What is invoice fraud?
Invoice fraud is a type of phishing where attackers impersonate legitimate suppliers or vendors to trick organizations into paying fake invoices.
These fraudulent invoices often appear authentic, using stolen or fake information such as business logos, invoice formats, or email addresses.
Key invoice fraud statistics
On average, organizations are receiving an incidence of invoice fraud every month.
Approximately 71% of organizations reported being victims of payments fraud, with invoice fraud being a significant contributor.
Around 44.8% of all fraudulent payments are due to invoice and mandate scams.
Nearly 30% of companies reported an uptick in payments fraud in recent years, with digital payment systems and phishing attacks increasingly used to facilitate fraudulent invoices.
How do fake invoice scams work?
Invoice scams usually come in the form of service provider impersonations.
Attackers often pretend to be a service providers because a lot of people use them.
The malicious actor might hide their domain behind spoofing and if everything looks as it should, typing out your Office365 credentials might not seem too harmful.
Invoice phishing cannot be avoided by merely not making payments to dubious bank account numbers when told to.
Legitimate seeming messages often lead to legitimate services, such as PayPal and QuickBooks...
But the sum is not directed to the actual provider.
Real invoice fraud cases
Toyota Boshoku Corporation (2019)
Toyota Boshoku Corporation, a subsidiary of Toyota Group fell victim to an invoice fraud attack when fraudsters impersonated a business partner and tricked the company into redirecting a large payment to a fraudulent bank account.
Losses totalled approximately $37 million.
Scoular Company (2022)
Scoular Company, a leading agricultural marketing company, experienced an attack in which fraudsters used spear phishing emails to compromise an employee’s email account.
They then sent fake invoices to the accounts payable department, requesting payment to fraudulent bank accounts.
The company lost approximately $17 million before the scam was detected. This incident demonstrates the necessity of multi-factor authentication and rigorous email security measures
Pathé Netherlands (2021)
Pathé Netherlands, a subsidiary of the French cinema chain, was successfully scammed by fraudsters impersonating senior executives from the parent company.
Using email spoofing, the fraudsters sent fake invoices and urgent payment requests to the finance department.
The scheme resulted in a loss of €19 million (around $22 million).
Common types of invoice fraud to look out for
Business email compromise (BEC)
This is when email accounts of legitimate suppliers are hacked or spoofed.
These accounts can then be used to send fraudulent invoices or payment requests to the accounts payable department.
The email addresses used are usually very similar to legitimate ones, making them difficult to detect.
Modification of real invoices
In this type of fraud, cybercriminals intercept legitimate invoices, usually via email.
They'll then modify the payment details, such as bank account numbers, before forwarding the altered invoices to the target company.
Overpayment scams
Attackers might send an invoice that appears to overcharge for goods or services.
When the target business pays the inflated invoice, the fraudster contacts the business claiming that there was a mistake and requests a refund for the overpaid amount.
The refund is then directed to a fraudulent account, while the original payment has already been processed.
Service renewal scams
These scams involve sending fake invoices for service renewals, such as subscriptions, maintenance contracts, or software licenses.
The fraudsters rely on the fact that businesses often have multiple subscriptions and might not scrutinize every renewal invoice closely.
They hope that the company will pay the invoice without verifying its authenticity.
Refund and rebate scams
Some fake invoices come with a refund or rebate offer, enticing the target to provide bank details for the supposed refund.
Once the fraudsters have the bank details, they can use them for unauthorized withdrawals or further scams.
Beware of document sharing and service impersonation
Making use of real document sharing and e-signing services, such as Adobe or PandaDoc here, is very popular in phishing.
The email comes from a legitimate service and link-clicking is required to see what the invoice is about.
This makes discerning its relevance more difficult and it takes the recipient further down the rabbit hole.
The payload of the above Standard Notes impersonation below is actually vishing - they want you to call them.
This means you'll interact with them more, which means you'll trust them more, which means you're more likely to pay up.
It includes similar signs of phishing as the Norton impersonation topped with some more detail, but also some bad English.
The scammers claim payment details were already received to give incentive to call the (very emphasized) phone number so that you, the unsuspecting person, will start the scam call yourself.
Invoice phishes frequently lead to a credential harvesting.
Making sure the site asking for login information is legitimate is essential, as is not typing credentials into opened attachments.
What are the red flags for invoice fraud?
Incorrect Vendor Information
- Discrepancies in vendor name, address, or contact details.
- Slight variations in spelling or format.
Unfamiliar vendors
- Invoices from unknown vendors.
- Vendors with no record of business transactions.
Duplicate invoices
- Multiple invoices for the same goods or services.
- Duplicate invoice numbers, amounts, or dates.
Urgent or high-pressure language
- Demanding immediate payment.
- Creating a sense of urgency to bypass verification.
Unusual invoice amounts
- Significantly higher or lower than expected amounts.
- Deviations from previous invoices from the same vendor.
Poor quality or unprofessional appearance
- Poor formatting and low-quality logos.
- Inconsistent fonts and misaligned text.
Unusual billing patterns
- Sudden increases in invoice frequency or amount.
- Unexpected changes in billing behavior.
Lack of detailed descriptions
- Vague or overly general item descriptions.
- Missing clear, itemized breakdowns of goods or services.
How to identify fake invoices: 9 simple steps
1. Stop and think before taking action
Do not throw your precious pennies into a phish pond...
The first thing to do when receiving an invoice is to stop and think.
Hey, I'm a pretty smart person. Do I use this service?
As with any email, ask yourself whether or not you actually expected the email?
As simple as it sounds, this is an important self-protection tool against cybercrime.
You'd be amazed at how many people just pay an invoice when they see it in their inbox.
2. Verify the the invoice with the vendor
So, you've deduced that you do not use a service you've received an invoice from.
It is therefore quite probable you are dealing with a phishing attempt.
One thing you can do in this situation is let the (genuine) service provider's customer support team know that a scam is being sent out and they're using their name.
Never forward the actual email to them, though, as forwarding spreads both the danger and the damage even if you've successfully detected a fake invoice scam.
When you send out a scammer's email to another person, regardless of intent, you're literally doing their work for them and making their job easier.
But what if you do use the service?
Well, the same rules apply...
Use contact information from your existing records to confirm the invoice details with the vendor.
Avoid using the contact information provided on the invoice, as it could be fraudulent.
3. Examine invoice formatting and quality
To check for invoice fraud, carefully examine the formatting and quality of invoices for inconsistencies and errors.
- Verify details: Cross-check vendor and payment information against verified records.
- Check formatting: Look for design inconsistencies, poor-quality logos, or unprofessional formatting.
- Scrutinize amounts and patterns: Be cautious of unusual payment requests or irregular invoice numbering.
- Match with documentation: Ensure invoices align with purchase orders and delivery records.
4. Cross-check invoice details against purchases
If you receive an invoice you think may be fake, try matching the invoice details with the corresponding purchase orders.
Each invoice should clearly reference a purchase order number, and the items listed on the invoice should match those ordered.
Check that the quantities, descriptions, and prices on the invoice are identical to those on the purchase order.
You can also confirm that the goods or services listed on the invoice have been delivered.
Compare the invoice against delivery receipts or service completion records.
Ensure that the delivery dates, quantities, and item descriptions match the records.
5. Review payment information
A common tactic in invoice fraud is changing bank account details to redirect payments to a fraudulent account.
So, always verify that the bank account details on the invoice match those previously used for the vendor.
Look for subtle differences, such as changes in account numbers or bank names.
If there are any changes in payment instructions, such as a new bank account number or payment method, confirm these changes directly with the vendor through a trusted communication channel, such as a known phone number or a verified email address.
Fraudsters often request urgent payments to new accounts to bypass standard verification processes.
Reviewing payment information thoroughly can help prevent funds from being diverted to fraudulent accounts.
Always be cautious of any changes and ensure they are legitimate before processing payments.
6. Identifying duplicates
Duplicate invoices can be a sign of fraud...
Which is why you need to implement a system to search for and identify duplicate invoices.
This can involve manually checking or using automated software to scan for duplicate invoice numbers, dates, amounts, and vendor names.
Ensure that the invoice number is unique and follows the vendor's usual numbering pattern.
Fraudsters might send duplicate or altered invoices hoping that one will slip through the cracks and get paid twice.
By keeping a record of all received invoices and payments, you can quickly spot duplicates.
7. Keep an eye out for urgent and unusual requests
Be cautious of invoices that demand immediate payment or use urgent language.
Legitimate organizations are very unlikely to send you unsolicited, urgent requests for payment.
Attackers often rely on urgency to get around standard verification processes.
If an invoice is marked as urgent, take extra steps to verify its authenticity before processing the payment.
You should also look out for requests for payment to a different account or for payment methods that your company does not typically use.
Scrutinizing urgent and unusual payment requests helps ensure that invoices are legitimate and that your company is not falling victim to fraud.
Always verify and never rush payments without proper checks.
8. Analyze billing patterns
If you're suspicious of an invoice, compare it to previous invoices from the same vendor to identify any unusual patterns, such as a sudden increase in invoice frequency or amount.
Reviewing historical billing data can help detect anomalies that may indicate fraudulent activity.
You can also double check the invoiced amounts and items against past transactions.
If there is a significant deviation from the norm, such as unusually high charges or unfamiliar items, it warrants further investigation.
9. Conduct internal reviews
When it comes to implementing a process for detecting fake invoices, ensure that invoices, especially high-value ones, go through multiple levels of approval before payment.
You may also want to consider conducting regular audits of the accounts payable process to identify and address any vulnerabilities.
Invoice fraud detection checklist
- Did you expect this?
- Evaluate whether you recognize the service or vendor, such as a legitimate company or a real supplier.
- Unsuspecting employees should avoid opening invoices that don't align with recent purchases or core business activities.
- Directly contact your co-worker or the sender for clarification—never forward suspicious emails.
- Does it seem too urgent?
- Scammers often create a sense of urgency, pressuring you to make electronic payments or resolve payment fraud immediately.
- Watch out for rushed payment mechanics or suspicious email subjects designed to bypass manual processes and internal controls.
- Look out for unusual payment amounts:
- High-value invoices or unusually low amounts (as seen in parcel phishing scams) can indicate fictitious invoices.
- Discrepancies between purchase orders and invoices or unexpected changes in vendor information accuracy are red flags.
- Check the sender and links:
- Ensure the email comes from a real email address or a trusted vendor, not a fake email address or phantom vendor.
- Verify if the links lead to accurate vendor bank details or an approved vendor master file.
- Reconfirm the vendor's contact info and company details before proceeding with payments.
- Be careful with attachments:
- Suspicious emails often include malware-laden attachments disguised as invoice images or usage records.
- Never open files without first confirming the authenticity of the invoice and its origin, especially in manual invoice processing.
Breakdown of real fake invoices
To give you an idea of what a phishing invoice looks like in the wild, let’s dive into a real invoice to get a better idea.
Below is one from Norton. We see variations on this particular one all the time (it's actually one of the most common ones out there).
There's a reason these are so popular and have been prevalent for a good while...
Norton software is widely used, making the company a convenient impersonation target.
At a glance, the invoice seems real. But if you take a closer look, you'll spot some red flags for invoice fraud:
- The invoice is pretty short notice, electronic invoices tend to be sent well in advance of the due dates.
- The recipient is addressed as “Customer”, not by their actual name.
- The chances of having such a simple invoice number (here it's "1001") are low, and the product name and pricing do not quite match what can be found on the company website.
Let's look at another example...
Here are warning signs that give this landing page away:
- “Print or save” buttons lead to a QuickBooks page, where the invoice can be paid.
- The site itself is legitimate, and as the invoice was sent through their service, it also comes from their email address. This means it might get past spam filters.
- The landing page contains a glaring anomaly: merchant details.
- The merchant email - to whom payment will be sent - has nothing to do with Norton. Even if Norton did use QuickBooks for billing, they would not use completely unrelated domain (a few days old one at that) to do so.
We've doctored the above screenshot here so that we don't give the scammer any undue credit.
Preventive measures for protecting against invoice fraud
Strong internal controls
To prevent invoice fraud, you may need to establish internal controls if you haven't already.
This just means setting up procedures for invoice approval and payment.
Separating duties among employees ensures that no single person has control over all aspects of a financial transaction.
This segregation of duties might mean one person responsible for approving invoices and another for making payments.
Implementing dual authorization for high-value transactions may also be a measure worth considering if you want an extra layer of security.
As we touched on briefly above, maintaining detailed records of all financial transactions, will allow you to regularly review and identify any anomalies or irregularities.
Regular reconciliation of accounts payable records with bank statements can also ensure that all payments are legitimate and correctly accounted for.
Use invoice verification software
If your organization pays for lots of services, invoice verification software can help automate the process of verifying and cross-checking invoice details with purchase orders and delivery receipts.
These tools use AI and machine learning to detect anomalies and patterns indicative of fraud.
You can also integrate invoice verification software with your existing accounting systems to make sure all invoices are automatically checked against relevant data before approval.
Establish clear reporting channels
Creating a clear and straightforward process for reporting suspicious invoices is essential in preventing fraud.
Employees should know exactly how and where to report any concerns promptly.
Clear reporting channels ensure that any potential fraud is investigated quickly.
Once you have a reporting channels in place, the next step is to set up protocols for responding to reports of suspicious invoices - how do you intend to verify and escalate reports?
Use secure payment methods
Avoid making payments based on email instructions without verification.
Instead, use secure payment portals that require multi-factor authentication (MFA) to confirm transactions.
Regularly updating and securing these systems can prevent unauthorized access and ensure that only legitimate payments are processed.
It may also be worth having strict protocols for changing payment details to prevent fraudsters from diverting funds.
Invest in quality training
No matter what tools and tech you may have in place, your employees represent the biggest security risk.
According to a study by IBM, human error was a major contributing factor in 95% of all data breaches.
Unfortunately, your typical security training will mostly focus on raising awareness and compliance box-ticking.
But to measurably reduce human risk, you'll need to make sure you're using a security training solution that actually changes behavior.
Here are some of the key factors to consider when it comes to evaluating vendors:
- Is training frequent enough?
- Is the content digestible and engaging?
- Can you easily track and report on employee performance?
- Is training tailored to employees' individual skill level?
- Do employees receive positive reinforcement and feedback?
- You can read our Buyer's Guide to Employee Cyber Security Training here.
How Hoxhunt protects your organization from phishing
Here at Hoxhunt, our security awareness and phishing training is purpose-built to tangibly impact behavior.
We believe that effective security awareness programs do more than just meet compliance...
They build a foundation of security-first practices and motivate employees to report real attacks.
Hoxhunt deliver personalized, rewarding micro-trainings that not only educate but also incentivize proactive security behaviors.
Personalize training at scale: personalize the training paths for every employee based on their job roles, locations, tools used, and language.
Gamify end user interaction: engage your employees with gamified micro-training experiences that they'll genuinely enjoy.
Drive results with realistic phishing simulations: stay at the cutting edge of the constantly evolving threat landscape as our global threat intel team turns real phish into powerful phishing simulations
Easily measure progress: follow how your employees improve in reporting, missing, and clicking on the simulated phishing attacks.
Sources
Why Human Error Is the #1 Cyber Security Threat – The Hacker News, 2021
Pathé Loses €19M in BEC Scam – Help Net Security, 2018
Scoular Hit with $17.2 Million Fraud – Reuters, 2015
Toyota Parts Supplier Hit by $37 Million Email Scam – Forbes, 2019
Payments Fraud and Cybersecurity Trends to Watch – JPMorgan, 2023
UK Finance Report Shows Persisting Risk of Invoice and CEO Fraud – Pinsent Masons, 2023
Every Organisation Should Be Aware of Invoice Scams – International Banker, 2023
- Subscribe to All Things Human Risk to get a monthly round up of our latest content
- Request a demo for a customized walkthrough of Hoxhunt