Fake Sage accounting invoice email spreads malware

Those awfully nice people at Sage (a producer of popular accounting software) have been in touch, to let me know that I need to make a bank transfer… and the deadline is today!

Malicious invoice email

From: [email protected]
Subject: RE: Invoice #3902876

Message body:

Please remit BACs before 12/06/2014.

Please view complete invoice please click here

Well, I hate to be in debt and like to pay my bills on time – so let's see what happens if I click on the link.


Perhaps surprisingly, those awfully nice people at Sage have decided to use the cloud storage site Cubby (a Dropbox competitor) to host the invoice, which they have provided as a ZIP file.

ZIP of invoice


Hang on a minute – wasn’t it Invoice #3902876 earlier?

Inside the ZIP archive is another file, Invoice_00739287.scr.

If your alarm bells weren’t already triggering earlier in the process then they really should be by now. .SCR in a filename stands for screensaver, and it’s just a repackaged Windows executable file.
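A mail gateway or analyst can catch this kind of attachment before anyone double-clicks it. The following is an added example, not code from the original article: it lists a ZIP's members and flags any that carry a Windows-executable extension or begin with the `MZ` header. The extension list, the function names and the sample archive (harmless bytes) are assumptions constructed for illustration.

```python
import io
import os
import zipfile

# Extensions Windows runs as programs; .scr is the one used in this lure.
# Illustrative assumption, not an exhaustive list.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".cpl"}


def audit_zip(data: bytes) -> list:
    """Return one finding per archive member that looks like a Windows executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            # Password-protected members cannot be read, but their names are
            # still visible, so the extension check continues to work.
            encrypted = bool(info.flag_bits & 0x1)
            magic = b""
            if not encrypted:
                with zf.open(info) as fh:
                    magic = fh.read(2)  # DOS/PE executables start with "MZ"
            by_ext = ext in EXECUTABLE_EXTS
            by_magic = magic == b"MZ"
            if by_ext or by_magic:
                findings.append({"name": info.filename, "exec_ext": by_ext,
                                 "mz_header": by_magic, "encrypted": encrypted})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: only the names and the MZ prefix mimic the lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_00739287.scr", b"MZ" + b"\x00" * 62)  # name from the article
        zf.writestr("readme.txt", b"plain text")
        # Constructed case: executable content behind a document extension.
        zf.writestr("statement.pdf", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in audit_zip(build_sample_zip()):
        print(finding)
```

Checking the header as well as the extension matters because a renamed executable keeps its `MZ` signature whatever the filename claims.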

Bogus invoice

Hopefully you all know that running executable files of suspicious origin on your PC puts you at risk.

Is it possible that those awfully nice Sage people who contacted me are actually a terribly nasty bunch of online fraudsters attempting to infect my PC with malware?

I uploaded the file to VirusTotal, which showed me just under 50% of the products in their list identifying the file as a Trojan horse, most likely designed to grant hackers remote access to your computer and allow them to steal your banking information.

Spamming out bogus invoices is a typical social engineering trick used by cybercriminals in an attempt to infect your computer and gain access to your online bank account. Often the attackers will forge an email’s header information to pretend to come from a well-known company, and hide their true identity.

With hundreds of thousands of new malicious files discovered every day – more than one every second – it’s essential to keep your wits about you, and your security software updated.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

3 comments on “Fake Sage accounting invoice email spreads malware”

  1. Catherine Sheldon

    Hi Graham

    Sorry to hear you've had an email that looks like it's from us; you're right though it is a spoof or phishing email and isn't actually from us.

    We've heard of a few of these lately and if any of your readers are concerned that they've also received one then they should visit our blog post for some advice on how to identify spoof or phishing emails and what they can do with them.



    Catherine Sheldon
    Sage UKI

  2. SKEN

    Looks like this is back again. Word documents about an invoice from Sage One Accounting. When the victim clicks a button in the Word Document, the victim will be infected with a fileless Kovter malware. The Kovter malware is briefly written to disk at download but deletes itself after execution, establishes a persistence method using the registry, injects itself into the registry, and then deletes itself from disk.

  3. SKEN

    Looks like another variation on this delivered via email, with Word documents about an invoice from Sage One Accounting. When the victim clicks a button in the Word Document, the victim will be infected with a fileless Kovter malware.
