Invoice Fraud: How to Prevent Fake Invoices Being Paid
Invoice fraud is usually not “clever hacking”; it is social engineering.
Fraudsters exploit routine processes (invoice approval, supplier changes, month-end pressure) to get money paid into a bank account they control.
Common attack patterns
Fake invoice / impersonation: A fraudster poses as a real supplier and sends an invoice that looks legitimate.
Bank detail change scam (invoice & mandate fraud): The fraudster emails a “new bank account” request, often with a plausible story (audit, new finance system, merger), so that genuine invoices are paid to the fraudster’s account.
Lookalike domain / reply-chain attack: The sender’s domain differs from the real one by a single character, or the fraudster inserts themselves into an existing email thread so the request appears to continue a genuine conversation.
Internal pressure: The request lands at month-end, during holidays, or when key approvers are away.
Red flags to train people to spot
A “supplier” asks for an urgent payment or bank change.
Email domain is slightly different (e.g., .co vs .com, or one letter swapped or transposed), or the display name shows a familiar name while the underlying address belongs to somewhere else.
Invoice details differ from prior invoices (bank, address, VAT number, contact person).
Payment is requested to a new account or a personal account.
“Please don’t call — I’m in a meeting” / “Use this new number” messages.
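The lookalike-domain and display-name red flags above can be checked automatically before an email reaches the payments team. The following is an added example, not code from the original page: it screens a single “From:” header against a small allow-list of supplier domains. The supplier domains, the sample headers and the edit-distance threshold of one character are all constructed assumptions for the demo.

```python
# Added example (not from the original page): screen a "From:" header against
# known supplier domains for the red flags above. The supplier domains and
# sample headers are constructed for this demo; thresholds are assumptions.
import re
from email.utils import parseaddr

# Assumed supplier allow-list; in practice this comes from supplier master data.
KNOWN_SUPPLIER_DOMAINS = ("acme-building.com", "northwind.co.uk")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: one insertion, deletion or substitution = 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def squash(s: str) -> str:
    """Lower-case and strip everything but letters/digits for loose name matching."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def check_sender(header: str, known=KNOWN_SUPPLIER_DOMAINS) -> list[str]:
    """Return a list of red flags for one From: header (empty list = no flag)."""
    name, addr = parseaddr(header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if not domain:
        return ["unparseable_address"]
    if domain in known:
        return []  # exact match with a supplier we already know
    flags = []
    for k in known:
        if domain.split(".")[0] == k.split(".")[0]:
            flags.append(f"tld_swap:{k}")          # acme-building.co vs .com
        elif edit_distance(domain, k) <= 1:
            flags.append(f"lookalike:{k}")         # acme-bui1ding.com
    if any(ord(c) > 127 for c in domain):
        flags.append("non_ascii_domain")           # possible homoglyph
    for k in known:
        # Display name advertises a known supplier, but the address is elsewhere
        if squash(k.split(".")[0]) in squash(name):
            flags.append(f"display_name_mismatch:{k}")
    return flags


if __name__ == "__main__":
    samples = [  # constructed headers for the demo
        "Jane Doe <jane@acme-building.com>",
        "Jane Doe <jane@acme-building.co>",
        "Jane Doe <jane@acme-bui1ding.com>",
        "Acme Building Accounts <acme.building.accounts@gmail.com>",
        "Jane Doe <jane@\u0430cme-building.com>",  # Cyrillic 'а' in the domain
    ]
    for h in samples:
        print(f"{h!r}: {check_sender(h) or 'OK'}")
```

Any flagged header should route the invoice to the call-back procedure rather than be rejected outright: a genuine supplier may have changed domains, and the check is there to force a phone call, not to decide on its own.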
Controls that prevent most losses (practical + proportionate)
Supplier master-data governance
Only authorised staff can create/amend suppliers.
Changes require independent approval (not the same person who inputs the change).
Mandatory call-back for bank changes
Call a known, verified contact number already held in your records (never a number taken from the email, its signature, or the invoice that is being questioned).
Document who called, when, and what was confirmed.
Invoice matching / evidence checks
Use purchase order / goods received note (PO/GRN) matching where proportionate; otherwise require evidence that the service was delivered before the invoice is approved.
Verify VAT numbers and company details where relevant.
Payment run safeguards
Two-person approval for payments above a threshold.
A “new supplier / new bank” review list before release.
Monitoring
Alerts for duplicate invoices, unusual amounts, new payees, and out-of-pattern bank changes.
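The alerts in the Monitoring section can be generated from the invoice ledger itself. The following is an added example, not code from the original page: it screens a batch of invoices awaiting release against the history of paid invoices and holds any that are duplicates, come from a new payee, ask for a different bank account than the one on file, or are far above the supplier’s usual amount. The supplier names, invoice numbers, account references and the “three times the median” threshold are constructed assumptions for the demo.

```python
# Added example (not from the original page): screen a payment run against paid
# invoice history for the alerts listed above. All invoices, supplier names and
# account references below are constructed placeholders; the 3x amount threshold
# is an assumption to tune against your own data.
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Invoice:
    supplier: str
    number: str
    amount: float
    bank_account: str  # account the invoice asks to be paid into
    date: str          # ISO date, used to find the latest account on file


# Constructed history of invoices already paid (supplier master data + ledger).
HISTORY = [
    Invoice("Acme Building", "INV-1001", 4200.00, "ACCT-AAAA-1111", "2024-01-15"),
    Invoice("Acme Building", "INV-1002", 3900.00, "ACCT-AAAA-1111", "2024-02-14"),
    Invoice("Acme Building", "INV-1003", 4500.00, "ACCT-AAAA-1111", "2024-03-15"),
    Invoice("Northwind Ltd", "NW-77", 1200.00, "ACCT-BBBB-2222", "2024-03-01"),
]

# Constructed batch awaiting release in the current payment run.
NEW_BATCH = [
    Invoice("Acme Building", "INV-1004", 4300.00, "ACCT-AAAA-1111", "2024-04-15"),
    Invoice("Acme Building", "INV-1003", 4500.00, "ACCT-AAAA-1111", "2024-04-15"),
    Invoice("Acme Building", "INV-1005", 18000.00, "ACCT-ZZZZ-9999", "2024-04-14"),
    Invoice("Brightpath Services", "BP-1", 2500.00, "ACCT-CCCC-3333", "2024-04-16"),
]


def screen_payment_run(history, batch, amount_factor=3.0):
    """Return [(invoice number, [reasons])] for every invoice that needs review."""
    seen_numbers = {(inv.supplier, inv.number) for inv in history}
    last_account = {}
    past_amounts = defaultdict(list)
    for inv in sorted(history, key=lambda i: i.date):
        last_account[inv.supplier] = inv.bank_account  # latest paid account wins
        past_amounts[inv.supplier].append(inv.amount)

    alerts = []
    for inv in batch:
        reasons = []
        key = (inv.supplier, inv.number)
        if key in seen_numbers:
            reasons.append("duplicate_invoice_number")
        seen_numbers.add(key)  # also catches two copies inside this batch
        if inv.supplier not in last_account:
            reasons.append("new_payee")  # first ever payment: call-back + test payment
        elif inv.bank_account != last_account[inv.supplier]:
            reasons.append("bank_account_changed")  # the mandate-fraud signature
        supplier_history = past_amounts.get(inv.supplier)
        if supplier_history and inv.amount > amount_factor * median(supplier_history):
            reasons.append("unusual_amount")
        if reasons:
            alerts.append((inv.number, reasons))
    return alerts


if __name__ == "__main__":
    for number, reasons in screen_payment_run(HISTORY, NEW_BATCH):
        print(f"HOLD {number}: {', '.join(reasons)}")
```

The point of comparing against the last account actually paid, rather than the account currently in the supplier master record, is that a fraudulent master-data change is exactly what the control is trying to catch; a bank change that was genuinely verified by call-back can then be released with that call logged as the evidence.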
Case studies (what they illustrate)
Corcoran’s company: A fraudster impersonated an executive assistant using a lookalike email address and persuaded the bookkeeper to pay a “legitimate-looking” renovation invoice — around $388k was transferred to the scammer’s bank account.
London Borough scheme: Insiders created fictitious suppliers and approved payments for work that never happened — fake invoices were processed as if they were genuine until the fraud was uncovered.
Shared services fax example: A mandate-change request (sent by fax) led to supplier bank details being altered, so an agreed payment went to a fraudulent account; the issue was only spotted when the real contractor chased payment.
Construction supplier behaviour: After a duplicate payment error, the supplier exploited the weak challenge and control processes by submitting exaggerated and non-genuine invoices; the organisation later struggled to recover its losses when the supplier went bankrupt.
Simple “first-time payment” rule (high impact)
For a first payment to a new bank account (or after a bank detail change), consider sending a small test payment and confirming receipt by phone with a contact verified from your own records before releasing the full amount.