Security & Privacy

Fake invoice scams: Norton, McAfee, PayPal, and more

Posted on by

Invoice e-mail scams are gaining prevalence. In April, we reported that scammers were using Intuit’s real QuickBooks invoicing service to send fake Best Buy Geek Squad invoices. Similar attacks have continued to ramp up in recent weeks; fraudulent Norton, McAfee, PayPal, and other invoices have been used as bait.

Meanwhile, Geek Squad invoices have continued strong as well. Not only have we continued to receive new samples, but also our article from April is the most viewed on The Mac Security Blog today.

Let’s break down the latest scams and explain how you can avoid this type of fraud.

In this article:

Fake Norton invoices

Much like the Geek Squad e-mails we reported on in April, some Norton scam invoice e-mails are being sent via a legitimate invoice service: Intuit QuickBooks.

Recently, this particular e-mail campaign has been using subject lines similar to the following:

  • “Your Invoice 56351 ~Payment Processed”

The body of the e-mail might look something like this:

Dear Customer:

Your invoice-56351 for 349.99 is attached towards renewal of 3 years Subscription.

For any queries you can reach us .

Thank you for your business – we appreciate it very much.

Sincerely,
Allen
Billing Dept.

The attached PDF file contains an alleged “customer service” phone number, but in reality, it’s actually a fraudulent call center. Such e-mails are sent by “Intuit E-Commerce Service” from the address [email protected]. (For more about how Intuit’s service is being abused, see our previous article about Geek Squad scam e-mails.)

A recent fake NortonLifeLock invoice, sent via Intuit’s QuickBooks invoicing service.

A variety of fictional invoices

Intuit isn’t sending all of the recent fake Norton invoices, however. We’ve also seen invoice attachments similar to the following:

[old “Norton SECURED | powered by Symantec” logo]

Thank you for choosing NORTON-PROTECTION

Your subscription of NORTON LIFE LOCK is activated today. This subscription will be Auto-Purchase as per plan selected . Please Review your purchased summary below-

Billed to
Customer id : NOR######
Order No : #########
Amount : $499.99

your subscription has been activated for 1 year with Norton LifeLock for $499.99 on 05-26-2023

This subscription will Auto-activated Every year unless you turn it off, No later than 24 hours of before the end of subscription period.

To Cancel this Subscription, Call: +1(888) 311-####

Regards,
Team Billing Norton

Following is a screenshot of this style of fake Norton invoice:

Another recent fake Norton invoice.

Norton renewal or purchase invoice scams are nothing new. Snopes published an article on the subject in January 2022. The fact-checking site said it was aware of similar Norton scams that had been ongoing since at least 2021.

Notably, Norton products no longer use Symantec branding or the old logos shown above. Nevertheless, these often appear in fraudulent e-mails, presumably because they may be more familiar to victims. Perhaps scammers use a variety of logos for A/B testing, to see which logos are most likely to deceive recipients.

Fake McAfee invoices

Antivirus industry veteran Graham Cluley wrote last week about his experience receiving a fake McAfee invoice. How did he know it was a deceptive e-mail? There were many clues, not the least of which was a bizarre McAfee signature comprised of Unicode lookalike characters. Presumably, the intent was to try to evade spam filters, which might catch an e-mail that purports to be from McAfee, but may not block an e-mail from “ᛖcA𝑓ee.”

Fake McAfee antivirus invoice e-mail. Image: Cluley

Like many other scammy messages, this e-mail’s goal is to trick nervous recipients into calling a supposed “cancellation department.” In reality, treacherous tricksters staff this call center.

Not all fraudulent McAfee e-mails necessarily contain a phone number for a malicious call center. A recently published article on Snopes claims that some fake McAfee invoice e-mails may instead link to phishing or malware sites.

Fraudulent PayPal invoices

MakeUseOf recently updated an article it first published in September 2022 about a PayPal Bitcoin scam. According to their research, PayPal servers are in fact sending some Bitcoin scam e-mails (similar to how Intuit QuickBooks servers are sending some Geek Squad scam e-mails).

The e-mail body says, in part, something similar to the following:

Hello, Invoice From Bitcoin Exchange

Here’s your invoice
Bitcoin Exchange sent you an invoice for $499.99 USD
Due on receipt
(View and Pay Invoice)

Seller note to customer
You have successfully made a transaction for your Bitcoin (BTC) Using Paypal, you Charged the amount mentioned in the INVOICE. This transaction may take 12 hours to appear in your Bank Statement. Do give us a Call for any dispute regarding the Payment and issue a Refund at +1(888) 524-####

Fraudulent Bitcoin invoice sent via PayPal. Image: MakeUseOf

How scam artists abuse the real PayPal system

PayPal allows account holders to send an invoice to anyone. So simply by knowing your e-mail address (which may have been obtained via a data breach), anyone can send you an invoice. PayPal intends for legitimate users to send invoices for goods and services, but fraudsters are finding it to be an effective tool, too.

Like many other scam e-mails discussed in this article, the primary goal is to trick victims into calling the phone number in the “Seller note to customer.” However, in the unlikely event that the victim doesn’t call the number, but instead views and pays the invoice, the scammer has just pilfered $500 from the victim’s pocketbook.

Amusingly, the fine print at the bottom (actually written by PayPal) says, “Emails from PayPal will always contain your full name.” The e-mail begins with “Hello, Invoice From Bitcoin Exchange,” meaning the scammer input the recipient’s name as “Invoice From Bitcoin Exchange.”

Other PayPal scams, not sent through PayPal’s service

Others report receiving scam e-mails that mimic PayPal, but that weren’t actually sent through PayPal servers. Instead, messages like the following rely on tricking a victim into calling a fraudulent call center for support.

Regardless of which style of scam you receive, don’t believe it, don’t call the number, and don’t attempt to pay it. Report the scam to PayPal if you wish (see below), or simply delete the e-mail.

Fake Geek Squad invoices

We recently did a thorough exposé on Best Buy Geek Squad scam invoices sent through Intuit’s QuickBooks service. Be sure to read that report for additional details about the scheme.

Over the past week, others have reached out to us about additional Geek Squad invoice scams that don’t originate from Intuit’s system. Nevertheless, their purpose is typically the same. The goal is to shock the recipient into thinking they would have to pay hundreds of dollars for a service they didn’t buy. Scammers hope to cause the recipient to panic and call for help, without stopping to consider that they may actually be calling a fraudster.

A recent fake Geek Squad invoice.

Interestingly, there has been a wide variety in appearance of these Geek Squad scam e-mails. Some use an old Geek Squad logo, while others use the current one. Some mention Best Buy (the store chain associated with Geek Squad services) and may include its logo, while others don’t.

Be sure to read our article about other recent Geek Squad scam e-mails for more information.

Fake “Geek Squad” emails: Call center scam leverages Intuit QuickBooks servers

Other fake invoice schemes: BEC, malware, and BBB

A new variation of the “business e-mail compromise” (BEC) category of mail fraud has recently become more common. Scammers may register a lookalike domain, and send an invoice to an employee, CCing “their boss.” Infosecurity Magazine reports that the trick is simple: the scammer has spoofed the boss’s e-mail address; it’s an intentional lookalike, designed to trick the employee. CNBC reports that similar schemes have even targeted the likes of a Shark Tank judge’s bookkeeper.

Ukraine’s Computer Emergency Response Team (CERT-UA) has recently warned about phishing and malware attacks associated with an anti-Ukrainian threat actor. Some of these e-mails may contain—yep, you guessed it—fake invoices, too. However, instead of being a simple call center scam, recent messages from this campaign contain attachments carrying Windows malware such as SmokeLoader, according to reports. CERT-UA says that more than 1,000 PCs were successfully infected following a fake-invoice e-mail attack on May 5.

The Better Business Bureau recently warned that some recent scam e-mails and phone calls fraudulently claim affiliation with the BBB, or a BBB Accredited Business.

How can I report these scammers?

For fake invoices that appear to have been sent through Intuit, you can forward them to [email protected]. However, as we noted in our previous article, Intuit’s invoicing service has been exploited to send scam invoices since at least December 2021, if not earlier. Given how long these scams have been ongoing, Intuit seems to only handle abusers on a case-by-case basis. The company does not appear to be doing much to proactively prevent scammers from abusing its system.

For fraudulent invoices that appear to come from PayPal, you can forward them to [email protected].

You can also report fake Norton invoices by forwarding them to [email protected]. Fake McAfee invoices can be forwarded to [email protected].

It’s also a good idea to forward scam and phishing e-mails to the U.S. Federal Trade Commission (FTC) at [email protected]. Additionally, you can CC the Anti-Phishing Working Group at [email protected]. The APWG is a coalition of international law enforcement agencies and tech companies that work together to take down identity thieves and fraudsters.

If you believe you’ve fallen victim to one of these scams, inform the FTC; go to ReportFraud.ftc.gov and fill out the form. You may also find it helpful to review Intego’s video about how to report scams before submitting your report.

How can I learn more?

For more details about recent fraudulent Geek Squad invoices, listen to (or read the transcript of) episode 287 of the Intego Mac Podcast; we discuss this scam from 15:26 to 20:27.

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Follow Intego on Twitter Follow Intego on Facebook Follow Intego on YouTube Follow Intego on Pinterest Follow Intego on LinkedIn Follow Intego on Instagram Follow the Intego Mac Podcast on Apple Podcasts

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which has often been featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon. View all posts by Joshua Long →