Phishing - QuickBooks Invoices
For my second post on phishing, let’s talk about invoices purporting to come from QuickBooks. I have had three distinct phishing attacks that look like they come from QuickBooks or Intuit. Generally, the “invoice” email will have an attached file or a link to click in the email. The text of the email is sometimes short and very vague, and does not always name the company it is from. For example:
Services <quickbooks@notification.intuit.com>
“Order will be delivered upon payment receipt. Thanks for your business! INVOICE 4748 DUE 05/21/2020 $1,600.00”
“Please find attached your April invoice. Thank you. If you have any questions or need to make changes; please contact us. Sincerely, XYZ, Inc.”
If you double check the “From” email address, it looks like the same one that QuickBooks Online uses to send invoices from a company to their customers (quickbooks@notification.intuit.com). I don’t claim to know how they spoof that email address; I have just seen it happen. In this particular instance the only difference was that the company name did not appear in the “From” section, just “Services”. Some of these emails are not very authentic looking, being text based and brief. Hover over the link with your mouse to see if it is authentic (Windows 10). The link address will appear in the bottom left of the window.
Another time, I had an email from quickbooks@notification.intuit.com that had the “receipt” attached. However, instead of a PDF attachment it was a macro-enabled Excel file (.xlsm). Opening a file like this could allow your computer to be infected. To block these, I have asked our IT guy to block all macro-enabled spreadsheets with our email spam blocker, since we never use these types of files. QuickBooks will only send PDFs as invoice attachments, if requested by the user.
On a third occasion, I had an invoice that looked EXACTLY like an invoice sent from QuickBooks Online. Same wording, payment button, colors and graphics, and a warning about opening fraudulent invoices!
“The following invoice is ready for your review and processing.”
“If you receive an email that seems fraudulent, please check with the business owner before paying.”
So even if it looks right, if you don’t know who sent it and why, don’t trust it. Again, hover over the payment button, and the link associated with it will appear at the bottom left of your window (Windows 10). If the link is not an intuit.com link, it is phishing. If you do not recognize the vendor or are not expecting an invoice, DO NOT CLICK on anything. Vendors using QuickBooks can also send you an invoice payment link from their own email address, if that makes you more comfortable in paying online.
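The two checks described above (macro-enabled attachment instead of a PDF, and links that are not intuit.com links) can be automated for a saved message. This is an added example, not code from the original post; the function names, the extra macro extensions, and the sample message with its `.example` hosts are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "intuit.com"  # the post's rule: anything else is treated as phishing
# The post names .xlsm; the other macro-enabled Office extensions are an assumption.
MACRO_EXTS = (".xlsm", ".xlsb", ".xltm", ".docm", ".dotm", ".pptm")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def host_is_trusted(url, domain=TRUSTED_DOMAIN):
    """True only for the domain itself or a real subdomain of it."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def triage(raw):
    """Return (finding, value) pairs for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(MACRO_EXTS):
            findings.append(("macro_attachment", name))
        elif name and not name.endswith(".pdf"):
            findings.append(("non_pdf_attachment", name))
        elif not name and part.get_content_maintype() == "text":
            # Scan the raw text/HTML so href targets are checked, not button labels.
            for url in URL_RE.findall(part.get_content()):
                if not host_is_trusted(url):
                    findings.append(("untrusted_link", url))
    return findings

def sample_message():
    """Constructed sample (not a captured email); *.example hosts are placeholders."""
    m = EmailMessage()
    m["From"] = "Services <quickbooks@notification.intuit.com>"
    m["Subject"] = "INVOICE 4748"
    m.set_content("Please find attached your April invoice.")
    m.add_alternative(
        '<a href="https://intuit.com.billing.example/pay">Review and pay</a>\n'
        '<a href="https://quickbooks.intuit.com/help">Help</a>\n', subtype="html")
    m.add_attachment(b"PK\x03\x04", maintype="application",
                     subtype="octet-stream", filename="Invoice_4748.xlsm")
    return m.as_string()

if __name__ == "__main__":
    for finding in triage(sample_message()):
        print(finding)
```

The "From" header is deliberately not used as a signal here, since the post's examples arrived with the genuine-looking quickbooks@notification.intuit.com address.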
At any rate, I do not blame Intuit or QuickBooks for any of these phishing attempts or scams. I am sure they are working to shut down any such misuse of their name. To help QuickBooks get a handle on these kinds of emails, forward them to spoof@intuit.com, so they can have a record of this occurring, and maybe shut down wherever they are coming from. Always go through your known website channels, and never click on this kind of link if you are unsure. They are sneaky and we must be vigilant!