Avanan spots Quickbooks domain being abused by malicious actors

(Image Credit: Ivan Samkov on Pexels)

Researchers from Avanan, a Check Point subsidiary, have spotted malicious actors misusing the Quickbooks domain. They are using the domain’s reputation to make their emails look legitimate. For some users, this may be enough to persuade them to interact with the attackers.

This research focuses on the abuse of the Quickbooks domain by creating a free email account. That account is then used to send malicious invoices and request payments. Interestingly, the emails use the Quickbooks domain, but the attackers double down by abusing other trusted brands.

Jeremy Fuchs, cybersecurity researcher/analyst at Avanan (Image Credit: LinkedIn)

According to Jeremy Fuchs, cybersecurity researcher/analyst at Avanan, “In this attack, hackers are presenting what looks like an invoice for Norton. The email comes from a Quickbooks domain. That is because the hackers have signed up for a Quickbooks account, and are sending an invoice from that account.

“It presents an invoice and encourages you to call if you think there are any questions. When calling the number provided, they will ask for credit card details to cancel the transaction. Note that the number is one associated with such scams, and the address doesn’t correlate with a real one.”

How does this work?

According to Fuchs, the problem starts with the attackers creating an email account on the Quickbooks domain. It is a feature that Quickbooks has made available to customers for free. Because Quickbooks.com is a highly trusted domain, emails that come from it are not blocked by email filters or security software. It means that the email lands in the inbox of the intended target.

Fuchs describes the emails as “classic social engineering tactics, such as urgency and monetary damages.” The goal is to bully the recipient into thinking that they must act immediately to stop further action. This can be through the threat of court action or additional costs if invoices are not paid immediately.

To give the email legitimacy, a phone number is always included. It is a live number and will be answered by the attackers if called. Unless the caller withholds their number, the attackers can link the caller’s number to the victim. Fuchs calls this phone number harvesting. It allows the attackers to exploit the harvested number later via text message or WhatsApp.

For the attackers, there are two goals:

  1. Make the user call the listed telephone number
  2. Make the user pay the invoice

While either is a win, there will be people who call the number and then make the payment. They will potentially end up being victims of multiple scams.

Enterprise Times: What does this mean?

On the face of it, this is a pretty simple attack enabled by Quickbooks allowing anonymous, free email accounts that send from its domain. Using the Quickbooks reputation to get through security gives the attackers an air of authenticity. That is important when launching attacks like this.

For the potential victims, there are some things to consider to stay safe:

  • Refer any invoices to accounting teams to ensure they are for valid purchases
  • Use online services such as Who Called Me. These do a reverse lookup on the number and allow people to comment on whether it is real or a number used for scams and hoaxes.
  • If unsure about the email, get IT to check the validity of the email address

All of the above makes sense for companies with separate accounts teams and IT departments. However, if you are a sole trader or small business with no dedicated teams, looking up the number is a quick way to see if it is potentially a scam. Also, talk to other people before making the call. If the invoice is for goods, even in a small business, someone will know if there was really an order placed.
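The checks above can be turned into a simple triage step for an accounts team. The point of this attack is that the sending domain is genuine, so a domain or SPF-style check alone passes; what stands out is that the email bills for one brand (Norton) while arriving from another (Quickbooks), carries a callback number that is not a known vendor number, and leans on urgency. The following Python script is an added example written for this article, not code from Avanan or Enterprise Times. The vendor directory, the sample emails and every phone number in it are constructed placeholders; a real deployment would replace them with numbers verified against the vendor’s own website or an existing contract.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed vendor directory: which sending domains and support numbers each
# brand is expected to use. The domains are the vendors' public ones; the phone
# numbers are hypothetical placeholders an accounts team would replace with
# values verified out of band (contract, vendor website, previous invoices).
VENDOR_DIRECTORY = {
    "quickbooks": {"domains": {"quickbooks.com", "intuit.com"}, "phones": {"18005550100"}},
    "norton": {"domains": {"norton.com"}, "phones": {"18005550200"}},
}

# Pressure language the article describes: deadlines, court action, extra costs.
URGENCY_PATTERNS = [
    r"\bimmediately\b", r"\bwithin \d+ hours?\b", r"\blegal action\b",
    r"\badditional (?:fees|costs)\b", r"\bcourt\b",
]

# Loose phone-number pattern: a leading digit, then digits/separators, then a digit.
PHONE_RE = re.compile(r"\+?\d[\d ().-]{7,}\d")

# Constructed sample of the invoice scam: genuine Quickbooks sending domain,
# but the bill is for a different brand and carries an unknown callback number.
SCAM_EMAIL = """From: "Norton Billing" <no-reply@quickbooks.com>
To: accounts@example.test
Subject: Invoice 88421 - payment due immediately

Your annual Norton subscription of $349.99 has been renewed.
If you did not authorise this charge, call +1 555 010 4242 within 24 hours
to cancel, or legal action and additional fees will follow.
"""

# Constructed sample of an invoice whose brand, domain and number all agree.
CONSISTENT_EMAIL = """From: "Norton" <billing@norton.com>
To: accounts@example.test
Subject: Your Norton renewal receipt

Thank you for renewing. Questions? Call +1 800 555 0200.
"""


def digits_only(number: str) -> str:
    """Normalise a phone number to its digits so formatting differences do not matter."""
    return re.sub(r"\D", "", number)


def triage(raw_message: str) -> dict:
    """Return the facts an accounts team would want before paying or calling."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower()
    body = msg.get_payload()  # plain-text sample; multipart mail would need walking
    text = " ".join([display_name, msg.get("Subject", ""), body]).lower()

    # Which brand actually sent this, and which brands the message talks about.
    sender_brands = {b for b, v in VENDOR_DIRECTORY.items() if sender_domain in v["domains"]}
    brands_mentioned = sorted(b for b in VENDOR_DIRECTORY if b in text)
    # A brand named in the mail that does not send from this domain is the core tell.
    brand_mismatch = sorted(
        b for b in brands_mentioned if sender_domain not in VENDOR_DIRECTORY[b]["domains"]
    )

    # Callback numbers not on file for any vendor need a reverse lookup before calling.
    phones = sorted({digits_only(m.group()) for m in PHONE_RE.finditer(body)})
    known_phones = set().union(*(v["phones"] for v in VENDOR_DIRECTORY.values()))
    unknown_phones = [p for p in phones if p not in known_phones]

    urgency_cues = [p for p in URGENCY_PATTERNS if re.search(p, text)]

    verdict = (
        "refer to accounts team"
        if brand_mismatch or unknown_phones
        else "consistent with vendor records"
    )
    return {
        "sender_domain": sender_domain,
        "sender_trusted": bool(sender_brands),  # True for the scam too: that is the problem
        "brands_mentioned": brands_mentioned,
        "brand_mismatch": brand_mismatch,
        "phone_numbers": phones,
        "unknown_phone_numbers": unknown_phones,
        "urgency_cues": len(urgency_cues),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, sample in (("scam", SCAM_EMAIL), ("consistent", CONSISTENT_EMAIL)):
        print(label, triage(sample))
```

Note that `sender_trusted` is True for the scam message as well, which is exactly why a filter keyed on the sending domain lets it through; the decision rests on the brand mismatch and the unrecognised number, and the verdict is to route the invoice to the accounts team rather than to block or to call.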

Above all, do not get pressured into making payments without doing checks first. If you do, banks may not refund any monies once the scam is uncovered.

