The Cyber Security group is aware of many Berkeley Lab staff receiving fake invoices sent to their lbl.gov work email address. The goal of this phishing scam is to trick recipients into believing they have been charged for a service so they call the number and reveal sensitive personally identifiable information, such as full names, addresses, banking details, credit cards, and login credentials. Take a look at examples of real Lab incidents below and review tips for recognizing and responding to phishing.
Invoice Phishing Examples
The recent phishing examples sent to Lab staff are deceptive attempts to emulate subscription renewal invoices from popular technology companies. The first example below is a request for payment of a subscription to a computer support service from Geek Squad, a subsidiary of the consumer electronics retailer Best Buy. Similarly, the attacker in the second example uses the same fake subscription method to emulate Norton, another familiar tech company that offers antivirus and digital security software.
[Screenshots of the phishing invoices: Example 1, Example 2, Example 3]
Invoice phishing campaigns often impersonate well-known companies in order to create trust. Since subscription payments are commonly processed at the Lab, a quick scan may not raise any initial red flags. Attacks also tend to increase during busy times of the year when people are distracted. However, a closer examination reveals several indications that the messages are fake.
- A suspicious sender address is used rather than a vendor-specific domain, e.g., “Robetu Pata <robetupata9876vb@gmail.com>” as the sender of the Best Buy invoice notification.
- A random phone number is supplied instead of the official contact information. Visit the real company’s website to verify the sender’s contact details.
- Grammatical errors, incorrect spacing, missing punctuation, and a generic format raise concerns about the legitimacy of the message.
- A generic greeting, with no real name on the invoice, points to a phishing attempt.
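As an added illustration, not part of the Lab’s article, the following Python check scans a raw email for the red flags listed above (brand mentioned but sent from a non-vendor or free-mail domain, a “call this number” prompt, a generic greeting, stray spacing before punctuation). The free-mail domain list, the brand-to-domain map, and both sample messages are constructed assumptions, not real Lab incidents.

```python
import re
from email import message_from_string

# Constructed sample modelled on the red flags above (not a real Lab message).
SAMPLE_EMAIL = """\
From: Robetu Pata <robetupata9876vb@gmail.com>
Subject: Geek Squad Subscription Renewal Invoice
Content-Type: text/plain

Dear Customer ,
Your Geek Squad annual plan has been renewed for $349.99.
If you did not authorise this charge call our helpdesk at (888) 555-0143 within 24 hours.
"""

# Constructed legitimate-looking receipt for comparison (assumed vendor domain).
CLEAN_EMAIL = """\
From: Best Buy Billing <billing@bestbuy.com>
Subject: Your Geek Squad receipt
Content-Type: text/plain

Dear Jane Doe,
Thank you for your purchase. Your receipt is attached.
"""

FREE_MAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}  # assumption
BRANDS = {"geek squad": "bestbuy.com", "best buy": "bestbuy.com", "norton": "norton.com"}  # assumption
PHONE_RE = re.compile(r"\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
GENERIC_GREETING_RE = re.compile(r"^\s*dear\s+(customer|user|member|client)\b", re.I | re.M)

def invoice_phish_flags(raw: str) -> list[str]:
    """Return the red flags found in a raw RFC 822 message (empty list if none)."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    domain = m.group(1).lower() if m else ""
    flags = []
    for brand, real_domain in BRANDS.items():
        # Brand named in the message, but the sender is not on the brand's own domain.
        if brand in text and domain and domain != real_domain and not domain.endswith("." + real_domain):
            kind = "free-mail" if domain in FREE_MAIL else "non-vendor"
            flags.append(f"'{brand}' mentioned but sent from {kind} domain {domain}")
            break
    if PHONE_RE.search(body) and re.search(r"\bcall\b", body, re.I):
        flags.append("call-this-number prompt instead of official contact information")
    if GENERIC_GREETING_RE.search(body):
        flags.append("generic greeting with no recipient name")
    if re.search(r"\s[,.]", body):  # e.g. "Customer ," as in the sample
        flags.append("stray spacing before punctuation")
    return flags
```

Any non-empty result is a cue to verify the invoice through the vendor’s real website before calling or paying, as the article recommends.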
Avoid identity theft and help keep the Lab’s computing environment safe by assessing and verifying the legitimacy of unexpected invoices before contacting the sender or making any payments.
Recommended Actions
The best way to avoid phishing scams is to stay alert and pay attention to current methods in use by attackers.
Report any suspected or known breach of personal information to security@lbl.gov as soon as possible. Email help@lbl.gov to open a ticket for other IT-related questions.
For lbl.gov Gmail accounts, reporting phishing emails helps Google tune its filters so that similar scams do not reach your inbox.
- On a computer, open Gmail in your web browser.
- Navigate to the phishing message and open it.
- Expand the three-vertical-dot menu in the top-right corner of the message window and select “Report phishing.”