QuickBooks Scams. PHOTO: Cybercrime Magazine.

How To Protect Against QuickBooks Scammers

Financial stakes are high. Strict policies are essential.

David Braue

Melbourne, Australia – Feb. 18, 2022

As a well-regarded cybersecurity expert, Roger Grimes likely has a better-developed sense of risk than most people — yet when he received an unexpected invoice sent by a service provider’s QuickBooks invoicing system, he still had to pause long enough to confirm its veracity before paying it.

“It was from a vendor that I knew and they had done some work for me,” he recently told Cybercrime Magazine, “but they hadn’t told me to expect an invoice from QuickBooks in your email — so I was dubious, and I did my due diligence.”

That due diligence involved, for example, checking the destination URL of the Pay button — which went to QuickBooks provider Intuit Software, and not to his own vendor — and closely examining the email header to ensure it was coming from a legitimate domain.

Confirming the domain’s legitimacy is now possible through use of the SPF, DKIM and DMARC anti-phishing standards — which provide attestation that an email is actually coming from the domain it claims to be coming from.

In this case, confirming the origin domain was important because Grimes could verify that the reply email address, although different from the vendor that sent him the invoice, was in fact Intuit’s correct domain.

“That’s really the ultimate check,” he said, “Because I was able to say ‘OK, it’s from a vendor.’”

Also reassuring was the fact that the invoice correctly referenced work that had been done for Grimes — in this case, washing his boat — and that it was not using any methods to pressure him into paying sooner.


Cybercrime Radio: How To Cyber Protect QuickBooks

Don’t expose your accounting system


“If it was a spam phishing email, they would have some generic description of work performed for Roger,” he said. “But it did arrive unexpectedly. The vendor was asking me to do something they’d never done before, which is to pay this invoice to QuickBooks. And while I was really caught up thinking this might be a phishing email, I did my due diligence.”

Everyone has a weakness

As data-driven defense evangelist with security firm KnowBe4, Grimes — who offers a one-hour webinar detailing how to examine an email header for deception — is more aware than most of the long history of scammers exploiting QuickBooks.

The accounting platform is used by over 8 million people worldwide and has strong brand recognition.

As a result, QuickBooks-based scams have notably been used to target victims in 2016, 2018, 2020, and this year — and many other times in-between.

The problem has become so common that even Intuit has had to warn its users, with one recent scam disguising malware-laden links within a faked renewal notice that warned customers’ databases would be corrupted or backup files removed automatically if they didn’t pay up.

Scammers have proven to be nothing if not flexible — and they often hit upon victims with entirely legitimate reasons for getting sucked in.

Grimes recalls speaking to one man who got an email saying his automated payment had failed and that he needed to make a payment using gift cards or they would turn his electricity off in an hour or two.

Turns out he was managing bills for his elderly mother, who was in hospital undergoing cancer therapy — and while her son initially thought the email was a mistake, Grimes recalled, he said, “I’ll take care of this really quickly because I can’t take her back to her home and not have electricity — she’s just gone through cancer treatment.”

Then there was the woman who thought her husband’s habit of missing payments had destroyed their credit, to the point where creditors would only accept gift cards.

“Each person had their own personal dilemma about why this particular request seemed more plausible,” Grimes said, noting that scammers regularly “change up their technique.”

This flexibility is part of the reason business email compromise (BEC) has become so successful for cybercriminals, who have proven remarkably flexible in adapting their scams to be just real enough to slip past their victims’ skepticism.

“Many spear-phishing attempts come when they’ve learned about some pending business deal or something that will give it more credibility,” Grimes said, “so that business deal that you’re reading about is something that your boss is actually involved in.”

BEC has proven so effective that the FBI placed losses to those scams at over $26b between 2016 and 2019 — and that was before the COVID-19 pandemic provided cybercriminal scammers with a whole new vocabulary to deceive health-conscious employers with orders of PPE, hand sanitizer, rapid antigen tests, working from home issues, and more.

How to fight back

Fighting back against scammers — and, in particular, BEC scammers where the financial stakes are much higher — requires buy-in across the board, as well as tough policing of the powers given to people with the right to make payments on a company’s behalf.

That includes a strict policy that nobody in the company will buy anything based on emailed instructions, unless they get verbal confirmation from the purported source.

This can be easier said than done, particularly in the case of QuickBooks — which is used on a daily basis by millions of small business owners and accountants who take anything received using its brand as gospel.

Although building skepticism into the workforce takes time, Grimes recommends business owners — and, in particular, anyone with payment authority — be on the lookout for four key attributes of a scam email.

These include the email arriving unexpectedly; a request to do something for the sender that has never been done before; a sense of urgency by warning of what KnowBe4 calls “stressor events”; and, finally, a request to do something “that, if malicious, could harm you or your organization.”

“Any time you’re skeptical,” he added, “contact the requester on an otherwise previously known legitimate method…. And when in doubt, chicken out and don’t do it.”

David Braue is an award-winning technology writer based in Melbourne, Australia.

Go here to read all of David’s Cybercrime Magazine articles.