Invoice Scams Using Fake Email Threads (“Fabricated Threading”)

Overview

Invoice scams are a type of targeted phishing attack designed to trick employees into making fraudulent payments or opening malicious attachments. These scams often target staff involved in financial, purchasing, or accounts payable processes.

A common version of this attack uses a tactic known as fabricated threading, where scammers create fake email histories to make messages appear legitimate and pre-approved.

How This Scam Works

In a fabricated threading scam, attackers attempt to create the illusion of an existing internal conversation.

The scam typically involves:

  • An external sender posing as a manager, vendor, or intermediary

  • A message that appears to be forwarded from a known UM employee or executive

  • A fake “Sent” or reply history included at the bottom of the email

  • A request to pay a “long overdue” invoice or review an attached statement

The goal is to create urgency and trust so the recipient acts without verifying the request.

Common Red Flags

Be cautious if an invoice-related email includes any of the following:

  • Inconsistent email addresses
    The quoted or “forwarded” messages may show addresses that do not match official UM domains or contain subtle misspellings.

  • Unexpected forwarded requests
    External senders claiming to follow up on internal discussions you were not part of.

  • Urgent payment language
    Phrases such as “long overdue,” “immediate settlement,” or “as soon as possible.”

  • Suspicious attachments or links
    Files labeled as “invoice,” “statement,” or “payment details” from unfamiliar vendors or senders.
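
The four red flags above can also be checked mechanically, for example when triaging reported messages. The Python below is an added example, not part of the original article or any UM tooling; `example.edu` stands in for the organisation's real mail domain, and the flag names, helper names and sample message are constructed for illustration.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

ORG_DOMAIN = "example.edu"  # assumption: stand-in for the organisation's real mail domain
URGENT = ("long overdue", "immediate settlement", "as soon as possible")
DOC_WORDS = ("invoice", "statement", "payment")
# Header-style lines pasted into the body to imitate a forwarded or replied-to message.
QUOTED_HDR = re.compile(r"^[> \t]*(?:From|Sent|To|Cc):[ \t]*(.*)$", re.I | re.M)
ADDR_DOMAIN = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def edit_distance(a, b):  # Levenshtein distance; catches near-miss spellings of ORG_DOMAIN
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[-1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def red_flags(msg):  # returns the set of red-flag names that apply to an EmailMessage
    sender = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    quoted = QUOTED_HDR.findall(body)
    domains = {d.lower() for line in quoted for d in ADDR_DOMAIN.findall(line)} | {sender}
    names = [(a.get_filename() or "").lower() for a in msg.iter_attachments()]
    checks = {
        "external_sender_with_pasted_thread": sender != ORG_DOMAIN and bool(quoted),
        "lookalike_domain": any(0 < edit_distance(d, ORG_DOMAIN) <= 2 for d in domains),
        "urgent_payment_language": any(p in body.lower() for p in URGENT),
        "invoice_like_attachment": any(w in n for n in names for w in DOC_WORDS),
    }
    return {name for name, hit in checks.items() if hit}

def constructed_message(sender, body, attachment=None):  # sample builder; all values made up
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, "ap.clerk@example.edu"
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"x", maintype="application", subtype="pdf", filename=attachment)
    return msg

SCAM = constructed_message(
    "Accounts <billing@vendor-payments.example>",
    "Please settle this long overdue invoice as soon as possible.\n\n"
    "From: Dean Smith <dean.smith@exarnple.edu>\nSent: Monday\n"
    "To: billing@vendor-payments.example\n\nApproved, please pay.\n", "Invoice_4471.pdf")
print(sorted(red_flags(SCAM)))
```

A hit on any of these is a reason to verify the request, not proof of fraud; legitimate vendors also forward threads and send invoices.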

How to Protect Yourself

  • Do not open attachments or click links in unexpected invoice emails

  • Be cautious of emails that rely on urgency or pressure

  • Remember that legitimate financial requests follow established UM processes

What You Should Do at UM

  • Verify out of band
    If an email appears to come from an executive, colleague, or department, verify the request by calling them directly or starting a new email message. Do not reply to the suspicious email.

  • Report the message
    Report suspected invoice scams using UM’s phishing reporting process. If you are unsure after reporting, contact the UM IT Helpdesk for assistance.

Prompt reporting helps prevent fraudulent payments and protects others across the university.

Additional Questions

  • For UM-related invoice or payment concerns, contact the UM IT Helpdesk and the UM Information Security Office.

  • For personal financial fraud concerns, contact your financial institution immediately.

Details

Article ID: 170176
Created: Wed 1/14/26 7:06 PM