{“lastseen”:”2026-06-03T20:05:07″,”description”:”A new batch of fake payment invoices is being staged right now, and we caught the campaign while it was still being put together. The emails impersonate PayPal, Amazon, and Geek Squad, and others, and they all share one goal: to scare you into calling a phone number where a fake \\”support agent\\” is waiting.\\n\\nWhat makes this wave unusual is that some of the templates we recovered still contained blank fields where the phone number and price should have been, while others were already complete and in circulation. We caught the campaign mid-rollout.\\n\\n## What’s the scam?\\n\\nIf you receive an email that looks like a receipt\u2014\u201cYour subscription renewed for $349,\u201d \u201cYou sent a payment of $598.96\u201d\u2014and it tells you to call a number to cancel or dispute the charge, stop.\\n\\nThere is no charge. The email exists to get you on the phone with a scammer who will then try to talk you into handing over remote access to your computer, your card details, or a \u201crefund\u201d that somehow requires you to send them money.\\n\\n * \\n * \\n * \\n * \\n\\n\\n\\nThis particular flavor is called a \u201cphantom invoice\u201d or \u201crefund\u201d scam, and the trick is psychological, not technical. That’s why these emails can often slip past spam filters: there\u2019s often no malicious attachment or link for security systems to analyze. The scam is in the phone number you’re urged to call.\\n\\nIf you didn\u2019t make the purchase, there\u2019s no need to call the number in the email to cancel it. Real companies don\u2019t pressure customers into resolving unexpected charges through unsolicited phone numbers.\\n\\nThe goal is simple: create enough concern to get you to call. You see a significant charge you don’t recognize, say $499, and your first instinct is to stop it. The invoice helpfully provides a number to call \\”if this wasn’t you.\\” So you call, and now you’re talking to the scammer.\\n\\nFrom there, the conversation usually leads to one of a few outcomes. They may ask you to install software so they can \\”fix\\” the charge, giving them access to your computer. They may ask for your card or bank details to \\”process the refund.\\” Or they may \\”accidentally\\” refund too much and ask you to send the difference back, usually by gift card or bank transfer.\\n\\nThe invoice is just the bait, while the phone call is the trap.\\n\\nThese emails are convincing, and some are already reaching inboxes. The good news is that simply receiving one doesn\u2019t put you at risk. The scam only works if it succeeds in getting you to call the number provided. If you recognize the message as fraudulent and delete it, the attack stops there.\\n\\nIf you did call the number and followed instructions from a scammer, run a virus scan and check your bank accounts. Change your critical passwords, enable multi-factor authentication (MFA), and make sure your security software is up to date.\\n\\n## How we caught it half-built\\n\\nMost scam investigations start after the damage is done. This one was different. We came across a cluster of nearly identical invoice templates that were clearly part of the same kit, and several of them were incomplete.\\n\\nWhere a finished scam email would show a phone number, some of these showed the literal text `#TFN#` instead, which is just a placeholder. (\\”TFN\\” is the scammers’ shorthand for toll-free number, the callback line they route victims to.) Others left the price as `#PRICE#`, the date as `#DATE#`, and the recipient as `#EMAIL#`. These are merge fields\u2014the blanks a bulk-sending tool fills in automatically before a campaign goes out.\\n\\nFinding those placeholders still in place told us that the operation was still being assembled. Some templates were still half-finished, while others were already complete and carrying live callback numbers. We’d caught the campaign mid-rollout, between being built and fully launched.\\n\\n## Why these invoices look believable\\n\\nThe scammers use familiar brands such as PayPal, Amazon, and Geek Squad. They’re companies people expect to receive receipts and renewal notices from, which lowers suspicion.\\n\\nThe charges are also carefully chosen. Amounts in the few-hundred-dollar range are large enough to cause concern but still seem plausible as a subscription renewal or online purchase.\\n\\nMany messages add urgency, telling recipients to call quickly to dispute or cancel the charge. This pressure is designed to stop people from verifying the transaction independently.\\n\\nSome invoices even combine trusted brands, such as claiming a payment was sent through PayPal to Amazon. Referencing multiple well-known companies makes the message appear more credible.\\n\\n## **How to spot a fake invoice**\\n\\nThe good news is that these scams share warning signs. Once you know what to look for, they get a lot easier to catch. Watch for any of these:\\n\\n * **A charge you don\u2019t remember making.** If you don’t recognize the charge, verify it independently through your account or bank. If there’s no record of it, the invoice is likely a lure designed to get you to call.\\n * **A ticking clock.** \u201cCall within 12 hours,\u201d \u201ccancel before it renews,\u201d or \u201cact immediately\u201d provide fake urgency designed to stop you thinking. Real billing problems can wait while you check.\\n * **Brands you trust, used as cover.** The more familiar the logo, the less carefully people read. Scammers borrow trust they didn\u2019t earn.\\n * **Odd details that don\u2019t quite fit.** A PayPal email \u201cfrom\u201d Amazon, a stray address that belongs to no one, or slightly off wording. Trust the small things that feel wrong.\\n * **Pressure to keep you on the phone.** Once you call, a real company would never stop you from hanging up to verify, but a scammer will.\\n\\n\\n\\nIf even one of these is present, treat the whole message as suspicious.\\n\\nRemember the single rule that defeats this entire scam: A genuine company will never rush you onto a call to undo a payment you never made. If you\u2019re not sure whether a charge is real, close the email and check your account the normal way: by typing the company\u2019s website into your browser yourself, or calling the number on the back of your bank card.\\n\\n**Pro tip:**Malwarebytes Scam Guard can help spot scams like these and guide you in what to do next, while Browser Guard will block you from accessing scam websites. \\n\\n## What to do if one of these lands in your inbox\\n\\nIf you receive a suspicious invoice like the ones described here, take a few simple precautions:\\n\\n * **Don ‘t call the number. **That’s the core of the scam. Legitimate refunds or cancellations don’t require you to call a number from an unsolicited receipt.\\n * **Don ‘t reply or click anything. **Treat the message as suspicious, even if it looks legitimate.\\n * **Verify charges independently.** If you’re concerned a charge might be real, log in directly to PayPal, your bank, or the retailer by typing the address yourself and reviewing your transaction history.\\n * **Report it.** Forward suspected phishing emails to the impersonated company’s abuse address and, in the US, report them to the FTC at `reportfraud.ftc.gov`. Reporting helps disrupt scam operations.\\n * **If you already called, end the conversation.** Don’t install any software they recommend. If you granted remote access or shared payment information, contact your bank immediately and run a trusted security scan on your device.\\n * **Be wary of urgency.** Phrases like \\”within 12 hours\\” or \\”cancel now\\” are designed to pressure you into acting before you think. Take the time to verify the claim independently.\\n\\n\\n\\nScammers are increasingly shifting to tactics that software can’t easily inspect. A phone number in an email is difficult for security tools to evaluate, and the actual scam happens over a phone call instead of through a malicious link or attachment.\\n\\nThat’s why finding this campaign during rollout matters. Instead of seeing the damage afterward, we got a look at the preparation: unfinished templates, incomplete details, and the scam kit before it was fully deployed.\\n\\nThe best defense is simple: if an unexpected invoice tells you to call a number immediately, stop and verify the charge independently first.\\n\\n## Indicators of compromise\\n\\n### Domains\\n\\n`invoicepdfin[.]xyz`\\n\\n`invoicepdfus[.]xyz`\\n\\n`invoicepdfusa[.]xyz`\\n\\n`invoicerep[.]xyz`\\n\\n`invoicestatement[.]xyz`\\n\\n`invoicestm[.]xyz`\\n\\n### Callback numbers\\n\\n`804-392-2793`\\n\\n`801-640-8589`\\n\\n* * *\\n\\n### **Something feel off? Check it before you click. ** \\n\\n**Malwarebytes Scam Guard** helps you analyze suspicious links, texts, and screenshots instantly. \\n\\nAvailable with Malwarebytes Premium Security for all your devices, and in the Malwarebytes app for iOS and Android. \\n\\nTry it free \u2192”,”published”:”2026-06-03T18:05:19″,”modified”:”2026-06-03T18:05:19″,”type”:”malwarebytes”,”title”:”We found this fake-invoice campaign while scammers were still building it”,”source”:””,”references”:””,”id”:”MALWAREBYTES:25837C9966B4BAC9D5751BE5031B9FC8″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.malwarebytes.com\/blog\/threat-intel\/2026\/06\/we-found-this-fake-invoice-campaign-while-scammers-were-still-building-it”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-06-03T20:05:07″,”description”:”A new batch of fake payment invoices is being staged right now, and we caught the campaign while it was still being put together. The…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-59553","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n