Fake Apple and Amazon invoices are flooding inboxes


As holiday shopping hits underway, fake invoices are flooding inboxes worldwide. After getting a high-dollar invoice, users panic and are likely to call a given number to cancel an order they never placed. That's when scammers roll up their sleeves and do their best to extract personal and financial information from their victims.

The number of scams has only been increasing going to the holidays. Anti-phishing technology has become more effective at warding off even the most sophisticated attacks, so scammers have moved to low-tech phone scams. Because these malicious emails don't contain any links, they bypass the security filters.

CyberNews already wrote about many different scammer tactics - threat actors spoof and impersonate popular brands like Amazon, the US Postal Service, Verizon, DocuSign, etc. They are sending out fake purchase notifications to make you call them so that they can extort from you as many personal details as possible.

ADVERTISEMENT

Recently, email security company Vade noticed fake Amazon and Apple invoices popping up in inboxes. They follow the same pattern - they say you've successfully purchased an expensive item, and because you actually didn't, there's a phone number in the email body for you to call to cancel the order.

Here's an email example. It says you've purchased an expensive MacBook Pro for $1,999. When such a high-dollar invoice pops up in someone's inbox, an anxious person will likely call the given number to revoke the purchase. A scammer at the other end of the cord will pretend to be an Apple or Amazon employee and will try to trick you into giving your personal and credit card information, which will later be used for fraud.

Apple invoice

According to Nicolas Joffre, Threat Intelligence and Response Center (TIRC) America Manager at Vade, the goal is to panic the victims into believing that someone has ordered an expensive item with their debit or credit card.

"It's pretty much the same process as the tech support scam. The scammers use fear techniques and confusion to trick the victims into calling a toll-free number," he said.

The Amazon invoice fraud scheme features two purchases, one for a subwoofer and another for a wireless headset. As with the Apple scam, the email includes a contact number but no other identifying features typical in phishing emails, such as URLs.

Amazon Invoice

Vade started tracking this scam in October 2021. By mid-November, less than two weeks before Black Friday, the scam surged to more than 60,000 emails in one day. The company noted that the total amount of emails is probably even higher.

ADVERTISEMENT

"Because of the low numbers in mid-October and spike in mid-November, it is probable that scammers were testing their emails in advance of the holiday season. Black Friday, of course, kicks off the holiday shopping season in many countries throughout the world. Users receive receipt confirmations and invoices constantly throughout the holiday season, and they are likely keeping an eye on both purchases and shipping confirmations," Vade said.

Malicious cyber actors switched to phone scams for several reasons. As mentioned above, these emails don't contain any malicious links and easily bypass security filters. There's no need for threat actors to build a phishing page. And third, scammers can verbally manipulate and possibly threaten a person over the phone.

Creating a sense of urgency

Social engineering is an emotional game. Criminals manipulate our perceptions and feelings to trick us into doing something for their benefit. They are trying to disturb our thinking process - the OODA loop. OODA is a model for decision-making and stands for observing, orienting, deciding, and acting.

When scammers call you or send you an email, they always want you to take immediate action. You will not hear them say, 'reply whenever it's convenient to you' or 'at your earliest convenience.'

Probably the best advice here is to step back and take a moment to think so that you can make an informed decision. You can still make a mistake, but at least it will be an 'informed mistake."

There are several simple things recipients can do to stay safe.

"It's easy enough to take a closer look at a sender's email address to confirm that the message comes from the branded company that seems to be sending it. Particularly when an email triggers a sense of dread and urgency, looking at the sender's address can quickly put those fears to rest," INKY said.

Even if a recipient makes the phone call to a fake sender, it is critical not to give sensitive personal information (e.g., banking information, social security number, date of birth) over the phone.

"And just thinking for a minute before responding can reveal that the pitch makes no real sense. For example, one doesn't resolve an accidental or fraudulent charge by buying a gift card," mail protection company INKY said.

ADVERTISEMENT

Another simple remedy is going straight to the website and checking your order history, which will likely not include the one referenced in the fraudulent email.


More from CyberNews:

70 countries have restricted social media in the last six years

Here’s why ransomware gangs are now rebranding themselves as ‘white hat’

Hackers could use OneDrive permissions to read company documents

Got a job without an interview? It’s probably a scam

IKEA hit by ongoing email cyberattack campaign

Subscribe to our newsletter

ADVERTISEMENT