Fake MYOB invoices land in thousands of email inboxes, as business owners warned “never click on the link”

SmartCompany, April 11, 2017

Business owners have once again been reminded to be on the lookout for suspicious emails, after thousands of fake invoices impersonating accounting company MYOB started hitting inboxes this week.

Antivirus software company Mailguard alerted users to the scam, which involves a legitimate-looking invoice being sent to email accounts that appears to come from accounting software provider MYOB.

Upon clicking the “view invoice” button, unsuspecting users are directed to a compromised Microsoft SharePoint website, which downloads malicious software. This software sets itself to run automatically as soon as Windows launches, and attempts to steal sensitive information from web browsers.

The email has been hitting “thousands” of email accounts per minute, with multiple variations featuring different company names and invoice amounts to attempt to fool antivirus software.

Between $6300-6400 is requested from business owners, with the invoices marked with a due date of April 10. Founder of IT support company Combo David Markus says this is a technique to catch people “snoozing after lunch”.

“They’re trying to get people to click now, knowing that if it’s left a few days it’ll be buried under a pile of emails,” Markus told SmartCompany.

“For the attackers, it’s a numbers game. If they get one person out of 1000 clicking on it, that’s a great result. They’re looking for someone who isn’t quite awake.”

 

Markus believes the best tactic in dealing with dodgy looking emails is to “never click on the link”, saying most emails that involve invoice reminders will tell you to visit a website rather than provide a link itself.

Deleting the email altogether is also a good move, says Markus, as he believes if it’s important it’ll be sent again.

“Googling the subject line of the email can also work, as that should bring up any notices online about the scam. Also, hover over any links in the email to make sure it’s sending you to a genuine location, not some foreign website,” he says.

The fraudulent MYOB email is well formatted and appears similar to a legitimate invoice, even linking to the real MYOB website in the body of the invoice.

However, keen eyes will notice the sender of the email is not MYOB itself, instead coming from a newly registered domain “myob-australia.com”.

A similar email asking for an invoice payment went out to thousands of recipients in early March, claiming to be a company name renewal letter from the Australian Securities and Investments Commission. Last year, the largest Australian data breach to date hit the Red Cross, with 1.3 million records leaking online.

Experts say the long-term impacts of cyber attacks across the country is significant: a report by Cambridge University and global insurance giant Lloyd’s released in November 2016 suggests cyber attacks over the next 10 years could cost the overall Australian economy $16 billion, with Sydney and Melbourne being pinned at the two cities with the most cyber risk.

Despite most email scams loading ransomware onto users computers and holding their files hostage, Markus believes the information-stealing malware included in this attempt can have even worse results.

“Collecting personal data can be even more malicious than ransomware because they could get control of your banking details,” he says.

“The easiest thing to teach people to protect themselves is to not click on links in emails.”

In a statement provided to SmartCompany, MYOB said its clients should be aware legitimate invoice emails would only come from the addresses “accountright [at] apps.myob.com” or “noreply [at] apps.myob.com”.

“We strongly recommend not clicking on links in messages that come from strange or unrecognised email addresses,” says Andrew Birch, General Manager Industry Solutions at MYOB.

“We’d also like to remind people to ensure they have good anti-virus protection installed, make sure their software is up-to-date and they have firewalls in place.”