A major cloud-accounting provider is being impersonated in a malicious new email scam.

The email, delivered to thousands of inboxes in a sustained attack, attempts to imitate an Intuit QuickBooks invoice. Its aim is to trick recipients into clicking a malware-laden link.

The email asks the recipient to download and view an invoice. Clicking the link directs users to a malicious website which downloads a JavaScript file.

Three variants of the scam have used slightly different sending addresses to bombard inboxes in the past 24 hours in an unusually persistent and evolving attack.

The scam trades on the recognisable name and trusted reputation of QuickBooks, used by small and medium businesses around the world.

MailGuard CEO Craig McDonald said this type of malware had the potential to be crippling.

“Scams of this nature typically attempt to steal valuable data like usernames and passwords, sensitive banking and financial information, or in some cases a Trojan will lay dormant allowing the attacker access to data at a future date,” he said.

“As accountants, bookkeepers and financial professionals, Intuit QuickBooks users and their customers are particularly attractive to cybercriminals who know that they hold access to valuable financial information for company payrolls, invoicing, and the like.”

This latest scam appears as an invoice from a company that uses Intuit QuickBooks to generate its invoices, and features the software company’s logo. The sending address is  quickbooks@notificationintuit.com, which is similar to the company’s real invoicing address, but the domain used was only registered yesterday.

The email has an invoice number, the date, an amount owing and a link to download the invoice. Clicking the link directs users to a malicious website that downloads a Trojan to their computer.

Here’s what the fake invoice looks like:


The danger of this type of scam is that it’s not just customers of the impersonated company who might fall victim.

This is because similar emails are sent out thousands of times a day by companies that use QuickBooks for invoice generation.

Here’s how a legitimate invoice generated by QuickBooks appears:


Note the PDF attachment rather than a link away from the email. Housing the malicious content away from the email body makes it easier for the cybercriminals to evade scam detection.


An easy way to check potentially-suspicious emails is to hover your mouse over the sender’s address. This will reveal more about the real sending domain. The most realistic scams register a domain very similar to the correct one.

Why Trojans pose a massive risk to businesses large and small

Trojans sit quietly in the background, and will take actions not authorised by the user, such as modifying, stealing, copying or even deleting data.

This type of malware is most dangerous because the user may not notice it running in the background until such time they are made aware – this can sometimes be weeks or even months after the event.

For a few dollars per staff member per month, add MailGuard’s cloud-based email and web filtering solution to your business security. You’ll significantly reduce the risk of new variants of malicious email from entering your network.

Our benchmarking shows that MailGuard is consistently two to 48 hours ahead of the market in preventing new attacks.

Find more tips on identifying email scams by subscribing to MailGuard’s blog.

Keep up to date on the latest email scams by subscribing to MailGuard’s weekly update or follow us on social media.

Keep Informed with Weekly Updates

Breaking: Cybercriminals impersonate Intuit QuickBooks client in invoice scam