Hackers Using Free QuickBooks Account to Create, Send Fake Invoices

A new phishing scheme has surfaced during the 2023 tax season in which hackers are creating a free QuickBooks account and using it to send fake invoices.

That’s according to Avanan, a Check Point Software Technologies company. It refers to the scheme as business email compromise (BEC) 3.0. It already uncovered this scheme in PayPal, Google and more.

QuickBooks is an accounting software package developed and marketed by Intuit.

In this attack, hackers send a fake invoice from a legitimate QuickBooks domain. This email comes directly from QuickBooks and has a QuickBooks email address. It will pass all standard email authentication checks, domain checks and more. There’s nothing inherently wrong with the text and no malicious links.

Avanan’s Jeremy Fuchs

Jeremy Fuchs, Avanan‘s marketing content manager, said in BEC 3.0, “all the typical phishing hygiene tricks are thrown out the window.” He provided as an example a fake invoice for Norton Lifelock.

“You can’t see a discrepancy in the sender’s address,” he said. “The links are legitimate. The spelling and grammar are on point. You may question why they’re asking for a Norton Lifelock payment, but plenty of people use Norton Lifelock. And that goes for both consumers and businesses. In short, users have to scrutinize this email incredibly carefully. And let’s be honest, how many end-users do that? This requires a new wave of education for users. Hovering over links isn’t as helpful. Now users have to be wary of all links. This requires a whole new approach.”

It’s “super easy” to create and send an invoice using a free account in QuickBooks, Fuchs said.

Scroll through our slideshow above for more about this QuickBooks invoice phishing scheme.