Web Envy is an email scam that started back in 2021 and is making a resurgence early in 2024. This scam sends invoices to small businesses from a fake company called Web Envy Solutions. The invoices are for small amounts, typically exactly $98.57, and claim to be for SEO/Link Building.
The invoices look legitimate and include the customer’s name, account number, and domain. They arrive as a PDF email attachment or, in some cases, by fax, a delivery channel that is not typical for cybersecurity threats.
The Web Envy website looks legitimate, but the phone number listed on the invoice forwards to a recording saying the number is no longer in service. The invoice has been known to be sent to different contacts within the same organization to try to elicit a response.
In this scam, the threat actor is attempting to fly under the radar with a legitimate-looking invoice for a common service for a small amount of money.
Tips to keep in mind when reviewing a potentially threatening invoice
- Scammers often create a sense of urgency. Often, when someone receives an invoice or bill, they want to pay it and get it taken care of to avoid any negative repercussions. This is something scammers know and try to exploit. They create a sense of urgency in their communications to pressure you into acting before you take the time to look through the details or do any research.
- Scammers often pretend to be from a trusted organization. Pretending to be from a trusted organization is another way to get individuals to act without much resistance. Common examples are Amazon, Medicaid, and others. In the Web Envy scam, there is a legitimate-looking website behind the scam.
- Scammers tell you to pay a specific way. Telling you to pay a specific way is another common tactic for scammers. Getting you to pay in a way that cannot be undone and cannot be traced is preferable for them.
Tips for Avoiding a Scam
- Don’t act immediately. Take a moment to look through the invoice for details that could alert you to fraud. Return addresses, web addresses, phone numbers, and the like should be investigated. In this instance, it is also a good idea to talk to someone internally or forward the invoice to your technology team so they can confirm any work with Web Envy.
- Do not provide personal or financial information in response to a request you did not expect. If you are not expecting to hear from Web Envy, or you receive any other unexpected request for personal or financial data, always verify the sender’s authenticity first. Reach out to GadellNet when in doubt, and our experts can do some research to determine legitimacy. Avoid calling phone numbers on email signatures, as they may point to the threat actor.
- Do not pay through wire transfer, cryptocurrency, payment app, or gift card. Any legitimate organization with a legitimate invoice will have typical payment options available for you. You should expect check, credit card, and online portal options. In particular, you should never be asked to pay via cryptocurrency or gift card.
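The indicators described above can be turned into a first-pass triage check on text extracted from an incoming invoice. This is an added example, not part of the original article; the approved-vendor list, the function name, and the sample invoice text are constructed assumptions.

```python
import re

# Assumption: vendors your organization actually does business with (constructed list).
APPROVED_VENDORS = {"acme hosting llc", "northwind office supply"}

# Indicators taken from the article's description of the Web Envy invoices.
KNOWN_SCAM_VENDOR = re.compile(r"web\s*envy", re.I)
KNOWN_SCAM_AMOUNT = "98.57"
SERVICE_TERMS = re.compile(r"\bSEO\b|link\s+building", re.I)
# Payment methods the article says a legitimate invoice should not demand.
RISKY_PAYMENT = re.compile(r"wire transfer|crypto(currency)?|gift card|payment app", re.I)
AMOUNT = re.compile(r"\$\s?(\d{1,3}(?:,\d{3})*\.\d{2})")

# Constructed sample inputs (not real invoices).
SAMPLE_SCAM = """Web Envy Solutions
Invoice for: SEO / Link Building
Account: 000000  Domain: example.com
Amount due: $98.57
"""
SAMPLE_OK = """Acme Hosting LLC
Invoice for: annual hosting
Amount due: $1,200.00  Pay by check or credit card via the customer portal
"""


def triage_invoice(text, vendor_name):
    """Return the reasons to hold an invoice for manual verification."""
    reasons = []
    if vendor_name.strip().lower() not in APPROVED_VENDORS:
        reasons.append("vendor not on approved list")
    if KNOWN_SCAM_VENDOR.search(vendor_name) or KNOWN_SCAM_VENDOR.search(text):
        reasons.append("matches reported Web Envy invoice scam")
    # Normalize "$1,200.00" to "1200.00" before comparing amounts.
    amounts = {a.replace(",", "") for a in AMOUNT.findall(text)}
    if KNOWN_SCAM_AMOUNT in amounts and SERVICE_TERMS.search(text):
        reasons.append("$98.57 charge for SEO/link building")
    if RISKY_PAYMENT.search(text):
        reasons.append("requests an irreversible payment method")
    return reasons


if __name__ == "__main__":
    print(triage_invoice(SAMPLE_SCAM, "Web Envy Solutions"))
    print(triage_invoice(SAMPLE_OK, "Acme Hosting LLC"))
```

An empty result only means none of these specific indicators fired; an unexpected invoice still goes through the verification steps listed above.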