Businesses are being hit with a wave of emails pretending to be invoice follow-ups, according to a study by the security firm Barracuda Networks Inc.
Case in point: a so-called impersonation attack sent in September.
“I tried to reach you by phone but I couldn’t get through,” it says. “Please get back to me promptly with the payment status of this invoice below.”
The email has an invoice due number.
“The message itself doesn’t seem out of the ordinary, but the included link should raise a red flag,” writes Lior Gavish, VP of content security services at Barracuda. “The entire goal for this attempt is to get the recipient to click on the link, and the criminals have done a decent job of subtly placing the link within the message.”
This is a throwback to the old invoice scams sent by direct mail. An accountant in a company would get an invoice — usually for a modest amount — and pay it without questioning it.
But it represents a technological advance. Obviously, these modern scammers don’t expect people to pay the bill: They’re trying to get in and cause even greater damage.
“If the link actually gets clicked, it would typically download a doc. file (the so-called invoice), which would be an advanced threat of some type that could trigger ransomware or steal the recipients’ credentials from their browser,” Gavish continues.
Another impersonation email, sent in October, states, “I’m providing you with my new address and an invoice details below.”
“As you can see, there’s nothing too unusual with this message, but the same warning signs are present as with the first example,” Gavish states, adding: “We’re still seeing a link in the body of the email that could be malicious, and it’s still asking about an invoice. Lastly, the link in this attempt would most likely have the same results — a malware download or credential theft that could lead to a compromised account.”
The study concludes that the emails rely on impersonation (usually, someone the recipient trusts) and urgency.
The best preventative? User training and awareness.
“Simulated attack training is by far the most effective form of training,” Gavish concludes. “Always check the domains on emails asking for things from you, including clicking and inputting information.”
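The warning signs the article lists (an invoice or payment ask, pressure to respond promptly, a link placed in the body, and Gavish's advice to check the domains) can be turned into a simple mailbox triage check. The script below is an added example, not Barracuda's code; the two messages, the sender and link domains (`.test` and `.invalid` names) and the keyword lists are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Indicators drawn from the article: invoice/payment wording, urgency, and a
# body link whose domain does not belong to the sender's domain.
INVOICE_WORDS = ("invoice", "payment status", "payment")
URGENCY_WORDS = ("promptly", "urgent", "immediately", "couldn't get through")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _body_text(msg) -> str:
    """Collect the text/plain parts of a parsed message (single or multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_message: str) -> dict:
    """Return the sender domain, the link domains found in the body, and the flags raised."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    body = _body_text(msg)
    text = body.lower()
    link_domains = {h.lower() for h in (urlparse(u).hostname for u in URL_RE.findall(body)) if h}
    flags = []
    if any(w in text for w in INVOICE_WORDS):
        flags.append("invoice_request")
    if any(w in text for w in URGENCY_WORDS):
        flags.append("urgency")
    if link_domains:
        flags.append("link_in_body")
    # A link is "off-domain" unless it is the sender's domain or a subdomain of it.
    if any(d != sender_domain and not d.endswith("." + sender_domain) for d in link_domains):
        flags.append("link_domain_mismatch")
    return {"sender_domain": sender_domain, "link_domains": sorted(link_domains), "flags": flags}


# Constructed sample: wording modelled on the September message quoted in the article.
SUSPICIOUS_SAMPLE = """From: Accounts Payable <ap@example-supplier.test>
To: finance@example-company.test
Subject: Invoice follow-up

I tried to reach you by phone but I couldn't get through. Please get back
to me promptly with the payment status of this invoice below.
http://invoice-portal.example.invalid/view?id=PLACEHOLDER
"""

# Constructed sample: same sender, link on the sender's own domain, no urgency.
BENIGN_SAMPLE = """From: Accounts Payable <ap@example-supplier.test>
To: finance@example-company.test
Subject: Invoice copy

Attached is a copy of the invoice; it is viewable at
https://billing.example-supplier.test/invoices/PLACEHOLDER
"""
```

Run `triage()` on each sample to see which flags fire; the off-domain link in the first message is the one indicator that does not depend on wording.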