Security researchers at Malwarebytes have intercepted a large-scale phishing operation while it was still being assembled, discovering incomplete email templates with placeholder fields where phone numbers and prices would normally appear. The campaign uses fake payment invoices impersonating trusted brands including PayPal, Amazon, and Geek Squad to frighten recipients into calling scammer-operated phone numbers. Some templates were found with literal placeholder text like #TFN# (toll-free number) and #PRICE# still visible, indicating the attackers were caught between preparation and full deployment.
The scam relies on psychological manipulation rather than technical exploits, which allows many messages to bypass spam filters since they contain no malicious links or attachments. Recipients receive emails claiming charges between $349 and $598 for subscriptions or purchases they never made, with urgent instructions to call a provided number to cancel or dispute the transaction. The emails create artificial time pressure with phrases like "call within 12 hours" or "cancel before it renews" to prevent victims from independently verifying the claims through legitimate channels.
Once victims call the provided numbers, scammers employ several tactics to extract money or access. They may request remote access software installation under the pretense of fixing the charge, ask for banking details to process a refund, or claim they accidentally refunded too much and demand the difference be returned via gift cards or wire transfer. The phone conversation itself is the actual attack vector, with the email serving only as bait to initiate contact.
The campaign targets users of widely recognized services where subscription renewals and payment notifications are common, making the fake invoices appear plausible. Malwarebytes identified several domains used in the operation including invoicepdfin[.]xyz, invoicepdfus[.]xyz, and invoicestatement[.]xyz, along with callback numbers 804-392-2793 and 801-640-8589. The amounts chosen are large enough to cause concern but remain within believable ranges for legitimate online transactions.
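Because these messages carry no link or attachment, filtering has to key on the text itself. The sketch below is an added example, not Malwarebytes' detection logic: it scores a message on the traits described above (leftover template placeholders, impersonated brand, charge amount, urgency wording, a callback number with no URL, and the indicators listed in this article). The weights, the $100 amount threshold, the regexes and the three sample messages are assumptions constructed for illustration.

```python
import re

# Indicators quoted in this article (domains kept defanged, refanged at match time).
IOC_DOMAINS = [d.replace("[.]", ".") for d in
               ("invoicepdfin[.]xyz", "invoicepdfus[.]xyz", "invoicestatement[.]xyz")]
IOC_PHONES = {"8043922793", "8016408589"}
BRANDS = ("paypal", "amazon", "geek squad")

PLACEHOLDER = re.compile(r"#[A-Z][A-Z_]+#")  # unfilled template fields such as #TFN#
PHONE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
AMOUNT = re.compile(r"\$\s?(\d{2,4})(?:\.\d{2})?")
URGENCY = re.compile(r"call\s+(?:us\s+)?within\s+\d+\s+hours?|cancel\s+before\s+it\s+renews", re.I)
URL = re.compile(r"https?://", re.I)

# Assumed weights: known indicators dominate, soft traits only add up together.
WEIGHTS = {"ioc_domain": 5, "ioc_phone": 5, "placeholder": 3, "brand": 1,
           "amount": 1, "urgency": 2, "phone_only": 2}

def score_invoice_email(sender: str, body: str) -> dict:
    """Return the matched signals and a total score for one message."""
    text = body.lower()
    # Normalise every phone-like string to its last ten digits before comparing.
    phones = {re.sub(r"\D", "", p)[-10:] for p in PHONE.findall(body)}
    signals = {
        "ioc_domain": any(d in sender.lower() or d in text for d in IOC_DOMAINS),
        "ioc_phone": bool(phones & IOC_PHONES),
        "placeholder": bool(PLACEHOLDER.search(body)),
        "brand": any(b in text for b in BRANDS),
        "amount": any(int(a) >= 100 for a in AMOUNT.findall(body)),  # assumed threshold
        "urgency": bool(URGENCY.search(body)),
        # Callback lure: a number to call (or its unfilled placeholder) and no link.
        "phone_only": bool(phones or "#TFN#" in body) and not URL.search(body),
    }
    hits = sorted(k for k, hit in signals.items() if hit)
    return {"score": sum(WEIGHTS[k] for k in hits), "signals": hits}

# Constructed sample messages as (sender, body); not taken from the campaign.
TEMPLATE = ("billing@example.com",
            "Your Geek Squad plan renews today for #PRICE#. Call within 12 hours to cancel: #TFN#")
LIVE = ("PayPal <service@invoicepdfus.xyz>",
        "PayPal invoice: you were charged $598.00. Cancel before it renews, call (804) 392-2793.")
BENIGN = ("receipts@example.com",
          "Thanks for your order. Total $24.99. View it at https://example.com/orders")

if __name__ == "__main__":
    for name, msg in (("template", TEMPLATE), ("live", LIVE), ("benign", BENIGN)):
        print(name, score_invoice_email(*msg))
```

A score like this is best used to route messages for review or to add a warning banner, since a genuine receipt can also name a brand and an amount.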
Users who receive suspicious invoices should never call numbers provided in unsolicited emails and should instead verify any charges by logging directly into their accounts through official websites or calling numbers from the back of their payment cards. Those who already engaged with scammers should immediately run security scans, check bank accounts for unauthorized transactions, change critical passwords, and enable multi-factor authentication. The FTC recommends reporting suspected phishing attempts to reportfraud.ftc.gov and forwarding suspicious emails to the abuse departments of impersonated companies.
Source: https://www.malwarebytes.com/blog/threat-intel/2026/06/infostealers-are-becoming-the-go-to-phishing-payload


