Businesses are being hit with a wave of emails pretending to be invoice follow-ups, according to a study by the security firm Barracuda Networks Inc.
Case in point: a so-called impersonation attack sent in September.
“I tried to reach you by phone but I couldn’t get through,” it says. “Please get back to me promptly with the payment status of this invoice below.”
The email cites an invoice number and says it is due.
“The message itself doesn’t seem out of the ordinary, but the included link should raise a red flag,” writes Lior Gavish, VP of content security services at Barracuda. “The entire goal for this attempt is to get the recipient to click on the link, and the criminals have done a decent job of subtly placing the link within the message.”
This is a throwback to the old invoice scams sent by direct mail. An accountant in a company would get an invoice — usually for a modest amount — and pay it without questioning it.
But the email version goes further. These scammers don’t expect anyone to pay the bill: the invoice is bait, and the link is the payload. The goal is to get inside the company and do far greater damage.
“If the link actually gets clicked, it would typically download a .doc file (the so-called invoice), which would be an advanced threat of some type that could trigger ransomware or steal the recipients’ credentials from their browser,” Gavish continues.
Another impersonation email, sent in October, states, “I’m providing you with my new address and an invoice details below.”
“As you can see, there’s nothing too unusual with this message, but the same warning signs are present as with the first example,” Gavish states, adding: “We’re still seeing a link in the body of the email that could be malicious, and it’s still asking about an invoice. Lastly, the link in this attempt would most likely have the same results — a malware download or credential theft that could lead to a compromised account.”
The study concludes that the emails rely on two levers: impersonation (usually of someone the recipient already trusts, such as a supplier or colleague) and urgency, so the recipient clicks before thinking.
The best preventative? User training and awareness.
“Simulated attack training is by far the most effective form of training,” Gavish concludes. “Always check the domains on emails asking for things from you, including clicking and inputting information.”
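The warning signs Gavish lists (a link in the body whose domain does not belong to the sender, an invoice lure, urgency wording, and link text that shows one address while pointing at another) can be turned into a mail-gateway or mailbox triage check. The script below is an added example, not Barracuda’s code or anything from the original article. The two sample messages are constructed for illustration, the domain names and invoice number in them are placeholders, and the “last two labels” domain comparison is an assumption that a real deployment would replace with a public-suffix list.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Lure and urgency vocabulary taken from the two samples quoted in the article.
INVOICE_WORDS = ("invoice", "payment status", "remittance")
URGENCY_PHRASES = ("promptly", "tried to reach you by phone",
                   "couldn't get through", "immediately", "as soon as possible")
# Matches anchor text that looks like a URL or bare domain (assumption: simple form).
DOMAIN_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML part."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude registrable-domain heuristic: keep the last two labels.
    Assumption for the example; production code should use a public-suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def extract_links(msg):
    """Return (target, visible text) for every link in the HTML and plain-text parts."""
    links = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_content())
            links.extend(collector.links)
        elif ctype == "text/plain":
            for url in re.findall(r"https?://[^\s<>\"']+", part.get_content()):
                links.append((url, url))  # plain text: visible text is the URL itself
    return links


def score_invoice_lure(raw_message):
    """Return the list of red flags found in one RFC 822 message (empty list = none)."""
    msg = message_from_string(raw_message, policy=policy.default)
    reasons = []
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = registrable_domain(from_addr.rsplit("@", 1)[-1]) if "@" in from_addr else ""

    # Reply-To pointing somewhere else is a classic sign the sender is impersonated.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply_addr and registrable_domain(reply_addr.rsplit("@", 1)[-1]) != from_domain:
        reasons.append("reply-to domain differs from sender domain")

    body = "".join(p.get_content().lower() for p in msg.walk()
                   if p.get_content_type() in ("text/plain", "text/html"))
    if any(w in body for w in INVOICE_WORDS):
        reasons.append("invoice/payment lure")
    if any(p in body for p in URGENCY_PHRASES):
        reasons.append("urgency language")

    for href, text in extract_links(msg):
        host = urlparse(href).hostname or ""
        if not host:
            continue
        link_domain = registrable_domain(host)
        if link_domain != from_domain:
            reasons.append(f"link to {link_domain} does not match sender domain {from_domain}")
        shown = DOMAIN_LIKE.match(text)
        if shown and registrable_domain(shown.group(1)) != link_domain:
            reasons.append(f"link text shows {shown.group(1)} but target is {host}")
    return reasons


# Constructed sample modelled on the first email quoted in the article (placeholders throughout).
PHISH = """\
From: "Accounts Payable" <ap@example-supplier.com>
Reply-To: "Accounts Payable" <ap@mail-relay.example.net>
To: finance@example.org
Subject: Payment status
Content-Type: text/html; charset=utf-8

<p>I tried to reach you by phone but I couldn't get through. Please get back to me
promptly with the payment status of the invoice below.</p>
<p><a href="http://docs.invoice-hosting.example.net/INV-1042.doc">https://example-supplier.com/invoices/INV-1042</a></p>
"""

# Constructed benign supplier invoice: same lure words, but the link stays on the sender's domain.
BENIGN = """\
From: "Alice" <alice@example-supplier.com>
To: finance@example.org
Subject: Invoice INV-1042 (net 30)
Content-Type: text/plain; charset=utf-8

Hi, the usual monthly invoice is attached. Portal copy: https://portal.example-supplier.com/invoices/INV-1042
Thanks, Alice
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("benign", BENIGN)):
        print(label, score_invoice_lure(sample))
```

The benign message still trips the “invoice” keyword on its own, which is the point: a lure word is a weak signal, and what separates the two samples is the link going off the sender’s domain, the Reply-To redirect, and the anchor text that displays a different address than its target. Score on the combination, not on any single flag.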