What is an Invoice Scam?
An invoice scam occurs when a threat actor sends you a fake invoice, attempting to trick you into seeking a refund for a product or service you never paid for. The scammer often impersonates a legitimate payment or document service to make the invoice appear credible.
How It Works
You receive an invoice or payment request through a legitimate service like PayPal, DocuSign, or Office 365, for a product or service you never ordered, which asks you to contact them to refund a payment. The invoice or request contains a note to pressure you to call their fake customer service number.
Once you call, the threat actor pressures you to give them sensitive payment info. Often, they will ask you to download and run remote access software so they can either steal credentials from your PC or leverage your logged-in browser to transfer money.
What to Watch Out For
- Technical support asking you to download software to help you solve a billing problem. Do not let unknown individuals, or anyone outside the ITS Service Center or U-M IT staff when it comes to U-M devices, install software on, or take control of, your device.
- Invoices for purchases you have not made. Ask yourself, “Did I make this purchase?” If this is the first time hearing about the order, there is a good chance it is a scam.
- Requests to act immediately to make payment or reverse payment. Check your bank or service account transactions to see if there is a chance of identity theft or stolen credit card data.
- The invoices for this scam are generated through a legitimate service like PayPal. While the purchase is fake, clicking on the links in the scam invoice may actually transfer payment via PayPal. This lends credibility to the scam.
How to Protect You and U-M
- Do not pay and do not respond using links or phone numbers in the email when you receive an invoice you suspect to be fake or for a purchase you don't recall making.
- Be wary of requests to download and install remote access software to allow a person claiming to be a help desk agent to assist you. Do not allow anyone other than U-M IT support staff to access a U-M owned computer remotely.
- Look directly at your bank or service account to verify you haven't been fraudulently billed. Do not use links in the email!
- If you have been fraudulently billed, report the fraud immediately through your service provider.
If You Get Caught
If you are concerned that you have given personal information or payment to someone attempting to scam you, take the following steps:
- As a precaution, change any passwords you entered after installing the remote access software. To do so, use a different device that did not install the software.
- Monitor your financial accounts for any unauthorized charges. Contact your financial institution if there are any issues.
- Uninstall the remote access software, if you know what it is.
If you are uncertain about what the threat actors did, consider the device compromised and then take the following steps:
- Is it a UM-owned device? Turn it off, report the incident, and get a loaner from your unit IT department.
- Is it a personally-owned device? Consider the Virus Scanning & Removal service offered by ITS Tech Repair.
- Individuals who have fallen victim to one of these scams, which resulted in loss of money, should contact the University of Michigan Police Department at 734-763-1131 or text 377911.
- If you believe that your U-M computer has been infected or compromised by viruses or malware, please contact IT support: For MiWorkspace computers, contact the ITS Service Center, and for other university-owned computers contact your unit IT department.
- See our Identity Theft page if your personal information was compromised.
- See What To Do if You Were Scammed from the FTC for information on what to do if you were scammed out of money or personal information.
Examples of Scam Emails
Text of first PayPal Invoice Scam Email
PayPal
Creatrix inc has updated their money request
Updated request details
Amount requested<
$1,369.55 USD
Note from Creatrix inc:
Don't recognize the seller? Please contact PayPal Support Team immediately at +1(888) 434-2883 (Toll Free). If you do not reach out, we will proceed with the transaction.
Transaction ID
U-3YP350079M3163310
Transaction date
December 5, 2024
Pay Now
Don't recognize this request?
Before paying, make sure you recognize this person. Don't engage with this request if you're unsure about it. PayPal won't contact you through a money request. Learn more about common security threats and how to spot them.
PayPal
Text of second PayPal Invoice Scam Email
PayPal
Creatrix inc has requested
$1,369.55 USD
We'll link
[email protected]
to your PayPal account when you log in.
"Don't recognize the seller? Please contact PayPa..."
[Form with two fields - Email and Password - and Log In to Pay button]
Pay as a Guest [button]
Text of second PayPal Invoice Scam Email
Docusign
Fakeali Locked sent you a document to review and sign.
REVIEW DOCUMENT
Fakeali Locked
Transaction Completed with DocuSign: fu7tp8PKOx.pdf
Payment Confirmation
TOTAL AV Premium
Dear Valued Customer,
We sincerely thank you for your payment of $359.25 towards your TOTAL AV Premium subscription. Your trust in us to safeguard your digital experience means a great deal. Below, you will find the details of your transaction:
Business Name: TOTAL AV Premium
Reference ID: 94XYZ8
Amount Paid: $359.25
Payment Date: November 26, 2024
Should you have any questions about your subscription or need help with the setup process, please don’t hesitate to contact our support team. We’re here to assist you.
Phone: +1 (866) 511-5248 / (866) 982-4913
Thank you for choosing TOTAL AV Premium!
Best regards,
TOTAL AV Support Team
(866) 613-3204