The ‘Invoice’ Trap: How New Extortion Tactics Are Targeting Corporate Data

A chilling report by Google sheds light on how cyber criminals are using simple, invoice-themed lures to hold major firms to ransom.

The digital landscape is currently witnessing a sophisticated shift in corporate extortion. A recent report from Google’s cybersecurity teams, Mandiant and the Google Threat Intelligence Group, reveals that a prolific threat group known as UNC3753—also identified as "Luna Moth" or "Silent Ransom Group"—is actively targeting professional, legal, and financial services across the United States. Unlike the high-tech, multi-layered breaches we often fear, these attackers are relying on a painfully simple yet effective psychological play: the invoice-themed email.

The Art of the Deception

The campaign begins with a sense of mundane familiarity. Attackers send emails that appear harmless, often coming from consumer email accounts. These messages typically contain no malicious attachments or suspicious links. Instead, they lead with vague, conversational lures such as, "hello, here is the invoice we talked about yesterday." By avoiding traditional malicious software, these emails frequently bypass standard security filters, landing directly in the inbox of an unsuspecting employee.

Once a victim engages, the group uses voice phishing and social engineering to gain remote access to the corporate environment. The objective is singular: data theft. Once inside, the group either hunts for proprietary information themselves or manipulates the employee into handing over access, effectively turning the victim into a pawn in their own company's compromise.

A Calculated Extortion Strategy

The aftermath of the breach is where the threat group’s business model becomes clear. Victims are sent a high-pressure extortion email—a sample of which has been shared by Google to alert the industry—threatening to leak sensitive client data. The message often carries a chilling subject line, such as "[Victim Name] has lost confidential data of their clients. Very Important!" and grants the firm a mere three-day deadline to negotiate a ransom.

The threat group claims to be an "elite" organization, even boasting about their own dedicated platforms where they post stolen data to prove their reach. By documenting their history and connections, they aim to build credibility as a business that "delivers," making the victim feel that compliance is the only way to safeguard their firm’s reputation and survival.

Why it matters

This trend signals a broader, worrying evolution in the digital economy. As companies move toward increasingly tech-driven operations, the human element remains the most vulnerable point of failure. When an attacker can bypass firewalls simply by exploiting basic office communication habits, it exposes a massive gap in corporate training. This is no longer just about IT teams patching software; it is about recognizing the "new normal" where even a mundane email can lead to a multi-million dollar catastrophe. For businesses, the lesson is clear: the most dangerous threat to your data might not be a complex virus, but a conversation that seems entirely routine.