Ever wondered how those corporate invoice scams work, where companies are tricked into paying bullshit invoices for services they've never purchased? Well, I just received one of those, so let's look at it!
The e-mail purports to be from a supplier, more specifically a contractor; it has all the right business speak that a contractor might actually use when trying to gently remind you of an unpaid invoice.
The "end of fiscal year" adds further pressure; it sets a deadline for the payment of the invoice, and crucially makes that deadline something that is imposed by a third party; that way, the scammer discourages attempts to argue about the payment term and makes faster payments happen.
Perhaps you *do* reply, though, to inquire about the line items, despite your "colleague"s approval - the e-mail will go to an e-mail that's *wrong*, but not obviously so!
A lot of companies legitimately use Sendcloud for their internal e-mail affairs, and so it going through a Sendcloud address is a credible thing. This domain, sendcloud-management.com, is probably not actually owned by Sendcloud, but it will *appear* to be to a hurried accounting employee trying to keep a supplier happy!
I receive these kinds of e-mails because a shitty 'adtech' company erroneously added me to their "business leads" list at some point, despite that not being a business address at all.
But most of the recipients on that list are going to be actual businesses, and I bet that at least some of them will have been caught out by this, and will be paying the "invoice" without further thought.
This is how you scam a company.
This is an excellently-written attempt. First of all, the headers. The subject line is crucial here - "Overdue since January" puts on the pressure, trying to make the reader panic, believing that they've somehow overlooked an invoice for months. This makes it likely for them to overlook small things that aren't quite right.
The sender, for example; it's worth noting that the person named here, Kris Marszalek, *does not exist*. It's a randomly generated name! This takes advantage of the fact that in most companies, most departments have *no idea* who actually works there, and will just assume "oh, that must be the new hire".
The e-mail address for both the From and Reply-To headers may be wrong, but the name (which in some e-mail clients is the only thing that shows!) explicitly includes "via cryto.net" (my domain), making it look like it came from someone inside of the "company".
This is important for the scam; having it be forwarded by someone internal, or at least appearing that way, serves as an implicit 'approval'; it will lead the reader to assume that "oh, someone else already checked this and concluded it's legit".