A new scam to watch for: QuickBooks Invoices

As scammers are always looking for new ways to trick us, they have come upon a new idea that seems to evade spam filters: Illegitimate invoices via a legitimate system. I've been seeing this a lot in the past couple of weeks. I'm not sure if the scammers are setting up new QuickBooks accounts or if they are hijacking existing accounts, but they are using QuickBooks to send out invoices to people hoping that you will either pay or call the number listed in the invoice to talk to their "fraud department", where they will lead you onto another con.

Why is this so effective? By using an actual QuickBooks account, their email invoices are being sent by QuickBooks so spam filters have no way of knowing that the content of the invoice is not legitimate. The mechanism by which the email is being sent completely checks out and isn't coming from anywhere suspicious.

Whenever you receive an email invoice that seems suspicious, look to see what the sending email address is. If you are using Apple Mail click the small down arrow at the end of the sender's name. A large company like Apple, Norton, or Amazon would never use a personal style email address that ends in something like aol.com, outlook.com, or gmail.com, and a big company like Amazon wouldn't send you an invoice via QuickBooks. Even if it does appear to come from a legitimate address that's not proof-positive that it's legitimate; those can be spoofed but it's more difficult to do. You should be very suspicious of any unexpected invoices from any source.

What do you do? Just delete the email. If you block the sender you won't receive legitimate emails in the future from anyone using QuickBooks Invoicing which is very commonly used by small businesses. But whatever you do, DO NOT CALL the number listed on the invoice. That is not the Fraud Department at QuickBooks, that is the phone number of the scammer. I'm not sure how effective it will be but you can also forward the scam invoice to security@intuit.com. Intuit is the company that owns QuickBooks.

Honestly, I'm a little disappointed that QuickBooks doesn't seem to be on top of this. They could be doing several things to help such as adding a "report fraudulent invoice" button or stripping out any phone numbers or email addresses so that they can only be inserted in a field of the email that is clearly labeled so you know who you are calling.