Cybercriminals are posing as Intuit's popular accounting software package QuickBooks to target Google Workspace and Microsoft 365 small business users in a voice-phishing scam.
The campaign sends a false invoice via email containing a claim that a credit card has already been charged for an order. In order to dispute the charge, victims are directed to call the number included in the email, according to researchers with INKY. The scam was first uncovered in December 2021 and the frequency of attack has accelerated sharply, they said.
The threat actors have been leveraging QuickBooks' free 30-day trial offer to set up fake accounts from which to send fraudulent invoices, impersonating major IT companies including Amazon, Apple, PayPal, and McAfee. Once the victim calls, they are asked for bank account information, login credentials, or other personally identifiable information.
"These attacks were highly effective at evading detection because they were identical to non-fraudulent Quickbooks notifications, even when examining the emails' raw HTML files closely," the report noted. "All notifications originated from authentic Intuit IP addresses, passed email authentication (SPF and DKIM) tests for intuit[.]com, and only contained high-reputation intuit[.]com URLs."
One such scam in April impersonated an Amazon Prime shipping notification, which used the strings "amazn" and "amzn" to evade detection filters. By clicking on the "print or save" or "view invoice" buttons, the victim is then taken to Intuit's website and shown a fraudulent invoice, inducing the user to call the number and give up financial information.
"The natural response is to get right on the phone and try to back the order out, or, barring that, find a way to obtain a refund," the INKY report noted. "The phishers take advantage of this disrupted emotional state to extract personal or financial information before the victim realizes that something is off."
Defense Requires Vigilance
INKY recommends that recipients of these kinds of messages should refrain from calling any phone numbers they provide and be wary of requests for payment through the form of gift cards, a method unlikely to be used by businesses.
"If there is any doubt about a charge, it is best to contact the relevant credit card company to see if there really is a charge in that amount," the report noted. "Any real charge would be shown as 'pending'."
Small businesses are increasingly targets for cyberattacks, according to recent research; however, just 40% of small businesses have a cybersecurity policy. Among the key steps small businesses can take to improve their security posture is adopting strong security policies and training employees in best practices, along with tactical investments in cybersecurity software.
Plenty of Phishing in the Sea
Meanwhile, cybercriminals are deploying new vishing methods to defraud victims, according to a report from Kaspersky, including attacks carried out through popular social media sites or major IT service providers like PayPal. A recent vishing scam cited by Kaspersky was based on a widespread TikTok prank where friends use an automated answering-machine voice to warn them that a lot of money will soon be taken out of their bank account.
"When people are convinced to disclose their personal data during a phone call rather than on a phishing page, they often don't have the chance to consider that they are the target of a hoax — and the large number of TikTok videos with this prank is a prominent example of this," according to Kaspersky.
The security firm reports that the volume of vishing is on the rise, with 350,000 vishing emails between March and June 2022, with nearly 100,000 of these emails spotted in June alone.