Fake invoice scams are still a major threat to enterprises — and they’re only going to get stealthier

Email security concept image showing a flurry of digitized mail symbols.
(Image credit: Getty Images)

Fake invoice scams remain a pervasive threat in 2024, according to a new study, with researchers warning that threat actors are ramping up efforts and fine-tuning their techniques. 

HP Wolf Security’s threat insights report for Q1 2024 found email-based social engineering attacks are still getting past enterprise email security measures, with 12% of email threats evading gateway security tools.

PDF-based email attacks, in particular, were a major risk to businesses in the first months of the year, according to HP Wolf Security, which found 11% of attacks caught by HP Sure Click in Q1 2024 were PDF files.

The report added that fake invoice scams aimed at enterprises are favored by attackers due to the number of businesses that send and pay invoices through email attachments, as well as the significant return on investment up for grabs if they are successful. 

Fake invoice scams were identified as a growing threat back as far back as 2018, and the new report shows cyber criminals have not soured on the technique and are continuing to refine their tactics.

Threat actors are using fake invoice scams to deliver malware

In one campaign highlighted in the report, hackers spreading the WikiLoader malware were found sending emails containing fake overdue PDF invoices, claiming to be from a logistics firm.

First identified in December 2022, WikiLoader is a sophisticated downloader form of malware that is used to load other malicious software onto a target system during an attack and can be paired with a number of other information stealers, wipers, or worms

It got its name due to its modus operandi of making requests to Wikipedia to confirm it had an internet connection and ensure it was not running inside a virtual machine or sandbox, and avoid being analyzed by security researchers.

If it aint broke dont fix it – but make it stealthier

HP Wolf Security observed threat actors employing a series of additional detection evasion techniques to help make sure their payload can execute the attack chain before being removed or quarantined.

WikiLoader typically operates using a PDF attachment containing a link that if clicked will download a ZIP file containing JavaScript to begin loading the final payload onto the system. 

The report noted the use of open redirect vulnerabilities to divert victims from legitimate sites to malicious ones hosting the malware. In addition, the JavaScript file used in recent campaigns has been obfuscated to disguise its malicious intentions.

The obfuscated JavaScript file downloads another JavaScript file, which downloads and extracts a ZIP file containing the malicious files to the user’s Temp directory.


Another stealth-oriented technique recorded by HP Wolf Security is its use of DLL sideloading using legitimate programs. Within the directory are installation files for Notepad++, which starts a legitimate, signed Notepad++ executable.

But when Notepad++ starts it loads a series of plugins, including the WikiLoader malware, hidden within a file named ‘mimeTools.dll’. The report explained that this technique is a practical way for hackers to make sure their malware is not caught by threat detection systems.

“This technique, DLL sideloading (T1574.002),6 is an effective way to bypass application control and reduce the risk of being caught by endpoint detection and response (EDR) and anti-virus tools.”

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.