New phishing campaign mimics vendors to breach finance workflows

A stealthy phishing campaign is actively targeting finance teams using fake purchase orders and voicemails — and it’s doing more than just tricking inboxes. This is part of a growing wave of evasive cyber threats designed to bypass traditional finance controls and deliver hidden malware that can take over systems undetected.

The attacks exploit vendor trust and approval workflows, using malware loaders like UpCrypter to install software that gives criminals full access to company systems — often without anyone realizing.

First detected in August 2025, the campaign spans sectors including manufacturing, technology, healthcare, construction, retail, and hospitality. Targeted organizations are located in multiple countries, including Canada, Egypt, India, and Austria.

How attackers hijack finance workflows

The phishing emails imitate everyday business communications — like a vendor sending a purchase order or voicemail. When clicked, they lead to a fake landing page that looks like your company’s website, complete with logos and branding to build false trust.

These sites prompt users to download a file. If opened, the file runs silently in the background and installs malware without triggering standard security alerts. In some cases, the malware is hidden inside what looks like a harmless image or document.

Once installed, this software gives attackers long-term access — letting them observe activity, capture login details, and even intercept or redirect vendor payments.

Why finance teams are in the firing line

This campaign doesn’t target IT systems or customer data — it targets finance workflows. That includes vendor onboarding, invoice approvals, and payment processing. The attackers rely on your team trusting the communication and acting quickly, without confirming details independently.

Even cautious teams can be caught off guard if the right verification steps aren’t in place. And because the emails and websites look legitimate, many existing controls won’t flag the threat.

The financial and reputational damage from a payment diversion — or prolonged system access — can be severe.

What finance leaders should do now

To stay ahead of phishing-led fraud, finance teams should:

  • Verify vendor contact details using independent sources — never trust what’s in an email or invoice
  • Use outbound phone calls to confirm payment changes, especially bank details
  • Avoid opening unknown ZIP files or attachments, even if they appear to come from a known vendor
  • Treat all vendor change requests as high risk, and ensure dual approval or manual checks
  • Educate teams on what phishing emails look like today, especially those tied to vendor activity
  • Monitor for unusual system behavior, such as unexpected login activity or payment re-routes
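The dual-approval and outbound-call checks above can be enforced before a payment run rather than left to memory. The following Python is an added example, not code from the article or from Eftsure: it holds any payment to a vendor whose bank details changed recently unless that change was confirmed by a call-back and approved by two different people. The record layout, field names and sample data are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from the article): vendor master-data changes and outgoing payments.
VENDOR_CHANGES = [
    {"vendor": "Acme Supplies", "field": "bank_account", "changed_at": "2025-08-20T09:12:00",
     "confirmed_via": "email_reply", "approvers": ["j.smith"]},
    {"vendor": "Northwind Parts", "field": "bank_account", "changed_at": "2025-08-15T10:00:00",
     "confirmed_via": "phone_callback", "approvers": ["a.lee", "r.kumar"]},
    {"vendor": "Globex Ltd", "field": "contact_email", "changed_at": "2025-08-21T11:00:00",
     "confirmed_via": "email_reply", "approvers": ["j.smith"]},
]
PAYMENTS = [
    {"id": "P-1001", "vendor": "Acme Supplies", "amount": 48200.00, "paid_at": "2025-08-22T14:30:00"},
    {"id": "P-1002", "vendor": "Northwind Parts", "amount": 9100.00, "paid_at": "2025-08-22T15:00:00"},
    {"id": "P-1003", "vendor": "Globex Ltd", "amount": 1200.00, "paid_at": "2025-08-23T08:00:00"},
]

RECENT_DAYS = 30  # how long after a bank-detail change a payment is treated as high risk


def flag_payments(payments, changes, recent_days=RECENT_DAYS):
    """Return {payment_id: [reasons]} for payments to hold pending manual review.

    A payment is held when the vendor's bank details changed within `recent_days`
    before it and that change was not both confirmed by an outbound call and
    approved by two different people. Non-bank changes (e.g. contact email) and
    changes older than the window do not trigger a hold.
    """
    held = {}
    for p in payments:
        paid = datetime.fromisoformat(p["paid_at"])
        reasons = []
        for c in changes:
            if c["vendor"] != p["vendor"] or c["field"] != "bank_account":
                continue
            age = paid - datetime.fromisoformat(c["changed_at"])
            if not timedelta(0) <= age <= timedelta(days=recent_days):
                continue
            if c["confirmed_via"] != "phone_callback":
                reasons.append("bank change not confirmed by outbound call")
            if len(set(c["approvers"])) < 2:
                reasons.append("bank change lacks dual approval")
        if reasons:
            held[p["id"]] = reasons
    return held


if __name__ == "__main__":
    for pid, why in flag_payments(PAYMENTS, VENDOR_CHANGES).items():
        print(pid, "HOLD:", "; ".join(why))
```

Only P-1001 is held: its bank change came in by email reply and was approved by a single person, whereas Northwind's change was call-back confirmed with two approvers and Globex only changed a contact email.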

Eftsure helps finance teams avoid these risks

This campaign is just one example of how cybercriminals are exploiting gaps in traditional finance processes. Eftsure helps protect against these risks by verifying vendor details, flagging suspicious payment activity, and ensuring only the right parties get paid.

Finance leaders across Australia and the US trust Eftsure to strengthen their controls without adding friction to workflows.

Book a demo to see how Eftsure protects your payment processes from phishing-led fraud.

Author: Catherine Chipeta

Published: 26 Aug 2025

Reading Time: 3 minutes