{
	"id": "7e47cc49-088b-4ac4-a9e6-0700b0d73c85",
	"created_at": "2026-04-06T00:09:43.180989Z",
	"updated_at": "2026-04-10T03:20:59.182248Z",
	"deleted_at": null,
	"sha1_hash": "131e00c0575ca34c19c82ec86f3a2c254ae8d906",
	"title": "PEC “invoice scam” - Stealing time, money, and trust from businesses",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 134245,
	"plain_text": "PEC “invoice scam” - Stealing time, money, and trust from\r\nbusinesses\r\nArchived: 2026-04-05 12:47:08 UTC\r\nIntroduction\r\nA brief introduction to PEC\r\nThe service enables senders to prove that an email has been sent and received from one PEC mailbox to another\r\nPEC mailbox, in a court of law. It is often used to send important documents to public administration, citizens, and\r\nprivate companies. Because the emails are legally binding, it means the recipient cannot reject the mail - or claim\r\nto have not received it.\r\nPEC is a trusted service, isn’t it?\r\nAccording to official AgID data, in 2022 there were approximately 15 million active PEC email boxes in Italy, and\r\nmore than 2.5 billion messages were exchanged - making it a highly valued, effective and trusted tool. Inspired by\r\nits success, the European Commission is pushing for adoption of REM (Registered Electronic Email) across the\r\nEU - an initiative intended to standardize and address the lack of interoperability among digital certified email\r\nservices within the EU. At face value, this absolutely makes sense.\r\nHowever, malicious actors are already using PEC to send emails, leveraging its features to target everyday people.\r\nWith an interconnected “European PEC” that expands throughout Europe, criminals will have an infinitely greater\r\nopportunity to exploit certified email.\r\nHow can businesses protect their PEC mailbox?\r\nConsidering the potential scope of the so-called “European PEC”, the pool of potential victims is set to grow\r\nexponentially. So, how can business owners protect their mailboxes? Here’s a quick five-step checklist to help\r\nminimize your risk:\r\nConfigure your mailbox to accept messages only from other PEC mailboxes. While this won't prevent the\r\ncase we'll be discussing, it will help reduce spam.\r\nUse a strong, unique password and enable two-factor authentication (where possible).\r\nAvoid sharing your login details…with anyone.\r\nAlways check the \"from\" address of emails received.\r\nDon't click suspicious links, hover over them, instead. If they don’t make sense, that’s an immediate red\r\nflag.\r\nBefore taking any action, always verify the email with the sender.\r\nHaving learned the basics of how to protect your business from PEC email abuse, let's take a closer look at the\r\nscam.\r\nhttps://www.spamhaus.org/resource-hub/cybercrime/pec-invoice-scam/\r\nPage 1 of 4\n\nThe PEC “invoice scam”\r\nAs a self-confessed petrol head I’ve been following the YouTube channel, “GASI Garage,” for years. Ready for\r\nmy latest installment of fumes and burnt rubber, I was shocked to hear Gabriele, talking about PEC, spam and\r\nscams ….apparently your job never leaves you alone!\r\nIn short, someone’s PEC credentials had been stolen, and used to send malspam to hundreds of other PEC\r\naddresses, including that of Gabriele. Here’s the email he received:\r\nGood morning GASI Automobiles, We’d like to inform you that, based on the contract you signed on 25/11, you\r\nmust pay me 142 eur. However, that amount has not yet been paid despite numerous solicitation emails. If you\r\ndon’t pay in 5 days, I’ll be obliged to contact my attorney for further legal actions. This is a formal warning and\r\nstops any prescription. You can download the Invoice by clicking the link “Invoice” (underlined!) Best Regards,\r\nHere we have a typical, \"you need to pay this invoice - download here\" email, where \"here\" is a link to some sort\r\nof malware or phish.\r\nBecause PEC is a legally binding email, Gabriele couldn’t simply ignore it, especially - as he admitted - he isn’t\r\ntech-savvy. As a result, this triggered a chain of verifications, including:\r\nDetermining if and where he had spent the money\r\nReviewing his incoming invoices\r\nAsking his accountant to check his invoices\r\nContacting the certified sender (since it couldn’t be faked) for clarification\r\nThis wasted a considerable amount of time and hundreds of euros on Gabriele's side alone. When he finally\r\nreached the owner of the PEC email address, he was the 100th person to contact him. This suggests that countless\r\nothers likely spent valuable working hours conducting the same checks. Additionally, the PEC sender had to\r\nrepeatedly explain to everyone that the issue wasn’t directly his fault, further adding to the wasted time and\r\naggravation. In the end, it collectively cost thousands of Euros and hours.\r\nhttps://www.spamhaus.org/resource-hub/cybercrime/pec-invoice-scam/\r\nPage 2 of 4\n\nNot the same campaign, again?\r\nYes, that’s right! While I was working out at the gym, the owner approached me with a suspicious email, knowing\r\nmy line of work. At first glance, I couldn’t believe it, it was the exact same email campaign - only this time with a\r\nfresh malware sample ready for analysis!\r\nWhat do we know about the malware?\r\nSpamhaus Malware Labs determined that the malicious link in the email triggers the download of a VBScript file,\r\nwhich results in the download of MintsLoader malware. This malware acts as a dropper, facilitating the delivery\r\nand installation of additional malware, such as credential stealers, RATs, or other malicious payloads. The likely\r\noutcome? Passwords will be exfiltrated and potentially exploited for malicious activities.\r\nAnd, what happened to the victims?\r\nLuckily, there were no severe repercussions for the two victims highlighted here. They were savvy enough to\r\ndetect the threat and take appropriate actions to verify. However, in the life of a mechanic, a gym owner, or any\r\nother business, wasted time means wasted money. Spam and malicious emails aren’t just technical issues, they\r\nhave real-life consequences.\r\nPEC mailbox providers: are they taking any action?\r\nThe PEC regulations typically allow for viruses and malware to be rejected, but not all forms of unsolicited\r\nmessages (spam) can be outright rejected. Unfortunately, providers handling PEC mailboxes tend to apply\r\nminimal security measures, like scanning attachments for viruses, the use of stricter measures (e.g., using real-time blocklists or spam filters) risk legal complications.\r\nEven moving PEC emails to the spam folder is rare, as explained by a court case where a misplaced email ended\r\nup in the spam folder. In this case, the court ruled the recipient was responsible for checking the spam folder.\r\nBecause of situations like this, operators have little incentive to provide anything above the minimum security for\r\nPEC mailboxes. As a result, business owners like Gabriele are more likely to receive spam, scams, and other\r\nmalicious emails into their trusted PEC mailboxes.\r\nhttps://www.spamhaus.org/resource-hub/cybercrime/pec-invoice-scam/\r\nPage 3 of 4\n\nIf you receive a suspicious email, please follow the advice in this blog, report it to your PEC provider, and share it\r\nwith Spamhaus’ Threat Intel community portal to help protect others.\r\nHelp and recommended content\r\nSee below for helpful articles and recommended content\r\nSource: https://www.spamhaus.org/resource-hub/cybercrime/pec-invoice-scam/\r\nhttps://www.spamhaus.org/resource-hub/cybercrime/pec-invoice-scam/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.spamhaus.org/resource-hub/cybercrime/pec-invoice-scam/"
	],
	"report_names": [
		"pec-invoice-scam"
	],
	"threat_actors": [],
	"ts_created_at": 1775434183,
	"ts_updated_at": 1775791259,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/131e00c0575ca34c19c82ec86f3a2c254ae8d906.pdf",
		"text": "https://archive.orkl.eu/131e00c0575ca34c19c82ec86f3a2c254ae8d906.txt",
		"img": "https://archive.orkl.eu/131e00c0575ca34c19c82ec86f3a2c254ae8d906.jpg"
	}
}