The Art of Spotting Fake Invoice Scams
Scam emails can be convincing... learn how to spot them 🔍

If you have an email address (which is safe to assume, considering you are reading this email), odds are you’ve received something similar to what showed up in my inbox the other morning - the infamous Invoice Scam:

Thankfully, Gmail is quick to warn about this. Their fraud detection has come a long way. Advanced Artificial Intelligence and Machine Learning models are used to scan every email and attachment sent using their services. There’s a lot of negative press out there about AI these days, but this is a great example of how AI can be used for good! If you’re interested, you can read more about this in the Gmail Help Article on Phishing Emails.
For the sake of argument though, let’s assume Google failed to detect the fraudulent content and none of the warning messages were visible. The email would have looked something like this:

An unsuspecting person that doesn’t have the eye for catching these scams might then open - or worse, download - the attachment:

The way that this scam works is by convincing you that you’ve unknowingly sent a significant amount of money (in this case, $780.99) and must contact PayPal to have it resolved. I’ll let you in on a little secret: the phone number in this email is not PayPal’s, and will connect you directly with a scammer. If you call, they’ll start asking questions and acquiring as much personal information as possible.
This email absolutely reeks of scam - if you know what to look for, it is pretty obvious. Let’s go through some of the signs together:

Right off the bat, the subject line has a typo - there’s no space between order and the fake order number. Typos and improper grammar are a good indication that an email might not be what it seems.

The next thing to check for is the sending address. There’s no way PayPal would be sending an email from some random personal Gmail account. I would expect the email to end with paypal.com, for example:
One quick thing to note here - just because an email ends in paypal.com does not necessarily make it legitimate. There are some crafty ways to “spoof” email addresses that appear correct, but upon further inspection are actually not real. You can read more about this in a Great Article by Proofpoint. If you’re using Gmail, the best way to confirm an email address isn’t spoofed is by looking for a blue checkmark:

Companies have to go through verification processes to obtain this. It’s similar to the check marks that you see on various social media sites. This is a sure-fire way to guarantee that an email is real. Keep in mind though, that not all companies do this!

The last thing that rubs me the wrong way is the signature. “Thanks - Bills Team”. I don’t know why, but something about this just seems off. Go with your gut - if something feels off, it’s better to be safe than sorry.
Ok, now let’s dive into this absolutely horrendous attachment…

Another typo! They have the phone number listed twice, once starting with -+1, and again as just +1. Why only include the minus sign in one of them? If a legitimate email is going to list a phone number, they should do it consistently.

A generic greeting is also a big red flag. A company like PayPal has your full name, and they will use that name to address you (they even mention this in their Help Article on Spotting Fake Emails). Another weird thing here is the plural “Customers” - isn’t this supposed to be an invoice just for me? Shouldn’t it say “Customer” if anything?

Another oddity that I noticed is the styling. They go from middle alignment in the first section to left alignment in the last paragraph. Inconsistencies like this are a sign that not much design effort went into an email. Large companies like PayPal have teams of talented designers whose job it is to make these emails look clean and professional.

This last one speaks for itself… “Best & Regards”? I don’t know anyone that talks like that… “Best”, “Regards” or “Best Regards” are all legitimate signoffs - but the & in the middle there just looks weird. Additionally, they identify themselves here as “Billing team”, when in the body of the email they self-identified as “Bills Team”. Yet another inconsistency that further reduces the legitimacy of the email.
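For readers who like to see things in code, here is an added example (not part of the original newsletter) that runs the warning signs above over a plain-text email in Python. The sample message, the `red_flags` helper and the flag names are all made up for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the scam described above; every value is made up.
SAMPLE = """\
From: PayPal Billing <bills.team@mail.example>
To: reader@example.com
Subject: Invoice for your order7781203344 is ready

Dear Customers,

You sent a payment of $780.99. If you did not authorize it, call
-+1 (555) 010-0199 or +1 (555) 010-0199.

Thanks - Bills Team

Best & Regards,
Billing team
"""

GREETING = re.compile(r"^(dear|hello|hi)\s+(customers?|users?|members?)\b", re.I | re.M)
PHONE = re.compile(r"\+?\d[\d\s().-]{8,}\d")

def red_flags(raw, brand="paypal", brand_domain="paypal.com"):
    """Return the warning signs found in a raw plain-text email (hypothetical helper)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg["From"] or "")
    domain = addr.rpartition("@")[2].lower()
    subject, body = msg["Subject"] or "", msg.get_payload()
    flags = []
    # Display name claims the brand, but the address is on another domain.
    # A matching domain proves nothing by itself: addresses can be spoofed.
    if brand in name.lower() and domain != brand_domain \
            and not domain.endswith("." + brand_domain):
        flags.append("sender-domain")
    if re.search(r"[A-Za-z]\d{5,}", subject):  # word fused to a number
        flags.append("subject-typo")
    if GREETING.search(body):                  # not addressed by name
        flags.append("generic-greeting")
    if PHONE.search(body):                     # never call this number
        flags.append("phone-in-body")
    teams = {t.lower() for t in re.findall(r"\b(\w+) team\b", body, re.I)}
    if len(teams) > 1:                         # "Bills Team" vs "Billing team"
        flags.append("inconsistent-team-name")
    return flags

if __name__ == "__main__":
    print(red_flags(SAMPLE))
```

An empty list only means none of these particular signs were found; it does not make an email legitimate.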
OK, so we’ve been through all the warning signs. You are now equipped with some of the knowledge to spot fake invoice emails! Let’s say you encounter an email like this. You check everything out, but still aren’t completely sure it’s legit. Here are 3 good rules of thumb to follow if you’re suspicious:
• Never download any attachments that you aren’t expecting. If it’s something like a PDF, Word document, or Spreadsheet, services like Gmail will let you view it safely in the web browser, keeping your PC safe.
• Never click links in suspicious emails. These might direct to scam/phishing sites. The safest option is to go to the company’s website yourself, log in to your account, and look for the relevant information there. In the case of this PayPal email, I could have logged in, checked my history, and realized this transaction never happened.
• Never use the phone number in a suspicious email. Search the company on Google, or find it on their website. Side note - this advice applies to phone calls as well. For example, if you get an unexpected call from a bank or financial institution, politely hang up and call them directly using the phone number on their official website.
Wow - you’ve made it to the end! I’m glad you’ve stuck around, and hope you’ve learned something from all of this. If you’re interested, here are a few additional resources if you’d like to learn more about these types of scams:
• Gmail Help Article on Phishing Emails
• PayPal Help Article on Spotting Fake Emails
And if you have a moment, I would greatly appreciate your participation in this poll. I’m eager to hear about readers’ experiences, and hope to incorporate the results into future publications.
I encourage you to forward this along to anyone that might find it helpful. If you’ve received this via a forward, or are reading it on the website, you can sign up for the newsletter here.
Thanks for reading,
- Greg