
Invoice & Payment Fraud

High Threat Level

Fake invoices or payment redirect requests from compromised or impersonated vendor accounts

$45K
Average loss per invoice fraud incident
$2.7B
Annual losses to invoice fraud globally
15%
Recovery rate for invoice fraud losses

What is Invoice & Payment Fraud?

Invoice and payment fraud is a form of business email compromise (BEC) in which attackers either take over a legitimate vendor's email account or build a convincing impersonation of one, then send fake invoices or request changes to payment details. The accounts payable team pays the attacker's account instead of the real vendor, and the real vendor still expects to be paid.

This attack is particularly effective because fake invoices look legitimate, reference real projects or purchase orders, and come from email addresses that appear to be from known vendors.

Common Invoice Fraud Variations

1. Payment Redirect

"This is [Vendor Name]. Please update our banking information for all future payments. New ACH details attached."

2. Fake Invoice

Completely fabricated invoice for services never rendered, often referencing real PO numbers or projects.

3. Compromised Vendor Account

Attacker compromises the real vendor's mailbox and sends an invoice with modified payment details from the genuine account. Because the mail really originates from the vendor's domain, SPF, DKIM and DMARC all pass, and the thread often continues an existing, legitimate conversation.

4. W-9 Update Scam

"Our company name/EIN has changed. Please process payments using this updated W-9 form."

Real-World Example

Toyota Boshoku Corporation - $37 Million Loss (2019)

In August 2019, Toyota Boshoku's European subsidiary wired about ¥4 billion (roughly $37 million) to an attacker-controlled account after an employee acted on email instructions, apparently from a business partner, to change the wire transfer destination. A representative lure of this type (illustrative, not the actual message):

From: [Partner Company] Accounts Receivable

Subject: Updated Wire Transfer Instructions - Urgent

"Due to our bank merger, all wire transfers must now be sent to our new account. Please update your records immediately and use these instructions for the pending $37M payment..."

Detection Red Flags

  • Any request to change payment information (always verify by phone using a number already on file, never one supplied in the email)
  • Invoices for services you didn't order or projects not in your system
  • Slight email address differences (vendor@company.co vs vendor@company.com); a lookalike domain passes SPF/DKIM/DMARC because the attacker controls it
  • Urgent payment requests or unusual payment methods
  • Bank account location doesn't match vendor's headquarters
  • Different contact person than usual for financial matters
  • Round numbers instead of specific amounts with cents
  • Generic invoice templates instead of vendor's usual format
  • Request to bypass normal approval processes
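The red flags above can be checked mechanically before an invoice or payment-change request reaches an approver. The following is an added example (not HeaderScope code): it scores an inbound invoice against a verified vendor master record. The vendor record, the two invoices, the `.example` domains and the thresholds are all constructed for illustration.

```python
"""Score an inbound invoice against the approved-vendor master record.

Added example, not HeaderScope's own code. VendorRecord/Invoice are an
assumed schema; the data below is constructed, not a real vendor or case.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


@dataclass
class VendorRecord:
    """Verified master data for an approved vendor (assumed schema)."""
    name: str
    email_domain: str        # domain the vendor has always sent from
    bank_account: str        # account verified by call-back, stored masked
    bank_country: str        # ISO country of that account
    contacts: frozenset      # known accounts-receivable contacts
    open_pos: frozenset      # purchase orders we issued to this vendor


@dataclass
class Invoice:
    """Fields extracted from an inbound invoice or payment-change request."""
    sender_email: str
    contact_name: str
    po_number: Optional[str]
    amount: Decimal
    bank_account: str
    bank_country: str
    urgent: bool = False
    bypass_request: bool = False


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1 or 2 between domains usually means a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def red_flags(inv: Invoice, vendor: VendorRecord) -> list[str]:
    """Return the red flags an invoice triggers; an empty list is clean."""
    flags = []
    sender = domain_of(inv.sender_email)
    if sender != vendor.email_domain:
        if edit_distance(sender, vendor.email_domain) <= 2:
            flags.append(f"lookalike sender domain {sender} (expected {vendor.email_domain})")
        else:
            flags.append(f"sender domain {sender} is not registered for this vendor")
    if inv.bank_account != vendor.bank_account:
        flags.append("bank account differs from verified account on file")
    if inv.bank_country != vendor.bank_country:
        flags.append(f"bank in {inv.bank_country}, vendor account on file is in {vendor.bank_country}")
    if inv.po_number is None or inv.po_number not in vendor.open_pos:
        flags.append("no matching open purchase order")
    if inv.contact_name not in vendor.contacts:
        flags.append(f"unfamiliar contact {inv.contact_name!r}")
    if inv.amount == inv.amount.to_integral_value() and inv.amount >= 1000:
        flags.append("round amount with no cents")
    if inv.urgent:
        flags.append("urgency pressure")
    if inv.bypass_request:
        flags.append("asks to bypass normal approval")
    return flags


def decision(flags: list[str]) -> str:
    """HOLD forces a phone call-back; REVIEW routes to a second approver."""
    if any("domain" in f or "bank" in f for f in flags):
        return "HOLD"
    if len(flags) >= 2:
        return "REVIEW"
    return "PAY"


# Constructed vendor master record (hypothetical vendor, reserved .example domain).
ACME = VendorRecord(
    name="Acme Corp",
    email_domain="acme-corp.example",
    bank_account="****4821",
    bank_country="US",
    contacts=frozenset({"Dana Ruiz"}),
    open_pos=frozenset({"PO-10492", "PO-10511"}),
)

# Constructed invoices: one legitimate, one a payment-redirect attempt
# from a lookalike domain (the "o" in corp replaced by a zero).
LEGIT = Invoice("dana.ruiz@acme-corp.example", "Dana Ruiz", "PO-10492",
                Decimal("12437.55"), "****4821", "US")
FRAUD = Invoice("dana.ruiz@acme-c0rp.example", "Dana Ruiz", "PO-10492",
                Decimal("45000.00"), "****9073", "HK",
                urgent=True, bypass_request=True)

if __name__ == "__main__":
    for label, inv in (("legit", LEGIT), ("fraud", FRAUD)):
        flags = red_flags(inv, ACME)
        print(label, decision(flags), flags)
```

Any domain or bank-detail mismatch is a hard stop regardless of how plausible the rest of the invoice looks; the softer signals (urgency, round amounts, an unfamiliar contact) only escalate to a second approver on their own. The lookalike detection here is a plain edit-distance check; a production version would also catch homoglyphs and TLD swaps.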

Prevention Strategies

1. Vendor Payment Verification Process

  • ALWAYS verify payment changes by phone using a contact number already on file (never one in the email or on the invoice)
  • Require written confirmation on company letterhead
  • Verify with multiple contacts at vendor company
  • Flag first-time vendor payments for additional review
  • Implement dual approval for payment information changes

2. Invoice Verification

  • Match invoices to purchase orders in system
  • Verify invoice numbering sequences match vendor patterns
  • Check that services/goods were actually received
  • Confirm amounts with department that ordered services
  • Question invoices that bypass normal ordering process

3. Approved Vendor Database

  • Maintain list of approved vendors with verified bank information
  • Require management approval to add new vendors
  • Flag any deviations from approved vendor payment details
  • Periodic re-verification of vendor payment information

4. Email Security Controls

  • Enable external email warnings
  • Publish SPF, DKIM and DMARC for your own domains and enforce DMARC evaluation on inbound mail; note that a lookalike domain the attacker registered and a genuinely compromised vendor mailbox both pass these checks, so authentication results never replace a phone call-back for payment changes
  • Train staff to verify sender email addresses carefully
  • Use HeaderScope to analyze suspicious vendor emails
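The header checks a tool like HeaderScope performs on a vendor email can be reproduced from the `Authentication-Results` header your own mail server adds (RFC 8601). The following added example is not HeaderScope's code: it parses that header with the standard library, compares the authenticated domains with the From domain, and flags a Reply-To that steers replies elsewhere. Both messages are constructed for illustration, using reserved `.example` domains; the second one models a compromised vendor mailbox and deliberately produces no findings.

```python
"""Check the authentication and routing headers of a vendor email.

Added example, not HeaderScope's own code. Both messages below are
constructed; the domains are reserved .example names.
"""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from typing import Optional

# Constructed lure sent through an unrelated mail provider: the From header
# claims the vendor's domain, DMARC for that domain fails, and replies are
# steered to a domain the attacker controls.
SUSPICIOUS = b"""From: "Acme Corp Accounts Receivable" <ar@acme-corp.example>
Reply-To: ar-billing@acme-corp-payments.example
To: ap@yourcompany.example
Subject: Updated Wire Transfer Instructions - Urgent
Authentication-Results: mx.yourcompany.example;
 spf=pass smtp.mailfrom=bulkmailer.example;
 dkim=pass header.d=bulkmailer.example;
 dmarc=fail header.from=acme-corp.example

Due to our bank merger, please send all future payments to our new account.
"""

# Constructed message from a genuinely compromised vendor mailbox. Every
# check passes, which is exactly why a phone call-back is still required.
COMPROMISED_BUT_AUTHENTIC = b"""From: "Dana Ruiz" <dana.ruiz@acme-corp.example>
To: ap@yourcompany.example
Subject: Updated banking details
Authentication-Results: mx.yourcompany.example;
 spf=pass smtp.mailfrom=acme-corp.example;
 dkim=pass header.d=acme-corp.example;
 dmarc=pass header.from=acme-corp.example

Please update our bank account for the pending invoice.
"""


def domain_of(header_value) -> Optional[str]:
    """Domain part of the first address in a header, or None if absent."""
    if not header_value:
        return None
    _, addr = parseaddr(str(header_value))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def parse_auth_results(value: str) -> dict:
    """Extract method results and the domains each one applies to from an
    Authentication-Results value; tolerant of folding whitespace."""
    out = {}
    for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", value):
        out[m.group(1)] = m.group(2).lower()
    for key, pattern in (("spf_domain", r"smtp\.mailfrom=([\w.-]+)"),
                         ("dkim_domain", r"header\.d=([\w.-]+)"),
                         ("dmarc_domain", r"header\.from=([\w.-]+)")):
        m = re.search(pattern, value)
        out[key] = m.group(1).lower() if m else None
    return out


def analyze(raw: bytes) -> list[str]:
    """Return findings that should stop a payment change until verified by phone."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_dom = domain_of(msg.get("From"))
    findings = []
    ar = msg.get("Authentication-Results")
    if ar is None:
        findings.append("no Authentication-Results header: our MX did not evaluate this mail")
    else:
        res = parse_auth_results(str(ar))
        if res.get("dmarc") != "pass":
            findings.append(f"DMARC {res.get('dmarc', 'missing')} for {from_dom}: "
                            "the From domain is not vouched for")
        if res.get("dkim") == "pass" and res.get("dkim_domain") != from_dom:
            findings.append(f"DKIM signed by {res['dkim_domain']}, not by From domain {from_dom}")
        if res.get("spf") == "pass" and res.get("spf_domain") != from_dom:
            findings.append(f"SPF passed for envelope domain {res['spf_domain']}, "
                            f"which differs from From domain {from_dom}")
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To goes to {reply_dom}, not to {from_dom}")
    return findings


if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("compromised", COMPROMISED_BUT_AUTHENTIC)):
        print(name, analyze(raw) or ["no header findings: still verify payment changes by phone"])
```

Only trust an `Authentication-Results` header written by your own receiving server (the authserv-id after the first semicolon); attackers can add a forged one upstream, so inbound gateways should strip any copy they did not generate. The empty result for the second message is the important caveat: passing SPF, DKIM and DMARC proves the mail came from the vendor's domain, not that the vendor's account is still under the vendor's control.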

If You Sent Payment to Fraudsters

  1. Contact your bank immediately - request a wire recall or ACH reversal; speed matters because funds are typically moved out of the receiving account within hours
  2. Contact the receiving bank - request a freeze on the fraudulent account
  3. File an FBI IC3 report as soon as possible, ideally within 72 hours - for international wires the FBI's Financial Fraud Kill Chain process can attempt to recover the funds
  4. Notify real vendor - they may be compromised and need to secure their systems
  5. Preserve all evidence - emails, invoices, payment records
  6. Review processes - identify how fraud succeeded and close gaps
  7. Alert other vendors - warn them of ongoing fraud attempts

Verify Vendor Emails with HeaderScope

Before processing any payment information change or unusual invoice, use HeaderScope to check the email's SPF, DKIM and DMARC results, the signing and envelope domains, and any Reply-To that differs from the From address. Failing or misaligned results are strong evidence of impersonation; passing results only show the mail came from the vendor's domain, so still confirm the change by phone with a known contact.

Analyze Email Headers →