In order for their attacks to be successful, scammers first need a way to get your attention and one of the easiest ways to dupe unsuspecting victims is with an unpaid invoice.
Scammers and cybercriminals alike often use unpaid invoices as a lure in their phishing emails due to how well they work. Whether you’re an employee or a small business owner, an unpaid invoice in your inbox is the kind of thing that demands your attention.
Phishing emails about unpaid invoices also often instill a sense of urgency to get users to open them. From here, the actual invoice may appear in the body of the email but it’s more likely to be included as an attachment which could also contain malware. Even if the attachment itself is harmless, many of these fake invoices do actually end up getting paid.
To give you a bit more insight into fake invoice scams and how they work, here’s a suspicious PayPal invoice I recently received in my own inbox.
Suspicious PayPal invoices
As I was checking my email earlier this week, I noticed there was an unpaid PayPal invoice in my inbox. Since I don’t use PayPal with my work email, I knew right off the bat that this was a scam but decided to investigate further.
The first thing I did was to check the sender’s email address to make sure that the message actually originated from PayPal. While email addresses can be spoofed, I knew that this was a legitimate message as I hovered over the “View and Pay Invoice” button to inspect the link and saw in the lower left corner of Google Chrome that clicking on it would take me to PayPal’s official website.
I clicked on the link, which brought me to PayPal’s website. Once there, I found an invoice for $600 from a person whose name I had never even seen before. Inspecting the contents of the invoice closer shows that this $600 would get me one Bitcoin when an actual Bitcoin cost $22,933 at the time of writing. Unfortunately, somebody else might think this is a great deal and decide to pay the invoice only to find out later that they’d lost $600 and there never really was a Bitcoin.
Out of curiosity, I decided to check on the invoice one more time after I received a reminder email from PayPal telling me that I still had one unpaid invoice. To my surprise though, the invoice itself had been deleted and was no longer available at all.
If you’ve received a similar unpaid invoice email from PayPal, the company explains at the bottom of the message that if you don’t know the seller, “You can safely ignore this invoice if you're not buying anything from this seller.” Likewise, PayPal won’t “ask you to call or send texts to phone numbers in an invoice.”
PayPal is one of the oldest and easiest ways to send money to friends and family. However, as it says in an FAQ on the company’s site, the only thing you need to send an invoice on the platform is an account. While certainly convenient, this makes it easy for scammers to send out fake invoices on PayPal with the hope that someone actually pays. Even if just one person does, the scammers behind this campaign — and others like it — have made a profit.
How to stay safe from fake invoice scams
Just like with other online scams, fake invoice scams can be avoided by keeping a cool head when checking your inbox. In a blog post, the email security company Armorblox lays out a few things to look out for.
Besides trying to instill a sense of urgency, the scammer responsible may ask for personally identifiable information (PII), which is another red flag. At the same time, they might ask for an outrageous sum of money instead of something more reasonable. However, the biggest tell that an invoice is fake is if it’s for something you didn’t purchase. This is why you should check the service mentioned in the email first instead of replying to the message, clicking on any links it may contain or opening any attachments.
From here, you also want to be on the lookout for poor spelling and grammar since many scammers target users in other countries. Likewise, if an invoice arrives from an online vendor you’re not familiar with, it’s likely a scam.
While the best antivirus software can keep you safe from malware and other online threats, it can’t protect you from letting your emotions get the best of you and paying an invoice for goods you didn’t purchase. If you do happen to pay such an invoice, you’ll be better off investing in the best identity theft protection as the scammers may also try to steal your identity now that they’ve ripped you off.
When in doubt, it’s always best to delete emails from unknown senders saying that you have an unpaid invoice as opposed to interacting with them. You also want to avoid calling any phone numbers in these emails as scammers could try to convince you to pay them or to give up your personal information over the phone.
Get the BEST of Tom’s Guide daily right in your inbox: Sign up now!
Upgrade your life with the Tom’s Guide newsletter. Subscribe now for a daily dose of the biggest tech news, lifestyle hacks and hottest deals. Elevate your everyday with our curated analysis and be the first to know about cutting-edge gadgets.
Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.