A new batch of fake payment invoices is being staged right now, and we caught the campaign while it was still being put together. The emails impersonate PayPal, Amazon, and Geek Squad, and others, and they all share one goal: to scare you into calling a phone number where a fake “support agent” is waiting.
What makes this wave unusual is that some of the templates we recovered still contained blank fields where the phone number and price should have been, while others were already complete and in circulation. We caught the campaign mid-rollout.
What’s the scam?
If you receive an email that looks like a receipt—“Your subscription renewed for $349,” “You sent a payment of $598.96”—and it tells you to call a number to cancel or dispute the charge, stop.
There is no charge. The email exists to get you on the phone with a scammer who will then try to talk you into handing over remote access to your computer, your card details, or a “refund” that somehow requires you to send them money.
This particular flavor is called a “phantom invoice” or “refund” scam, and the trick is psychological, not technical. That’s why these emails can often slip past spam filters: there’s often no malicious attachment or link for security systems to analyze. The scam is in the phone number you’re urged to call.
If you didn’t make the purchase, there’s no need to call the number in the email to cancel it. Real companies don’t pressure customers into resolving unexpected charges through unsolicited phone numbers.
The goal is simple: create enough concern to get you to call. You see a significant charge you don’t recognize, say $499, and your first instinct is to stop it. The invoice helpfully provides a number to call “if this wasn’t you.” So you call, and now you’re talking to the scammer.
From there, the conversation usually leads to one of a few outcomes. They may ask you to install software so they can “fix” the charge, giving them access to your computer. They may ask for your card or bank details to “process the refund.” Or they may “accidentally” refund too much and ask you to send the difference back, usually by gift card or bank transfer.
The invoice is just the bait, while the phone call is the trap.
These emails are convincing, and some are already reaching inboxes. The good news is that simply receiving one doesn’t put you at risk. The scam only works if it succeeds in getting you to call the number provided. If you recognize the message as fraudulent and delete it, the attack stops there.
If you did call the number and followed instructions from a scammer, run a virus scan and check your bank accounts. Change your critical passwords, enable multi-factor authentication (MFA), and make sure your security software is up to date.
How we caught it half-built
Most scam investigations start after the damage is done. This one was different. We came across a cluster of nearly identical invoice templates that were clearly part of the same kit, and several of them were incomplete.
Where a finished scam email would show a phone number, some of these showed the literal text #TFN# instead, which is just a placeholder. (“TFN” is the scammers’ shorthand for toll-free number, the callback line they route victims to.) Others left the price as #PRICE#, the date as #DATE#, and the recipient as #EMAIL#. These are merge fields—the blanks a bulk-sending tool fills in automatically before a campaign goes out.
Finding those placeholders still in place told us that the operation was still being assembled. Some templates were still half-finished, while others were already complete and carrying live callback numbers. We’d caught the campaign mid-rollout, between being built and fully launched.
Why these invoices look believable
The scammers use familiar brands such as PayPal, Amazon, and Geek Squad. They’re companies people expect to receive receipts and renewal notices from, which lowers suspicion.
The charges are also carefully chosen. Amounts in the few-hundred-dollar range are large enough to cause concern but still seem plausible as a subscription renewal or online purchase.
Many messages add urgency, telling recipients to call quickly to dispute or cancel the charge. This pressure is designed to stop people from verifying the transaction independently.
Some invoices even combine trusted brands, such as claiming a payment was sent through PayPal to Amazon. Referencing multiple well-known companies makes the message appear more credible.
How to spot a fake invoice
The good news is that these scams share warning signs. Once you know what to look for, they get a lot easier to catch. Watch for any of these:
- A charge you don’t remember making. If you don’t recognize the charge, verify it independently through your account or bank. If there’s no record of it, the invoice is likely a lure designed to get you to call.
- A ticking clock. “Call within 12 hours,” “cancel before it renews,” or “act immediately” provide fake urgency designed to stop you thinking. Real billing problems can wait while you check.
- Brands you trust, used as cover. The more familiar the logo, the less carefully people read. Scammers borrow trust they didn’t earn.
- Odd details that don’t quite fit. A PayPal email “from” Amazon, a stray address that belongs to no one, or slightly off wording. Trust the small things that feel wrong.
- Pressure to keep you on the phone. Once you call, a real company would never stop you from hanging up to verify, but a scammer will.
If even one of these is present, treat the whole message as suspicious.
Remember the single rule that defeats this entire scam: A genuine company will never rush you onto a call to undo a payment you never made. If you’re not sure whether a charge is real, close the email and check your account the normal way: by typing the company’s website into your browser yourself, or calling the number on the back of your bank card.
Pro tip: Malwarebytes Scam Guard can help spot scams like these and guide you in what to do next, while Browser Guard will block you from accessing scam websites.
What to do if one of these lands in your inbox
If you receive a suspicious invoice like the ones described here, take a few simple precautions:
- Don’t call the number. That’s the core of the scam. Legitimate refunds or cancellations don’t require you to call a number from an unsolicited receipt.
- Don’t reply or click anything. Treat the message as suspicious, even if it looks legitimate.
- Verify charges independently. If you’re concerned a charge might be real, log in directly to PayPal, your bank, or the retailer by typing the address yourself and reviewing your transaction history.
- Report it. Forward suspected phishing emails to the impersonated company’s abuse address and, in the US, report them to the FTC at
reportfraud.ftc.gov. Reporting helps disrupt scam operations. - If you already called, end the conversation. Don’t install any software they recommend. If you granted remote access or shared payment information, contact your bank immediately and run a trusted security scan on your device.
- Be wary of urgency. Phrases like “within 12 hours” or “cancel now” are designed to pressure you into acting before you think. Take the time to verify the claim independently.
Scammers are increasingly shifting to tactics that software can’t easily inspect. A phone number in an email is difficult for security tools to evaluate, and the actual scam happens over a phone call instead of through a malicious link or attachment.
That’s why finding this campaign during rollout matters. Instead of seeing the damage afterward, we got a look at the preparation: unfinished templates, incomplete details, and the scam kit before it was fully deployed.
The best defense is simple: if an unexpected invoice tells you to call a number immediately, stop and verify the charge independently first.
Indicators of compromise
Domains
invoicepdfin[.]xyz
invoicepdfus[.]xyz
invoicepdfusa[.]xyz
invoicerep[.]xyz
invoicestatement[.]xyz
invoicestm[.]xyz
Callback numbers
804-392-2793
801-640-8589
Something feel off? Check it before you click.
Malwarebytes Scam Guard helps you analyze suspicious links, texts, and screenshots instantly.
Available with Malwarebytes Premium Security for all your devices, and in the Malwarebytes app for iOS and Android.
Try it free →
