Hackers Use Free Email Accounts from QuickBooks to Launch Spoofed Phishing Attacks

A new attack uses one brand's email domain to increase the chances of reaching an inbox, while spoofing another brand to trick users into transitioning to a vishing attack.

I’ve covered attacks involving the QuickBooks brand previously this year. An attack earlier this year impersonated the QuickBooks brand and targeted its users with an email informing potential victims that their account was being put on hold.

But a new attack identified by security researchers at Avanan takes a different approach while still taking advantage of the reputation of the QuickBooks brand: QuickBooks allows users to create free accounts, and those accounts have been used to send emails spoofing the Norton and Microsoft 365 brands. Because the mail originates from a legitimate sending domain, it stands a better chance of reaching the inbox.

The emails carry a fake invoice and invite the recipient to call a phone number if they have any questions.


Source: Avanan

Avanan researchers see this tactic as having two purposes:

  • The hackers obtain the victim's phone number, which can be used in future attacks, likely via text message or WhatsApp.
  • The hackers obtain credit card information from the victims, which has obvious nefarious uses.
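A simple triage check for the pattern described above, added here as an example that is not from the post or from Avanan: it flags mail that arrives from a legitimate third-party invoicing platform but is branded as a different company and asks the reader to call a number. The platform domain, the sample messages and the phone number are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Brands the post reports being impersonated in the invoice, mapped to the
# domain their own mail would normally come from.
BRAND_DOMAINS = {"norton": "norton.com", "microsoft 365": "microsoft.com"}
# Constructed placeholder for the legitimate invoicing platform's notification
# domain (the post does not name the actual QuickBooks sending domain).
INVOICE_PLATFORMS = {"notify.invoicing-platform.example"}
# North American style callback numbers, e.g. (555) 013-7700 or 555-013-7700.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

def analyze(raw: str) -> dict:
    """Flag invoice mail sent via a legitimate third-party platform but
    branded as another company and carrying a callback phone number."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload()  # plain-text single-part samples
    text = f"{display} {msg.get('Subject', '')} {body}".lower()
    claimed = {b for b in BRAND_DOMAINS if b in text}
    # Brand mismatch: the mail names a brand whose domain is not the sender's.
    mismatch = {b for b in claimed
                if not sender_domain.endswith(BRAND_DOMAINS[b])}
    phones = PHONE_RE.findall(body)
    findings = {
        "via_invoice_platform": sender_domain in INVOICE_PLATFORMS,
        "brand_mismatch": sorted(mismatch),
        "callback_number": bool(phones),
        "invoice_wording": "invoice" in text,
    }
    findings["suspicious"] = (findings["via_invoice_platform"]
                              and bool(mismatch) and bool(phones))
    return findings

# Constructed sample messages (not real captures).
SPOOFED = """From: Norton LifeLock <invoices@notify.invoicing-platform.example>
Subject: Invoice #48213 for Norton 360 renewal

Your annual subscription of $349.99 has been charged.
Questions? Call our billing desk at (555) 013-7700.
"""
LEGIT = """From: Acme Plumbing <invoices@notify.invoicing-platform.example>
Subject: Invoice #1007

Thanks for your business. Reply to this email with any questions.
"""
```

The same platform sends both messages, so sender reputation alone cannot separate them; the brand-versus-sender mismatch plus the callback number is what distinguishes the vishing lure.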

This attack demonstrates how anything that establishes credibility can be turned against unsuspecting users. Any email that delivers an unexpected message should be treated with suspicion, and users need to stay vigilant whenever they interact with email. That vigilance is maintained through continual Security Awareness Training designed to educate users to see these kinds of impersonation attacks for what they really are, before they fall prey to them.
