Invoice Fraud: How Scammers Forge Emails to Steal Payments

A supplier you have worked with for years sends an invoice. Everything looks normal — the formatting, the language, the line items, the amounts. There is one small change: the bank account details have been updated. The email explains that the company has switched banks. You process the payment. Weeks later, the real supplier calls asking why they have not been paid.

This is invoice fraud, and it is one of the most financially devastating forms of cybercrime targeting businesses today. Unlike mass spam campaigns that cast a wide net, invoice fraud is targeted, patient, and disturbingly effective. The attacker does not need sophisticated hacking tools. They need access to an email thread (or the ability to convincingly fake one) and a bank account to receive the stolen funds.

What Invoice Fraud Is

Invoice fraud is a specific type of Business Email Compromise (BEC). In a BEC attack, a criminal impersonates a trusted party — a supplier, a colleague, or an executive — to trick someone into making a payment or sharing sensitive information. Invoice fraud focuses specifically on redirecting legitimate payments by modifying banking details on real or convincingly faked invoices.

The FBI’s Internet Crime Complaint Center has consistently ranked BEC as one of the costliest forms of cybercrime. In 2023, the IC3 reported over $2.9 billion in losses from BEC attacks in the United States alone. Globally, the figure is much higher. The average loss per incident ranges from tens of thousands to millions of dollars, depending on the size of the intercepted transaction.

For a broader overview of BEC tactics beyond invoice fraud, see our article on business email compromise prevention.

How Invoice Fraud Attacks Work

Method 1: Email Account Compromise

The most sophisticated version begins with the attacker gaining access to the email account of someone in the billing chain — either at the supplier or the buyer. This usually happens through phishing: a convincing login page steals the victim’s email credentials.

Once inside the email account, the attacker reads through message history to understand the relationship, identify upcoming payments, and study the formatting and tone of communication. They may set up email forwarding rules to silently copy incoming messages to an external address, or they may create inbox rules that hide specific emails from the account owner.

When a real invoice is about to be sent (or has just been sent), the attacker intercepts it, modifies the bank account details, and forwards the altered version — either from the compromised account itself or from a spoofed address. Because the attacker has been reading the email thread, their message fits seamlessly into the conversation.

Method 2: Email Spoofing and Lookalike Domains

When the attacker cannot compromise an actual email account, they impersonate one. Common techniques include:

  • Display name spoofing: The email shows “John Smith - ABC Suppliers” as the sender name, but the actual email address is completely different. Many email clients prominently display the name and hide or truncate the address.
  • Lookalike domains: The attacker registers a domain that closely resembles the real one. For example, abc-suppIiers.com (with a capital I in place of the lowercase l) or abcsuppliers.co instead of .com. At a glance, the difference is nearly invisible.
  • Reply-to manipulation: The email appears to come from the correct address, but the Reply-To header points to the attacker’s address. When the victim replies, their message goes to the attacker instead of the real sender.

Method 3: Man-in-the-Middle Interception

In some cases, the attacker compromises the email system at a deeper level — for example, by gaining access to the mail server or DNS records of the supplier. This allows them to intercept all email between the two parties, modifying invoices in transit while keeping both sides unaware. This is rarer but extremely difficult to detect.

Real-World Impact

Invoice fraud affects organizations of every size and industry. A few illustrative examples (details anonymized):

  • A mid-sized manufacturing company received what appeared to be a routine invoice from their raw materials supplier. The bank details had changed. They paid the equivalent of $340,000 to the fraudulent account. By the time the real supplier followed up about the missing payment two weeks later, the money had been moved through several accounts and was unrecoverable.
  • A real estate law firm handling a property transaction received altered wire instructions for the closing payment. $1.2 million was sent to the wrong account. The attacker had compromised the realtor’s email weeks earlier and had been monitoring the transaction timeline.
  • A nonprofit organization received an email from what appeared to be their landlord, citing updated banking details for the monthly rent payment. Six months of rent ($78,000) went to the attacker before a routine audit caught the discrepancy.

These are not anomalies. They are everyday occurrences in businesses that have not implemented proper verification procedures.

Red Flags to Watch For

Invoice fraud works because it mimics normal business communication. But there are almost always subtle signs if you know what to look for:

  • Changed bank details. This is the single biggest red flag. Any request to update payment information — whether for a new bank, a new account number, or a switch to a different country — should trigger immediate verification through a separate channel.
  • Unusual urgency. “Please process this today” or “the payment deadline has been moved up” are pressure tactics designed to bypass your verification process.
  • Different Reply-To address. Hover over (or click to reveal) the actual email address, not just the display name. Check the Reply-To header. If the reply address differs from the sender address, that is suspicious.
  • Slightly different domain. Look carefully at the domain in the email address. Character substitutions (l/I, rn/m, 0/O) and alternative TLDs (.co instead of .com, .net instead of .com) are common tricks.
  • Changes in tone or formatting. If the email reads differently than usual — different greeting, different sign-off, different formatting, unusual grammar — it may not be from who it claims to be.
  • Requests to keep the change quiet. “Please do not discuss this with [person]” or “this is confidential for now” should set off alarm bells.
  • First-time vendor or first invoice. Extra scrutiny is warranted for any new vendor or the first payment to an existing vendor after a long gap.
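
The header-level red flags above (a Reply-To that differs from the sender, a lookalike domain, a display name that does not match the address) can be checked mechanically. The Python below is an added example, not Cleanbox's own code; the vendor table, flag names and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed vendor master data: display name -> domain already on file.
VENDORS = {"abc suppliers": "abc-suppliers.com"}

def skeleton(label):
    """Fold the swaps listed above (l/I, rn/m, 0/O) into one spelling."""
    # DNS ignores case, so a capital I is really an i: fold i and l together.
    return (label.lower().replace("rn", "m").replace("0", "o")
            .replace("i", "l"))

def lookalike_of(domain):
    """Return the on-file domain that `domain` imitates, else None."""
    domain = domain.lower()
    if domain in VENDORS.values():
        return None
    name = skeleton(domain.rsplit(".", 1)[0])   # naive: drops last label only
    for known in VENDORS.values():
        if name == skeleton(known.rsplit(".", 1)[0]):
            return known            # same name: character swap or other TLD
    return None

def triage(raw):
    """Return the header-level red flags found in one raw message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rpartition("@")[2].lower()
    flags = []
    reply = parseaddr(msg.get("Reply-To", ""))[1]
    if reply and reply.rpartition("@")[2].lower() != from_dom:
        flags.append("reply-to-mismatch")
    if lookalike_of(from_dom):
        flags.append("lookalike-domain")
    for vendor, dom in VENDORS.items():
        if vendor in display.lower() and from_dom != dom:
            flags.append("display-name-mismatch")
    return flags

# Constructed sample messages (headers only).
SAMPLES = {
    "genuine": 'From: "John Smith - ABC Suppliers" <john@abc-suppliers.com>\n\n',
    "display": 'From: "John Smith - ABC Suppliers" <js8841@mail.example>\n\n',
    "lookalike": "From: billing@abc-suppIiers.com\n\n",
    "tld": "From: billing@abc-suppliers.co\n\n",
    "reply_to": "From: john@abc-suppliers.com\n"
                "Reply-To: john@payments.example\n\n",
}
```

A flag here is a prompt to verify through a separate channel, not a verdict: some legitimate senders use a different Reply-To domain, and a message sent from a compromised real account raises none of these flags.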

How to Verify and Protect Your Business

Verify Through a Separate Channel

The single most effective defense against invoice fraud is verification through a channel that the attacker does not control. When you receive a request to change payment details:

  1. Call the supplier on a phone number you already have on file (NOT the number listed in the suspicious email).
  2. Speak to a known contact who can confirm the change.
  3. Use a different communication method — if the request came by email, verify by phone or a secure messaging platform.

This takes two minutes and can prevent losses of hundreds of thousands of dollars. Make it a mandatory policy, not a suggestion.

Implement Dual Authorization for Payments

No single person should be able to change payment details and approve a payment. Require two people to sign off on any changes to vendor banking information, and two people to approve payments above a certain threshold. This separation of duties makes it much harder for a single compromised communication to result in a fraudulent payment.

Train Your Team

Every person in your organization who handles invoices, payments, or vendor communication needs to understand invoice fraud. This is not an IT problem — it is a finance and operations problem. Training should cover:

  • How to recognize the red flags listed above
  • The verification procedure for payment detail changes
  • How to report suspicious emails (without replying to or forwarding them)
  • Real examples of invoice fraud (anonymized cases from your industry are most impactful)

Technical Defenses: Email Authentication

Email authentication protocols do not stop all invoice fraud, but they make spoofing significantly harder:

  • SPF (Sender Policy Framework) specifies which servers are authorized to send email for your domain. It prevents simple sender address forgery.
  • DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing email, allowing the recipient to verify the message has not been altered in transit.
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds on SPF and DKIM to tell receiving servers what to do with messages that fail authentication — report, quarantine, or reject them.

If your business domain does not have DMARC set to quarantine or reject, attackers can spoof your domain to send fraudulent invoices to your clients and partners. Implementing DMARC protects both you and the people you do business with. For a practical guide on protecting your company, see our article on protecting company email from phishing.
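
Whether a domain's DMARC record actually reaches quarantine or reject can be read from the TXT record published at _dmarc.<domain>. The Python below is an added example, not Cleanbox's own code: it parses record strings and lists what keeps them from enforcing. The sample records and gap labels are constructed, and fetching the record from DNS is left out so it runs offline.

```python
def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not DMARC."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # The version tag must come first, otherwise receivers ignore the record.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def enforcement_gaps(txt):
    """List why a record fails to quarantine or reject spoofed mail."""
    tags = parse_dmarc(txt)
    if tags is None:
        return ["no-dmarc-record"]
    gaps = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        gaps.append("policy-not-enforcing")      # p=none only reports
    # sp defaults to p; an explicit sp=none exempts every subdomain.
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        gaps.append("subdomains-unprotected")
    pct = tags.get("pct", "100")                 # default is all mail
    if pct.isdigit() and int(pct) < 100:
        gaps.append("partial-pct")               # policy covers only a sample
    return gaps

# Constructed sample records, weak settings beside the corrected one.
RECORDS = {
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "half_rollout": "v=DMARC1; p=reject; sp=none; pct=50",
    "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "spf_not_dmarc": "v=spf1 include:_spf.example.com ~all",
}

if __name__ == "__main__":
    for label, record in RECORDS.items():
        print(label, enforcement_gaps(record))
```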

Cleanbox and Invoice Fraud Detection

Cleanbox’s spam detection and email authentication features add a layer of protection against invoice fraud. Incoming email is checked against SPF, DKIM, and DMARC records, and messages that fail authentication are flagged. This means a spoofed email pretending to come from a supplier’s domain will be identified if the supplier has proper email authentication in place. Combined with display-name analysis that detects mismatches between the sender name and the actual address, this catches many of the common spoofing techniques used in invoice fraud before they reach your inbox.

What to Do If You Have Been a Victim

  1. Contact your bank immediately. If the payment was made by wire transfer, there is sometimes a narrow window (24 to 72 hours) during which the receiving bank can freeze the funds. Speed is critical.
  2. File a report with law enforcement. In the US, file with the FBI’s IC3 at ic3.gov. In the EU, contact your national cybercrime unit. Also file a local police report.
  3. Notify the real supplier. They may not know their email was compromised. They need to secure their accounts and warn other clients.
  4. Preserve all evidence. Do not delete the fraudulent emails. Save them with full headers. Document the timeline: when the email was received, when the payment was made, when the fraud was discovered.
  5. Review your email security. If the attacker compromised an email account, investigate how. Change passwords, enable 2FA, check for forwarding rules and unauthorized access, and audit which emails the attacker may have read.
  6. Consider cyber insurance. If you do not have it, this may be the event that justifies the investment. Many cyber insurance policies cover BEC losses.

Prevention Comes Down to Process

Invoice fraud is not primarily a technology problem. It is a process problem. The most sophisticated email security in the world will not help if someone in your accounting department changes bank details based on an email without picking up the phone to verify.

The technical defenses matter — email authentication, spam filtering, and display name verification all raise the bar for attackers. But the last line of defense is always a human being who has been trained to pause, question, and verify before sending money. Build that into your payment processes, drill it regularly, and treat any request to change payment details as suspicious until proven otherwise.

The two-minute phone call to verify a bank account change is the cheapest security investment your business will ever make.
