Checking the Sender Address Before Opening Any Attachment
The display name in an invoice email might show “Company Support,” but the address behind it tells a different story. Scammers paste the name of a known company, hit send, and rely on you not checking the line after the @ symbol. That line should match the official company domain you’ve seen.
A domain using a free email service or inserting an extra word and extra letter combination that is slightly off is intentional. An invoice for a real charge comes from the domain you log into on a billing site. Scammers polish the display name, but the full address breaks the comparison against any real sender.

Looking for Generic Greetings and Urgent Wording
When the sender does not have your profile details, the greeting is generic. This feels like mass sending rather than a delivery to a known customer. A fake invoice with low detail targets less accuracy, hitting a generic greeting instead of a fully named identity. Legitimate payment reminders arrive through your account dashboard or a standard notice, not a rushed email with a single attachment.
Urgent wording about late fees, service suspension, or legal action is a strong warning sign. The pressure to open the attachment immediately is a trap designed to skip the normal verification step. Ignore the file bait and treat the email as suspicious.

Inspecting the Attachment File Type Before Downloading
When you receive an email that claims to contain an invoice, receipt, or payment confirmation, don’t rush to open the attachment right away. Take a moment to look at the file type first. Most legitimate invoices are sent as PDF files because they’re easy to open on almost any device and don’t require special software. If the attachment ends with .pdf, that’s generally what you would expect to see.
Be more cautious if the attachment uses file types such as .zip, .exe, .js, .bat, .scr, or even an unexpected .htm or .html file. These formats are unusual for invoices and can sometimes be used to deliver malicious software instead of a document. It’s also worth paying attention if the sender normally emails PDF invoices but suddenly sends a compressed archive or an executable file. That kind of change should raise questions before you download or open anything.
Another good habit is to compare the attachment with previous emails from the same company. If past invoices always arrived as a PDF with a familiar naming pattern, but this one looks completely different, don’t ignore that difference. When something feels out of place, it’s much safer to verify the email with the company directly than to assume it’s legitimate. If you cannot confirm that the attachment is genuine, delete the email or mark it as spam instead of taking the risk.

Hovering Over Links Inside the Email Before Clicking
Attachments aren’t the only thing worth checking. Many phishing emails also include links that appear to lead to an invoice, payment portal, or account page. Before clicking any of these links, see where they actually lead. On a computer, move your mouse over the link without clicking it. Most browsers or email programs will display the destination address in the status bar or in a small pop-up window. On a phone or tablet, press and hold the link for a moment to display a preview of the web address before opening it.
Take a close look at the domain name rather than focusing only on the text shown in the email. Cybercriminals often create addresses that look almost identical to legitimate websites by changing a single letter, adding extra words, or using a completely different domain extension. At first glance these addresses can seem convincing, especially when you’re reading quickly.
If the previewed address doesn’t exactly match the company’s official website, don’t open it. The safest approach is to close the email and visit the company’s website yourself by typing the address directly into your browser or using a bookmark you’ve already saved. It only takes a few extra seconds, but that simple habit can help you avoid fake login pages, malware downloads, and other common email scams.
FAQ
Question: What should I do if I already downloaded a fake invoice attachment but did not open it?
Answer: Delete the downloaded file immediately without opening it. Run a scan using your device’s security software. Your device prompts you to allow the file to make changes; decline and remove the file from your downloads folder.
Question: Can a fake invoice attachment infect my phone if I only preview it in the email app?
Answer: Yes, some file types can trigger a download or launch a script during preview. To stay safe, do not preview unknown attachments. Delete the email from your inbox and trash folder without tapping the attachment area.
Question: How can I verify a real invoice if I am unsure about the email but the company name looks correct?
Answer: Go directly to the company’s official website and log into your account. Check the billing or invoice section for any pending charges. No invoice appearing there means the email is fake and should be reported as phishing.