Money for Nothing

During the pre-holiday period, attackers are sending invoices to companies for the delivery of non-existent documents.

Invoices for delivery of non-existent correspondence

At the end of the year, before the Christmas and New Year holidays, the accounting departments of many companies are busy — to put it mildly; especially in countries where the fiscal year is aligned with the calendar year. Accountants are busy with financial reporting, planning budgets for the next financial period, and so on. And all that despite the pre-holiday fever, when corporate parties are common and colleagues are often not so much in the mood for work. So, of course, cybercriminals can’t ignore this situation: they’re actively sending fake invoices to random employees of companies, in the hope that someone will approve payment in the midst of the document flood.

Fraudulent email red-flags

Firstly, the very fact that an email was sent to a random employee, and not directly to the accounting department, should get alarm bells ringing. Criminals usually have no means to obtain the real email addresses of corporate accountants; they use spam mailing databases, consisting primarily of publicly available contacts — so those emails are usually received by employees in HR, PR, technical support, and so on.

Sometimes the senders of the fraudulent emails write that they’ve lost the correct address, or made a typo while writing it down, so they ask for the invoice to be forwarded to accounting; sometimes they don’t bother with explanations at all. Either way, this cannot be an excuse for sending an email to a random address. If the invoice were really needed by one of the company’s employees, they would contact the sender themselves, find out the reasons for the delay in delivery and, if necessary, clarify the email address of the accounting department.

Forwarding unexpected emails to colleagues may do more harm than good, for a fraudulent email forwarded by a co-worker is more likely to work. If you forward an invoice to accountants, they may think that you want it to be paid. And in general, an email from an employee of the same company arouses less suspicion than external correspondence.

Secondly, criminals understand that demanding a large amount of money is a bad idea. It’s less likely that such an invoice will be paid without additional enquiries. That’s why they issue invoices for relatively small amounts — insignificant by the standards of a large company.

Thirdly, in the vast majority of cases these kinds of invoices are for correspondence delivery services. Moreover, the accompanying email is written as vaguely as possible so that it’s not always clear whether the invoice was issued directly by the sender of some documents or by the delivery company.
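The three red flags above can be expressed as a simple triage rule. The script below is an added example, not code from the original post or from Kaspersky: it scores a message on whether an invoice went to a non-accounting mailbox, whether it asks the recipient to forward it to accounting, whether the amount is small, and whether it concerns correspondence or delivery services. The mailbox list, the amount threshold, the keyword lists and the two sample messages are all constructed assumptions for illustration.

```python
"""Heuristic triage for unexpected invoice emails.

Added example, not code from the original post. It encodes the red flags the
post lists (invoice sent to a non-accounting mailbox, "please forward to
accounting" pretext, small amount, correspondence/delivery wording) as a score
that a mail-gateway or SOC script could apply. Mailboxes, thresholds, keyword
lists and sample messages are constructed assumptions.
"""
import re
from dataclasses import dataclass, field

# Assumption: mailboxes that legitimately receive invoices at this company.
FINANCE_MAILBOXES = {"invoices@example.com", "accounting@example.com"}

# Assumption: below this amount an invoice is "small enough to slip through".
SMALL_AMOUNT_LIMIT = 500.0

DELIVERY_WORDS = ("delivery", "courier", "postage", "shipment", "correspondence")
LOST_ADDRESS_PHRASES = ("lost the address", "wrong address",
                        "forward this to accounting", "forward to your accounting")

# Finds "Total due: EUR 149.00" style amounts; thousands separators are not handled.
AMOUNT_RE = re.compile(r"(?:total|amount|due)\D{0,20}?(\d+(?:[.,]\d{2})?)", re.I)


@dataclass
class Mail:
    sender: str
    recipient: str
    subject: str
    body: str


@dataclass
class Verdict:
    score: int
    flags: list = field(default_factory=list)


def extract_amount(text):
    """Return the first invoice amount found in the text, or None."""
    m = AMOUNT_RE.search(text)
    return float(m.group(1).replace(",", ".")) if m else None


def triage(mail, finance_mailboxes=FINANCE_MAILBOXES):
    """Score one message against the red flags; higher means more suspicious."""
    text = f"{mail.subject}\n{mail.body}".lower()
    v = Verdict(score=0)
    if "invoice" not in text:
        return v  # not an invoice at all; nothing for this rule to flag
    # Red flag 1: invoice addressed to someone outside accounting.
    if mail.recipient.lower() not in finance_mailboxes:
        v.score += 2
        v.flags.append("invoice sent to non-finance mailbox")
    # The "lost your accountant's address, please forward it" pretext.
    if any(p in text for p in LOST_ADDRESS_PHRASES):
        v.score += 2
        v.flags.append("asks recipient to forward to accounting")
    # Red flag 2: small amount chosen to avoid extra scrutiny.
    amount = extract_amount(text)
    if amount is not None and amount < SMALL_AMOUNT_LIMIT:
        v.score += 1
        v.flags.append(f"small amount ({amount:.2f})")
    # Red flag 3: delivery/correspondence service, unclear who is billing.
    if any(w in text for w in DELIVERY_WORDS):
        v.score += 1
        v.flags.append("correspondence/delivery service invoice")
    return v


def is_suspicious(mail, threshold=3):
    """True when the message should be routed to the security team, not to accounting."""
    return triage(mail).score >= threshold


# Constructed sample messages (not real emails).
FRAUD_SAMPLE = Mail(
    sender="billing@delivery-partner.example",
    recipient="hr@example.com",
    subject="Invoice for document delivery",
    body=("Please find attached the invoice for delivery of your correspondence. "
          "Total due: EUR 149.00. We seem to have lost the address of your accounting "
          "department, could you forward this to accounting?"),
)
LEGIT_SAMPLE = Mail(
    sender="ar@hosting-vendor.example",
    recipient="invoices@example.com",
    subject="Invoice 2024-117 for server hosting",
    body="As per contract, the invoice for Q4 hosting is attached. Total 4800.00 EUR.",
)

if __name__ == "__main__":
    for sample in (FRAUD_SAMPLE, LEGIT_SAMPLE):
        verdict = triage(sample)
        print(sample.subject, "->", verdict.score, verdict.flags,
              "SUSPICIOUS" if is_suspicious(sample) else "ok")
```

The weights are deliberately coarse: a single flag such as a small amount is common in legitimate mail, so only the combination of an invoice outside accounting with a forwarding request or delivery wording crosses the threshold. A gateway rule built this way should route the hit to the security team rather than drop it, matching the advice in the post.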

What are the scammers counting on?

As mentioned earlier, criminals count on the year-end’s heavy workload, people’s general inattention, and non-specialists’ “help” in forwarding such emails to the accounting department. But the main reason why such schemes work is impunity. By and large, the fraudsters aren’t afraid of legal consequences. They register a real company and send out invoices. Legally, this is a service that was paid for but not provided. If someone were to take them to court, they’d probably be found guilty. But will anyone go to court over such trifling amounts of money?

If you try to search the internet by the name of the company that issued the invoice, you’ll probably find a whole host of indignant comments from businesses that were deceived in a similar way. Presumably, from time to time, the criminals change the legal entity — closing one company through bankruptcy and opening another one.

How to stay safe?

To begin with, we highly recommend using security solutions with effective anti-spam technologies at the corporate mail gateway level. As a rule, attackers send such emails in large quantities, which allows them to be classified as spam in a timely manner.

In addition, you should inform employees that an email received unexpectedly from someone unknown demanding a payment or personal data is definitely suspicious. And if they want to forward it somewhere, they should send it only to the information security department with the comment “possible fraud”.

Ideally, it’s a good idea to raise employee security awareness periodically; for example, using the online Kaspersky Automated Security Awareness Platform. This would allow employees to be prepared for unexpected emails from attackers, be they simple fraudulent spam emails or sophisticated spearphishing.