asking where its payment is, the money is already gone.

In some cases the attackers start by stealing login credentials, typically by redirecting users to a spoofed copy of a legitimate login page that captures whatever they type, and sometimes also installs malware on their computer. Once they have the credentials they can log in to the mailbox and set up a rule that quietly forwards a copy of every incoming message to themselves, so they see everything going on with that person. That tells them who the victim does business with, what the real invoices look like, and when the next one is due. And since most people do not clear out the trash in their email, a single login can hand over weeks or months of history. An unexpected forwarding rule in a mailbox is one of the clearest signs that this stage has already happened, and it is worth checking for.

At this point the scammer sends one of their fake invoices at just the right time, so that the victim is expecting it and thinks nothing of it. That is, until the real invoice comes in. The number of these attacks is expected to keep increasing.

How To Avoid This?

So, how can you avoid this? There are some basic things you can do, like making sure your computer and software are up to date with security patches. With something like this it may also behoove you to wait before paying an invoice. If you expect an invoice from someone at a certain time, letting that time come and go can help ferret out fakes: the real invoice usually turns up and exposes the impostor. Or you can call the company and confirm that they did indeed send it. If you do call, use a phone number you already have on file or from their website, never one printed in the suspicious email, since the scammer will happily answer that one.

And don't forget to check the email address the message was actually sent from, not just the display name, since mail clients show the name prominently and hide the address. The thieves count on most people overlooking it, but it is an easy way to spot a fake, perhaps the Achilles heel of this scheme. Keep in mind that it is a filter rather than a guarantee: if the sender's own account has been compromised, the address will be genuine, which is why comparing the payment details against what you already have on file still matters. Oh, and if you weren't anticipating an invoice, do a Google search for the company. Chances are you won't find much of anything.
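The checks above (free webmail sender, Reply-To pointing somewhere else, a display name that claims a vendor the address does not match, a payment account that differs from the one on file, and an attachment that can run code) can be scripted against a raw message. The following is an added example written for this post, not code from Nicely Done Sites; the vendor-of-record table, the free-mail domain list and both sample messages are constructed for the demonstration, and the vendor lookup by name is a deliberately simple stand-in for whatever your accounts-payable records look like.

```python
import os
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Free webmail domains a real vendor would not invoice from. Assumption: extend to taste.
FREEMAIL_DOMAINS = {"aol.com", "gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Hypothetical vendor-of-record table: the domain each vendor actually sends from and the
# bank account already on file. An invoice that names a vendor must match both.
KNOWN_VENDORS = {
    "acme hosting": {"domain": "acme-hosting.example", "account": "GB29NWBK60161331926819"},
}

# Extensions that execute code or carry macros; a genuine invoice is a PDF.
RISKY_EXTS = {".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm", ".htm", ".html", ".iso", ".lnk"}

IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def check_invoice_email(raw: bytes) -> list[str]:
    """Return human-readable red flags for a raw RFC 5322 message (empty list if clean)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    flags = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)

    if from_dom in FREEMAIL_DOMAINS:
        flags.append(f"sender address {from_addr} is a free webmail account")
    if reply_addr and reply_dom != from_dom:
        flags.append(f"Reply-To goes to {reply_dom}, not the From domain {from_dom}")

    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content() if body else ""
    claimed = f"{from_name} {msg.get('Subject', '')}".lower()
    for vendor, rec in KNOWN_VENDORS.items():
        if vendor not in claimed:
            continue  # this message does not claim to be from that vendor
        if from_dom != rec["domain"]:
            flags.append(f"claims to be {vendor} but was sent from {from_dom}, not {rec['domain']}")
        m = IBAN_RE.search(body_text)
        if m and m.group(0) != rec["account"]:
            flags.append(f"payment account {m.group(0)} differs from the one on file for {vendor}")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name.lower())[1] in RISKY_EXTS:
            flags.append(f"attachment {name} can execute code")
    return flags


def build_sample(fake: bool = True) -> bytes:
    """Constructed test messages (not real mail): a fake invoice and a clean one."""
    m = EmailMessage()
    m["To"] = "accounts@yourcompany.example"
    m["Subject"] = "Acme Hosting invoice #48213 now due"
    if fake:
        m["From"] = '"Acme Hosting Billing" <acme.hosting.billing@aol.com>'
        m["Reply-To"] = "acme.hosting.billing@mail-drop.example"
        m.set_content("Please remit payment to IBAN GB12FAKE10203012345678 by Friday.")
        m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                         filename="Invoice_48213.pdf.exe")
    else:
        m["From"] = '"Acme Hosting Billing" <billing@acme-hosting.example>'
        m.set_content("Please remit payment to IBAN GB29NWBK60161331926819 by Friday.")
        m.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf",
                         filename="Invoice_48213.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    for label in ("fake", "legitimate"):
        print(f"{label}:")
        for flag in check_invoice_email(build_sample(fake=(label == "fake"))) or ["no red flags"]:
            print("  -", flag)
```

Run it and the constructed fake trips all five checks while the clean message trips none. The account comparison is the one check that survives a compromised sender account, which is why it sits alongside the address checks rather than replacing them.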

An Example

(Image: fake invoice notice)

I have received a few of these over the past few months. The scammers do not know that I am the wrong person to send these to, as I have no access to the NDS purse strings. That's how I know they are fake. A recent example had a few extra flags. First, the invoice is from Bull Electronics, a company that has no website and whose only mention on Google is about being bought up all the way back in 2000 by a Canadian company.

Next, the email comes from an AOL email address. One would expect a professional invoice to come from an address at that company, or at least from something other than an account that can be acquired anonymously and for free. Third, a Google search for the name Kyler Costa produces nothing. Lots of links for Arizona Cardinals quarterback Kyler Murray, but nothing for this "individual".

All told, this email went straight into the trash without the invoice being opened. For whatever reason I get one of these a month, and I will give the crooks some credit, since they keep coming up with new companies to try to get me to bite. I haven't opened the invoices, since I don't want to risk malware, but I am sure they look convincing.
