
Invoice Scams - The New Emerging Threat in Cybersecurity


Phishing has long been an effective social engineering technique used by criminals against individuals and businesses.  Traditional phishing targets individuals with emails disguised to look legitimate while actually seeking to harvest personal information or infect the recipient's personal device.  The recent direction of phishing is toward larger organizations and businesses rather than individuals, because the data and funds an organization holds are more valuable to the scammer.  Invoice scams are the emerging trend among these attacks, and they can have a costly impact on your business if they succeed. 


 Invoice Scams typically work in the following order: 

  1. A scammer selects an individual within an organization by gathering information about that person from the corporate website or from a social media site where a job description is posted (such as LinkedIn).  This information lets the scammer single out employees who work in accounting or procurement and handle vendor payments as part of their job. 
  2. The scammer composes an email with an attached "invoice" that is actually malware or ransomware, typically an executable or macro-enabled document named and iconed to look like a PDF.  In some instances the body of the email includes specific details or real vendor information, so that it reads like a routine work-related document. 
  3. An employee receives the email and opens the attachment, believing it is legitimate.  The malware now runs on that user's workstation and, from there, can spread into the wider business IT environment. 
  4. The scammer can now carry out a range of malicious activities, such as encrypting files and demanding a ransom, or logging keystrokes to capture personal or confidential data, including the credentials the employee uses day to day. 
  5. The business suffers reputational damage and/or financial harm as a result of the successful attack.   



Take these steps to protect your staff:

Invoice scams succeed more often than generic phishing because they target specific individuals who are known to process payments as part of their everyday duties, and they arrive looking like the routine work those people expect to receive.  These attacks can be hard to defend against, but the following steps help:  

  • Train all workforce members on the threat posed by phishing.  Employees should be taught, at least annually, how to identify and report suspicious email, and reporting should be made easy (a report button in the mail client or a dedicated mailbox).  Run simulated phishing tests to validate that the training actually works.
  • Exercise vigilance.  Because these scams are now common, employees in departments that handle invoices should take extra care with every invoice email.  If an unexpected invoice arrives, even from a current vendor or partner, confirm it with the sender through a channel you already have on file (a known phone number or address book entry, never a number or reply address taken from the email itself) before opening any attachment.  
  • Ensure that anti-virus and anti-malware software is installed and kept up to date on all office workstations.  For larger organizations, a dedicated email security gateway adds a further layer: it can block or sandbox executable and macro-enabled attachments before they reach an inbox, rather than relying on the endpoint to catch the payload after it has been opened.  
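A concrete form of the attachment screening described in the last bullet, and of the "invoice that is really an executable" lure in steps 2 and 3 above, written as an added example for this post (not code from 24By7 Security). It parses an email with Python's standard library and flags the traits a gateway rule or a help-desk triage script would look for: an invoice-themed subject from a domain not on the vendor allowlist, executable or macro-enabled attachment types, a double extension such as .pdf.exe, a right-to-left override character in the file name, and a file declared as PDF whose first bytes are not a PDF header. The two sample messages, the extension lists and the vendor allowlist are constructed for the demonstration.

```python
"""Flag invoice-themed e-mails that carry risky attachments.

Added example for this post, not code from 24By7 Security. The sample
messages, the extension lists and the vendor allowlist are constructed here.
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment types an invoice never legitimately arrives as (assumed policy list).
RISKY_EXTENSIONS = {
    ".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".hta", ".bat", ".cmd",
    ".ps1", ".lnk", ".iso", ".img", ".docm", ".xlsm", ".pptm",
}
# Document types a scammer hides behind, e.g. "Invoice.pdf.exe".
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
# Leading bytes a file of the declared type must start with.
MAGIC = {".pdf": b"%PDF-", ".zip": b"PK\x03\x04"}
INVOICE_WORDS = re.compile(r"\b(invoice|remittance|overdue|payment|po\s*#?\d+)\b", re.I)
RTLO = "\u202e"  # right-to-left override, used to hide the real extension
VENDOR_DOMAINS = {"acme-supplies.example"}  # assumed allowlist of known vendors


def analyze(raw: bytes, vendor_domains: set[str]) -> list[str]:
    """Return a list of findings for one RFC 5322 message; empty means nothing suspicious."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if INVOICE_WORDS.search(msg.get("Subject", "")) and sender_domain not in vendor_domains:
        findings.append(f"invoice-themed subject from non-vendor domain {sender_domain!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if RTLO in name:
            findings.append(f"RTLO character in attachment name {name!r}")
        exts = ["." + p for p in name.lower().split(".")[1:]]
        if not exts:
            continue
        if exts[-1] in RISKY_EXTENSIONS:
            findings.append(f"executable or macro-enabled attachment {name!r}")
        if len(exts) > 1 and exts[-2] in DOCUMENT_EXTENSIONS:
            findings.append(f"double extension on attachment {name!r}")
        expected = MAGIC.get(exts[-1])
        if expected and not data.startswith(expected):
            findings.append(f"{name!r} is declared {exts[-1]} but content does not match")
    return findings


def _message(sender: str, subject: str, attachments: list[tuple[str, bytes]]) -> bytes:
    """Build a constructed sample message; every attachment is declared as application/pdf."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "ap@victim.example"
    m["Subject"] = subject
    m.set_content("Please see the attached invoice and remit at your earliest convenience.")
    for filename, data in attachments:
        m.add_attachment(data, maintype="application", subtype="pdf", filename=filename)
    return bytes(m)


def build_lure() -> bytes:
    """Constructed scam: look-alike vendor domain, Windows executables dressed up as PDFs."""
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60  # DOS header that starts every Windows executable
    return _message(
        "Accounts Payable <billing@acme-supplies-invoices.example>",
        "Overdue invoice #48213 - payment due today",
        [("Invoice_48213.pdf.exe", pe_stub), ("Invoice_48213.pdf", pe_stub)],
    )


def build_legitimate() -> bytes:
    """Constructed genuine invoice from the allow-listed vendor with a real PDF header."""
    return _message(
        "Acme Supplies Billing <billing@acme-supplies.example>",
        "Invoice #48213",
        [("Invoice_48213.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n")],
    )


if __name__ == "__main__":
    for label, raw in (("lure", build_lure()), ("legitimate", build_legitimate())):
        print(label, analyze(raw, VENDOR_DOMAINS) or ["no findings"])
```

The magic-byte check is the one a user cannot do by eye: the file icon and name say PDF, but the first bytes say Windows executable. The allowlist check is deliberately narrow, since a look-alike domain such as acme-supplies-invoices.example is exactly what a scammer registers to pass a casual glance, and it is the reason the "confirm through a channel you already have on file" advice above matters.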

Phishing scams have proven extremely costly to businesses.  Attackers continue to refine their methods for gaining access to sensitive data.  Keep your business ahead of these threats by implementing strong cybersecurity practices. 




Anirudh Nadkarni

Anirudh Nadkarni holds a Bachelor of Arts degree with a major in History from the University of Florida. As a Senior Security Analyst at 24By7 Security, Inc., his main focus is on compliance. Anirudh's role includes performing on-site Security Risk Assessments, assisting in the development of Privacy and Security Policies & Procedures, and conducting HIPAA training for healthcare providers and their staff. Anirudh is certified as a Health Care Information Security and Privacy Practitioner (HCISPP) from ISC2, as a HITRUST Certified CSF Practitioner (CCSFP), and as a Certified Data Privacy Professional (CDPP) from Network Intelligence. Sign up for the 24By7Security blog and follow Anirudh's musings.
