Double spear phishing

Double spear attacks: What are they?

Cybercriminals send invoices using reputable accounting software. The objective is twofold: to trigger a credit card payment from the recipient, and to harvest the target’s personal information for use in identity-related crime.

Here’s how it works:  

Popular online accounting and payment platforms like PayPal and QuickBooks let customers register email addresses against cloud-based accounts. By creating such accounts with fake details, the scammer can send emails that look like they were sent from the domains of reputable, commonly used business invoicing software. Requests for payment, overdue invoices, and bogus statements from seemingly reliable addresses, like “quickbooks.intuit.com”, seem legitimate to many targets, and they click through.

Because the email really is sent by a known, legitimate service, it slips past standard email security filters and lands in the user’s inbox. Fake invoices from Norton and Microsoft 365 are common. The emails state that the target owes money or has recently paid for a subscription, and a phone number is provided for disputes.

The phone number takes callers to an operator who requests credit card details in order to cancel a transaction or make one (depending on the email sent). The goal is credit card fraud. The second prong involves harvesting the victim’s phone number for use in follow-on attacks via text message or WhatsApp.

How to protect yourself:

Exploiting the legitimacy of cloud domains for illegitimate purposes is not a new approach for scammers. Other cloud-based services like Evernote, Dropbox, Microsoft, and DHL have been exploited in a similar fashion. As organizations continue to support remote workers with cloud services and accounting applications, double spear attacks are on the rise.

The legitimate domain name is the main stumbling block: both email filters and recipients trust it, so the content of the message, not its sender, has to give the scam away.

  • Before calling any service, check your accounts to verify whether there were any charges on your credit cards. 
  • Always Google the phone number in an unsolicited invoice (and any phone number provided in any unsolicited email) to see if it’s associated with scams.
  • Consider using security software on your computer that scans email for phishing content.
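The warning signs above (a trusted invoicing domain, a charge or subscription the recipient does not recognise, and a phone number to call to dispute it) can be turned into a simple mail-triage heuristic. The following Python script is an added example, not code from the original article or from any vendor: it parses raw messages, records which signals fired, and flags the combination rather than any one signal, since a genuine invoice from the same platform must not be flagged. The platform domain list, the regular expressions and the three sample messages are constructed for the example; the phone numbers use the reserved 555-01xx range.

```python
"""Heuristic triage for invoice-themed phishing sent through legitimate
invoicing platforms (added example, not from the original article).

Signals, each harmless alone but suspicious together:
  * sender domain belongs to a real invoicing/payment platform
  * body talks about an invoice, charge or subscription
  * reader is told to CALL a phone number to dispute/cancel it
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Platforms whose notification mail the article says is abused.
# This list is an assumption for the example, not from the article.
INVOICE_PLATFORM_DOMAINS = {"intuit.com", "paypal.com"}

# Wording that characterises a bogus charge or subscription notice.
PAYMENT_TERMS = re.compile(
    r"\b(invoice|overdue|statement|subscription|renewal|charged|payment|"
    r"amount due|auto-?renew)\b", re.IGNORECASE)

# "Call/contact ... to dispute/cancel" is the hook that leads to the operator.
CALL_TO_ACTION = re.compile(
    r"\b(call|contact|dial|reach)\b[^.!?]{0,60}\b(dispute|cancel|refund|"
    r"support|billing|help ?desk)\b", re.IGNORECASE)

# North-American style numbers as they typically appear in these lures.
PHONE_NUMBER = re.compile(
    r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")


def sender_domain(msg) -> str:
    """Lower-cased domain of the From: address ('' if none)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def from_invoice_platform(domain: str) -> bool:
    """True if the domain is, or is a subdomain of, a known platform."""
    return any(domain == d or domain.endswith("." + d)
               for d in INVOICE_PLATFORM_DOMAINS)


def body_text(msg) -> str:
    """Concatenate all text/plain parts of the message."""
    chunks = []
    for part in msg.walk():  # walk() yields the message itself if not multipart
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            chunks.append(payload.decode(charset, "replace"))
    return "\n".join(chunks)


def triage(raw_message: str) -> dict:
    """Score one raw RFC 5322 message and return the signals that fired."""
    msg = message_from_string(raw_message)
    domain = sender_domain(msg)
    text = f"{msg.get('Subject', '')}\n{body_text(msg)}"
    phones = sorted({m.group(0) for m in PHONE_NUMBER.finditer(text)})
    payment = bool(PAYMENT_TERMS.search(text))
    call_to_dispute = bool(CALL_TO_ACTION.search(text))
    platform_sender = from_invoice_platform(domain)
    # The lure pattern: money talk + "call us" + a number to call.
    suspicious = payment and call_to_dispute and bool(phones)
    return {
        "sender_domain": domain,
        "invoice_platform_sender": platform_sender,
        "payment_language": payment,
        "call_to_dispute": call_to_dispute,
        "phone_numbers": phones,
        "suspicious": suspicious,
        # Suspicious AND sent via a real platform: reputation filters passed it.
        "platform_abuse": suspicious and platform_sender,
    }


# Constructed sample messages (not real mail).
LURE = """From: "QuickBooks" <quickbooks@notification.intuit.com>
To: victim@example.com
Subject: Invoice #4471 - Norton 360 subscription renewed
Content-Type: text/plain; charset=utf-8

Your Norton 360 subscription has been renewed and $349.99 was charged
to your card on file. If you did not authorize this payment, call our
billing team at 1-888-555-0142 to dispute the charge within 24 hours.
"""

BENIGN = """From: "QuickBooks" <quickbooks@notification.intuit.com>
To: victim@example.com
Subject: Invoice 1029 from Acme Landscaping
Content-Type: text/plain; charset=utf-8

Acme Landscaping sent you an invoice for $120.00 for lawn care in May.
You can view and pay the invoice online from your QuickBooks account.
"""

UNKNOWN_SENDER = """From: billing@example-billing.test
To: victim@example.com
Subject: Your Microsoft 365 subscription was charged
Content-Type: text/plain; charset=utf-8

Your Microsoft 365 subscription was charged $99.99 today.
Contact support at (800) 555-0199 to cancel.
"""

if __name__ == "__main__":
    for name, raw in (("LURE", LURE), ("BENIGN", BENIGN), ("UNKNOWN", UNKNOWN_SENDER)):
        print(name, triage(raw))
```

Running the script marks the first and third messages as suspicious, but only the first as platform abuse; the genuine QuickBooks invoice uses payment language from the same trusted domain and is left alone. In a mail gateway the `suspicious` result would be a reason to quarantine or banner the message, and the `phone_numbers` field is what an analyst would look up before anyone dials it.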