Tier · dangerous
Verdict

Confirmed scam — delete it

This email uses a fake QuickBooks dispute notification to trick you into clicking a malicious link.

Subject·URGENT: Invoice Dispute Review Needed
Body-only scan — sender identity and infrastructure checks are unavailable.Re-scan with sender
At a glance
AI · 95% phishingInvoice Scam4 red flags
Risk score
100
/ 100
malicious
AI analyst

MalwareTips analyst · message material

invoice_scam

This email uses a fake QuickBooks dispute notification to trick you into clicking a malicious link.

Phishing likelihood95%
Spam likelihood5%
Red flags identified
  • The Reply-To address points to a random personal domain instead of an official Intuit or QuickBooks support address.
  • The message uses high-pressure tactics regarding a large financial dispute and restricted funds to provoke an immediate reaction.
  • The sender display name is formatted incorrectly and the infrastructure lacks standard authentication results like SPF or DKIM.
  • The footer contains a Gmail address and a mobile phone number which are inconsistent with professional corporate support communications.
What to do

Do not click any links or buttons in this email. Forward the message to security@intuit.com and then delete it from your inbox.

Why this verdict

Every scoring adjustment, in dominance order. Shows exactly how we got from 100 to the final trust number.

Why this verdict

1000

The scorer starts every address at 100 trust and applies each signal below in turn. Negative deltas are penalties (red), positive deltas are bonuses (emerald). Final clamped trust: 0.

  • The pasted address doesn't parse as a valid RFC-5322 email address.
    syntax_invalid
    -100
Unlock more checks

Paste the sender to unlock identity + infrastructure analysis

This scan analysed the message body only. Adding the sender address, a Gmail Name <a@b.com> line, or full headers unlocks:

  • Display-name impersonation
    Spot mismatched names like "PayPal Support" on a random Gmail.
  • SPF · DKIM · DMARC
    See whether the sending server is authorised to use that domain.
  • Domain age + registrar
    Brand-new domains are one of the strongest phish signals.
  • Breach exposure
    How many known data breaches this specific address appears in.
  • MX + DNSBL reputation
    Whether the domain can even receive mail and if it's on any blocklists.
Add sender and re-scan

Your previous paste won't be sent — you'll start a fresh scan with both fields.

MalwareTips never stores the raw address. Every input is SHA-256 hashed before persistence — the URL above IS that hash. We keep the local part, domain, and display name separately so the report can render them; the original raw input is dropped after the scan. If you received this email and are worried, do not click any links and do not reply — verify the sender through a known-good channel.