Security & Privacy

Throughout the past couple of years, we’ve continued to see more and more scams that leverage fake invoices or payment requests. Scammers often send them via legitimate services, such as Intuit QuickBooks, PayPal, Venmo, or Docusign to bypass e-mail spam filters.

The latest round of scams uses alleged payment requests or subscription purchases. Scammers may send these scams via one of the aforementioned services, or Payoneer, or even directly from Microsoft.

Here’s how you can recognize, avoid, and report these scams.

“Apple Inc sent you a payment request” fraud e-mail sent via Payoneer

First, let’s take a look at what a fake invoice or money request sent via Payoneer looks like.

“Apple Inc is requesting a payment… Here are the details of the payment request” fraudulent e-mail

If you get a payment request via Payoneer, the From address will be [email protected] and the subject will be something like “Apple Inc sent you a payment request.” But that doesn’t mean that the invoice or money request is legitimate; scammers often leverage real services like Payoneer to send scams.

First of all, if you don’t have any business relationship with the person or organization who allegedly sent the invoice, that should be your first red flag. Second, the amount is sometimes (but not always) scarily high; the main point of this is to cause the recipient to panic and act rashly.

And third, pay close attention to the “Description” section. In the example above, the note from the payment requestor says, “Your iPhone 16 Pro Max order is processed via PayPal. Due to security updates, transactions now use Payoneer. Contact PayPal at 1(888) 651-[redacted] for assistance or Payoneer to track your order.” The phone number belongs to the scammer who sent the message—NOT to Payoneer.

“Microsoft subscription purchase confirmation” fraud e-mail

Next, let’s take a look at another scam that might on the surface appear to be very different, sent directly via Microsoft. In a moment, we’ll explain how these two scams are related.

“Details of your subscription purchase [from] Microsoft 365 admin center… Pay now” fraudulent e-mail

How can you tell that this e-mail is fraudulent, if it really did come from Microsoft? Pay close attention to the supposed “Organization name,” which instead contains a ridiculously long and deceptive message:

Organization name: (Microsoft Corporation) .Your subscription has been successfully purchased for 689.89 USD using your checking account. If you did not authorize this transaction, please call 1(888) 651-[redacted] to request a refund.

Like with the Payoneer variation of the scam, this phone number won’t actually go to a legitimate customer support center. Rather, the scammer operates these phone numbers.

What is the common link between these scam e-mails?

While it might not be immediately obvious, both of these fraudulent e-mails are related and come from the same ring of fraudsters.

How can you tell? Take a look at the “To” e-mail address for both e-mails; it’s the same address, ending in @[redacted].onmicrosoft.com. What does this mean? It means that the e-mail address where you’re receiving these scam messages has been added to an e-mail distribution list group, as part of a Microsoft Office 365 for Business organization operated by the scammer.

A large number of people—including potential victims whose external e-mail addresses have nothing to do with the “business” domain set up by the scammers—can potentially be added to such an e-mail spam list.

Eventually, when Microsoft discovers that the Office 365 business domain is being used for fraud, they’ll likely shut it down; however, it may take some time before that happens. In the mean time, recipients of these scam e-mails may fall for some of the payment requests and get tricked into sending the scammers money. After Microsoft eventually shuts down the business domain, the scammers will simply create a new one and start all over again.

How can I report these scammers?

Here’s a quick chart of some legitimate organizations that are often exploited to send fraudulent e-mails. If you get fake invoices, payment requests, or subscription purchases that appear to have been sent by one of these companies, you can forward the e-mail to the relevant addresses below to report the scam:

It’s also a good idea to forward scam and phishing e-mails to the U.S. Federal Trade Commission (FTC) at [email protected]. Additionally, you can CC the Anti-Phishing Working Group at [email protected]. The APWG is a coalition of international law enforcement agencies and tech companies that work together to take down identity thieves and fraudsters.

If you believe you’ve fallen victim to one of these scams, inform the FTC; go to ReportFraud.ftc.gov and fill out the form. You may also find it helpful to review Intego’s video about how to report scams before submitting your report.

How can I learn more?

We’ve previously covered tons of similar scams; check out these articles for additional details:

• How to spot fake Apple security alerts via text, phone, email, or web
• Beware of fake package delivery texts and e-mails! Here’s what to look for
• Money request and invoice scams via PayPal, Venmo, and Docusign (Dec 2024)
• Fake “Geek Squad” invoice scam, now using Housecall Pro servers (Jan 2024)
• Fake invoice scams: Norton, McAfee, PayPal, and more (2023)
• Top 10 online scams to beware of: from malvertising to deepfake kidnappings

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels:       

About Joshua Long