Payment Confirmation Spam Emails

In the early 2010s, scammers developed a new spam email strategy. Cybercriminals started sending phishing emails claiming to be payment confirmations for services that the targets never ordered. The emails are intended to lure targets into attempting to cancel the service either by clicking on a phishing link or opening an attachment.

This kind of attack is called payment confirmation email scam, and it continues to be a real issue for online safety. Even if most users apply good defenses, the attack is spammed to so many targets that the attackers only need a small percentage to fall for it. Worse yet, the recipients of the spam emails are not the only victims: The businesses that these attackers impersonate also suffer from the loss of trust that the attacks create.

When someone reads that they have been charged for something – especially if it is unfamiliar – they are prone to panic. Scammers prey on the desperation that this kind of phishing attempt inspires in the recipient. That is why these attacks work: Increased anxiety may inhibit your better judgment. 

How effectively do scammers employ their manipulation tactics? According to the IC3’s Annual Crime Report, over $44 million USD was lost to phishing scams in 2021 alone (source).

Of course, the cybersecurity community has developed remediations and preventative measures in the years since this attack burst onto the scene. 

In this article, we present the accrued wisdom about recognizing payment confirmation email scam and defending against it. We provide instructions for individuals to notice red flags and show how businesses can help mitigate impersonation so that their reputations are less likely to be abused to attack their customers.

How to identify order confirmation email spam

Below are some quick tips for flagging scams and discerning legitimate payment confirmations from malicious scams.

Red flag	How it works
Charge not recorded in bank account	Check with the bank: Did you order something by accident, or is someone actually making fraudulent charges against your account?
Odd attachment file extensions	The most popular of these scams often send fake PDFs that are really HTML files with the extension .pdf.html.
Unofficial domain name	The email wants you to click a link to a domain other than the service’s official domain, or the email originates from a domain that looks different than the service’s normal one.
Sketchy content	Spelling mistakes or inconsistent formatting should make you question an email’s legitimacy.
Attachment protected with your account password	Often, the attack will include a file that asks for your account password before opening.

Understanding payment confirmation email spam

Let’s break down what’s actually happening when these scammers try to get into your wallet. Think of it like a digital version of the “you owe money” phone scam—but instead of a pushy caller, you get an email claiming you just spent a bunch of money on something you’ve never heard of.

These attacks work because they trigger an immediate emotional response. When you see a charge for $499 for a “Premium Streaming Subscription” you never signed up for, your heart rate probably jumps a bit. And that’s exactly what the scammers want.

Here’s what typically happens:

1. You get an email about a fake charge, usually from a well-known company like Norton, Amazon, or Netflix. The amount is usually significant enough to worry about ($200-$500) but not so high it seems completely unbelievable.
2. The email creates urgency with phrases like “Your card has been charged” or “Payment processed” – making you want to act fast before the charge goes through.
3. They offer an easy way to “cancel” or “dispute” the charge – usually through a link or by opening an attachment. This is where the trap is set.
4. If you click that link or open that attachment, you might end up:
   • On a fake login page that steals your credentials
   • Downloading malware onto your device
   • Getting redirected to a form asking for your credit card info to “verify” your identity

What makes these attacks particularly effective is their timing. Scammers often send these emails during business hours when you’re busy and more likely to act quickly without thinking things through. They also tend to impersonate trusted brands that you might actually have accounts with, making the deception more believable.

And here’s an interesting twist: sometimes these scammers flip the script and send emails saying you’ve received money instead of being charged. They’re betting that the excitement of unexpected cash will make you less cautious about clicking that link or downloading that attachment.

To gain a more concrete understanding of this, let’s look at some of these attacks as they have occurred in the real world.

Real-world fake order confirmations

On September 10, 2021, the University of Minnesota announced that its students and faculty were receiving a barrage of fake payment receipt spam emails.

 

Here, we see a fairly unsophisticated version of this attack. The email claims to come from Norton, a well-known anti-malware program, yet the visible origin of the email is a Gmail address. In response, the university’s advisory gives great advice:

• • Do not reply, click the link(s), call the phone number, or log in (if you do click the link).

• • Report it as spam to Google.

• • Forward the notice to phishing@umn.edu.

• • Check your bank statement to confirm whether the charges are real or not. 

• • For more information, please see: How to Manage Spam Emails

We’ll explore these defenses and others shortly. For now, we can look at a similar attack that also affected a college, this time the University of Vermont. 

 

This attack takes the trickiness up a notch compared to the previous example in three ways:

1. 1. It forges a legitimate-seeming business domain (rather than using a Gmail address).

1. 1. It uses graphics and formatting to appear more professional and thus trustworthy.

1. 1. It links to a phishing document controlled by the attackers.

This attack also changes the approach by making the recipient believe they have received money, lowering their defenses by manipulating hope instead of fear.

Countless other variations of this attack have been documented online, but these two examples should give a general picture of the kinds of tactics typically employed. 

How to prevent fake order confirmation spam

Awareness is important, but what really matters is prevention. Let’s look at some ways that you can prevent, or at least mitigate, the threat of payment confirmation email scam.

1. DMARC and BIMI

DMARC is a protocol that powers authentication in email to make it harder for attackers to forge the visible From: address of an email. You should protect all your domains with DMARC and also enable DMARC on incoming mail so you can tell when From: addresses are forged. You can learn more about DMARC with our guide: A step-by-step guide to getting DMARC done right.

Brand Indicators for Message Identification (BIMI) allows a brand owner to capitalize on the work they’ve done to protect their domain with DMARC by choosing a logo to display next to their emails. A logo makes your email stand out in the recipient’s inbox and gives them confidence that it’s mail that they want. Tools like Valimail Amplify even make BIMI readiness quick and easy.

2. General anti-phishing best practices

Although payment confirmation spam has its own quirks, the best defenses against most kinds of phishing also apply to this attack:

• • Look for sloppy content and basic mistakes in spelling, grammar, and language.

• • Make sure the email originates from an official domain.

• • Enforce email security best practices.

• • Conduct internal phishing campaigns to find weak spots and educate workers.

• • Never interact with suspicious content (e.g., by opening links or downloading attachments).

• • Implement security in layers so that even if an attack occurs, your organization still has some protection.

• • Mandate multi-factor authentication and the use of password managers whenever possible.

Sophisticated phishing can be hard to beat, but with basic security hygiene and general phishing awareness, you can be a lot safer.

What if I suspect a fake email attack?

If you receive a confirmation email for an order that you suspect may be a phishing attempt, the first step is to determine if the order is real. If it is not, you will want to tip off the relevant team in your organization. Follow this simple process for handling suspected payment confirmation email scam.

• • Determine if the payment might be real (either the result of fraud or an accident):
    • • Consult your financial institution to verify that the charge isn’t real.
    • • You may also want to let your bank know to reject the charge if it does come through.

• • Once you’ve confirmed that the email is spam, flag it;
    • • Report it to your mail client, if possible.
    • • Forward it to your organization’s security leadership.
    • • Do not respond to the email itself, click on links, or open attachments.

These attacks often aim for strategic targets throughout an organization, so you can help defend your entire organization by increasing awareness quickly.

How to stay safe from payment scam emails

Let’s wrap up what really matters when it comes to spotting and stopping these payment scams. Instead of just throwing a list of tips at you, here’s what you actually need to know and do:

• Keep your scam detector sharp: Before you click anything in a payment email, ask yourself: Does the sender’s address look right? Are there weird spelling mistakes? Is it pushing you to act RIGHT NOW? If something feels off, it probably is.
• Lock down your domain with DMARC and BIMI: DMARC stops scammers from pretending to be you, while BIMI puts your logo right in your customers’ inboxes so they know it’s really you.
• Don’t keep threats to yourself: If you spot a sketchy payment email, don’t just delete it and move on. Let your security team know about it. What looks like one random scam email might actually be part of a larger attack targeting your company. Plus, your report could help protect your coworkers from falling for the same trap.
• Build better security habits: We get it—remembering different passwords for every account is about as fun as doing your taxes. But using a password manager and turning on multi-factor authentication wherever you can makes a huge difference.

Whether you’re looking to protect your company’s domain or just want to check if your email security is up to snuff, start by checking your domain’s DMARC status. It’s free, takes about 30 seconds, and could save you from becoming the next target.