UPDATED 06:00 EDT / JULY 13 2022

SECURITY

Phone scam variant uses QuickBooks to trick victims into handing over details

Researchers at INKY Technology Corp. today detailed a new phone scam variant that uses QuickBooks to trick victims into handing over personal information.

The scam involves scammers setting up free 30-day trial QuickBooks accounts to send invoices to potential victims. The invoices claim that the victims purchased an item and that their credit cards have already been charged. The text in the invoice states that if the targeted victims wish to dispute the charges, they should contact the phone number in the email.

The first-stage trick here is that the scammers are using legitimate QuickBooks accounts and the invoices are created in and sent from QuickBooks, meaning that they appear legitimate. The invoices were found to impersonate brands, including Amazon.com Inc., Apple Inc., Best Buy Co. Inc., PayPal Holdings Inc. and other providers in an effort to make the invoices appear even more legitimate.

Although the emails are sent from QuickBooks, there are some giveaways that all is not as it should be. In various examples, the QuickBooks emails referred to Amazon as “Amazn” or “Amzn” to evade detection filters. If victims clicked on a link, they were taken to intuit.com (the parent company of QuickBooks) where the bad actors had created the fraudulent invoice, further adding to the invoice’s apparent legitimacy.
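The giveaways described above (an invoice sent through QuickBooks, shortened brand spellings such as “Amazn”, and a callback number beside dispute wording) can be combined into a mail-triage heuristic. The sketch below is an added example, not code from INKY or Intuit; the sender host, the brand list, the regular expressions and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

BRANDS = ["amazon", "apple", "bestbuy", "paypal"]  # brands named in the article
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
PRESSURE_RE = re.compile(r"\b(dispute|refund|cancel|charged)\b", re.I)
SENDER_SUFFIX = "intuit.com"  # assumption: invoice mail comes from a host under this domain

def is_subsequence(short, full):
    it = iter(full)
    return all(ch in it for ch in short)

def lookalike_brands(text):
    """Find tokens that are a brand name with one or two letters dropped."""
    hits = set()
    for token in re.findall(r"[a-z]{4,}", text.lower()):
        for brand in BRANDS:
            dropped = len(brand) - len(token)
            if dropped in (1, 2) and token[0] == brand[0] and is_subsequence(token, brand):
                hits.add((token, brand))
    return sorted(hits)

def score_invoice(raw):
    """Return the list of reasons a single-part text email looks like this scam."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    reasons = []
    if domain == SENDER_SUFFIX or domain.endswith("." + SENDER_SUFFIX):
        reasons.append("sent through Intuit infrastructure")
    reasons += [f"lookalike '{t}' for '{b}'" for t, b in lookalike_brands(text)]
    if PHONE_RE.search(text) and PRESSURE_RE.search(text):
        reasons.append("callback number beside charge/dispute wording")
    return reasons

# Constructed sample message (addresses, amounts and number are made up).
SAMPLE = (
    "From: Amazn Billing <invoice@mail.intuit.com>\n"
    "Subject: Invoice 1042 from Amazn Support\n"
    "\n"
    "Your card has been charged $499.99 for an Amzn order.\n"
    "To dispute this charge call (800) 555-0100.\n"
)

if __name__ == "__main__":
    for reason in score_invoice(SAMPLE):
        print(reason)
```

A legitimate QuickBooks invoice trips only the first reason, so the sender check is useful as context for the other two signals rather than as an alert on its own.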

If the targeted victim calls the number in the email to dispute the alleged charge, the scammer attempts to extract information from the victim. The information extracted includes login credentials, credit card information and other personally identifiable information. In some circumstances, the victim is directed to a spoof website that then extracts the same sensitive information.

In one particular case, a victim was told on the phone to purchase an Amazon security card to have money refunded. The purchase was made over the phone, with the victim handing over credit card details.

“The effectiveness of these techniques relies on the panic a victim might feel if they received an invoice for goods or services that they did not purchase,” the researchers explained. “The emotional reaction to a notification of this sort can be strong and may impair judgment.”

The natural response, the researchers added, is to get right on the phone and try to back the order out or find a way to obtain a refund. “The phishers take advantage of this disrupted emotional state to extract personal or financial information before the victim realizes that something is off,” they said.

Image: INKY
