Catch the fake invoice

Here we look at what invoice phishing is and what precautions you can take when you receive one to avoid sending money to the wrong people.

15-02-2023 - 6 minute read. Posted in: phishing.


Invoices arrive all the time, for anything from a phone bill to rent, and the easiest thing is to pay and move on. Before you do, give each one a second look. Here we take a closer look at fake invoices and how they can be spotted.

The sneaky invoice-phishing

Invoice phishing is a type of phishing in which an attacker sends fake invoices to people or companies in the hope that the recipient pays without checking, so the money goes straight into the attacker's pocket. It is an effective way to make money because a fraudulent invoice is often hard to tell from a real one.

The attacker is not always after the payment alone. A fake invoice that asks you to "log in" or "confirm your details" harvests card numbers, bank logins and other personal data, such as bank and health information, and an invoice attachment may carry malware. Once the attacker has a foothold on your computer, they can reach any documents stored there, personal or work-related.

The attacker will usually pose as a person or company you trust: a supplier you actually use, a telecom or internet provider, or a software vendor whose security product you supposedly subscribe to, because a bill from a company that claims to protect your computer is rarely questioned.

The invoice can just as well be for physical goods. As long as the attacker gets your card details, personal data or money, the scam has worked. That is why you need to be more careful than you might normally be when paying invoices and bills.

Hidden behind a legitimate provider

Attackers have become skilled at this, so it is not just odd bank names and account numbers you need to watch out for. A convincing message may link to a genuine payment service such as PayPal, but the invoice or payment request inside it was created by the fraudster, so the money goes to the fraudster's account. Even when you land on a legitimate website, check who the payee is before you pay.

The attacker can disguise the sender by spoofing the From address or by registering a look-alike domain, so the invoice appears to come from a well-known company. People are less suspicious of an invoice from a familiar name, and the temptation is to pay it and get it out of the way.

That is the moment to stop and think twice. First, consider whether it is a service you actually subscribe to, and whether you have actually bought what the invoice claims you have.

Secondly, consider whether you have set up direct debit or automatic payment with that company. If you have, payments are taken automatically, so you would not receive an invoice you have to pay by hand.

If you discover that a fraudster is impersonating a company, inform that company that its name is being used for phishing. They will need to investigate the spoofing, so include examples of the fake invoices (the full email, including headers, if you can) when you notify them.

When companies are hit by invoice-phishing

When individuals are hit by invoice phishing, the amounts are usually small, so the invoice is paid without a second thought.

Businesses are a different story. When someone in accounting, or in any other department, receives an invoice, it is typically for a much larger amount than a private person would ever see, and nobody is surprised by a large invoice because a company has far more expenses than an individual.

Because companies deal with many other companies, an attacker can research which suppliers a target company uses and imitate one of them. That makes it far more likely that the company accepts the imitated sender as legitimate.

Attackers use convincing domains designed to make the email look as if it comes from the real supplier's address. The invoice may also land with a less experienced employee (an intern, a new hire) who does not yet know the usual suppliers. With classic social engineering, such as urgency or a reminder about a "late" payment, the attacker may convince that employee that the fake invoice should be paid.
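The check that protects against both situations above (a genuine-looking invoice whose payee is wrong, and a supplier impersonated towards an accounts payable team) is to compare every invoice against what is already on file for that supplier before paying. The following is an added example, not code from this article or from Moxso: the vendor master record, the supplier name, the sender addresses and the invoice fields are all constructed for the demonstration. It validates the IBAN with the ISO 13616 mod-97 checksum and then holds payment if the sender domain, the bank account or the purchase-order reference does not match the record on file.

```python
import re

# Constructed vendor master data: what accounts payable has on file (assumption for the example).
VENDOR_MASTER = {
    "Nordic Office Supplies ApS": {"domain": "nordicoffice.example", "iban": "DE89370400440532013000"},
}


def iban_checksum_ok(iban):
    """ISO 13616 mod-97 test: move the first four characters to the end,
    map A-Z to 10-35, and the resulting integer mod 97 must equal 1."""
    s = re.sub(r"\s+", "", iban).upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return int(digits) % 97 == 1


def vet_invoice(invoice):
    """Return the reasons to hold payment for one parsed invoice; an empty list means it passed."""
    holds = []
    vendor = VENDOR_MASTER.get(invoice["supplier"])
    if vendor is None:
        return [f"supplier not in vendor master: {invoice['supplier']}"]
    # The sending domain must be the one registered for this supplier, not a look-alike.
    sender_domain = invoice["sender_email"].rpartition("@")[2].lower()
    if sender_domain != vendor["domain"]:
        holds.append(f"sent from {sender_domain}; vendor on file uses {vendor['domain']}")
    # A wrong checksum means a typo or a made-up account; a valid but different
    # account is the classic "please update our bank details" fraud.
    iban = re.sub(r"\s+", "", invoice["iban"]).upper()
    if not iban_checksum_ok(iban):
        holds.append(f"IBAN fails checksum: {invoice['iban']}")
    elif iban != vendor["iban"]:
        holds.append("bank account differs from the one on file (verify by phone before paying)")
    # Did anyone actually order this?
    if not invoice.get("po_number"):
        holds.append("no purchase order reference: was this actually ordered?")
    return holds


# Constructed sample invoices: one genuine, one from an impersonator using a
# look-alike domain, a different (but checksum-valid) account and no PO.
GENUINE = {"supplier": "Nordic Office Supplies ApS", "sender_email": "ar@nordicoffice.example",
           "iban": "DE89 3704 0044 0532 0130 00", "po_number": "PO-2023-0142", "amount": 4870.00}
FAKE = {"supplier": "Nordic Office Supplies ApS", "sender_email": "ar@nordic-office.example",
        "iban": "GB82 WEST 1234 5698 7654 32", "po_number": "", "amount": 4870.00}

if __name__ == "__main__":
    for label, inv in (("genuine", GENUINE), ("fake", FAKE)):
        print(label, "->", vet_invoice(inv) or "pay")
```

The point of the design is that none of these checks rely on the invoice itself looking suspicious: a perfectly formatted invoice from a look-alike domain still fails, because the comparison is against data the company recorded before the email arrived. A change of bank account is confirmed with the supplier using a phone number already on file, never one printed on the invoice.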

The classic method used in phishing

One element a phishing email almost always contains is a link or a downloadable attachment. Links and attachments are how an attacker gets onto your computer and software, and from there to bank details and other personal data.

The problem with most invoices is that they consist of a standard covering text plus an attachment containing the actual details. So most people will, quite logically, open the attachment to read what is to be paid.

That is exactly what attackers exploit: the "invoice" attachment is a document that asks you to enable macros, or an executable disguised as a PDF, and opening it installs malware that gives the attacker access to the contents of your computer.

Therefore, as already mentioned, it is also a good idea to be critical of the invoices you receive and consider the following:

  • Did I expect to receive this invoice? Always reconsider an invoice you were not expecting, so you do not fall into the attacker's trap.
  • Always ask if you have any doubts. This applies in many situations, and certainly when you receive an invoice you are not sure should be paid.
  • Don't forward it. Passing a suspicious invoice on to a colleague is the easy option, but it spreads the malicious link or attachment to more inboxes and gives the attacker more chances of someone opening it. Ask your IT or security contact instead.
  • What's attached? Be careful with links and attachments when you are not sure where they lead. As a rule of thumb, hover over a link without clicking to see the real destination (on a phone, long-press it). If the address does not match the company the email claims to be from, do not click.
  • Domain names can be deceiving. Attackers are getting better at imitating legitimate senders, for example by swapping letters that look alike (rn for m, 1 for l) or by putting the real company's name in a subdomain of their own domain, so check the sender's full address, not just the display name.
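The last two points of the checklist, hover to see the real destination and distrust look-alike domains, can be automated for every invoice email that reaches a shared mailbox. The script below is an added example written for this article, not Moxso's code: the trusted-sender list, the confusable-character table and the sample message are all constructed, and the "registrable domain" helper deliberately uses the last two labels rather than a public-suffix list. It parses a raw message, flags a sender or link host that imitates a trusted domain (brand name embedded in another domain, digit-for-letter swaps, one-character typosquats), flags links whose visible text shows one site while the href points to another, and flags attachments with executable or double extensions.

```python
import email
import email.utils
import re
import unicodedata
from email import policy
from urllib.parse import urlparse

# Senders this organisation actually pays (assumption made for the example).
TRUSTED_DOMAINS = {"paypal.com", "example-telecom.com"}
# Extensions that should never arrive as an "invoice".
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".lnk", ".iso", ".html"}
# Digits commonly swapped in for look-alike letters (small, hand-picked table).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample message for the demo; not a real phishing mail.
SAMPLE_EMAIL = """\
From: "PayPal Billing" <billing@paypa1-invoices.com>
To: accounts@example.com
Subject: Invoice #48213 is due
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/html; charset="utf-8"

<html><body><p>Your invoice is attached. View it online at
<a href="http://paypal.com.secure-billing-login.net/inv/48213">https://www.paypal.com/invoice/48213</a></p>
</body></html>
--B
Content-Type: application/octet-stream; name="Invoice_48213.pdf.exe"
Content-Disposition: attachment; filename="Invoice_48213.pdf.exe"

ZmFrZSBwYXlsb2Fk
--B--
"""

def normalize(host):
    """Lower-case, fold Unicode look-alikes (NFKC) and map digit/letter-pair confusables."""
    host = unicodedata.normalize("NFKC", host.lower()).translate(CONFUSABLES)
    return host.replace("rn", "m").replace("vv", "w")

def registrable(host):
    """Last two labels of a host. Naive on purpose: no public-suffix list (assumption)."""
    return ".".join(host.split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(host):
    """Return the trusted domain `host` imitates, or None if it is trusted or unrelated."""
    norm = normalize(host)
    reg = registrable(norm)
    if reg in {normalize(d) for d in TRUSTED_DOMAINS}:
        return None
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in norm:  # brand embedded elsewhere: paypa1-invoices.com, paypal.com.evil.net
            return trusted
        if edit_distance(reg.split(".")[0], brand) <= 1:  # typosquat: paypa.com, paypall.com
            return trusted
    return None

def analyse(raw):
    """Return human-readable findings for one raw message; an empty list means nothing odd."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = email.utils.parseaddr(str(msg["From"]))[1]
    sender_domain = sender.rpartition("@")[2]
    hit = lookalike_of(sender_domain)
    if hit:
        findings.append(f"sender domain {sender_domain} imitates {hit}")
    for part in msg.walk():
        fname = part.get_filename()
        if fname:
            lower = fname.lower()
            ext = "." + lower.rsplit(".", 1)[-1]
            if ext in RISKY_EXTENSIONS:
                findings.append(f"attachment {fname} has executable/script extension {ext}")
            if lower.count(".") > 1:
                findings.append(f"attachment {fname} uses a double extension")
        elif part.get_content_type() == "text/html":
            for href, text in LINK_RE.findall(part.get_content()):
                href_host = urlparse(href).hostname or ""
                shown = re.sub(r"<[^>]+>", "", text).strip()  # what the reader sees
                shown_host = urlparse(shown).hostname if "://" in shown else None
                if shown_host and registrable(normalize(shown_host)) != registrable(normalize(href_host)):
                    findings.append(f"link text shows {shown_host} but points to {href_host}")
                hit = lookalike_of(href_host)
                if hit:
                    findings.append(f"link host {href_host} imitates {hit}")
    return findings

if __name__ == "__main__":
    for line in analyse(SAMPLE_EMAIL):
        print("WARNING:", line)
```

Run against the constructed message it reports five findings: the sender domain and the link host both imitate paypal.com, the visible link text names www.paypal.com while the href goes to secure-billing-login.net, and the attachment is an .exe hiding behind a .pdf double extension. The heuristics are deliberately biased towards false positives; in a shared accounts mailbox a flagged invoice costs a phone call to the supplier, while a missed one costs the invoice amount.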
Author Caroline Preisler

Caroline is a copywriter here at Moxso beside her education. She is doing her Master's in English and specializes in translation and the psychology of language. Both fields deal with communication between people and how to create a common understanding - these elements are incorporated into the copywriting work she does here at Moxso.
