Invoice Fraud: How to Identify Fake Invoices (Analyzing Real Threats)

‍

What is invoice fraud?

Invoice fraud is a type of phishing where attackers impersonate legitimate suppliers or vendors to trick organizations into paying fake invoices.

These fraudulent invoices often appear authentic, using stolen or fake information such as business logos, invoice formats, or email addresses.

While traditional invoice fraud often involved attached PDF documents, modern threats have evolved.

Here at Hoxhunt, we definitely still see reports of fake PDF invoices as attachments, but more commonly now, attackers use the idea of an invoice to create urgency - messages prompting you to click a link or call a phone number instead of focusing on the invoice itself.

According to Hoxhunt's threat analysts, it’s rarely about actually getting the invoice paid anymore.

It’s more often about getting someone to click a link, call a scam number, or hand over credentials through a fake login page.

‍

Key invoice fraud statistics

On average, organizations are receiving an incidence of invoice fraud every month - and our threat team here at Hoxhunt have found that invoice phishing is a year-round issue. We don’t really see a time of year when it slows down.

Approximately 71% of organizations reported being victims of payments fraud, with invoice fraud being a significant contributor.

Around 44.8% of all fraudulent payments are due to invoice and mandate scams.

Nearly 30% of companies reported an uptick in payments fraud in recent years, with digital payment systems and phishing attacks increasingly used to facilitate fraudulent invoices​.

62% of businesses cite generative AI as a key driver behind the surge in invoice fraud.

‍

How do fake invoice scams work?

Invoice scams usually come in the form of service provider impersonations.

Attackers often pretend to be a service providers because a lot of people use them.

The malicious actor might hide their domain behind spoofing and if everything looks as it should, typing out your Office365 credentials might not seem too harmful.

Invoice phishing cannot be avoided by merely not making payments to dubious bank account numbers when told to.

Legitimate seeming messages often lead to legitimate services, such as PayPal and QuickBooks...

But the sum is not directed to the actual provider.

Today's attackers often create vague, generic emails referencing invoices, hoping recipients act without questioning.

They act like there's a specific invoice, but when you look at the message, it’s very general, lacking real details. It could be sent to anyone​.

A lot of these emails mention an overdue invoice and ask you to either call a number or reply to sort it out, but offer no real details.

It’s this lack of specificity that’s key - the emails feel like they could’ve gone to anyone

Some sophisticated attacks impersonate local law firms using accurate local language, making them especially convincing.

Our threat analysts have seen localized attacks where everything looks right except small mistakes like mismatched currency symbols or wrong contact details.

Many attacks don’t actually aim to get an invoice paid at all. It’s more often about getting someone to click a malicious link or call a fake number than actually paying an invoice, making awareness critical beyond finance teams alone.

Attackers also frequently leverage compromised external accounts to distribute invoice-themed phishing at scale.

Compromised email accounts are often used to blast vague ‘invoice overdue’ messages, hoping to trick someone - anyone - into clicking the link.

Sophisticated examples may even feature fake email threads.

‍

What does a sophisticated invoice phishing email look like?

While many invoice phishing attempts tend to be vague or poorly constructed, some attackers go to great lengths to make their messages appear legitimate.

In one case our analysts have come across, cybercriminals created a forged internal email thread between a company CEO and a supposed vendor.

The scam began with a fabricated message from the impersonated vendor, issuing what looked like a routine invoice... but with a twist...

The email claimed the recipient could receive a 15% discount if the invoice was paid quickly.

The attackers then faked a reply from the company’s own CEO, enthusiastically forwarding the message to the accounting team and urging them to act fast in order to "take advantage of the savings."

It was crafted to look exactly like a standard business workflow.

The tone was casual but authoritative. The email signatures were polished. The entire thread gave the appearance that this payment request had already been vetted and approved.

The inclusion of urgency, a modest financial incentive, and the illusion of internal approval created a perfect storm of social engineering.

If the recipient had acted without questioning, the funds would have gone directly to the attacker’s account.

This type of attack illustrates how attackers no longer rely solely on poor spelling or mismatched logos.

They exploit business norms - like forwarding messages between departments or offering early-payment discounts - to trick victims with attacks that blend seamlessly into daily operations.

‍

Real invoice fraud cases

Toyota Boshoku Corporation (2019)

Toyota Boshoku Corporation, a subsidiary of Toyota Group fell victim to an invoice fraud attack when fraudsters impersonated a business partner and tricked the company into redirecting a large payment to a fraudulent bank account.

Losses totalled approximately $37 million.

Scoular Company (2022)

Scoular Company, a leading agricultural marketing company, experienced an attack in which fraudsters used spear phishing emails to compromise an employee’s email account.

They then sent fake invoices to the accounts payable department, requesting payment to fraudulent bank accounts.

The company lost approximately $17 million before the scam was detected. This incident demonstrates the necessity of multi-factor authentication and rigorous email security measures

Pathé Netherlands (2021)

Pathé Netherlands, a subsidiary of the French cinema chain, was successfully scammed by fraudsters impersonating senior executives from the parent company.

Using email spoofing, the fraudsters sent fake invoices and urgent payment requests to the finance department.

The scheme resulted in a loss of €19 million (around $22 million).

‍

Common types of invoice fraud to look out for

Business email compromise (BEC)

This is when email accounts of legitimate suppliers are hacked or spoofed.

These accounts can then be used to send fraudulent invoices or payment requests to the accounts payable department.

The email addresses used are usually very similar to legitimate ones, making them difficult to detect.

Modification of real invoices

In this type of fraud, cybercriminals intercept legitimate invoices, usually via email.

They'll then modify the payment details, such as bank account numbers, before forwarding the altered invoices to the target company.

Overpayment scams

Attackers might send an invoice that appears to overcharge for goods or services.

When the target business pays the inflated invoice, the fraudster contacts the business claiming that there was a mistake and requests a refund for the overpaid amount.

The refund is then directed to a fraudulent account, while the original payment has already been processed.

Service renewal scams

These scams involve sending fake invoices for service renewals, such as subscriptions, maintenance contracts, or software licenses.

The fraudsters rely on the fact that businesses often have multiple subscriptions and might not scrutinize every renewal invoice closely.

They hope that the company will pay the invoice without verifying its authenticity.

Refund and rebate scams

Some fake invoices come with a refund or rebate offer, enticing the target to provide bank details for the supposed refund.

Once the fraudsters have the bank details, they can use them for unauthorized withdrawals or further scams.

‍

Beware of document sharing and service impersonation

Making use of real document sharing and e-signing services, such as Adobe or PandaDoc here, is very popular in phishing.

The email comes from a legitimate service and link-clicking is required to see what the invoice is about.

This makes discerning its relevance more difficult and it takes the recipient further down the rabbit hole. 

The payload of the above Standard Notes impersonation below is actually vishing - they want you to call them.

‍

This means you'll interact with them more, which means you'll trust them more, which means you're more likely to pay up.

It includes typical signs of phishing topped with some more detail, but also some bad English.

The scammers claim payment details were already received to give incentive to call the (very emphasized) phone number so that you, the unsuspecting person, will start the scam call yourself.

Invoice phishes frequently lead to a credential harvesting.

Making sure the site asking for login information is legitimate is essential, as is not typing credentials into opened attachments.

‍

Breaking down real fake invoices

To give you an idea of what a phishing invoice looks like in the wild, let’s dive into a real invoice to get a better idea.

Below is one from Norton. We see variations on this particular one all the time (it's actually one of the most common ones out there).

There's a reason these are so popular and have been prevalent for a good while...

Norton software is widely used, making the company a convenient impersonation target.

At a glance, the invoice seems real. But if you take a closer look, you'll spot some red flags for invoice fraud:

• The invoice has been sent on short notice, genuine invoices are not generally sent with just a few days notice.
• The email is fairly generic -  the recipient is just addressed as “Customer”.
• The invoice number ("1001") seems suspicious.
• The product name and pricing don't actually match what's on the company website.

Here are warning signs that give this landing page away:

• “Print or save” buttons lead to a QuickBooks page, where the victim can pay the invoice.
• The site is actually legitimate and comes from their email address to bypass email filters.
• There is one huge red flag though, the merchant's email is completely unrelated.

‍

Red flags for invoice fraud

Incorrect vendor Information

• Discrepancies in vendor name, address, or contact details.
• Slight variations in spelling or format.

Unfamiliar vendors

• Invoices from unknown vendors.
• Vendors with no record of business transactions.

Duplicate invoices

• Multiple invoices for the same goods or services.
• Duplicate invoice numbers, amounts, or dates.

Urgent or high-pressure language

• Demanding immediate payment.
• Creating a sense of urgency to bypass verification.
• Requests to call unfamiliar phone numbers, especially when inconsistent with how the vendor normally operates.

Unusual invoice amounts

• Significantly higher or lower than expected amounts.
• Deviations from previous invoices from the same vendor.

Poor quality or unprofessional appearance

• Poor formatting and low-quality logos.
• Inconsistent fonts and misaligned text.

Unusual billing patterns

• Sudden increases in invoice frequency or amount.
• Unexpected changes in billing behavior.
• Currency inconsistencies, such as invoices billed in USD when the vendor usually operates in GBP.

Lack of detailed descriptions

• Vague language without invoice specifics (e.g. missing invoice numbers, customer names).
• Missing clear, itemized breakdowns of goods or services.

Red flags aren’t always technical, they’re behavioral. Urgency is almost always the number one red flag warns our team. If you’re being rushed, that's when mistakes happen.

‍

How to identify fake invoices: 9 simple steps

1. Stop and think before taking action

Do not throw your precious pennies into a phish pond...

The first thing to do when receiving an invoice is to stop and think.

Hey, I'm a pretty smart person. Do I use this service? 

As with any email, ask yourself whether or not you actually expected the email?

As simple as it sounds, this is an important self-protection tool against cybercrime.

You'd be amazed at how many people just pay an invoice when they see it in their inbox.

2. Verify the the invoice with the vendor

So, you've deduced that you do not use a service you've received an invoice from.

It is therefore quite probable you are dealing with a phishing attempt.

One thing you can do in this situation is let the (genuine) service provider's customer support team know that a scam is being sent out and they're using their name.

Never forward the actual email to them, though, as forwarding spreads both the danger and the damage even if you've successfully detected a fake invoice scam.

When you send out a scammer's email to another person, regardless of intent, you're literally doing their work for them and making their job easier.

But what if you do use the service?

Well, the same rules apply...

Use contact information from your existing records to confirm the invoice details with the vendor.

Avoid using the contact information provided on the invoice, as it could be fraudulent.

3. Examine invoice formatting and quality

To check for invoice fraud, carefully examine the formatting and quality of invoices for inconsistencies and errors.

• Verify details: Cross-check vendor and payment information against verified records.
• Check formatting: Look for design inconsistencies, poor-quality logos, or unprofessional formatting.
• Scrutinize amounts and patterns: Be cautious of unusual payment requests or irregular invoice numbering.
• Match with documentation: Ensure invoices align with purchase orders and delivery records.

4. Cross-check invoice details against purchases

If you receive an invoice you think may be fake, try matching the invoice details with the corresponding purchase orders.

Each invoice should clearly reference a purchase order number, and the items listed on the invoice should match those ordered.

Check that the quantities, descriptions, and prices on the invoice are identical to those on the purchase order.

You can also confirm that the goods or services listed on the invoice have been delivered.

Compare the invoice against delivery receipts or service completion records.

Ensure that the delivery dates, quantities, and item descriptions match the records.

5. Review payment information

A common tactic in invoice fraud is changing bank account details to redirect payments to a fraudulent account.

So, always verify that the bank account details on the invoice match those previously used for the vendor.

Look for subtle differences, such as changes in account numbers or bank names.

If there are any changes in payment instructions, such as a new bank account number or payment method, confirm these changes directly with the vendor through a trusted communication channel, such as a known phone number or a verified email address.

Fraudsters often request urgent payments to new accounts to bypass standard verification processes.

Reviewing payment information thoroughly can help prevent funds from being diverted to fraudulent accounts.

Always be cautious of any changes and ensure they are legitimate before processing payments.

6. Identifying duplicates

Duplicate invoices can be a sign of fraud...

Which is why you need to implement a system to search for and identify duplicate invoices.

This can involve manually checking or using automated software to scan for duplicate invoice numbers, dates, amounts, and vendor names.

Ensure that the invoice number is unique and follows the vendor's usual numbering pattern.

Fraudsters might send duplicate or altered invoices hoping that one will slip through the cracks and get paid twice.

By keeping a record of all received invoices and payments, you can quickly spot duplicates.

7. Keep an eye out for urgent and unusual requests

Be cautious of invoices that demand immediate payment or use urgent language.

Legitimate organizations are very unlikely to send you unsolicited, urgent requests for payment.

Attackers often rely on urgency to get around standard verification processes.

If an invoice is marked as urgent, take extra steps to verify its authenticity before processing the payment.

You should also look out for requests for payment to a different account or for payment methods that your company does not typically use.

Scrutinizing urgent and unusual payment requests helps ensure that invoices are legitimate and that your company is not falling victim to fraud.

Always verify and never rush payments without proper checks.

8. Analyze billing patterns

If you're suspicious of an invoice, compare it to previous invoices from the same vendor to identify any unusual patterns, such as a sudden increase in invoice frequency or amount.

Reviewing historical billing data can help detect anomalies that may indicate fraudulent activity.

You can also double check the invoiced amounts and items against past transactions.

If there is a significant deviation from the norm, such as unusually high charges or unfamiliar items, it warrants further investigation.

9. Conduct internal reviews

When it comes to implementing a process for detecting fake invoices, ensure that invoices, especially high-value ones, go through multiple levels of approval before payment.

You may also want to consider conducting regular audits of the accounts payable process to identify and address any vulnerabilities.

‍

Invoice fraud detection checklist

Did you expect this?

• Evaluate whether you recognize the service or vendor, such as a legitimate company or a real supplier.
• Unsuspecting employees should avoid opening invoices that don't align with recent purchases or core business activities.
• Directly contact your co-worker or the sender for clarification—never forward suspicious emails.

Does it seem too urgent?

• Scammers often create a sense of urgency, pressuring you to make electronic payments or resolve payment fraud immediately.
• Watch out for rushed payment mechanics or suspicious email subjects designed to bypass manual processes and internal controls.

Look out for unusual payment amounts:

• High-value invoices or unusually low amounts (as seen in parcel phishing scams) can indicate fictitious invoices.
• Discrepancies between purchase orders and invoices or unexpected changes in vendor information accuracy are red flags.

Check the sender and links:

• Ensure the email comes from a real email address or a trusted vendor, not a fake email address or phantom vendor.
• Verify if the links lead to accurate vendor bank details or an approved vendor master file.
• Reconfirm the vendor's contact info and company details before proceeding with payments.

Be careful with attachments:

• Suspicious emails often include malware-laden attachments disguised as invoice images or usage records.
• Never open files without first confirming the authenticity of the invoice and its origin, especially in manual invoice processing.

‍

Invoice fraud prevention: best practices

Strong internal controls

Sophisticated invoice scams often mimic legitimate payment processes.

If there’s no clear protocol, phishing scams disguised as real invoices can slip through unnoticed.

To prevent invoice fraud, you may need to establish internal controls if you haven't already.

This just means setting up procedures for invoice approval and payment.

Separating duties among employees ensures that no single person has control over all aspects of a financial transaction.

This segregation of duties might mean one person responsible for approving invoices and another for making payments.

Implementing dual authorization for high-value transactions may also be a measure worth considering if you want an extra layer of security.

As we touched on briefly above, maintaining detailed records of all financial transactions, will allow you to regularly review and identify any anomalies or irregularities.

Regular reconciliation of accounts payable records with bank statements can also ensure that all payments are legitimate and correctly accounted for.

Use invoice verification software

Payment scams often rely on bypassing basic verification.

Something as simple as a rushed invoice for services or a spoofed email subject line can result in irreversible monetary losses.

If your organization pays for lots of services, invoice verification software can help automate the process of verifying and cross-checking invoice details with purchase orders and delivery receipts.

These tools use AI and machine learning to detect anomalies and patterns indicative of fraud.

You can also integrate invoice verification software with your existing accounting systems to make sure all invoices are automatically checked against relevant data before approval.

Establish clear reporting channels

Creating a clear and straightforward process for reporting suspicious invoices is essential in preventing fraud.

Employees should know exactly how and where to report any concerns promptly.

Clear reporting channels ensure that any potential fraud is investigated quickly.

Once you have a reporting channels in place, the next step is to set up protocols for responding to reports of suspicious invoices - how do you intend to verify and escalate reports?

Use secure payment methods

Avoid making payments based on email instructions without verification.

Instead, use secure payment portals that require multi-factor authentication (MFA) to confirm transactions.

Regularly updating and securing these systems can prevent unauthorized access and ensure that only legitimate payments are processed.

It may also be worth having strict protocols for changing payment details to prevent fraudsters from diverting funds.

Training for behavior, not just awareness.

No matter what tools and tech you may have in place, your employees represent the biggest security risk.

According to Verizon's latest report, the human element was a major contributing factor in 60% of all data breaches.

Unfortunately, your typical security training will mostly focus on raising awareness and compliance box-ticking.

But to measurably reduce human risk, you'll need to make sure you're using a security training solution that actually changes behavior.

Training should be tailored by role...

What a payable clerk needs to spot may differ from what a procurement manager or CFO should catch.

Here are some of the key factors to consider when it comes to evaluating vendors:

• Is training frequent enough?
• Is the content digestible and engaging?
• Can you easily track and report on employee performance?
• Is training tailored to employees' individual skill level?
• Do employees receive positive reinforcement and feedback?

‍

What does the future of invoice phishing look like?

Employee vigilance remains crucial because its not always the finance team members who are the targets.

We tend to see that its the more sophisticated invoice phishing is often aimed directly at accounting and finance staff - the people who actually have the ability to move money.

As invoice fraud evolves, AI could play a dual role...

AI can improve impersonation quality - localizing messages more accurately, reducing small errors  - but it also helps defenders detect threats faster.

Overall, invoice fraud isn’t going away anytime soon.

Even as technologies advance, the core tactics of social engineering (urgency, authority, pressure) will still be at the heart of these attacks.

Relying on preaching to employees about the consequences of invoice fraud is unlikely to reduce real risk.

To protect your organization, you need to employees to build positive habits.

As threats evolve, the typical signs of invoice fraud might not be relevant... emails may even come from legitimate vendors who've had their accounts compromised.

This is why Hoxhunt trains employees' instincts for recognising phishing attempts, not just the typical 'bad spelling and grammar'.

‍

How Hoxhunt protects your organization from phishing

Here at Hoxhunt, our security awareness and phishing training is purpose-built to tangibly impact behavior.

We believe that effective security awareness programs do more than just meet compliance...

They build a foundation of security-first practices and motivate employees to report real attacks.

Hoxhunt delivers personalized, rewarding micro-trainings that not only educate but also incentivize proactive security behaviors.

Personalize training at scale: personalize the training paths for every employee based on their job roles, locations, tools used, and language.

Gamify end user interaction: engage your employees with gamified micro-training experiences that they'll genuinely enjoy.

Drive results with realistic phishing simulations: stay at the cutting edge of the constantly evolving threat landscape as our global threat intel team turns real phish into powerful phishing simulations

Easily measure progress: follow how your employees improve in reporting, missing, and clicking on the simulated phishing attacks.

‍

_Sources

^{Why Human Error Is the #1 Cyber Security Threat – The Hacker News, 2021
Pathé Loses €19M in BEC Scam – Help Net Security, 2018
Scoular Hit with $17.2 Million Fraud – Reuters, 2015
Toyota Parts Supplier Hit by $37 Million Email Scam – Forbes, 2019
Payments Fraud and Cybersecurity Trends to Watch – JPMorgan, 2023
UK Finance Report Shows Persisting Risk of Invoice and CEO Fraud – Pinsent Masons, 2023
Every Organisation Should Be Aware of Invoice Scams – International Banker, 2023
2025 Data Breach Investigations Report - Verizon, 2025}