Fake Invoice Campaign Caught Mid-Rollout, Exploits Psychological Scams
A new wave of fake invoice scams impersonating brands like PayPal and Amazon was discovered by researchers while still under development, highlighting a psychological attack vector.

Cybercriminals are actively staging a new fake invoice campaign, aiming to trick unsuspecting individuals into calling fraudulent support numbers. Researchers at Malwarebytes Labs observed this campaign in its nascent stages, noting that some email templates still contained placeholder fields, indicating it was caught mid-rollout. The scam emails impersonate well-known brands such as PayPal, Amazon, and Geek Squad, leveraging their credibility to instill fear and urgency in recipients.
The core of this "phantom invoice" or "refund" scam is psychological rather than technical. Unlike typical phishing attacks that rely on malicious links or attachments, these emails are designed to prompt a phone call. They present fabricated charges, often in the hundreds of dollars, and provide a phone number to "cancel" or "dispute" the non-existent transaction. The absence of technical payloads makes these emails more likely to bypass traditional spam filters.
Once a victim calls the provided number, they are met by a scammer posing as a support agent. The scammer's objective is to gain remote access to the victim's computer, steal sensitive financial information, or trick the victim into sending money for a "refund" that never materializes. Common tactics include convincing the victim to install remote access software, asking for credit card details to process a fake refund, or orchestrating an "over-refund" scenario where the victim is asked to send back the excess amount via gift cards or bank transfers.
The effectiveness of this scam relies on the psychological impact of seeing a significant, unrecognized charge. The carefully chosen amounts are large enough to cause alarm but plausible as a subscription renewal or purchase. The inclusion of familiar brands and the addition of fake urgency, such as "call within 12 hours," are designed to prevent victims from independently verifying the transaction, pushing them directly into the scammer's trap.
Malwarebytes Labs' discovery was unique because it provided a glimpse into the campaign's construction phase. By finding templates with placeholder text like "#TFN#" (for toll-free number) and "#PRICE#," researchers could confirm the operation was still being assembled. This contrasts with most scam investigations, which typically begin after the campaign has already caused damage.
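The traits described above (a brand name, a charge, a prompt to call, no link or attachment, and leftover placeholders such as "#TFN#" and "#PRICE#") can be turned into a simple mail-filter heuristic. The following is an added example, not code from Malwarebytes Labs; the regexes, the trait names, the decision rule and the sample messages are all assumptions constructed for illustration.

```python
import re
from email import message_from_string

BRANDS = ("paypal", "amazon", "geek squad")  # brands named in the article
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
CALL_VERB = re.compile(r"\b(?:call|dial)\b", re.I)
URL = re.compile(r"https?://", re.I)
TRAITS = {
    "amount": re.compile(r"\$\s?\d{2,4}(?:\.\d{2})?"),       # e.g. a charge in the hundreds
    "urgency": re.compile(r"\bwithin \d+ hours?\b", re.I),   # e.g. "call within 12 hours"
    "placeholder": re.compile(r"#[A-Z]{2,}#"),               # unfilled #TFN# / #PRICE#
}

def callback_indicators(raw):
    """Return the set of phantom-invoice traits found in one raw email message."""
    msg = message_from_string(raw)
    parts = list(msg.walk())
    body = "\n".join(p.get_payload() for p in parts
                     if p.get_content_type() == "text/plain")
    text = msg.get("Subject", "") + "\n" + body
    hits = {name for name, rx in TRAITS.items() if rx.search(text)}
    if any(b in text.lower() for b in BRANDS):
        hits.add("brand")
    # The lure asks for a phone call; a half-built template has #TFN# where the number goes.
    if CALL_VERB.search(text) and (PHONE.search(text) or "placeholder" in hits):
        hits.add("callback")
    if not URL.search(text) and not any(p.get_filename() for p in parts):
        hits.add("no_payload")
    return hits

def is_callback_lure(raw):
    """Assumed rule: brand + call prompt + no link/attachment + one pressure trait."""
    hits = callback_indicators(raw)
    return ({"brand", "callback", "no_payload"} <= hits
            and bool(hits & {"amount", "urgency", "placeholder"}))

# Constructed sample messages (not taken from the campaign).
SAMPLE_LIVE = ("Subject: PayPal invoice\n\nYour PayPal account was charged $479.99.\n"
               "To cancel or dispute, call +1 (800) 555-0199 within 12 hours.\n")
SAMPLE_TEMPLATE = ("Subject: Amazon order confirmation\n\nYour Amazon order totalling #PRICE# "
                   "has been processed.\nIf you did not authorize this, call #TFN# to cancel.\n")
SAMPLE_BENIGN = ("Subject: Your Amazon receipt\n\nThanks for your order. Total: $23.10.\n"
                 "View details at https://www.example.com/orders\n")
```

A heuristic like this is best used to quarantine or banner a message for review rather than to block it outright, since legitimate receipts can share several of these traits.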
Because the scam relies on the victim calling the fraudulent number, simply receiving a fake invoice does not automatically put a user at risk. The attack chain is broken if the recipient recognizes the email as fraudulent and deletes it. However, victims who do call and follow the scammer's instructions are advised to immediately run antivirus scans, check bank accounts, change critical passwords, enable multi-factor authentication, and update their security software.
To avoid falling victim, users are advised to be wary of unexpected charges, fake urgency, and the use of trusted brands as a cover. It is crucial to independently verify any suspicious charges by contacting the company through official channels, not the phone number provided in a suspicious email. Real companies do not pressure customers into resolving unexpected charges via unsolicited phone numbers.