TLDR
71% of organizations have been hit by payments fraud, and fake invoice emails are the primary delivery mechanism. Attackers send emails with PDF attachments that appear to be legitimate invoices but actually deliver malware, including the AsyncRAT trojan, through virtual hard disk (.vhd) files disguised as document attachments. ScamVerify™ cross-references every forwarded email against 74,032 URLhaus malicious domains and 60,758 ThreatFox indicators of compromise to catch these attacks before the payload executes. Of all fraudulent payment incidents, 44.8% originate from invoice or payment mandate scams.
The Invoice Fraud Landscape in 2026
Invoice fraud sits at the intersection of social engineering and malware delivery. It works because invoices are a routine part of business operations. Employees in accounts payable open PDF attachments every day. Attackers exploit this muscle memory.
| Metric | Value | Source |
|---|---|---|
| Organizations hit by payments fraud | 71% | AFP Payments Fraud Survey |
| Fraud from invoice/mandate scams | 44.8% | AFP |
| Average BEC wire request | $24,600 | Abnormal Security |
| Malicious domains tracked | 74,032 | URLhaus via ScamVerify |
| Threat indicators tracked | 60,758 | ThreatFox via ScamVerify |
| PDF-based malware delivery increase | 400%+ (2024-2026) | Palo Alto Unit 42 |
| Organizations lacking invoice verification | 54% | Proofpoint |
The 71% figure means that the majority of businesses have already experienced this attack type. The question is not whether your organization will receive a fake invoice email, but whether your team will recognize it before processing it.
How Fake Invoice Emails Deliver Malware
The Email Layer
The attack begins with an email that looks like a standard invoice notification. Common formats include:
- Vendor invoice: "Invoice #INV-2026-03847 attached - Due March 28"
- Payment confirmation: "Payment receipt for PO-4821 - please review"
- Overdue notice: "Second notice: Invoice #7293 past due - immediate action required"
- Statement: "Monthly statement from [Vendor Name] - February 2026"
The sender domain is either spoofed to match a known vendor or registered as a lookalike (e.g., acme-billing.com instead of acme.com). In some cases, attackers compromise a real vendor's email account and send the malicious invoice from the legitimate address, similar to the DocuSign account abuse pattern.
The Attachment Layer
The attached file appears to be a PDF invoice. However, several malicious variants exist:
| File Type | Disguise Method | Payload |
|---|---|---|
| .pdf with embedded JavaScript | Looks like a normal PDF | Executes script on open that downloads malware |
| .pdf.vhd (double extension) | Displayed as "Invoice.pdf" wherever known extensions are hidden (the Windows Explorer default) | Double-click mounts the virtual hard disk as a new drive; the executable inside is named and iconed as the invoice and runs when the user opens it |
| .pdf.html | Appears to be a PDF document | Opens a credential harvesting page in the browser |
| .zip containing .pdf.exe | "Invoice archive" with compressed attachment | Executable runs when the extracted "invoice" is opened |
| .iso disguised as .pdf | Shows PDF icon in file explorer | Double-click mounts the disk image; the lure file inside launches the malware |
The Virtual Hard Disk Technique
The most technically sophisticated variant uses virtual hard disk (.vhd or .vhdx) files. When a user double-clicks what they think is a PDF, Windows Explorer mounts the image as a new drive letter and opens it. Inside is an executable, or a shortcut that launches one, named and iconed to look like the invoice. Nothing runs until the user opens that inner file, but the user sat down to open an invoice, so the second click usually follows.
This technique bypasses several security layers:
- Email attachment scanning often treats a disk image as an opaque blob rather than unpacking it and inspecting the files inside
- Endpoint protection may not scan the contents of a mounted virtual drive on mount, only when the inner file executes
- Mark of the Web (MOTW) is not reliably propagated to files inside a mounted image, so SmartScreen and Office Protected View may treat the inner executable as a local file rather than a download
- With the Windows default "Hide extensions for known file types" enabled, Invoice.pdf.vhd is displayed as Invoice.pdf
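The attachment-layer checks described above can be automated before anyone opens the file: read the full filename rather than the icon, identify the container by its magic bytes rather than its extension, and look inside archives and PDFs. The script below is an added example written for this page, not ScamVerify code; the lure message it analyses is constructed inline, and the VHD and PE bytes are signature-only placeholders rather than real images or executables.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that never belong on a genuine invoice: disk images, scripts, executables.
DANGEROUS_EXTS = {"vhd", "vhdx", "iso", "img", "exe", "scr", "com", "js", "jse",
                  "vbs", "html", "htm", "lnk", "bat", "cmd", "msi"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}
# PDF name objects that trigger code or external actions when the document opens.
PDF_ACTIVE_CONTENT = re.compile(rb"/(JavaScript|JS|OpenAction|Launch|AA)\b")


def extension_parts(filename):
    """Lower-cased extension chain: 'Invoice.pdf.vhd' -> ['pdf', 'vhd']."""
    return [p.lower() for p in filename.split(".")[1:]]


def sniff_type(data):
    """Identify the real format from magic bytes, ignoring the filename entirely."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"MZ"):
        return "exe"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"vhdxfile"):
        return "vhdx"
    # VHD: 'conectix' footer in the last 512 bytes (dynamic images also copy it to offset 0).
    if data.startswith(b"conectix") or data[-512:].startswith(b"conectix"):
        return "vhd"
    # ISO 9660: primary volume descriptor at sector 16 (offset 0x8000) carries 'CD001'.
    if len(data) > 0x8006 and data[0x8001:0x8006] == b"CD001":
        return "iso"
    if re.search(rb"<\s*(!doctype|html|script)", data[:512], re.I):
        return "html"
    return "unknown"


def triage_attachment(filename, data):
    """Return human-readable findings for one attachment; an empty list means nothing odd."""
    findings = []
    exts = extension_parts(filename)
    real = sniff_type(data)
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
        findings.append(f"double extension .{exts[-2]}.{exts[-1]} "
                        f"(displayed as .{exts[-2]} when Windows hides known extensions)")
    if exts and exts[-1] in DANGEROUS_EXTS:
        findings.append(f"dangerous attachment type .{exts[-1]}")
    if real in ("exe", "vhd", "vhdx", "iso", "html") and (not exts or exts[-1] in DOCUMENT_EXTS):
        findings.append(f"claims to be a document but content is {real}")
    if real == "pdf":
        hits = sorted({m.decode() for m in PDF_ACTIVE_CONTENT.findall(data)})
        if hits:
            findings.append("PDF contains active content: " + ", ".join(hits))
    if real == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    inner = extension_parts(member.rsplit("/", 1)[-1])
                    if inner and inner[-1] in DANGEROUS_EXTS:
                        findings.append(f"archive member {member} is .{inner[-1]}")
        except zipfile.BadZipFile:
            findings.append("zip signature but archive is corrupt or crafted")
    return findings


def triage_message(raw):
    """Parse a raw RFC 5322 message and triage every attachment: {filename: findings}."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {
        (part.get_filename() or "(unnamed)"):
            triage_attachment(part.get_filename() or "", part.get_payload(decode=True) or b"")
        for part in msg.iter_attachments()
    }


def build_sample():
    """Constructed lure (not a real campaign) carrying three of the disguises from the table."""
    msg = EmailMessage()
    msg["From"] = "billing@acme-billing.com"
    msg["To"] = "ap@example.com"
    msg["Subject"] = "Invoice #INV-2026-03847 attached - Due March 28"
    msg.set_content("Please find the attached invoice.")
    # 1 KiB stand-in for a VHD: only the footer signature; a real image is megabytes.
    fake_vhd = b"\x00" * 512 + b"conectix" + b"\x00" * 504
    msg.add_attachment(fake_vhd, maintype="application", subtype="octet-stream",
                       filename="Invoice.pdf.vhd")
    fake_pdf = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction << /S /JavaScript "
                b"/JS (app.launchURL('http://example.invalid/x')) >> >> endobj\n%%EOF\n")
    msg.add_attachment(fake_pdf, maintype="application", subtype="pdf", filename="Invoice.pdf")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice.pdf.exe", b"MZ\x90\x00 placeholder, not a real PE")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Invoice_archive.zip")
    return bytes(msg)


if __name__ == "__main__":
    for name, findings in triage_message(build_sample()).items():
        print(name, "->", findings or ["clean"])
```

The signature checks are deliberately filename-independent: a .vhd renamed to .pdf still ends in the `conectix` footer, and a PE still starts with `MZ`. Treat any finding as a reason to route the message to a sandbox rather than a mailbox; the script classifies, it does not detonate.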
The AsyncRAT Payload
One of the most common payloads delivered through fake invoice PDFs is AsyncRAT, a remote access trojan. Once installed, AsyncRAT gives attackers:
- Full remote control of the infected computer
- Keylogging to capture passwords and banking credentials
- Screen capture to observe financial transactions in progress
- File exfiltration to steal documents, databases, and credentials
- Persistence through registry modifications and scheduled tasks
AsyncRAT infections frequently lead to secondary attacks: the stolen credentials enable BEC, the observed payment patterns inform future invoice fraud targeting, and the network access allows lateral movement to other systems.
Red Flags in Fake Invoice Emails
Even well-crafted fake invoices leave detectable signals:
Content Red Flags
- Invoice from an unknown vendor. Your accounts payable team should maintain an approved vendor list. Any invoice from a vendor not on the list requires verification before opening.
- Amount that does not match any purchase order. Legitimate invoices correspond to approved POs. A $3,847 invoice with no matching PO is suspicious.
- Urgency language. "Past due," "final notice," or "account will be sent to collections" in a first contact email is a pressure tactic.
- Generic addressing. "Dear Accounts Payable" instead of a specific person's name suggests a mass campaign, not a legitimate vendor relationship.
- Unusual payment instructions. Requests for payment via gift cards, cryptocurrency, wire to a new account, or through an unfamiliar payment portal.
Technical Red Flags
| Signal | What to Check | What It Means |
|---|---|---|
| File extension | Read the full filename (hover over the attachment or list it) rather than trusting the icon | .pdf.vhd, .pdf.exe, .pdf.html are all malicious; on Windows, turn off "Hide extensions for known file types" so the final extension is visible |
| File size | Compare to a typical invoice from that vendor | A one-page PDF invoice is usually well under 500KB; a disk-image container runs to megabytes even when its payload is tiny |
| Sender domain | Compare the exact domain, character by character, against the vendor master record | One-character differences, swapped letters, and added words or hyphens (acme-billing.com for acme.com) indicate a lookalike |
| Reply-To | Compare the Reply-To address with the From address | A mismatch routes replies to a different mailbox, usually the attacker's; some legitimate ticketing systems do this too, so confirm against the vendor record |
| Email headers | Forward the message as an attachment to scan@scamverify.ai so the original headers survive | SPF, DKIM and DMARC results stamped by your own mail server reveal unauthorized senders; an inline forward carries only the forwarding step's headers, and SPF alone also fails on legitimately forwarded mail, so DMARC alignment is the verdict that matters |
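The header checks in the table above are mechanical enough to script. The example below is added for this page and is not ScamVerify code: it parses a message, compares the Reply-To and From domains, flags a sender domain that imitates an approved vendor domain (prefix match or small edit distance after folding common homoglyph swaps), reads the spf/dkim/dmarc verdicts from the Authentication-Results header, and looks for urgency language in the subject. Both messages are constructed samples; the trusted vendor list and the `mx.example.com` authentication server are assumptions. The authentication verdicts are only trustworthy when they come from the original message headers as stamped by your own mail server, which is why an inline forward is not enough.

```python
import email
import re
from email import policy
from email.utils import parseaddr

URGENCY = re.compile(r"past due|final notice|immediate action|urgent|collections", re.I)

# Constructed lure (not from a real campaign). The Authentication-Results line is what
# the receiving MX (assumed here to be mx.example.com) stamped on arrival.
SAMPLE_EML = b"""\
From: "Acme Billing" <billing@acme-billing.com>
Reply-To: invoices@acme-billing-portal.net
To: ap@example.com
Subject: Second notice: Invoice #7293 past due - immediate action required
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=acme-billing.com; dkim=none; dmarc=fail header.from=acme-billing.com

Please remit payment today to avoid collections.
"""

# Constructed legitimate message from the approved vendor, for comparison.
CLEAN_EML = b"""\
From: Acme AR <ar@acme.com>
To: ap@example.com
Subject: Invoice 4821 for PO-4821
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=acme.com; dkim=pass header.d=acme.com; dmarc=pass header.from=acme.com

Invoice attached, matching PO-4821 issued last month.
"""


def sender_domain(header_value):
    """Domain part of an address header, lower-cased; '' if the header is absent."""
    return parseaddr(str(header_value or ""))[1].rsplit("@", 1)[-1].lower()


def normalize_label(label):
    """Fold common homoglyph substitutions (rn->m, 0->o, 1->l, vv->w) before comparing."""
    return label.lower().replace("rn", "m").replace("0", "o").replace("1", "l").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance; small-string DP is plenty for domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain, trusted_domains):
    """Return the trusted vendor domain that `domain` imitates, or None if exact or unrelated."""
    if domain in trusted_domains:
        return None
    label = normalize_label(domain.split(".")[0])
    for trusted in sorted(trusted_domains):
        t_label = normalize_label(trusted.split(".")[0])
        if len(t_label) < 4:
            continue  # too short to compare meaningfully
        if label.startswith(t_label) or edit_distance(label, t_label) <= 2:
            return trusted
    return None


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from the Authentication-Results headers."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I):
            verdicts.setdefault(mech.lower(), result.lower())
    return verdicts


def triage_headers(raw, trusted_domains):
    """Apply the header red-flag checks to a raw message; returns a list of finding strings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom = sender_domain(msg.get("From"))
    reply_dom = sender_domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    imitated = lookalike(from_dom, trusted_domains)
    if imitated:
        findings.append(f"sender domain {from_dom} resembles trusted vendor {imitated}")
    verdicts = auth_results(msg)
    failed = [f"{m}={verdicts.get(m, 'missing')}" for m in ("spf", "dkim", "dmarc")
              if verdicts.get(m) != "pass"]
    if failed:
        findings.append("authentication not passed: " + ", ".join(failed))
    if URGENCY.search(str(msg.get("Subject", ""))):
        findings.append("urgency language in subject")
    return findings


if __name__ == "__main__":
    for finding in triage_headers(SAMPLE_EML, {"acme.com"}):
        print("-", finding)
```

The lookalike check compares only the registrable label, so `acme-billing.com`, `amce.com` and `acrne.com` all resolve to `acme.com`; tune the distance threshold to your vendor list, since a threshold of 2 on very short names will match unrelated vendors.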
ScamVerify Detection Capabilities
Forward suspicious invoice emails to scan@scamverify.ai for automated analysis. ScamVerify checks multiple threat intelligence layers:
| Check | Data Source | What It Catches |
|---|---|---|
| Link analysis | 74,032 URLhaus domains | Malicious download URLs embedded in fake invoices |
| Threat indicators | 60,758 ThreatFox IOCs | Known malware delivery infrastructure (IPs, domains, hashes) |
| Sender reputation | FTC Consumer Sentinel | Domains associated with prior fraud campaigns |
| Authentication | Email header analysis | SPF/DKIM/DMARC failures revealing unauthorized senders |
| Content patterns | AI analysis | Manipulation tactics matching known invoice fraud templates |
You can also paste the email content directly at the ScamVerify email checker for analysis without forwarding. For the most thorough results, forward the message as an attachment rather than inline: an inline forward rewrites the headers and drops attachment metadata, while an attached copy preserves the original headers, the authentication results stamped by your mail server, and the attachment details.
Protecting Your Organization
Email Security
- Block dangerous attachment types. Configure your email gateway to strip or quarantine .vhd, .vhdx, .iso, .img, .exe, .scr, .js and .lnk files, and apply the same rule to those types inside archives. Also block double extensions like .pdf.html and .pdf.vhd, matching on the full filename rather than the declared content type.
- Enable attachment sandboxing. Advanced email security tools detonate attachments in a sandbox environment before delivering them to the inbox; make sure the sandbox mounts disk images and opens archives rather than passing them through as unknown types.
- Implement DMARC. Publish a DMARC record with p=reject for your own domains so receivers that enforce it refuse direct spoofing of your addresses. This does not stop lookalike domains or mail sent from a compromised vendor account; those still need sender verification and the invoice controls below.
Invoice Verification Process
- Three-way matching. Every invoice must match a purchase order and a receiving document before payment. An unsolicited fake invoice has no PO and no receipt, so it cannot pass this control and never reaches payment. Matching protects the payment, not the workstation: the attachment may already have been opened by the time the invoice is rejected, so this complements the email and endpoint controls rather than replacing them.
- Vendor master verification. Maintain an approved vendor list with verified contact information and banking details. Any invoice from an unapproved vendor goes to a verification queue, not to payment.
- Separate payment change channel. Changes to vendor banking details must be confirmed via phone to a number on the original signed contract. Never accept banking changes via email.
Employee Training
- Accounts payable focus. Train AP staff specifically on fake invoice tactics: double extensions, urgency pressure, lookalike domains, and suspicious payment instructions.
- Attachment handling. Establish a policy: never open attachments from unknown senders. For known senders, verify unexpected invoices before opening.
- Reporting culture. Make it easy and consequence-free for employees to report suspicious invoices. A false alarm is infinitely cheaper than a successful attack.
Technical Hardening
- Disable double-click mounting of disk images. Windows has no single policy switch for this. On Windows 8 and later, Explorer mounts .iso, .img, .vhd and .vhdx on double-click through the Windows.IsoFile and Windows.VhdFile file associations; reassociating those extensions with a harmless viewer (or removing the mount verb from those ProgIDs) through Group Policy Preferences stops the one-click mount while leaving Disk Management and PowerShell's Mount-DiskImage available to administrators.
- Application control. Use AppLocker or Windows Defender Application Control (WDAC) to allow only approved executables, so an unsigned binary launched from a mounted image or a temp folder is blocked even after a user opens it.
- Network segmentation. Isolate finance department systems so that a compromised workstation cannot access broader company resources.
FAQ
How can a PDF file install malware?
Modern PDF files can contain embedded JavaScript, links to external resources, and open actions that execute when the document is opened, so a PDF reader with JavaScript enabled is itself an attack surface; disabling JavaScript in the reader removes that vector. More dangerous variants use double file extensions (Invoice.pdf.vhd) where the actual file is a virtual hard disk or executable, but the email client or file explorer displays only the first extension. When you "open the PDF," you are actually mounting a disk image or running an executable, and no PDF reader setting helps.
What is AsyncRAT and why should I care?
AsyncRAT is a remote access trojan that gives attackers complete control of your computer. They can log your keystrokes (capturing every password you type), watch your screen, steal files, and use your computer as a launching point for further attacks within your network. It is commonly delivered through fake invoice emails because finance personnel are high-value targets with access to payment systems.
Our company uses a cloud invoicing platform. Are we still at risk?
Yes. Attackers send fake invoice emails that bypass your platform entirely. Even if your legitimate vendors submit invoices through a cloud portal, a well-crafted phishing email with an "urgent invoice" attached can trick an employee into opening it. The defense is procedural: any invoice received via email (outside your normal portal) should be flagged for manual verification.
How can I check if an invoice email is legitimate without opening the attachment?
Forward the entire email to scan@scamverify.ai without opening any attachments. ScamVerify will analyze the sender, domain, links, and email headers. Separately, contact the vendor directly using contact information from your records (not from the email) to verify whether they sent the invoice. Never open the attachment before verifying the sender.
What should I do if I already opened a suspicious PDF invoice?
Disconnect the machine from the network (unplug the cable or disable Wi-Fi) to cut any malware off from its command-and-control server, but do not power it off or reimage it until IT has captured what it needs; memory, logs and the attachment itself are evidence. Notify IT or security immediately so they can isolate the system, check for lateral movement, and hunt for the same attachment in other mailboxes. Change the passwords you used on that computer from a different, clean device, prioritizing banking and payment-system accounts and any credentials saved in the browser, and run a full endpoint scan once IT clears the machine for it.
Received a suspicious invoice email? Forward it to scan@scamverify.ai or check it at the ScamVerify email checker. Do not open any attachments until the email is verified.