
Beware This Business Email Compromise Scam: Invoice Fraud with Malware

Business Email Compromise (BEC) scams are a sophisticated cybercrime that targets businesses and individuals by exploiting trusted communication channels. One particularly insidious variation involves the cybercriminal sending an email urging immediate payment of an invoice to avoid penalties. An especially damaging version of this scam involves an email that includes an Excel spreadsheet.

The Excel sheet confronts the target user with a popup that says, “Click to edit.” If the recipient clicks that link, it downloads advanced malware. The malware installs on the user’s computer, allowing the cybercriminal to steal the user’s credentials and capture other personal information. The insidious part is that the malware eludes detection by antivirus software. Furthermore, once the malware gets onto a computer, it is difficult to remove.

Consequences of Falling Victim

The consequences of falling victim to this type of BEC scam can be severe, including:

  • Financial Loss: Immediate financial loss due to unauthorized transfers and payments.
  • Data Breach: Loss of sensitive company information, including financial and personal employee information.
  • Operational Disruption: Malware can disrupt business operations by encrypting files, disabling systems, and causing widespread chaos.
  • Reputation Damage: A breach can lead to a loss of trust from customers, partners, and stakeholders.
  • Legal Repercussions: Companies may face legal action for failing to protect sensitive information adequately.


Organizations should take a broad, multi-faceted approach to prevent BEC scams, including technology, policies, and employee awareness. Core recommended steps include:

Email Security Measures: Implement robust filtering to detect and block phishing emails. Organizations should use email authentication protocols like SPF, DKIM, and DMARC to verify the legitimacy of incoming emails.

Multi-Factor Authentication (MFA): To add an extra layer of security, require MFA for accessing email accounts and other sensitive systems.

Regular Software Updates: Ensure all systems, including antivirus and anti-malware software, are regularly updated with the latest security patches.

Network Segmentation: Segment your network to limit the spread of malware and restrict access to sensitive information.

Incident Response Plan: Develop and regularly update an incident response plan to address and mitigate the effects of a security breach quickly.

The Critical AP Step: Staff Training

Conduct regular training sessions on recognizing phishing attempts and the dangers of clicking on unknown links or attachments. Accounts payable personnel must be wary of emails that create a sense of urgency or fear. Urgency and confidentiality are red flags that should always give a staffer pause. Watch out for phrases like “as soon as possible,” “penalties,” and other alarming language. Scammers commonly use such language to induce action before thought.

Also, never select “Enable Editing” or “Enable Content” on attachments from untrusted or unexpected sources. These are a common way malware infects a computer.

Finally, verify the legitimacy of any unexpected invoice or urgent payment request by directly contacting the company using known contact information. Establish and follow strict verification protocols for approving and processing payment transactions. Consider including dual authorization requirements for significant payments.
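The checks above can also be applied automatically before a message reaches an AP inbox. The following is an added example, not part of the original article: it reads the SPF, DKIM, and DMARC verdicts, looks for the urgency phrases named in this section, and flags Excel attachments. The function names, the constructed sample message, and the assumption that your mail gateway stamps an `Authentication-Results` header are illustrative.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

URGENCY_PHRASES = ("as soon as possible", "penalties")  # phrases the article names
EXCEL_EXTENSIONS = (".xls", ".xlsx", ".xlsm", ".xlsb")

def sample_message() -> str:
    """Constructed sample: an invoice lure, not a real captured email."""
    m = EmailMessage()
    m["From"] = "billing@vendor.example"
    m["To"] = "ap@company.example"
    m["Subject"] = "Invoice overdue"
    m["Authentication-Results"] = ("mx.company.example; spf=fail smtp.mailfrom=vendor.example; "
                                   "dkim=none; dmarc=fail header.from=vendor.example")
    m.set_content("Please pay as soon as possible to avoid penalties.")
    m.add_attachment(b"placeholder bytes", maintype="application",
                     subtype="octet-stream", filename="Invoice.xlsx")
    return m.as_string()

def triage(raw_message: str) -> list[str]:
    """Return the reasons a message should be held for manual AP verification."""
    msg = message_from_string(raw_message, policy=policy.default)
    reasons = []
    # SPF/DKIM/DMARC verdicts as stamped by the receiving gateway (RFC 8601).
    # Assumes the gateway strips any copies of this header supplied by the sender.
    stamped = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", stamped.lower()))
    for check in ("spf", "dkim", "dmarc"):
        if verdicts.get(check) != "pass":
            reasons.append(f"{check} not pass ({verdicts.get(check, 'missing')})")
    # Urgency language in the subject or plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content() if body is not None else ""
    text = f"{msg.get('Subject', '')} {body_text}".lower()
    reasons += [f"urgency phrase: {p!r}" for p in URGENCY_PHRASES if p in text]
    # Spreadsheet attachments are the delivery vehicle described in this article.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXCEL_EXTENSIONS):
            reasons.append(f"excel attachment: {name}")
    return reasons

if __name__ == "__main__":
    for reason in triage(sample_message()):
        print("HOLD:", reason)
```

A message that returns any reasons should go through the call-back verification described above rather than being paid from the email alone.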

Forewarned Is Forearmed

Business Email Compromise scams, particularly those involving urgent, apparently internal payment requests or fake vendor invoices with malware-laden attachments, pose a serious threat to businesses of all sizes. Understanding how these scams work and implementing robust preventative measures can help protect your organization from financial loss, data breaches, and operational disruptions. Regular employee training, advanced security technologies, and rigorous verification processes are vital in defending against these sophisticated cyber threats.

Contact us to learn how to avoid the use of emails in vendor onboarding and communication.
