The new wave of phishing that we’ve talked a lot about is BEC 3.0. Essentially, it’s the ability for hackers to sign up for a free account somewhere, send out an invoice or other communication, and embed the malicious activity within that.

We’ve covered this ability in PayPal, Google and more.

Last year, we wrote about how hackers can do something similar in QuickBooks. Now, they’re back at it.  

In this attack brief, researchers at Avanan, a Check Point Software Company, will discuss how hackers are creating free accounts in Quickbooks and using it to steal money and information from end-users. 


In this attack, hackers are sending fake invoices from a legitimate Quickbooks domain. 

  • Vector: Email
  • Type: Credential Harvesting
  • Techniques: Social Engineering, BEC 3.0
  • Target: Any end-user

Email Example #1



This email comes directly from Quickbooks. It has a QuickBooks email address, meaning it will pass all SPF checks, domain checks and more. There’s nothing inherently wrong with the text, no malicious links. One thing that is off, however, is the phone number. Do a Google search of the phone number:

We always recommend that users do this, even if the number is legitimate. However, we are able to do what we call phone number scam protection, including these sorts of look-ups in our AI so your users aren’t caught flatfooted.


This is the only piece of information that might alert an eagle-eyed user that something is off. 

Remember, it's super easy to create and send invoices using free accounts in Quickbooks. Here's one we put together in a few minutes.




In BEC 3.0, all the typical phishing hygiene tricks are thrown out the window. You can’t see a discrepancy in the sender's address. The links are legitimate. The spelling and grammar are on point. You may question why they’re asking for a Norton LifeLock payment, but plenty of people use Norton LifeLock! And that goes for both consumers and businesses. 

In short, users have to scrutinize this email incredibly carefully. And let’s be honest–how many end-users do that? This requires a new wave of education for users. Hovering over links isn’t as helpful–now users have to be wary of all links. This requires a whole new approach. 

For security systems, it’s equally as tough. All the standard checks–domain, SPF, DMARC, etc–will pass. Many security services will see the Intuit domain and just send it through, no other checks done. There isn’t a newly created domain to look at. Natural language processing won’t do much good. This is what makes these attacks so incredibly tricky to stop. 

There’s more, too. By requiring the end-user to call to see what’s going on, the hackers then harvest the phone number, allowing them to use it for future attacks. We call this tactic phone number harvesting.

This attack then presents a one-two punch. The hackers receive money and have a phone number for future attacks, whether it’s via text message or WhatsApp.   

This attack works because of what hackers on the dark web call a double spear:

  • Make the user call the listed telephone number
  • Make the user pay the invoice


Security services will learn to adapt to BEC 3.0, just like they’ve done a good job of adapting to BEC 2.0. But hackers always try to stay one step ahead. This is the next wave.

For security services and users, this represents a major challenge

Best Practices: Guidance and Recommendations

To guard against these attacks, security professionals can do the following:

  • BEC attacks try to trick employees into taking a high-risk action (like sending money or sensitive information) without verifying the request. Implementing policies for these actions that require independent verification from a second employee can help to decrease the probability of a successful attack.
  • Google phone numbers
  • Educate employees on this new variant